node-red / node-red-dashboard

A dashboard UI for Node-RED

Node Red Custom Token issue #810

Open shaharzoo93 opened 1 year ago

shaharzoo93 commented 1 year ago

Current Behavior

We have successfully integrated and launched the Node-RED application as an embedded component within our existing system using an iframe. However, we encountered an issue where all the child requests are being denied due to unauthorized access.

Here is an improved version of the provided code:

<iframe id="pwi_smv_app_iframe" name="pwi_smv_app_iframe" frameborder="0"
  src="${baseUri}/api/nginx/api/ui/?jwt=${window.localStorage.getItem('credentials')}"
  style="width: 100%; height: calc(100vh - 101px); position: fixed;"></iframe>


Since authentication is already integrated into the existing application, there is no need to perform any authentication checks on the Node-RED side. However, to ensure that all subsequent requests include a token, we need to make some configuration changes in the Node-RED core.


In our current structure, the Node-RED UI path is accessed from the UI with a JWT token, and it successfully executes and returns the Node-RED UI dashboard. However, the dashboard also requires additional resource files such as app.min.js and socket.io. Unfortunately, these resource files do not automatically include the token, resulting in authentication errors from the Kong gateway.

It seems that the child requests are failing because the authentication token is not being set for the Node-RED resource/child requests.

Expected Behavior

All the subsequent Node-RED child/resource requests should add a token if the initiator request has a token, and the UI should load.


shaharzoo93 commented 1 year ago

Please provide the solution to solve the issue

knolleary commented 1 year ago

Hi @shaharzoo93 - there isn't an immediate solution available. The dashboard doesn't know anything about your tokens and has nothing in it to automatically add tokens to every request it sends back to the runtime.

This would require some considerable development effort to add support for this.

knolleary commented 1 year ago

The only workaround I can think of is if you were to use a cookie-based approach for your tokens - so the browser would automatically include the cookies in each request sent back to your server.
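
The cookie-based workaround suggested above, sketched as an added example (not code from this thread, Node-RED, or Kong): the token is issued once as an HttpOnly cookie so the browser attaches it to every child request, and a small shim in front of the token check copies it into an Authorization header. The cookie name `nr_jwt`, the function names, and the assumption that such a shim can run in front of your gateway's check are all hypothetical.

```javascript
// Added example: COOKIE_NAME and the function names are assumptions, not Node-RED or Kong APIs.
const COOKIE_NAME = 'nr_jwt';
// Three base64url segments; shape check only. Signature verification stays in the gateway.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Build the Set-Cookie value issued once, when the iframe's first request is authenticated.
function buildSessionCookie(jwt, { path = '/', maxAgeSeconds = 900, crossSite = false } = {}) {
  if (!JWT_SHAPE.test(jwt)) throw new Error('not a compact JWT');
  const attrs = [
    `${COOKIE_NAME}=${jwt}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly', // page scripts cannot read the token
    'Secure',   // sent over HTTPS only
    // A cross-site iframe needs SameSite=None; same-site embedding can stay Strict.
    `SameSite=${crossSite ? 'None' : 'Strict'}`,
  ];
  return attrs.join('; ');
}

// Extract the token from the Cookie header of a child request (app.min.js, socket.io, ...).
function tokenFromCookieHeader(cookieHeader) {
  if (typeof cookieHeader !== 'string') return null;
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === COOKIE_NAME) return JWT_SHAPE.test(value) ? value : null;
  }
  return null;
}

// Map the cookie onto the header a bearer-token check expects; an explicit header wins.
function withAuthorization(headers) {
  if (headers.authorization) return headers;
  const token = tokenFromCookieHeader(headers.cookie);
  return token ? { ...headers, authorization: `Bearer ${token}` } : headers;
}

// Constructed sample token (not a real credential).
const sampleJwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl';
console.log(buildSessionCookie(sampleJwt));
console.log(withAuthorization({ cookie: `theme=dark; ${COOKIE_NAME}=${sampleJwt}` }));
```

Keeping the token in a cookie also takes it out of the iframe URL, where query strings tend to end up in access logs and Referer headers.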

knolleary commented 1 year ago

Sorry, I know nothing about Kong Gateway.