From 16b99191ad3903fc4e3b70870f6415b3528a6191 Mon Sep 17 00:00:00 2001 From: Omar Ajoue Date: Thu, 21 Apr 2022 15:31:30 +0200 Subject: [PATCH] Open oauth callback endpoints to be public --- packages/cli/src/CredentialsHelper.ts | 10 ++++++++ packages/cli/src/Server.ts | 23 ++++++++++--------- .../cli/src/UserManagement/routes/index.ts | 2 ++ packages/cli/src/requests.d.ts | 8 +++++-- 4 files changed, 30 insertions(+), 13 deletions(-) diff --git a/packages/cli/src/CredentialsHelper.ts b/packages/cli/src/CredentialsHelper.ts index 230499adeffa5..c4278aaa6aa92 100644 --- a/packages/cli/src/CredentialsHelper.ts +++ b/packages/cli/src/CredentialsHelper.ts @@ -753,3 +753,13 @@ export async function getCredentialForUser( return sharedCredential.credentials as ICredentialsDb; } + +/** + * Get a credential without user check + */ +export async function getCredentialWithoutUser( + credentialId: string, +): Promise { + const credential = await Db.collections.Credentials.findOne(credentialId); + return credential; +} diff --git a/packages/cli/src/Server.ts b/packages/cli/src/Server.ts index 81e6a871384a1..68d97c31809f8 100644 --- a/packages/cli/src/Server.ts +++ b/packages/cli/src/Server.ts @@ -137,6 +137,7 @@ import { WorkflowHelpers, WorkflowRunner, getCredentialForUser, + getCredentialWithoutUser, } from '.'; import config from '../config'; @@ -1822,18 +1823,18 @@ class App { LoggerProxy.error( 'OAuth1 callback failed because of insufficient parameters received', { - userId: req.user.id, + userId: req.user?.id, credentialId, }, ); return ResponseHelper.sendErrorResponse(res, errorResponse); } - const credential = await getCredentialForUser(credentialId, req.user); + const credential = await getCredentialWithoutUser(credentialId); if (!credential) { LoggerProxy.error('OAuth1 callback failed because of insufficient user permissions', { - userId: req.user.id, + userId: req.user?.id, credentialId, }); const errorResponse = new ResponseHelper.ResponseError( @@ -1883,7 +1884,7 @@ class App { oauthToken = await requestPromise(options); } catch (error) { LoggerProxy.error('Unable to fetch tokens for OAuth1 callback', { - userId: req.user.id, + userId: req.user?.id, credentialId, }); const errorResponse = new ResponseHelper.ResponseError( @@ -1913,13 +1914,13 @@ class App { await Db.collections.Credentials!.update(credentialId, newCredentialsData); LoggerProxy.verbose('OAuth1 callback successful for new credential', { - userId: req.user.id, + userId: req.user?.id, credentialId, }); res.sendFile(pathResolve(__dirname, '../../templates/oauth-callback.html')); } catch (error) { LoggerProxy.error('OAuth1 callback failed because of insufficient user permissions', { - userId: req.user.id, + userId: req.user?.id, credentialId: req.query.cid, }); // Error response @@ -2084,11 +2085,11 @@ class App { return ResponseHelper.sendErrorResponse(res, errorResponse); } - const credential = await getCredentialForUser(state.cid, req.user); + const credential = await getCredentialWithoutUser(state.cid); if (!credential) { LoggerProxy.error('OAuth2 callback failed because of insufficient permissions', { - userId: req.user.id, + userId: req.user?.id, credentialId: state.cid, }); const errorResponse = new ResponseHelper.ResponseError( @@ -2129,7 +2130,7 @@ class App { !token.verify(decryptedDataOriginal.csrfSecret as string, state.token) ) { LoggerProxy.debug('OAuth2 callback state is invalid', { - userId: req.user.id, + userId: req.user?.id, credentialId: state.cid, }); const errorResponse = new ResponseHelper.ResponseError( @@ -2180,7 +2181,7 @@ class App { if (oauthToken === undefined) { LoggerProxy.error('OAuth2 callback failed: unable to get access tokens', { - userId: req.user.id, + userId: req.user?.id, credentialId: state.cid, }); const errorResponse = new ResponseHelper.ResponseError( @@ -2214,7 +2215,7 @@ class App { // Save the credentials in DB await Db.collections.Credentials!.update(state.cid, newCredentialsData); LoggerProxy.verbose('OAuth2 callback successful for new credential', { - userId: req.user.id, + userId: req.user?.id, credentialId: state.cid, }); diff --git a/packages/cli/src/UserManagement/routes/index.ts b/packages/cli/src/UserManagement/routes/index.ts index 78534c106e8e1..c1ca20895122a 100644 --- a/packages/cli/src/UserManagement/routes/index.ts +++ b/packages/cli/src/UserManagement/routes/index.ts @@ -66,6 +66,8 @@ export function addRoutes(this: N8nApp, ignoredEndpoints: string[], restEndpoint req.url.startsWith(`/${restEndpoint}/forgot-password`) || req.url.startsWith(`/${restEndpoint}/resolve-password-token`) || req.url.startsWith(`/${restEndpoint}/change-password`) || + req.url.startsWith(`/${restEndpoint}/oauth2-credential/callback`) || + req.url.startsWith(`/${restEndpoint}/oauth1-credential/callback`) || isAuthExcluded(req.url, ignoredEndpoints) ) { return next(); diff --git a/packages/cli/src/requests.d.ts b/packages/cli/src/requests.d.ts index 3ab1d7a301903..eeba44f25be6d 100644 --- a/packages/cli/src/requests.d.ts +++ b/packages/cli/src/requests.d.ts @@ -237,12 +237,16 @@ export declare namespace OAuthRequest { {}, {}, { oauth_verifier: string; oauth_token: string; cid: string } - >; + > & { + user?: User; + }; } namespace OAuth2Credential { type Auth = OAuth1Credential.Auth; - type Callback = AuthenticatedRequest<{}, {}, {}, { code: string; state: string }>; + type Callback = AuthenticatedRequest<{}, {}, {}, { code: string; state: string }> & { + user?: User; + }; } }