mirror of https://github.com/node-red/node-red.git
Initial version
parent
9cf81c9cf8
commit
49939efa9b
@ -0,0 +1,34 @@
# Description
Access to the admin API is based on access tokens.
With password-based auth, a simple flow is available to get exchange username/password for a session token.
With the introduction of strategy-based auth, it is much harder to automate access to the api. For example, where auth is based on interaction with the Twitter website.
## Configuration
The `apiAccessTokens` propety in `settings.js` can used to add the setting-defined accessToken.
```Javascript
apiAccessTokens: [
// you can add multiple access tokens
{
token: "0123456789abcdefghijk", // access token
user: "root", // user
scope: ["*"] // scope
}
]
```
* **acccess token**
The access token is used to access the adminAPI by setting it in HTTP Bearer header. The value should be a string with the different length from session token in order to avoid a conflict between access tokens and session tokens.
* **user**
The user is used to identify as which user access the adminAPI. The value in the user should be the `username` property in any record in `adminAuth.users` property in `settings.js` file.
* **scope**
The scope is used to specify which access permissions is granted to the specified user. This value should be a array object like `permissions` property in a record in `adminAuth.users` property in `settings.js` file.
## Behaver/Implementation
* The verify process for access token is implemented in the exisiting session token functions in `red/api/auth/tokens.js`. This means that we should NOT change the other functions.
* If same access tokens are defined in `apiAccessTokens` property in `settings.js` file, the only last access token is active. This means that scope properties are NOT merged.
* If the specified access token is same to a session token, the specified access token is active but the session token is NOT active.
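Review bot: the advice in the **access token** paragraph to pick a value with "the different length from session token" to avoid a conflict is fragile and contradicts the last bullet under Behaver/Implementation, which already says a configured access token wins over an identical session token; document the lookup order in `red/api/auth/tokens.js` (configured `apiAccessTokens` checked before the session store) and drop the length-based guidance. The sample `token: "0123456789abcdefghijk"` also reads like a value an operator might copy as-is; the Configuration section should require a long, randomly generated token and note that, since it sits in plaintext in `settings.js`, that file must not be readable by other users. The "only the last access token is active" rule for duplicate entries silently discards the earlier scopes; consider rejecting duplicates at startup or at least logging a warning, and state what happens when `user` matches no `username` in `adminAuth.users`. Spelling: "propety", "acccess token", "exisiting", "Behaver".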