Security, add more then one user

Hi like to add more then one user to use the dashboard.
So i edit the setting.js.
It seems that only the last account/user is working, can there be only one user ?
I want to have one user that i use to edit the dashboard and another user for using in IFTTT

// Securing Node-RED
// -----------------
// To password protect the Node-RED editor and admin API, the following
// property can be used. See http://nodered.org/docs/security.html for details.
adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "<my_hash1>",
        permissions: "*",
        username: "api-user",
        password: "<my_hash2>",
        permissions: "read"
    }]
},

Hi @pvklink - you haven't quite got the syntax right. The users property is meant to be an array of user objects:

   users: [{
        username: "admin",
        password: "<my_hash1>",
        permissions: "*"
   }, {
        username: "api-user",
        password: "<my_hash2>",
        permissions: "read"
    }]

thanks @knolleary

OK, my dashboard seems to work now with two accounts (one readonly) and ssl, so much secure!
But, my webhook in IFTTT does not use this settings and is not secure!
I tested my IFTTT webhook:
https://:@router..nl:1880/pvkapi it works, but:
https://router..nl:1880/pvkapi also works!

post (body)
{"command":"switchlight", "idx": 354, "switchcmd": "Set Level","level": 40}

adminAuth only secures the editor. It does not secure the routes you define with the HTTP nodes.

We only support basic auth on those routes - the security docs page tells you how to configure it.

I also set
httpNodeAuth: {user:"api-user",pass:"xxx"},
httpStaticAuth: {user:"api-user",pass:"xxxx"},

but still i can add http post and get requests in IFTTT without username and password

problem solved... reboot did the trick