let uiHost be set by security question in admin init. Beef up language around security question.

lib/commands/init/index.js

@@ -105,10 +105,10 @@ async function promptUser() {
         {
             type: 'password',
             name: 'password',
-            message: "Password",
+            message: "Password (>15 characters)",
             validate(val) {
-                if (val.length < 8) {
-                    return "Password too short. Must be at least 8 characters"
+                if (val.length < 16) {
+                    return "Password too short. Must be at least 16 characters"
                 }
                 return true
             }
@@ -135,7 +135,7 @@ async function promptSecurity() {
             type: 'select',
             name: 'adminAuth',
             initial: "Yes",
-            message: 'Do you want to setup user security?',
+            message: 'Do you want to setup user security?\n  DO NOT select No if you will expose Node-RED to the internet - or you will be hacked!\n  If you select No we will restrict browser access to only the machine Node-RED is running on.\n  This can be changed by editing the uiHost entry in settings.js',
             choices: ['Yes', 'No'],
             result(value) {
                 return value === "Yes"
@@ -160,6 +160,11 @@ async function promptSecurity() {
                 break;
             }
         }
+        responses.uiHost = '//uiHost: "0.0.0.0",'
+    }
+    else {
+        responses.uiHost = 'uiHost: "127.0.0.1",'
+        console.log("\nuiHost set to 127.0.0.1 to restrict access to local machine ONLY.");
     }
     return responses;
 }
@@ -287,6 +292,7 @@ async function command(argv, result) {
         };
         config.adminAuth = JSON.stringify(adminAuth,"",4).replace(/\n/g,"\n    ");
     }
+    config.uiHost = securityResponses.uiHost;
 
     const projectsResponses = await promptProjects();
     let flowFileSettings = {};

lib/commands/init/resources/settings.js.mustache

@@ -71,7 +71,7 @@ module.exports = {
  ******************************************************************************/
 
     /** To password protect the Node-RED editor and admin API, the following
-     * property can be used. See http://nodered.org/docs/security.html for details.
+     * property can be used. See https://nodered.org/docs/security.html for details.
      */
     {{^adminAuth}}
     //adminAuth: {
@@ -123,7 +123,7 @@ module.exports = {
      * including node-red-dashboard, or the static content (httpStatic), the
      * following properties can be used.
      * The `pass` field is a bcrypt hash of the password.
-     * See http://nodered.org/docs/security.html#generating-the-password-hash
+     * See https://nodered.org/docs/security.html#generating-the-password-hash
      */
     //httpNodeAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
     //httpStaticAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
@@ -140,7 +140,7 @@ module.exports = {
  *  - httpNodeCors
  *  - httpNodeMiddleware
  *  - httpStatic
- * - httpStaticRoot
+ *  - httpStaticRoot
  ******************************************************************************/
 
     /** the tcp port that the Node-RED web server is listening on */
@@ -151,7 +151,7 @@ module.exports = {
      * The following property can be used to listen on a specific interface. For
      * example, the following would only allow connections from the local machine.
      */
-    //uiHost: "127.0.0.1",
+    {{uiHost}},
 
     /** The maximum size of HTTP request that will be accepted by the runtime api.
      * Default: 5mb
@@ -184,7 +184,7 @@ module.exports = {
 
     /** Some nodes, such as HTTP In, can be used to listen for incoming http requests.
      * By default, these are served relative to '/'. The following property
-     * can be used to specifiy a different root path. If set to false, this is
+     * can be used to specify a different root path. If set to false, this is
      * disabled.
      */
     //httpNodeRoot: '/red-nodes',
@@ -222,17 +222,22 @@ module.exports = {
     /** When httpAdminRoot is used to move the UI to a different root path, the
      * following property can be used to identify a directory of static content
      * that should be served at http://localhost:1880/.
-     * When httpStaticRoot is set differently to httpAdminRoot, there is no need 
+     * When httpStaticRoot is set differently to httpAdminRoot, there is no need
      * to move httpAdminRoot
      */
     //httpStatic: '/home/nol/node-red-static/', //single static source
-    /* OR multiple static sources can be created using an array of objects... */
+    /**
+     *  OR multiple static sources can be created using an array of objects...
+     *  Each object can also contain an options object for further configuration.
+     *  See https://expressjs.com/en/api.html#express.static for available options.
+     */
     //httpStatic: [
-    //    {path: '/home/nol/pics/',    root: "/img/"}, 
-    //    {path: '/home/nol/reports/', root: "/doc/"}, 
+    //    {path: '/home/nol/pics/',    root: "/img/"},
+    //    {path: '/home/nol/reports/', root: "/doc/"},
+    //    {path: '/home/nol/videos/',  root: "/vid/", options: {maxAge: '1d'}}
     //],
 
-    /**  
+    /**
      * All static routes will be appended to httpStaticRoot
      * e.g. if httpStatic = "/home/nol/docs" and  httpStaticRoot = "/static/"
      *      then "/home/nol/docs" will be served at "/static/"
@@ -245,83 +250,113 @@ module.exports = {
 /*******************************************************************************
  * Runtime Settings
  *  - lang
+ *  - runtimeState
+ *  - diagnostics
  *  - logging
  *  - contextStorage
  *  - exportGlobalContextKeys
  *  - externalModules
  ******************************************************************************/
 
-     /** Uncomment the following to run node-red in your preferred language.
-      * Available languages include: en-US (default), ja, de, zh-CN, zh-TW, ru, ko
-      * Some languages are more complete than others.
-      */
-     // lang: "de",
-
-     /** Configure the logging output */
-     logging: {
-         /** Only console logging is currently supported */
-         console: {
-             /** Level of logging to be recorded. Options are:
-              * fatal - only those errors which make the application unusable should be recorded
-              * error - record errors which are deemed fatal for a particular request + fatal errors
-              * warn - record problems which are non fatal + errors + fatal errors
-              * info - record information about the general running of the application + warn + error + fatal errors
-              * debug - record information which is more verbose than info + info + warn + error + fatal errors
-              * trace - record very detailed logging + debug + info + warn + error + fatal errors
-              * off - turn off all logging (doesn't affect metrics or audit)
-              */
-             level: "info",
-             /** Whether or not to include metric events in the log output */
-             metrics: false,
-             /** Whether or not to include audit events in the log output */
-             audit: false
-         }
-     },
-
-     /** Context Storage
-      * The following property can be used to enable context storage. The configuration
-      * provided here will enable file-based context that flushes to disk every 30 seconds.
-      * Refer to the documentation for further options: https://nodered.org/docs/api/context/
-      */
-     //contextStorage: {
-     //    default: {
-     //        module:"localfilesystem"
-     //    },
-     //},
-
-     /** `global.keys()` returns a list of all properties set in global context.
-      * This allows them to be displayed in the Context Sidebar within the editor.
-      * In some circumstances it is not desirable to expose them to the editor. The
-      * following property can be used to hide any property set in `functionGlobalContext`
-      * from being list by `global.keys()`.
-      * By default, the property is set to false to avoid accidental exposure of
-      * their values. Setting this to true will cause the keys to be listed.
-      */
-     exportGlobalContextKeys: false,
-
-     /** Configure how the runtime will handle external npm modules.
-      * This covers:
-      *  - whether the editor will allow new node modules to be installed
-      *  - whether nodes, such as the Function node are allowed to have their
-      * own dynamically configured dependencies.
-      * The allow/denyList options can be used to limit what modules the runtime
-      * will install/load. It can use '*' as a wildcard that matches anything.
-      */
-     externalModules: {
-         // autoInstall: false,   /** Whether the runtime will attempt to automatically install missing modules */
-         // autoInstallRetry: 30, /** Interval, in seconds, between reinstall attempts */
-         // palette: {              /** Configuration for the Palette Manager */
-         //     allowInstall: true, /** Enable the Palette Manager in the editor */
-         //     allowUpload: true,  /** Allow module tgz files to be uploaded and installed */
-         //     allowList: [],
-         //     denyList: []
-         // },
-         // modules: {              /** Configuration for node-specified modules */
-         //     allowInstall: true,
-         //     allowList: [],
-         //     denyList: []
-         // }
-     },
+    /** Uncomment the following to run node-red in your preferred language.
+     * Available languages include: en-US (default), ja, de, zh-CN, zh-TW, ru, ko
+     * Some languages are more complete than others.
+     */
+    // lang: "de",
+
+    /** Configure diagnostics options
+     * - enabled:  When `enabled` is `true` (or unset), diagnostics data will
+     *   be available at http://localhost:1880/diagnostics
+     * - ui: When `ui` is `true` (or unset), the action `show-system-info` will
+     *   be available to logged in users of node-red editor
+    */
+    diagnostics: {
+        /** enable or disable diagnostics endpoint. Must be set to `false` to disable */
+        enabled: true,
+        /** enable or disable diagnostics display in the node-red editor. Must be set to `false` to disable */
+        ui: true,
+    },
+    /** Configure runtimeState options
+     * - enabled:  When `enabled` is `true` flows runtime can be Started/Stopped
+     *   by POSTing to available at http://localhost:1880/flows/state
+     * - ui: When `ui` is `true`, the action `core:start-flows` and
+     *   `core:stop-flows` will be available to logged in users of node-red editor
+     *   Also, the deploy menu (when set to default) will show a stop or start button
+     */
+    runtimeState: {
+        /** enable or disable flows/state endpoint. Must be set to `false` to disable */
+        enabled: false,
+        /** show or hide runtime stop/start options in the node-red editor. Must be set to `false` to hide */
+        ui: false,
+    },
+    /** Configure the logging output */
+    logging: {
+        /** Only console logging is currently supported */
+        console: {
+            /** Level of logging to be recorded. Options are:
+             * fatal - only those errors which make the application unusable should be recorded
+             * error - record errors which are deemed fatal for a particular request + fatal errors
+             * warn - record problems which are non fatal + errors + fatal errors
+             * info - record information about the general running of the application + warn + error + fatal errors
+             * debug - record information which is more verbose than info + info + warn + error + fatal errors
+             * trace - record very detailed logging + debug + info + warn + error + fatal errors
+             * off - turn off all logging (doesn't affect metrics or audit)
+             */
+            level: "info",
+            /** Whether or not to include metric events in the log output */
+            metrics: false,
+            /** Whether or not to include audit events in the log output */
+            audit: false
+        }
+    },
+
+    /** Context Storage
+     * The following property can be used to enable context storage. The configuration
+     * provided here will enable file-based context that flushes to disk every 30 seconds.
+     * Refer to the documentation for further options: https://nodered.org/docs/api/context/
+     */
+    //contextStorage: {
+    //    default: {
+    //        module:"localfilesystem"
+    //    },
+    //},
+
+    /** `global.keys()` returns a list of all properties set in global context.
+     * This allows them to be displayed in the Context Sidebar within the editor.
+     * In some circumstances it is not desirable to expose them to the editor. The
+     * following property can be used to hide any property set in `functionGlobalContext`
+     * from being list by `global.keys()`.
+     * By default, the property is set to false to avoid accidental exposure of
+     * their values. Setting this to true will cause the keys to be listed.
+     */
+    exportGlobalContextKeys: false,
+
+    /** Configure how the runtime will handle external npm modules.
+     * This covers:
+     *  - whether the editor will allow new node modules to be installed
+     *  - whether nodes, such as the Function node are allowed to have their
+     * own dynamically configured dependencies.
+     * The allow/denyList options can be used to limit what modules the runtime
+     * will install/load. It can use '*' as a wildcard that matches anything.
+     */
+    externalModules: {
+        // autoInstall: false,   /** Whether the runtime will attempt to automatically install missing modules */
+        // autoInstallRetry: 30, /** Interval, in seconds, between reinstall attempts */
+        // palette: {              /** Configuration for the Palette Manager */
+        //     allowInstall: true, /** Enable the Palette Manager in the editor */
+        //     allowUpdate: true,  /** Allow modules to be updated in the Palette Manager */
+        //     allowUpload: true,  /** Allow module tgz files to be uploaded and installed */
+        //     allowList: ['*'],
+        //     denyList: [],
+        //     allowUpdateList: ['*'],
+        //     denyUpdateList: []
+        // },
+        // modules: {              /** Configuration for node-specified modules */
+        //     allowInstall: true,
+        //     allowList: [],
+        //     denyList: []
+        // }
+    },
 
 
 /*******************************************************************************
@@ -346,6 +381,12 @@ module.exports = {
          * a collection of themes to chose from.
          */
         {{^editorTheme}}//{{/editorTheme}}theme: "{{editorTheme}}",
+
+        /** To disable the 'Welcome to Node-RED' tour that is displayed the first
+         * time you access the editor for each release of Node-RED, set this to false
+         */
+        //tours: false,
+
         palette: {
             /** The following property can be used to order the categories in the editor
              * palette. If a node's category is not in the list, the category will get
@@ -379,15 +420,24 @@ module.exports = {
                  * packages/node_modules/@node-red/editor-client/src/vendor/monaco/dist/theme
                  * e.g. "tomorrow-night", "upstream-sunburst", "github", "my-theme"
                  */
-                //theme: "vs",
+                // theme: "vs",
                 /** other overrides can be set e.g. fontSize, fontFamily, fontLigatures etc.
                  * for the full list, see https://microsoft.github.io/monaco-editor/docs.html#interfaces/editor.IStandaloneEditorConstructionOptions.html
                  */
                 //fontSize: 14,
                 //fontFamily: "Cascadia Code, Fira Code, Consolas, 'Courier New', monospace",
                 //fontLigatures: true,
             }
-        }
+        },
+
+        markdownEditor: {
+            mermaid: {
+                /** enable or disable mermaid diagram in markdown document
+                 */
+                enabled: true
+            }
+        },
+
     },
 
 /*******************************************************************************
@@ -488,7 +538,7 @@ module.exports = {
      */
     //tlsConfigDisableLocalFiles: true,
 
-    /** The following property can be used to verify websocket connection attempts.
+    /** The following property can be used to verify WebSocket connection attempts.
      * This allows, for example, the HTTP request headers to be checked to ensure
      * they include valid authentication information.
      */