node-red · TotallyInformation · Apr 20, 2017 · Apr 20, 2017 · Apr 20, 2017 · Apr 26, 2017
diff --git a/docs/api/admin/oauth.md b/docs/api/admin/oauth.md
@@ -54,7 +54,7 @@ The API is secured by access token.
 ### Step 1 - Obtain an access token
 
 An HTTP POST to `/auth/token` is used to exchange user credentials for an access
-token.
+token. This path is only available if an authentication scheme is enabled (see above).
 
 The following parameters must be provided:
 
@@ -95,3 +95,14 @@ POST to `/auth/revoke`:
 <div class="doc-callout"><em>curl example</em>:
 <pre>curl --data 'token=A_SECRET_TOKEN' -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/auth/revoke</pre>
 </div>
+
+### A note on paths
+
+The above assumes that you are using the http scheme rather than https. It also assumes that you have not used the `httpAdminRoot` setting to change the path that admin resources are delivered from.
+
+If you have changed either of those, you will need to adjust the paths given in the examples.
+
+<div class="doc-callout"><em>adjusted curl example</em>:<br>
+Assuming <code>httpAdminRoot</code> is set to <code>red</code> and <code>https</code> is configured
+<pre>curl https://localhost:1880/red/auth/login</pre>
+</div>
diff --git a/docs/creating-nodes/first-node.md b/docs/creating-nodes/first-node.md
@@ -34,7 +34,7 @@ module.exports = function(RED) {
     function LowerCaseNode(config) {
         RED.nodes.createNode(this,config);
         var node = this;
-        this.on('input', function(msg) {
+        node.on('input', function(msg) {
             msg.payload = msg.payload.toLowerCase();
             node.send(msg);
         });
@@ -62,6 +62,11 @@ on in the flow.
 Finally, the `LowerCaseNode` function is registered with the runtime using the
 name for the node, `lower-case`.
 
+In order to retain a consistent reference to the nodes `this`, a variable called
+`node` is created pointing to `this`. `this`/`node` contains the information
+related to the created instance of the node. You would typically pass the nodes
+properties, `config`. to to `node` as well.
+
 If the node has any external module dependencies, they must be npm installed
 alongside the node files.
 

diff --git a/docs/security.md b/docs/security.md
@@ -14,6 +14,11 @@ two parts:
  - the [editor and admin API](#editor--admin-api-security)
  - the [HTTP Nodes and static content](#http-node-security).
 
+<div class="doc-callout">
+<em>Note</em>: When adding security, you should also switch from using `http` to `https` otherwise you are transmitting
+credentials in a way that can be intercepted. The setting `https` is used for this purpose.
+</div>
+
 ### Editor & Admin API security
 
 To enable user authentication on the Editor and Admin API, add the following to
@@ -202,3 +207,7 @@ was expected to be an MD5 hash. This is cryptographically insecure, so has been
 superseded with bcrypt, as used by <code>adminAuth</code>. For backwards compatibility, MD5
 hashes are still supported - but they are not recommended.
 </div>
+
+#### Alternatives
+
+As an alternative to using `httpNodeAuth`, the `httpNodeMiddleware` setting allows you to specify some ExpressJS middleware. This can be used to provide your own security function.