How to install require and CryptoJS module in Node-RED?
When starting Node-RED I am not getting any errors. While launching I am getting
Uncaught ReferenceError: require is not defined in the console.
I tried to install require and CryptoJS with the following commands.
npm install require
npm install crypto-js
and it is added in the package.json of Node-RED.
short answer - these are not node-red nodes.
longer answer - what is it you are trying to achieve? there may already be proper node-red nodes ready for use.
For Node-RED user login (custom user authentication), we are trying to encrypt the password on the client side before sending it to the server. So we are trying to install the require module.
In this particular file: node-red/packages/node_modules/@node-red/editor-client/src/js/user.js
before sending the ajax POST call
    $.ajax({
        url: "auth/token",
        type: "POST",
        data: body
    })
we are trying to encrypt the password using the Crypto.js library.
Again, I am no expert here, but I believe (typically) most folk just rely on HTTPS to encrypt the data from client to server (and/or use something like nginx)
Are you using https?
PS, as you are modifying the "backend" (core of node-red), is it your intention to maintain your own fork & keep it up to date with all the future improvements made by the node-red devs? Or are you intending on improving the node-red core and issuing a Pull Req to node-red so that your modifications are built in? If so, you would need to discuss with maintainers first.
PS2: You seem to be veering off from the solution that Nick pointed you towards back in July. Is there an issue with the documentation he provided?
Just to get this straight - you are trying to authenticate your users before they are allowed access to the Node-RED Editor? Or is it access to a web page served by Node-RED?
In either case, trying to encrypt in the browser is going to be the wrong approach. Encryption is generally reversible and doing it in the client creates all manner of security vulnerabilities.
You can cryptographically hash values in the client because that can't be reversed and it can be useful to hash a password before sending it to the server.
However, you still need to use TLS to give wire-level encryption from client to server. As Colin says, that can either be done using Node-RED itself or (probably more scalable) using a reverse proxy to terminate the TLS.
Using something like NGINX, IIS, Apache or whatever also lets you add user authentication (and even authorisation) using the proxy. This is generally easier to manage securely than trying to squeeze everything into Node-RED (though it can do it as well if needed).
ALWAYS use standards-based authentication and authorisation methods - NEVER roll your own as you seem to be trying to do.
All of the above is friendly advice, not professional guidance.
Above all else, if you need security and you aren't sure how to do it - get a professional - at least get your work tested by professionals.
Security is hard to get right but very easy to mess up.
Thanks for that link to @knolleary's link. Over the last week, I was working on a custom authentication system to protect my dashboard and mp4 video routes and was ready to move to the step of using my middleware to protect the admin section. I am not very good at reading the docs, apparently.
It seems that httpAdminMiddleware can only receive a single function and does not support receiving an array of functions, similar to the limitation of node-red-dashboard. In the meantime, I will rewrite my middleware to be a single function to be compatible.
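The workaround described in the post above (folding several middleware functions into the single function that httpAdminMiddleware is given), as an added example that is not part of the original thread or Node-RED's own code. `composeMiddleware`, `requireTls`, `requireToken`, `adminGuard`, `simulate` and the token value are hypothetical; the chain fails closed, so a rejected, thrown or errored check never reaches the editor.

```javascript
// Added example: fold an array of Express-style middleware into one function.
function composeMiddleware(middlewares) {
  if (!Array.isArray(middlewares) || !middlewares.every((m) => typeof m === "function")) {
    throw new TypeError("composeMiddleware expects an array of functions");
  }
  return function composed(req, res, done) {
    let index = 0;
    function next(err) {
      if (err) return done(err);                      // fail closed: skip remaining checks
      if (index >= middlewares.length) return done(); // every check passed
      const current = middlewares[index++];
      let called = false;
      const once = (e) => {
        if (called) return;                           // ignore a duplicate next() call
        called = true;
        next(e);
      };
      try {
        const result = current(req, res, once);
        // Async middleware: a rejected promise becomes an error, not a silent pass.
        if (result && typeof result.catch === "function") result.catch(once);
      } catch (thrown) {
        once(thrown);
      }
    }
    next();
  };
}

// Constructed sample checks; the names and the token value are hypothetical.
const requireTls = (req, res, next) =>
  req.secure ? next() : res.status(403).end();
const requireToken = (req, res, next) =>
  req.headers.authorization === "Bearer demo-token" ? next() : res.status(401).end();

// In settings.js the composed function would be assigned to httpAdminMiddleware.
const adminGuard = composeMiddleware([requireTls, requireToken]);

// Drives the guard with a stub request/response so the outcome can be inspected.
function simulate(req) {
  const res = {
    statusCode: 200,
    status(code) { this.statusCode = code; return this; },
    end() { return this; },
  };
  let reachedEditor = false;
  adminGuard({ headers: {}, ...req }, res, (err) => { reachedEditor = !err; });
  return { status: res.statusCode, reachedEditor };
}
```

`req.secure` is Express's own flag for a TLS connection; behind a TLS-terminating reverse proxy it is only true when the app trusts the proxy's forwarded headers.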