@alexandrainst/node-red-http-basic-auth 3.2.0
Node-RED node for HTTP Basic Authorization
This Node-RED module performs HTTP Basic authentication. It is to be used in conjunction with an HTTP Input node.
In other words, it allows putting a password on a Node-RED HTTP listener node.
Note that this standard protocol sends passwords in plain-text by design, so HTTPS is required to ensure the security of the transmission.
Supports bcrypt to store passwords on disc (such as in the Apache htpasswd format). Note that this node will cache the bcrypt checks in memory (until the flow is redeployed / restarted) to improve performance (bcrypt is slow by design, to protect passwords on disc).
Example
Example of flow, with username test and password test: flow.json
Can be tested with e.g.:
curl 'https://test:test@<your-node-red-host>/basic-auth-demo'
Config
There are three types of configuration:
- Simple: each node has its own credentials. (one credential)
- Multiple credentials: credentials shared with multiple nodes. (multiple credentials)
- File with multiple credentials: the user credentials are stored in a file. (multiple credentials)
Definitions
Realm
- Authorization realm for which the credentials will be valid
- Example: node-red
Username
- The username
- Example: alice
Password
- The password may be in plain-text or hashed (only bcrypt is supported)
- Example in plain-text: test
- Example in bcrypt: $2y$10$5TSZDldoJ7MxDZdtK/SG2O3cwORqLDhHabYlKX9OsM.W/Z/oLwKW6
File
- Location of the file containing the credentials, relative to the current working directory
- Example: /data/.htpasswd
- The format for each line is username:password
Example of file (see also Apache htpasswd):
user1:test
user2:$2y$10$5TSZDldoJ7MxDZdtK/SG2O3cwORqLDhHabYlKX9OsM.W/Z/oLwKW6
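An added example (not part of this module's code): a small Node.js audit of a credentials file in the format above, flagging entries that are not bcrypt, bcrypt hashes with a low cost factor, truncated hashes, duplicate users and malformed lines. The function name, the issue labels and the minimum cost of 10 are assumptions; the sample lines beyond the page's two are constructed.

```javascript
// Added example: audit an htpasswd-style file (one username:password per line).
// Names, issue labels and thresholds are assumptions made for illustration.

const MIN_COST = 10; // assumed minimum bcrypt cost; 10 matches the page's examples

// bcrypt shape: $2a$/$2b$/$2y$, two-digit cost, then 53 chars of salt + hash
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/;

function auditHtpasswd(text) {
  const findings = [];
  const seen = new Set();
  text.split(/\r?\n/).forEach((line, i) => {
    if (line.trim() === '') return; // skip blank lines
    const lineNo = i + 1;
    const sep = line.indexOf(':'); // split on the first colon only
    if (sep <= 0 || sep === line.length - 1) {
      findings.push({ lineNo, user: null, issue: 'malformed' });
      return;
    }
    const user = line.slice(0, sep);
    const secret = line.slice(sep + 1);
    if (seen.has(user)) findings.push({ lineNo, user, issue: 'duplicate-user' });
    seen.add(user);
    const m = BCRYPT_RE.exec(secret);
    if (!m) {
      // A '$2' prefix with the wrong shape suggests a truncated or corrupted hash;
      // anything else is plain text or a hash format other than bcrypt.
      const issue = secret.startsWith('$2') ? 'broken-bcrypt' : 'not-bcrypt';
      findings.push({ lineNo, user, issue });
    } else if (Number(m[1]) < MIN_COST) {
      findings.push({ lineNo, user, issue: 'low-cost' });
    }
  });
  return findings;
}

// Constructed sample: the first two lines are the page's example file.
const HASH_BODY = '5TSZDldoJ7MxDZdtK/SG2O3cwORqLDhHabYlKX9OsM.W/Z/oLwKW6';
const SAMPLE = [
  'user1:test',
  'user2:$2y$10$' + HASH_BODY,
  'user3:$2y$04$' + HASH_BODY,              // constructed: shape-valid, cost 4
  'user4:$2y$10$' + HASH_BODY.slice(0, 40), // constructed: truncated hash
  'user2:pa:ss',                            // constructed: duplicate user, colon in password
  'nocolon',                                // constructed: no separator
].join('\n');

console.log(auditHtpasswd(SAMPLE));
```

To audit a real file, pass the contents read with fs.readFileSync(path, 'utf8') to auditHtpasswd.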
Outputs
The first node output is used when the authentication succeeded, and it contains the username:
"msg": {
"realm": "node-red",
"username": "alice",
"req": "...",
"res": "...",
"...": "..."
}
The second node output is used when the authentication failed, and it contains error information:
"msg": {
"realm": "node-red",
"username": "",
"authError": "Unknown user 'test'",
"req": "...",
"res": "...",
"...": "..."
}
Both outputs contain the req object, which can be inspected for detailed information about HTTP request headers, IP address, URL, etc.
Hints
Here are examples to create hashed passwords:
In Linux Debian / Ubuntu command line
sudo apt install apache2-utils
htpasswd -nbB -C 10 '' 'my-password' | cut -d: -f2
With Node.js
npm install bcryptjs
node -e "console.log(require('bcryptjs').hashSync('my-password', 10));"
Credits
Forked from endemecio02/node-red-contrib-httpauth (abandoned) by Alexandre Alapetite for the Alexandra Institute, October 2023.