Thursday, 1 June 2017

Node-Red security approach

I'm developing an IoT app using Node-Red and until now everything is quite good. The problem that I'm facing regards security. Basically all I want is to have two types of accounts: admin and guest. The admin has the rights to change parameters of the system and the guest can only see data. So no databases and complicated stuff. The application uses http in/out nodes and some Bootstrap templates, so I'm not using Node-Red's dashboard. Because web security is not my field, I started to read about it. The more I read, the more I get confused. Mainly I want you guys to help me choose the best way of securing the server using one of the two approaches:

First: The site is secured using HTTPS (a self-signed private key and certificate was used). Now I can use a basicAuth node for the users to log in. Since there are only two types of users, it will be very simple to filter users by reading the header of the request.

Second: The site is secured in the same way. The users will be redirected to a login page where they will input their credentials. The username and password will be stored in a file on the server, encrypted with bcrypt. Now, if the credentials are OK, a cookie will be generated with bcrypt which will be polled on every request.

I tested both methods and both are working. But because of my lack of knowledge/experience I don't know which one to choose or whether they are OK.

Can you guys help me?

Thank you in advance.



via Petrescu Cristian
