From ec2edff03c941d18b8fe84912e7e18ab9be7d7a3 Mon Sep 17 00:00:00 2001
From: Julian Knight
Date: Thu, 20 Apr 2017 11:30:09 +0100
Subject: [PATCH 1/5] Add note on https and httpNodeMiddleware
---
 docs/security.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/docs/security.md b/docs/security.md
index 15bbb5e8..a7cd213e 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -14,6 +14,11 @@ two parts:
 - the [editor and admin API](#editor--admin-api-security)
 - the [HTTP Nodes and static content](#http-node-security).
+
+Note: When adding security, you should also switch from using `http` to `https` otherwise you are transmitting
+credentials in a way that can be intercepted. The setting `https` is used for this purpose.
+
+
 ### Editor & Admin API security
 To enable user authentication on the Editor and Admin API, add the following to
@@ -202,3 +207,7 @@ was expected to be an MD5 hash. This is cryptographically insecure, so has been superseded with bcrypt, as used by adminAuth. For backwards compatibility, MD5 hashes are still supported - but they are not recommended.
+
+#### Alternatives
+
+As an alternative to using `httpNodeAuth`, the `httpNodeMiddleware` setting allows you to specify some ExpressJS middleware. This can be used to provide your own security function.
From b8e59c80e6b06957d1f11939215e1d486fdfdfa1 Mon Sep 17 00:00:00 2001
From: Julian Knight
Date: Thu, 20 Apr 2017 11:37:57 +0100
Subject: [PATCH 2/5] Add section on adjusted paths when using https and/or httpAdminRoot
---
 docs/api/admin/oauth.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/docs/api/admin/oauth.md b/docs/api/admin/oauth.md
index 5760061f..afed1e47 100644
--- a/docs/api/admin/oauth.md
+++ b/docs/api/admin/oauth.md
@@ -95,3 +95,14 @@ POST to `/auth/revoke`:
curl example:
curl --data 'token=A_SECRET_TOKEN' -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/auth/revoke
+
+### A note on paths
+
+The above assumes that you are using the http scheme rather than https. It also assumes that you have not used the `httpAdminRoot` setting to change the path that admin resources are delivered from.
+
+If you have changed either of those, you will need to adjust the paths given in the examples.
+
adjusted curl example:
+Assuming httpAdminRoot is set to red and https is configured
+
curl https://localhost:1880/red/auth/login
+
From bc19218650bdf4f60dddc7fb618115a948ee22b2 Mon Sep 17 00:00:00 2001
From: Julian Knight
Date: Thu, 20 Apr 2017 12:16:46 +0100
Subject: [PATCH 3/5] Add clarification to /auth/token path + prev note on https/httpAdminRoot
---
 docs/api/admin/oauth.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/api/admin/oauth.md b/docs/api/admin/oauth.md
index afed1e47..1bc609a0 100644
--- a/docs/api/admin/oauth.md
+++ b/docs/api/admin/oauth.md
@@ -54,7 +54,7 @@ The API is secured by access token.
 ### Step 1 - Obtain an access token
 An HTTP POST to `/auth/token` is used to exchange user credentials for an access
-token.
+token. This path is only available if an authentication scheme is enabled (see above).
 The following parameters must be provided:
From 91c2c26a94415b4aac994984a8f342379dd7c698 Mon Sep 17 00:00:00 2001
From: Julian Knight
Date: Wed, 26 Apr 2017 09:09:13 +0100
Subject: [PATCH 4/5] Chg this to node in eg
Having created a reference to this, it should be used in the code. More consistent and more obvious. Also added reason why node var is created.
---
 docs/creating-nodes/first-node.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/docs/creating-nodes/first-node.md b/docs/creating-nodes/first-node.md
index 9ec6412e..ebf0b17a 100644
--- a/docs/creating-nodes/first-node.md
+++ b/docs/creating-nodes/first-node.md
@@ -34,7 +34,7 @@ module.exports = function(RED) {
 function LowerCaseNode(config) {
 RED.nodes.createNode(this,config);
 var node = this;
- this.on('input', function(msg) {
+ node.on('input', function(msg) {
 msg.payload = msg.payload.toLowerCase();
 node.send(msg);
 });
@@ -62,6 +62,11 @@ on in the flow.
 Finally, the `LowerCaseNode` function is registered with the runtime using the name for the node, `lower-case`.
+In order to retain a consistent reference to the nodes `this`, a variable called
+`node` is created pointing to `this`. `this`/`node` contains the information
+related to the created instance of the node. You would typically pass the nodes
+properties, `config`. to to `node` as well.
+
 If the node has any external module dependencies, they must be npm installed alongside the node files.
From e0dbbe14a04b537b9f32c4fb8ceb8f6f76f7b318 Mon Sep 17 00:00:00 2001
From: Julian Knight
Date: Wed, 26 Apr 2017 09:11:59 +0100
Subject: [PATCH 5/5] Use node var instead of this for clarity
Since node is created as a reference to the correct this object, it should be used throughout.
---
 docs/creating-nodes/properties.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/creating-nodes/properties.md b/docs/creating-nodes/properties.md
index 7d341ca7..fab0538f 100644
--- a/docs/creating-nodes/properties.md
+++ b/docs/creating-nodes/properties.md
@@ -36,9 +36,9 @@ property called `prefix` to the node:
 function LowerCaseNode(config) {
 RED.nodes.createNode(this,config);
- this.prefix = config.prefix;
 var node = this;
- this.on('input', function(msg) {
+ node.prefix = config.prefix;
+ node.on('input', function(msg) {
 msg.payload = node.prefix + msg.payload.toLowerCase();
 node.send(msg);
 });