feat(cli): User Management and Credentials sharing (#3602)

* 🎉 starting feature development

* ✨ sharing/unsharing a credential (#3601)

* 🎉 initial design

* ✨ sharing/unsharing of credentials

* ✅ add tests for EE credentials controller

* 💪 implement review comments

* 🛠 refactor agent creation and credential role locking

* 👕 linting adjustments (#3691)

* 👕 Adjust rule `naming-convention`

* 👕 Fix `naming-convention` config value

* 👕 Disregard casing for EE-prefixed vars

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>

* 🛠 refactor authAgents in tests (#3725)

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 👕 fix ts issue

* 🐘 add migration for mysql and postgres + add AuthAgent type

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>

* ⚡️ refactor existing credentials routes (#3672)

* 🎉 initial design

* ✨ sharing/unsharing of credentials

* ♻️ split credential update route into controller and service

* 🔥 remove credentials test that is no longer applicable

* ♻️ split credential creation route into controller and service

* ♻️ split single credential get

* ♻️ split delete credentials route

* ♻️ split get all credentials route

* 🔥 remove unused imports in credentials contoller

* 🔥 remove console.log

* :refactor: changes to credentials controller and service from review

 - removed credentials from service function names
 - made relations list optional
 - put allowGlobalOwner in options objects
 - check length of relations array so join doesn't happen if empty
 - update some comments to further explain rationale
 - remove unneeded `Object.assign`
 - remove non-null assertion from test

* ♻️ move filtered credentials selected fields to variable

* ♻️ remove unneeded merges in credentials service

Co-authored-by: Ben Hesseldieck <b.hesseldieck@gmail.com>
Co-authored-by: Ben Hesseldieck <1849459+BHesseldieck@users.noreply.github.com>

* ✅ fix test

* 🐛 fix imports

* 👕 fix lint issue

* User Management: switch over to decorators to define routes (#3827)

* Add permissions details to credentials for User Management (#3863)

* ⚡ Open `GET /users`

* ⚡ Add permissions to cred service

* 🚚 Rename method

* ⚡ Refactor cred controller

* 🧪 Adjust test

* ✏️ Improve comment

* ✏️ Improve another comment

* ⚡ Account for multiple sharings

* 🐛 Fix access when user is editor

* 📘 Expand interface

* 📘 Relocate types

* 📘 Exempt cred entity with service-injected fields

* 📘 Adjust interface

* ♻️ Add permissions only in `GET /credentials`

* 🧪 Add expectations for `ownedBy`

* 🧪 Add sharing details test

* 🧪 Make `ownedBy` checks more granular

* 📘 Adjust interface

* 🚚 Rename cred getter

* ♻️ Refactor cred getter

* 🧪 Expand tests

* ♻️ Refactor to use guard

* 👕 Remove unneeded lint exception

* 🔥 Remove unneeded relation

* 🚚 Move relation to `GET /credentials/:id`

* 📘 Consolidate typings

* 🎨 Add multiline for readability

* 🔥 Remove unneeded type

* ✏️ Clarity comment

* ✏️ Make comments consistent

* 👕 Add exception to fix build

* 👕 Add more lint exceptions to fix build

* 🐛 Check for non-owner

* 📘 Improve typings

* 🧪 Temporarily skip tests

* 🔥 Remove `@ts-ignore`

* 👕 Move lint exceptions

* ♻️ Refactor cred service and controller

* ⚡ Simplify check

* ✏️ adjust naming to experimental

* ⚡️ add credentialsSharing flag to settings

* 🛠 add helper to check if UM is also enabled as dependency for CredentialsSharing

* 👕 fix lint error

* 🐘 change name of credential role

* 🚧 WIP batch sharing

* 🚧 WIP use put for sharing

* ✅ add tests for batch sharing, 🛠 implement review suggestions

* ✅ expand credential sharing tests for User Management (#3931)

* 🧪 Expand cred sharing tests

* ⚡ Add recently added flags

* ✅ fix and adjust tests for /credentials

Co-authored-by: Ben Hesseldieck <b.hesseldieck@gmail.com>

* ✨ User management v2 Front End (#3795)

* feat: Added responsive generic page view layout.

* feat: Added empty state.

* feat: Added credentials view empty state.

* test: Added unit tests for N8nActionBox

* feat: Added credentials list initial design.

* feat: Added credential actions. Started working on filters.

* feat: Updated InfoTip markup, added tests and changed stories to typescript.

* feat: Added credentials filtering by type. Added support for apply/reset filters.

* feat: Added credential sharing user select and user list. Added paywall component.

* feat: Updated credentials view permissions.

* feat: Added support for temporary sharing config for unsaved credentials.

* test: Fixed broken snapshots.

* feat: Added overflow styles to page-view-layout list.

* feat: Handled sharee specific views.

* feat: Integration between FE and BE to support real-world credential sharing scenario.

* feat: Added front end permissions table.

* feat: Refactored credential sharing flow. Updated design elements.

* feat: Added margin and padding auto spacer utilities.

* feat: Rehauled permissions to support instanceOwner role and action inheritance.

* feat: Updated credentials view to apply filters automatically.

* feat: Removed apply filters button and added active button state.

* test: Updated component snapshots.

* refactor: Renamed ResourceSharee to ResourceReader.

* feat: Credential sharing error handling, permissions improvement.

* feat: Updated permissions and error handling.

* chore: Removed console.log.

* 🛠 refactor enabling of credentialsSharing

* feat: Removed owner menu selector from credentials when sharing is disabled.

* refactor: Moved EE features into ee store module file.

* 🛠 add sharing info to GET credentials/:id

* fix: Fixed initial credential data loading for sharing.

* chore: Removed console.log.

* 🐛 owner can fetch any credential

* 🛠 refactor users test

* 👕 fix build type issue

* fix: Removed owner tag when credential sharing is disabled. Fixed small reactivity issue.

* chore: Removed console.log.

* 🚧 separate fetching credentials between EE and open

* fix: Fixed empty dropdown in users list.

* fix: Fixed error message and initialization when credential gets unshared.

* ✅ add tests for fetching single credential

* Revert decorators based controllers

* ⚡️ adjust credentials test route to also allow testing for sharees (#3999)

* ⚡️ pull data if user is sharee

* fix: Removed sharedWith and ownedBy from credentialData on testing credentials.

Co-authored-by: Alex Grozav <alex@grozav.com>

* 📈 add BE analytics

* 💪 improve credential test

* ⚡️ adjust tracking properties

* ⚡️ removed roles from tracking

* 🐛 fix build by removing imports

* 🐛 fix missed merge conflict

* feat: User management P2 Front End bug bash and improvements (#4014)

* fix: Fixed type select size after reopening dropdown.

* fix: Fixed template cards.

* fix: Fixed card content size and copy input.

* fix: Fixed horizontal overflow.

* fix: Hiding el-tags scrollbar in select.

* fix: Added fallback credential icon. Added oAuth credential owner check.

* feat: Added disabled state to user select.

* feat: Added fallback scenario for non-existent credential types.

* feat: Adjusted credentials empty state to show that there are shared credentials.

* fix: Fixed time title.

* feat: Added actionable empty state when shared credentials are present.

* fix: Made action box x padding smaller

* feat: Repositioned owner tag for credential card.

* feat: Updated message box styling to use n8n css variables.

* feat: Added confirmation for deleting sharee.

* fix: Fixed deleted credential types. Fixed select in dropdown bug.

* fix: Various code improvements. Addressed PR review comments.

* fix: Fixed credential deletion errors.

* fix: Various code quality improvements.

* feat: N8N-4531 update cloud coming soon features (#4025)

* feat: Showing different upcoming feature messages and format for cloud.

* fix: Changed url format.

* fix: Updated how cloud deployment is determined.

* feat: N8N-4527 implementing credential sharing FE telemetry (#4023)

* feat: Added credential sharing telemetry.

* chore: Renamed computed function for consistency.

* refactor: Simplified subview telemetry sending.

* fix: Changed to callDebounced() helper.

* 📧 update email text

* fix: Adjusted feature coming soon margin.

* chore: Fixed type and line height for delete sharee confirmation modal.

* refactor(editor-ui): Update telemetry (#4040)

* 🔥 Remove `identify` from BE

* ⚡ Add `versionCli`

* ⚡ Add node creator ignore input

* ⚡ Move obfuscators to editor-ui

* ⚡ Refactor `ph-no-capture`

* ⚡ Pass `user_id` to manual exec props

* 🚚 Relocate class in `SettingsApiView`

* ⚡ Add `userId` to BE PH `identify` call

* ⏪ Revert "⚡ Add `userId` to BE PH `identify` call"

This reverts commit 895aaa45e51506d5dbdcbdabe249a2c743d8e468.

* Revert "⏪ Revert "⚡ Add `userId` to BE PH `identify` call""

This reverts commit b86a098c202155742c927c88c04c971a5d34dce5.

* 🐛 Fix `Promise` handling in `track()` call

* ⏪ Restore `Db.collections` call

* ⚡ Set up PH payload to mirror RS

* 🔥 Remove excess `userId`

* 📘 Remove `userId` from interface

* 🔥 Remove unused ref and method

* fix: Fixed bug causing instanceOwner to become credential owner on update. (#4079)

* 🐛 fix test for credential shared with member

* 👕 fix lint issues

* delete conflicting migration. this data is already seeded in CreateUserManagement

* feat: Expand obfuscation to User Management credential sharing (#4070)

⚡ Expand obfuscation

* feat: Added credential sharing infotip for instance owner.

* bring back the migration. add a check to avoid conflicts on inserts

* fix(cli): use a non-env config flag to detect of enterprise features are enabled (#4105)

* chore: Changed ampersand to and in translation.

* refactor(telemetry): Obfuscate code and JSON editors (#4118)

⚡ Obfuscate code and JSON editors

* feat(editor): improve design and functionality of coming soon features (#4116)

* feat: Improved coming soon feature design and functionality.

* style: Removed empty line.

* chore: Removed unused translation.

* fix: fix telemetry for credential creates and updates (#4125)

fix telemetry for credential creates and updates

* feat: Display errors due to missing credentials in the correct node (#4124)

feat: Display errors due to invalid credentials in the correct node when missing permissions

* fix: remove duplicate header for coming soon features in cloud deployment

* telemetry: fix the payload for `User viewed credential tab`

* telemetry: add credential_id to 'User selected credential from node modal'

* feat: update empty states for coming soon features

* Update ActionBox.spec.ts.snap

* replace UserSharingsDetails with a subset of User properties

* rename the CreateCredentialsEditorRole to CreateCredentialsUserRole

* move IUser to the workflow package

* use IUser in the frontend as well

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>
Co-authored-by: Valya <68596159+valya@users.noreply.github.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <netroy@users.noreply.github.com>
Co-authored-by: Alex Grozav <alex@grozav.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
Co-authored-by: Omar Ajoue <krynble@gmail.com>

packages/cli/src/credentials/credentials.controller.ee.ts

@@ -0,0 +1,182 @@
+/* eslint-disable import/no-cycle */
+import express from 'express';
+import { INodeCredentialTestResult, LoggerProxy } from 'n8n-workflow';
+import { Db, InternalHooksManager, ResponseHelper } from '..';
+import type { CredentialsEntity } from '../databases/entities/CredentialsEntity';
+
+import type { CredentialRequest } from '../requests';
+import { EECredentialsService as EECredentials } from './credentials.service.ee';
+import type { CredentialWithSharings } from './credentials.types';
+import { isCredentialsSharingEnabled, rightDiff } from './helpers';
+
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const EECredentialsController = express.Router();
+
+EECredentialsController.use((req, res, next) => {
+	if (!isCredentialsSharingEnabled()) {
+		// skip ee router and use free one
+		next('router');
+		return;
+	}
+	// use ee router
+	next();
+});
+
+/**
+ * GET /credentials
+ */
+EECredentialsController.get(
+	'/',
+	ResponseHelper.send(async (req: CredentialRequest.GetAll): Promise<CredentialWithSharings[]> => {
+		try {
+			const allCredentials = await EECredentials.getAll(req.user, {
+				relations: ['shared', 'shared.role', 'shared.user'],
+			});
+
+			// eslint-disable-next-line @typescript-eslint/unbound-method
+			return allCredentials.map(EECredentials.addOwnerAndSharings);
+		} catch (error) {
+			LoggerProxy.error('Request to list credentials failed', error as Error);
+			throw error;
+		}
+	}),
+);
+
+/**
+ * GET /credentials/:id
+ */
+EECredentialsController.get(
+	'/:id',
+	(req, res, next) => (req.params.id === 'new' ? next('router') : next()), // skip ee router and use free one for naming
+	ResponseHelper.send(async (req: CredentialRequest.Get) => {
+		const { id: credentialId } = req.params;
+		const includeDecryptedData = req.query.includeData === 'true';
+
+		if (Number.isNaN(Number(credentialId))) {
+			throw new ResponseHelper.ResponseError(`Credential ID must be a number.`, undefined, 400);
+		}
+
+		let credential = (await EECredentials.get(
+			{ id: credentialId },
+			{ relations: ['shared', 'shared.role', 'shared.user'] },
+		)) as CredentialsEntity & CredentialWithSharings;
+
+		if (!credential) {
+			throw new ResponseHelper.ResponseError(
+				`Credential with ID "${credentialId}" could not be found.`,
+				undefined,
+				404,
+			);
+		}
+
+		const userSharing = credential.shared?.find((shared) => shared.user.id === req.user.id);
+
+		if (!userSharing && req.user.globalRole.name !== 'owner') {
+			throw new ResponseHelper.ResponseError(`Forbidden.`, undefined, 403);
+		}
+
+		credential = EECredentials.addOwnerAndSharings(credential);
+
+		// @ts-ignore @TODO_TECH_DEBT: Stringify `id` with entity field transformer
+		credential.id = credential.id.toString();
+
+		if (!includeDecryptedData || !userSharing || userSharing.role.name !== 'owner') {
+			// eslint-disable-next-line @typescript-eslint/no-unused-vars
+			const { id, data: _, ...rest } = credential;
+
+			// @TODO_TECH_DEBT: Stringify `id` with entity field transformer
+			return { id: id.toString(), ...rest };
+		}
+
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		const { id, data: _, ...rest } = credential;
+
+		const key = await EECredentials.getEncryptionKey();
+		const decryptedData = await EECredentials.decrypt(key, credential);
+
+		// @TODO_TECH_DEBT: Stringify `id` with entity field transformer
+		return { id: id.toString(), data: decryptedData, ...rest };
+	}),
+);
+
+/**
+ * POST /credentials/test
+ *
+ * Test if a credential is valid.
+ */
+EECredentialsController.post(
+	'/test',
+	ResponseHelper.send(async (req: CredentialRequest.Test): Promise<INodeCredentialTestResult> => {
+		const { credentials, nodeToTestWith } = req.body;
+
+		const encryptionKey = await EECredentials.getEncryptionKey();
+
+		const { ownsCredential } = await EECredentials.isOwned(req.user, credentials.id.toString());
+
+		if (!ownsCredential) {
+			const sharing = await EECredentials.getSharing(req.user, credentials.id);
+			if (!sharing) {
+				throw new ResponseHelper.ResponseError(`Forbidden`, undefined, 403);
+			}
+
+			const decryptedData = await EECredentials.decrypt(encryptionKey, sharing.credentials);
+			Object.assign(credentials, { data: decryptedData });
+		}
+
+		return EECredentials.test(req.user, encryptionKey, credentials, nodeToTestWith);
+	}),
+);
+
+/**
+ * (EE) PUT /credentials/:id/share
+ *
+ * Grant or remove users' access to a credential.
+ */
+
+EECredentialsController.put('/:credentialId/share', async (req: CredentialRequest.Share, res) => {
+	const { credentialId } = req.params;
+	const { shareWithIds } = req.body;
+
+	if (!Array.isArray(shareWithIds) || !shareWithIds.every((userId) => typeof userId === 'string')) {
+		return res.status(400).send('Bad Request');
+	}
+
+	const { ownsCredential, credential } = await EECredentials.isOwned(req.user, credentialId);
+
+	if (!ownsCredential || !credential) {
+		return res.status(403).send();
+	}
+
+	let amountRemoved: number | null = null;
+	let newShareeIds: string[] = [];
+	await Db.transaction(async (trx) => {
+		// remove all sharings that are not supposed to exist anymore
+		const { affected } = await EECredentials.pruneSharings(trx, credentialId, [
+			req.user.id,
+			...shareWithIds,
+		]);
+		if (affected) amountRemoved = affected;
+
+		const sharings = await EECredentials.getSharings(trx, credentialId);
+
+		// extract the new sharings that need to be added
+		newShareeIds = rightDiff(
+			[sharings, (sharing) => sharing.userId],
+			[shareWithIds, (shareeId) => shareeId],
+		);
+
+		if (newShareeIds.length) {
+			await EECredentials.share(trx, credential, newShareeIds);
+		}
+	});
+
+	void InternalHooksManager.getInstance().onUserSharedCredentials({
+		credential_type: credential.type,
+		credential_id: credential.id.toString(),
+		user_id_sharer: req.user.id,
+		user_ids_sharees_added: newShareeIds,
+		sharees_removed: amountRemoved,
+	});
+
+	return res.status(200).send();
+});

packages/cli/src/credentials/credentials.controller.ts

@@ -0,0 +1,232 @@
+/* eslint-disable no-param-reassign */
+/* eslint-disable @typescript-eslint/no-unused-vars */
+/* eslint-disable import/no-cycle */
+import express from 'express';
+import { INodeCredentialTestResult, LoggerProxy } from 'n8n-workflow';
+
+import { GenericHelpers, InternalHooksManager, ResponseHelper } from '..';
+import config from '../../config';
+import { getLogger } from '../Logger';
+import { EECredentialsController } from './credentials.controller.ee';
+import { CredentialsService } from './credentials.service';
+
+import type { ICredentialsResponse } from '..';
+import type { CredentialRequest } from '../requests';
+
+export const credentialsController = express.Router();
+
+/**
+ * Initialize Logger if needed
+ */
+credentialsController.use((req, res, next) => {
+	try {
+		LoggerProxy.getInstance();
+	} catch (error) {
+		LoggerProxy.init(getLogger());
+	}
+	next();
+});
+
+credentialsController.use('/', EECredentialsController);
+
+/**
+ * GET /credentials
+ */
+credentialsController.get(
+	'/',
+	ResponseHelper.send(async (req: CredentialRequest.GetAll): Promise<ICredentialsResponse[]> => {
+		const credentials = await CredentialsService.getAll(req.user);
+
+		return credentials.map((credential) => {
+			// eslint-disable-next-line no-param-reassign
+			credential.id = credential.id.toString();
+			return credential as ICredentialsResponse;
+		});
+	}),
+);
+
+/**
+ * GET /credentials/new
+ *
+ * Generate a unique credential name.
+ */
+credentialsController.get(
+	'/new',
+	ResponseHelper.send(async (req: CredentialRequest.NewName): Promise<{ name: string }> => {
+		const { name: newName } = req.query;
+
+		return {
+			name: await GenericHelpers.generateUniqueName(
+				newName ?? config.getEnv('credentials.defaultName'),
+				'credentials',
+			),
+		};
+	}),
+);
+
+/**
+ * GET /credentials/:id
+ */
+credentialsController.get(
+	'/:id',
+	ResponseHelper.send(async (req: CredentialRequest.Get) => {
+		const { id: credentialId } = req.params;
+		const includeDecryptedData = req.query.includeData === 'true';
+
+		if (Number.isNaN(Number(credentialId))) {
+			throw new ResponseHelper.ResponseError(`Credential ID must be a number.`, undefined, 400);
+		}
+
+		const sharing = await CredentialsService.getSharing(req.user, credentialId, ['credentials']);
+
+		if (!sharing) {
+			throw new ResponseHelper.ResponseError(
+				`Credential with ID "${credentialId}" could not be found.`,
+				undefined,
+				404,
+			);
+		}
+
+		const { credentials: credential } = sharing;
+
+		if (!includeDecryptedData) {
+			const { id, data: _, ...rest } = credential;
+
+			// @TODO_TECH_DEBT: Stringify `id` with entity field transformer
+			return { id: id.toString(), ...rest };
+		}
+
+		const { id, data: _, ...rest } = credential;
+
+		const key = await CredentialsService.getEncryptionKey();
+		const decryptedData = await CredentialsService.decrypt(key, credential);
+
+		// @TODO_TECH_DEBT: Stringify `id` with entity field transformer
+		return { id: id.toString(), data: decryptedData, ...rest };
+	}),
+);
+
+/**
+ * POST /credentials/test
+ *
+ * Test if a credential is valid.
+ */
+credentialsController.post(
+	'/test',
+	ResponseHelper.send(async (req: CredentialRequest.Test): Promise<INodeCredentialTestResult> => {
+		const { credentials, nodeToTestWith } = req.body;
+
+		const encryptionKey = await CredentialsService.getEncryptionKey();
+		return CredentialsService.test(req.user, encryptionKey, credentials, nodeToTestWith);
+	}),
+);
+
+/**
+ * POST /credentials
+ */
+credentialsController.post(
+	'/',
+	ResponseHelper.send(async (req: CredentialRequest.Create) => {
+		const newCredential = await CredentialsService.prepareCreateData(req.body);
+
+		const key = await CredentialsService.getEncryptionKey();
+		const encryptedData = CredentialsService.createEncryptedData(key, null, newCredential);
+		const { id, ...rest } = await CredentialsService.save(newCredential, encryptedData, req.user);
+
+		void InternalHooksManager.getInstance().onUserCreatedCredentials({
+			credential_type: rest.type,
+			credential_id: id.toString(),
+			public_api: false,
+		});
+
+		return { id: id.toString(), ...rest };
+	}),
+);
+
+/**
+ * PATCH /credentials/:id
+ */
+credentialsController.patch(
+	'/:id',
+	ResponseHelper.send(async (req: CredentialRequest.Update): Promise<ICredentialsResponse> => {
+		const { id: credentialId } = req.params;
+
+		const sharing = await CredentialsService.getSharing(req.user, credentialId);
+
+		if (!sharing) {
+			LoggerProxy.info('Attempt to update credential blocked due to lack of permissions', {
+				credentialId,
+				userId: req.user.id,
+			});
+			throw new ResponseHelper.ResponseError(
+				`Credential with ID "${credentialId}" could not be found to be updated.`,
+				undefined,
+				404,
+			);
+		}
+
+		const { credentials: credential } = sharing;
+
+		const key = await CredentialsService.getEncryptionKey();
+		const decryptedData = await CredentialsService.decrypt(key, credential);
+		const preparedCredentialData = await CredentialsService.prepareUpdateData(
+			req.body,
+			decryptedData,
+		);
+		const newCredentialData = CredentialsService.createEncryptedData(
+			key,
+			credentialId,
+			preparedCredentialData,
+		);
+
+		const responseData = await CredentialsService.update(credentialId, newCredentialData);
+
+		if (responseData === undefined) {
+			throw new ResponseHelper.ResponseError(
+				`Credential ID "${credentialId}" could not be found to be updated.`,
+				undefined,
+				404,
+			);
+		}
+
+		// Remove the encrypted data as it is not needed in the frontend
+		const { id, data: _, ...rest } = responseData;
+
+		LoggerProxy.verbose('Credential updated', { credentialId });
+
+		return {
+			id: id.toString(),
+			...rest,
+		};
+	}),
+);
+
+/**
+ * DELETE /credentials/:id
+ */
+credentialsController.delete(
+	'/:id',
+	ResponseHelper.send(async (req: CredentialRequest.Delete) => {
+		const { id: credentialId } = req.params;
+
+		const sharing = await CredentialsService.getSharing(req.user, credentialId);
+
+		if (!sharing) {
+			LoggerProxy.info('Attempt to delete credential blocked due to lack of permissions', {
+				credentialId,
+				userId: req.user.id,
+			});
+			throw new ResponseHelper.ResponseError(
+				`Credential with ID "${credentialId}" could not be found to be deleted.`,
+				undefined,
+				404,
+			);
+		}
+
+		const { credentials: credential } = sharing;
+
+		await CredentialsService.delete(credential);
+
+		return true;
+	}),
+);

packages/cli/src/credentials/credentials.service.ee.ts

@@ -0,0 +1,96 @@
+/* eslint-disable import/no-cycle */
+/* eslint-disable no-param-reassign */
+import { DeleteResult, EntityManager, In, Not } from 'typeorm';
+import { Db } from '..';
+import { RoleService } from '../role/role.service';
+import { CredentialsService } from './credentials.service';
+
+import { CredentialsEntity } from '../databases/entities/CredentialsEntity';
+import { SharedCredentials } from '../databases/entities/SharedCredentials';
+import { User } from '../databases/entities/User';
+import { UserService } from '../user/user.service';
+import type { CredentialWithSharings } from './credentials.types';
+
+export class EECredentialsService extends CredentialsService {
+	static async isOwned(
+		user: User,
+		credentialId: string,
+	): Promise<{ ownsCredential: boolean; credential?: CredentialsEntity }> {
+		const sharing = await this.getSharing(user, credentialId, ['credentials', 'role'], {
+			allowGlobalOwner: false,
+		});
+
+		if (!sharing || sharing.role.name !== 'owner') return { ownsCredential: false };
+
+		const { credentials: credential } = sharing;
+
+		return { ownsCredential: true, credential };
+	}
+
+	static async getSharings(
+		transaction: EntityManager,
+		credentialId: string,
+	): Promise<SharedCredentials[]> {
+		const credential = await transaction.findOne(CredentialsEntity, credentialId, {
+			relations: ['shared'],
+		});
+		return credential?.shared ?? [];
+	}
+
+	static async pruneSharings(
+		transaction: EntityManager,
+		credentialId: string,
+		userIds: string[],
+	): Promise<DeleteResult> {
+		return transaction.delete(SharedCredentials, {
+			credentials: { id: credentialId },
+			user: { id: Not(In(userIds)) },
+		});
+	}
+
+	static async share(
+		transaction: EntityManager,
+		credential: CredentialsEntity,
+		shareWithIds: string[],
+	): Promise<SharedCredentials[]> {
+		const [users, role] = await Promise.all([
+			UserService.getByIds(transaction, shareWithIds),
+			RoleService.trxGet(transaction, { scope: 'credential', name: 'user' }),
+		]);
+
+		const newSharedCredentials = users
+			.filter((user) => !user.isPending)
+			.map((user) =>
+				Db.collections.SharedCredentials.create({
+					credentials: credential,
+					user,
+					role,
+				}),
+			);
+
+		return transaction.save(newSharedCredentials);
+	}
+
+	static addOwnerAndSharings(
+		credential: CredentialsEntity & CredentialWithSharings,
+	): CredentialsEntity & CredentialWithSharings {
+		credential.ownedBy = null;
+		credential.sharedWith = [];
+
+		credential.shared?.forEach(({ user, role }) => {
+			const { id, email, firstName, lastName } = user;
+
+			if (role.name === 'owner') {
+				credential.ownedBy = { id, email, firstName, lastName };
+				return;
+			}
+
+			credential.sharedWith?.push({ id, email, firstName, lastName });
+		});
+
+		// @ts-ignore
+		delete credential.shared;
+
+		return credential;
+	}
+}

packages/cli/src/credentials/credentials.service.ts

@@ -0,0 +1,276 @@
+/* eslint-disable no-restricted-syntax */
+/* eslint-disable import/no-cycle */
+import { Credentials, UserSettings } from 'n8n-core';
+import {
+	ICredentialDataDecryptedObject,
+	ICredentialsDecrypted,
+	INodeCredentialTestResult,
+	LoggerProxy,
+} from 'n8n-workflow';
+import { FindOneOptions, In } from 'typeorm';
+
+import {
+	createCredentialsFromCredentialsEntity,
+	CredentialsHelper,
+	Db,
+	ICredentialsDb,
+	ResponseHelper,
+} from '..';
+import { RESPONSE_ERROR_MESSAGES } from '../constants';
+import { CredentialsEntity } from '../databases/entities/CredentialsEntity';
+import { SharedCredentials } from '../databases/entities/SharedCredentials';
+import { validateEntity } from '../GenericHelpers';
+import { externalHooks } from '../Server';
+
+import type { User } from '../databases/entities/User';
+import type { CredentialRequest } from '../requests';
+
+export class CredentialsService {
+	static async get(
+		credential: Partial<ICredentialsDb>,
+		options?: { relations: string[] },
+	): Promise<ICredentialsDb | undefined> {
+		return Db.collections.Credentials.findOne(credential, {
+			relations: options?.relations,
+		});
+	}
+
+	static async getAll(user: User, options?: { relations: string[] }): Promise<ICredentialsDb[]> {
+		const SELECT_FIELDS: Array<keyof ICredentialsDb> = [
+			'id',
+			'name',
+			'type',
+			'nodesAccess',
+			'createdAt',
+			'updatedAt',
+		];
+
+		// if instance owner, return all credentials
+
+		if (user.globalRole.name === 'owner') {
+			return Db.collections.Credentials.find({
+				select: SELECT_FIELDS,
+				relations: options?.relations,
+			});
+		}
+
+		// if member, return credentials owned by or shared with member
+
+		const userSharings = await Db.collections.SharedCredentials.find({
+			where: {
+				user,
+			},
+		});
+
+		return Db.collections.Credentials.find({
+			select: SELECT_FIELDS,
+			relations: options?.relations,
+			where: {
+				id: In(userSharings.map((x) => x.credentialId)),
+			},
+		});
+	}
+
+	/**
+	 * Retrieve the sharing that matches a user and a credential.
+	 */
+	static async getSharing(
+		user: User,
+		credentialId: number | string,
+		relations: string[] | undefined = ['credentials'],
+		{ allowGlobalOwner } = { allowGlobalOwner: true },
+	): Promise<SharedCredentials | undefined> {
+		const options: FindOneOptions = {
+			where: {
+				credentials: { id: credentialId },
+			},
+		};
+
+		// Omit user from where if the requesting user is the global
+		// owner. This allows the global owner to view and delete
+		// credentials they don't own.
+		if (!allowGlobalOwner || user.globalRole.name !== 'owner') {
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+			options.where.user = { id: user.id };
+		}
+
+		if (relations?.length) {
+			options.relations = relations;
+		}
+
+		return Db.collections.SharedCredentials.findOne(options);
+	}
+
+	static createCredentialsFromCredentialsEntity(
+		credential: CredentialsEntity,
+		encrypt = false,
+	): Credentials {
+		const { id, name, type, nodesAccess, data } = credential;
+		if (encrypt) {
+			return new Credentials({ id: null, name }, type, nodesAccess);
+		}
+		return new Credentials({ id: id.toString(), name }, type, nodesAccess, data);
+	}
+
+	static async prepareCreateData(
+		data: CredentialRequest.CredentialProperties,
+	): Promise<CredentialsEntity> {
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		const { id, ...rest } = data;
+
+		// This saves us a merge but requires some type casting. These
+		// types are compatiable for this case.
+		const newCredentials = Db.collections.Credentials.create(
+			rest as ICredentialsDb,
+		) as CredentialsEntity;
+
+		await validateEntity(newCredentials);
+
+		// Add the date for newly added node access permissions
+		for (const nodeAccess of newCredentials.nodesAccess) {
+			nodeAccess.date = new Date();
+		}
+
+		return newCredentials;
+	}
+
+	static async prepareUpdateData(
+		data: CredentialRequest.CredentialProperties,
+		decryptedData: ICredentialDataDecryptedObject,
+	): Promise<CredentialsEntity> {
+		// This saves us a merge but requires some type casting. These
+		// types are compatiable for this case.
+		const updateData = Db.collections.Credentials.create(
+			data as ICredentialsDb,
+		) as CredentialsEntity;
+
+		await validateEntity(updateData);
+
+		// Add the date for newly added node access permissions
+		for (const nodeAccess of updateData.nodesAccess) {
+			if (!nodeAccess.date) {
+				nodeAccess.date = new Date();
+			}
+		}
+
+		// Do not overwrite the oauth data else data like the access or refresh token would get lost
+		// everytime anybody changes anything on the credentials even if it is just the name.
+		if (decryptedData.oauthTokenData) {
+			// @ts-ignore
+			updateData.data.oauthTokenData = decryptedData.oauthTokenData;
+		}
+		return updateData;
+	}
+
+	static createEncryptedData(
+		encryptionKey: string,
+		credentialsId: string | null,
+		data: CredentialsEntity,
+	): ICredentialsDb {
+		const credentials = new Credentials(
+			{ id: credentialsId, name: data.name },
+			data.type,
+			data.nodesAccess,
+		);
+
+		credentials.setData(data.data as unknown as ICredentialDataDecryptedObject, encryptionKey);
+
+		const newCredentialData = credentials.getDataToSave() as ICredentialsDb;
+
+		// Add special database related data
+		newCredentialData.updatedAt = new Date();
+
+		return newCredentialData;
+	}
+
+	static async getEncryptionKey(): Promise<string> {
+		try {
+			return await UserSettings.getEncryptionKey();
+		} catch (error) {
+			throw new ResponseHelper.ResponseError(
+				RESPONSE_ERROR_MESSAGES.NO_ENCRYPTION_KEY,
+				undefined,
+				500,
+			);
+		}
+	}
+
+	static async decrypt(
+		encryptionKey: string,
+		credential: CredentialsEntity,
+	): Promise<ICredentialDataDecryptedObject> {
+		const coreCredential = createCredentialsFromCredentialsEntity(credential);
+		return coreCredential.getData(encryptionKey);
+	}
+
+	static async update(
+		credentialId: string,
+		newCredentialData: ICredentialsDb,
+	): Promise<ICredentialsDb | undefined> {
+		await externalHooks.run('credentials.update', [newCredentialData]);
+
+		// Update the credentials in DB
+		await Db.collections.Credentials.update(credentialId, newCredentialData);
+
+		// We sadly get nothing back from "update". Neither if it updated a record
+		// nor the new value. So query now the updated entry.
+		return Db.collections.Credentials.findOne(credentialId);
+	}
+
+	static async save(
+		credential: CredentialsEntity,
+		encryptedData: ICredentialsDb,
+		user: User,
+	): Promise<CredentialsEntity> {
+		// To avoid side effects
+		const newCredential = new CredentialsEntity();
+		Object.assign(newCredential, credential, encryptedData);
+
+		await externalHooks.run('credentials.create', [encryptedData]);
+
+		const role = await Db.collections.Role.findOneOrFail({
+			name: 'owner',
+			scope: 'credential',
+		});
+
+		const result = await Db.transaction(async (transactionManager) => {
+			const savedCredential = await transactionManager.save<CredentialsEntity>(newCredential);
+
+			savedCredential.data = newCredential.data;
+
+			const newSharedCredential = new SharedCredentials();
+
+			Object.assign(newSharedCredential, {
+				role,
+				user,
+				credentials: savedCredential,
+			});
+
+			await transactionManager.save<SharedCredentials>(newSharedCredential);
+
+			return savedCredential;
+		});
+		LoggerProxy.verbose('New credential created', {
+			credentialId: newCredential.id,
+			ownerId: user.id,
+		});
+		return result;
+	}
+
+	static async delete(credentials: CredentialsEntity): Promise<void> {
+		await externalHooks.run('credentials.delete', [credentials.id]);
+
+		await Db.collections.Credentials.remove(credentials);
+	}
+
+	static async test(
+		user: User,
+		encryptionKey: string,
+		credentials: ICredentialsDecrypted,
+		nodeToTestWith: string | undefined,
+	): Promise<INodeCredentialTestResult> {
+		const helper = new CredentialsHelper(encryptionKey);
+
+		return helper.testCredentials(user, credentials.type, credentials, nodeToTestWith);
+	}
+}

packages/cli/src/credentials/credentials.types.ts

@@ -0,0 +1,7 @@
+import type { IUser } from 'n8n-workflow';
+import type { ICredentialsDb } from '../Interfaces';
+
+export interface CredentialWithSharings extends ICredentialsDb {
+	ownedBy?: IUser | null;
+	sharedWith?: IUser[];
+}

packages/cli/src/credentials/helpers.ts

@@ -0,0 +1,28 @@
+/* eslint-disable import/no-cycle */
+import config from '../../config';
+import { isUserManagementEnabled } from '../UserManagement/UserManagementHelper';
+
+export function isCredentialsSharingEnabled(): boolean {
+	return isUserManagementEnabled() && config.getEnv('enterprise.features.sharing');
+}
+
+// return the difference between two arrays
+export function rightDiff<T1, T2>(
+	[arr1, keyExtractor1]: [T1[], (item: T1) => string],
+	[arr2, keyExtractor2]: [T2[], (item: T2) => string],
+): T2[] {
+	// create map { itemKey => true } for fast lookup for diff
+	const keyMap = arr1.reduce<{ [key: string]: true }>((map, item) => {
+		// eslint-disable-next-line no-param-reassign
+		map[keyExtractor1(item)] = true;
+		return map;
+	}, {});
+
+	// diff against map
+	return arr2.reduce<T2[]>((acc, item) => {
+		if (!keyMap[keyExtractor2(item)]) {
+			acc.push(item);
+		}
+		return acc;
+	}, []);
+}

packages/cli/src/credentials/oauth2Credential.api.ts

@@ -0,0 +1,346 @@
+/* eslint-disable import/no-cycle */
+import ClientOAuth2 from 'client-oauth2';
+import Csrf from 'csrf';
+import express from 'express';
+import get from 'lodash.get';
+import omit from 'lodash.omit';
+import set from 'lodash.set';
+import split from 'lodash.split';
+import unset from 'lodash.unset';
+import { Credentials, UserSettings } from 'n8n-core';
+import {
+	LoggerProxy,
+	WorkflowExecuteMode,
+	INodeCredentialsDetails,
+	ICredentialsEncrypted,
+	IDataObject,
+} from 'n8n-workflow';
+import { resolve as pathResolve } from 'path';
+import querystring from 'querystring';
+
+import { Db, ICredentialsDb, ResponseHelper } from '..';
+import { RESPONSE_ERROR_MESSAGES } from '../constants';
+import {
+	CredentialsHelper,
+	getCredentialForUser,
+	getCredentialWithoutUser,
+} from '../CredentialsHelper';
+import { getLogger } from '../Logger';
+import { OAuthRequest } from '../requests';
+import { externalHooks } from '../Server';
+import config from '../../config';
+import { getInstanceBaseUrl } from '../UserManagement/UserManagementHelper';
+
+export const oauth2CredentialController = express.Router();
+
+/**
+ * Initialize Logger if needed
+ */
+oauth2CredentialController.use((req, res, next) => {
+	try {
+		LoggerProxy.getInstance();
+	} catch (error) {
+		LoggerProxy.init(getLogger());
+	}
+	next();
+});
+
+const restEndpoint = config.getEnv('endpoints.rest');
+
+/**
+ * GET /oauth2-credential/auth
+ *
+ * Authorize OAuth Data
+ */
+oauth2CredentialController.get(
+	'/auth',
+	ResponseHelper.send(async (req: OAuthRequest.OAuth1Credential.Auth): Promise<string> => {
+		const { id: credentialId } = req.query;
+
+		if (!credentialId) {
+			throw new ResponseHelper.ResponseError('Required credential ID is missing', undefined, 400);
+		}
+
+		const credential = await getCredentialForUser(credentialId, req.user);
+
+		if (!credential) {
+			LoggerProxy.error('Failed to authorize OAuth2 due to lack of permissions', {
+				userId: req.user.id,
+				credentialId,
+			});
+			throw new ResponseHelper.ResponseError(RESPONSE_ERROR_MESSAGES.NO_CREDENTIAL, undefined, 404);
+		}
+
+		let encryptionKey: string;
+		try {
+			encryptionKey = await UserSettings.getEncryptionKey();
+		} catch (error) {
+			throw new ResponseHelper.ResponseError((error as Error).message, undefined, 500);
+		}
+
+		const mode: WorkflowExecuteMode = 'internal';
+		const timezone = config.getEnv('generic.timezone');
+		const credentialsHelper = new CredentialsHelper(encryptionKey);
+		const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+			credential as INodeCredentialsDetails,
+			(credential as unknown as ICredentialsEncrypted).type,
+			mode,
+			timezone,
+			true,
+		);
+
+		const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+			decryptedDataOriginal,
+			(credential as unknown as ICredentialsEncrypted).type,
+			mode,
+			timezone,
+		);
+
+		const token = new Csrf();
+		// Generate a CSRF prevention token and send it as a OAuth2 state stringma/ERR
+		const csrfSecret = token.secretSync();
+		const state = {
+			token: token.create(csrfSecret),
+			cid: req.query.id,
+		};
+		const stateEncodedStr = Buffer.from(JSON.stringify(state)).toString('base64');
+
+		const oAuthOptions: ClientOAuth2.Options = {
+			clientId: get(oauthCredentials, 'clientId') as string,
+			clientSecret: get(oauthCredentials, 'clientSecret', '') as string,
+			accessTokenUri: get(oauthCredentials, 'accessTokenUrl', '') as string,
+			authorizationUri: get(oauthCredentials, 'authUrl', '') as string,
+			redirectUri: `${getInstanceBaseUrl()}/${restEndpoint}/oauth2-credential/callback`,
+			scopes: split(get(oauthCredentials, 'scope', 'openid,') as string, ','),
+			state: stateEncodedStr,
+		};
+
+		await externalHooks.run('oauth2.authenticate', [oAuthOptions]);
+
+		const oAuthObj = new ClientOAuth2(oAuthOptions);
+
+		// Encrypt the data
+		const credentials = new Credentials(
+			credential as INodeCredentialsDetails,
+			(credential as unknown as ICredentialsEncrypted).type,
+			(credential as unknown as ICredentialsEncrypted).nodesAccess,
+		);
+		decryptedDataOriginal.csrfSecret = csrfSecret;
+
+		credentials.setData(decryptedDataOriginal, encryptionKey);
+		const newCredentialsData = credentials.getDataToSave() as unknown as ICredentialsDb;
+
+		// Add special database related data
+		newCredentialsData.updatedAt = new Date();
+
+		// Update the credentials in DB
+		await Db.collections.Credentials.update(req.query.id, newCredentialsData);
+
+		const authQueryParameters = get(oauthCredentials, 'authQueryParameters', '') as string;
+		let returnUri = oAuthObj.code.getUri();
+
+		// if scope uses comma, change it as the library always return then with spaces
+		if ((get(oauthCredentials, 'scope') as string).includes(',')) {
+			const data = querystring.parse(returnUri.split('?')[1]);
+			data.scope = get(oauthCredentials, 'scope') as string;
+			returnUri = `${get(oauthCredentials, 'authUrl', '') as string}?${querystring.stringify(
+				data,
+			)}`;
+		}
+
+		if (authQueryParameters) {
+			returnUri += `&${authQueryParameters}`;
+		}
+
+		LoggerProxy.verbose('OAuth2 authentication successful for new credential', {
+			userId: req.user.id,
+			credentialId,
+		});
+		return returnUri;
+	}),
+);
+
+/**
+ * GET /oauth2-credential/callback
+ *
+ * Verify and store app code. Generate access tokens and store for respective credential.
+ */
+
+oauth2CredentialController.get(
+	'/callback',
+	async (req: OAuthRequest.OAuth2Credential.Callback, res: express.Response) => {
+		try {
+			// realmId it's currently just use for the quickbook OAuth2 flow
+			const { code, state: stateEncoded } = req.query;
+
+			if (!code || !stateEncoded) {
+				const errorResponse = new ResponseHelper.ResponseError(
+					`Insufficient parameters for OAuth2 callback. Received following query parameters: ${JSON.stringify(
+						req.query,
+					)}`,
+					undefined,
+					503,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			let state;
+			try {
+				state = JSON.parse(Buffer.from(stateEncoded, 'base64').toString()) as {
+					cid: string;
+					token: string;
+				};
+			} catch (error) {
+				const errorResponse = new ResponseHelper.ResponseError(
+					'Invalid state format returned',
+					undefined,
+					503,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			const credential = await getCredentialWithoutUser(state.cid);
+
+			if (!credential) {
+				LoggerProxy.error('OAuth2 callback failed because of insufficient permissions', {
+					userId: req.user?.id,
+					credentialId: state.cid,
+				});
+				const errorResponse = new ResponseHelper.ResponseError(
+					RESPONSE_ERROR_MESSAGES.NO_CREDENTIAL,
+					undefined,
+					404,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			let encryptionKey: string;
+			try {
+				encryptionKey = await UserSettings.getEncryptionKey();
+			} catch (error) {
+				throw new ResponseHelper.ResponseError(
+					(error as IDataObject).message as string,
+					undefined,
+					500,
+				);
+			}
+
+			const mode: WorkflowExecuteMode = 'internal';
+			const timezone = config.getEnv('generic.timezone');
+			const credentialsHelper = new CredentialsHelper(encryptionKey);
+			const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+				credential as INodeCredentialsDetails,
+				(credential as unknown as ICredentialsEncrypted).type,
+				mode,
+				timezone,
+				true,
+			);
+			const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+				decryptedDataOriginal,
+				(credential as unknown as ICredentialsEncrypted).type,
+				mode,
+				timezone,
+			);
+
+			const token = new Csrf();
+			if (
+				decryptedDataOriginal.csrfSecret === undefined ||
+				!token.verify(decryptedDataOriginal.csrfSecret as string, state.token)
+			) {
+				LoggerProxy.debug('OAuth2 callback state is invalid', {
+					userId: req.user?.id,
+					credentialId: state.cid,
+				});
+				const errorResponse = new ResponseHelper.ResponseError(
+					'The OAuth2 callback state is invalid!',
+					undefined,
+					404,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			let options = {};
+
+			const oAuth2Parameters = {
+				clientId: get(oauthCredentials, 'clientId') as string,
+				clientSecret: get(oauthCredentials, 'clientSecret', '') as string | undefined,
+				accessTokenUri: get(oauthCredentials, 'accessTokenUrl', '') as string,
+				authorizationUri: get(oauthCredentials, 'authUrl', '') as string,
+				redirectUri: `${getInstanceBaseUrl()}/${restEndpoint}/oauth2-credential/callback`,
+				scopes: split(get(oauthCredentials, 'scope', 'openid,') as string, ','),
+			};
+
+			if ((get(oauthCredentials, 'authentication', 'header') as string) === 'body') {
+				options = {
+					body: {
+						client_id: get(oauthCredentials, 'clientId') as string,
+						client_secret: get(oauthCredentials, 'clientSecret', '') as string,
+					},
+				};
+				delete oAuth2Parameters.clientSecret;
+			}
+
+			await externalHooks.run('oauth2.callback', [oAuth2Parameters]);
+
+			const oAuthObj = new ClientOAuth2(oAuth2Parameters);
+
+			const queryParameters = req.originalUrl.split('?').splice(1, 1).join('');
+
+			const oauthToken = await oAuthObj.code.getToken(
+				`${oAuth2Parameters.redirectUri}?${queryParameters}`,
+				options,
+			);
+
+			if (Object.keys(req.query).length > 2) {
+				set(oauthToken.data, 'callbackQueryString', omit(req.query, 'state', 'code'));
+			}
+
+			if (oauthToken === undefined) {
+				LoggerProxy.error('OAuth2 callback failed: unable to get access tokens', {
+					userId: req.user?.id,
+					credentialId: state.cid,
+				});
+				const errorResponse = new ResponseHelper.ResponseError(
+					'Unable to get access tokens!',
+					undefined,
+					404,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			if (decryptedDataOriginal.oauthTokenData) {
+				// Only overwrite supplied data as some providers do for example just return the
+				// refresh_token on the very first request and not on subsequent ones.
+				Object.assign(decryptedDataOriginal.oauthTokenData, oauthToken.data);
+			} else {
+				// No data exists so simply set
+				decryptedDataOriginal.oauthTokenData = oauthToken.data;
+			}
+
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-call
+			unset(decryptedDataOriginal, 'csrfSecret');
+
+			const credentials = new Credentials(
+				credential as INodeCredentialsDetails,
+				(credential as unknown as ICredentialsEncrypted).type,
+				(credential as unknown as ICredentialsEncrypted).nodesAccess,
+			);
+			credentials.setData(decryptedDataOriginal, encryptionKey);
+			const newCredentialsData = credentials.getDataToSave() as unknown as ICredentialsDb;
+			// Add special database related data
+			newCredentialsData.updatedAt = new Date();
+			// Save the credentials in DB
+			await Db.collections.Credentials.update(state.cid, newCredentialsData);
+			LoggerProxy.verbose('OAuth2 callback successful for new credential', {
+				userId: req.user?.id,
+				credentialId: state.cid,
+			});
+
+			return res.sendFile(pathResolve(__dirname, '../../../templates/oauth-callback.html'));
+		} catch (error) {
+			// Error response
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+			return ResponseHelper.sendErrorResponse(res, error);
+		}
+	},
+);