Two-Factor Authentication is usually associated with access and security. It’s the prompt that you get on your mobile device when you are trying to log in to a Gmail account with 2FA enabled. You can employ the same tactics for your NodeRED server and home automation! Let’s talk about Two-Factor Authentication in NodeRED.
Two-Factor Authentication: basics
When a login action is triggered, 2FA issues a prompt to “Allow” or “Decline” the sign-in from a new machine. Access to the secured account is only granted when that action is authorised on a secured device.
Two-Factor Authentication in NodeRED can work as a safety net. Selected automated actions can trigger the 2FA warning to authorise the action. To make this even more useful I introduced a timeout and a default timeout action.
Example:
This PC Dashboard uses 2FA to prevent the desktop from being disconnected from AC.
A geo-fence trigger to open a garage door can be prone to false-positive triggers. Since no one wants their garage to open without permission, sending a 2FA prompt to your mobile could prove beneficial. The 2FA notification would show up for 1 min when you are inside the geo-fence, and automatically stop the garage door from opening unless authorised.
Two-Factor Authentication in NodeRED
To create your own Two-Factor Authentication in NodeRED you will need:
- Tasker
- AutoRemote
- AutoNotification
- AutoTools
These are the apps needed to create the Android responder system. The NodeRED setup consists of a subflow and a receiver node to deal with HTTP requests. The Two-Factor Authentication in NodeRED is customisable and you will be able to specify:
- Message Title and Text
- Timeout length
- Timeout Action
- Comes with a progress bar, automatic updates and a timer
NodeRED 2FA
I needed Two-Factor Authentication in NodeRED to be as easy to use as possible, and I managed to push all of the code inside a single subflow that you can drop between nodes in need of 2FA.
To make it work, you will need to add an HTTP in node to receive the authorisation calls sent from your mobile.
The true|false message received from the mobile device will allow the looped message to travel through the flow.
Subflow
To use the subflow, you need to set up environmental variables that will shape the message that is displayed on your Android device:
- default2fa – timeout behaviour (true|false)
- timer – how much time is allowed for the message
- ARdevice – the name of the device for AR prompt (see Perfect Notification)
- title – the title of the 2FA notification
- text – the text of the 2FA notification
- 2FApath – path for the HTTP in (keep unique for each instance)
- ID – Notification ID (keep unique for each message)
In the subflow, there are 3 function nodes responsible for 2FA behaviour.
Set alarm
To make the 2FA timeout, I have to monitor the current time and create the alarm at which the message expires. Quick time manipulation is needed to get the Epoch time and set the alarm (all done in ms). These are stored in flow variables for later.
2FA Push
At the same time, an AutoRemote message is sent to a mobile device. I modified the Perfect Notification script to support a progress bar. I wanted to have a visual aid in the notification. Here is the new message body:

    // title, text, ID, default2fa, timer and path come from the subflow's
    // environment variables; time and alarm are set by the Set alarm node.
    var body = {
        "title": {
            "title": title,
            "titleexpanded": title
        },
        "text": {
            "text": text,
            "textexpanded": text
        },
        "icons": {
            "navbaricon": "android.resource://net.dinglisch.android.taskerm/hl_device_access_new_account",
            "bigicon": "android.resource://net.dinglisch.android.taskerm/hl_device_access_new_account"
        },
        "notificationid": ID,
        "persistent": true,
        "priority": 1,
        "default2fa": default2fa,
        "status2fa": status2fa,
        "path": path,
        "timer": timer, // in seconds
        "start": time,  // in ms
        "alarm": alarm, // in ms
        "buttons": [
            {
                "button1": {
                    "icon": "",
                    "label": "Allow",
                    "command": "2faresponse_true"
                },
                "button2": {
                    "icon": "",
                    "label": "Deny",
                    "command": "2faresponse_false"
                }
            }
        ]
    };

Timer
When a trigger hits the subflow, this function node sends the message to one of 3 destinations: to loop (3-sec loop cycle), to approve or to decline. With every loop, the flow variable authentication is checked for updates.
If a response is received, the decision is made on the next loop cycle; otherwise, the function node will assign the outcome at the timeout based on the default setting of default2fa.
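The Set alarm and Timer logic described above, written as plain JavaScript functions of the kind a function node could call. This is an added example, not the code from the project files: the function names, the state object and the output order are assumptions, and it additionally ignores malformed or late responses so that only default2fa applies once the alarm has passed.

```javascript
// Added example; names other than default2fa, timer, alarm and
// authentication are assumptions, not taken from the project files.

// Set alarm: record the start time and the expiry time, both in ms.
function setAlarm(nowMs, timerSec) {
  return { start: nowMs, alarm: nowMs + timerSec * 1000, authentication: null };
}

// HTTP in receiver: accept only an exact "true" or "false" that arrives
// before the alarm. Anything else leaves the state untouched.
function recordResponse(state, payload, nowMs) {
  if (nowMs >= state.alarm) return state;             // late reply: ignore
  const value = String(payload).trim().toLowerCase();
  if (value !== "true" && value !== "false") return state;
  if (state.authentication !== null) return state;    // assumption: first valid answer wins
  return { ...state, authentication: value === "true" };
}

// Timer: called once per loop cycle (every 3 s in the post).
// Returns which of the three destinations the message should take.
function decide(state, nowMs, default2fa) {
  if (state.authentication === true) return "approve";
  if (state.authentication === false) return "decline";
  if (nowMs >= state.alarm) return default2fa ? "approve" : "decline";
  return "loop";
}

// Map the decision onto a three-output function node.
// Assumed output order: [loop, approve, decline].
function route(msg, decision) {
  const outputs = { loop: 0, approve: 1, decline: 2 };
  const out = [null, null, null];
  out[outputs[decision]] = msg;
  return out;
}

// Constructed walk-through: 60 s timer, default action "decline".
function demo() {
  const t0 = 1700000000000;                           // constructed epoch ms
  let s = setAlarm(t0, 60);
  const first = decide(s, t0 + 3000, false);          // no answer yet
  s = recordResponse(s, "maybe", t0 + 4000);          // malformed: ignored
  s = recordResponse(s, "true", t0 + 5000);           // valid approval
  const second = decide(s, t0 + 6000, false);
  const expired = decide(setAlarm(t0, 60), t0 + 60000, false);
  return { first, second, expired };
}
```

With default2fa set to false the flow fails closed: an unanswered, malformed or late response ends in the decline branch.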
Tasker 2FA
In principle, the Tasker profile isn’t complicated. It receives the AR message and, using the AutoTools JSON action, creates an AutoNotification with a live progress bar and AutoApps commands.
On authentication, an HTTP request is sent to the server and a confirmation message is displayed.
2FA received
This is a modified Perfect AutoNotification project. I have added variables for time, progress bar and chronometer to create a complete notification. AutoRemote passes the JSON body of the message to AutoTools JSON action.
With the exception of the ID and Path, these are used as local variables. ID and Path are saved globally, as I need these in the 2nd profile. To update the progress bar, I have to create a loop which checks the current time vs alarm:
IF %ellapsed < timer
and updates the AutoNotification. This loop stops if the timeout is reached, or the notification button is pressed. Lastly, a confirmation message is issued based on the timeout (with a correct default action) or as soon as the allow or decline is pressed.
2FA commands
Since I'm sending sensitive info via HTTP, I used this profile to enable sharing my file without compromising my security.
After capturing the AutoApps command with a profile, the true|false message is sent via HTTP POST back to the NodeRED server. Note that to complete the request I need to know the path (%2FApath). This is why I set the %2FApath as a global variable.
I need to cancel the original AutoNotification message as well, and to do so I'm using the ID stored globally (%NotificationID).
Conclusion
Why am I doing this? I got NETIO connected power cables and one of the cables comes with a PC connector. From time to time, my desktop computer becomes inaccessible via remote desktop and the only way to fix this is to reboot it. I can kill the power and take advantage of the BIOS setting to restore the power on AC loss. For obvious reasons, I don't want this action to be performed accidentally! What would you use Two-Factor Authentication in NodeRED for? Let me know in this Reddit thread.
Project Download
Download project files here. Bear in mind that Patreon supporters have early access to project files and videos.