NODE-RED website login

[Ondřej Nedělka]

Hello guys,

just installed a NODE-RED on my RPi 2b, everything works perfectly. I wanted to lock the flow editing website, so i followed: http://nodered.org/docs/security .

Now, I have locked website, that I cannot access using my password.

When i was trying to generate a token, i shows this:

{"error":"invalid_grant","error_description":"Invalid resource owner credentials"}

I tried to disabble te security setings in settings.js, but nothing happend. The website is still locked. 

Can someone show me, how to properly put login at the NODE-RED website?

Thanks a lot!

[Ben Hardill]

Can you post the section of your settings.js (minus any passwords) so we can see what you've tried

[Ondřej Nedělka]

Hi, here it is:

    adminAuth: {

        type: "credentials",

        users: [{

            username: "admin",

            password: "",

            permissions: "*"

       }],

        default: {

        permissions: "read"

      }

    },

Thank you.

Dne čtvrtek 21. července 2016 11:39:06 UTC+2 Ben Hardill napsal(a):

[Ondřej Nedělka]

Does anyone tried to setup the security ?

Dne středa 20. července 2016 23:38:06 UTC+2 Ondřej Nedělka napsal(a):

[Nicholas O'Leary]

Yes, I use it every day.

What exactly are you doing to get the invalid grant response... I wouldn't expect you to see that if you were just logging into the editor.

Nick

--
http://nodered.org
 
Join us on Slack to continue the conversation: http://nodered.org/slack
---
You received this message because you are subscribed to the Google Groups "Node-RED" group.
To unsubscribe from this group and stop receiving emails from it, send an email to node-red+u...@googlegroups.com.
To post to this group, send email to node...@googlegroups.com.
Visit this group at https://groups.google.com/group/node-red.
For more options, visit https://groups.google.com/d/optout.

[Ondřej Nedělka]

I can't login, because I can't even setup the security it self. I followed the example, but at the step of generating a token I get this

{"error":"invalid_grant","error_description":"Invalid resource owner credentials"}

Could be so kind a post here your steps to setup the security with console commands?

That would helped me a lot.

Thanks for your time :)

You received this message because you are subscribed to a topic in the Google Groups "Node-RED" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/node-red/HJ3PCvfeRlw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to node-red+u...@googlegroups.com.

[Nicholas O'Leary]

Which steps are you following?

[Ondřej Nedělka]

http://nodered.org/docs/security

[Nicholas O'Leary]

And what exact action are you taking when you get the invalid-grant response? Are you running a command? Are you entering you user/password in the editors login dialog and submitting it?

[Ondřej Nedělka]

I'm runing a command to generate a token. But, do I even need the token for default user? I cannot access the site even as default user. 

adminAuth: {

        type: "credentials",

        users: [{

            username: "admin",

            password: "",

            permissions: "*"

       }],

        default: {

        permissions: "read"

      }

    },

Dne 29. 7. 2016 1:54 AM napsal uživatel "Nicholas O'Leary" <nick....@gmail.com>:

[Nicholas O'Leary]

And WHAT command are you running?

[Ondřej Nedělka]

This one: curl http://localhost:1880/auth/token --data 'client_id=node-red-admin&grant_type=password&scope=*&username=admin&password=password' http://nodered.org/docs/api/admin/oauth

[Nicholas O'Leary]

Before you start trying to manually generate tokens, first check you can login to the editor via your browser.

With the adminAuth setting you shared, assuming you do have a hashed password set for the admin user, you should:

1. be able to access the editor without logging in (because of the default user you have)

2. whilst in that state, you won't be able to deploy and changes or trigger an inject node (for example)

3. there will be the user menu in the top right next to the deploy menu, which has a login option. Selecting that will prompt you to log in. If you login with admin/<your-password> you should then be able to deploy changes etc.

Does all of that work?

Nick

[Ondřej Nedělka]

Hi Nick,

I cannot access the editor without loggin in.

[Nicholas O'Leary]

Do you mean you can access the editor by logging in with the username/password you set under adminAuth?

Or do you mean the editor always gives you the login prompt but you cannot get past it?

[Ondřej Nedělka]

Ah, sorry, I meant that I cannot enter editor at all, even as default.

[Nicholas O'Leary]

Can you send me your settings file (directly, not on the mailing list)? Can't look right now, but I don't know what to suggest as this definitely does work.

[Ondřej Nedělka]

Sure Nick, I appreciate your help.

​

 settings.js

​

Thanks!

[Nicholas O'Leary]

Hi,

that settings file is working fine for me, once I add a properly hashed password - in this case, I hashed 'test' and got $2a$08$Kbk9kchamodExMGHWTxBQemVBOog4VlejcO4TmKvlKWEQK9gcfY6y

This suggests there may be a problem with the way you're hashing your password. What command are you using to do that?

Nick

[Ondřej Nedělka]

I tried your hash, but still "Login Failed". I tried both commands

node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

and

node-red-admin hash-pw

Should I reinstall RPi OS and do everything from the start?

[Nicholas O'Leary]

So there are two assumptions I've made that its worth checking:

1. when node-red starts up, it logs the exact path of the settings file it is using. Are you sure you're editing the right one?

2. after you edit the file, are you restarting node-red for the change to take affect?

3. Using either of the hashing commands, could you hash the word 'password' (without quotes), put it in the settings file and then send it over to me?

Nick

[Ondřej Nedělka]

It works! 

It was issue number 1. 

Thanks a lot Nick for your help, I can finally deploy it in my house.

[vincent...@gmail.com]

Hi, Nick:

Nice to hear your instruction in this article, I'm vincentlin.

I have similar question like Ondřej, First, I'm sure I change the correct file to affect the default editor web login enable,

and I am using following  password hash tool also, my questions are:

node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

and

node-red-admin hash-pw

1.Is it correct to have different outcome with same plant text to hash? Such as in your example, after I hash "test" with these 2 tools, I get 2 different results and either different with yours.(I though it might be correct...but:)

2.How can I pair the result with username or more than one user (2~5) in settings.js?

3.May I have the working fine settings.js for reference?

Thanks a lot.

Vincent

Nick O'Leary於 2016年8月1日星期一 UTC+8上午4時28分54秒寫道：