Closed Steve-Mcl closed 3 years ago
Hi @sammachin I have updated my local fork to check out the tweaks you made.
I see you have defaulted to an insecure mode upon a new node being added to the editor (binding is set to HTTP+HTTPS and password is set to None)
Forgive me for saying but I don't think this is the right direction.
The modifications I made were designed as...
I am curious as to why you decided to change these?
Hi @Steve-Mcl
The main reason behind the defaults was to align with the native ngrok service defaults which today is HTTP & HTTPS along with no auth.
I'm still debating with myself whether this is insecure as such; I'm leaning towards the belief that it's up to the client to choose to make a secure connection. Additionally, ngrok doesn't gracefully redirect HTTP to HTTPS, so I'm concerned at the cost to user experience of making HTTPS only the default. The URL that's sent out by the node and displayed in the status is the https version, in an effort to steer users to that path.
Again with the auth, the ngrok default is not to use auth. The primary use of ngrok is for receiving webhooks from 3rd party APIs, and those interfaces, while generally supporting auth, require it in the format of https://user:pass@example.com and don't make this obvious to users; I've seen this problem first hand multiple times.
I also believe that the best way to secure Node-RED is within the application itself; there's a large DANGER warning in the README to prompt people to this. Hopefully Node-RED will also make setting up a password much easier in the near future.
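The point above is that the editor should be protected inside Node-RED itself rather than relying on the tunnel's defaults. As an added example (not code from this thread or from the ngrok node), here is the shape of Node-RED's own `adminAuth` setting in `settings.js`, together with a small audit helper that flags the two states the thread is worried about: no `adminAuth` at all, and a password stored as plaintext instead of a bcrypt hash. The hash value is a placeholder of the correct shape only; a real one is produced with `node-red admin hash-pw`.

```javascript
// Added example: Node-RED settings.js adminAuth block with a bcrypt-hashed
// password, plus an audit helper. Not part of the ngrok node or this thread.

// PLACEHOLDER hash: right length and prefix for bcrypt, but not a real digest.
// Generate a real value with `node-red admin hash-pw`.
const PLACEHOLDER_HASH = "$2b$08$" + "x".repeat(53);

// This is the real Node-RED settings key; in settings.js it is exported with
// module.exports = { ..., adminAuth: { ... } }.
const settings = {
  adminAuth: {
    type: "credentials",
    users: [
      { username: "admin", password: PLACEHOLDER_HASH, permissions: "*" },
    ],
  },
};

// A bcrypt hash is 60 characters: $2a$/$2b$/$2y$, two-digit cost, 53 base64-ish chars.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Returns a list of problems; an empty list means the editor requires a login
// and every stored password is a hash rather than plaintext.
function auditAdminAuth(cfg) {
  const problems = [];
  if (!cfg || !cfg.adminAuth) {
    problems.push("adminAuth missing: the editor is open to anyone who can reach it");
    return problems;
  }
  const users = Array.isArray(cfg.adminAuth.users) ? cfg.adminAuth.users : [];
  if (users.length === 0) {
    problems.push("adminAuth.users is empty: nobody can log in, or auth is effectively off");
  }
  for (const u of users) {
    if (!BCRYPT_RE.test(u.password || "")) {
      problems.push(`user ${u.username}: password is not a bcrypt hash (plaintext?)`);
    }
  }
  return problems;
}

// Example run against the constructed settings above and an empty config.
console.log(auditAdminAuth(settings)); // []
console.log(auditAdminAuth({}));       // one problem: adminAuth missing
```

The helper is deliberately strict about the hash shape because Node-RED's `credentials` type expects bcrypt output; a plaintext value in that field does not make login work, it just leaves a secret in the config file.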
Hi @sammachin - PR as discussed in #14