Trying authorization on flow editor without secret key

henkkas · 7 February 2023 09:20

Until now I used node red without a secret key so I have credentialSecret: false ,in de settings.js.

Now I played around with authorization on the flow editor, still with credentialSecret: false .

But that doesn't seem to work. Do I need the secret key to make password protect to work for me?

afbeelding

Or do I have to do something with de type-attribute to make it work?

I would like this, because if you give webbrowser <ip address>:<port>, without /uiit will go directly to flow editor, rather then dashboard.

knolleary · 7 February 2023 09:24

Hi @henkkas

credentialSecret does not have any relation to how you secure the editor.

What have you tried so far? When you say it doesn't work what exactly do you mean? Does the editor prompt for a login but you can't get in? Or does it not prompt for a login at all? Have you restarted Node-RED to pickup those changes? Are you sure you're editing the right settings file?

If you are trying to setup a user called admin with a password hallo then it will not work because you need to generate a password hash. This is explained in the link shown in the comment in that screenshot.

henkkas · 7 February 2023 09:45

@knolleary Yes, indeed, I didn't read that carefully enough. Thanks, now it is working.

henkkas · 8 February 2023 12:07

@knolleary I said it was working fine and it did.

But then I got the great idea of changing the password, so I generated another hash for new password.
I pasted that new hash into the settings.js and restarted node-red.
But now it looks like there is no password check anymore. I tried rebooting and wiping password from browser, but no password check anymore.

Do you have any idea what I did wrong?

knolleary · 8 February 2023 12:20

Did you log out of the editor (from the user drop-down menu)?

henkkas · 8 February 2023 12:44

@knolleary Indeed, that was the solution.

Is it some how possible that log-out is automatic after x time not being on the editor?

knolleary · 8 February 2023 12:54

Login tokens are valid for 7 days by default, but you can reduce that in the settings file.

However it is not activity based - it is an expiry time from the moment you login.

https://nodered.org/docs/user-guide/runtime/securing-node-red#token-expiration

henkkas · 8 February 2023 13:01

Ok @knolleary , thanks very much, that will do it for me.

system · 22 February 2023 13:01

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Should I be worried? (Message noticed while editing a flow) General	10	9024	26 December 2018
Is there any way to update the flow creds encryption key outside of the editor? General	5	110	26 June 2024
How to lock the access to http://127.0.0.1:1880/#flow/ General	2	162	27 March 2023
Flows missing after http securing General	2	110	5 October 2023
Your flow credentials file is encrypted using a system-generated key General	58	31449	28 July 2021

Trying authorization on flow editor without secret key

Related Topics