Node-RED node for HTTP Basic Auth.
This Node-RED module performs HTTP Basic authentication. It is to be used in conjunction with an HTTP Input node.
In other words, it allows putting a password on a Node-RED HTTP listener node.
Note that this standard protocol sends passwords in plain-text by design, so HTTPS is required to ensure the security of the transmission.
Supports bcrypt to store passwords on disc (such as in the Apache htpasswd format). Note that this node will cache the bcrypt checks in memory (until the flow is redeployed / restarted) to improve performance (bcrypt is slow by design, to protect passwords on disc).
Example of flow, with username test and password test: flow.json
Can be tested with e.g.:
curl 'https://test:test@nodered.example.net/basic-auth-demo'
There are three types of configuration:
- Simple: each node has its own credentials. (one credential)
- Multiple credentials: credentials shared with multiple nodes. (multiple credentials)
- File with multiple credentials: the user credentials are stored in a file. (multiple credentials)
- Realm
  - Authorization realm for which the credentials will be valid
  - Example: node-red
- Username
  - The username
  - Example: alice
- Password
  - The password may be in plain-text or hashed (only bcrypt is supported)
  - Example in plain-text: test
  - Example in bcrypt: $2y$10$5TSZDldoJ7MxDZdtK/SG2O3cwORqLDhHabYlKX9OsM.W/Z/oLwKW6
- File
  - Location of the file containing the credentials, relative to the current working directory
  - Example: /data/.htpasswd
  - The format for each line is username:password

Example of file (see also Apache htpasswd):
user1:test
user2:$2y$10$5TSZDldoJ7MxDZdtK/SG2O3cwORqLDhHabYlKX9OsM.W/Z/oLwKW6
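An audit of a credentials file in the username:password format above, as an added example that is not part of this module: it flags plain-text entries, bcrypt cost factors below a threshold, duplicate usernames and malformed lines. The function name, the bcrypt-detection pattern and the default minimum cost of 10 are assumptions of this example, not the module's own behaviour.

```javascript
// Added example, not the module's code. auditCredentialLines is a hypothetical name.
// Assumed pattern for a bcrypt hash: $2a$/$2b$/$2y$, 2-digit cost, 53 more characters.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// Returns one finding per non-blank line: { line, username, kind, cost, issues }.
function auditCredentialLines(text, minCost = 10) { // minCost default is an assumption
  const findings = [];
  const seen = new Set();
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === '') return;
    // Split on the first colon only: a plain-text password may itself contain ':'.
    const sep = line.indexOf(':');
    if (sep <= 0) {
      findings.push({ line: idx + 1, username: '', kind: 'malformed', cost: null,
        issues: ['missing username or ":" separator'] });
      return;
    }
    const username = line.slice(0, sep);
    const secret = line.slice(sep + 1);
    const issues = [];
    let kind = 'plain-text';
    let cost = null;
    const m = BCRYPT_RE.exec(secret);
    if (m) {
      kind = 'bcrypt';
      cost = Number(m[1]);
      if (cost < minCost) issues.push(`bcrypt cost ${cost} is below ${minCost}`);
    } else if (secret.startsWith('$2')) {
      kind = 'malformed';
      issues.push('looks like bcrypt but is not a well-formed 60-character hash');
    } else {
      issues.push(secret === '' ? 'empty password' : 'password stored in plain-text');
    }
    if (seen.has(username)) issues.push('duplicate username');
    seen.add(username);
    findings.push({ line: idx + 1, username, kind, cost, issues });
  });
  return findings;
}

// Constructed sample; the hash body is the example value from this page (cost edited on user3).
const HASH_BODY = '5TSZDldoJ7MxDZdtK/SG2O3cwORqLDhHabYlKX9OsM.W/Z/oLwKW6';
const sample = ['user1:test', `user2:$2y$10$${HASH_BODY}`,
  `user3:$2y$04$${HASH_BODY}`, 'user1:a:b', ':orphan'].join('\n');

for (const f of auditCredentialLines(sample)) {
  console.log(f.line, f.username, f.kind, f.issues.join('; ') || 'ok');
}
```
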
The first node output is used when the authentication succeeded, and it contains the username:
"msg": {
  "realm": "node-red",
  "username": "alice",
  "req": "...",
  "res": "...",
  "...": "..."
}
The second node output is used when the authentication failed, and it contains error information:
"msg": {
  "realm": "node-red",
  "username": "",
  "authError": "Unknown user 'test'",
  "req": "...",
  "res": "...",
  "...": "..."
}
Both outputs contain the req object, which can be inspected for detailed information about HTTP request headers, IP address, URL, etc.
Here are examples to create hashed passwords:
sudo apt install apache2-utils
htpasswd -nbB -C 10 '' 'my-password' | cut -d: -f2
npm install bcryptjs
node -e "console.log(require('bcryptjs').hashSync('my-password', 10));"
Forked from endemecio02/node-red-contrib-httpauth (abandoned) by Alexandre Alapetite for the Alexandra Institute, October 2023.