http in node - protect with Basic Auth


jo2

Aug 25, 2015, 6:19:32 AM
to Node-RED
Hi!
I wanted to protect some of my public http in nodes (running in Bluemix).

I ended up putting a Function node behind the http in node to mimic HTTP server Basic Auth challenge and verification.

It would be nice to have Basic Auth available in the http in node UI, like for http request node >/(

Here is the code from the Function node. It has 2 outputs, one for successful authentication, one for failed.

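// Node-RED Function node with 2 outputs: [authenticated, rejected]
var username = 'janedoe';
var password = 'password';
// Do not log the Authorization header or its decoded value: it carries the credentials.
var header = msg.req.get('Authorization');
var parts = header ? header.split(' ') : [];

if (parts.length === 2 && parts[0].toLowerCase() === 'basic') {
   // Buffer.from replaces the deprecated new Buffer() constructor
   var decoded = Buffer.from(parts[1], 'base64').toString();
   // Split on the first ':' only, so a password containing ':' stays whole
   var sep = decoded.indexOf(':');
   var user = sep < 0 ? decoded : decoded.slice(0, sep);
   var pwd = sep < 0 ? undefined : decoded.slice(sep + 1);
   if (username === user && password === pwd) {
      msg.payload = {'Auth' : 'ok'};
      return [msg, null];
   } else {
      msg.headers = {'WWW-Authenticate' : 'Basic'};
      msg.statusCode = 401;
      return [null, msg];
   }
} else {
   // Missing or malformed header: send the Basic challenge
   msg.headers = {'WWW-Authenticate' : 'Basic'};
   msg.statusCode = 401;
   return [null, msg];
}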

Nicholas O'Leary

Aug 25, 2015, 6:36:18 AM
to Node-RED Mailing List
Hi,

I realise you say you want to do this for 'some' of your nodes, but in case you weren't aware, you can enable basic auth across all http nodes via your settings file - have a look at httpNodeAuth here: http://nodered.org/docs/configuration.html

We'd held off exposing this sort of thing on a per-node basis as it quickly becomes quite involved if you want to do anything other than have a hard-coded user/password.

Nick



jo2

Aug 25, 2015, 7:23:18 AM
to Node-RED
Hi Nick and thank you for quick reply on this!

Yes I have read about the httpNodeAuth setting. But I need / want the protection for only selected http in nodes.

I see that my dumb Basic Auth function messes up for the browser, it stores the credentials for the site, and then I suddenly cannot log in to the Node-RED UI in the same browser session without clearing the credentials...;-)

What if http in node Basic Auth could authenticate in same way as the UI and admin API, e.g. a "userAuth" property?
Or a modified httpNodeAuth property? Will it get too messy?

Cheers
-jo

Julian Knight

Aug 30, 2015, 7:56:41 AM
to Node-RED
Also don't forget to make sure that you are only using TLS (https) if using basic auth otherwise you are transmitting your id and password in clear text over the net.

alan

Apr 12, 2016, 1:53:44 PM
to Node-RED
Hi all, would just like to resurrect this if I may. I have exactly this need for basic auth on some nodes. Now I do acknowledge your point Nick, that handling many differing auth settings on http nodes could get messy. But how about some kind of option to just switch on/off the defined basic auth on a per node basis? That would probably provide a solution that works for many (*if* there are many with this problem of course!).

In the meantime, I'd be very interested in following up with jo2 - what was your solution in the end? And does anybody have a workaround otherwise?! My specific case is that I need basic auth on all http in nodes except one - a mail confirm link from a mail received by our user. You see the problem I suppose...

I've got this harebrained idea to link that mail confirm to a static page which then forwards to the correct http in node with the necessary basic auth...? As basic auth is set separately for static content, I guess that might be a solution, right?

Julian Knight

Apr 12, 2016, 3:32:14 PM
to Node-RED
You might be better off implementing NR as an embedded version so that you get more control over the ExpressJS server and should be able to apply security by path?
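
Security by path in an embedded Node-RED, as suggested above, could look like the following Express-style middleware, which protects every http in path except a listed few. This is an added example, not code from any poster in this thread or from the Node-RED project; `basicAuthExcept`, the `/confirm` path, the `flows` realm and the `creds` object are hypothetical, and it goes slightly beyond the thread by accepting passwords that contain ':' and comparing in constant time.

```javascript
// Added example: Express-style middleware, not code from the thread.
const crypto = require('crypto');

// Compare two strings without leaking the position of the first mismatch.
// Hashing first gives timingSafeEqual the equal-length inputs it requires.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Parse "Basic <base64(user:pass)>"; returns null for anything malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');          // the password may contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// exempt: paths left open (hypothetical, e.g. a mail-confirm link).
// Matching is exact, so any variant of an exempt path still requires auth.
function basicAuthExcept(exempt, creds, realm) {
  return function (req, res, next) {
    if (exempt.includes(req.path)) return next();
    const got = parseBasic(req.headers.authorization);
    // Evaluate both comparisons so a wrong user costs the same as a wrong password.
    const userOk = got !== null && safeEqual(got.user, creds.user);
    const passOk = got !== null && safeEqual(got.pass, creds.pass);
    if (userOk && passOk) return next();
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Basic realm="' + realm + '"');
    res.end('Unauthorized');
  };
}

// Embedded Node-RED usage (assumes an Express `app` and a `settings` object):
//   app.use(settings.httpNodeRoot, basicAuthExcept(['/confirm'], creds, 'flows'));
//   app.use(settings.httpNodeRoot, RED.httpNode);
```

Load the credentials from the environment or a secrets store rather than hard-coding them, and serve the app over TLS only.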

jo2

Apr 12, 2016, 7:08:46 PM
to Node-RED
Hi alan!
Interesting thought, are you going to try it out?

I am still using the same workaround. It might be an idea packaging the nodes handling it into a subflow for reuse.
But not sure if a subflow can be the "input node" for a flow...

Cheers
-jo2

alan

Apr 18, 2016, 6:19:12 PM
to Node-RED
Jo2 yeah, I did try out. And it works! Although what I actually did in the end was set up an express server on another port that makes the basic auth request for me. Problem solved!

After going through this exercise, it seems likely that embedding NR as Julian suggested would be a tidier, more elegant way to go. I will probably redo this in the near future to that end.

Btw, don't think you can have a sub flow as an input node. I certainly haven't worked out how to if so...
Thanks!
Alan