feat(cli): User Management and Credentials sharing (#3602)

* 🎉 starting feature development

* ✨ sharing/unsharing a credential (#3601)

* 🎉 initial design

* ✨ sharing/unsharing of credentials

* ✅ add tests for EE credentials controller

* 💪 implement review comments

* 🛠 refactor agent creation and credential role locking

* 👕 linting adjustments (#3691)

* 👕 Adjust rule `naming-convention`

* 👕 Fix `naming-convention` config value

* 👕 Disregard casing for EE-prefixed vars

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>

* 🛠 refactor authAgents in tests (#3725)

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 👕 fix ts issue

* 🐘 add migration for mysql and postgres + add AuthAgent type

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>

* ⚡️ refactor existing credentials routes (#3672)

* 🎉 initial design

* ✨ sharing/unsharing of credentials

* ♻️ split credential update route into controller and service

* 🔥 remove credentials test that is no longer applicable

* ♻️ split credential creation route into controller and service

* ♻️ split single credential get

* ♻️ split delete credentials route

* ♻️ split get all credentials route

* 🔥 remove unused imports in credentials contoller

* 🔥 remove console.log

* :refactor: changes to credentials controller and service from review

 - removed credentials from service function names
 - made relations list optional
 - put allowGlobalOwner in options objects
 - check length of relations array so join doesn't happen if empty
 - update some comments to further explain rationale
 - remove unneeded `Object.assign`
 - remove non-null assertion from test

* ♻️ move filtered credentials selected fields to variable

* ♻️ remove unneeded merges in credentials service

Co-authored-by: Ben Hesseldieck <b.hesseldieck@gmail.com>
Co-authored-by: Ben Hesseldieck <1849459+BHesseldieck@users.noreply.github.com>

* ✅ fix test

* 🐛 fix imports

* 👕 fix lint issue

* User Management: switch over to decorators to define routes (#3827)

* Add permissions details to credentials for User Management (#3863)

* ⚡ Open `GET /users`

* ⚡ Add permissions to cred service

* 🚚 Rename method

* ⚡ Refactor cred controller

* 🧪 Adjust test

* ✏️ Improve comment

* ✏️ Improve another comment

* ⚡ Account for multiple sharings

* 🐛 Fix access when user is editor

* 📘 Expand interface

* 📘 Relocate types

* 📘 Exempt cred entity with service-injected fields

* 📘 Adjust interface

* ♻️ Add permissions only in `GET /credentials`

* 🧪 Add expectations for `ownedBy`

* 🧪 Add sharing details test

* 🧪 Make `ownedBy` checks more granular

* 📘 Adjust interface

* 🚚 Rename cred getter

* ♻️ Refactor cred getter

* 🧪 Expand tests

* ♻️ Refactor to use guard

* 👕 Remove unneeded lint exception

* 🔥 Remove unneeded relation

* 🚚 Move relation to `GET /credentials/:id`

* 📘 Consolidate typings

* 🎨 Add multiline for readability

* 🔥 Remove unneeded type

* ✏️ Clarity comment

* ✏️ Make comments consistent

* 👕 Add exception to fix build

* 👕 Add more lint exceptions to fix build

* 🐛 Check for non-owner

* 📘 Improve typings

* 🧪 Temporarily skip tests

* 🔥 Remove `@ts-ignore`

* 👕 Move lint exceptions

* ♻️ Refactor cred service and controller

* ⚡ Simplify check

* ✏️ adjust naming to experimental

* ⚡️ add credentialsSharing flag to settings

* 🛠 add helper to check if UM is also enabled as dependency for CredentialsSharing

* 👕 fix lint error

* 🐘 change name of credential role

* 🚧 WIP batch sharing

* 🚧 WIP use put for sharing

* ✅ add tests for batch sharing, 🛠 implement review suggestions

* ✅ expand credential sharing tests for User Management (#3931)

* 🧪 Expand cred sharing tests

* ⚡ Add recently added flags

* ✅ fix and adjust tests for /credentials

Co-authored-by: Ben Hesseldieck <b.hesseldieck@gmail.com>

* ✨ User management v2 Front End (#3795)

* feat: Added responsive generic page view layout.

* feat: Added empty state.

* feat: Added credentials view empty state.

* test: Added unit tests for N8nActionBox

* feat: Added credentials list initial design.

* feat: Added credential actions. Started working on filters.

* feat: Updated InfoTip markup, added tests and changed stories to typescript.

* feat: Added credentials filtering by type. Added support for apply/reset filters.

* feat: Added credential sharing user select and user list. Added paywall component.

* feat: Updated credentials view permissions.

* feat: Added support for temporary sharing config for unsaved credentials.

* test: Fixed broken snapshots.

* feat: Added overflow styles to page-view-layout list.

* feat: Handled sharee specific views.

* feat: Integration between FE and BE to support real-world credential sharing scenario.

* feat: Added front end permissions table.

* feat: Refactored credential sharing flow. Updated design elements.

* feat: Added margin and padding auto spacer utilities.

* feat: Rehauled permissions to support instanceOwner role and action inheritance.

* feat: Updated credentials view to apply filters automatically.

* feat: Removed apply filters button and added active button state.

* test: Updated component snapshots.

* refactor: Renamed ResourceSharee to ResourceReader.

* feat: Credential sharing error handling, permissions improvement.

* feat: Updated permissions and error handling.

* chore: Removed console.log.

* 🛠 refactor enabling of credentialsSharing

* feat: Removed owner menu selector from credentials when sharing is disabled.

* refactor: Moved EE features into ee store module file.

* 🛠 add sharing info to GET credentials/:id

* fix: Fixed initial credential data loading for sharing.

* chore: Removed console.log.

* 🐛 owner can fetch any credential

* 🛠 refactor users test

* 👕 fix build type issue

* fix: Removed owner tag when credential sharing is disabled. Fixed small reactivity issue.

* chore: Removed console.log.

* 🚧 separate fetching credentials between EE and open

* fix: Fixed empty dropdown in users list.

* fix: Fixed error message and initialization when credential gets unshared.

* ✅ add tests for fetching single credential

* Revert decorators based controllers

* ⚡️ adjust credentials test route to also allow testing for sharees (#3999)

* ⚡️ pull data if user is sharee

* fix: Removed sharedWith and ownedBy from credentialData on testing credentials.

Co-authored-by: Alex Grozav <alex@grozav.com>

* 📈 add BE analytics

* 💪 improve credential test

* ⚡️ adjust tracking properties

* ⚡️ removed roles from tracking

* 🐛 fix build by removing imports

* 🐛 fix missed merge conflict

* feat: User management P2 Front End bug bash and improvements (#4014)

* fix: Fixed type select size after reopening dropdown.

* fix: Fixed template cards.

* fix: Fixed card content size and copy input.

* fix: Fixed horizontal overflow.

* fix: Hiding el-tags scrollbar in select.

* fix: Added fallback credential icon. Added oAuth credential owner check.

* feat: Added disabled state to user select.

* feat: Added fallback scenario for non-existent credential types.

* feat: Adjusted credentials empty state to show that there are shared credentials.

* fix: Fixed time title.

* feat: Added actionable empty state when shared credentials are present.

* fix: Made action box x padding smaller

* feat: Repositioned owner tag for credential card.

* feat: Updated message box styling to use n8n css variables.

* feat: Added confirmation for deleting sharee.

* fix: Fixed deleted credential types. Fixed select in dropdown bug.

* fix: Various code improvements. Addressed PR review comments.

* fix: Fixed credential deletion errors.

* fix: Various code quality improvements.

* feat: N8N-4531 update cloud coming soon features (#4025)

* feat: Showing different upcoming feature messages and format for cloud.

* fix: Changed url format.

* fix: Updated how cloud deployment is determined.

* feat: N8N-4527 implementing credential sharing FE telemetry (#4023)

* feat: Added credential sharing telemetry.

* chore: Renamed computed function for consistency.

* refactor: Simplified subview telemetry sending.

* fix: Changed to callDebounced() helper.

* 📧 update email text

* fix: Adjusted feature coming soon margin.

* chore: Fixed type and line height for delete sharee confirmation modal.

* refactor(editor-ui): Update telemetry (#4040)

* 🔥 Remove `identify` from BE

* ⚡ Add `versionCli`

* ⚡ Add node creator ignore input

* ⚡ Move obfuscators to editor-ui

* ⚡ Refactor `ph-no-capture`

* ⚡ Pass `user_id` to manual exec props

* 🚚 Relocate class in `SettingsApiView`

* ⚡ Add `userId` to BE PH `identify` call

* ⏪ Revert "⚡ Add `userId` to BE PH `identify` call"

This reverts commit 895aaa45e51506d5dbdcbdabe249a2c743d8e468.

* Revert "⏪ Revert "⚡ Add `userId` to BE PH `identify` call""

This reverts commit b86a098c202155742c927c88c04c971a5d34dce5.

* 🐛 Fix `Promise` handling in `track()` call

* ⏪ Restore `Db.collections` call

* ⚡ Set up PH payload to mirror RS

* 🔥 Remove excess `userId`

* 📘 Remove `userId` from interface

* 🔥 Remove unused ref and method

* fix: Fixed bug causing instanceOwner to become credential owner on update. (#4079)

* 🐛 fix test for credential shared with member

* 👕 fix lint issues

* delete conflicting migration. this data is already seeded in CreateUserManagement

* feat: Expand obfuscation to User Management credential sharing (#4070)

⚡ Expand obfuscation

* feat: Added credential sharing infotip for instance owner.

* bring back the migration. add a check to avoid conflicts on inserts

* fix(cli): use a non-env config flag to detect of enterprise features are enabled (#4105)

* chore: Changed ampersand to and in translation.

* refactor(telemetry): Obfuscate code and JSON editors (#4118)

⚡ Obfuscate code and JSON editors

* feat(editor): improve design and functionality of coming soon features (#4116)

* feat: Improved coming soon feature design and functionality.

* style: Removed empty line.

* chore: Removed unused translation.

* fix: fix telemetry for credential creates and updates (#4125)

fix telemetry for credential creates and updates

* feat: Display errors due to missing credentials in the correct node (#4124)

feat: Display errors due to invalid credentials in the correct node when missing permissions

* fix: remove duplicate header for coming soon features in cloud deployment

* telemetry: fix the payload for `User viewed credential tab`

* telemetry: add credential_id to 'User selected credential from node modal'

* feat: update empty states for coming soon features

* Update ActionBox.spec.ts.snap

* replace UserSharingsDetails with a subset of User properties

* rename the CreateCredentialsEditorRole to CreateCredentialsUserRole

* move IUser to the workflow package

* use IUser in the frontend as well

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>
Co-authored-by: Valya <68596159+valya@users.noreply.github.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <netroy@users.noreply.github.com>
Co-authored-by: Alex Grozav <alex@grozav.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
Co-authored-by: Omar Ajoue <krynble@gmail.com>

packages/cli/src/UserManagement/UserManagementHelper.ts

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/no-unused-vars */
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
 /* eslint-disable import/no-cycle */
-import { Workflow } from 'n8n-workflow';
+import { INode, NodeOperationError, Workflow } from 'n8n-workflow';
 import { In } from 'typeorm';
 import express from 'express';
 import { compare, genSaltSync, hash } from 'bcryptjs';
@@ -147,6 +147,7 @@ export async function checkPermissionsForExecution(
 ): Promise<boolean> {
 	const credentialIds = new Set();
 	const nodeNames = Object.keys(workflow.nodes);
+	const credentialUsedBy = new Map();
 	// Iterate over all nodes
 	nodeNames.forEach((nodeName) => {
 		const node = workflow.nodes[nodeName];
@@ -165,16 +166,21 @@ export async function checkPermissionsForExecution(
 				// Migrations should handle the case where a credential does
 				// not have an id.
 				if (credentialDetail.id === null) {
-					throw new Error(
+					throw new NodeOperationError(
+						node,
 						`The credential on node '${node.name}' is not valid. Please open the workflow and set it to a valid value.`,
 					);
 				}
 				if (!credentialDetail.id) {
-					throw new Error(
+					throw new NodeOperationError(
+						node,
 						`Error initializing workflow: credential ID not present. Please open the workflow and save it to fix this error. [Node: '${node.name}']`,
 					);
 				}
 				credentialIds.add(credentialDetail.id.toString());
+				if (!credentialUsedBy.has(credentialDetail.id)) {
+					credentialUsedBy.set(credentialDetail.id, node);
+				}
 			});
 		}
 	});
@@ -197,7 +203,7 @@ export async function checkPermissionsForExecution(
 	}
 
 	// Check for the user's permission to all used credentials
-	const credentialCount = await Db.collections.SharedCredentials.count({
+	const credentialsWithAccess = await Db.collections.SharedCredentials.find({
 		where: {
 			user: { id: userId },
 			credentials: In(ids),
@@ -207,8 +213,21 @@ export async function checkPermissionsForExecution(
 	// Considering the user needs to have access to all credentials
 	// then both arrays (allowed credentials vs used credentials)
 	// must be the same length
-	if (ids.length !== credentialCount) {
-		throw new Error('One or more of the used credentials are not accessible.');
+	if (ids.length !== credentialsWithAccess.length) {
+		credentialsWithAccess.forEach((credential) => {
+			credentialUsedBy.delete(credential.credentialId.toString());
+		});
+
+		// Find the first missing node from the Set - this is arbitrarily fetched
+		const firstMissingCredentialNode = credentialUsedBy.values().next().value as INode;
+		throw new NodeOperationError(
+			firstMissingCredentialNode,
+			'This node does not have access to the required credential',
+			{
+				description:
+					'Maybe the credential was removed or you have lost access to it. Try contacting the owner if this credential does not belong to you',
+			},
+		);
 	}
 	return true;
 }

packages/cli/src/UserManagement/email/templates/passwordReset.html

@@ -1,5 +1,5 @@
 <p>Hi {{firstName}},</p>
 <p>Somebody asked to reset your password on n8n ({{ domain }}).</p>
-<p>If it was not you, you can safely ignore this email.</p>
+<br/>
 <p>Click the following link to choose a new password. The link is valid for 2 hours.</p>
 <a href="{{ passwordResetUrl }}">{{ passwordResetUrl }}</a>

packages/cli/src/UserManagement/middlewares/auth.ts

@@ -0,0 +1,56 @@
+/* eslint-disable import/no-cycle */
+import { Request, RequestHandler } from 'express';
+import jwt from 'jsonwebtoken';
+import passport from 'passport';
+import { Strategy } from 'passport-jwt';
+import { LoggerProxy as Logger } from 'n8n-workflow';
+import { JwtPayload } from '../Interfaces';
+import type { AuthenticatedRequest } from '../../requests';
+import * as config from '../../../config';
+import { AUTH_COOKIE_NAME } from '../../constants';
+import { issueCookie, resolveJwtContent } from '../auth/jwt';
+
+const jwtFromRequest = (req: Request) => {
+	// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+	return (req.cookies?.[AUTH_COOKIE_NAME] as string | undefined) ?? null;
+};
+
+export const jwtAuth = (): RequestHandler => {
+	const jwtStrategy = new Strategy(
+		{
+			jwtFromRequest,
+			secretOrKey: config.getEnv('userManagement.jwtSecret'),
+		},
+		async (jwtPayload: JwtPayload, done) => {
+			try {
+				const user = await resolveJwtContent(jwtPayload);
+				return done(null, user);
+			} catch (error) {
+				Logger.debug('Failed to extract user from JWT payload', { jwtPayload });
+				return done(null, false, { message: 'User not found' });
+			}
+		},
+	);
+
+	passport.use(jwtStrategy);
+	return passport.initialize();
+};
+
+/**
+ * middleware to refresh cookie before it expires
+ */
+export const refreshExpiringCookie: RequestHandler = async (
+	req: AuthenticatedRequest,
+	res,
+	next,
+) => {
+	const cookieAuth = jwtFromRequest(req);
+	if (cookieAuth && req.user) {
+		const cookieContents = jwt.decode(cookieAuth) as JwtPayload & { exp: number };
+		if (cookieContents.exp * 1000 - Date.now() < 259200000) {
+			// if cookie expires in < 3 days, renew it.
+			await issueCookie(res, req.user);
+		}
+	}
+	next();
+};

packages/cli/src/UserManagement/middlewares/index.ts

@@ -0,0 +1,2 @@
+/* eslint-disable import/no-cycle */
+export * from './auth';

packages/cli/src/UserManagement/routes/auth.ts

@@ -21,20 +21,19 @@ export function authenticationMethods(this: N8nApp): void {
 	this.app.post(
 		`/${this.restEndpoint}/login`,
 		ResponseHelper.send(async (req: LoginRequest, res: Response): Promise<PublicUser> => {
-			if (!req.body.email) {
+			const { email, password } = req.body;
+			if (!email) {
 				throw new Error('Email is required to log in');
 			}
 
-			if (!req.body.password) {
+			if (!password) {
 				throw new Error('Password is required to log in');
 			}
 
-			let user;
+			let user: User | undefined;
 			try {
 				user = await Db.collections.User.findOne(
-					{
-						email: req.body.email,
-					},
+					{ email },
 					{
 						relations: ['globalRole'],
 					},

packages/cli/src/UserManagement/routes/index.ts

@@ -4,21 +4,10 @@
 /* eslint-disable import/no-cycle */
 import cookieParser from 'cookie-parser';
 import passport from 'passport';
-import { Strategy } from 'passport-jwt';
 import { NextFunction, Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
 import { LoggerProxy as Logger } from 'n8n-workflow';
-
-import { JwtPayload, N8nApp } from '../Interfaces';
-import { authenticationMethods } from './auth';
-import * as config from '../../../config';
-import { AUTH_COOKIE_NAME } from '../../constants';
-import { issueCookie, resolveJwtContent } from '../auth/jwt';
-import { meNamespace } from './me';
-import { usersNamespace } from './users';
-import { passwordResetNamespace } from './passwordReset';
+import { N8nApp } from '../Interfaces';
 import { AuthenticatedRequest } from '../../requests';
-import { ownerNamespace } from './owner';
 import {
 	isAuthExcluded,
 	isPostUsersId,
@@ -26,32 +15,17 @@ import {
 	isUserManagementDisabled,
 } from '../UserManagementHelper';
 import { Db } from '../..';
+import { jwtAuth, refreshExpiringCookie } from '../middlewares';
+import { authenticationMethods } from './auth';
+import { meNamespace } from './me';
+import { usersNamespace } from './users';
+import { passwordResetNamespace } from './passwordReset';
+import { ownerNamespace } from './owner';
 
 export function addRoutes(this: N8nApp, ignoredEndpoints: string[], restEndpoint: string): void {
 	// needed for testing; not adding overhead since it directly returns if req.cookies exists
 	this.app.use(cookieParser());
-
-	const options = {
-		jwtFromRequest: (req: Request) => {
-			// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
-			return (req.cookies?.[AUTH_COOKIE_NAME] as string | undefined) ?? null;
-		},
-		secretOrKey: config.getEnv('userManagement.jwtSecret'),
-	};
-
-	passport.use(
-		new Strategy(options, async function validateCookieContents(jwtPayload: JwtPayload, done) {
-			try {
-				const user = await resolveJwtContent(jwtPayload);
-				return done(null, user);
-			} catch (error) {
-				Logger.debug('Failed to extract user from JWT payload', { jwtPayload });
-				return done(null, false, { message: 'User not found' });
-			}
-		}),
-	);
-
-	this.app.use(passport.initialize());
+	this.app.use(jwtAuth());
 
 	this.app.use(async (req: Request, res: Response, next: NextFunction) => {
 		if (
@@ -102,7 +76,7 @@ export function addRoutes(this: N8nApp, ignoredEndpoints: string[], restEndpoint
 		}
 		// Not owner and user exists. We now protect restricted urls.
 		const postRestrictedUrls = [`/${this.restEndpoint}/users`, `/${this.restEndpoint}/owner`];
-		const getRestrictedUrls = [`/${this.restEndpoint}/users`];
+		const getRestrictedUrls: string[] = [];
 		const trimmedUrl = req.url.endsWith('/') ? req.url.slice(0, -1) : req.url;
 		if (
 			(req.method === 'POST' && postRestrictedUrls.includes(trimmedUrl)) ||
@@ -124,18 +98,7 @@ export function addRoutes(this: N8nApp, ignoredEndpoints: string[], restEndpoint
 		next();
 	});
 
-	// middleware to refresh cookie before it expires
-	this.app.use(async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
-		const cookieAuth = options.jwtFromRequest(req);
-		if (cookieAuth && req.user) {
-			const cookieContents = jwt.decode(cookieAuth) as JwtPayload & { exp: number };
-			if (cookieContents.exp * 1000 - Date.now() < 259200000) {
-				// if cookie expires in < 3 days, renew it.
-				await issueCookie(res, req.user);
-			}
-		}
-		next();
-	});
+	this.app.use(refreshExpiringCookie);
 
 	authenticationMethods.apply(this);
 	ownerNamespace.apply(this);

packages/cli/src/UserManagement/routes/me.ts

@@ -32,7 +32,8 @@ export function meNamespace(this: N8nApp): void {
 		`/${this.restEndpoint}/me`,
 		ResponseHelper.send(
 			async (req: MeRequest.Settings, res: express.Response): Promise<PublicUser> => {
-				if (!req.body.email) {
+				const { email } = req.body;
+				if (!email) {
 					Logger.debug('Request to update user email failed because of missing email in payload', {
 						userId: req.user.id,
 						payload: req.body,
@@ -40,10 +41,10 @@ export function meNamespace(this: N8nApp): void {
 					throw new ResponseHelper.ResponseError('Email is mandatory', undefined, 400);
 				}
 
-				if (!validator.isEmail(req.body.email)) {
+				if (!validator.isEmail(email)) {
 					Logger.debug('Request to update user email failed because of invalid email in payload', {
 						userId: req.user.id,
-						invalidEmail: req.body.email,
+						invalidEmail: email,
 					});
 					throw new ResponseHelper.ResponseError('Invalid email address', undefined, 400);
 				}