refactor(core): Move some request DTOs to @n8n/api-types (no-changelog) (#10880)

biome.jsonc

@@ -33,6 +33,9 @@
 		"enabled": false
 	},
 	"javascript": {
+		"parser": {
+			"unsafeParameterDecoratorsEnabled": true
+		},
 		"formatter": {
 			"jsxQuoteStyle": "double",
 			"quoteProperties": "asNeeded",

cypress/e2e/33-settings-personal.cy.ts

@@ -42,7 +42,7 @@ describe('Personal Settings', () => {
 			cy.getByTestId('personal-data-form').find('input[name="firstName"]').clear().type(name);
 			cy.getByTestId('personal-data-form').find('input[name="lastName"]').clear().type(name);
 			cy.getByTestId('save-settings-button').click();
-			errorToast().should('contain', 'Potentially malicious string | Potentially malicious string');
+			errorToast().should('contain', 'Potentially malicious string');
 			errorToast().find('.el-notification__closeBtn').click();
 		});
 	});

packages/@n8n/api-types/package.json

@@ -11,7 +11,8 @@
     "lint": "eslint .",
     "lintfix": "eslint . --fix",
     "watch": "tsc -p tsconfig.build.json --watch",
-    "test": "echo \"No tests yet\" && exit 0"
+    "test": "jest",
+    "test:dev": "jest --watch"
   },
   "main": "dist/index.js",
   "module": "src/index.ts",
@@ -21,5 +22,10 @@
   ],
   "devDependencies": {
     "n8n-workflow": "workspace:*"
+  },
+  "dependencies": {
+    "xss": "catalog:",
+    "zod": "catalog:",
+    "zod-class": "0.0.15"
   }
 }

packages/@n8n/api-types/src/dto/index.ts

@@ -0,0 +1,4 @@
+export { PasswordUpdateRequestDto } from './user/password-update-request.dto';
+export { RoleChangeRequestDto } from './user/role-change-request.dto';
+export { SettingsUpdateRequestDto } from './user/settings-update-request.dto';
+export { UserUpdateRequestDto } from './user/user-update-request.dto';

packages/@n8n/api-types/src/dto/user/__tests__/password-update-request.dto.test.ts

@@ -0,0 +1,50 @@
+import { PasswordUpdateRequestDto } from '../password-update-request.dto';
+
+describe('PasswordUpdateRequestDto', () => {
+	it('should fail validation with missing currentPassword', () => {
+		const data = {
+			newPassword: 'newPassword123',
+			mfaCode: '123456',
+		};
+
+		const result = PasswordUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path[0]).toBe('currentPassword');
+	});
+
+	it('should fail validation with missing newPassword', () => {
+		const data = {
+			currentPassword: 'oldPassword123',
+			mfaCode: '123456',
+		};
+
+		const result = PasswordUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path[0]).toBe('newPassword');
+	});
+
+	it('should pass validation with missing mfaCode', () => {
+		const data = {
+			currentPassword: 'oldPassword123',
+			newPassword: 'newPassword123',
+		};
+
+		const result = PasswordUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(true);
+	});
+
+	it('should pass validation with valid data', () => {
+		const data = {
+			currentPassword: 'oldPassword123',
+			newPassword: 'newPassword123',
+			mfaCode: '123456',
+		};
+
+		const result = PasswordUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(true);
+	});
+});

packages/@n8n/api-types/src/dto/user/__tests__/role-change-request.dto.test.ts

@@ -0,0 +1,37 @@
+import { RoleChangeRequestDto } from '../role-change-request.dto';
+
+describe('RoleChangeRequestDto', () => {
+	it('should fail validation with missing newRoleName', () => {
+		const data = {};
+
+		const result = RoleChangeRequestDto.safeParse(data);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path[0]).toBe('newRoleName');
+		expect(result.error?.issues[0].message).toBe('New role is required');
+	});
+
+	it('should fail validation with invalid newRoleName', () => {
+		const data = {
+			newRoleName: 'invalidRole',
+		};
+
+		const result = RoleChangeRequestDto.safeParse(data);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path[0]).toBe('newRoleName');
+		expect(result.error?.issues[0].message).toBe(
+			"Invalid enum value. Expected 'global:admin' | 'global:member', received 'invalidRole'",
+		);
+	});
+
+	it('should pass validation with valid data', () => {
+		const data = {
+			newRoleName: 'global:admin',
+		};
+
+		const result = RoleChangeRequestDto.safeParse(data);
+
+		expect(result.success).toBe(true);
+	});
+});

packages/@n8n/api-types/src/dto/user/__tests__/settings-update-request.dto.test.ts

@@ -0,0 +1,68 @@
+import { SettingsUpdateRequestDto } from '../settings-update-request.dto';
+
+describe('SettingsUpdateRequestDto', () => {
+	it('should pass validation with missing userActivated', () => {
+		const data = {
+			allowSSOManualLogin: false,
+		};
+
+		const result = SettingsUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(true);
+	});
+
+	it('should pass validation with missing allowSSOManualLogin', () => {
+		const data = {
+			userActivated: true,
+		};
+
+		const result = SettingsUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(true);
+	});
+
+	it('should pass validation with missing userActivated and allowSSOManualLogin', () => {
+		const data = {};
+
+		const result = SettingsUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(true);
+	});
+
+	it('should fail validation with invalid userActivated', () => {
+		const data = {
+			userActivated: 'invalid',
+			allowSSOManualLogin: false,
+		};
+
+		const result = SettingsUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path[0]).toBe('userActivated');
+		expect(result.error?.issues[0].message).toBe('Expected boolean, received string');
+	});
+
+	it('should fail validation with invalid allowSSOManualLogin', () => {
+		const data = {
+			userActivated: true,
+			allowSSOManualLogin: 'invalid',
+		};
+
+		const result = SettingsUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path[0]).toBe('allowSSOManualLogin');
+		expect(result.error?.issues[0].message).toBe('Expected boolean, received string');
+	});
+
+	it('should pass validation with valid data', () => {
+		const data = {
+			userActivated: true,
+			allowSSOManualLogin: false,
+		};
+
+		const result = SettingsUpdateRequestDto.safeParse(data);
+
+		expect(result.success).toBe(true);
+	});
+});

packages/@n8n/api-types/src/dto/user/__tests__/user-update-request.dto.test.ts

@@ -0,0 +1,86 @@
+import { UserUpdateRequestDto } from '../user-update-request.dto';
+
+describe('UserUpdateRequestDto', () => {
+	it('should fail validation for an invalid email', () => {
+		const invalidRequest = {
+			email: 'invalid-email',
+			firstName: 'John',
+			lastName: 'Doe',
+			mfaCode: '123456',
+		};
+
+		const result = UserUpdateRequestDto.safeParse(invalidRequest);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path).toEqual(['email']);
+	});
+
+	it('should fail validation for a firstName with potential XSS attack', () => {
+		const invalidRequest = {
+			email: 'test@example.com',
+			firstName: '<script>alert("XSS")</script>',
+			lastName: 'Doe',
+			mfaCode: '123456',
+		};
+
+		const result = UserUpdateRequestDto.safeParse(invalidRequest);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path).toEqual(['firstName']);
+	});
+
+	it('should fail validation for a firstName with a URL', () => {
+		const invalidRequest = {
+			email: 'test@example.com',
+			firstName: 'test http://malicious.com',
+			lastName: 'Doe',
+			mfaCode: '123456',
+		};
+
+		const result = UserUpdateRequestDto.safeParse(invalidRequest);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path).toEqual(['firstName']);
+	});
+
+	it('should fail validation for a lastName with potential XSS attack', () => {
+		const invalidRequest = {
+			email: 'test@example.com',
+			firstName: 'John',
+			lastName: '<script>alert("XSS")</script>',
+			mfaCode: '123456',
+		};
+
+		const result = UserUpdateRequestDto.safeParse(invalidRequest);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path).toEqual(['lastName']);
+	});
+
+	it('should fail validation for a lastName with a URL', () => {
+		const invalidRequest = {
+			email: 'test@example.com',
+			firstName: 'John',
+			lastName: 'testing http://malicious.com',
+			mfaCode: '123456',
+		};
+
+		const result = UserUpdateRequestDto.safeParse(invalidRequest);
+
+		expect(result.success).toBe(false);
+		expect(result.error?.issues[0].path).toEqual(['lastName']);
+	});
+
+	it('should validate a valid user update request', () => {
+		const validRequest = {
+			email: 'test@example.com',
+			firstName: 'John',
+			lastName: 'Doe',
+			mfaCode: '123456',
+		};
+
+		const result = UserUpdateRequestDto.safeParse(validRequest);
+
+		expect(result.success).toBe(true);
+	});
+});

packages/@n8n/api-types/src/dto/user/password-update-request.dto.ts

@@ -0,0 +1,8 @@
+import { z } from 'zod';
+import { Z } from 'zod-class';
+
+export class PasswordUpdateRequestDto extends Z.class({
+	currentPassword: z.string(),
+	newPassword: z.string(),
+	mfaCode: z.string().optional(),
+}) {}

packages/@n8n/api-types/src/dto/user/role-change-request.dto.ts

@@ -0,0 +1,8 @@
+import { z } from 'zod';
+import { Z } from 'zod-class';
+
+export class RoleChangeRequestDto extends Z.class({
+	newRoleName: z.enum(['global:admin', 'global:member'], {
+		required_error: 'New role is required',
+	}),
+}) {}

packages/@n8n/api-types/src/dto/user/settings-update-request.dto.ts

@@ -0,0 +1,7 @@
+import { z } from 'zod';
+import { Z } from 'zod-class';
+
+export class SettingsUpdateRequestDto extends Z.class({
+	userActivated: z.boolean().optional(),
+	allowSSOManualLogin: z.boolean().optional(),
+}) {}

packages/@n8n/api-types/src/dto/user/user-update-request.dto.ts

@@ -0,0 +1,31 @@
+import xss from 'xss';
+import { z } from 'zod';
+import { Z } from 'zod-class';
+
+const xssCheck = (value: string) =>
+	value ===
+	xss(value, {
+		whiteList: {}, // no tags are allowed
+	});
+
+const URL_REGEX = /^(https?:\/\/|www\.)|(\.[\p{L}\d-]+)/iu;
+const urlCheck = (value: string) => !URL_REGEX.test(value);
+
+const nameSchema = () =>
+	z
+		.string()
+		.min(1)
+		.max(32)
+		.refine(xssCheck, {
+			message: 'Potentially malicious string',
+		})
+		.refine(urlCheck, {
+			message: 'Potentially malicious string',
+		});
+
+export class UserUpdateRequestDto extends Z.class({
+	email: z.string().email(),
+	firstName: nameSchema().optional(),
+	lastName: nameSchema().optional(),
+	mfaCode: z.string().optional(),
+}) {}

packages/@n8n/api-types/src/index.ts

@@ -1,4 +1,5 @@
 export type * from './datetime';
+export * from './dto';
 export type * from './push';
 export type * from './scaling';
 export type * from './frontend-settings';

packages/cli/package.json

@@ -174,7 +174,7 @@
     "ws": "8.17.1",
     "xml2js": "catalog:",
     "xmllint-wasm": "3.0.1",
-    "xss": "^1.0.14",
+    "xss": "catalog:",
     "yamljs": "0.3.0",
     "zod": "catalog:"
   }

packages/cli/src/controllers/__tests__/me.controller.test.ts

@@ -1,3 +1,4 @@
+import { UserUpdateRequestDto } from '@n8n/api-types';
 import type { Response } from 'express';
 import { mock, anyObject } from 'jest-mock-extended';
 import jwt from 'jsonwebtoken';
@@ -35,20 +36,6 @@ describe('MeController', () => {
 	const controller = Container.get(MeController);
 
 	describe('updateCurrentUser', () => {
-		it('should throw BadRequestError if email is missing in the payload', async () => {
-			const req = mock<MeRequest.UserUpdate>({});
-			await expect(controller.updateCurrentUser(req, mock())).rejects.toThrowError(
-				new BadRequestError('Email is mandatory'),
-			);
-		});
-
-		it('should throw BadRequestError if email is invalid', async () => {
-			const req = mock<MeRequest.UserUpdate>({ body: { email: 'invalid-email' } });
-			await expect(controller.updateCurrentUser(req, mock())).rejects.toThrowError(
-				new BadRequestError('Invalid email address'),
-			);
-		});
-
 		it('should update the user in the DB, and issue a new cookie', async () => {
 			const user = mock<User>({
 				id: '123',
@@ -58,24 +45,24 @@ describe('MeController', () => {
 				role: 'global:owner',
 				mfaEnabled: false,
 			});
-			const req = mock<MeRequest.UserUpdate>({ user, browserId });
-			req.body = {
+			const payload = new UserUpdateRequestDto({
 				email: 'valid@email.com',
 				firstName: 'John',
 				lastName: 'Potato',
-			};
+			});
+			const req = mock<AuthenticatedRequest>({ user, browserId });
 			const res = mock<Response>();
 			userRepository.findOneByOrFail.mockResolvedValue(user);
 			userRepository.findOneOrFail.mockResolvedValue(user);
 			jest.spyOn(jwt, 'sign').mockImplementation(() => 'signed-token');
 			userService.toPublic.mockResolvedValue({} as unknown as PublicUser);
 
-			await controller.updateCurrentUser(req, res);
+			await controller.updateCurrentUser(req, res, payload);
 
 			expect(externalHooks.run).toHaveBeenCalledWith('user.profile.beforeUpdate', [
 				user.id,
 				user.email,
-				req.body,
+				payload,
 			]);
 
 			expect(userService.update).toHaveBeenCalled();
@@ -100,35 +87,6 @@ describe('MeController', () => {
 			]);
 		});
 
-		it('should not allow updating any other fields on a user besides email and name', async () => {
-			const user = mock<User>({
-				id: '123',
-				password: 'password',
-				authIdentities: [],
-				role: 'global:member',
-				mfaEnabled: false,
-			});
-			const req = mock<MeRequest.UserUpdate>({ user, browserId });
-			req.body = { email: 'valid@email.com', firstName: 'John', lastName: 'Potato' };
-			const res = mock<Response>();
-			userRepository.findOneOrFail.mockResolvedValue(user);
-			jest.spyOn(jwt, 'sign').mockImplementation(() => 'signed-token');
-
-			// Add invalid data to the request payload
-			Object.assign(req.body, { id: '0', role: 'global:owner' });
-
-			await controller.updateCurrentUser(req, res);
-
-			expect(userService.update).toHaveBeenCalled();
-
-			const updatePayload = userService.update.mock.calls[0][1];
-			expect(updatePayload.email).toBe(req.body.email);
-			expect(updatePayload.firstName).toBe(req.body.firstName);
-			expect(updatePayload.lastName).toBe(req.body.lastName);
-			expect(updatePayload.id).toBeUndefined();
-			expect(updatePayload.role).toBeUndefined();
-		});
-
 		it('should throw BadRequestError if beforeUpdate hook throws BadRequestError', async () => {
 			const user = mock<User>({
 				id: '123',
@@ -137,9 +95,7 @@ describe('MeController', () => {
 				role: 'global:owner',
 				mfaEnabled: false,
 			});
-			const reqBody = { email: 'valid@email.com', firstName: 'John', lastName: 'Potato' };
-			const req = mock<MeRequest.UserUpdate>({ user, body: reqBody });
-			req.body = reqBody; // We don't want the body to be a mock object
+			const req = mock<AuthenticatedRequest>({ user });
 
 			externalHooks.run.mockImplementationOnce(async (hookName) => {
 				if (hookName === 'user.profile.beforeUpdate') {
@@ -147,9 +103,13 @@ describe('MeController', () => {
 				}
 			});
 
-			await expect(controller.updateCurrentUser(req, mock())).rejects.toThrowError(
-				new BadRequestError('Invalid email address'),
-			);
+			await expect(
+				controller.updateCurrentUser(
+					req,
+					mock(),
+					mock({ email: 'valid@email.com', firstName: 'John', lastName: 'Potato' }),
+				),
+			).rejects.toThrowError(new BadRequestError('Invalid email address'));
 		});
 
 		describe('when mfa is enabled', () => {
@@ -162,12 +122,19 @@ describe('MeController', () => {
 					role: 'global:owner',
 					mfaEnabled: true,
 				});
-				const req = mock<MeRequest.UserUpdate>({ user, browserId });
-				req.body = { email: 'new@email.com', firstName: 'John', lastName: 'Potato' };
+				const req = mock<AuthenticatedRequest>({ user, browserId });
 
-				await expect(controller.updateCurrentUser(req, mock())).rejects.toThrowError(
-					new BadRequestError('Two-factor code is required to change email'),
-				);
+				await expect(
+					controller.updateCurrentUser(
+						req,
+						mock(),
+						new UserUpdateRequestDto({
+							email: 'new@email.com',
+							firstName: 'John',
+							lastName: 'Potato',
+						}),
+					),
+				).rejects.toThrowError(new BadRequestError('Two-factor code is required to change email'));
 			});
 
 			it('should throw InvalidMfaCodeError if mfa code is invalid', async () => {
@@ -179,18 +146,21 @@ describe('MeController', () => {
 					role: 'global:owner',
 					mfaEnabled: true,
 				});
-				const req = mock<MeRequest.UserUpdate>({ user, browserId });
-				req.body = {
-					email: 'new@email.com',
-					firstName: 'John',
-					lastName: 'Potato',
-					mfaCode: 'invalid',
-				};
+				const req = mock<AuthenticatedRequest>({ user, browserId });
 				mockMfaService.validateMfa.mockResolvedValue(false);
 
-				await expect(controller.updateCurrentUser(req, mock())).rejects.toThrow(
-					InvalidMfaCodeError,
-				);
+				await expect(
+					controller.updateCurrentUser(
+						req,
+						mock(),
+						mock({
+							email: 'new@email.com',
+							firstName: 'John',
+							lastName: 'Potato',
+							mfaCode: 'invalid',
+						}),
+					),
+				).rejects.toThrow(InvalidMfaCodeError);
 			});
 
 			it("should update the user's email if mfa code is valid", async () => {
@@ -202,13 +172,7 @@ describe('MeController', () => {
 					role: 'global:owner',
 					mfaEnabled: true,
 				});
-				const req = mock<MeRequest.UserUpdate>({ user, browserId });
-				req.body = {
-					email: 'new@email.com',
-					firstName: 'John',
-					lastName: 'Potato',
-					mfaCode: '123456',
-				};
+				const req = mock<AuthenticatedRequest>({ user, browserId });
 				const res = mock<Response>();
 				userRepository.findOneByOrFail.mockResolvedValue(user);
 				userRepository.findOneOrFail.mockResolvedValue(user);
@@ -216,7 +180,16 @@ describe('MeController', () => {
 				userService.toPublic.mockResolvedValue({} as unknown as PublicUser);
 				mockMfaService.validateMfa.mockResolvedValue(true);
 
-				const result = await controller.updateCurrentUser(req, res);
+				const result = await controller.updateCurrentUser(
+					req,
+					res,
+					mock({
+						email: 'new@email.com',
+						firstName: 'John',
+						lastName: 'Potato',
+						mfaCode: '123456',
+					}),
+				);
 
 				expect(result).toEqual({});
 			});
@@ -227,51 +200,59 @@ describe('MeController', () => {
 		const passwordHash = '$2a$10$ffitcKrHT.Ls.m9FfWrMrOod76aaI0ogKbc3S96Q320impWpCbgj6'; // Hashed 'old_password'
 
 		it('should throw if the user does not have a password set', async () => {
-			const req = mock<MeRequest.Password>({
+			const req = mock<AuthenticatedRequest>({
 				user: mock({ password: undefined }),
-				body: { currentPassword: '', newPassword: '' },
 			});
-			await expect(controller.updatePassword(req, mock())).rejects.toThrowError(
-				new BadRequestError('Requesting user not set up.'),
-			);
+			await expect(
+				controller.updatePassword(req, mock(), mock({ currentPassword: '', newPassword: '' })),
+			).rejects.toThrowError(new BadRequestError('Requesting user not set up.'));
 		});
 
 		it("should throw if currentPassword does not match the user's password", async () => {
-			const req = mock<MeRequest.Password>({
+			const req = mock<AuthenticatedRequest>({
 				user: mock({ password: passwordHash }),
-				body: { currentPassword: 'not_old_password', newPassword: '' },
 			});
-			await expect(controller.updatePassword(req, mock())).rejects.toThrowError(
-				new BadRequestError('Provided current password is incorrect.'),
-			);
+			await expect(
+				controller.updatePassword(
+					req,
+					mock(),
+					mock({ currentPassword: 'not_old_password', newPassword: '' }),
+				),
+			).rejects.toThrowError(new BadRequestError('Provided current password is incorrect.'));
 		});
 
 		describe('should throw if newPassword is not valid', () => {
 			Object.entries(badPasswords).forEach(([newPassword, errorMessage]) => {
 				it(newPassword, async () => {
-					const req = mock<MeRequest.Password>({
+					const req = mock<AuthenticatedRequest>({
 						user: mock({ password: passwordHash }),
-						body: { currentPassword: 'old_password', newPassword },
 						browserId,
 					});
-					await expect(controller.updatePassword(req, mock())).rejects.toThrowError(
-						new BadRequestError(errorMessage),
-					);
+					await expect(
+						controller.updatePassword(
+							req,
+							mock(),
+							mock({ currentPassword: 'old_password', newPassword }),
+						),
+					).rejects.toThrowError(new BadRequestError(errorMessage));
 				});
 			});
 		});
 
 		it('should update the password in the DB, and issue a new cookie', async () => {
-			const req = mock<MeRequest.Password>({
+			const req = mock<AuthenticatedRequest>({
 				user: mock({ password: passwordHash, mfaEnabled: false }),
-				body: { currentPassword: 'old_password', newPassword: 'NewPassword123' },
 				browserId,
 			});
 			const res = mock<Response>();
 			userRepository.save.calledWith(req.user).mockResolvedValue(req.user);
 			jest.spyOn(jwt, 'sign').mockImplementation(() => 'new-signed-token');
 
-			await controller.updatePassword(req, res);
+			await controller.updatePassword(
+				req,
+				res,
+				mock({ currentPassword: 'old_password', newPassword: 'NewPassword123' }),
+			);
 
 			expect(req.user.password).not.toBe(passwordHash);
 
@@ -299,34 +280,43 @@ describe('MeController', () => {
 
 		describe('mfa enabled', () => {
 			it('should throw BadRequestError if mfa code is missing', async () => {
-				const req = mock<MeRequest.Password>({
+				const req = mock<AuthenticatedRequest>({
 					user: mock({ password: passwordHash, mfaEnabled: true }),
-					body: { currentPassword: 'old_password', newPassword: 'NewPassword123' },
 				});
 
-				await expect(controller.updatePassword(req, mock())).rejects.toThrowError(
+				await expect(
+					controller.updatePassword(
+						req,
+						mock(),
+						mock({ currentPassword: 'old_password', newPassword: 'NewPassword123' }),
+					),
+				).rejects.toThrowError(
 					new BadRequestError('Two-factor code is required to change password.'),
 				);
 			});
 
 			it('should throw InvalidMfaCodeError if invalid mfa code is given', async () => {
-				const req = mock<MeRequest.Password>({
+				const req = mock<AuthenticatedRequest>({
 					user: mock({ password: passwordHash, mfaEnabled: true }),
-					body: { currentPassword: 'old_password', newPassword: 'NewPassword123', mfaCode: '123' },
 				});
 				mockMfaService.validateMfa.mockResolvedValue(false);
 
-				await expect(controller.updatePassword(req, mock())).rejects.toThrow(InvalidMfaCodeError);
+				await expect(
+					controller.updatePassword(
+						req,
+						mock(),
+						mock({
+							currentPassword: 'old_password',
+							newPassword: 'NewPassword123',
+							mfaCode: '123',
+						}),
+					),
+				).rejects.toThrow(InvalidMfaCodeError);
 			});
 
 			it('should succeed when mfa code is correct', async () => {
-				const req = mock<MeRequest.Password>({
+				const req = mock<AuthenticatedRequest>({
 					user: mock({ password: passwordHash, mfaEnabled: true }),
-					body: {
-						currentPassword: 'old_password',
-						newPassword: 'NewPassword123',
-						mfaCode: 'valid',
-					},
 					browserId,
 				});
 				const res = mock<Response>();
@@ -334,7 +324,15 @@ describe('MeController', () => {
 				jest.spyOn(jwt, 'sign').mockImplementation(() => 'new-signed-token');
 				mockMfaService.validateMfa.mockResolvedValue(true);
 
-				const result = await controller.updatePassword(req, res);
+				const result = await controller.updatePassword(
+					req,
+					res,
+					mock({
+						currentPassword: 'old_password',
+						newPassword: 'NewPassword123',
+						mfaCode: 'valid',
+					}),
+				);
 
 				expect(result).toEqual({ success: true });
 				expect(req.user.password).not.toBe(passwordHash);
@@ -411,18 +409,6 @@ describe('MeController', () => {
 		});
 	});
 
-	describe('updateCurrentUserSettings', () => {
-		it('should throw BadRequestError on XSS attempt', async () => {
-			const req = mock<AuthenticatedRequest>({
-				body: {
-					userActivated: '<script>alert("XSS")</script>',
-				},
-			});
-
-			await expect(controller.updateCurrentUserSettings(req)).rejects.toThrowError(BadRequestError);
-		});
-	});
-
 	describe('API Key methods', () => {
 		let req: AuthenticatedRequest;
 		beforeAll(() => {

packages/cli/src/controllers/__tests__/users.controller.test.ts

@@ -3,7 +3,7 @@ import { mock } from 'jest-mock-extended';
 import type { User } from '@/databases/entities/user';
 import type { UserRepository } from '@/databases/repositories/user.repository';
 import type { EventService } from '@/events/event.service';
-import type { UserRequest } from '@/requests';
+import type { AuthenticatedRequest } from '@/requests';
 import type { ProjectService } from '@/services/project.service';
 
 import { UsersController } from '../users.controller';
@@ -33,15 +33,18 @@ describe('UsersController', () => {
 
 	describe('changeGlobalRole', () => {
 		it('should emit event user-changed-role', async () => {
-			const request = mock<UserRequest.ChangeRole>({
+			const request = mock<AuthenticatedRequest>({
 				user: { id: '123' },
-				params: { id: '456' },
-				body: { newRoleName: 'global:member' },
 			});
-			userRepository.findOne.mockResolvedValue(mock<User>({ id: '456' }));
+			userRepository.findOneBy.mockResolvedValue(mock<User>({ id: '456' }));
 			projectService.getUserOwnedOrAdminProjects.mockResolvedValue([]);
 
-			await controller.changeGlobalRole(request);
+			await controller.changeGlobalRole(
+				request,
+				mock(),
+				mock({ newRoleName: 'global:member' }),
+				'456',
+			);
 
 			expect(eventService.emit).toHaveBeenCalledWith('user-changed-role', {
 				userId: '123',

packages/cli/src/controllers/me.controller.ts

@@ -1,12 +1,16 @@
+import {
+	PasswordUpdateRequestDto,
+	SettingsUpdateRequestDto,
+	UserUpdateRequestDto,
+} from '@n8n/api-types';
 import { plainToInstance } from 'class-transformer';
 import { randomBytes } from 'crypto';
 import { type RequestHandler, Response } from 'express';
-import validator from 'validator';
 
 import { AuthService } from '@/auth/auth.service';
 import type { User } from '@/databases/entities/user';
 import { UserRepository } from '@/databases/repositories/user.repository';
-import { Delete, Get, Patch, Post, RestController } from '@/decorators';
+import { Body, Delete, Get, Patch, Post, RestController } from '@/decorators';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 import { InvalidMfaCodeError } from '@/errors/response-errors/invalid-mfa-code.error';
 import { EventService } from '@/events/event.service';
@@ -16,12 +20,7 @@ import type { PublicUser } from '@/interfaces';
 import { Logger } from '@/logger';
 import { MfaService } from '@/mfa/mfa.service';
 import { isApiEnabled } from '@/public-api';
-import {
-	AuthenticatedRequest,
-	MeRequest,
-	UserSettingsUpdatePayload,
-	UserUpdatePayload,
-} from '@/requests';
+import { AuthenticatedRequest, MeRequest } from '@/requests';
 import { PasswordUtility } from '@/services/password.utility';
 import { UserService } from '@/services/user.service';
 import { isSamlLicensedAndEnabled } from '@/sso/saml/saml-helpers';
@@ -55,30 +54,14 @@ export class MeController {
 	 * Update the logged-in user's properties, except password.
 	 */
 	@Patch('/')
-	async updateCurrentUser(req: MeRequest.UserUpdate, res: Response): Promise<PublicUser> {
+	async updateCurrentUser(
+		req: AuthenticatedRequest,
+		res: Response,
+		@Body payload: UserUpdateRequestDto,
+	): Promise<PublicUser> {
 		const { id: userId, email: currentEmail, mfaEnabled } = req.user;
 
-		const payload = plainToInstance(UserUpdatePayload, req.body, { excludeExtraneousValues: true });
-
 		const { email } = payload;
-		if (!email) {
-			this.logger.debug('Request to update user email failed because of missing email in payload', {
-				userId,
-				payload,
-			});
-			throw new BadRequestError('Email is mandatory');
-		}
-
-		if (!validator.isEmail(email)) {
-			this.logger.debug('Request to update user email failed because of invalid email in payload', {
-				userId,
-				invalidEmail: email,
-			});
-			throw new BadRequestError('Invalid email address');
-		}
-
-		await validateEntity(payload);
-
 		const isEmailBeingChanged = email !== currentEmail;
 
 		// If SAML is enabled, we don't allow the user to change their email address
@@ -134,9 +117,13 @@ export class MeController {
 	 * Update the logged-in user's password.
 	 */
 	@Patch('/password', { rateLimit: true })
-	async updatePassword(req: MeRequest.Password, res: Response) {
+	async updatePassword(
+		req: AuthenticatedRequest,
+		res: Response,
+		@Body payload: PasswordUpdateRequestDto,
+	) {
 		const { user } = req;
-		const { currentPassword, newPassword, mfaCode } = req.body;
+		const { currentPassword, newPassword, mfaCode } = payload;
 
 		// If SAML is enabled, we don't allow the user to change their password
 		if (isSamlLicensedAndEnabled()) {
@@ -270,13 +257,11 @@ export class MeController {
 	 * Update the logged-in user's settings.
 	 */
 	@Patch('/settings')
-	async updateCurrentUserSettings(req: MeRequest.UserSettingsUpdate): Promise<User['settings']> {
-		const payload = plainToInstance(UserSettingsUpdatePayload, req.body, {
-			excludeExtraneousValues: true,
-		});
-
-		await validateEntity(payload);
-
+	async updateCurrentUserSettings(
+		req: AuthenticatedRequest,
+		_: Response,
+		@Body payload: SettingsUpdateRequestDto,
+	): Promise<User['settings']> {
 		const { id } = req.user;
 
 		await this.userService.updateSettings(id, payload);

packages/cli/src/controllers/users.controller.ts

@@ -1,4 +1,5 @@
-import { plainToInstance } from 'class-transformer';
+import { RoleChangeRequestDto, SettingsUpdateRequestDto } from '@n8n/api-types';
+import { Response } from 'express';
 
 import { AuthService } from '@/auth/auth.service';
 import { CredentialsService } from '@/credentials/credentials.service';
@@ -9,22 +10,17 @@ import { ProjectRepository } from '@/databases/repositories/project.repository';
 import { SharedCredentialsRepository } from '@/databases/repositories/shared-credentials.repository';
 import { SharedWorkflowRepository } from '@/databases/repositories/shared-workflow.repository';
 import { UserRepository } from '@/databases/repositories/user.repository';
-import { GlobalScope, Delete, Get, RestController, Patch, Licensed } from '@/decorators';
+import { GlobalScope, Delete, Get, RestController, Patch, Licensed, Body } from '@/decorators';
+import { Param } from '@/decorators/args';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 import { ForbiddenError } from '@/errors/response-errors/forbidden.error';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
 import { EventService } from '@/events/event.service';
 import { ExternalHooks } from '@/external-hooks';
-import { validateEntity } from '@/generic-helpers';
 import type { PublicUser } from '@/interfaces';
 import { Logger } from '@/logger';
 import { listQueryMiddleware } from '@/middlewares';
-import {
-	ListQuery,
-	UserRequest,
-	UserRoleChangePayload,
-	UserSettingsUpdatePayload,
-} from '@/requests';
+import { AuthenticatedRequest, ListQuery, UserRequest } from '@/requests';
 import { ProjectService } from '@/services/project.service';
 import { UserService } from '@/services/user.service';
 import { WorkflowService } from '@/workflows/workflow.service';
@@ -124,13 +120,12 @@ export class UsersController {
 
 	@Patch('/:id/settings')
 	@GlobalScope('user:update')
-	async updateUserSettings(req: UserRequest.UserSettingsUpdate) {
-		const payload = plainToInstance(UserSettingsUpdatePayload, req.body, {
-			excludeExtraneousValues: true,
-		});
-
-		const id = req.params.id;
-
+	async updateUserSettings(
+		_req: AuthenticatedRequest,
+		_res: Response,
+		@Body payload: SettingsUpdateRequestDto,
+		@Param('id') id: string,
+	) {
 		await this.userService.updateSettings(id, payload);
 
 		const user = await this.userRepository.findOneOrFail({
@@ -263,18 +258,16 @@ export class UsersController {
 	@Patch('/:id/role')
 	@GlobalScope('user:changeRole')
 	@Licensed('feat:advancedPermissions')
-	async changeGlobalRole(req: UserRequest.ChangeRole) {
+	async changeGlobalRole(
+		req: AuthenticatedRequest,
+		_: Response,
+		@Body payload: RoleChangeRequestDto,
+		@Param('id') id: string,
+	) {
 		const { NO_ADMIN_ON_OWNER, NO_USER, NO_OWNER_ON_OWNER } =
 			UsersController.ERROR_MESSAGES.CHANGE_ROLE;
 
-		const payload = plainToInstance(UserRoleChangePayload, req.body, {
-			excludeExtraneousValues: true,
-		});
-		await validateEntity(payload);
-
-		const targetUser = await this.userRepository.findOne({
-			where: { id: req.params.id },
-		});
+		const targetUser = await this.userRepository.findOneBy({ id });
 		if (targetUser === null) {
 			throw new NotFoundError(NO_USER);
 		}

packages/cli/src/decorators/__tests__/controller.registry.test.ts

@@ -12,6 +12,8 @@ import { ControllerRegistry, Get, Licensed, RestController } from '@/decorators'
 import type { License } from '@/license';
 import type { SuperAgentTest } from '@test-integration/types';
 
+import { Param } from '../args';
+
 describe('ControllerRegistry', () => {
 	const license = mock<License>();
 	const authService = mock<AuthService>();
@@ -114,4 +116,26 @@ describe('ControllerRegistry', () => {
 			expect(license.isFeatureEnabled).toHaveBeenCalled();
 		});
 	});
+
+	describe('Args', () => {
+		@RestController('/test')
+		// @ts-expect-error tsc complains about unused class
+		class TestController {
+			@Get('/args/:id')
+			args(req: express.Request, res: express.Response, @Param('id') id: string) {
+				res.setHeader('Testing', 'true');
+				return { url: req.url, id };
+			}
+		}
+
+		beforeEach(() => {
+			authService.authMiddleware.mockImplementation(async (_req, _res, next) => next());
+		});
+
+		it('should pass in correct args to the route handler', async () => {
+			const { headers, body } = await agent.get('/rest/test/args/1234').expect(200);
+			expect(headers.testing).toBe('true');
+			expect(body.data).toEqual({ url: '/args/1234', id: '1234' });
+		});
+	});
 });

packages/cli/src/decorators/args.ts

@@ -0,0 +1,18 @@
+import { getRouteMetadata } from './controller.registry';
+import type { Arg, Controller } from './types';
+
+const ArgDecorator =
+	(arg: Arg): ParameterDecorator =>
+	(target, handlerName, parameterIndex) => {
+		const routeMetadata = getRouteMetadata(target.constructor as Controller, String(handlerName));
+		routeMetadata.args[parameterIndex] = arg;
+	};
+
+/** Injects the request body into the handler */
+export const Body = ArgDecorator({ type: 'body' });
+
+/** Injects the request query into the handler */
+export const Query = ArgDecorator({ type: 'query' });
+
+/** Injects a request parameter into the handler */
+export const Param = (key: string) => ArgDecorator({ type: 'param', key });

packages/cli/src/decorators/controller.registry.ts

@@ -2,7 +2,9 @@ import { GlobalConfig } from '@n8n/config';
 import { Router } from 'express';
 import type { Application, Request, Response, RequestHandler } from 'express';
 import { rateLimit as expressRateLimit } from 'express-rate-limit';
+import { ApplicationError } from 'n8n-workflow';
 import { Container, Service } from 'typedi';
+import type { ZodClass } from 'zod-class';
 
 import { AuthService } from '@/auth/auth.service';
 import { inProduction, RESPONSE_ERROR_MESSAGES } from '@/constants';
@@ -42,6 +44,7 @@ export const getRouteMetadata = (controllerClass: Controller, handlerName: Handl
 	let route = metadata.routes.get(handlerName);
 	if (!route) {
 		route = {} as RouteMetadata;
+		route.args = [];
 		metadata.routes.set(handlerName, route);
 	}
 	return route;
@@ -76,8 +79,31 @@ export class ControllerRegistry {
 		);
 
 		for (const [handlerName, route] of metadata.routes) {
-			const handler = async (req: Request, res: Response) =>
-				await controller[handlerName](req, res);
+			const argTypes = Reflect.getMetadata(
+				'design:paramtypes',
+				controller,
+				handlerName,
+			) as unknown[];
+			// eslint-disable-next-line @typescript-eslint/no-loop-func
+			const handler = async (req: Request, res: Response) => {
+				const args: unknown[] = [req, res];
+				for (let index = 0; index < route.args.length; index++) {
+					const arg = route.args[index];
+					if (!arg) continue; // Skip args without any decorators
+					if (arg.type === 'param') args.push(req.params[arg.key]);
+					else if (['body', 'query'].includes(arg.type)) {
+						const paramType = argTypes[index] as ZodClass;
+						if (paramType && 'parse' in paramType) {
+							const output = paramType.safeParse(req[arg.type]);
+							if (output.success) args.push(output.data);
+							else {
+								return res.status(400).json(output.error.errors[0]);
+							}
+						}
+					} else throw new ApplicationError('Unknown arg type: ' + arg.type);
+				}
+				return await controller[handlerName](...args);
+			};
 
 			router[route.method](
 				route.path,

packages/cli/src/decorators/index.ts

@@ -1,3 +1,4 @@
+export { Body } from './args';
 export { RestController } from './rest-controller';
 export { Get, Post, Put, Patch, Delete } from './route';
 export { Middleware } from './middleware';

packages/cli/src/decorators/types.ts

@@ -6,6 +6,8 @@ import type { BooleanLicenseFeature } from '@/interfaces';
 
 export type Method = 'get' | 'post' | 'put' | 'patch' | 'delete';
 
+export type Arg = { type: 'body' | 'query' } | { type: 'param'; key: string };
+
 export interface RateLimit {
 	/**
 	 * The maximum number of requests to allow during the `window` before rate limiting the client.
@@ -35,6 +37,7 @@ export interface RouteMetadata {
 	rateLimit?: boolean | RateLimit;
 	licenseFeature?: BooleanLicenseFeature;
 	accessScope?: AccessScope;
+	args: Arg[];
 }
 
 export interface ControllerMetadata {

packages/cli/src/generic-helpers.ts

@@ -5,11 +5,6 @@ import type { CredentialsEntity } from '@/databases/entities/credentials-entity'
 import type { TagEntity } from '@/databases/entities/tag-entity';
 import type { User } from '@/databases/entities/user';
 import type { WorkflowEntity } from '@/databases/entities/workflow-entity';
-import type {
-	UserRoleChangePayload,
-	UserSettingsUpdatePayload,
-	UserUpdatePayload,
-} from '@/requests';
 
 import type { PersonalizationSurveyAnswersV4 } from './controllers/survey-answers.dto';
 import { BadRequestError } from './errors/response-errors/bad-request.error';
@@ -21,9 +16,6 @@ export async function validateEntity(
 		| TagEntity
 		| AnnotationTagEntity
 		| User
-		| UserUpdatePayload
-		| UserRoleChangePayload
-		| UserSettingsUpdatePayload
 		| PersonalizationSurveyAnswersV4,
 ): Promise<void> {
 	const errors = await validate(entity);

packages/cli/src/public-api/v1/handlers/users/users.handler.ee.ts

@@ -1,3 +1,4 @@
+import { RoleChangeRequestDto } from '@n8n/api-types';
 import type express from 'express';
 import type { Response } from 'express';
 import { Container } from 'typedi';
@@ -6,7 +7,7 @@ import { InvitationController } from '@/controllers/invitation.controller';
 import { UsersController } from '@/controllers/users.controller';
 import { ProjectRelationRepository } from '@/databases/repositories/project-relation.repository';
 import { EventService } from '@/events/event.service';
-import type { UserRequest } from '@/requests';
+import type { AuthenticatedRequest, UserRequest } from '@/requests';
 
 import { clean, getAllUsersAndCount, getUser } from './users.service.ee';
 import {
@@ -19,7 +20,7 @@ import { encodeNextCursor } from '../../shared/services/pagination.service';
 
 type Create = UserRequest.Invite;
 type Delete = UserRequest.Delete;
-type ChangeRole = UserRequest.ChangeRole;
+type ChangeRole = AuthenticatedRequest<{ id: string }, {}, RoleChangeRequestDto, {}>;
 
 export = {
 	getUser: [
@@ -98,7 +99,19 @@ export = {
 		isLicensed('feat:advancedPermissions'),
 		globalScope('user:changeRole'),
 		async (req: ChangeRole, res: Response) => {
-			await Container.get(UsersController).changeGlobalRole(req);
+			const validation = RoleChangeRequestDto.safeParse(req.body);
+			if (validation.error) {
+				return res.status(400).json({
+					message: validation.error.errors[0],
+				});
+			}
+
+			await Container.get(UsersController).changeGlobalRole(
+				req,
+				res,
+				validation.data,
+				req.params.id,
+			);
 
 			return res.status(204).send();
 		},

packages/cli/src/requests.ts

@@ -1,7 +1,5 @@
 import type { Scope } from '@n8n/permissions';
 import type { AiAssistantSDK } from '@n8n_io/ai-assistant-sdk';
-import { Expose } from 'class-transformer';
-import { IsBoolean, IsEmail, IsIn, IsOptional, IsString, Length } from 'class-validator';
 import type express from 'express';
 import type {
 	BannerName,
@@ -18,61 +16,15 @@ import type {
 
 import type { CredentialsEntity } from '@/databases/entities/credentials-entity';
 import type { Project, ProjectType } from '@/databases/entities/project';
-import { AssignableRole } from '@/databases/entities/user';
-import type { GlobalRole, User } from '@/databases/entities/user';
+import type { AssignableRole, GlobalRole, User } from '@/databases/entities/user';
 import type { Variables } from '@/databases/entities/variables';
 import type { WorkflowEntity } from '@/databases/entities/workflow-entity';
 import type { WorkflowHistory } from '@/databases/entities/workflow-history';
 import type { PublicUser, SecretsProvider, SecretsProviderState } from '@/interfaces';
-import { NoUrl } from '@/validators/no-url.validator';
-import { NoXss } from '@/validators/no-xss.validator';
 
 import type { ProjectRole } from './databases/entities/project-relation';
 import type { ScopesField } from './services/role.service';
 
-export class UserUpdatePayload implements Pick<User, 'email' | 'firstName' | 'lastName'> {
-	@Expose()
-	@IsEmail()
-	email: string;
-
-	@Expose()
-	@NoXss()
-	@NoUrl()
-	@IsString({ message: 'First name must be of type string.' })
-	@Length(1, 32, { message: 'First name must be $constraint1 to $constraint2 characters long.' })
-	firstName: string;
-
-	@Expose()
-	@NoXss()
-	@NoUrl()
-	@IsString({ message: 'Last name must be of type string.' })
-	@Length(1, 32, { message: 'Last name must be $constraint1 to $constraint2 characters long.' })
-	lastName: string;
-
-	@IsOptional()
-	@Expose()
-	@IsString({ message: 'Two factor code must be a string.' })
-	mfaCode?: string;
-}
-
-export class UserSettingsUpdatePayload {
-	@Expose()
-	@IsBoolean({ message: 'userActivated should be a boolean' })
-	@IsOptional()
-	userActivated?: boolean;
-
-	@Expose()
-	@IsBoolean({ message: 'allowSSOManualLogin should be a boolean' })
-	@IsOptional()
-	allowSSOManualLogin?: boolean;
-}
-
-export class UserRoleChangePayload {
-	@Expose()
-	@IsIn(['global:admin', 'global:member'])
-	newRoleName: AssignableRole;
-}
-
 export type APIRequest<
 	RouteParams = {},
 	ResponseBody = {},
@@ -230,13 +182,6 @@ export declare namespace CredentialRequest {
 // ----------------------------------
 
 export declare namespace MeRequest {
-	export type UserSettingsUpdate = AuthenticatedRequest<{}, {}, UserSettingsUpdatePayload>;
-	export type UserUpdate = AuthenticatedRequest<{}, {}, UserUpdatePayload>;
-	export type Password = AuthenticatedRequest<
-		{},
-		{},
-		{ currentPassword: string; newPassword: string; mfaCode?: string }
-	>;
 	export type SurveyAnswers = AuthenticatedRequest<{}, {}, IPersonalizationSurveyAnswersV4>;
 }
 
@@ -311,8 +256,6 @@ export declare namespace UserRequest {
 		{ transferId?: string; includeRole: boolean }
 	>;
 
-	export type ChangeRole = AuthenticatedRequest<{ id: string }, {}, UserRoleChangePayload, {}>;
-
 	export type Get = AuthenticatedRequest<
 		{ id: string; email: string; identifier: string },
 		{},
@@ -322,12 +265,6 @@ export declare namespace UserRequest {
 
 	export type PasswordResetLink = AuthenticatedRequest<{ id: string }, {}, {}, {}>;
 
-	export type UserSettingsUpdate = AuthenticatedRequest<
-		{ id: string },
-		{},
-		UserSettingsUpdatePayload
-	>;
-
 	export type Reinvite = AuthenticatedRequest<{ id: string }>;
 
 	export type Update = AuthlessRequest<

packages/cli/test/integration/public-api/users.test.ts

@@ -225,6 +225,29 @@ describe('Users in Public API', () => {
 			expect(response.body).toHaveProperty('message', 'Forbidden');
 		});
 
+		it('should return a 400 on invalid payload', async () => {
+			/**
+			 * Arrange
+			 */
+			testServer.license.enable('feat:advancedPermissions');
+			const owner = await createOwner({ withApiKey: true });
+			const member = await createMember();
+			const payload = { newRoleName: 'invalid' };
+
+			/**
+			 * Act
+			 */
+			const response = await testServer
+				.publicApiAgentFor(owner)
+				.patch(`/users/${member.id}/role`)
+				.send(payload);
+
+			/**
+			 * Assert
+			 */
+			expect(response.status).toBe(400);
+		});
+
 		it("should change a user's role", async () => {
 			/**
 			 * Arrange

packages/cli/test/integration/saml/saml.api.test.ts

@@ -22,9 +22,11 @@ const testServer = utils.setupTestServer({
 	enabledFeatures: ['feat:saml'],
 });
 
+const memberPassword = randomValidPassword();
+
 beforeAll(async () => {
 	owner = await createOwner();
-	someUser = await createUser();
+	someUser = await createUser({ password: memberPassword });
 	authOwnerAgent = testServer.authAgentFor(owner);
 	authMemberAgent = testServer.authAgentFor(someUser);
 });
@@ -60,10 +62,11 @@ describe('Instance owner', () => {
 	describe('PATCH /password', () => {
 		test('should throw BadRequestError if password is changed when SAML is enabled', async () => {
 			await enableSaml(true);
-			await authOwnerAgent
+			await authMemberAgent
 				.patch('/me/password')
 				.send({
-					password: randomValidPassword(),
+					currentPassword: memberPassword,
+					newPassword: randomValidPassword(),
 				})
 				.expect(400, {
 					code: 400,

packages/cli/test/integration/users.api.test.ts

@@ -672,9 +672,6 @@ describe('PATCH /users/:id/role', () => {
 		])('%s', async (_, payload) => {
 			const response = await adminAgent.patch(`/users/${member.id}/role`).send(payload);
 			expect(response.statusCode).toBe(400);
-			expect(response.body.message).toBe(
-				'newRoleName must be one of the following values: global:admin, global:member',
-			);
 		});
 	});
 

packages/design-system/package.json

@@ -54,6 +54,6 @@
     "vue": "catalog:frontend",
     "vue-boring-avatars": "^1.3.0",
     "vue-router": "catalog:frontend",
-    "xss": "^1.0.14"
+    "xss": "catalog:"
   }
 }

packages/editor-ui/package.json

@@ -77,7 +77,7 @@
     "vue-markdown-render": "catalog:frontend",
     "vue-router": "catalog:frontend",
     "vue3-touch-events": "^4.1.3",
-    "xss": "^1.0.14"
+    "xss": "catalog:"
   },
   "devDependencies": {
     "@faker-js/faker": "^8.0.2",

packages/editor-ui/src/api/users.ts

@@ -1,3 +1,8 @@
+import type {
+	PasswordUpdateRequestDto,
+	SettingsUpdateRequestDto,
+	UserUpdateRequestDto,
+} from '@n8n/api-types';
 import type {
 	CurrentUserResponse,
 	IPersonalizationLatestVersion,
@@ -8,11 +13,6 @@ import type {
 import type { IDataObject, IUserSettings } from 'n8n-workflow';
 import { makeRestApiRequest } from '@/utils/apiUtils';
 
-export interface IUpdateUserSettingsReqPayload {
-	allowSSOManualLogin?: boolean;
-	userActivated?: boolean;
-}
-
 export async function loginCurrentUser(
 	context: IRestApiContext,
 ): Promise<CurrentUserResponse | null> {
@@ -89,23 +89,16 @@ export async function changePassword(
 	await makeRestApiRequest(context, 'POST', '/change-password', params);
 }
 
-export type UpdateCurrentUserParams = {
-	firstName?: string;
-	lastName?: string;
-	email: string;
-	mfaCode?: string;
-};
-
 export async function updateCurrentUser(
 	context: IRestApiContext,
-	params: UpdateCurrentUserParams,
+	params: UserUpdateRequestDto,
 ): Promise<IUserResponse> {
 	return await makeRestApiRequest(context, 'PATCH', '/me', params);
 }
 
 export async function updateCurrentUserSettings(
 	context: IRestApiContext,
-	settings: IUpdateUserSettingsReqPayload,
+	settings: SettingsUpdateRequestDto,
 ): Promise<IUserSettings> {
 	return await makeRestApiRequest(context, 'PATCH', '/me/settings', settings);
 }
@@ -113,20 +106,14 @@ export async function updateCurrentUserSettings(
 export async function updateOtherUserSettings(
 	context: IRestApiContext,
 	userId: string,
-	settings: IUpdateUserSettingsReqPayload,
+	settings: SettingsUpdateRequestDto,
 ): Promise<IUserSettings> {
 	return await makeRestApiRequest(context, 'PATCH', `/users/${userId}/settings`, settings);
 }
 
-export type UpdateUserPasswordParams = {
-	newPassword: string;
-	currentPassword: string;
-	mfaCode?: string;
-};
-
 export async function updateCurrentUserPassword(
 	context: IRestApiContext,
-	params: UpdateUserPasswordParams,
+	params: PasswordUpdateRequestDto,
 ): Promise<void> {
 	return await makeRestApiRequest(context, 'PATCH', '/me/password', params);
 }

packages/editor-ui/src/stores/users.store.ts

@@ -1,4 +1,9 @@
-import type { IUpdateUserSettingsReqPayload, UpdateGlobalRolePayload } from '@/api/users';
+import type {
+	PasswordUpdateRequestDto,
+	SettingsUpdateRequestDto,
+	UserUpdateRequestDto,
+} from '@n8n/api-types';
+import type { UpdateGlobalRolePayload } from '@/api/users';
 import * as usersApi from '@/api/users';
 import { BROWSER_ID_STORAGE_KEY, PERSONALIZATION_MODAL_KEY, STORES, ROLE } from '@/constants';
 import type {
@@ -226,12 +231,12 @@ export const useUsersStore = defineStore(STORES.USERS, () => {
 		await usersApi.changePassword(rootStore.restApiContext, params);
 	};
 
-	const updateUser = async (params: usersApi.UpdateCurrentUserParams) => {
+	const updateUser = async (params: UserUpdateRequestDto) => {
 		const user = await usersApi.updateCurrentUser(rootStore.restApiContext, params);
 		addUsers([user]);
 	};
 
-	const updateUserSettings = async (settings: IUpdateUserSettingsReqPayload) => {
+	const updateUserSettings = async (settings: SettingsUpdateRequestDto) => {
 		const updatedSettings = await usersApi.updateCurrentUserSettings(
 			rootStore.restApiContext,
 			settings,
@@ -242,10 +247,7 @@ export const useUsersStore = defineStore(STORES.USERS, () => {
 		}
 	};
 
-	const updateOtherUserSettings = async (
-		userId: string,
-		settings: IUpdateUserSettingsReqPayload,
-	) => {
+	const updateOtherUserSettings = async (userId: string, settings: SettingsUpdateRequestDto) => {
 		const updatedSettings = await usersApi.updateOtherUserSettings(
 			rootStore.restApiContext,
 			userId,
@@ -255,7 +257,7 @@ export const useUsersStore = defineStore(STORES.USERS, () => {
 		addUsers([usersById.value[userId]]);
 	};
 
-	const updateCurrentUserPassword = async (params: usersApi.UpdateUserPasswordParams) => {
+	const updateCurrentUserPassword = async (params: PasswordUpdateRequestDto) => {
 		await usersApi.updateCurrentUserPassword(rootStore.restApiContext, params);
 	};
 

pnpm-lock.yaml

@@ -54,6 +54,9 @@ catalogs:
     xml2js:
       specifier: 0.6.2
       version: 0.6.2
+    xss:
+      specifier: 1.0.15
+      version: 1.0.15
     zod:
       specifier: 3.23.8
       version: 3.23.8
@@ -233,6 +236,16 @@ importers:
         version: link:../packages/workflow
 
   packages/@n8n/api-types:
+    dependencies:
+      xss:
+        specifier: 'catalog:'
+        version: 1.0.15
+      zod:
+        specifier: 'catalog:'
+        version: 3.23.8
+      zod-class:
+        specifier: 0.0.15
+        version: 0.0.15(zod@3.23.8)
     devDependencies:
       n8n-workflow:
         specifier: workspace:*
@@ -938,8 +951,8 @@ importers:
         specifier: 3.0.1
         version: 3.0.1
       xss:
-        specifier: ^1.0.14
-        version: 1.0.14
+        specifier: 'catalog:'
+        version: 1.0.15
       yamljs:
         specifier: 0.3.0
         version: 0.3.0
@@ -1171,8 +1184,8 @@ importers:
         specifier: catalog:frontend
         version: 4.4.2(vue@3.4.21(typescript@5.6.2))
       xss:
-        specifier: ^1.0.14
-        version: 1.0.14
+        specifier: 'catalog:'
+        version: 1.0.15
     devDependencies:
       '@n8n/storybook':
         specifier: workspace:*
@@ -1430,8 +1443,8 @@ importers:
         specifier: ^4.1.3
         version: 4.1.3
       xss:
-        specifier: ^1.0.14
-        version: 1.0.14
+        specifier: 'catalog:'
+        version: 1.0.15
     devDependencies:
       '@faker-js/faker':
         specifier: ^8.0.2
@@ -11844,6 +11857,10 @@ packages:
     resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==}
     engines: {node: '>=12.20'}
 
+  type-fest@4.26.1:
+    resolution: {integrity: sha512-yOGpmOAL7CkKe/91I5O3gPICmJNLJ1G4zFYVAsRHg7M64biSnPtRj0WNQt++bRkjYOqjWXrhnUw1utzmVErAdg==}
+    engines: {node: '>=16'}
+
   type-is@1.6.18:
     resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==}
     engines: {node: '>= 0.6'}
@@ -12528,8 +12545,8 @@ packages:
   xregexp@2.0.0:
     resolution: {integrity: sha512-xl/50/Cf32VsGq/1R8jJE5ajH1yMCQkpmoS10QbFZWl2Oor4H0Me64Pu2yxvsRWK3m6soJbmGfzSR7BYmDcWAA==}
 
-  xss@1.0.14:
-    resolution: {integrity: sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==}
+  xss@1.0.15:
+    resolution: {integrity: sha512-FVdlVVC67WOIPvfOwhoMETV72f6GbW7aOabBC3WxN/oUdoEMDyLz4OgRv5/gck2ZeNqEQu+Tb0kloovXOfpYVg==}
     engines: {node: '>= 0.10.0'}
     hasBin: true
 
@@ -12609,6 +12626,11 @@ packages:
     engines: {node: '>=8.0.0'}
     hasBin: true
 
+  zod-class@0.0.15:
+    resolution: {integrity: sha512-CD5B4e9unKPj1hiy7JOSwRV01WqbEBkFOlhws0C9s9wB0FSpECOnlKXOAkjo9tKYX2enQsXWyyOIBNPPNUHWRA==}
+    peerDependencies:
+      zod: ^3
+
   zod-to-json-schema@3.23.2:
     resolution: {integrity: sha512-uSt90Gzc/tUfyNqxnjlfBs8W6WSGpNBv0rVsNxP/BVSMHMKGdthPYff4xtCHYloJGM0CFxFsb3NbC0eqPhfImw==}
     peerDependencies:
@@ -25550,6 +25572,8 @@ snapshots:
 
   type-fest@2.19.0: {}
 
+  type-fest@4.26.1: {}
+
   type-is@1.6.18:
     dependencies:
       media-typer: 0.3.0
@@ -26278,7 +26302,7 @@ snapshots:
 
   xregexp@2.0.0: {}
 
-  xss@1.0.14:
+  xss@1.0.15:
     dependencies:
       commander: 2.20.3
       cssfilter: 0.0.10
@@ -26376,6 +26400,11 @@ snapshots:
     optionalDependencies:
       commander: 9.4.1
 
+  zod-class@0.0.15(zod@3.23.8):
+    dependencies:
+      type-fest: 4.26.1
+      zod: 3.23.8
+
   zod-to-json-schema@3.23.2(zod@3.23.8):
     dependencies:
       zod: 3.23.8

pnpm-workspace.yaml

@@ -20,6 +20,7 @@ catalog:
   typedi: 0.10.0
   uuid: 10.0.0
   xml2js: 0.6.2
+  xss: 1.0.15
   zod: 3.23.8
   '@langchain/core': 0.2.31