User context in httpAdminMiddleware?

mw75 · 31 January 2022 09:34

Hi all,
i'm currently integrating node-red in an OpenID-connect context using keycloak as provider - see OAuth/OpenID logout with Keycloak . In this context i found the httpAdminMiddleware settings and tried it out.

I documented in the PR regarding the topic above:
If the httpAdminMiddleware had access to the profile information provided by the authentication layer, it would be an option to set the username to a keyword like "no_node_red_permission" and redirect from the middleware in that case. Unfortunately this middleware seems to run in an independent middleware chain and i can't get a user context before or after the next() call.

Is my assumption with different chains correct or am i missing something?

Thanks for clearing that up for my!

Regards,
Mario

knolleary · 31 January 2022 10:50

I don't think it has been properly considered, so would be happy to discuss any proposed changes to make it more useful (as long as they are backwards compatible of course).

One challenge is identifying where the middleware should be inserted in the chain - whether it comes before or after the authentication layer. I can see uses for both.

mw75 · 1 February 2022 13:30

Why not both?
@node-red/editor-api/lib/index.js : 61

        if (settings.httpAdminMiddleware) {
            if (typeof settings.httpAdminMiddleware === "function" || Array.isArray(settings.httpAdminMiddleware)) {
                adminApp.use(settings.httpAdminMiddleware);
            } 
>            if (typeof settings.httpAdminMiddleware.early === "function" || Array.isArray(settings.httpAdminMiddleware.early)) {
>                adminApp.use(settings.httpAdminMiddleware.early);
>            } 
        }
...
...
... - 106 
        if (settings.httpAdminCors) {
            var corsHandler = cors(settings.httpAdminCors);
            adminApp.use(corsHandler);
        }   

>        if (settings.httpAdminMiddleware) {
>            if (typeof settings.httpAdminMiddleware.late === "function" || Array.isArray(settings.httpAdminMiddleware.late)) {
>                adminApp.use(settings.httpAdminMiddleware.late);
>            } 
>        }

        var adminApiApp = require("./admin").init(settings, runtimeAPI);
        adminApp.use(adminApiApp);

The default-early behavior is just to keep the current implementation stable.

PR on request.

mw75 · 5 February 2022 07:47

Any feedback would be appreciated @knolleary and @all!

knolleary · 5 February 2022 09:30

Happy to discuss in the context of a PR against the dev branch.

I'm not sure early and late is the right naming. Maybe preAuth and postAuth would be clearer and give scope for having other well-defined points a middleware could be inserted.

bubus · 14 March 2022 15:00

@mw75 @knolleary

Is there some estimation when such feature could be avalible?

system · 13 May 2022 15:00

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
httpAdminMiddleware setting for authentication from parent website General	3	874	14 September 2020
When to use which? RED.httpNode vs RED.httpAdmin Developing Nodes	5	2782	2 July 2020
Help - Middleware for httpin node Auth General security	6	198	2 October 2023
Catch editors 'access_token' from httpAdminMiddleware General http-request	2	292	25 October 2021
Alternate auth sources for httpNodeAuth Dashboard	11	4086	21 November 2020

User context in httpAdminMiddleware?

Related Topics