No such thing as a stupid question - though plenty of stupid answers
And in this case, certainly not stupid, a very reasonable question in fact.
To use SQLlite or any other DB in security.js, you just need to remember that security.js is a node.js module. The code inside the exports section is used inside uibuilder.js which itself is, of course, inside Node-RED which runs under node.js.
Any code outside the export isn't directly accessible to uibuilder but it IS accessible to the functions in the export. That means, to use a DB, you need to find a node.js library that supports the db. You can then
require that library at the top of security.js and make use of the functions the library exposes inside the exported functions.
The functions in the export are standard and must be present in order for uibuilder to make use of them. There is a reasonably well defined set of inputs and outputs. Extended documentation is available in the technical docs. Please do, however, bear in mind that the API for security is not fully stable and might need to change in the future.
I hope that makes sense?
Please do let us know when you get something working - it would be great to get an example in the WIKI so that others can learn as well. And keep asking the questions - only way to learn. I also learn as you ask since I've absolutely no doubt that there are lots of things I've missed or bugs that are lurking in dark corners.
Again, the exact sequence of events should be documented in the technical docs.
At the moment, when you turn on security, you start to get more debug messages and nothing is actually secured. However, most if not all of the functions are in place. So in theory, you could add a simple check to the input and output of your uibuilder node that prevented data from flowing if the user wasn't authenticated.
When security is on, all messages should contain a msg._auth object
If the client isn't authenticated, that should be reflected in the object as seen above.
At present, only when you call the logon function will the security.js userValidate function get called. If that function returns an _auth object showing that authentication succeeded, A JWT token is created and attached to the _auth object.
After that, every message received by uibuilder validates the JWT which MUST be provided in the msg._auth for every message. The uibuilderfe library does this for you. That library also provides logon and logoff convenience functions.
The JWT has an embedded timeout. If a msg is received and the timeout has expired, the client will be invalidated and will have to log back in. There is a setting in uibuilder to auto-extend that timeout. What that does is exend the timeout every time a msg is received from the client that contains the JWT.
WARNING: JWT is NOT a security feature on its own. The token can be hijacked and replayed. So token lifespans should be short. This is an area that needs improving in uibuilder, we need a standard mechanism to add other checks to the token check - for example checking if the token was received from the same IP address as the original. So some additional standard functions will need to be added to security.js and linked to from the create/validate token functions but they aren't there yet.
So, yes, you need to call the
uibuilder.logon function in your front-end, passing at least the ID (and generally a password). That sends a control msg back to uibuilder which, in turn, calls its own logon function that then calls the security.js userValidate. In the userValidate function, you will replace the default code with something that tests the uid and pw against your db.
Note that when storing passwords in a db - ALWAYS securely hash the pw before saving and only ever compare the hashes. Also, because you are sending the password from the front-end to Node-RED, you MUST always use TLS (HTTPS & WSS) - uibuilder will whinge at you if you don't because implementing that in live without TLS, your passwords are sent over the wire in clear text.
uibuilder then sends a response message back to your front end code that you can validate. The following function is an example of code that will let you take actions in your front-end if the client is logged on or off:
// If user is logged on/off
console.info('[indexjs:uibuilder.onChange:isAuthorised] isAuthorised changed. User logged on?:', isAuthorised)
console.log('authData: ', uibuilder.get('authData'))
vueApp.isLoggedOn = isAuthorised
You can use this for turning on/off the appropriate login/logout form in your html.
If you want, once uibuilder v4 is published, I can create a new security branch and we could use that to expand the security features.
If you have any thoughts or ideas on how security should work, please do let me know.