Viewing the `settings` an alternate way - Problem?

About a month ago I was being helped and I was asked to open a page:
(ip address):1880/settings

And all I got was unauthorized

This was on a remote machine with passwords set.

If I do it on my local machine - NO PASSWORD set - it works.

Ok, I get it - kinda.
That machine has passwords set.

But here's the Rub:
If I open the edit screen and try to edit, I am prompted for the password then all is good.

It just seems strange that the edit screen asks for the password but the settings page doesn't.

It seems that the editor/admin page prompts for the password by design, while some of the other admin routes do not.

Open the developer console and look at the various requests when on the editor page and you will see that there are 2 types of auth headers:

Authorization: Basic dXNlcjA6OFtiUjAjLjshQzY7ekNpUiNlWXYhVk9bLFk=
Authorization: Bearer mkO5F3sKHjYsR2DaBaiPBqvon4wOOscWn3vP0w6DXaPh8C/UONODokMQphizc830etXx+ZYDeKrFxnOPAJ9dx96EwWR63gxHcJJZy3YOd2RXp1r6r5lBCDSe/s6n4cHSXDTh8XtU6AveOW6DezZp19GjgAFEEou21avmrnd189A=

The bearer token routes are the ones that you will not be able to just simply view in the browser directly. They are usually called from a node's config panel back to its route that was added to RED.httpAdmin and then protected with middleware RED.auth.needsPermission. The editor automatically patches the ajax requests with the necessary headers.

I am seeing a lot of words, but I am not understanding what they mean. (My problem)

I don't understand why it is that if there are passwords set, you can't open that page.
Although I am also not sure what good it would do if I could.

I've never opened that page before anyway.
It was/is more an anomaly for me.

The /settings is an API endpoint used by the application. It isn't intended to be accessed directly by a user. It can only be accessed if the request includes the proper authentication header.

The editor is a full application. It copes with missing authentication information because it expects users to try accessing it and for them to need to login. Once they login, the editor knows how to include the proper authentication header when it makes requests to the api (such as to /settings).

Your browser does not know how to add the required headers by itself when you ask it to access the /settings route.

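The explanation above, as an added example that is not part of the original thread and is not Node-RED's own code: a simplified model of a bearer-token check in front of an admin API route, showing why a bare browser request to /settings is refused while a request carrying the token obtained at login succeeds. The session store, user names and function names are constructed for illustration; the `settings.read` permission and the `*` / `read` scopes follow Node-RED's documented admin permissions, and the 403 for an insufficient scope is conventional HTTP behaviour, assumed here.

```javascript
// Simplified model of an admin API auth check (added example, not Node-RED code).
const crypto = require('crypto');

// Constructed session store: token -> { user, scope }.
// A real server issues these at login and expires them.
const sessions = new Map();

function login(user, scope) {
  const token = crypto.randomBytes(32).toString('base64');
  sessions.set(token, { user, scope });
  return token;
}

// "*" grants everything, "read" grants any "<thing>.read" permission,
// otherwise the scope must equal the permission exactly.
function hasPermission(scope, permission) {
  if (scope === '*' || scope === permission) return true;
  if (scope === 'read') return /\.read$/.test(permission);
  return false;
}

// Returns the HTTP status the protected route would answer with.
// Header names are lower-case, as Node's http module delivers them.
function checkRequest(headers, permission) {
  const m = /^Bearer (\S+)$/.exec(headers['authorization'] || '');
  if (!m) return 401;                       // no header: a plain browser visit
  const session = sessions.get(m[1]);
  if (!session) return 401;                 // unknown or expired token
  return hasPermission(session.scope, permission) ? 200 : 403;
}

// Walk through the cases discussed in the thread.
function demo() {
  const adminToken = login('admin', '*');
  const viewerToken = login('viewer', 'read');
  const bearer = (t) => ({ authorization: 'Bearer ' + t });
  return {
    browserDirect: checkRequest({}, 'settings.read'),
    editorAfterLogin: checkRequest(bearer(adminToken), 'settings.read'),
    viewerReads: checkRequest(bearer(viewerToken), 'settings.read'),
    viewerWrites: checkRequest(bearer(viewerToken), 'flows.write'),
    forgedToken: checkRequest(bearer('not-a-real-token'), 'settings.read'),
  };
}

console.log(demo());
```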

Thanks for taking the time to explain it in words I better understand.

I still don't get the whole inter-relationship of it all, but how you explained it is slightly easier for me to understand.

I am having enough problems with structures of messages and how to parse them.
At a program level - although probably the same - I am not going to say I understand it as poorly as I do at the message level.
