Skip to content

Access Control Quick Reference

TL;DR

  • Read-only users access rpi-prod-1883c404a12f.tagai.uk → see dashboard only
  • Admins access rpi-prod-1883c404a12f-nodered.tagai.uk → see full editor
  • Authentication: Google (users), GitHub (admins)
  • Enforcement: Cloudflare Access (who) + Node-RED middleware (what)

Access Matrix

User Type Dashboard Domain Admin Domain SSH Domain
Read-Only (Google auth) ✅ Dashboard only ❌ Denied ❌ Denied
Admin (GitHub auth) ✅ Dashboard ✅ Full Editor ✅ SSH
Unauthenticated ❌ Login required ❌ Login required ❌ Login required

Domain Reference

rpi-prod-1883c404a12f.tagai.uk (Dashboard Domain)

  • Who: Users with email in user_emails list
  • Auth: Google OAuth
  • What: Node-RED dashboard (read-only)
  • Access Control: Cloudflare Access policy (Users group) + Node-RED middleware (redirect)

rpi-prod-1883c404a12f-nodered.tagai.uk (Admin Domain)

  • Who: Users with email in admin_emails list OR in GitHub mbTagai/admins team
  • Auth: GitHub OAuth (with team check)
  • What: Full Node-RED editor
  • Access Control: Cloudflare Access policy (Admins group) + Node-RED middleware (allow all)

rpi-prod-1883c404a12f-ssh.tagai.uk (SSH Domain)

  • Who: Users with email in admin_emails list OR in GitHub mbTagai/admins team
  • Auth: GitHub OAuth (with team check)
  • What: SSH to device on port 22
  • Access Control: Cloudflare Tunnel SSH routing

Configuration Files

terraform/terraform.auto.tfvars

# Users: Can access dashboard domain, see dashboard only
user_emails = ["tautcius@gmail.com", "other-user@example.com"]

# Admins: Can access admin domain, see full editor
admin_emails = ["t.bujauskas@gmail.com", "other-admin@example.com"]

# GitHub team for admin verification
github_org_team = "mbTagai/admins"

# Identity Provider IDs (get from Cloudflare)
google_idp_id = "851602ea-abaf-40cd-8faf-ee7dd12295e9"
github_idp_id = "734dc9c7-30f1-42bb-9c9e-496fe75b5789"

node-red/settings.js

Two middleware functions control access within Node-RED:

httpAdminMiddleware: Protects editor UI - Dashboard domain: Redirects to /dashboard - Admin domain: Allows full access - /dashboard: Allowed for all users

httpNodeMiddleware: Protects deployed flows - /dashboard: Allowed for all - Non-dashboard on dashboard domain: Redirects to /dashboard - Non-dashboard on admin domain: Allowed

Deployment Steps

1. Update Terraform Variables

cd terraform
# Edit terraform.auto.tfvars with your users/admins
vim terraform.auto.tfvars

2. Apply Terraform

terraform validate
terraform plan
terraform apply -auto-approve

3. Update Node-RED Settings (if needed)

# Edit node-red/settings.js
vim ../node-red/settings.js

4. Restart Node-RED Service

sudo systemctl restart node-red

Testing Access

Test Read-Only User

# Access dashboard domain
curl -H "cf-access-authenticated-user-email: tautcius@gmail.com" \
  https://rpi-prod-1883c404a12f.tagai.uk/

# Should redirect to /dashboard
# Should NOT allow /editor access

Test Admin Access

# Access admin domain
curl -H "cf-access-authenticated-user-email: t.bujauskas@gmail.com" \
  https://rpi-prod-1883c404a12f-nodered.tagai.uk/editor

# Should allow editor access

Troubleshooting

User Gets 403 Forbidden

  1. Check user email in user_emails (Terraform)
  2. Verify they're authenticated with correct IdP (Google for users)
  3. Check Cloudflare Access logs

Admin Can't Access Editor

  1. Check admin email in admin_emails (Terraform)
  2. Verify GitHub team membership: mbTagai/admins
  3. Check both email AND team are configured
  4. Verify accessing -nodered. domain

Redirect Loop

  1. Check Node-RED service logs: journalctl -u node-red -f
  2. Ensure /dashboard path is whitelisted in both middleware
  3. Verify hostname check includes -nodered substring

Google Auth Not Working

  1. Verify google_idp_id is correct in Terraform
  2. Check dashboard app has Google in allowed_idps
  3. Verify user can authenticate with Google account

GitHub Auth Not Working

  1. Verify github_idp_id is correct in Terraform
  2. Verify user is in mbTagai/admins GitHub team
  3. Check admin app has GitHub in allowed_idps
  4. Check Cloudflare Access logs for team verification issues

Architecture Diagram

User (tautcius@gmail.com)          Admin (t.bujauskas@gmail.com)
         │                                    │
         ▼                                    ▼
    [Google OAuth]                    [GitHub OAuth]
         │                                    │
    [Email Match]                     [Team Verification]
         │                                    │
    ┌────┴────┐                          ┌───┴────┐
    │ User OK │                          │ Admin OK
    └────┬────┘                          └───┬────┘
         │                                    │
         ▼                                    ▼
    Dashboard Domain              Admin Domain
    rpi-prod-1883c404a12f.tagai.uk             rpi-prod-1883c404a12f-nodered.tagai.uk
         │                                    │
         ▼                                    ▼
    [Node-RED]                         [Node-RED]
    httpAdminMiddleware         httpAdminMiddleware
    (hostname check)             (hostname check)
         │                                    │
    Not "-nodered"?          Contains "-nodered"?
    Redirect to /dashboard   Allow all paths
         │                                    │
         ▼                                    ▼
    /dashboard                         /editor
    (Read-Only UI)                     (Full Editor)

See Also