Securing NodeRED dashboard from unwanted access

Question

I'm trying to create some kind of user authentication to prevent unwanted access to my NodeRED's User Interface. I've searched online and found 2 solutions, that for some reason didn't worked out. Here they are:

Tried to add the httpNodeAuth{user:"user", pass:"password"} key to the bluemix-settings.js but after that my dashboard kept prompting me to type username and password, even after I typed the password defined at pass:"password" field.
Added the user defined Environtment Variables NODE_RED_USERNAME : username and NODE_RED_PASSWORD : password . But nothing has changed.

Those solutions were sugested here: How could I prohibit anonymous access to my NodeRed UI Dashboard on IBM Cloud(Bluemix)? Thanks for the help, guys!

Here is a little bit of the 'bluemix-settings.js'

 autoInstallModules: true,

// Move the admin UI
httpAdminRoot: '/red',

// Serve up the welcome page
httpStatic: path.join(__dirname,"public"),

//GUI password authentication (ALEX)
httpNodeAuth: {user:"admin",pass:"$2y$12$W2VkVHvBTwRyGCEV0oDw7OkajzG3mdV3vKRDkbXMgIjDHw0mcotLC"},
functionGlobalContext: { },

// Configure the logging output
logging: {

An Update...I've tried to hash the password here: https://bcrypt-generator.com/ , but I still getting the same prompt for username/password... — AlexMacabu, Aug 28 '20 at 16:53
Please add some more details to your question. Are you running in the cloud? If so which one? What version of node-red are you using? By default, and for some time now, when you spin up a new instance of node-red in the cloud you are given an option of securing it. Leaving it unsecure requires you to consciously select the unsecure option. — chughts, Sep 01 '20 at 13:02
The web bcrypt generator probably failed because it used the wrong number of rounds (it looks to default to 12 and Node-RED is expecting 8) — hardillb, Sep 01 '20 at 14:48
Oh, sorry! I forgot to mention... I'm using NodeRED hosted at IBM Cloud, that's why my settings file it's called 'bluemix-settings.js'. I've tried to hash the password with 4,8 and 10 rounds and got the same output. It kept prompting me to type username/password even after the typed — AlexMacabu, Sep 01 '20 at 19:28
Sorry, it's not the number of rounds, its the length of the salt to generate. — hardillb, Sep 01 '20 at 21:42

score 0 · Answer 1 · answered Sep 01 '20 at 14:46

0

As described in the Node-RED docs here, you need to add a section as follows to the settings.js (or in the case of Bluemix/IBM Cloud the bluemix-settings.js file.

...
httpNodeAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
...

The pass files is a bcrypt hash of the password. There are 2 ways listed in the docs about how to generate the hash in the correct way.

if you have a local copy of Node-RED installed you can use the following command:
```
node-red admin hash-pw
```
As long as you have a local NodeJS install you can use the following:
```
node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here
```
You may need to install bcryptjs first with npm install bcryptjs first.

answered Sep 01 '20 at 14:46

hardillb

54,545
11
67
105

Thanks for the help! Yes I've added the httpNodeAuth section but I think I'm missing something, because I kept getting the same prompt over and over again, asking me to type to username and password, like if I was typing it wrong. – AlexMacabu Sep 01 '20 at 19:33
[Edit](https://stackoverflow.com/posts/63620499/edit) question to show the section you have edited into `bluemix-settings.js` so we can see it in context – hardillb Sep 01 '20 at 20:36
Also have you used the methods I mentioned, not the website? – hardillb Sep 01 '20 at 20:38
I've added a bit of the 'bluemix-settings.js', if it's not enough, I can add more or even upload the file. Regarding the methods that you've mentioned, since I'm running NodeRED on IBM, is there a way for me to run those commands? Or maybe change the length of the salt on bcrypt-generator.com ? Thanks ! – AlexMacabu Sep 01 '20 at 23:28
The second option is one you can run locally on your own machine – hardillb Sep 02 '20 at 06:41
So are you sugesting install NodeJS on my local machine and then run the command 'node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here' to hash the password. After that I just need to copy the hashed password string and paste it on my 'bluemix-settings.js' ? – AlexMacabu Sep 02 '20 at 11:49

Securing NodeRED dashboard from unwanted access

1 Answers1