0 Design: API Token management
Hideki Nakamura edited this page 2018-08-28 17:13:37 -07:00

Description

Access to the admin API is based on access tokens. With password-based auth, a simple flow is available to exchange a username/password for a session token.

With the introduction of strategy-based auth, it is much harder to automate access to the API, for example where auth is based on an interactive login with the Twitter website.

Configuration

The adminAuth.tokens property in settings.js can be used to add setting-defined access tokens. If you would like to use not only this access token feature but also a Node-RED plugin module for authenticating users, such as node-red-auth-github, you can define the module in the adminAuth.module property.

adminAuth: {
    module: require('node-red-auth-github')({
        ...
    }),
    tokens: [
        // you can add multiple access tokens
        {
            token: "0123456789abcdefghijk",  // access token
            user: "root",                    // user
            scope: ["*"]                     // scope
        }
    ]
}

  • token The token is used to access the admin API by sending it in the HTTP Authorization header as a Bearer token. The value should be a string whose length differs from that of a session token, in order to avoid a conflict between access tokens and session tokens.

  • user The user identifies the user as which the admin API is accessed. The value should match the username property of a record in the adminAuth.users property in the settings.js file.

  • scope The scope specifies which access permissions are granted to the specified user. The value should be an array, like the permissions property of a record in the adminAuth.users property in the settings.js file.

Behavior/Implementation

  • The verify process for access tokens is implemented in the existing session token functions in red/api/auth/tokens.js. This means that we should NOT change the other functions.
  • If the same access token is defined more than once in the adminAuth.tokens property in the settings.js file, only the last definition is active. This means that scope properties are NOT merged.
  • If the specified access token is the same as a session token, the access token is active and the session token is NOT active.
  • If a user defines the module property together with the type, strategy or users properties in adminAuth, Node-RED overwrites the type, strategy and users properties in adminAuth with those of the object in the module property.

Comments:

  • NOL: The apiAccessTokens setting should be under adminAuth. I suggest adminAuth.tokens

  • HNK: If we adopt your suggestion, we have to write the following code as an adminAuth object, because users usually use not only the API token feature but also the user authentication feature.

     adminAuth: Object.assign(require('node-red-auth-github')({
         clientID: GITHUB_CLIENT_ID,
         clientSecret: GITHUB_CLIENT_SECRET,
         baseURL: "http://localhost:1880/",
         users: [
            { username: "knolleary",permissions: ["*"]}
         ]
     }), {
         apiAccessTokens: [
             { token: XXXXXX, user: "root", scope: ['*'] }
         ]
     })
    

    I think it is not convenient for users to define the above adminAuth object. Please give me your comments or advice.

  • NOL: Good point; that doesn't look good, but I think we can find a cleaner way. Currently we allow external modules by doing:

     adminAuth: require('node-red-auth-github')({ ... })
    

    That sets the entire adminAuth settings. We could add support for something like the following to give us space to have additional settings:

     adminAuth: {
         module: require('node-red-auth-github')({ ... }),
         tokens: [
            ...
         ]
     }
    
  • HNK: LGTM. I updated this wiki based on the above comments.