User context in httpAdminMiddleware?

Hi all,
I'm currently integrating Node-RED in an OpenID Connect context using Keycloak as provider - see "OAuth/OpenID logout with Keycloak". In this context I found the httpAdminMiddleware setting and tried it out.

I documented in the PR regarding the topic above:
If the httpAdminMiddleware had access to the profile information provided by the authentication layer, it would be an option to set the username to a keyword like "no_node_red_permission" and redirect from the middleware in that case. Unfortunately this middleware seems to run in an independent middleware chain and I can't get a user context before or after the next() call.

Is my assumption about the different chains correct, or am I missing something?

Thanks for clearing that up for me!

Regards,
Mario

I don't think it has been properly considered, so would be happy to discuss any proposed changes to make it more useful (as long as they are backwards compatible of course).

One challenge is identifying where the middleware should be inserted in the chain - whether it comes before or after the authentication layer. I can see uses for both.

Why not both?
@node-red/editor-api/lib/index.js : 61

        if (settings.httpAdminMiddleware) {
            if (typeof settings.httpAdminMiddleware === "function" || Array.isArray(settings.httpAdminMiddleware)) {
                adminApp.use(settings.httpAdminMiddleware);
            } 
>            if (typeof settings.httpAdminMiddleware.early === "function" || Array.isArray(settings.httpAdminMiddleware.early)) {
>                adminApp.use(settings.httpAdminMiddleware.early);
>            } 
        }
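
Review bot: in the added `.early` branch, a settings object whose `early` value is neither a function nor an array (a misspelled key, for example) is skipped without any message, so a middleware that was meant to guard the admin endpoints can be dropped unnoticed. Consider logging a warning or rejecting the setting in that case, and turning the second `if` into an `else if` so the legacy function/array form and the object form are clearly exclusive.
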
...
...
... - 106 
        if (settings.httpAdminCors) {
            var corsHandler = cors(settings.httpAdminCors);
            adminApp.use(corsHandler);
        }   

>        if (settings.httpAdminMiddleware) {
>            if (typeof settings.httpAdminMiddleware.late === "function" || Array.isArray(settings.httpAdminMiddleware.late)) {
>                adminApp.use(settings.httpAdminMiddleware.late);
>            } 
>        }

        var adminApiApp = require("./admin").init(settings, runtimeAPI);
        adminApp.use(adminApiApp);
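
Review bot: the `late` hook is mounted directly before `adminApp.use(adminApiApp)`, and nothing in the lines shown establishes that the authenticated user is already attached to the request at that point. If authentication runs inside `adminApiApp`, this middleware sees the same missing user context as the early one, so confirm the ordering against the auth layer and document what `req` carries at each hook.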

The default-early behavior is just to keep the current implementation stable.

PR on request.

Any feedback would be appreciated @knolleary and @all!

Happy to discuss in the context of a PR against the dev branch.

I'm not sure early and late is the right naming. Maybe preAuth and postAuth would be clearer and give scope for having other well-defined points a middleware could be inserted.

1 Like
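
The ordering question discussed in this thread, as an added example that is not Node-RED code and not from any of the posters: a guard that redirects the marker username only works when it runs after the layer that sets `req.user`, and mounted before it the guard fails open. The chain runner, the `authLayer` stand-in, the tokens and the `/no-access` path are all assumptions made for the illustration.

```javascript
// Added illustration: a minimal Express-style chain runner (not Node-RED code).
// Each middleware has the signature (req, res, next), as in Express.
function runChain(middlewares, req) {
  const res = {
    redirectedTo: null,
    body: null,
    redirect(url) { this.redirectedTo = url; },
    send(body) { this.body = body; },
  };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return res;
}

// Stand-in for the authentication layer: maps a token to a profile.
// Tokens and profiles are constructed sample data.
const PROFILES = {
  "token-editor": { username: "alice" },
  "token-denied": { username: "no_node_red_permission" },
};
function authLayer(req, res, next) {
  req.user = PROFILES[req.headers.authorization] || undefined;
  next();
}

// Guard: redirect profiles carrying the marker username from the thread.
// The redirect target is a hypothetical path.
function guard(req, res, next) {
  if (req.user && req.user.username === "no_node_red_permission") {
    return res.redirect("/no-access");
  }
  next();
}

function editor(req, res) { res.send("editor"); }

function request(token) { return { headers: { authorization: token } }; }

// Guard mounted before auth: req.user is not set yet, so it never fires.
const preAuth = runChain([guard, authLayer, editor], request("token-denied"));
// Guard mounted after auth: the marker username is visible and redirected.
const postAuth = runChain([authLayer, guard, editor], request("token-denied"));
const allowed = runChain([authLayer, guard, editor], request("token-editor"));
console.log(preAuth.body, postAuth.redirectedTo, allowed.body);
```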

@mw75 @knolleary

Is there some estimation of when such a feature could be available?
