Securing Tab with Password

Chorum · 4 October 2021 12:44

Hello,

i try to secure a tab on my Dashboard so only the person that knows the password could work on it.

my flow for that:

[
    {
        "id": "fe447904.ed3c58",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Statuswarnung",
        "func": "msg.payload = \" Dieses Dashboard ist zu Aufzeichnungszwecken gesichert.\" +\"<br>Die Benutzung ist nur mit einem Passwort möglich\"+\"<br> Mit freundlichen Grüßen\"+\"<br> Chorum\"\nreturn msg;",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 2200,
        "y": 160,
        "wires": [
            [
                "e8316994.2e51c",
                "ed95e50b.e73a3"
            ]
        ]
    },
    {
        "id": "e8316994.2e51c",
        "type": "ui_toast",
        "z": "923d648e.9f25f8",
        "d": true,
        "position": "prompt",
        "displayTime": "3",
        "highlight": "",
        "sendall": true,
        "outputs": 1,
        "ok": "Zur Kenntnis genommen",
        "cancel": "Cancel",
        "raw": true,
        "topic": "",
        "name": "",
        "x": 2410,
        "y": 160,
        "wires": [
            [
                "6873c934.b29178",
                "c9b789c9.04423"
            ]
        ]
    },
    {
        "id": "6873c934.b29178",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2570,
        "y": 200,
        "wires": []
    },
    {
        "id": "c9b789c9.04423",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Rückleitung",
        "func": "if(msg.payload == \"Daniela\"){\n    \n}else{\n    msg.Label = '<a  href=\"http://http://url:1880/ui/#!/2\"  >Consulter</a>'\n    msg.name = \"\"\n    return msg;\n}\n",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 2590,
        "y": 160,
        "wires": [
            [
                "db68598e.236ce8",
                "4dc4b335.639a54"
            ]
        ]
    },
    {
        "id": "db68598e.236ce8",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2790,
        "y": 160,
        "wires": []
    },
    {
        "id": "ac13efd9.0ad9e",
        "type": "ui_ui_control",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "events": "all",
        "x": 1680,
        "y": 160,
        "wires": [
            [
                "aa19f118.d96f",
                "ea5e681e.273a28"
            ]
        ]
    },
    {
        "id": "aa19f118.d96f",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 1850,
        "y": 200,
        "wires": []
    },
    {
        "id": "ea5e681e.273a28",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Gesperrte Dashboards detecktieren",
        "func": "var name = msg.name\n\n\nif(name == \"Multiscreensetup\" || name == \"W17Kamera\"){\n    return msg;\n}else{\n    \n}\n",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 1940,
        "y": 160,
        "wires": [
            [
                "fe447904.ed3c58",
                "c9295c6a.c19e08"
            ]
        ]
    },
    {
        "id": "c9295c6a.c19e08",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2170,
        "y": 200,
        "wires": []
    },
    {
        "id": "ed95e50b.e73a3",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2390,
        "y": 200,
        "wires": []
    },
    {
        "id": "4dc4b335.639a54",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Leer",
        "func": "\nreturn msg;",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 2190,
        "y": 40,
        "wires": [
            [
                "ac13efd9.0ad9e",
                "d8fe7823.b16228"
            ]
        ]
    },
    {
        "id": "d8fe7823.b16228",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2450,
        "y": 40,
        "wires": []
    }
]

my problem is the cancel option. it should reload the page or link to another tab.
but both variants are not working.

maybe someone else can see what i am doing wrong ?

Dearly
Chorum

PS: i tested show/hide with ui_control with that payload:
ui_control_hide_show

that test is on an other tab for testing.
but nothing is hided

Chorum · 5 October 2021 06:58

Mhmm solved the problem.

i used a simple change node and sended a simple number for aiming to the new tab.
so there is a password protection now

TotallyInformation · 5 October 2021 08:44

You realise, I suppose, that you haven't actually "secured" anything?

Because Dashboard is a single-page app, everything is still loaded to the browser and anyone with any knowledge at all could get to the information.

Chorum · 5 October 2021 09:00

The use case is in an internal network and the main function is to keep user away from the tab where they could use switches and sliders and so on.

Its not about securing information, its about preventing access to function elements

and every normal user (what is the main user group in that network) cant reach all the switches and sliders and cant see what they shouldnt see...

With using only the Dashboard i cannot reach the secured tab...

TotallyInformation · 5 October 2021 09:07

Just so long as people don't think that this is a generic security solution.

On all browsers, the dev tools are a single button click or menu selection away and that will show everything and give access to change any of the switches as well.

Chorum · 5 October 2021 09:22

ok, but most users in that group do not know that there are dev tools

i will think about other ways later (ldap+reverse proxy, ip filter, perhaps other things) but this is a working solution and i dont want to " shoot sparrows with a cannon " at the moment

davidz · 5 October 2021 18:01

I can see that this is a useful feature.

When more dashboards are used for end products, then this becomes very useful to protect some mission critical operations. For example, system maintenance tab can only be operated by managers.

TotallyInformation · 6 October 2021 08:08

You see, that is exactly why I commented above.

If you come across this thread - please make sure that you understand the proposed approach above can NEVER be more than security theatre.

The Dashboard is a single-page app. It loads everything into your browser when you access it. Including the "protected" tab - whether you have "access" or not. Therefore anyone with even the slightest knowledge can access what you have tried to protect.

The only way to actually protect data in a Dashboard is to never send it in the first place until after some kind of authentication and authorisation has taken place - in Node-RED, not in the browser.

davidz · 6 October 2021 16:54

Of course I am aware of this.

I was commenting that securing tab with password is a useful feature.

It would be nice to have this feature implemented in a secure way down the road.

system · 20 October 2021 16:54

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Insert a security in a certain TAB? Dashboard	18	899	16 February 2023
Password Protect a single page in dashboard Dashboard	1	1304	17 October 2019
Secure different dashboard Dashboard	6	369	18 May 2022
Password per tab / flow ? possible? Dashboard	3	1224	29 May 2020
Simple Password Authentication for Dashboard (Caution: Very Low Security, for simple application only) Share Your Projects dashboard	3	1655	3 February 2022

Securing Tab with Password

Related topics