refactor(core): Enforce authorization by default on all routes (no-changelog) (#8762)

कारतोफ्फेलस्क्रिप्ट™
2024-02-28 17:02:18 +01:00
committed by GitHub
parent 2811f77798
commit db4a419c8d
46 changed files with 126 additions and 299 deletions


@@ -4,7 +4,7 @@ import { Response } from 'express';
import { AuthService } from '@/auth/auth.service';
import config from '@/config';
import { validateEntity } from '@/GenericHelpers';
import { Authorized, Post, RestController } from '@/decorators';
import { GlobalScope, Post, RestController } from '@/decorators';
import { PasswordUtility } from '@/services/password.utility';
import { OwnerRequest } from '@/requests';
import { SettingsRepository } from '@db/repositories/settings.repository';
@@ -15,7 +15,6 @@ import { Logger } from '@/Logger';
import { BadRequestError } from '@/errors/response-errors/bad-request.error';
import { InternalHooks } from '@/InternalHooks';
@Authorized('global:owner')
@RestController('/owner')
export class OwnerController {
constructor(
@@ -33,24 +32,19 @@ export class OwnerController {
* Promote a shell into the owner of the n8n instance,
* and enable `isInstanceOwnerSetUp` setting.
*/
@Post('/setup')
@Post('/setup', { skipAuth: true })
async setupOwner(req: OwnerRequest.Post, res: Response) {
const { email, firstName, lastName, password } = req.body;
const { id: userId } = req.user;
if (config.getEnv('userManagement.isInstanceOwnerSetUp')) {
this.logger.debug(
'Request to claim instance ownership failed because instance owner already exists',
{
userId,
},
);
throw new BadRequestError('Instance owner already setup');
}
if (!email || !validator.isEmail(email)) {
this.logger.debug('Request to claim instance ownership failed because of invalid email', {
userId,
invalidEmail: email,
});
throw new BadRequestError('Invalid email address');
@@ -61,25 +55,24 @@ export class OwnerController {
if (!firstName || !lastName) {
this.logger.debug(
'Request to claim instance ownership failed because of missing first name or last name in payload',
{ userId, payload: req.body },
{ payload: req.body },
);
throw new BadRequestError('First and last names are mandatory');
}
let owner = req.user;
Object.assign(owner, {
email,
firstName,
lastName,
password: await this.passwordUtility.hash(validPassword),
let owner = await this.userRepository.findOneOrFail({
where: { role: 'global:owner' },
});
owner.email = email;
owner.firstName = firstName;
owner.lastName = lastName;
owner.password = await this.passwordUtility.hash(validPassword);
await validateEntity(owner);
owner = await this.userRepository.save(owner, { transaction: false });
this.logger.info('Owner was set up successfully', { userId });
this.logger.info('Owner was set up successfully');
await this.settingsRepository.update(
{ key: 'userManagement.isInstanceOwnerSetUp' },
@@ -88,19 +81,19 @@ export class OwnerController {
config.set('userManagement.isInstanceOwnerSetUp', true);
this.logger.debug('Setting isInstanceOwnerSetUp updated successfully', { userId });
this.logger.debug('Setting isInstanceOwnerSetUp updated successfully');
this.authService.issueCookie(res, owner);
void this.internalHooks.onInstanceOwnerSetup({ user_id: userId });
void this.internalHooks.onInstanceOwnerSetup({ user_id: owner.id });
return await this.userService.toPublic(owner, { posthog: this.postHog, withScopes: true });
}
@Post('/dismiss-banner')
@GlobalScope('banner:dismiss')
async dismissBanner(req: OwnerRequest.DismissBanner) {
const bannerName = 'banner' in req.body ? (req.body.banner as string) : '';
const response = await this.settingsRepository.dismissBanner({ bannerName });
return response;
return await this.settingsRepository.dismissBanner({ bannerName });
}
}
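Review bot: With `@Post('/setup', { skipAuth: true })` the `config.getEnv('userManagement.isInstanceOwnerSetUp')` check at the top of setupOwner is the only thing standing between an unauthenticated caller and the `global:owner` row, and that check reads an in-process flag that is flipped by `config.set(...)` only after several awaits (password hashing, validateEntity, the repository save) — two concurrent setup requests can both pass the check and both overwrite the owner before either flips the flag. Consider making the check and the settings update atomic, for example a conditional update on the settings row in the same transaction as the owner save (or re-reading the persisted setting immediately before the save) instead of relying on the cached config value; `findOneOrFail` also surfaces a missing owner row as an unhandled throw, which is presumably acceptable but worth a comment. Separately, the success log lost the actor id the previous version recorded; since `owner.id` is already passed to `onInstanceOwnerSetup`, `this.logger.info('Owner was set up successfully', { userId: owner.id });` keeps the audit trail intact. setupOwner spans three hunks, so part of its body (including where `validPassword` is derived) is outside this view.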