
Does Node-RED require hashed passwords in settings.js for adminAuth with Docker?


I'm trying to set up a Node-RED Docker container with a custom module and password protection using adminAuth. However, I suspect that my approach to authentication won't work because Node-RED typically requires hashed passwords inside settings.js.

Here’s my Dockerfile:

FROM nodered/node-red:latest

# Install custom module
RUN npm install node-red-contrib-my-custom-module

# Set working directory
WORKDIR /usr/src/node-red

# Copy settings file with adminAuth configuration
COPY settings.js /usr/src/node-red/

# Expose port
EXPOSE 1880

# Start Node-RED
CMD ["npm", "start", "--", "--userDir", "/data"]

And here’s my settings.js configuration for authentication:

module.exports = {
    // other settings
    adminAuth: {
        type: "credentials",
        users: function(username) {
            if (username === "myuser") {
                return Promise.resolve({
                    username: "myuser",
                    permissions: "*"
                });
            } else {
                return Promise.resolve(null);
            }
        },
        authenticate: function(username, password) {
            if (username === "myuser" && password === "mypassword") {
                return Promise.resolve({
                    username: "myuser",
                    permissions: "*"
                });
            } else {
                return Promise.resolve(null);
            }
        }
    },
    // other settings
};

I have a few concerns:

  1. Does Node-RED require passwords to be hashed inside settings.js? The documentation suggests using bcrypt hashes.
  2. Will this authentication approach work as expected inside a Docker container?
  3. If hashing is required, how can I properly hash and store the password while still using this authenticate function?

To build and run the container, I use:

docker build -t my-node-red .
docker run -d -p 1880:1880 my-node-red

Should I modify the approach to ensure secure authentication, or is there an alternative way to handle authentication inside settings.js for Node-RED?

Any insights or corrections would be greatly appreciated!


Solution

  • The default built-in authentication module uses hashed passwords. The built-in authentication module is applied when adminAuth takes a users field as an array of user objects with hashed passwords.

    If you are passing users and authenticate functions then it's entirely up to you how/where you store the password to validate a user session.

    I would recommend not using plain text passwords stored in the settings file.

    So to explicitly answer the questions.

    1. Passwords only need to be hashed with bcrypt for the built-in authentication module.
    2. Running in Docker should have no impact on any of the authentication methods.
    3. As mentioned in answer 1, the hash is only required for the default built-in authentication module, but a well-designed authentication module should not normally be storing plain text passwords.

    But as with all security it really depends on what threat model you are working with.