Securing NodeRED dashboard from unwanted access

Question

I'm trying to create some kind of user authentication to prevent unwanted access to my NodeRED's User Interface. I've searched online and found 2 solutions, that for some reason didn't worked out. Here they are:

1. Tried to add the httpNodeAuth{user:"user", pass:"password"} key to the bluemix-settings.js but after that my dashboard kept prompting me to type username and password, even after I typed the password defined at pass:"password" field.

2. Added the user defined Environtment Variables NODE_RED_USERNAME : username and NODE_RED_PASSWORD : password . But nothing has changed.

Those solutions were sugested here: How could I prohibit anonymous access to my NodeRed UI Dashboard on IBM Cloud(Bluemix)? Thanks for the help, guys!

Here is a little bit of the 'bluemix-settings.js'

 autoInstallModules: true,

// Move the admin UI
httpAdminRoot: '/red',

// Serve up the welcome page
httpStatic: path.join(__dirname,"public"),

//GUI password authentication (ALEX)
httpNodeAuth: {user:"admin",pass:"$2y$12$W2VkVHvBTwRyGCEV0oDw7OkajzG3mdV3vKRDkbXMgIjDHw0mcotLC"},
functionGlobalContext: { },

// Configure the logging output
logging: {

Answer 1

As described in the Node-RED docs here, you need to add a section as follows to the settings.js (or in the case of Bluemix/IBM Cloud the bluemix-settings.js file.

...
httpNodeAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
...

The pass files is a bcrypt hash of the password. There are 2 ways listed in the docs about how to generate the hash in the correct way.

1. if you have a local copy of Node-RED installed you can use the following command:

   node-red admin hash-pw
   

2. As long as you have a local NodeJS install you can use the following:

   node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here
   

   You may need to install bcryptjs first with npm install bcryptjs first.