httpNodeAuth with the dashboard path.

[vcailly]

I try to set httpNodeAuth to password protect the node-defined HTTP endpoints

httpNodeAuth: {user:"user",pass:"$2a$08$Yoi2hNXHuclRT2oJN5tpC.CvxRCscs5..03UI.*************"}

Dashboard is storing data in localSTorage ( localStorage stores information as long as the user does not delete them.),

Once data has been stored in the browser's localStorage, authentication is no more required

Authentication is required only once (unless you clear manually the localStorage of the browser). In my humble opinion, It is not really secured.

Is there a way to have the dashboard using sessionStorage (sessionStorage stores information as long as the session goes. Usually until the user closes the tab/browser), instead of localStorage .

[dceejay]

Hi,
not quite sure what is happening here. Are you saying that because it is storing some data in localStorage then the session never ends ? Or that once you log out, that the data is still there and this may be insecure ?

The only thing stored is the state of the groups (open or closed) so not particularly "leaky" - but I guess it could all be used to mean something. If this was stored in sessionStorage then next time you connect the groups would be back to default state - which is what this was trying to avoid.

The reality of course is that simple httpAuth is probably not the best way to handle this at all - and that with another auth scheme then the ui state data could potentially be held at the backend instead.

[vcailly]

It looks like the session never ending. The authentication windows popups only after clearing all "site data". I observe this behavior on both Firefox and chrome.

I am using:
node v6.13.1
node-red v0.18.4
node-red-dashboard v2.9.0

[Paul-Reed]

If you clear the browser application cache it will force a re-auth.
In chrome, use the url - chrome://appcache-internals/ to see and delete the respective cache.

[vcailly]

yes - but the problem is still there after the re-auth. The new session never ends.

[dceejay]

Hmm actually reverting this fix as localStorage does the right thing from the UX point of view. A better fix for this would be to allow the dashboard user to log out properly and thence delete localStorage at that point.... so re-opening for some time to think about it.

[sslupsky]

I am not sure if I am having the same problem so maybe this needs to be a new issue. I enabled adminAuth and httpNodeAuth. AdminAuth is working fine (tested with Safari). httpNodeAuth is not. Using Safari, no authentication is required to view the dashboard. Using FireFox, I get a message requesting credentials for the "AutoAuth Extension" ... I do not see the login dialog. Using Chrome, I see the "Sign in" dialog. Using Chrome, I used my credentials and successfully logged in. When I close the tab and open it again, I go straight to the dashboard without having to login.

I have attached a couple screenshots of Firefox and Chrome.

[dceejay]

Yes,
this seems to be a "feature" of basicAuth... most browsers seem to be too clever for themselves and keep hold of the credentials for the site - so when you go back they log you straight in.
There are some hacky ways to try to log out - but they don't seem to work reliably.

I have tried adding a logout button that attempts to login with a bad set of credentials and so then fails... and it does seem to work but ONLY if you use your browser in incognito mode. Once again the browser seems to keep the older good credentials hanging around and re-uses them when it can...

If anyone has any good ideas how to force basicAuth to logout then please shout.

[eppak]

Hello,
i have a similar problem, just put adminAuth in settings and restarting; the editor now ask for password but the /ui don't. Tried with private mode and a browser never accessed to this site. Any ideas?

Thanks

[dceejay]

the adminAuth and httpAuth are separate.
the Dashboard is not part of the Editor so is not protected by adminAuth

[eppak]

@dceejay Very kind, sorry for the misunderstanding on reading the docs, thanks!

[bneumann]

Just stumbled upon that. The credentials for httpAuth are definitly cached. Any other way of securing the dashboard?