Hello there,
we want to use Node-Red, but our security-team requests, that the SessionID of a web-applications for every user has to be unpredictable randomised (PRNG) with at least 128bit entropy.
I tried to search for that without any clear answer.
So my question is, does Node-Red fits these requirements and is documented anywhere or can it be configured like this?
Or ist this realated to OS?
Thank you very much for your help!
Have a nice weekend
Jan-Frederik
Are you referring to the login token used to access the Node-RED editor? Or is this about the application you'd like to create using Node-RED?
If this is regarding the session token for the editor, you can see the code used to generate the token here: https://github.com/node-red/node-red/blob/master/packages/node_modules/@node-red/editor-api/lib/auth/tokens.js#L17
The tokens are generated as 128 character random hex strings using node's built-in Math.random function, which does have 128bit entropy from the v8 engine - https://v8.dev/blog/math-random
Whether that is sufficient for your needs, I can't say.
Now I look at it again, there are probably better alternatives to Math.random built into node.js that we ought to move over to. Something for the next release.
Hi Knolleary,
thanks for your fast response!
I thought about the session token for the editor itself.
So your answer is perfect for me and if you will implement better solutions you know, this would be very nice, of course.
Is the SessionID different for applications created with Node-Red?
You caught me at the right time with this question - just pushed a commit that moves over to node's crypto.randomBytes function for all of our token/session generation. Will be in the next release.
(By "right time" I mean: "I have lots I should be doing, but finding plenty of distractions to keep me busy")
Yes - because the built-in HTTP nodes do not have any session handling built into them. It is up to the Application Developer to create whatever session handling they need.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy