
refactor(core): Use consistent CSRF state validation across oAuth controllers #9104

Merged: 4 commits merged into master from oauth1-csrf on May 23, 2024

Conversation

netroy (Member) commented Apr 9, 2024

We use a CSRF state on oAuth2 flows to prevent credentialId from being tampered with.
This PR updates the oAuth1 flows to reuse the same code to ensure the same level of safety across all oAuth flows.

Review / Merge checklist

  • PR title and summary are descriptive
  • Tests included
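The PR description above says the OAuth state is what stops a callback from writing tokens into a credentialId the attacker chose. The following is an added example, not n8n's code, that shows one way to get that property: the state carries the credentialId and a fresh nonce, and both are covered by an HMAC under a server-side key, so editing the credentialId invalidates the state. The key name `STATE_KEY`, the function names and the exact state layout are assumptions for this illustration; the project may bind the state differently (for instance with a per-credential secret).

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';

// Hypothetical server-side key for this example; a real deployment would load it
// from configuration or a key store and never send it to the client.
const STATE_KEY: Buffer = randomBytes(32);

interface StatePayload {
  cid: string;   // credentialId that the callback is allowed to write to
  nonce: string; // fresh per authorization request, so two flows never share a state
}

function mac(payloadB64: string, key: Buffer): string {
  return createHmac('sha256', key).update(payloadB64).digest('base64url');
}

// Authorize step: build state = base64url(JSON{cid, nonce}) + "." + HMAC over it.
function createOAuthState(credentialId: string, key: Buffer = STATE_KEY): string {
  const payload: StatePayload = { cid: credentialId, nonce: randomBytes(16).toString('base64url') };
  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
  return `${payloadB64}.${mac(payloadB64, key)}`;
}

// Callback step: return the credentialId only if the MAC verifies, otherwise null.
// Any change to cid (or nonce) changes the MAC input, so a swapped credentialId is rejected
// before the handler ever looks the credential up.
function verifyOAuthState(state: string, key: Buffer = STATE_KEY): string | null {
  const parts = state.split('.');
  if (parts.length !== 2) return null;
  const [payloadB64, givenMac] = parts;
  const expected = Buffer.from(mac(payloadB64, key), 'base64url');
  const given = Buffer.from(givenMac, 'base64url');
  // Constant-time compare; length check first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const payload = JSON.parse(
      Buffer.from(payloadB64, 'base64url').toString('utf8'),
    ) as Partial<StatePayload>;
    if (typeof payload.cid !== 'string' || typeof payload.nonce !== 'string') return null;
    return payload.cid;
  } catch {
    return null; // not valid JSON under the MAC'd bytes
  }
}

// The tampering the PR guards against: keep the original MAC, swap the credentialId.
function forgeCredentialId(state: string, newCredentialId: string): string {
  const [payloadB64, givenMac] = state.split('.');
  const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8')) as StatePayload;
  payload.cid = newCredentialId;
  return `${Buffer.from(JSON.stringify(payload)).toString('base64url')}.${givenMac}`;
}

function demo(): {
  genuineAccepted: string | null;
  forgedAccepted: string | null;
  wrongKeyAccepted: string | null;
} {
  const genuine = createOAuthState('cred-42'); // constructed sample credentialId
  return {
    genuineAccepted: verifyOAuthState(genuine),                                // 'cred-42'
    forgedAccepted: verifyOAuthState(forgeCredentialId(genuine, 'cred-99')),   // null
    wrongKeyAccepted: verifyOAuthState(genuine, randomBytes(32)),              // null
  };
}

console.log(demo());
```

The nonce keeps two authorization attempts from producing the same state; it only prevents replay of a captured state if the callback also records nonces it has already consumed, which this example leaves out. Whatever the binding mechanism, the check should run identically in the OAuth1 and OAuth2 callback handlers, which is the point of the PR.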

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Apr 9, 2024
despairblue (Contributor) previously approved these changes May 23, 2024 and left a comment:

From what I can tell this looks good. One small question out of curiosity.

cypress bot commented May 23, 2024

2 failed and 1 flaky tests on run #5118 ↗︎

Failed: 2 | Passed: 350 | Pending: 0 | Skipped: 0 | Flaky: 1

Details:

🌳 master  🖥️ browsers:node18.12.0-chrome107  🤖 PR User  🗃️ e2e/*
Project: n8n  Commit: b585777c79
Status: Failed  Duration: 04:51
Started: May 24, 2024 3:11 AM  Ended: May 24, 2024 3:15 AM

Failed  cypress/e2e/27-cloud.cy.ts • 2 failed tests
  • Cloud > Admin Home > Should show admin button
  • Cloud > Public API > Should show upgrade CTA for Public API if user is trialing

Flakiness  cypress/e2e/5-ndv.cy.ts • 1 flaky test
  • NDV > Stop listening for trigger event from NDV

Review all test suite changes for PR #9104 ↗︎

✅ All Cypress E2E specs passed

@netroy netroy requested a review from despairblue May 23, 2024 12:54
despairblue (Contributor) left a comment:

I made some suggestions to the unit tests. Let me know what you think.

netroy and others added 2 commits May 23, 2024 16:02
@netroy netroy requested a review from despairblue May 23, 2024 14:34
✅ All Cypress E2E specs passed

@netroy netroy merged commit b585777 into master May 23, 2024
28 checks passed
@netroy netroy deleted the oauth1-csrf branch May 23, 2024 17:08
MiloradFilipovic added a commit that referenced this pull request May 24, 2024
* master:
  refactor(core): Use consistent CSRF state validation across oAuth controllers (#9104)
  feat(core): Print the name of the migration that cannot be reverted when using `n8n db:revert` (#9473)
  fix(editor): Hard load after logout to reset stores (no-changelog) (#9500)
  refactor(core): Stop reporting `EAUTH` error codes to Sentry (no-changelog) (#9496)
  fix(core): Upgrade sheetjs to address CVE-2024-22363 (#9498)
  refactor: Remove skipped tests (no-changelog) (#9497)
  feat(editor): Add initial code for NodeView and Canvas rewrite (no-changelog) (#9135)
  fix(editor): Show input panel with not connected message (#9495)
  fix(editor): Prevent XSS in node-issues tooltip (#9490)

# Conflicts:
#	pnpm-lock.yaml
janober (Member) commented May 30, 2024

Got released with [email protected]

Labels
core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team Released