Security, add more than one user

#1

Hi, I'd like to add more than one user to use the dashboard.
So I edited settings.js.
It seems that only the last account/user is working; can there be only one user?
I want to have one user that I use to edit the dashboard and another user for use in IFTTT.

// Securing Node-RED
// -----------------
// To password protect the Node-RED editor and admin API, the following
// property can be used. See http://nodered.org/docs/security.html for details.
adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "<my_hash1>",
        permissions: "*",
        username: "api-user",
        password: "<my_hash2>",
        permissions: "read"
    }]
},

#2

Hi @pvklink - you haven't quite got the syntax right. The users property is meant to be an array of user objects:

    users: [{
        username: "admin",
        password: "<my_hash1>",
        permissions: "*"
    }, {
        username: "api-user",
        password: "<my_hash2>",
        permissions: "read"
    }]

#3

thanks @knolleary


#4

OK, my dashboard seems to work now with two accounts (one read-only) and SSL, so much more secure!
But my webhook in IFTTT does not use these settings and is not secure!
I tested my IFTTT webhook:
https://:@router..nl:1880/pvkapi it works, but:
https://router..nl:1880/pvkapi also works!

post (body)
{"command":"switchlight", "idx": 354, "switchcmd": "Set Level","level": 40}


#5

adminAuth only secures the editor. It does not secure the routes you define with the HTTP nodes.

We only support basic auth on those routes - the security docs page tells you how to configure it.


#6

I also set
httpNodeAuth: {user:"api-user",pass:"xxx"},
httpStaticAuth: {user:"api-user",pass:"xxxx"},

But I can still add HTTP POST and GET requests in IFTTT without a username and password.


#7

problem solved... reboot did the trick

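Why only the last user worked in post #1, and a check for the gap described in post #5, as an added example that is not part of any post in this thread. `auditSettings` is a hypothetical helper, not a Node-RED API, and every hash is a placeholder.

```javascript
// Added example. All values are constructed placeholders, not a real config.

// Shape from post #1: both users inside ONE object literal. A repeated key
// keeps only its last value, so the "admin" entry is silently overwritten.
const collapsedAdminAuth = {
    type: "credentials",
    users: [{
        username: "admin", password: "<my_hash1>", permissions: "*",
        username: "api-user", password: "<my_hash2>", permissions: "read"
    }]
};

// Shape from post #2, plus httpNodeAuth as in post #6.
const correctedSettings = {
    adminAuth: {
        type: "credentials",
        users: [
            { username: "admin", password: "<my_hash1>", permissions: "*" },
            { username: "api-user", password: "<my_hash2>", permissions: "read" }
        ]
    },
    httpNodeAuth: { user: "api-user", pass: "<my_hash3>" }
};

// Hypothetical helper: report what the parsed settings leave unprotected.
function auditSettings(settings) {
    const findings = [];
    const users = settings.adminAuth && settings.adminAuth.users;
    if (!Array.isArray(users) || users.length === 0) {
        findings.push("adminAuth.users is missing or empty");
    } else {
        users.forEach((user, i) => {
            for (const key of ["username", "password", "permissions"]) {
                if (!user[key]) findings.push(`users[${i}] has no ${key}`);
            }
        });
        if (!users.some((user) => user.permissions === "*")) {
            findings.push('no user has "*" permissions (full access)');
        }
    }
    if (!settings.httpNodeAuth) {
        findings.push("httpNodeAuth not set: HTTP In routes take requests without credentials");
    }
    return findings;
}

console.log(collapsedAdminAuth.users.map((user) => user.username));
console.log(auditSettings({ adminAuth: collapsedAdminAuth }));
console.log(auditSettings(correctedSettings));
```

The audit only sees the parsed object, so it has to be run against the same settings the running Node-RED process loaded; as post #7 found, edits to the file take effect only after a restart.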