Simple Password Authentication for Dashboard (Caution: Very Low Security, for simple application only)

An attempt to create a password authentication subflow, inspired by several posts in this forum.
Feedback and suggestions are required to improve it.

Gives output msg.auth as boolean true or boolean false.
Also shows the result in a notification in the browser.

PS: the password is "password".


[{"id":"215bd10b8e5bb52e","type":"subflow","name":"Password","info":"","category":"","in":[{"x":110,"y":210,"wires":[{"id":"99cc850a1d0922be"}]}],"out":[{"x":910,"y":190,"wires":[{"id":"fc8e1e11e9e11e6a","port":0},{"id":"3e6ee77098e8b163","port":0}]}],"env":[],"meta":{},"color":"#DDAA99"},{"id":"19cb3fa7a24b617f","type":"ui_toast","z":"215bd10b8e5bb52e","position":"prompt","displayTime":"3","highlight":"","sendall":false,"outputs":1,"ok":"OK","cancel":"Cancel","raw":true,"className":"","topic":"","name":"Ask Password","x":420,"y":210,"wires":[["823e9dc589a4ae6a"]]},{"id":"823e9dc589a4ae6a","type":"switch","z":"215bd10b8e5bb52e","name":"","property":"payload","propertyType":"msg","rules":[{"t":"eq","v":"password","vt":"str"},{"t":"else"}],"checkall":"true","repair":false,"outputs":2,"x":590,"y":210,"wires":[["fc8e1e11e9e11e6a"],["3e6ee77098e8b163"]]},{"id":"ea6bc392d093238b","type":"ui_toast","z":"215bd10b8e5bb52e","position":"dialog","displayTime":"3","highlight":"","sendall":false,"outputs":1,"ok":"OK","cancel":"","raw":false,"className":"","topic":"","name":"Incorrect Password","x":960,"y":250,"wires":[[]]},{"id":"3e6ee77098e8b163","type":"change","z":"215bd10b8e5bb52e","name":"","rules":[{"t":"set","p":"payload","pt":"msg","to":"Authentication Failed!","tot":"str"},{"t":"set","p":"auth","pt":"msg","to":"false","tot":"bool"}],"action":"","property":"","from":"","to":"","reg":false,"x":750,"y":250,"wires":[["ea6bc392d093238b"]]},{"id":"99cc850a1d0922be","type":"function","z":"215bd10b8e5bb52e","name":"Content","func":"return { payload: '<style>input{ -webkit-text-security: disc;}</style>Please enter your password'};","outputs":1,"noerr":0,"x":240,"y":210,"wires":[["19cb3fa7a24b617f"]]},{"id":"fc8e1e11e9e11e6a","type":"change","z":"215bd10b8e5bb52e","name":"","rules":[{"t":"delete","p":"payload","pt":"msg"},{"t":"set","p":"payload","pt":"msg","to":"Authentication Successful!","tot":"str"},{"t":"set","p":"auth","pt":"msg","to":"true","tot":"bool"}],"action":"","property":"","from":"","to":"","reg":false,"x":750,"y":130,"wires":[["076bc748a119ecaf"]]},{"id":"076bc748a119ecaf","type":"ui_toast","z":"215bd10b8e5bb52e","position":"dialog","displayTime":"2","highlight":"green","sendall":false,"outputs":1,"ok":"OK","cancel":"","raw":false,"className":"","topic":"","name":"Password OK","x":940,"y":130,"wires":[[]]},{"id":"f894a1be8b5bafb6","type":"subflow:215bd10b8e5bb52e","z":"d12f70e7abaacb43","name":"","x":970,"y":150,"wires":[["86aa2a0467eae814","874c04f877e552e8"]],"icon":"font-awesome/fa-eye"},{"id":"5d41dae9debf4c0a","type":"inject","z":"d12f70e7abaacb43","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"","payloadType":"date","x":820,"y":150,"wires":[["f894a1be8b5bafb6"]]},{"id":"86aa2a0467eae814","type":"debug","z":"d12f70e7abaacb43","name":"Authentication Status","active":true,"tosidebar":true,"console":false,"tostatus":true,"complete":"payload","targetType":"msg","statusVal":"payload","statusType":"auto","x":1170,"y":110,"wires":[]},{"id":"874c04f877e552e8","type":"debug","z":"d12f70e7abaacb43","name":"Authentication","active":true,"tosidebar":false,"console":false,"tostatus":true,"complete":"auth","targetType":"msg","statusVal":"payload","statusType":"auto","x":1160,"y":180,"wires":[]}]
1 Like

Not terribly secure. You need to make sure you are using https in order to protect the transmission of the password. You are also getting the raw password into the flow which means that the password has to be considered compromised immediately. Users would really need to avoid using an important password.

You would also need to think about how to manage passwords - will you have one password for anyone or will you want separate passwords per user? If one pw, that might be fine for a home automation system but wouldn't be any good in an enterprise or customer environment.

In any kind of managed service, you would need to hash the password in the browser so that the server never gets the actual password, only the hash.

1 Like

Thanks a lot for your feedback.
This was more of a test of my skills at creating a flow rather than creating strong authentication. I expected feedback from subject matter experts (which is exactly what you have given, thanks again!).
You have pushed me onto the right path now; I will study the 'hash' concept more. I have put a hashed password in my editor settings but I have absolutely no idea what I have done.

(It asks for a password when I open the editor (well, not every time exactly: even though I have NOT SAVED the password in the browser, many times the editor opens up without asking for a password), but that is for another post.)

I was thinking of using a MySQL database to create/modify passwords and link it with the dashboard, but I have a feeling now that would not be secure either.

So I believe now I should refrain from posting these kinds of projects, as someone could be misled into assuming they are perfect and use them in their flows, with consequences?

Thanks for your valuable feedback again. I will get back to the forum if I get stuck while improving this.

It isn't so much that MySQL might be insecure but rather that there are right and wrong ways of doing things.

Key things are:

  • Never handle the raw password - get it hashed as soon as possible.
  • NEVER store a raw password
  • NEVER trust user input - you need to limit it to a fixed max length and prevent input of data that might cause issues in the DB - use prepared statements for queries and updates which also helps prevent scripting attacks.
  • Probably need to handle some kind of token that the client will include in every transaction with the server (e.g. in both web requests and websocket messages). The server validates the token against the client details continuously. Note that the token is not the security here, it is only a token and tokens can be intercepted and reused - so the server must validate the token.

Remember that security is always complex, easy to get wrong and hard to keep right. But it isn't impossible; it needs attention to detail and some specialist knowledge.

I think just make the status/progress clear. It is great to see what people are doing, but if it is something that is speculative or experimental, just let people know.

1 Like