Hi all,
I'm currently integrating Node-RED in an OpenID Connect context using Keycloak as provider - see OAuth/OpenID logout with Keycloak. In this context I found the httpAdminMiddleware setting and tried it out.
I documented in the PR regarding the topic above:
If the httpAdminMiddleware had access to the profile information provided by the authentication layer, it would be an option to set the username to a keyword like "no_node_red_permission" and redirect from the middleware in that case. Unfortunately this middleware seems to run in an independent middleware chain and I can't get a user context before or after the next() call.
Is my assumption about different chains correct or am I missing something?
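To make the idea in the post concrete, here is an added example (not code from the thread or from the Node-RED project) of a guard in the `function (req, res, next)` shape that settings.js expects for httpAdminMiddleware. It assumes a hook at which the authenticated profile is already available as `req.user` (which the post says the current middleware does not get), the marker username from the post, and a hypothetical landing page `DENIED_URL`; the harness that calls it is constructed so the guard runs without a server.

```javascript
// Added example, not Node-RED's own code. ASSUMES the authenticated profile is
// exposed on req.user when this middleware runs; the thread reports that the
// current httpAdminMiddleware chain does not provide it.
const DENIED_KEYWORD = "no_node_red_permission"; // marker username from the post
const DENIED_URL = "/no-permission";              // assumed landing page, not a Node-RED path

// Paths the guard never blocks, so the landing page itself stays reachable.
// Add the provider's login/callback paths here in a real deployment.
const PASSTHROUGH = [DENIED_URL];

function isBrowserNavigation(req) {
  const accept = (req.headers && req.headers.accept) || "";
  return accept.includes("text/html");
}

// Only the marker username is treated as "authenticated but not permitted";
// a missing req.user is left to the authentication layer to handle.
function permissionGuard(req, res, next) {
  if (PASSTHROUGH.includes(req.path)) return next();
  const denied = req.user && req.user.username === DENIED_KEYWORD;
  if (!denied) return next();
  if (isBrowserNavigation(req)) {
    // Editor page loads get a redirect the browser will follow.
    res.redirect(302, DENIED_URL);
  } else {
    // Admin API / XHR calls get an explicit 403 rather than an HTML redirect.
    res.status(403).json({ error: "forbidden", reason: "no Node-RED permission" });
  }
}

// Constructed harness: runs the guard against a plain request object and
// records whether it called next(), redirected, or answered directly.
function simulate(req) {
  const out = { next: false, status: null, location: null, body: null };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
    redirect(code, url) { out.status = code; out.location = url; return this; },
  };
  permissionGuard(req, res, () => { out.next = true; });
  return out;
}
```

In settings.js the guard would be assigned as `httpAdminMiddleware: permissionGuard`, but that only helps once the profile is actually visible to it, which is exactly the question raised above.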
I don't think it has been properly considered, so would be happy to discuss any proposed changes to make it more useful (as long as they are backwards compatible of course).
One challenge is identifying where the middleware should be inserted in the chain - whether it comes before or after the authentication layer. I can see uses for both.
Happy to discuss in the context of a PR against the dev branch.
I'm not sure early and late is the right naming. Maybe preAuth and postAuth would be clearer and give scope for having other well-defined points a middleware could be inserted.