Skip to content

Commit

Permalink
fix(core): Improve browserId checks, and add logging (#9161)
Browse files Browse the repository at this point in the history
  • Loading branch information
netroy authored Apr 18, 2024
1 parent 135ef75 commit ff9ae54
Show file tree
Hide file tree
Showing 8 changed files with 46 additions and 29 deletions.
1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@
"@sentry/cli@2.17.0": "patches/@sentry__cli@2.17.0.patch",
"pkce-challenge@3.0.0": "patches/pkce-challenge@3.0.0.patch",
"pyodide@0.23.4": "patches/pyodide@0.23.4.patch",
"@types/express-serve-static-core@4.17.43": "patches/@types__express-serve-static-core@4.17.43.patch",
"@types/ws@8.5.4": "patches/@types__ws@8.5.4.patch",
"vite-plugin-checker@0.6.4": "patches/vite-plugin-checker@0.6.4.patch"
}
Expand Down
2 changes: 1 addition & 1 deletion packages/@n8n/nodes-langchain/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@
"devDependencies": {
"@aws-sdk/types": "3.357.0",
"@types/basic-auth": "^1.1.3",
"@types/express": "^4.17.6",
"@types/express": "^4.17.21",
"@types/html-to-text": "^9.0.1",
"@types/json-schema": "^7.0.15",
"@types/temp": "^0.9.1",
Expand Down
20 changes: 14 additions & 6 deletions packages/cli/src/auth/auth.service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ const skipBrowserIdCheckEndpoints = [
`/${restEndpoint}/push`,

// We need to exclude binary-data downloading endpoint because we can't send custom headers on `<embed>` tags
`/${restEndpoint}/binary-data`,
`/${restEndpoint}/binary-data/`,

// oAuth callback urls aren't called by the frontend. therefore we can't send custom header on these requests
`/${restEndpoint}/oauth1-credential/callback`,
Expand Down Expand Up @@ -131,15 +131,23 @@ export class AuthService {
// or, If the user has been deactivated (i.e. LDAP users)
user.disabled ||
// or, If the email or password has been updated
jwtPayload.hash !== this.createJWTHash(user) ||
// If the token was issued for another browser session
(!skipBrowserIdCheckEndpoints.includes(req.baseUrl) &&
jwtPayload.browserId &&
(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId)))
jwtPayload.hash !== this.createJWTHash(user)
) {
throw new AuthError('Unauthorized');
}

// Check if the token was issued for another browser session, ignoring the endpoints that can't send custom headers
const endpoint = req.route ? `${req.baseUrl}${req.route.path}` : req.baseUrl;
if (req.method === 'GET' && skipBrowserIdCheckEndpoints.includes(endpoint)) {
this.logger.debug(`Skipped browserId check on ${endpoint}`);
} else if (
jwtPayload.browserId &&
(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId))
) {
this.logger.warn(`browserId check failed on ${endpoint}`);
throw new AuthError('Unauthorized');
}

if (jwtPayload.exp * 1000 - Date.now() < this.jwtRefreshTimeout) {
this.logger.debug('JWT about to expire. Will be refreshed');
this.issueCookie(res, user, jwtPayload.browserId);
Expand Down
2 changes: 1 addition & 1 deletion packages/core/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@
"@types/aws4": "^1.5.1",
"@types/concat-stream": "^2.0.0",
"@types/cron": "~1.7.1",
"@types/express": "^4.17.6",
"@types/express": "^4.17.21",
"@types/lodash": "^4.14.195",
"@types/mime-types": "^2.1.0",
"@types/uuid": "^8.3.2",
Expand Down
2 changes: 1 addition & 1 deletion packages/nodes-base/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -812,7 +812,7 @@
"@types/cheerio": "^0.22.15",
"@types/cron": "~1.7.1",
"@types/eventsource": "^1.1.2",
"@types/express": "^4.17.6",
"@types/express": "^4.17.21",
"@types/html-to-text": "^9.0.1",
"@types/gm": "^1.25.0",
"@types/js-nacl": "^1.3.0",
Expand Down
2 changes: 1 addition & 1 deletion packages/workflow/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
],
"devDependencies": {
"@types/deep-equal": "^1.0.1",
"@types/express": "^4.17.6",
"@types/express": "^4.17.21",
"@types/jmespath": "^0.15.0",
"@types/lodash": "^4.14.195",
"@types/luxon": "^3.2.0",
Expand Down
13 changes: 13 additions & 0 deletions patches/@types__express-serve-static-core@4.17.43.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
diff --git a/index.d.ts b/index.d.ts
index 5cc36f5760c806a76ee839bfb67c419c9cb48901..8ef0bf74f0f31741b564fe37f040144526e98eb5 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -646,7 +646,7 @@ export interface Request<

query: ReqQuery;

- route: any;
+ route?: Pick<IRoute, 'path' | 'stack'>;

signedCookies: any;

33 changes: 14 additions & 19 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit ff9ae54

Please sign in to comment.