Hi guys,
It seems like a lot of our FRED users are using Node-RED to host their own sites/services for other users of their own via "http in" nodes. The problem is they don't really have an easy way of controlling who has access to their http endpoints opened by the http in node.
I've started on a node (node-red-contrib-users) that lets Node-RED admins designate a list of allowed users, plus a simple "middleware"-like node that sits after the "http in" node, checks whether a user is logged in, and redirects the request appropriately. The node generates JSON Web Tokens (JWT), stores them in a cookie, and uses them to authenticate users. It also allows the flow to distinguish who is logged in via the username in the JWT payload, and a custom "scope" field attached to each user can be used for permission-level checks. A typical usage would be to use a change node and route the request to different pages depending on user scope/permission (see example flow).
The node works similarly to other nodes that use JWT, such as node-red-contrib-auth, but aims to make it easier to integrate with existing flows running http nodes. More details can be found in the readme.
Example flow: (see readme for json)

More work is needed to make it more flexible and to accommodate other use cases and integrations (external user systems, OAuth, etc.).
Any feedback would be greatly appreciated!
Ted