
feat(core)!: Set the secure flag on issued cookies #8812

Merged
merged 1 commit into from
Mar 5, 2024

Conversation

netroy (Member) commented Mar 5, 2024

Currently n8n does not set the secure flag on issued cookies. This means that if an instance is reachable over http, it could be vulnerable to MITM attacks.

N8N-7246

Review / Merge checklist

  • PR title and summary are descriptive
  • Tests included

@n8n-assistant bot added the labels "core" (Enhancement outside /nodes-base and /editor-ui) and "n8n team" (Authored by the n8n team) Mar 5, 2024
tomi (Contributor) previously approved these changes Mar 5, 2024

@tomi tomi left a comment

🚀

Should we mark this as a breaking change? As it does break the app if someone is hosting it over http.

cypress bot commented Mar 5, 2024

4 flaky tests on run #4294

0 343 12 0 Flakiness 4

Details:

browsers: node18.12.0-chrome107 | netroy | e2e/*
Project: n8n Commit: b1f05463b0
Status: Passed Duration: 03:55
Started: Mar 5, 2024 4:46 PM Ended: Mar 5, 2024 4:50 PM

Flaky tests (1 each):

  • 5-ndv.cy.ts: NDV > should not retrieve remote options when required params throw errors
  • 30-editor-after-route-changes.cy.ts: Editor zoom should work after route changes > after switching between Editor and Workflow history and Workflow list
  • 17-sharing.cy.ts: Sharing > should work for admin role on credentials created by others (also can share it with themselves)
  • 24-ndv-paired-item.cy.ts: NDV > resolves expression with default item when input node is not parent, while still pairing items

Review all test suite changes for PR #8812

github-actions bot (Contributor) commented Mar 5, 2024

✅ All Cypress E2E specs passed

@netroy netroy force-pushed the N8N-7246-secure-only-cookie branch from 12cd613 to b1f0546 Compare March 5, 2024 15:49
@netroy netroy changed the title feat(core): Set the secure flag on issued cookies feat(core)!: Set the secure flag on issued cookies Mar 5, 2024
netroy (Member, Author) commented Mar 5, 2024

Updated BREAKING-CHANGES.md and the PR title to mark this as a breaking change, and added a new config variable to let people disable the Secure flag.
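The risk the PR description names (a cookie issued without the Secure attribute is also sent by the browser on plain-http requests to the same host) and the opt-out variable added here can be illustrated with a small, self-contained JavaScript example. This is an added example, not n8n's own code: the variable name N8N_SECURE_COOKIE and the value 'false' come from this PR, while the parsing rule (only the literal string 'false' disables the flag), the cookie name and attribute set, and the audit helper are assumptions made for illustration.

```javascript
// Added example, not n8n's own code. It shows (1) deriving the Secure
// attribute from an opt-out variable (N8N_SECURE_COOKIE=false is the name and
// value this PR introduces; the exact parsing rule is an assumption), (2) what
// the issued Set-Cookie header looks like with and without the flag, and
// (3) an audit helper that reports which hardening attributes a header lacks.

// Default to Secure; only the literal string 'false' opts out. Any other
// value, including an unset variable, keeps the flag on (assumed rule).
function shouldUseSecureCookie(env = process.env) {
  return env.N8N_SECURE_COOKIE !== 'false';
}

// Build the value of a Set-Cookie header for a session cookie.
// Cookie name and attribute set are illustrative, not n8n's.
function buildSessionCookie(name, value, { secure, maxAgeSeconds }) {
  const attrs = [
    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
    'Path=/',
    'HttpOnly',        // not readable from page scripts
    'SameSite=Lax',    // not sent on most cross-site requests
    `Max-Age=${maxAgeSeconds}`,
  ];
  // Without Secure, a browser also sends this cookie on plain-http requests
  // to the same host, which is the exposure the PR description refers to.
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Parse one Set-Cookie header value into name, value and an attribute map.
// Attribute keys are lower-cased; valueless attributes map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of rest) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return {
    name: decodeURIComponent(pair.slice(0, eq)),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attributes,
  };
}

// Audit helper: which of Secure / HttpOnly / SameSite a header lacks.
// Returns [] when all three are present.
function missingCookieHardening(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (attributes.secure !== true) missing.push('Secure');
  if (attributes.httponly !== true) missing.push('HttpOnly');
  if (!('samesite' in attributes)) missing.push('SameSite');
  return missing;
}

// Demo with constructed values: default config vs. the opt-out.
function demo() {
  const results = {};
  for (const env of [{}, { N8N_SECURE_COOKIE: 'false' }]) {
    const secure = shouldUseSecureCookie(env);
    const header = buildSessionCookie('session', 'constructed-token', {
      secure,
      maxAgeSeconds: 7 * 24 * 3600,
    });
    results[env.N8N_SECURE_COOKIE ?? 'unset'] = {
      header,
      missing: missingCookieHardening(header),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints both headers: with the variable unset the header ends in "Secure" and the audit reports nothing missing; with N8N_SECURE_COOKIE=false the audit reports ["Secure"], which is exactly the state an operator accepts when hosting over plain http. The same audit helper can be pointed at the Set-Cookie header of a real response to confirm the deployed setting.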

@netroy netroy requested a review from tomi March 5, 2024 15:51
tomi (Contributor) left a comment

🚀

@@ -15,6 +15,7 @@ if (inE2ETests) {
process.env.N8N_LOG_LEVEL = 'silent';
process.env.N8N_PUBLIC_API_DISABLED = 'true';
process.env.SKIP_STATISTICS_EVENTS = 'true';
process.env.N8N_SECURE_COOKIE = 'false';
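Review bot: the added line `process.env.N8N_SECURE_COOKIE = 'false';` sits inside the `if (inE2ETests)` block, so every e2e run exercises the opt-out path and never the new default; a later regression that drops the Secure attribute would still pass this suite. Suggest pairing it with a unit test of the cookie-issuing code that asserts the attribute is present when the variable is unset (without going through the e2e client), and adding a one-line comment next to this assignment stating why the flag is disabled in tests, so the line is not removed later as an apparent oversight.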
tomi (Contributor) commented:

Maybe we could set it to true in tests so it corresponds to the most common config? Or leave it out so the default value gets tested.

netroy (Member, Author) replied:

We unfortunately can't do that right now because superagent doesn't handle secure cookies, which breaks every integration test that updates the cookie in the response.

github-actions bot (Contributor) commented Mar 5, 2024

✅ All Cypress E2E specs passed

@netroy netroy merged commit 0818824 into master Mar 5, 2024
28 checks passed
@netroy netroy deleted the N8N-7246-secure-only-cookie branch March 5, 2024 17:57
janober (Member) commented Mar 6, 2024

Got released with [email protected]

Labels: core (Enhancement outside /nodes-base and /editor-ui), n8n team (Authored by the n8n team), Released