fix(core): Improve browserId checks, and add logging (#9161)

2024-04-18 15:53:19 +02:00
parent 135ef75add
commit ff9ae549fd
8 changed files with 46 additions and 29 deletions
--- a/packages/@n8n/nodes-langchain/package.json
+++ b/packages/@n8n/nodes-langchain/package.json
@@ -120,7 +120,7 @@
  "devDependencies": {
    "@aws-sdk/types": "3.357.0",
    "@types/basic-auth": "^1.1.3",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
    "@types/html-to-text": "^9.0.1",
    "@types/json-schema": "^7.0.15",
    "@types/temp": "^0.9.1",
--- a/packages/cli/src/auth/auth.service.ts
+++ b/packages/cli/src/auth/auth.service.ts
@@ -41,7 +41,7 @@ const skipBrowserIdCheckEndpoints = [
 	`/${restEndpoint}/push`,

 	// We need to exclude binary-data downloading endpoint because we can't send custom headers on `<embed>` tags
-	`/${restEndpoint}/binary-data`,
+	`/${restEndpoint}/binary-data/`,

 	// oAuth callback urls aren't called by the frontend. therefore we can't send custom header on these requests
 	`/${restEndpoint}/oauth1-credential/callback`,
@@ -131,15 +131,23 @@ export class AuthService {
 			// or, If the user has been deactivated (i.e. LDAP users)
 			user.disabled ||
 			// or, If the email or password has been updated
-			jwtPayload.hash !== this.createJWTHash(user) ||
-			// If the token was issued for another browser session
-			(!skipBrowserIdCheckEndpoints.includes(req.baseUrl) &&
-				jwtPayload.browserId &&
-				(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId)))
+			jwtPayload.hash !== this.createJWTHash(user)
 		) {
 			throw new AuthError('Unauthorized');
 		}

+		// Check if the token was issued for another browser session, ignoring the endpoints that can't send custom headers
+		const endpoint = req.route ? `${req.baseUrl}${req.route.path}` : req.baseUrl;
+		if (req.method === 'GET' && skipBrowserIdCheckEndpoints.includes(endpoint)) {
+			this.logger.debug(`Skipped browserId check on ${endpoint}`);
+		} else if (
+			jwtPayload.browserId &&
+			(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId))
+		) {
+			this.logger.warn(`browserId check failed on ${endpoint}`);
+			throw new AuthError('Unauthorized');
+		}
+
 		if (jwtPayload.exp * 1000 - Date.now() < this.jwtRefreshTimeout) {
 			this.logger.debug('JWT about to expire. Will be refreshed');
 			this.issueCookie(res, user, jwtPayload.browserId);
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -37,7 +37,7 @@
    "@types/aws4": "^1.5.1",
    "@types/concat-stream": "^2.0.0",
    "@types/cron": "~1.7.1",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
    "@types/lodash": "^4.14.195",
    "@types/mime-types": "^2.1.0",
    "@types/uuid": "^8.3.2",
--- a/packages/nodes-base/package.json
+++ b/packages/nodes-base/package.json
@@ -812,7 +812,7 @@
    "@types/cheerio": "^0.22.15",
    "@types/cron": "~1.7.1",
    "@types/eventsource": "^1.1.2",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
    "@types/html-to-text": "^9.0.1",
    "@types/gm": "^1.25.0",
    "@types/js-nacl": "^1.3.0",
--- a/packages/workflow/package.json
+++ b/packages/workflow/package.json
@@ -40,7 +40,7 @@
  ],
  "devDependencies": {
    "@types/deep-equal": "^1.0.1",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
    "@types/jmespath": "^0.15.0",
    "@types/lodash": "^4.14.195",
    "@types/luxon": "^3.2.0",