any way we can force the session logout on browser exit ?
somehow sessionexpiry has no effect. i put 60 seconds , but even if someone opens editor it allows without authentication.
Can you show us what you have in settings.js (include some of the surrounding lines for context).
Have you restarted node-red?
If you logout are you then forced to login?
Having logged out and in again does the 60 seconds now work?
Also please stop node-red and start it again in a command window and post the full output here. Copy/paste, not screenshot please.
/** To password protect the Node-RED editor and admin API, the following
* property can be used. See http://nodered.org/docs/security.html for details.
*/
adminAuth: {
type: "credentials",
users: [{
username: "admin",
password: "$2b$08$fXJDzY8ovPAcNYk9e/x/6eNKFpEM3Iw.oUGY2TrU87DZ5sz1c/1E2",
permissions: "*",
sessionExpiryTime:60,
}]
},
//adminAuth: {
// type: "credentials",
// users: [{
// username: "admin",
// password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
// permissions: "*"
// }]
//},
Yes I have started node-red (restarted the window service)
Yes, if I logout, then on re-opening editor session, it does ask for password.
startup log
15 Nov 16:38:52 - [info]
Welcome to Node-RED
===================
15 Nov 16:38:52 - [info] Node-RED version: v3.0.0
15 Nov 16:38:52 - [info] Node.js version: v16.16.0
15 Nov 16:38:52 - [info] Windows_NT 10.0.19045 x64 LE
15 Nov 16:38:54 - [info] Loading palette nodes
15 Nov 16:38:57 - [info] Dashboard version 3.6.1 started at /ui
15 Nov 16:38:59 - [info] Settings file : c:\Users\OEEHo\NR-NR-Reports\settings.js
15 Nov 16:38:59 - [info] HTTP Static : c:\temp > /
15 Nov 16:38:59 - [info] Context store : 'memoryOnly' [module=memory]
15 Nov 16:38:59 - [info] Context store : 'file' [module=localfilesystem]
15 Nov 16:38:59 - [info] User directory : c:\Users\OEEHo\NR-NR-Reports
15 Nov 16:38:59 - [warn] Projects disabled : set editorTheme.projects.enabled=true to enable
15 Nov 16:38:59 - [info] Flows file : c:/users/oeeho/nr-nr-reports/flows.json
15 Nov 16:38:59 - [info] Server now running at http://127.0.0.1:1886/
15 Nov 16:38:59 - [warn]
closing browser and after 90 seconds...directly opens the editor
Try deleting the file c:/users/oeeho/nr-nr-reports/.sessions.json
No effect,
newly created file .session.json contains this info
{"xMpGaCilHtenLgCFaUSGR5TdWDpmrCeQWI0dDXyuQuYOkVFOeLYo3TfXJYHIwkIP+q1ADC0/gXdvvdyzYNVP03dd+fqbkx3C/HTbrNXWu+dHjgkXAkQtxOaOPtiXsaLhrkgzdA694ZLy9KVo7WH+YqJ4MLciE+dh0WMuCgQQCj4=":{"user":"admin","client":"node-red-editor","scope":"*","accessToken":"xMpGaCilHtenLgCFaUSGR5TdWDpmrCeQWI0dDXyuQuYOkVFOeLYo3TfXJYHIwkIP+q1ADC0/gXdvvdyzYNVP03dd+fqbkx3C/HTbrNXWu+dHjgkXAkQtxOaOPtiXsaLhrkgzdA694ZLy9KVo7WH+YqJ4MLciE+dh0WMuCgQQCj4=","expires":1700653499764}}
Feeding that into https://www.epochconverter.com/ shows that is in 7 days, so it looks like the 60 is not working.
I suggest updating to the latest node-red (3.1.0) as there were a number of bugs in the first 3.0 release.
However, I don't think this will do what you want anyway, as I think you would have to log in again every 60 seconds, which is probably not desirable.
60 seconds was just an arbitrary number, i would keep it to my comfort.
will try updating to NR 3.1.
You have put the sessionExpiryTime inside the users array object. It should be in the adminAuth object itself.
You cannot set different session times for different users.
1 Like
Aha!
/** To password protect the Node-RED editor and admin API, the following
* property can be used. See http://nodered.org/docs/security.html for details.
*/
adminAuth: {
sessionExpiryTime:60,
type: "credentials",
users: [{
username: "admin",
password: "$2b$08$fXJDzY8ovPAcNYk9e/x/6eNKFpEM3Iw.oUGY2TrU87DZ5sz1c/1E2",
permissions: "*",
}]
},
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
