From c66929f53d87035160ad099873d73cea3fff4d2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?= =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?= =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
Date: Thu, 27 Oct 2022 17:39:59 +0200
Subject: [PATCH] fix(API): do not reset the auth cookie on every request to `GET /login` (#4459)
The cookie and the JWT refresh is already handled in `refreshExpiringCookie` middleware, which only updates the cookie 3 days before the expiration. The middleware also uses `issueCookie`, which ensures that attributes like `sameSite` and `httpOnly` are correctly set on the cookie.
---
 packages/cli/src/UserManagement/routes/auth.ts | 5 -----
 packages/cli/test/integration/auth.api.test.ts | 7 ++++---
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/packages/cli/src/UserManagement/routes/auth.ts b/packages/cli/src/UserManagement/routes/auth.ts
index f89fe4af2a..b4567aed64 100644
--- a/packages/cli/src/UserManagement/routes/auth.ts
+++ b/packages/cli/src/UserManagement/routes/auth.ts
@@ -70,11 +70,6 @@ export function authenticationMethods(this: N8nApp): void {
 // If logged in, return user
 try {
 user = await resolveJwt(cookieContents);
-
- if (!config.get('userManagement.isInstanceOwnerSetUp')) {
- res.cookie(AUTH_COOKIE_NAME, cookieContents);
- }
-
 return sanitizeUser(user);
 } catch (error) {
 res.clearCookie(AUTH_COOKIE_NAME);
diff --git a/packages/cli/test/integration/auth.api.test.ts b/packages/cli/test/integration/auth.api.test.ts
index fc266b06d3..86dd387986 100644
--- a/packages/cli/test/integration/auth.api.test.ts
+++ b/packages/cli/test/integration/auth.api.test.ts
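Review bot: The new side of this hunk leaves no trace of why `GET /login` no longer re-issues the cookie, so a later reader may reintroduce a bare `res.cookie(AUTH_COOKIE_NAME, cookieContents)` that again drops the `httpOnly`/`sameSite` attributes the commit message says `issueCookie` guarantees; a comment on the `user = await resolveJwt(cookieContents);` line would pin that down: `// Do not re-set the cookie here: renewal and its attributes are handled by the refreshExpiringCookie middleware via issueCookie.` The `res.clearCookie(AUTH_COOKIE_NAME)` in the catch branch is unchanged; it is worth confirming separately that it clears with the same path/domain that `issueCookie` sets, since a mismatched clear leaves the rejected cookie on the client, which I cannot verify from this hunk. `authenticationMethods` begins and continues outside the hunk.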
@@ -103,8 +103,9 @@ test('GET /login should return 401 Unauthorized if no cookie', async () => {
 expect(authToken).toBeUndefined();
 });
-test('GET /login should return cookie if UM is disabled', async () => {
- const ownerShell = await testDb.createUserShell(globalOwnerRole);
+test('GET /login should return cookie if UM is disabled and no cookie is already set', async () => {
+ const authlessAgent = utils.createAgent(app);
+ await testDb.createUserShell(globalOwnerRole);
 config.set('userManagement.isInstanceOwnerSetUp', false);
@@ -113,7 +114,7 @@ test('GET /login should return cookie if UM is disabled', async () => {
 { value: JSON.stringify(false) },
 );
- const response = await authAgent(ownerShell).get('/login');
+ const response = await authlessAgent.get('/login');
 expect(response.statusCode).toBe(200);
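Review bot: The renamed test only covers the authless path, so after this change nothing in the visible hunks exercises the behaviour the commit actually fixes — a `GET /login` that already carries a valid cookie while `userManagement.isInstanceOwnerSetUp` is false should answer 200 without a fresh `Set-Cookie` header. The old test's `authAgent(ownerShell)` setup is exactly the fixture needed for that, so I would keep it as a companion test rather than drop it, assuming `authAgent` is still available in the file and the fixture cookie is not within the middleware's 3-day refresh window. The second hunk's tail runs past the end of the visible diff, so I cannot see what else is asserted on the response there.

```typescript
test('GET /login should not re-issue the cookie if UM is disabled and a valid cookie is already set', async () => {
	const ownerShell = await testDb.createUserShell(globalOwnerRole);

	config.set('userManagement.isInstanceOwnerSetUp', false);
	// … unchanged: same settings setup as the preceding test …

	const response = await authAgent(ownerShell).get('/login');

	expect(response.statusCode).toBe(200);
	expect(response.headers['set-cookie']).toBeUndefined();
});
```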