feat(cli): User Management and Credentials sharing (#3602)

* 🎉 starting feature development

* ✨ sharing/unsharing a credential (#3601)

* 🎉 initial design

* ✨ sharing/unsharing of credentials

* ✅ add tests for EE credentials controller

* 💪 implement review comments

* 🛠 refactor agent creation and credential role locking

* 👕 linting adjustments (#3691)

* 👕 Adjust rule `naming-convention`

* 👕 Fix `naming-convention` config value

* 👕 Disregard casing for EE-prefixed vars

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>

* 🛠 refactor authAgents in tests (#3725)

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 🛠 refactor authAgent

* 👕 fix ts issue

* 🐘 add migration for mysql and postgres + add AuthAgent type

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>

* ⚡️ refactor existing credentials routes (#3672)

* 🎉 initial design

* ✨ sharing/unsharing of credentials

* ♻️ split credential update route into controller and service

* 🔥 remove credentials test that is no longer applicable

* ♻️ split credential creation route into controller and service

* ♻️ split single credential get

* ♻️ split delete credentials route

* ♻️ split get all credentials route

* 🔥 remove unused imports in credentials contoller

* 🔥 remove console.log

* :refactor: changes to credentials controller and service from review

 - removed credentials from service function names
 - made relations list optional
 - put allowGlobalOwner in options objects
 - check length of relations array so join doesn't happen if empty
 - update some comments to further explain rationale
 - remove unneeded `Object.assign`
 - remove non-null assertion from test

* ♻️ move filtered credentials selected fields to variable

* ♻️ remove unneeded merges in credentials service

Co-authored-by: Ben Hesseldieck <b.hesseldieck@gmail.com>
Co-authored-by: Ben Hesseldieck <1849459+BHesseldieck@users.noreply.github.com>

* ✅ fix test

* 🐛 fix imports

* 👕 fix lint issue

* User Management: switch over to decorators to define routes (#3827)

* Add permissions details to credentials for User Management (#3863)

* ⚡ Open `GET /users`

* ⚡ Add permissions to cred service

* 🚚 Rename method

* ⚡ Refactor cred controller

* 🧪 Adjust test

* ✏️ Improve comment

* ✏️ Improve another comment

* ⚡ Account for multiple sharings

* 🐛 Fix access when user is editor

* 📘 Expand interface

* 📘 Relocate types

* 📘 Exempt cred entity with service-injected fields

* 📘 Adjust interface

* ♻️ Add permissions only in `GET /credentials`

* 🧪 Add expectations for `ownedBy`

* 🧪 Add sharing details test

* 🧪 Make `ownedBy` checks more granular

* 📘 Adjust interface

* 🚚 Rename cred getter

* ♻️ Refactor cred getter

* 🧪 Expand tests

* ♻️ Refactor to use guard

* 👕 Remove unneeded lint exception

* 🔥 Remove unneeded relation

* 🚚 Move relation to `GET /credentials/:id`

* 📘 Consolidate typings

* 🎨 Add multiline for readability

* 🔥 Remove unneeded type

* ✏️ Clarity comment

* ✏️ Make comments consistent

* 👕 Add exception to fix build

* 👕 Add more lint exceptions to fix build

* 🐛 Check for non-owner

* 📘 Improve typings

* 🧪 Temporarily skip tests

* 🔥 Remove `@ts-ignore`

* 👕 Move lint exceptions

* ♻️ Refactor cred service and controller

* ⚡ Simplify check

* ✏️ adjust naming to experimental

* ⚡️ add credentialsSharing flag to settings

* 🛠 add helper to check if UM is also enabled as dependency for CredentialsSharing

* 👕 fix lint error

* 🐘 change name of credential role

* 🚧 WIP batch sharing

* 🚧 WIP use put for sharing

* ✅ add tests for batch sharing, 🛠 implement review suggestions

* ✅ expand credential sharing tests for User Management (#3931)

* 🧪 Expand cred sharing tests

* ⚡ Add recently added flags

* ✅ fix and adjust tests for /credentials

Co-authored-by: Ben Hesseldieck <b.hesseldieck@gmail.com>

* ✨ User management v2 Front End (#3795)

* feat: Added responsive generic page view layout.

* feat: Added empty state.

* feat: Added credentials view empty state.

* test: Added unit tests for N8nActionBox

* feat: Added credentials list initial design.

* feat: Added credential actions. Started working on filters.

* feat: Updated InfoTip markup, added tests and changed stories to typescript.

* feat: Added credentials filtering by type. Added support for apply/reset filters.

* feat: Added credential sharing user select and user list. Added paywall component.

* feat: Updated credentials view permissions.

* feat: Added support for temporary sharing config for unsaved credentials.

* test: Fixed broken snapshots.

* feat: Added overflow styles to page-view-layout list.

* feat: Handled sharee specific views.

* feat: Integration between FE and BE to support real-world credential sharing scenario.

* feat: Added front end permissions table.

* feat: Refactored credential sharing flow. Updated design elements.

* feat: Added margin and padding auto spacer utilities.

* feat: Rehauled permissions to support instanceOwner role and action inheritance.

* feat: Updated credentials view to apply filters automatically.

* feat: Removed apply filters button and added active button state.

* test: Updated component snapshots.

* refactor: Renamed ResourceSharee to ResourceReader.

* feat: Credential sharing error handling, permissions improvement.

* feat: Updated permissions and error handling.

* chore: Removed console.log.

* 🛠 refactor enabling of credentialsSharing

* feat: Removed owner menu selector from credentials when sharing is disabled.

* refactor: Moved EE features into ee store module file.

* 🛠 add sharing info to GET credentials/:id

* fix: Fixed initial credential data loading for sharing.

* chore: Removed console.log.

* 🐛 owner can fetch any credential

* 🛠 refactor users test

* 👕 fix build type issue

* fix: Removed owner tag when credential sharing is disabled. Fixed small reactivity issue.

* chore: Removed console.log.

* 🚧 separate fetching credentials between EE and open

* fix: Fixed empty dropdown in users list.

* fix: Fixed error message and initialization when credential gets unshared.

* ✅ add tests for fetching single credential

* Revert decorators based controllers

* ⚡️ adjust credentials test route to also allow testing for sharees (#3999)

* ⚡️ pull data if user is sharee

* fix: Removed sharedWith and ownedBy from credentialData on testing credentials.

Co-authored-by: Alex Grozav <alex@grozav.com>

* 📈 add BE analytics

* 💪 improve credential test

* ⚡️ adjust tracking properties

* ⚡️ removed roles from tracking

* 🐛 fix build by removing imports

* 🐛 fix missed merge conflict

* feat: User management P2 Front End bug bash and improvements (#4014)

* fix: Fixed type select size after reopening dropdown.

* fix: Fixed template cards.

* fix: Fixed card content size and copy input.

* fix: Fixed horizontal overflow.

* fix: Hiding el-tags scrollbar in select.

* fix: Added fallback credential icon. Added oAuth credential owner check.

* feat: Added disabled state to user select.

* feat: Added fallback scenario for non-existent credential types.

* feat: Adjusted credentials empty state to show that there are shared credentials.

* fix: Fixed time title.

* feat: Added actionable empty state when shared credentials are present.

* fix: Made action box x padding smaller

* feat: Repositioned owner tag for credential card.

* feat: Updated message box styling to use n8n css variables.

* feat: Added confirmation for deleting sharee.

* fix: Fixed deleted credential types. Fixed select in dropdown bug.

* fix: Various code improvements. Addressed PR review comments.

* fix: Fixed credential deletion errors.

* fix: Various code quality improvements.

* feat: N8N-4531 update cloud coming soon features (#4025)

* feat: Showing different upcoming feature messages and format for cloud.

* fix: Changed url format.

* fix: Updated how cloud deployment is determined.

* feat: N8N-4527 implementing credential sharing FE telemetry (#4023)

* feat: Added credential sharing telemetry.

* chore: Renamed computed function for consistency.

* refactor: Simplified subview telemetry sending.

* fix: Changed to callDebounced() helper.

* 📧 update email text

* fix: Adjusted feature coming soon margin.

* chore: Fixed type and line height for delete sharee confirmation modal.

* refactor(editor-ui): Update telemetry (#4040)

* 🔥 Remove `identify` from BE

* ⚡ Add `versionCli`

* ⚡ Add node creator ignore input

* ⚡ Move obfuscators to editor-ui

* ⚡ Refactor `ph-no-capture`

* ⚡ Pass `user_id` to manual exec props

* 🚚 Relocate class in `SettingsApiView`

* ⚡ Add `userId` to BE PH `identify` call

* ⏪ Revert "⚡ Add `userId` to BE PH `identify` call"

This reverts commit 895aaa45e51506d5dbdcbdabe249a2c743d8e468.

* Revert "⏪ Revert "⚡ Add `userId` to BE PH `identify` call""

This reverts commit b86a098c202155742c927c88c04c971a5d34dce5.

* 🐛 Fix `Promise` handling in `track()` call

* ⏪ Restore `Db.collections` call

* ⚡ Set up PH payload to mirror RS

* 🔥 Remove excess `userId`

* 📘 Remove `userId` from interface

* 🔥 Remove unused ref and method

* fix: Fixed bug causing instanceOwner to become credential owner on update. (#4079)

* 🐛 fix test for credential shared with member

* 👕 fix lint issues

* delete conflicting migration. this data is already seeded in CreateUserManagement

* feat: Expand obfuscation to User Management credential sharing (#4070)

⚡ Expand obfuscation

* feat: Added credential sharing infotip for instance owner.

* bring back the migration. add a check to avoid conflicts on inserts

* fix(cli): use a non-env config flag to detect of enterprise features are enabled (#4105)

* chore: Changed ampersand to and in translation.

* refactor(telemetry): Obfuscate code and JSON editors (#4118)

⚡ Obfuscate code and JSON editors

* feat(editor): improve design and functionality of coming soon features (#4116)

* feat: Improved coming soon feature design and functionality.

* style: Removed empty line.

* chore: Removed unused translation.

* fix: fix telemetry for credential creates and updates (#4125)

fix telemetry for credential creates and updates

* feat: Display errors due to missing credentials in the correct node (#4124)

feat: Display errors due to invalid credentials in the correct node when missing permissions

* fix: remove duplicate header for coming soon features in cloud deployment

* telemetry: fix the payload for `User viewed credential tab`

* telemetry: add credential_id to 'User selected credential from node modal'

* feat: update empty states for coming soon features

* Update ActionBox.spec.ts.snap

* replace UserSharingsDetails with a subset of User properties

* rename the CreateCredentialsEditorRole to CreateCredentialsUserRole

* move IUser to the workflow package

* use IUser in the frontend as well

Co-authored-by: Iván Ovejero <ivov.src@gmail.com>
Co-authored-by: Valya <68596159+valya@users.noreply.github.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <netroy@users.noreply.github.com>
Co-authored-by: Alex Grozav <alex@grozav.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
Co-authored-by: Omar Ajoue <krynble@gmail.com>

packages/cli/src/credentials/oauth2Credential.api.ts

@@ -0,0 +1,346 @@
+/* eslint-disable import/no-cycle */
+import ClientOAuth2 from 'client-oauth2';
+import Csrf from 'csrf';
+import express from 'express';
+import get from 'lodash.get';
+import omit from 'lodash.omit';
+import set from 'lodash.set';
+import split from 'lodash.split';
+import unset from 'lodash.unset';
+import { Credentials, UserSettings } from 'n8n-core';
+import {
+	LoggerProxy,
+	WorkflowExecuteMode,
+	INodeCredentialsDetails,
+	ICredentialsEncrypted,
+	IDataObject,
+} from 'n8n-workflow';
+import { resolve as pathResolve } from 'path';
+import querystring from 'querystring';
+
+import { Db, ICredentialsDb, ResponseHelper } from '..';
+import { RESPONSE_ERROR_MESSAGES } from '../constants';
+import {
+	CredentialsHelper,
+	getCredentialForUser,
+	getCredentialWithoutUser,
+} from '../CredentialsHelper';
+import { getLogger } from '../Logger';
+import { OAuthRequest } from '../requests';
+import { externalHooks } from '../Server';
+import config from '../../config';
+import { getInstanceBaseUrl } from '../UserManagement/UserManagementHelper';
+
+export const oauth2CredentialController = express.Router();
+
+/**
+ * Initialize Logger if needed
+ */
+oauth2CredentialController.use((req, res, next) => {
+	try {
+		LoggerProxy.getInstance();
+	} catch (error) {
+		LoggerProxy.init(getLogger());
+	}
+	next();
+});
+
+const restEndpoint = config.getEnv('endpoints.rest');
+
+/**
+ * GET /oauth2-credential/auth
+ *
+ * Authorize OAuth Data
+ */
+oauth2CredentialController.get(
+	'/auth',
+	ResponseHelper.send(async (req: OAuthRequest.OAuth1Credential.Auth): Promise<string> => {
+		const { id: credentialId } = req.query;
+
+		if (!credentialId) {
+			throw new ResponseHelper.ResponseError('Required credential ID is missing', undefined, 400);
+		}
+
+		const credential = await getCredentialForUser(credentialId, req.user);
+
+		if (!credential) {
+			LoggerProxy.error('Failed to authorize OAuth2 due to lack of permissions', {
+				userId: req.user.id,
+				credentialId,
+			});
+			throw new ResponseHelper.ResponseError(RESPONSE_ERROR_MESSAGES.NO_CREDENTIAL, undefined, 404);
+		}
+
+		let encryptionKey: string;
+		try {
+			encryptionKey = await UserSettings.getEncryptionKey();
+		} catch (error) {
+			throw new ResponseHelper.ResponseError((error as Error).message, undefined, 500);
+		}
+
+		const mode: WorkflowExecuteMode = 'internal';
+		const timezone = config.getEnv('generic.timezone');
+		const credentialsHelper = new CredentialsHelper(encryptionKey);
+		const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+			credential as INodeCredentialsDetails,
+			(credential as unknown as ICredentialsEncrypted).type,
+			mode,
+			timezone,
+			true,
+		);
+
+		const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+			decryptedDataOriginal,
+			(credential as unknown as ICredentialsEncrypted).type,
+			mode,
+			timezone,
+		);
+
+		const token = new Csrf();
+		// Generate a CSRF prevention token and send it as a OAuth2 state stringma/ERR
+		const csrfSecret = token.secretSync();
+		const state = {
+			token: token.create(csrfSecret),
+			cid: req.query.id,
+		};
+		const stateEncodedStr = Buffer.from(JSON.stringify(state)).toString('base64');
+
+		const oAuthOptions: ClientOAuth2.Options = {
+			clientId: get(oauthCredentials, 'clientId') as string,
+			clientSecret: get(oauthCredentials, 'clientSecret', '') as string,
+			accessTokenUri: get(oauthCredentials, 'accessTokenUrl', '') as string,
+			authorizationUri: get(oauthCredentials, 'authUrl', '') as string,
+			redirectUri: `${getInstanceBaseUrl()}/${restEndpoint}/oauth2-credential/callback`,
+			scopes: split(get(oauthCredentials, 'scope', 'openid,') as string, ','),
+			state: stateEncodedStr,
+		};
+
+		await externalHooks.run('oauth2.authenticate', [oAuthOptions]);
+
+		const oAuthObj = new ClientOAuth2(oAuthOptions);
+
+		// Encrypt the data
+		const credentials = new Credentials(
+			credential as INodeCredentialsDetails,
+			(credential as unknown as ICredentialsEncrypted).type,
+			(credential as unknown as ICredentialsEncrypted).nodesAccess,
+		);
+		decryptedDataOriginal.csrfSecret = csrfSecret;
+
+		credentials.setData(decryptedDataOriginal, encryptionKey);
+		const newCredentialsData = credentials.getDataToSave() as unknown as ICredentialsDb;
+
+		// Add special database related data
+		newCredentialsData.updatedAt = new Date();
+
+		// Update the credentials in DB
+		await Db.collections.Credentials.update(req.query.id, newCredentialsData);
+
+		const authQueryParameters = get(oauthCredentials, 'authQueryParameters', '') as string;
+		let returnUri = oAuthObj.code.getUri();
+
+		// if scope uses comma, change it as the library always return then with spaces
+		if ((get(oauthCredentials, 'scope') as string).includes(',')) {
+			const data = querystring.parse(returnUri.split('?')[1]);
+			data.scope = get(oauthCredentials, 'scope') as string;
+			returnUri = `${get(oauthCredentials, 'authUrl', '') as string}?${querystring.stringify(
+				data,
+			)}`;
+		}
+
+		if (authQueryParameters) {
+			returnUri += `&${authQueryParameters}`;
+		}
+
+		LoggerProxy.verbose('OAuth2 authentication successful for new credential', {
+			userId: req.user.id,
+			credentialId,
+		});
+		return returnUri;
+	}),
+);
+
+/**
+ * GET /oauth2-credential/callback
+ *
+ * Verify and store app code. Generate access tokens and store for respective credential.
+ */
+
+oauth2CredentialController.get(
+	'/callback',
+	async (req: OAuthRequest.OAuth2Credential.Callback, res: express.Response) => {
+		try {
+			// realmId it's currently just use for the quickbook OAuth2 flow
+			const { code, state: stateEncoded } = req.query;
+
+			if (!code || !stateEncoded) {
+				const errorResponse = new ResponseHelper.ResponseError(
+					`Insufficient parameters for OAuth2 callback. Received following query parameters: ${JSON.stringify(
+						req.query,
+					)}`,
+					undefined,
+					503,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			let state;
+			try {
+				state = JSON.parse(Buffer.from(stateEncoded, 'base64').toString()) as {
+					cid: string;
+					token: string;
+				};
+			} catch (error) {
+				const errorResponse = new ResponseHelper.ResponseError(
+					'Invalid state format returned',
+					undefined,
+					503,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			const credential = await getCredentialWithoutUser(state.cid);
+
+			if (!credential) {
+				LoggerProxy.error('OAuth2 callback failed because of insufficient permissions', {
+					userId: req.user?.id,
+					credentialId: state.cid,
+				});
+				const errorResponse = new ResponseHelper.ResponseError(
+					RESPONSE_ERROR_MESSAGES.NO_CREDENTIAL,
+					undefined,
+					404,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			let encryptionKey: string;
+			try {
+				encryptionKey = await UserSettings.getEncryptionKey();
+			} catch (error) {
+				throw new ResponseHelper.ResponseError(
+					(error as IDataObject).message as string,
+					undefined,
+					500,
+				);
+			}
+
+			const mode: WorkflowExecuteMode = 'internal';
+			const timezone = config.getEnv('generic.timezone');
+			const credentialsHelper = new CredentialsHelper(encryptionKey);
+			const decryptedDataOriginal = await credentialsHelper.getDecrypted(
+				credential as INodeCredentialsDetails,
+				(credential as unknown as ICredentialsEncrypted).type,
+				mode,
+				timezone,
+				true,
+			);
+			const oauthCredentials = credentialsHelper.applyDefaultsAndOverwrites(
+				decryptedDataOriginal,
+				(credential as unknown as ICredentialsEncrypted).type,
+				mode,
+				timezone,
+			);
+
+			const token = new Csrf();
+			if (
+				decryptedDataOriginal.csrfSecret === undefined ||
+				!token.verify(decryptedDataOriginal.csrfSecret as string, state.token)
+			) {
+				LoggerProxy.debug('OAuth2 callback state is invalid', {
+					userId: req.user?.id,
+					credentialId: state.cid,
+				});
+				const errorResponse = new ResponseHelper.ResponseError(
+					'The OAuth2 callback state is invalid!',
+					undefined,
+					404,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			let options = {};
+
+			const oAuth2Parameters = {
+				clientId: get(oauthCredentials, 'clientId') as string,
+				clientSecret: get(oauthCredentials, 'clientSecret', '') as string | undefined,
+				accessTokenUri: get(oauthCredentials, 'accessTokenUrl', '') as string,
+				authorizationUri: get(oauthCredentials, 'authUrl', '') as string,
+				redirectUri: `${getInstanceBaseUrl()}/${restEndpoint}/oauth2-credential/callback`,
+				scopes: split(get(oauthCredentials, 'scope', 'openid,') as string, ','),
+			};
+
+			if ((get(oauthCredentials, 'authentication', 'header') as string) === 'body') {
+				options = {
+					body: {
+						client_id: get(oauthCredentials, 'clientId') as string,
+						client_secret: get(oauthCredentials, 'clientSecret', '') as string,
+					},
+				};
+				delete oAuth2Parameters.clientSecret;
+			}
+
+			await externalHooks.run('oauth2.callback', [oAuth2Parameters]);
+
+			const oAuthObj = new ClientOAuth2(oAuth2Parameters);
+
+			const queryParameters = req.originalUrl.split('?').splice(1, 1).join('');
+
+			const oauthToken = await oAuthObj.code.getToken(
+				`${oAuth2Parameters.redirectUri}?${queryParameters}`,
+				options,
+			);
+
+			if (Object.keys(req.query).length > 2) {
+				set(oauthToken.data, 'callbackQueryString', omit(req.query, 'state', 'code'));
+			}
+
+			if (oauthToken === undefined) {
+				LoggerProxy.error('OAuth2 callback failed: unable to get access tokens', {
+					userId: req.user?.id,
+					credentialId: state.cid,
+				});
+				const errorResponse = new ResponseHelper.ResponseError(
+					'Unable to get access tokens!',
+					undefined,
+					404,
+				);
+				return ResponseHelper.sendErrorResponse(res, errorResponse);
+			}
+
+			if (decryptedDataOriginal.oauthTokenData) {
+				// Only overwrite supplied data as some providers do for example just return the
+				// refresh_token on the very first request and not on subsequent ones.
+				Object.assign(decryptedDataOriginal.oauthTokenData, oauthToken.data);
+			} else {
+				// No data exists so simply set
+				decryptedDataOriginal.oauthTokenData = oauthToken.data;
+			}
+
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-call
+			unset(decryptedDataOriginal, 'csrfSecret');
+
+			const credentials = new Credentials(
+				credential as INodeCredentialsDetails,
+				(credential as unknown as ICredentialsEncrypted).type,
+				(credential as unknown as ICredentialsEncrypted).nodesAccess,
+			);
+			credentials.setData(decryptedDataOriginal, encryptionKey);
+			const newCredentialsData = credentials.getDataToSave() as unknown as ICredentialsDb;
+			// Add special database related data
+			newCredentialsData.updatedAt = new Date();
+			// Save the credentials in DB
+			await Db.collections.Credentials.update(state.cid, newCredentialsData);
+			LoggerProxy.verbose('OAuth2 callback successful for new credential', {
+				userId: req.user?.id,
+				credentialId: state.cid,
+			});
+
+			return res.sendFile(pathResolve(__dirname, '../../../templates/oauth-callback.html'));
+		} catch (error) {
+			// Error response
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+			return ResponseHelper.sendErrorResponse(res, error);
+		}
+	},
+);