Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Add query auth for Jira Trigger security - N8N-3568 #3172

Merged
merged 6 commits into from
Jul 10, 2022
Merged

✨ Add query auth for Jira Trigger security - N8N-3568 #3172

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
631b8b9
✨ Add query auth for Jira Trigger security
pemontto Apr 22, 2022
09e57f0
Merge branch 'master' of https://github.com/n8n-io/n8n into jira-trig…
michael-radency May 11, 2022
9d19830
:zap: small fixes:
michael-radency May 11, 2022
8f7aedd
⬆️ Merge master
RicardoE105 Jul 6, 2022
689dc6a
:zap: Response with 403 when invalid query authentication
RicardoE105 Jul 6, 2022
34357a6
:shirt: Fix linting issues
RicardoE105 Jul 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
95 changes: 91 additions & 4 deletions packages/nodes-base/nodes/Jira/JiraTrigger.node.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,12 @@ import {
} from 'n8n-core';

import {
ICredentialDataDecryptedObject,
IDataObject,
INodeType,
INodeTypeDescription,
IWebhookResponseData,
NodeOperationError,
} from 'n8n-workflow';

import {
Expand Down Expand Up @@ -55,6 +57,17 @@ export class JiraTrigger implements INodeType {
},
},
},
{
name: 'httpQueryAuth',
required: true,
displayOptions: {
show: {
incomingAuthentication: [
'queryAuth',
],
},
},
},
],
webhooks: [
{
Expand All @@ -81,6 +94,23 @@ export class JiraTrigger implements INodeType {
],
default: 'cloud',
},
{
displayName: 'Incoming Authentication',
name: 'incomingAuthentication',
type: 'options',
options: [
{
name: 'Query Auth',
value: 'queryAuth',
},
{
name: 'None',
value: 'none',
},
],
default: 'none',
description: 'If authentication should be activated for the webhook (makes it more secure)',
},
{
displayName: 'Events',
name: 'events',
Expand Down Expand Up @@ -379,6 +409,8 @@ export class JiraTrigger implements INodeType {

const webhookData = this.getWorkflowStaticData('node');

const incomingAuthentication = this.getNodeParameter('incomingAuthentication') as string;

if (events.includes('*')) {
events = allEvents;
}
Expand All @@ -402,12 +434,30 @@ export class JiraTrigger implements INodeType {
body.excludeBody = additionalFields.excludeBody as boolean;
}

// tslint:disable-next-line: no-any
const parameters: any = {};

if (incomingAuthentication === 'queryAuth') {
let httpQueryAuth;
try{
httpQueryAuth = await this.getCredentials('httpQueryAuth');
} catch (e) {
throw new NodeOperationError(this.getNode(), `Could not retrieve HTTP Query Auth credentials: ${e}`);
}
if (!httpQueryAuth.name && !httpQueryAuth.value) {
throw new NodeOperationError(this.getNode(), `HTTP Query Auth credentials are empty`);
}
parameters[encodeURIComponent(httpQueryAuth.name as string)] = Buffer.from(httpQueryAuth.value as string).toString('base64');
}

if (additionalFields.includeFields) {
// tslint:disable-next-line: no-any
const parameters: any = {};

for (const field of additionalFields.includeFields as string[]) {
parameters[field] = '${' + field + '}';
}
}

if (Object.keys(parameters).length) {
body.url = `${body.url}?${queryString.unescape(queryString.stringify(parameters))}`;
}

Expand Down Expand Up @@ -441,9 +491,46 @@ export class JiraTrigger implements INodeType {

async webhook(this: IWebhookFunctions): Promise<IWebhookResponseData> {
const bodyData = this.getBodyData();
const queryData = this.getQueryData();
const queryData = this.getQueryData() as IDataObject;
const response = this.getResponseObject();

const incomingAuthentication = this.getNodeParameter('incomingAuthentication') as string;

if (incomingAuthentication === 'queryAuth') {
let httpQueryAuth: ICredentialDataDecryptedObject | undefined;

try {
httpQueryAuth = await this.getCredentials('httpQueryAuth');
} catch (error) { }

if (httpQueryAuth === undefined || !httpQueryAuth.name || !httpQueryAuth.value) {

response.status(403).json({ message: 'Auth settings are not valid, some data are missing' });

return {
noWebhookResponse: true,
};
}

const paramName = httpQueryAuth.name as string;
const paramValue = Buffer.from(httpQueryAuth.value as string).toString('base64');

if (!queryData.hasOwnProperty(paramName) || queryData[paramName] !== paramValue) {

response.status(403).json({ message: 'Provided authentication data is not valid' });

return {
noWebhookResponse: true,
};
}

delete queryData[paramName];

Object.assign(bodyData, queryData);

Object.assign(bodyData, queryData);
} else {
Object.assign(bodyData, queryData);
}

return {
workflowData: [
Expand Down