
fix(core): Improve the security on OAuth callback endpoints #11593

Merged
merged 10 commits into from
Nov 19, 2024

Conversation

netroy (Member) commented Nov 6, 2024

Summary

This PR updates our oauth endpoints to

  1. Optionally enable auth on the callback endpoints
  2. Include the userId of the person starting the OAuth flow in the CSRF state, and ensure that only that user can handle the callback URL
  3. Add createdAt to the CSRF state, and use that to expire OAuth flows if not finished within 5 minutes
  4. Reduce code duplication
  5. Get test coverage for this code over 95%

Auth on the callback endpoint is disabled for now for backward compatibility, but will be enabled by default in the next major release.

Related Linear tickets, Github issues, and Community forum posts

SEC-163

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@netroy netroy changed the title fix(core): Improve the scurity on OAuth calback endpoints fix(core): Improve the security on OAuth calback endpoints Nov 6, 2024
@netroy netroy changed the title fix(core): Improve the security on OAuth calback endpoints fix(core): Improve the security on OAuth callback endpoints Nov 6, 2024
@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Nov 6, 2024
@netroy netroy force-pushed the SEC-163-secure-oauth-callback branch 2 times, most recently from 80fb12e to 51453bc Compare November 12, 2024 10:28

codecov bot commented Nov 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅


@netroy netroy force-pushed the SEC-163-secure-oauth-callback branch from 51453bc to 54808e6 Compare November 12, 2024 12:24
@netroy netroy force-pushed the SEC-163-secure-oauth-callback branch from 54808e6 to e4eb7d0 Compare November 12, 2024 14:07
@netroy netroy marked this pull request as ready for review November 12, 2024 14:23
@netroy netroy force-pushed the SEC-163-secure-oauth-callback branch from e4eb7d0 to a49f61d Compare November 12, 2024 14:55
ivov previously approved these changes Nov 13, 2024

const additionalData = await this.getAdditionalData();
const decryptedDataOriginal = await this.getDecryptedData(credential, additionalData);
const oauthCredentials = this.applyDefaultsAndOverwrites<T>(
Contributor:

Looks like we should set a default for this generic.

Contributor:

✅ All Cypress E2E specs passed

cypress bot commented Nov 13, 2024

n8n Run #7985

Run properties:
  • Status: Passed #7985
  • Project: n8n
  • Branch: SEC-163-secure-oauth-callback
  • Run duration: 04m 40s
  • Commit: 53d0940177 (browsers:node18.12.0-chrome107, netroy, e2e/*)
  • Committer: कारतोफ्फेलस्क्रिप्ट™

Test results:
  • Failures: 0
  • Flaky: 3
  • Pending (skipped with .skip): 0
  • Skipped (mocha hook failure): 0
  • Passing: 477

ivov previously approved these changes Nov 15, 2024

ivov (Contributor) left a comment:

🙏🏻


// TODO: Flip this flag in v2
// https://linear.app/n8n/issue/CAT-329
export const skipAuthOnOAuthCallback = process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK !== 'true';
Contributor:

Why do we want this as an "unofficial" env? (i.e. excluded from config object and from docs)

Member Author:

We don't want to document this because we really don't want anyone using it unless they have no other option, like some embed customers.
Once we have those customers migrated, we'll just remove this and make auth always mandatory on the callback.

Contributor:

⚠️ Some Cypress E2E specs are failing, please fix them before merging

Contributor:

✅ All Cypress E2E specs passed

@netroy netroy merged commit 274fcf4 into master Nov 19, 2024
35 checks passed
@netroy netroy deleted the SEC-163-secure-oauth-callback branch November 19, 2024 15:17
@github-actions github-actions bot mentioned this pull request Nov 20, 2024
janober (Member) commented Nov 20, 2024

Got released with n8n@1.69.0
