fix(core): Redact csrfSecret when returning oauth credentials to the frontend (#10075)

packages/cli/src/credentials/__tests__/credentials.service.test.ts

@@ -0,0 +1,70 @@
+import { CREDENTIAL_EMPTY_VALUE, type ICredentialType } from 'n8n-workflow';
+import { mock } from 'jest-mock-extended';
+import { CREDENTIAL_BLANKING_VALUE } from '@/constants';
+import type { CredentialsEntity } from '@db/entities/CredentialsEntity';
+import type { CredentialTypes } from '@/CredentialTypes';
+import { CredentialsService } from '../credentials.service';
+
+describe('CredentialsService', () => {
+	const credType = mock<ICredentialType>({
+		extends: [],
+		properties: [
+			{
+				name: 'clientSecret',
+				type: 'string',
+				typeOptions: { password: true },
+				doNotInherit: false,
+			},
+			{
+				name: 'accessToken',
+				type: 'string',
+				typeOptions: { password: true },
+				doNotInherit: false,
+			},
+		],
+	});
+	const credentialTypes = mock<CredentialTypes>();
+	const service = new CredentialsService(
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+		credentialTypes,
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+	);
+
+	describe('redact', () => {
+		it('should redact sensitive values', () => {
+			const credential = mock<CredentialsEntity>({
+				id: '123',
+				name: 'Test Credential',
+				type: 'oauth2',
+			});
+
+			const decryptedData = {
+				clientId: 'abc123',
+				clientSecret: 'sensitiveSecret',
+				accessToken: '',
+				oauthTokenData: 'super-secret',
+				csrfSecret: 'super-secret',
+			};
+
+			credentialTypes.getByName.calledWith(credential.type).mockReturnValue(credType);
+
+			const redactedData = service.redact(decryptedData, credential);
+
+			expect(redactedData).toEqual({
+				clientId: 'abc123',
+				clientSecret: CREDENTIAL_BLANKING_VALUE,
+				accessToken: CREDENTIAL_EMPTY_VALUE,
+				oauthTokenData: CREDENTIAL_BLANKING_VALUE,
+				csrfSecret: CREDENTIAL_BLANKING_VALUE,
+			});
+		});
+	});
+});