refactor(core): Modernize credentials controllers and services (no-changelog) (#8488)

Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
2025-12-18 18:41:14 +00:00 · 2024-01-31 09:48:48 +01:00
parent 0febe62ad0
commit dac511b710
10 changed files with 330 additions and 441 deletions
--- a/packages/cli/src/credentials/credentials.controller.ts
+++ b/packages/cli/src/credentials/credentials.controller.ts
@@ -1,62 +1,100 @@
-import express from 'express';
-import type { INodeCredentialTestResult } from 'n8n-workflow';
 import { deepCopy } from 'n8n-workflow';
-
-import * as ResponseHelper from '@/ResponseHelper';
 import config from '@/config';
-import { EECredentialsController } from './credentials.controller.ee';
 import { CredentialsService } from './credentials.service';
-
-import type { ICredentialsDb } from '@/Interfaces';
-import type { CredentialRequest, ListQuery } from '@/requests';
-import { Container } from 'typedi';
+import { CredentialRequest, ListQuery } from '@/requests';
 import { InternalHooks } from '@/InternalHooks';
-import { listQueryMiddleware } from '@/middlewares';
 import { Logger } from '@/Logger';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
 import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
 import { NamingService } from '@/services/naming.service';
+import { License } from '@/License';
+import { CredentialsRepository } from '@/databases/repositories/credentials.repository';
+import { OwnershipService } from '@/services/ownership.service';
+import { EnterpriseCredentialsService } from './credentials.service.ee';
+import { Authorized, Delete, Get, Licensed, Patch, Post, Put, RestController } from '@/decorators';
+import { BadRequestError } from '@/errors/response-errors/bad-request.error';
+import { UserManagementMailer } from '@/UserManagement/email';
+import * as Db from '@/Db';
+import * as utils from '@/utils';
+import { listQueryMiddleware } from '@/middlewares';

-export const credentialsController = express.Router();
-credentialsController.use('/', EECredentialsController);
+@Authorized()
+@RestController('/credentials')
+export class CredentialsController {
+	constructor(
+		private readonly credentialsService: CredentialsService,
+		private readonly enterpriseCredentialsService: EnterpriseCredentialsService,
+		private readonly credentialsRepository: CredentialsRepository,
+		private readonly namingService: NamingService,
+		private readonly license: License,
+		private readonly logger: Logger,
+		private readonly ownershipService: OwnershipService,
+		private readonly internalHooks: InternalHooks,
+		private readonly userManagementMailer: UserManagementMailer,
+	) {}

-/**
- * GET /credentials
- */
-credentialsController.get(
-	'/',
-	listQueryMiddleware,
-	ResponseHelper.send(async (req: ListQuery.Request) => {
-		return await CredentialsService.getMany(req.user, { listQueryOptions: req.listQueryOptions });
-	}),
-);
+	@Get('/', { middlewares: listQueryMiddleware })
+	async getMany(req: ListQuery.Request) {
+		return await this.credentialsService.getMany(req.user, {
+			listQueryOptions: req.listQueryOptions,
+		});
+	}

-/**
- * GET /credentials/new
- *
- * Generate a unique credential name.
- */
-credentialsController.get(
-	'/new',
-	ResponseHelper.send(async (req: CredentialRequest.NewName) => {
+	@Get('/new')
+	async generateUniqueName(req: CredentialRequest.NewName) {
 		const requestedName = req.query.name ?? config.getEnv('credentials.defaultName');

 		return {
-			name: await Container.get(NamingService).getUniqueCredentialName(requestedName),
+			name: await this.namingService.getUniqueCredentialName(requestedName),
 		};
-	}),
-);
+	}
+
+	@Get('/:id')
+	async getOne(req: CredentialRequest.Get) {
+		if (this.license.isSharingEnabled()) {
+			const { id: credentialId } = req.params;
+			const includeDecryptedData = req.query.includeData === 'true';
+
+			let credential = await this.credentialsRepository.findOne({
+				where: { id: credentialId },
+				relations: ['shared', 'shared.user'],
+			});
+
+			if (!credential) {
+				throw new NotFoundError(
+					'Could not load the credential. If you think this is an error, ask the owner to share it with you again',
+				);
+			}
+
+			const userSharing = credential.shared?.find((shared) => shared.user.id === req.user.id);
+
+			if (!userSharing && !req.user.hasGlobalScope('credential:read')) {
+				throw new UnauthorizedError('Forbidden.');
+			}
+
+			credential = this.ownershipService.addOwnedByAndSharedWith(credential);
+
+			if (!includeDecryptedData || !userSharing || userSharing.role !== 'credential:owner') {
+				const { data: _, ...rest } = credential;
+				return { ...rest };
+			}
+
+			const { data: _, ...rest } = credential;
+
+			const decryptedData = this.credentialsService.redact(
+				this.credentialsService.decrypt(credential),
+				credential,
+			);
+
+			return { data: decryptedData, ...rest };
+		}
+
+		// non-enterprise

-/**
- * GET /credentials/:id
- */
-credentialsController.get(
-	'/:id(\\w+)',
-	ResponseHelper.send(async (req: CredentialRequest.Get) => {
 		const { id: credentialId } = req.params;
 		const includeDecryptedData = req.query.includeData === 'true';

-		const sharing = await CredentialsService.getSharing(
+		const sharing = await this.credentialsService.getSharing(
 			req.user,
 			credentialId,
 			{ allowGlobalScope: true, globalScope: 'credential:read' },
@@ -75,52 +113,79 @@ credentialsController.get(
 			return { ...rest };
 		}

-		const decryptedData = CredentialsService.redact(
-			CredentialsService.decrypt(credential),
+		const decryptedData = this.credentialsService.redact(
+			this.credentialsService.decrypt(credential),
 			credential,
 		);

 		return { data: decryptedData, ...rest };
-	}),
-);
+	}
+
+	@Post('/test')
+	async testCredentials(req: CredentialRequest.Test) {
+		if (this.license.isSharingEnabled()) {
+			const { credentials } = req.body;
+
+			const credentialId = credentials.id;
+			const { ownsCredential } = await this.enterpriseCredentialsService.isOwned(
+				req.user,
+				credentialId,
+			);
+
+			const sharing = await this.enterpriseCredentialsService.getSharing(req.user, credentialId, {
+				allowGlobalScope: true,
+				globalScope: 'credential:read',
+			});
+			if (!ownsCredential) {
+				if (!sharing) {
+					throw new UnauthorizedError('Forbidden');
+				}
+
+				const decryptedData = this.credentialsService.decrypt(sharing.credentials);
+				Object.assign(credentials, { data: decryptedData });
+			}
+
+			const mergedCredentials = deepCopy(credentials);
+			if (mergedCredentials.data && sharing?.credentials) {
+				const decryptedData = this.credentialsService.decrypt(sharing.credentials);
+				mergedCredentials.data = this.credentialsService.unredact(
+					mergedCredentials.data,
+					decryptedData,
+				);
+			}
+
+			return await this.credentialsService.test(req.user, mergedCredentials);
+		}
+
+		// non-enterprise

-/**
- * POST /credentials/test
- *
- * Test if a credential is valid.
- */
-credentialsController.post(
-	'/test',
-	ResponseHelper.send(async (req: CredentialRequest.Test): Promise<INodeCredentialTestResult> => {
 		const { credentials } = req.body;

-		const sharing = await CredentialsService.getSharing(req.user, credentials.id, {
+		const sharing = await this.credentialsService.getSharing(req.user, credentials.id, {
 			allowGlobalScope: true,
 			globalScope: 'credential:read',
 		});

 		const mergedCredentials = deepCopy(credentials);
 		if (mergedCredentials.data && sharing?.credentials) {
-			const decryptedData = CredentialsService.decrypt(sharing.credentials);
-			mergedCredentials.data = CredentialsService.unredact(mergedCredentials.data, decryptedData);
+			const decryptedData = this.credentialsService.decrypt(sharing.credentials);
+			mergedCredentials.data = this.credentialsService.unredact(
+				mergedCredentials.data,
+				decryptedData,
+			);
 		}

-		return await CredentialsService.test(req.user, mergedCredentials);
-	}),
-);
+		return await this.credentialsService.test(req.user, mergedCredentials);
+	}

-/**
- * POST /credentials
- */
-credentialsController.post(
-	'/',
-	ResponseHelper.send(async (req: CredentialRequest.Create) => {
-		const newCredential = await CredentialsService.prepareCreateData(req.body);
+	@Post('/')
+	async createCredentials(req: CredentialRequest.Create) {
+		const newCredential = await this.credentialsService.prepareCreateData(req.body);

-		const encryptedData = CredentialsService.createEncryptedData(null, newCredential);
-		const credential = await CredentialsService.save(newCredential, encryptedData, req.user);
+		const encryptedData = this.credentialsService.createEncryptedData(null, newCredential);
+		const credential = await this.credentialsService.save(newCredential, encryptedData, req.user);

-		void Container.get(InternalHooks).onUserCreatedCredentials({
+		void this.internalHooks.onUserCreatedCredentials({
 			user: req.user,
 			credential_name: newCredential.name,
 			credential_type: credential.type,
@@ -129,18 +194,13 @@ credentialsController.post(
 		});

 		return credential;
-	}),
-);
+	}

-/**
- * PATCH /credentials/:id
- */
-credentialsController.patch(
-	'/:id(\\w+)',
-	ResponseHelper.send(async (req: CredentialRequest.Update): Promise<ICredentialsDb> => {
+	@Patch('/:id')
+	async updateCredentials(req: CredentialRequest.Update) {
 		const { id: credentialId } = req.params;

-		const sharing = await CredentialsService.getSharing(
+		const sharing = await this.credentialsService.getSharing(
 			req.user,
 			credentialId,
 			{
@@ -151,42 +211,36 @@ credentialsController.patch(
 		);

 		if (!sharing) {
-			Container.get(Logger).info(
-				'Attempt to update credential blocked due to lack of permissions',
-				{
-					credentialId,
-					userId: req.user.id,
-				},
-			);
+			this.logger.info('Attempt to update credential blocked due to lack of permissions', {
+				credentialId,
+				userId: req.user.id,
+			});
 			throw new NotFoundError(
 				'Credential to be updated not found. You can only update credentials owned by you',
 			);
 		}

 		if (sharing.role !== 'credential:owner' && !req.user.hasGlobalScope('credential:update')) {
-			Container.get(Logger).info(
-				'Attempt to update credential blocked due to lack of permissions',
-				{
-					credentialId,
-					userId: req.user.id,
-				},
-			);
+			this.logger.info('Attempt to update credential blocked due to lack of permissions', {
+				credentialId,
+				userId: req.user.id,
+			});
 			throw new UnauthorizedError('You can only update credentials owned by you');
 		}

 		const { credentials: credential } = sharing;

-		const decryptedData = CredentialsService.decrypt(credential);
-		const preparedCredentialData = await CredentialsService.prepareUpdateData(
+		const decryptedData = this.credentialsService.decrypt(credential);
+		const preparedCredentialData = await this.credentialsService.prepareUpdateData(
 			req.body,
 			decryptedData,
 		);
-		const newCredentialData = CredentialsService.createEncryptedData(
+		const newCredentialData = this.credentialsService.createEncryptedData(
 			credentialId,
 			preparedCredentialData,
 		);

-		const responseData = await CredentialsService.update(credentialId, newCredentialData);
+		const responseData = await this.credentialsService.update(credentialId, newCredentialData);

 		if (responseData === null) {
 			throw new NotFoundError(`Credential ID "${credentialId}" could not be found to be updated.`);
@@ -195,21 +249,16 @@ credentialsController.patch(
 		// Remove the encrypted data as it is not needed in the frontend
 		const { data: _, ...rest } = responseData;

-		Container.get(Logger).verbose('Credential updated', { credentialId });
+		this.logger.verbose('Credential updated', { credentialId });

 		return { ...rest };
-	}),
-);
+	}

-/**
- * DELETE /credentials/:id
- */
-credentialsController.delete(
-	'/:id(\\w+)',
-	ResponseHelper.send(async (req: CredentialRequest.Delete) => {
+	@Delete('/:id')
+	async deleteCredentials(req: CredentialRequest.Delete) {
 		const { id: credentialId } = req.params;

-		const sharing = await CredentialsService.getSharing(
+		const sharing = await this.credentialsService.getSharing(
 			req.user,
 			credentialId,
 			{
@@ -220,33 +269,112 @@ credentialsController.delete(
 		);

 		if (!sharing) {
-			Container.get(Logger).info(
-				'Attempt to delete credential blocked due to lack of permissions',
-				{
-					credentialId,
-					userId: req.user.id,
-				},
-			);
+			this.logger.info('Attempt to delete credential blocked due to lack of permissions', {
+				credentialId,
+				userId: req.user.id,
+			});
 			throw new NotFoundError(
 				'Credential to be deleted not found. You can only removed credentials owned by you',
 			);
 		}

 		if (sharing.role !== 'credential:owner' && !req.user.hasGlobalScope('credential:delete')) {
-			Container.get(Logger).info(
-				'Attempt to delete credential blocked due to lack of permissions',
-				{
-					credentialId,
-					userId: req.user.id,
-				},
-			);
+			this.logger.info('Attempt to delete credential blocked due to lack of permissions', {
+				credentialId,
+				userId: req.user.id,
+			});
 			throw new UnauthorizedError('You can only remove credentials owned by you');
 		}

 		const { credentials: credential } = sharing;

-		await CredentialsService.delete(credential);
+		await this.credentialsService.delete(credential);

 		return true;
-	}),
-);
+	}
+
+	@Licensed('feat:sharing')
+	@Put('/:id/share')
+	async shareCredentials(req: CredentialRequest.Share) {
+		const { id: credentialId } = req.params;
+		const { shareWithIds } = req.body;
+
+		if (
+			!Array.isArray(shareWithIds) ||
+			!shareWithIds.every((userId) => typeof userId === 'string')
+		) {
+			throw new BadRequestError('Bad request');
+		}
+
+		const isOwnedRes = await this.enterpriseCredentialsService.isOwned(req.user, credentialId);
+		const { ownsCredential } = isOwnedRes;
+		let { credential } = isOwnedRes;
+		if (!ownsCredential || !credential) {
+			credential = undefined;
+			// Allow owners/admins to share
+			if (req.user.hasGlobalScope('credential:share')) {
+				const sharedRes = await this.enterpriseCredentialsService.getSharing(
+					req.user,
+					credentialId,
+					{
+						allowGlobalScope: true,
+						globalScope: 'credential:share',
+					},
+				);
+				credential = sharedRes?.credentials;
+			}
+			if (!credential) {
+				throw new UnauthorizedError('Forbidden');
+			}
+		}
+
+		const ownerIds = (
+			await this.enterpriseCredentialsService.getSharings(
+				Db.getConnection().createEntityManager(),
+				credentialId,
+				['shared'],
+			)
+		)
+			.filter((e) => e.role === 'credential:owner')
+			.map((e) => e.userId);
+
+		let amountRemoved: number | null = null;
+		let newShareeIds: string[] = [];
+		await Db.transaction(async (trx) => {
+			// remove all sharings that are not supposed to exist anymore
+			const { affected } = await this.credentialsRepository.pruneSharings(trx, credentialId, [
+				...ownerIds,
+				...shareWithIds,
+			]);
+			if (affected) amountRemoved = affected;
+
+			const sharings = await this.enterpriseCredentialsService.getSharings(trx, credentialId);
+
+			// extract the new sharings that need to be added
+			newShareeIds = utils.rightDiff(
+				[sharings, (sharing) => sharing.userId],
+				[shareWithIds, (shareeId) => shareeId],
+			);
+
+			if (newShareeIds.length) {
+				await this.enterpriseCredentialsService.share(trx, credential!, newShareeIds);
+			}
+		});
+
+		void this.internalHooks.onUserSharedCredentials({
+			user: req.user,
+			credential_name: credential.name,
+			credential_type: credential.type,
+			credential_id: credential.id,
+			user_id_sharer: req.user.id,
+			user_ids_sharees_added: newShareeIds,
+			sharees_removed: amountRemoved,
+		});
+
+		await this.userManagementMailer.notifyCredentialsShared({
+			sharer: req.user,
+			newShareeIds,
+			credentialsName: credential.name,
+		});
+	}
+}