Merge pull request #2555 from node-red/authMiddleware

Add httpAdminMiddleware to allow custom headers on admin routes

packages/node_modules/@node-red/editor-api/lib/index.js

@@ -59,6 +59,12 @@ function init(settings,_server,storage,runtimeAPI) {
         });
         adminApp.use(corsHandler);
 
+        if (settings.httpAdminMiddleware) {
+            if (typeof settings.httpAdminMiddleware === "function") {
+                adminApp.use(settings.httpAdminMiddleware)
+            }
+        }
+
         auth.init(settings,storage);
 
         var maxApiRequestSize = settings.apiMaxLength || '5mb';

packages/node_modules/node-red/settings.js

@@ -182,6 +182,17 @@ module.exports = {
     //    next();
     //},
 
+
+    // The following property can be used to add a custom middleware function
+    // in front of all admin http routes. For example, to set custom http
+    // headers
+    // httpAdminMiddleware: function(req,res,next) {
+    //    // Set the X-Frame-Options header to limit where the editor
+    //    // can be embedded
+    //    //res.set('X-Frame-Options', 'sameorigin');
+    //    next();
+    // },
+
     // The following property can be used to pass custom options to the Express.js
     // server used by Node-RED. For a full list of available options, refer
     // to http://expressjs.com/en/api.html#app.settings.table