feat(core): Add onlySharedWithMe filter to GET /credentials endpoint (no-changelog) (#14885)

Co-authored-by: Danny Martini <danny@n8n.io>
2025-12-17 18:12:04 +00:00 · 2025-05-02 13:08:30 -04:00
parent 8a30c35c33
commit e01bab58a5
5 changed files with 143 additions and 5 deletions
--- a/packages/@n8n/api-types/src/dto/credentials/credentials-get-many-request.dto.ts
+++ b/packages/@n8n/api-types/src/dto/credentials/credentials-get-many-request.dto.ts
@@ -19,4 +19,6 @@ export class CredentialsGetManyRequestQuery extends Z.class({
 	 * This switches `includeScopes` to true to be able to check for the scopes
 	 */
 	includeData: booleanFromString.optional(),
 	onlySharedWithMe: booleanFromString.optional(),
 }) {}
--- a/packages/cli/src/credentials/credentials.controller.ts
+++ b/packages/cli/src/credentials/credentials.controller.ts
@@ -70,6 +70,7 @@ export class CredentialsController {
 			listQueryOptions: req.listQueryOptions,
 			includeScopes: query.includeScopes,
 			includeData: query.includeData,
 			onlySharedWithMe: query.onlySharedWithMe,
 		});
 		credentials.forEach((c) => {
 			// @ts-expect-error: This is to emulate the old behavior of removing the shared
--- a/packages/cli/src/credentials/credentials.service.ts
+++ b/packages/cli/src/credentials/credentials.service.ts
@@ -72,10 +72,12 @@ export class CredentialsService {
 			listQueryOptions = {},
 			includeScopes = false,
 			includeData = false,
 			onlySharedWithMe = false,
 		}: {
 			listQueryOptions?: ListQuery.Options & { includeData?: boolean };
 			includeScopes?: boolean;
 			includeData?: boolean;
 			onlySharedWithMe?: boolean;
 		} = {},
 	) {
 		const returnAll = user.hasGlobalScope('credential:list');
@@ -85,6 +87,14 @@ export class CredentialsService {
 				? listQueryOptions.filter.projectId
 				: undefined;
 		if (onlySharedWithMe) {
 			listQueryOptions.filter = {
 				...listQueryOptions.filter,
 				withRole: 'credential:user',
 				user,
 			};
 		}
 		if (includeData) {
 			// We need the scopes to check if we're allowed to include the decrypted
 			// data.
@@ -118,7 +128,10 @@ export class CredentialsService {
 				// it's shared to a project, it won't be able to find the home project.
 				// To solve this, we have to get all the relation now, even though
 				// we're deleting them later.
-				if ((listQueryOptions.filter?.shared as { projectId?: string })?.projectId) {
+				if (
 					(listQueryOptions.filter?.shared as { projectId?: string })?.projectId ??
 					onlySharedWithMe
 				) {
 					const relations = await this.sharedCredentialsRepository.getAllRelationsForCredentials(
 						credentials.map((c) => c.id),
 					);
@@ -168,7 +181,10 @@ export class CredentialsService {
 			// it's shared to a project, it won't be able to find the home project.
 			// To solve this, we have to get all the relation now, even though
 			// we're deleting them later.
-			if ((listQueryOptions.filter?.shared as { projectId?: string })?.projectId) {
+			if (
 				(listQueryOptions.filter?.shared as { projectId?: string })?.projectId ??
 				onlySharedWithMe
 			) {
 				const relations = await this.sharedCredentialsRepository.getAllRelationsForCredentials(
 					credentials.map((c) => c.id),
 				);
--- a/packages/cli/src/databases/repositories/credentials.repository.ts
+++ b/packages/cli/src/databases/repositories/credentials.repository.ts
@@ -1,3 +1,4 @@
 import type { User } from '@n8n/db';
 import { CredentialsEntity } from '@n8n/db';
 import { Service } from '@n8n/di';
 import { DataSource, In, Repository, Like } from '@n8n/typeorm';
@@ -19,7 +20,7 @@ export class CredentialsRepository extends Repository<CredentialsEntity> {
 	}
 	async findMany(
-		listQueryOptions?: ListQuery.Options & { includeData?: boolean },
+		listQueryOptions?: ListQuery.Options & { includeData?: boolean; user?: User },
 		credentialIds?: string[],
 	) {
 		const findManyOptions = this.toFindManyOptions(listQueryOptions);
@@ -36,7 +37,7 @@ export class CredentialsRepository extends Repository<CredentialsEntity> {
 		type Select = Array<keyof CredentialsEntity>;
-		const defaultRelations = ['shared', 'shared.project'];
+		const defaultRelations = ['shared', 'shared.project', 'shared.project.projectRelations'];
 		const defaultSelect: Select = ['id', 'name', 'type', 'isManaged', 'createdAt', 'updatedAt'];
 		if (!listQueryOptions) return { select: defaultSelect, relations: defaultRelations };
@@ -99,6 +100,23 @@ export class CredentialsRepository extends Repository<CredentialsEntity> {
 			};
 			delete filter.withRole;
 		}
 		if (
 			filter.user &&
 			typeof filter.user === 'object' &&
 			'id' in filter.user &&
 			typeof filter.user.id === 'string'
 		) {
 			filter.shared = {
 				...(filter?.shared ? filter.shared : {}),
 				project: {
 					projectRelations: {
 						userId: filter.user.id,
 					},
 				},
 			};
 			delete filter.user;
 		}
 	}
 	async getManyByIds(ids: string[], { withSharings } = { withSharings: false }) {
--- a/packages/cli/test/integration/credentials/credentials.api.test.ts
+++ b/packages/cli/test/integration/credentials/credentials.api.test.ts
@@ -25,7 +25,7 @@ import {
 	shareCredentialWithUsers,
 } from '../shared/db/credentials';
 import { createTeamProject, linkUserToProject } from '../shared/db/projects';
-import { createManyUsers, createMember, createOwner } from '../shared/db/users';
+import { createAdmin, createManyUsers, createMember, createOwner } from '../shared/db/users';
 import {
 	randomCredentialPayload as payload,
 	randomCredentialPayload,
@@ -42,6 +42,7 @@ const testServer = setupTestServer({ endpointGroups: ['credentials'] });
 let owner: User;
 let member: User;
 let admin: User;
 let secondMember: User;
 let ownerPersonalProject: Project;
@@ -49,6 +50,7 @@ let memberPersonalProject: Project;
 let authOwnerAgent: SuperAgentTest;
 let authMemberAgent: SuperAgentTest;
 let authAdminAgent: SuperAgentTest;
 let projectRepository: ProjectRepository;
 let sharedCredentialsRepository: SharedCredentialsRepository;
@@ -58,6 +60,7 @@ beforeEach(async () => {
 	owner = await createOwner();
 	member = await createMember();
 	admin = await createAdmin();
 	secondMember = await createMember();
 	ownerPersonalProject = await Container.get(ProjectRepository).getPersonalProjectForUserOrFail(
@@ -69,6 +72,7 @@ beforeEach(async () => {
 	authOwnerAgent = testServer.authAgentFor(owner);
 	authMemberAgent = testServer.authAgentFor(member);
 	authAdminAgent = testServer.authAgentFor(admin);
 	projectRepository = Container.get(ProjectRepository);
 	sharedCredentialsRepository = Container.get(SharedCredentialsRepository);
@@ -1509,6 +1513,103 @@ describe('POST /credentials/test', () => {
 			data: credential.data,
 		});
 	});
 	test('should return only credentials shared with me when ?onlySharedWithMe=true (owner)', async () => {
 		await saveCredential(randomCredentialPayload(), {
 			user: owner,
 			role: 'credential:owner',
 		});
 		await saveCredential(randomCredentialPayload(), {
 			user: owner,
 			role: 'credential:owner',
 		});
 		const memberCredential = await saveCredential(randomCredentialPayload(), {
 			user: member,
 			role: 'credential:owner',
 		});
 		await shareCredentialWithUsers(memberCredential, [owner]);
 		let response;
 		response = await authOwnerAgent.get('/credentials').query({ onlySharedWithMe: true });
 		expect(response.statusCode).toBe(200);
 		expect(response.body.data).toHaveLength(1);
 		expect(response.body.data[0].id).toBe(memberCredential.id);
 		expect(response.body.data[0].homeProject).not.toBeNull();
 		response = await authMemberAgent.get('/credentials').query({ onlySharedWithMe: true });
 		expect(response.statusCode).toBe(200);
 		expect(response.body.data).toHaveLength(0);
 	});
 	test('should return only credentials shared with me when ?onlySharedWithMe=true (admin)', async () => {
 		await saveCredential(randomCredentialPayload(), {
 			user: admin,
 			role: 'credential:owner',
 		});
 		await saveCredential(randomCredentialPayload(), {
 			user: admin,
 			role: 'credential:owner',
 		});
 		const memberCredential = await saveCredential(randomCredentialPayload(), {
 			user: member,
 			role: 'credential:owner',
 		});
 		await shareCredentialWithUsers(memberCredential, [admin]);
 		let response;
 		response = await authAdminAgent.get('/credentials').query({ onlySharedWithMe: true });
 		expect(response.statusCode).toBe(200);
 		expect(response.body.data).toHaveLength(1);
 		expect(response.body.data[0].id).toBe(memberCredential.id);
 		expect(response.body.data[0].homeProject).not.toBeNull();
 		response = await authMemberAgent.get('/credentials').query({ onlySharedWithMe: true });
 		expect(response.statusCode).toBe(200);
 		expect(response.body.data).toHaveLength(0);
 	});
 	test('should return only credentials shared with me when ?onlySharedWithMe=true (member)', async () => {
 		await saveCredential(randomCredentialPayload(), {
 			user: member,
 			role: 'credential:owner',
 		});
 		await saveCredential(randomCredentialPayload(), {
 			user: member,
 			role: 'credential:owner',
 		});
 		const ownerCredential = await saveCredential(randomCredentialPayload(), {
 			user: owner,
 			role: 'credential:owner',
 		});
 		await shareCredentialWithUsers(ownerCredential, [member]);
 		let response;
 		response = await authMemberAgent.get('/credentials').query({ onlySharedWithMe: true });
 		expect(response.statusCode).toBe(200);
 		expect(response.body.data).toHaveLength(1);
 		expect(response.body.data[0].id).toBe(ownerCredential.id);
 		expect(response.body.data[0].homeProject).not.toBeNull();
 		response = await authOwnerAgent.get('/credentials').query({ onlySharedWithMe: true });
 		expect(response.statusCode).toBe(200);
 		expect(response.body.data).toHaveLength(0);
 	});
 });
 const INVALID_PAYLOADS = [