victronenergy / node-red-contrib-victron

MIT License

[BUG] Enabling "httpNodeAuth" for dashboard breaks editing nodes #182

Open DarkZeros opened 10 months ago

DarkZeros commented 10 months ago

Describe the bug
If we want to expose the Node-RED dashboard to the internet, it is a good idea to enable this feature and only allow password-protected accesses. But this breaks the Victron nodes' editing in the UI. The nodes themselves work fine; it is just that it is no longer possible to re-configure them.

To Reproduce
Steps to reproduce the behavior:

  1. Enable "httpNodeAuth" in settings-user.js or settings.js
  2. restart nodered or VenusOS
  3. Open any victron node
  4. It will ask for a password; no password seems to work, it just fails:

Expected behavior
Works normally.

Screenshots
(two screenshots attached to the original issue, not reproduced here)

Hardware (please complete the following information):

Software (please complete the following information):
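For readers following the reproduction steps above: the two Node-RED authentication settings involved are `adminAuth` (editor and admin API) and `httpNodeAuth` (routes served by HTTP In nodes and the dashboard). The settings.js excerpt below is an added illustration, not the project's or Venus OS's settings file; the user names are placeholders, and the password hashes must be generated with `node-red admin hash-pw` rather than typed in as plaintext.

```javascript
// settings.js excerpt (added example, not from node-red-contrib-victron or Venus OS).
// Shows the two separate auth scopes a Node-RED install has.
module.exports = {
  // Protects the editor UI and the admin HTTP API. Routes that a contrib node
  // registers on RED.httpAdmin fall under this scope.
  adminAuth: {
    type: 'credentials',
    users: [
      {
        username: 'admin',                                  // placeholder
        password: '<bcrypt hash from: node-red admin hash-pw>', // placeholder
        permissions: '*'
      }
    ]
  },

  // Protects routes served by HTTP In nodes and by node-red-dashboard
  // (everything registered on RED.httpNode). This is the setting enabled in
  // the report; it does not cover the editor or the admin API.
  httpNodeAuth: {
    user: 'dashboard',                                      // placeholder
    pass: '<bcrypt hash from: node-red admin hash-pw>'      // placeholder
  },

  // Optional: apply the same basic-auth guard to files served from httpStatic.
  // httpStaticAuth: { user: 'dashboard', pass: '<bcrypt hash>' }
};
```

The practical check after editing the file: restart Node-RED, confirm that `/ui` (or whatever `ui.path` is set to) prompts for the `httpNodeAuth` credentials, and confirm separately that the editor prompts for the `adminAuth` credentials; the two prompts are independent and one password does not satisfy the other.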

dirkjanfaber commented 10 months ago

Thanks for reporting, though I would not consider this a bug. https://www.victronenergy.com/live/venus-os:large#q3how_can_i_password_protect_node-red describes how to password protect the dashboard, while keeping the VRM connection.

DarkZeros commented 10 months ago

Can you elaborate on the proposed solutions? As far as I can see, Node-RED does not "by default" have any protection; it does not share the one in Remote Console. Even if it does, it applies to the Node-RED flow configuration, but not to the dashboard part (the dashboard is always accessible, even if the flows are protected).

The official way to protect the dashboard is with httpNodeAuth, as stated here: https://flows.nodered.org/node/node-red-dashboard#Securing%20the%20Dashboard

DarkZeros commented 10 months ago

As I understand it, this problem is occurring because the Victron UI is requesting https://localhost:1881/victron/services/input-solarcharger and similar addresses from the server, and this requires authentication with httpNodeAuth. Looks like a bug to me, since the feature is incompatible with a feature in Node-RED.

dirkjanfaber commented 10 months ago

Alright, I see a possibly overlooked feature here. I'll reopen the issue and check if user authentication can somehow be configured. Mind that the node-red-contrib-victron nodes don't use the HTTP endpoints while running; they are only used in the edit panel (as other nodes also do).
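The point in the two comments above (the endpoints are only fetched by the edit panel, and `httpNodeAuth` rejects those fetches) maps onto a convention in the Node-RED node-authoring docs: endpoints that exist only for the editor are registered on `RED.httpAdmin`, which is guarded by `adminAuth` together with the editor, while `RED.httpNode` is guarded by `httpNodeAuth`. The module below is an added example written for this thread, not code from node-red-contrib-victron; the route path mirrors the URL quoted in the report, the permission name `victron.read` is hypothetical, and the service list is a constructed sample rather than data from a GX device.

```javascript
// Added example (not node-red-contrib-victron code): an editor-only endpoint
// registered on RED.httpAdmin, so that httpNodeAuth does not apply to it and
// the editor's own adminAuth credentials do.
'use strict';

// Constructed sample of what an edit panel might fetch; not live Venus OS data.
const SAMPLE_SERVICES = {
  'input-solarcharger': [
    { service: 'com.victronenergy.solarcharger.ttyO1', name: 'SmartSolar (sample)' }
  ],
  'input-battery': [
    { service: 'com.victronenergy.battery.ttyO2', name: 'Battery monitor (sample)' }
  ]
};

// Node-RED calls a node module with the RED runtime object; here it is a
// parameter so the registration can also be exercised with a stub RED.
function registerVictronEditorRoutes(RED, services = SAMPLE_SERVICES) {
  // Editor-only data lives under httpAdmin. It is unaffected by httpNodeAuth
  // and, when adminAuth is configured, requires an editor session holding the
  // named permission (RED.auth.needsPermission is the documented middleware).
  RED.httpAdmin.get(
    '/victron/services/:type',
    RED.auth.needsPermission('victron.read'), // hypothetical permission name
    (req, res) => {
      const list = services[req.params.type];
      if (!list) {
        // Unknown service type: fail closed with a 404 rather than an empty list
        // that the panel would silently render.
        res.status(404).json({ error: `unknown service type: ${req.params.type}` });
        return;
      }
      res.json(list);
    }
  );
  // Nothing is registered on RED.httpNode: that scope is for what the running
  // flow exposes (HTTP In nodes, the dashboard), and it is where httpNodeAuth
  // would challenge the browser.
}

module.exports = registerVictronEditorRoutes;
```

When a node registers its edit-panel routes on `RED.httpNode` instead, enabling `httpNodeAuth` produces exactly the symptom described in the report: the editor's XHR carries no basic-auth credentials, so the route answers 401 and the panel cannot load its data.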

mpvader commented 10 months ago

Careful here: exposing anything from a GX device, and especially things related to nodejs and thus Node-RED is a bad idea - from a security point of view.

I recommend strongly against it, even though I'm well aware that it might be quite some work to organise an alternate customisable solution to show a dashboard on the internet.