Hi UIBuilder users,
I'm looking for a basic example of a basic authentication solution. I don't need a high level of security.
Just for blocking the basic users. Can anyone share something or help by showing me the right way?
Thanks for your help.
Probably would be best to keep to 1 related thread rather than two as I've already provided some background info in your other thread about the complexities of tracking connected users (it mostly comes down to how you want your system to work).
Authentication is a complex subject so you really need to start by sharing your requirements. You've indicated that you don't need a lot of security. I take that to mean that this system will not be accessible over the Internet and the value of the system is relatively low.
That being the case, an easy approach is to keep a database (can be a simple node-red flow variable as long as you don't have many users) in node-red. Each new connection should record the user id and ip address (probably, only you can really know at this point) and look up in the db whether that user is logged in. If not, show them a login form. The user fills in the form (ideally, get the front-end to hash the password before sending) and sends it to node-red. You have a flow that handles that form submission, compares the id and hash against your user db and, if they match, sends a response to the client that lets them now see the full UI rather than the login form. Record the fact that they are logged in in a db/variable.
Now that has no logout or expiry processing so you should make some decisions about that next.
It is also not terribly secure since anyone in the know could bypass the login and nothing stops them sending/receiving further data. So a further enhancement would be to not allow any data to/from the client unless they are logged in. That is where the persistent uibuilder user id and the IP address come in. If that data for the client doesn't match the record, invalidate their login and block them except for the login form submission.
That's about as simple as it gets and it doesn't require anything special other than uibuilder itself, an HTML form (maybe a standard hashing library to keep the password more secure - if you don't use this make certain that you only allow https communications, not http).
If you want more, I would generally recommend the use of something outside of node-red that is suited to authentication. The use of a proxy with authentication is generally easier to properly secure than having your own flows in node-red.
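The gate described in the reply above (login check, then every later message tied to the recorded client id and IP), as an added example that is not code from the thread or from uibuilder. The message fields (`clientId`, `ip`, `topic`, `payload`), the action names, the in-memory maps and the 30-minute expiry are all assumptions made for illustration.

```javascript
// Constructed sample data: user id, hash, client ids and IPs are placeholders.
const users = new Map([['alice', 'placeholder-hash-for-alice']]); // id -> hash as sent by the front-end
const sessions = new Map(); // clientId -> { userId, ip, expires }; stands in for a flow variable
const TTL_MS = 30 * 60 * 1000; // assumed 30-minute idle expiry

// Compare two hashes without stopping at the first differing character.
function sameHash(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// msg shape is hypothetical: { clientId, ip, topic, payload }.
// Returns what the flow should do next: 'pass', 'show-ui', 'show-login' or 'block'.
function gate(msg, now = Date.now()) {
  const { clientId, ip, topic, payload } = msg;
  if (!clientId || !ip) return { action: 'block' }; // cannot be tied to a record

  if (topic === 'login') {
    const { userId, hash } = payload || {};
    if (users.has(userId) && sameHash(users.get(userId), hash)) {
      sessions.set(clientId, { userId, ip, expires: now + TTL_MS });
      return { action: 'show-ui', userId };
    }
    sessions.delete(clientId); // failed login also drops any existing session
    return { action: 'show-login' };
  }
  if (topic === 'logout') {
    sessions.delete(clientId);
    return { action: 'show-login' };
  }

  // Everything else needs a live session whose IP matches the one recorded at login.
  const s = sessions.get(clientId);
  if (!s || s.ip !== ip || s.expires <= now) {
    sessions.delete(clientId); // mismatch or expiry invalidates the login
    return { action: 'show-login' };
  }
  s.expires = now + TTL_MS; // sliding expiry: activity extends the session
  return { action: 'pass', userId: s.userId };
}
```

Only messages that come back with `action: 'pass'` would continue into the rest of the flow; the other actions are answered with the login form or dropped.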
Thanks a lot @totallyInformation. I will follow your advice, it seems pretty clear to me.