feat: Add variables feature (#5602)

* feat: add variables db models and migrations * feat: variables api endpoints * feat: add $variables to expressions * test: fix ActiveWorkflowRunner tests failing * test: a different fix for the tests broken by $variables * feat: variables licensing * fix: could create one extra variable than licensed for * feat: Add Variables UI page and $vars global property (#5750) * feat: add support for row slot to datatable * feat: add variables create, read, update, delete * feat: add vars autocomplete * chore: remove alert * feat: add variables autocomplete for code and expressions * feat: add tests for variable components * feat: add variables search and sort * test: update tests for variables view * chore: fix test and linting issue * refactor: review changes * feat: add variable creation telemetry * fix: Improve variables listing and disabled case, fix resource sorting (no-changelog) (#5903) * fix: Improve variables disabled experience and fix sorting * fix: update action box margin * test: update tests for variables row and datatable * fix: Add ee controller to base controller * fix: variables.ee routes not being added * feat: add variables validation * fix: fix vue-fragment bug that breaks everything * chore: Update lock * feat: Add variables input validation and permissions (no-changelog) (#5910) * feat: add input validation * feat: handle variables view for non-instance-owner users * test: update variables tests * fix: fix data-testid pattern * feat: improve overflow styles * test: fix variables row snapshot * feat: update sorting to take newly created variables into account * fix: fix list layout overflow * fix: fix adding variables on page other than 1. fix validation * feat: add docs link * fix: fix default displayName function for resource-list-layout * feat: improve vars expressions ux, cm-tooltip * test: fix datatable test * feat: add MATCH_REGEX validation rule * fix: overhaul how datatable pagination selector works * feat: update completer description * fix: conditionally update usage syntax based on key validation * test: update datatable snapshot * fix: fix variables-row button margins * fix: fix pagination overflow * test: Fix broken test * test: Update snapshot * fix: Remove duplicate declaration * feat: add custom variables icon --------- Co-authored-by: Alex Grozav <alex@grozav.com> Co-authored-by: Omar Ajoue <krynble@gmail.com>
2025-12-21 11:49:59 +00:00 · 2023-04-18 11:41:55 +01:00
parent 1555387ece
commit 1bb987140a
94 changed files with 2925 additions and 200 deletions
--- a/packages/cli/src/Db.ts
+++ b/packages/cli/src/Db.ts
@@ -34,6 +34,7 @@ import {
 	SharedWorkflowRepository,
 	TagRepository,
 	UserRepository,
+	VariablesRepository,
 	WebhookRepository,
 	WorkflowRepository,
 	WorkflowStatisticsRepository,
@@ -178,6 +179,7 @@ export async function init(
 	collections.SharedWorkflow = Container.get(SharedWorkflowRepository);
 	collections.Tag = Container.get(TagRepository);
 	collections.User = Container.get(UserRepository);
+	collections.Variables = Container.get(VariablesRepository);
 	collections.Webhook = Container.get(WebhookRepository);
 	collections.Workflow = Container.get(WorkflowRepository);
 	collections.WorkflowStatistics = Container.get(WorkflowStatisticsRepository);
--- a/packages/cli/src/Interfaces.ts
+++ b/packages/cli/src/Interfaces.ts
@@ -56,6 +56,7 @@ import type {
 	SharedWorkflowRepository,
 	TagRepository,
 	UserRepository,
+	VariablesRepository,
 	WebhookRepository,
 	WorkflowRepository,
 	WorkflowStatisticsRepository,
@@ -99,6 +100,7 @@ export interface IDatabaseCollections {
 	SharedWorkflow: SharedWorkflowRepository;
 	Tag: TagRepository;
 	User: UserRepository;
+	Variables: VariablesRepository;
 	Webhook: WebhookRepository;
 	Workflow: WorkflowRepository;
 	WorkflowStatistics: WorkflowStatisticsRepository;
@@ -458,6 +460,7 @@ export interface IInternalHooksClass {
 	}): Promise<void>;
 	onApiKeyCreated(apiKeyDeletedData: { user: User; public_api: boolean }): Promise<void>;
 	onApiKeyDeleted(apiKeyDeletedData: { user: User; public_api: boolean }): Promise<void>;
+	onVariableCreated(createData: { variable_type: string }): Promise<void>;
 }

 export interface IVersionNotificationSettings {
@@ -538,11 +541,15 @@ export interface IN8nUISettings {
 		saml: boolean;
 		logStreaming: boolean;
 		advancedExecutionFilters: boolean;
+		variables: boolean;
 	};
 	hideUsagePage: boolean;
 	license: {
 		environment: 'production' | 'staging';
 	};
+	variables: {
+		limit: number;
+	};
 }

 export interface IPersonalizationSurveyAnswers {
--- a/packages/cli/src/InternalHooks.ts
+++ b/packages/cli/src/InternalHooks.ts
@@ -981,4 +981,8 @@ export class InternalHooks implements IInternalHooksClass {
 	async onAuditGeneratedViaCli() {
 		return this.telemetry.track('Instance generated security audit via CLI command');
 	}
+
+	async onVariableCreated(createData: { variable_type: string }): Promise<void> {
+		return this.telemetry.track('User created variable', createData);
+	}
 }
--- a/packages/cli/src/License.ts
+++ b/packages/cli/src/License.ts
@@ -4,7 +4,12 @@ import type { ILogger } from 'n8n-workflow';
 import { getLogger } from './Logger';
 import config from '@/config';
 import * as Db from '@/Db';
-import { LICENSE_FEATURES, N8N_VERSION, SETTINGS_LICENSE_CERT_KEY } from './constants';
+import {
+	LICENSE_FEATURES,
+	LICENSE_QUOTAS,
+	N8N_VERSION,
+	SETTINGS_LICENSE_CERT_KEY,
+} from './constants';
 import { Service } from 'typedi';

 async function loadCertStr(): Promise<TLicenseBlock> {
@@ -119,6 +124,10 @@ export class License {
 		return this.isFeatureEnabled(LICENSE_FEATURES.ADVANCED_EXECUTION_FILTERS);
 	}

+	isVariablesEnabled() {
+		return this.isFeatureEnabled(LICENSE_FEATURES.VARIABLES);
+	}
+
 	getCurrentEntitlements() {
 		return this.manager?.getCurrentEntitlements() ?? [];
 	}
@@ -162,7 +171,11 @@ export class License {

 	// Helper functions for computed data
 	getTriggerLimit(): number {
-		return (this.getFeatureValue('quota:activeWorkflows') ?? -1) as number;
+		return (this.getFeatureValue(LICENSE_QUOTAS.TRIGGER_LIMIT) ?? -1) as number;
+	}
+
+	getVariablesLimit(): number {
+		return (this.getFeatureValue(LICENSE_QUOTAS.VARIABLES_LIMIT) ?? -1) as number;
 	}

 	getPlanName(): string {
--- a/packages/cli/src/Server.ts
+++ b/packages/cli/src/Server.ts
@@ -156,7 +156,9 @@ import {
 import { getSamlLoginLabel, isSamlLoginEnabled, isSamlLicensed } from './sso/saml/samlHelpers';
 import { SamlController } from './sso/saml/routes/saml.controller.ee';
 import { SamlService } from './sso/saml/saml.service.ee';
+import { variablesController } from './environments/variables.controller';
 import { LdapManager } from './Ldap/LdapManager.ee';
+import { getVariablesLimit, isVariablesEnabled } from '@/environments/enviromentHelpers';
 import { getCurrentAuthenticationMethod } from './sso/ssoHelpers';

 const exec = promisify(callbackExec);
@@ -317,11 +319,15 @@ class Server extends AbstractServer {
 				saml: false,
 				logStreaming: false,
 				advancedExecutionFilters: false,
+				variables: false,
 			},
 			hideUsagePage: config.getEnv('hideUsagePage'),
 			license: {
 				environment: config.getEnv('license.tenantId') === 1 ? 'production' : 'staging',
 			},
+			variables: {
+				limit: 0,
+			},
 		};
 	}

@@ -347,6 +353,7 @@ class Server extends AbstractServer {
 			ldap: isLdapEnabled(),
 			saml: isSamlLicensed(),
 			advancedExecutionFilters: isAdvancedExecutionFiltersEnabled(),
+			variables: isVariablesEnabled(),
 		});

 		if (isLdapEnabled()) {
@@ -363,6 +370,10 @@ class Server extends AbstractServer {
 			});
 		}

+		if (isVariablesEnabled()) {
+			this.frontendSettings.variables.limit = getVariablesLimit();
+		}
+
 		if (config.get('nodes.packagesMissing').length > 0) {
 			this.frontendSettings.missingPackages = true;
 		}
@@ -540,6 +551,13 @@ class Server extends AbstractServer {
 		}

 		// ----------------------------------------
+		// Variables
+		// ----------------------------------------
+
+		this.app.use(`/${this.restEndpoint}/variables`, variablesController);
+
+		// ----------------------------------------
+
 		// Returns parameter values which normally get loaded from an external API or
 		// get generated dynamically
 		this.app.get(
--- a/packages/cli/src/WorkflowExecuteAdditionalData.ts
+++ b/packages/cli/src/WorkflowExecuteAdditionalData.ts
@@ -1164,7 +1164,10 @@ export async function getBase(
 	const webhookWaitingBaseUrl = urlBaseWebhook + config.getEnv('endpoints.webhookWaiting');
 	const webhookTestBaseUrl = urlBaseWebhook + config.getEnv('endpoints.webhookTest');

-	const encryptionKey = await UserSettings.getEncryptionKey();
+	const [encryptionKey, variables] = await Promise.all([
+		UserSettings.getEncryptionKey(),
+		WorkflowHelpers.getVariables(),
+	]);

 	return {
 		credentialsHelper: new CredentialsHelper(encryptionKey),
@@ -1179,6 +1182,7 @@ export async function getBase(
 		executionTimeoutTimestamp,
 		userId,
 		setExecutionStatus,
+		variables,
 	};
 }

--- a/packages/cli/src/WorkflowHelpers.ts
+++ b/packages/cli/src/WorkflowHelpers.ts
@@ -562,3 +562,12 @@ export function validateWorkflowCredentialUsage(

 	return newWorkflowVersion;
 }
+
+export async function getVariables(): Promise<IDataObject> {
+	return Object.freeze(
+		(await Db.collections.Variables.find()).reduce((prev, curr) => {
+			prev[curr.key] = curr.value;
+			return prev;
+		}, {} as IDataObject),
+	);
+}
--- a/packages/cli/src/constants.ts
+++ b/packages/cli/src/constants.ts
@@ -74,6 +74,12 @@ export enum LICENSE_FEATURES {
 	SAML = 'feat:saml',
 	LOG_STREAMING = 'feat:logStreaming',
 	ADVANCED_EXECUTION_FILTERS = 'feat:advancedExecutionFilters',
+	VARIABLES = 'feat:variables',
+}
+
+export enum LICENSE_QUOTAS {
+	TRIGGER_LIMIT = 'quota:activeWorkflows',
+	VARIABLES_LIMIT = 'quota:maxVariables',
 }

 export const CREDENTIAL_BLANKING_VALUE = '__n8n_BLANK_VALUE_e5362baf-c777-4d57-a609-6eaf1f9e87f6';
--- a/packages/cli/src/databases/entities/Variables.ts
+++ b/packages/cli/src/databases/entities/Variables.ts
@@ -0,0 +1,16 @@
+import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
+
+@Entity()
+export class Variables {
+	@PrimaryGeneratedColumn()
+	id: number;
+
+	@Column('text')
+	key: string;
+
+	@Column('text', { default: 'string' })
+	type: string;
+
+	@Column('text')
+	value: string;
+}
--- a/packages/cli/src/databases/entities/index.ts
+++ b/packages/cli/src/databases/entities/index.ts
@@ -12,6 +12,7 @@ import { SharedCredentials } from './SharedCredentials';
 import { SharedWorkflow } from './SharedWorkflow';
 import { TagEntity } from './TagEntity';
 import { User } from './User';
+import { Variables } from './Variables';
 import { WebhookEntity } from './WebhookEntity';
 import { WorkflowEntity } from './WorkflowEntity';
 import { WorkflowTagMapping } from './WorkflowTagMapping';
@@ -32,6 +33,7 @@ export const entities = {
 	SharedWorkflow,
 	TagEntity,
 	User,
+	Variables,
 	WebhookEntity,
 	WorkflowEntity,
 	WorkflowTagMapping,
--- a/packages/cli/src/databases/migrations/mysqldb/1677501636753-CreateVariables.ts
+++ b/packages/cli/src/databases/migrations/mysqldb/1677501636753-CreateVariables.ts
@@ -0,0 +1,33 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+import { logMigrationEnd, logMigrationStart, getTablePrefix } from '@db/utils/migrationHelpers';
+import config from '@/config';
+
+export class CreateVariables1677501636753 implements MigrationInterface {
+	name = 'CreateVariables1677501636753';
+	public async up(queryRunner: QueryRunner): Promise<void> {
+		logMigrationStart(this.name);
+		const tablePrefix = getTablePrefix();
+
+		await queryRunner.query(`
+			CREATE TABLE ${tablePrefix}variables (
+				id int(11) auto_increment NOT NULL PRIMARY KEY,
+				\`key\` VARCHAR(50) NOT NULL,
+				\`type\` VARCHAR(50) DEFAULT 'string' NOT NULL,
+				value VARCHAR(255) NULL,
+				UNIQUE (\`key\`)
+			)
+			ENGINE=InnoDB;
+		`);
+
+		logMigrationEnd(this.name);
+	}
+
+	public async down(queryRunner: QueryRunner): Promise<void> {
+		logMigrationStart(this.name);
+		const tablePrefix = getTablePrefix();
+
+		await queryRunner.query(`DROP TABLE ${tablePrefix}variables;`);
+
+		logMigrationEnd(this.name);
+	}
+}
--- a/packages/cli/src/databases/migrations/mysqldb/index.ts
+++ b/packages/cli/src/databases/migrations/mysqldb/index.ts
@@ -35,6 +35,7 @@ import { AddStatusToExecutions1674138566000 } from './1674138566000-AddStatusToE
 import { MigrateExecutionStatus1676996103000 } from './1676996103000-MigrateExecutionStatus';
 import { UpdateRunningExecutionStatus1677236788851 } from './1677236788851-UpdateRunningExecutionStatus';
 import { CreateExecutionMetadataTable1679416281779 } from './1679416281779-CreateExecutionMetadataTable';
+import { CreateVariables1677501636753 } from './1677501636753-CreateVariables';

 export const mysqlMigrations = [
 	InitialMigration1588157391238,
@@ -74,4 +75,5 @@ export const mysqlMigrations = [
 	MigrateExecutionStatus1676996103000,
 	UpdateRunningExecutionStatus1677236788851,
 	CreateExecutionMetadataTable1679416281779,
+	CreateVariables1677501636753,
 ];
--- a/packages/cli/src/databases/migrations/postgresdb/1677501636754-CreateVariables.ts
+++ b/packages/cli/src/databases/migrations/postgresdb/1677501636754-CreateVariables.ts
@@ -0,0 +1,32 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+import { logMigrationEnd, logMigrationStart, getTablePrefix } from '@db/utils/migrationHelpers';
+import config from '@/config';
+
+export class CreateVariables1677501636754 implements MigrationInterface {
+	name = 'CreateVariables1677501636754';
+	public async up(queryRunner: QueryRunner): Promise<void> {
+		logMigrationStart(this.name);
+		const tablePrefix = getTablePrefix();
+
+		await queryRunner.query(`
+			CREATE TABLE public.variables (
+				id serial4 NOT NULL PRIMARY KEY,
+				"key" varchar(50) NOT NULL,
+				"type" varchar(50) NOT NULL DEFAULT 'string',
+				value varchar(255) NULL,
+				UNIQUE ("key")
+			);
+		`);
+
+		logMigrationEnd(this.name);
+	}
+
+	public async down(queryRunner: QueryRunner): Promise<void> {
+		logMigrationStart(this.name);
+		const tablePrefix = getTablePrefix();
+
+		await queryRunner.query(`DROP TABLE ${tablePrefix}variables;`);
+
+		logMigrationEnd(this.name);
+	}
+}
--- a/packages/cli/src/databases/migrations/postgresdb/index.ts
+++ b/packages/cli/src/databases/migrations/postgresdb/index.ts
@@ -33,6 +33,7 @@ import { AddStatusToExecutions1674138566000 } from './1674138566000-AddStatusToE
 import { MigrateExecutionStatus1676996103000 } from './1676996103000-MigrateExecutionStatus';
 import { UpdateRunningExecutionStatus1677236854063 } from './1677236854063-UpdateRunningExecutionStatus';
 import { CreateExecutionMetadataTable1679416281778 } from './1679416281778-CreateExecutionMetadataTable';
+import { CreateVariables1677501636754 } from './1677501636754-CreateVariables';

 export const postgresMigrations = [
 	InitialMigration1587669153312,
@@ -70,4 +71,5 @@ export const postgresMigrations = [
 	MigrateExecutionStatus1676996103000,
 	UpdateRunningExecutionStatus1677236854063,
 	CreateExecutionMetadataTable1679416281778,
+	CreateVariables1677501636754,
 ];
--- a/packages/cli/src/databases/migrations/sqlite/1677501636752-CreateVariables.ts
+++ b/packages/cli/src/databases/migrations/sqlite/1677501636752-CreateVariables.ts
@@ -0,0 +1,32 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+import { logMigrationEnd, logMigrationStart, getTablePrefix } from '@db/utils/migrationHelpers';
+import config from '@/config';
+
+export class CreateVariables1677501636752 implements MigrationInterface {
+	name = 'CreateVariables1677501636752';
+	public async up(queryRunner: QueryRunner): Promise<void> {
+		logMigrationStart(this.name);
+		const tablePrefix = getTablePrefix();
+
+		await queryRunner.query(`
+			CREATE TABLE ${tablePrefix}variables (
+				id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
+				"key" TEXT NOT NULL,
+				"type" TEXT NOT NULL DEFAULT ('string'),
+				value TEXT,
+				UNIQUE("key")
+			);
+		`);
+
+		logMigrationEnd(this.name);
+	}
+
+	public async down(queryRunner: QueryRunner): Promise<void> {
+		logMigrationStart(this.name);
+		const tablePrefix = getTablePrefix();
+
+		await queryRunner.query(`DROP TABLE ${tablePrefix}variables;`);
+
+		logMigrationEnd(this.name);
+	}
+}
--- a/packages/cli/src/databases/migrations/sqlite/index.ts
+++ b/packages/cli/src/databases/migrations/sqlite/index.ts
@@ -32,6 +32,7 @@ import { AddStatusToExecutions1674138566000 } from './1674138566000-AddStatusToE
 import { MigrateExecutionStatus1676996103000 } from './1676996103000-MigrateExecutionStatus';
 import { UpdateRunningExecutionStatus1677237073720 } from './1677237073720-UpdateRunningExecutionStatus';
 import { CreateExecutionMetadataTable1679416281777 } from './1679416281777-CreateExecutionMetadataTable';
+import { CreateVariables1677501636752 } from './1677501636752-CreateVariables';

 const sqliteMigrations = [
 	InitialMigration1588102412422,
@@ -67,6 +68,7 @@ const sqliteMigrations = [
 	AddStatusToExecutions1674138566000,
 	MigrateExecutionStatus1676996103000,
 	UpdateRunningExecutionStatus1677237073720,
+	CreateVariables1677501636752,
 	CreateExecutionMetadataTable1679416281777,
 ];

--- a/packages/cli/src/databases/repositories/index.ts
+++ b/packages/cli/src/databases/repositories/index.ts
@@ -12,6 +12,7 @@ export { SharedCredentialsRepository } from './sharedCredentials.repository';
 export { SharedWorkflowRepository } from './sharedWorkflow.repository';
 export { TagRepository } from './tag.repository';
 export { UserRepository } from './user.repository';
+export { VariablesRepository } from './variables.repository';
 export { WebhookRepository } from './webhook.repository';
 export { WorkflowRepository } from './workflow.repository';
 export { WorkflowStatisticsRepository } from './workflowStatistics.repository';
--- a/packages/cli/src/databases/repositories/variables.repository.ts
+++ b/packages/cli/src/databases/repositories/variables.repository.ts
@@ -0,0 +1,10 @@
+import { Service } from 'typedi';
+import { DataSource, Repository } from 'typeorm';
+import { Variables } from '../entities/Variables';
+
+@Service()
+export class VariablesRepository extends Repository<Variables> {
+	constructor(dataSource: DataSource) {
+		super(Variables, dataSource.manager);
+	}
+}
--- a/packages/cli/src/environments/enviromentHelpers.ts
+++ b/packages/cli/src/environments/enviromentHelpers.ts
@@ -0,0 +1,26 @@
+import { License } from '@/License';
+import Container from 'typedi';
+
+export function isVariablesEnabled(): boolean {
+	const license = Container.get(License);
+	return license.isVariablesEnabled();
+}
+
+export function canCreateNewVariable(variableCount: number): boolean {
+	if (!isVariablesEnabled()) {
+		return false;
+	}
+	const license = Container.get(License);
+	// This defaults to -1 which is what we want if we've enabled
+	// variables via the config
+	const limit = license.getVariablesLimit();
+	if (limit === -1) {
+		return true;
+	}
+	return limit > variableCount;
+}
+
+export function getVariablesLimit(): number {
+	const license = Container.get(License);
+	return license.getVariablesLimit();
+}
--- a/packages/cli/src/environments/variables.controller.ee.ts
+++ b/packages/cli/src/environments/variables.controller.ee.ts
@@ -0,0 +1,79 @@
+import express from 'express';
+import { LoggerProxy } from 'n8n-workflow';
+
+import * as ResponseHelper from '@/ResponseHelper';
+import type { VariablesRequest } from '@/requests';
+import {
+	VariablesLicenseError,
+	EEVariablesService,
+	VariablesValidationError,
+} from './variables.service.ee';
+import { isVariablesEnabled } from './enviromentHelpers';
+
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const EEVariablesController = express.Router();
+
+/**
+ * Initialize Logger if needed
+ */
+EEVariablesController.use((req, res, next) => {
+	if (!isVariablesEnabled()) {
+		next('router');
+		return;
+	}
+
+	next();
+});
+
+EEVariablesController.post(
+	'/',
+	ResponseHelper.send(async (req: VariablesRequest.Create) => {
+		if (req.user.globalRole.name !== 'owner') {
+			LoggerProxy.info('Attempt to update a variable blocked due to lack of permissions', {
+				userId: req.user.id,
+			});
+			throw new ResponseHelper.AuthError('Unauthorized');
+		}
+		const variable = req.body;
+		delete variable.id;
+		try {
+			return await EEVariablesService.create(variable);
+		} catch (error) {
+			if (error instanceof VariablesLicenseError) {
+				throw new ResponseHelper.BadRequestError(error.message);
+			} else if (error instanceof VariablesValidationError) {
+				throw new ResponseHelper.BadRequestError(error.message);
+			}
+			throw error;
+		}
+	}),
+);
+
+EEVariablesController.patch(
+	'/:id(\\d+)',
+	ResponseHelper.send(async (req: VariablesRequest.Update) => {
+		const id = parseInt(req.params.id);
+		if (isNaN(id)) {
+			throw new ResponseHelper.BadRequestError('Invalid variable id ' + req.params.id);
+		}
+		if (req.user.globalRole.name !== 'owner') {
+			LoggerProxy.info('Attempt to update a variable blocked due to lack of permissions', {
+				id,
+				userId: req.user.id,
+			});
+			throw new ResponseHelper.AuthError('Unauthorized');
+		}
+		const variable = req.body;
+		delete variable.id;
+		try {
+			return await EEVariablesService.update(id, variable);
+		} catch (error) {
+			if (error instanceof VariablesLicenseError) {
+				throw new ResponseHelper.BadRequestError(error.message);
+			} else if (error instanceof VariablesValidationError) {
+				throw new ResponseHelper.BadRequestError(error.message);
+			}
+			throw error;
+		}
+	}),
+);
--- a/packages/cli/src/environments/variables.controller.ts
+++ b/packages/cli/src/environments/variables.controller.ts
@@ -0,0 +1,82 @@
+import express from 'express';
+import { LoggerProxy } from 'n8n-workflow';
+
+import { getLogger } from '@/Logger';
+import * as ResponseHelper from '@/ResponseHelper';
+import type { VariablesRequest } from '@/requests';
+import { VariablesService } from './variables.service';
+import { EEVariablesController } from './variables.controller.ee';
+
+export const variablesController = express.Router();
+
+variablesController.use('/', EEVariablesController);
+
+/**
+ * Initialize Logger if needed
+ */
+variablesController.use((req, res, next) => {
+	try {
+		LoggerProxy.getInstance();
+	} catch (error) {
+		LoggerProxy.init(getLogger());
+	}
+	next();
+});
+
+variablesController.use(EEVariablesController);
+
+variablesController.get(
+	'/',
+	ResponseHelper.send(async () => {
+		return VariablesService.getAll();
+	}),
+);
+
+variablesController.post(
+	'/',
+	ResponseHelper.send(async () => {
+		throw new ResponseHelper.BadRequestError('No variables license found');
+	}),
+);
+
+variablesController.get(
+	'/:id(\\d+)',
+	ResponseHelper.send(async (req: VariablesRequest.Get) => {
+		const id = parseInt(req.params.id);
+		if (isNaN(id)) {
+			throw new ResponseHelper.BadRequestError('Invalid variable id ' + req.params.id);
+		}
+		const variable = await VariablesService.get(id);
+		if (variable === null) {
+			throw new ResponseHelper.NotFoundError(`Variable with id ${req.params.id} not found`);
+		}
+		return variable;
+	}),
+);
+
+variablesController.patch(
+	'/:id(\\d+)',
+	ResponseHelper.send(async () => {
+		throw new ResponseHelper.BadRequestError('No variables license found');
+	}),
+);
+
+variablesController.delete(
+	'/:id(\\d+)',
+	ResponseHelper.send(async (req: VariablesRequest.Delete) => {
+		const id = parseInt(req.params.id);
+		if (isNaN(id)) {
+			throw new ResponseHelper.BadRequestError('Invalid variable id ' + req.params.id);
+		}
+		if (req.user.globalRole.name !== 'owner') {
+			LoggerProxy.info('Attempt to delete a variable blocked due to lack of permissions', {
+				id,
+				userId: req.user.id,
+			});
+			throw new ResponseHelper.AuthError('Unauthorized');
+		}
+		await VariablesService.delete(id);
+
+		return true;
+	}),
+);
--- a/packages/cli/src/environments/variables.service.ee.ts
+++ b/packages/cli/src/environments/variables.service.ee.ts
@@ -0,0 +1,45 @@
+import type { Variables } from '@/databases/entities/Variables';
+import { collections } from '@/Db';
+import { InternalHooks } from '@/InternalHooks';
+import Container from 'typedi';
+import { canCreateNewVariable } from './enviromentHelpers';
+import { VariablesService } from './variables.service';
+
+export class VariablesLicenseError extends Error {}
+export class VariablesValidationError extends Error {}
+
+export class EEVariablesService extends VariablesService {
+	static async getCount(): Promise<number> {
+		return collections.Variables.count();
+	}
+
+	static validateVariable(variable: Omit<Variables, 'id'>): void {
+		if (variable.key.length > 50) {
+			throw new VariablesValidationError('key cannot be longer than 50 characters');
+		}
+		if (variable.key.replace(/[A-Za-z0-9_]/g, '').length !== 0) {
+			throw new VariablesValidationError('key can only contain characters A-Za-z0-9_');
+		}
+		if (variable.value.length > 255) {
+			throw new VariablesValidationError('value cannot be longer than 255 characters');
+		}
+	}
+
+	static async create(variable: Omit<Variables, 'id'>): Promise<Variables> {
+		if (!canCreateNewVariable(await this.getCount())) {
+			throw new VariablesLicenseError('Variables limit reached');
+		}
+		this.validateVariable(variable);
+
+		void Container.get(InternalHooks).onVariableCreated({ variable_type: variable.type });
+		return collections.Variables.save(variable);
+	}
+
+	static async update(id: number, variable: Omit<Variables, 'id'>): Promise<Variables> {
+		this.validateVariable(variable);
+
+		await collections.Variables.update(id, variable);
+		// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+		return (await this.get(id))!;
+	}
+}
--- a/packages/cli/src/environments/variables.service.ts
+++ b/packages/cli/src/environments/variables.service.ts
@@ -0,0 +1,20 @@
+import type { Variables } from '@/databases/entities/Variables';
+import { collections } from '@/Db';
+
+export class VariablesService {
+	static async getAll(): Promise<Variables[]> {
+		return collections.Variables.find();
+	}
+
+	static async getCount(): Promise<number> {
+		return collections.Variables.count();
+	}
+
+	static async get(id: number): Promise<Variables | null> {
+		return collections.Variables.findOne({ where: { id } });
+	}
+
+	static async delete(id: number): Promise<void> {
+		await collections.Variables.delete(id);
+	}
+}
--- a/packages/cli/src/requests.ts
+++ b/packages/cli/src/requests.ts
@@ -16,6 +16,7 @@ import type { PublicUser, IExecutionDeleteFilter, IWorkflowDb } from '@/Interfac
 import type { Role } from '@db/entities/Role';
 import type { User } from '@db/entities/User';
 import type { UserManagementMailer } from '@/UserManagement/email';
+import type { Variables } from '@db/entities/Variables';

 export class UserUpdatePayload implements Pick<User, 'email' | 'firstName' | 'lastName'> {
 	@IsEmail()
@@ -386,3 +387,17 @@ export type BinaryDataRequest = AuthenticatedRequest<
 		mimeType?: string;
 	}
 >;
+
+// ----------------------------------
+//           /variables
+// ----------------------------------
+//
+export declare namespace VariablesRequest {
+	type CreateUpdatePayload = Omit<Variables, 'id'> & { id?: unknown };
+
+	type GetAll = AuthenticatedRequest;
+	type Get = AuthenticatedRequest<{ id: string }, {}, {}, {}>;
+	type Create = AuthenticatedRequest<{}, {}, CreateUpdatePayload, {}>;
+	type Update = AuthenticatedRequest<{ id: string }, {}, CreateUpdatePayload, {}>;
+	type Delete = Get;
+}
--- a/packages/cli/test/integration/shared/testDb.ts
+++ b/packages/cli/test/integration/shared/testDb.ts
@@ -489,6 +489,33 @@ export async function getWorkflowSharing(workflow: WorkflowEntity) {
 	});
 }

+// ----------------------------------
+//             variables
+// ----------------------------------
+
+export async function createVariable(key: string, value: string) {
+	return Db.collections.Variables.save({
+		key,
+		value,
+	});
+}
+
+export async function getVariableByKey(key: string) {
+	return Db.collections.Variables.findOne({
+		where: {
+			key,
+		},
+	});
+}
+
+export async function getVariableById(id: number) {
+	return Db.collections.Variables.findOne({
+		where: {
+			id,
+		},
+	});
+}
+
 // ----------------------------------
 //        connection options
 // ----------------------------------
--- a/packages/cli/test/integration/shared/types.d.ts
+++ b/packages/cli/test/integration/shared/types.d.ts
@@ -24,7 +24,8 @@ type EndpointGroup =
 	| 'ldap'
 	| 'saml'
 	| 'eventBus'
-	| 'license';
+	| 'license'
+	| 'variables';

 export type CredentialPayload = {
 	name: string;
--- a/packages/cli/test/integration/shared/utils.ts
+++ b/packages/cli/test/integration/shared/utils.ts
@@ -73,6 +73,7 @@ import { v4 as uuid } from 'uuid';
 import { InternalHooks } from '@/InternalHooks';
 import { LoadNodesAndCredentials } from '@/LoadNodesAndCredentials';
 import { PostHogClient } from '@/posthog';
+import { variablesController } from '@/environments/variables.controller';
 import { LdapManager } from '@/Ldap/LdapManager.ee';
 import { handleLdapInit } from '@/Ldap/helpers';
 import { Push } from '@/push';
@@ -151,6 +152,7 @@ export async function initTestServer({
 			credentials: { controller: credentialsController, path: 'credentials' },
 			workflows: { controller: workflowsController, path: 'workflows' },
 			license: { controller: licenseController, path: 'license' },
+			variables: { controller: variablesController, path: 'variables' },
 		};

 		if (enablePublicAPI) {
@@ -268,7 +270,7 @@ const classifyEndpointGroups = (endpointGroups: EndpointGroup[]) => {
 	const routerEndpoints: EndpointGroup[] = [];
 	const functionEndpoints: EndpointGroup[] = [];

-	const ROUTER_GROUP = ['credentials', 'workflows', 'publicApi', 'license'];
+	const ROUTER_GROUP = ['credentials', 'workflows', 'publicApi', 'license', 'variables'];

 	endpointGroups.forEach((group) =>
 		(ROUTER_GROUP.includes(group) ? routerEndpoints : functionEndpoints).push(group),
--- a/packages/cli/test/integration/variables.test.ts
+++ b/packages/cli/test/integration/variables.test.ts
@@ -0,0 +1,379 @@
+import type { Application } from 'express';
+
+import type { User } from '@/databases/entities/User';
+import * as testDb from './shared/testDb';
+import * as utils from './shared/utils';
+
+import type { AuthAgent } from './shared/types';
+import type { ClassLike, MockedClass } from 'jest-mock';
+import { License } from '@/License';
+
+// mock that credentialsSharing is not enabled
+let app: Application;
+let ownerUser: User;
+let memberUser: User;
+let authAgent: AuthAgent;
+let variablesSpy: jest.SpyInstance<boolean>;
+let licenseLike = {
+	isVariablesEnabled: jest.fn().mockReturnValue(true),
+	getVariablesLimit: jest.fn().mockReturnValue(-1),
+};
+
+beforeAll(async () => {
+	app = await utils.initTestServer({ endpointGroups: ['variables'] });
+
+	utils.initConfigFile();
+	utils.mockInstance(License, licenseLike);
+
+	ownerUser = await testDb.createOwner();
+	memberUser = await testDb.createUser();
+
+	authAgent = utils.createAuthAgent(app);
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Variables']);
+	licenseLike.isVariablesEnabled.mockReturnValue(true);
+	licenseLike.getVariablesLimit.mockReturnValue(-1);
+});
+
+afterAll(async () => {
+	await testDb.terminate();
+});
+
+// ----------------------------------------
+// GET /variables - fetch all variables
+// ----------------------------------------
+
+test('GET /variables should return all variables for an owner', async () => {
+	await Promise.all([
+		testDb.createVariable('test1', 'value1'),
+		testDb.createVariable('test2', 'value2'),
+	]);
+
+	const response = await authAgent(ownerUser).get('/variables');
+	expect(response.statusCode).toBe(200);
+	expect(response.body.data.length).toBe(2);
+});
+
+test('GET /variables should return all variables for a member', async () => {
+	await Promise.all([
+		testDb.createVariable('test1', 'value1'),
+		testDb.createVariable('test2', 'value2'),
+	]);
+
+	const response = await authAgent(memberUser).get('/variables');
+	expect(response.statusCode).toBe(200);
+	expect(response.body.data.length).toBe(2);
+});
+
+// ----------------------------------------
+// GET /variables/:id - get a single variable
+// ----------------------------------------
+
+test('GET /variables/:id should return a single variable for an owner', async () => {
+	const [var1, var2] = await Promise.all([
+		testDb.createVariable('test1', 'value1'),
+		testDb.createVariable('test2', 'value2'),
+	]);
+
+	const response1 = await authAgent(ownerUser).get(`/variables/${var1.id}`);
+	expect(response1.statusCode).toBe(200);
+	expect(response1.body.data.key).toBe('test1');
+
+	const response2 = await authAgent(ownerUser).get(`/variables/${var2.id}`);
+	expect(response2.statusCode).toBe(200);
+	expect(response2.body.data.key).toBe('test2');
+});
+
+test('GET /variables/:id should return a single variable for a member', async () => {
+	const [var1, var2] = await Promise.all([
+		testDb.createVariable('test1', 'value1'),
+		testDb.createVariable('test2', 'value2'),
+	]);
+
+	const response1 = await authAgent(memberUser).get(`/variables/${var1.id}`);
+	expect(response1.statusCode).toBe(200);
+	expect(response1.body.data.key).toBe('test1');
+
+	const response2 = await authAgent(memberUser).get(`/variables/${var2.id}`);
+	expect(response2.statusCode).toBe(200);
+	expect(response2.body.data.key).toBe('test2');
+});
+
+// ----------------------------------------
+// POST /variables - create a new variable
+// ----------------------------------------
+
+test('POST /variables should create a new credential and return it for an owner', async () => {
+	const toCreate = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(200);
+	expect(response.body.data.key).toBe(toCreate.key);
+	expect(response.body.data.value).toBe(toCreate.value);
+
+	const [byId, byKey] = await Promise.all([
+		testDb.getVariableById(response.body.data.id),
+		testDb.getVariableByKey(toCreate.key),
+	]);
+
+	expect(byId).not.toBeNull();
+	expect(byId!.key).toBe(toCreate.key);
+	expect(byId!.value).toBe(toCreate.value);
+
+	expect(byKey).not.toBeNull();
+	expect(byKey!.id).toBe(response.body.data.id);
+	expect(byKey!.value).toBe(toCreate.value);
+});
+
+test('POST /variables should not create a new credential and return it for a member', async () => {
+	const toCreate = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	const response = await authAgent(memberUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(401);
+	expect(response.body.data?.key).not.toBe(toCreate.key);
+	expect(response.body.data?.value).not.toBe(toCreate.value);
+
+	const byKey = await testDb.getVariableByKey(toCreate.key);
+	expect(byKey).toBeNull();
+});
+
+test("POST /variables should not create a new credential and return it if the instance doesn't have a license", async () => {
+	licenseLike.isVariablesEnabled.mockReturnValue(false);
+	const toCreate = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(400);
+	expect(response.body.data?.key).not.toBe(toCreate.key);
+	expect(response.body.data?.value).not.toBe(toCreate.value);
+
+	const byKey = await testDb.getVariableByKey(toCreate.key);
+	expect(byKey).toBeNull();
+});
+
+test('POST /variables should fail to create a new credential and if one with the same key exists', async () => {
+	const toCreate = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	await testDb.createVariable(toCreate.key, toCreate.value);
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(500);
+	expect(response.body.data?.key).not.toBe(toCreate.key);
+	expect(response.body.data?.value).not.toBe(toCreate.value);
+});
+
+test('POST /variables should not fail if variable limit not reached', async () => {
+	licenseLike.getVariablesLimit.mockReturnValue(5);
+	let i = 1;
+	let toCreate = {
+		key: `create${i}`,
+		value: `createvalue${i}`,
+	};
+	while (i < 3) {
+		await testDb.createVariable(toCreate.key, toCreate.value);
+		i++;
+		toCreate = {
+			key: `create${i}`,
+			value: `createvalue${i}`,
+		};
+	}
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(200);
+	expect(response.body.data?.key).toBe(toCreate.key);
+	expect(response.body.data?.value).toBe(toCreate.value);
+});
+
+test('POST /variables should fail if variable limit reached', async () => {
+	licenseLike.getVariablesLimit.mockReturnValue(5);
+	let i = 1;
+	let toCreate = {
+		key: `create${i}`,
+		value: `createvalue${i}`,
+	};
+	while (i < 6) {
+		await testDb.createVariable(toCreate.key, toCreate.value);
+		i++;
+		toCreate = {
+			key: `create${i}`,
+			value: `createvalue${i}`,
+		};
+	}
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(400);
+	expect(response.body.data?.key).not.toBe(toCreate.key);
+	expect(response.body.data?.value).not.toBe(toCreate.value);
+});
+
+test('POST /variables should fail if key too long', async () => {
+	const toCreate = {
+		// 51 'a's
+		key: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+		value: 'value',
+	};
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(400);
+	expect(response.body.data?.key).not.toBe(toCreate.key);
+	expect(response.body.data?.value).not.toBe(toCreate.value);
+});
+
+test('POST /variables should fail if value too long', async () => {
+	const toCreate = {
+		key: 'key',
+		// 256 'a's
+		value:
+			'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+	};
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(400);
+	expect(response.body.data?.key).not.toBe(toCreate.key);
+	expect(response.body.data?.value).not.toBe(toCreate.value);
+});
+
+test("POST /variables should fail if key contain's prohibited characters", async () => {
+	const toCreate = {
+		// 51 'a's
+		key: 'te$t',
+		value: 'value',
+	};
+	const response = await authAgent(ownerUser).post('/variables').send(toCreate);
+	expect(response.statusCode).toBe(400);
+	expect(response.body.data?.key).not.toBe(toCreate.key);
+	expect(response.body.data?.value).not.toBe(toCreate.value);
+});
+
+// ----------------------------------------
+// PATCH /variables/:id - change a variable
+// ----------------------------------------
+
+test('PATCH /variables/:id should modify existing credential if use is an owner', async () => {
+	const variable = await testDb.createVariable('test1', 'value1');
+	const toModify = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	const response = await authAgent(ownerUser).patch(`/variables/${variable.id}`).send(toModify);
+	expect(response.statusCode).toBe(200);
+	expect(response.body.data.key).toBe(toModify.key);
+	expect(response.body.data.value).toBe(toModify.value);
+
+	const [byId, byKey] = await Promise.all([
+		testDb.getVariableById(response.body.data.id),
+		testDb.getVariableByKey(toModify.key),
+	]);
+
+	expect(byId).not.toBeNull();
+	expect(byId!.key).toBe(toModify.key);
+	expect(byId!.value).toBe(toModify.value);
+
+	expect(byKey).not.toBeNull();
+	expect(byKey!.id).toBe(response.body.data.id);
+	expect(byKey!.value).toBe(toModify.value);
+});
+
+test('PATCH /variables/:id should modify existing credential if use is an owner', async () => {
+	const variable = await testDb.createVariable('test1', 'value1');
+	const toModify = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	const response = await authAgent(ownerUser).patch(`/variables/${variable.id}`).send(toModify);
+	expect(response.statusCode).toBe(200);
+	expect(response.body.data.key).toBe(toModify.key);
+	expect(response.body.data.value).toBe(toModify.value);
+
+	const [byId, byKey] = await Promise.all([
+		testDb.getVariableById(response.body.data.id),
+		testDb.getVariableByKey(toModify.key),
+	]);
+
+	expect(byId).not.toBeNull();
+	expect(byId!.key).toBe(toModify.key);
+	expect(byId!.value).toBe(toModify.value);
+
+	expect(byKey).not.toBeNull();
+	expect(byKey!.id).toBe(response.body.data.id);
+	expect(byKey!.value).toBe(toModify.value);
+});
+
+test('PATCH /variables/:id should not modify existing credential if use is a member', async () => {
+	const variable = await testDb.createVariable('test1', 'value1');
+	const toModify = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	const response = await authAgent(memberUser).patch(`/variables/${variable.id}`).send(toModify);
+	expect(response.statusCode).toBe(401);
+	expect(response.body.data?.key).not.toBe(toModify.key);
+	expect(response.body.data?.value).not.toBe(toModify.value);
+
+	const byId = await testDb.getVariableById(variable.id);
+	expect(byId).not.toBeNull();
+	expect(byId!.key).not.toBe(toModify.key);
+	expect(byId!.value).not.toBe(toModify.value);
+});
+
+test('PATCH /variables/:id should not modify existing credential if one with the same key exists', async () => {
+	const toModify = {
+		key: 'create1',
+		value: 'createvalue1',
+	};
+	const [var1, var2] = await Promise.all([
+		testDb.createVariable('test1', 'value1'),
+		testDb.createVariable(toModify.key, toModify.value),
+	]);
+	const response = await authAgent(ownerUser).patch(`/variables/${var1.id}`).send(toModify);
+	expect(response.statusCode).toBe(500);
+	expect(response.body.data?.key).not.toBe(toModify.key);
+	expect(response.body.data?.value).not.toBe(toModify.value);
+
+	const byId = await testDb.getVariableById(var1.id);
+	expect(byId).not.toBeNull();
+	expect(byId!.key).toBe(var1.key);
+	expect(byId!.value).toBe(var1.value);
+});
+
+// ----------------------------------------
+// DELETE /variables/:id - change a variable
+// ----------------------------------------
+
+test('DELETE /variables/:id should delete a single credential for an owner', async () => {
+	const [var1, var2, var3] = await Promise.all([
+		testDb.createVariable('test1', 'value1'),
+		testDb.createVariable('test2', 'value2'),
+		testDb.createVariable('test3', 'value3'),
+	]);
+
+	const delResponse = await authAgent(ownerUser).delete(`/variables/${var1.id}`);
+	expect(delResponse.statusCode).toBe(200);
+
+	const byId = await testDb.getVariableById(var1.id);
+	expect(byId).toBeNull();
+
+	const getResponse = await authAgent(ownerUser).get('/variables');
+	expect(getResponse.body.data.length).toBe(2);
+});
+
+test('DELETE /variables/:id should not delete a single credential for a member', async () => {
+	const [var1, var2, var3] = await Promise.all([
+		testDb.createVariable('test1', 'value1'),
+		testDb.createVariable('test2', 'value2'),
+		testDb.createVariable('test3', 'value3'),
+	]);
+
+	const delResponse = await authAgent(memberUser).delete(`/variables/${var1.id}`);
+	expect(delResponse.statusCode).toBe(401);
+
+	const byId = await testDb.getVariableById(var1.id);
+	expect(byId).not.toBeNull();
+
+	const getResponse = await authAgent(memberUser).get('/variables');
+	expect(getResponse.body.data.length).toBe(3);
+});
--- a/packages/cli/test/unit/ActiveWorkflowRunner.test.ts
+++ b/packages/cli/test/unit/ActiveWorkflowRunner.test.ts
@@ -121,6 +121,9 @@ jest.mock('@/Db', () => {
 				clear: jest.fn(),
 				delete: jest.fn(),
 			},
+			Variables: {
+				find: jest.fn(() => []),
+			},
 		},
 	};
 });