mirror of
https://github.com/n8n-io/n8n.git
synced 2024-12-24 04:04:06 -08:00
fix(core): Improve browserId checks, and add logging (#9161)
This commit is contained in:
parent
135ef75add
commit
ff9ae549fd
|
@ -94,6 +94,7 @@
|
|||
"@sentry/cli@2.17.0": "patches/@sentry__cli@2.17.0.patch",
|
||||
"pkce-challenge@3.0.0": "patches/pkce-challenge@3.0.0.patch",
|
||||
"pyodide@0.23.4": "patches/pyodide@0.23.4.patch",
|
||||
"@types/express-serve-static-core@4.17.43": "patches/@types__express-serve-static-core@4.17.43.patch",
|
||||
"@types/ws@8.5.4": "patches/@types__ws@8.5.4.patch",
|
||||
"vite-plugin-checker@0.6.4": "patches/vite-plugin-checker@0.6.4.patch"
|
||||
}
|
||||
|
|
|
@ -120,7 +120,7 @@
|
|||
"devDependencies": {
|
||||
"@aws-sdk/types": "3.357.0",
|
||||
"@types/basic-auth": "^1.1.3",
|
||||
"@types/express": "^4.17.6",
|
||||
"@types/express": "^4.17.21",
|
||||
"@types/html-to-text": "^9.0.1",
|
||||
"@types/json-schema": "^7.0.15",
|
||||
"@types/temp": "^0.9.1",
|
||||
|
|
|
@ -41,7 +41,7 @@ const skipBrowserIdCheckEndpoints = [
|
|||
`/${restEndpoint}/push`,
|
||||
|
||||
// We need to exclude binary-data downloading endpoint because we can't send custom headers on `<embed>` tags
|
||||
`/${restEndpoint}/binary-data`,
|
||||
`/${restEndpoint}/binary-data/`,
|
||||
|
||||
// oAuth callback urls aren't called by the frontend. therefore we can't send custom header on these requests
|
||||
`/${restEndpoint}/oauth1-credential/callback`,
|
||||
|
@ -131,15 +131,23 @@ export class AuthService {
|
|||
// or, If the user has been deactivated (i.e. LDAP users)
|
||||
user.disabled ||
|
||||
// or, If the email or password has been updated
|
||||
jwtPayload.hash !== this.createJWTHash(user) ||
|
||||
// If the token was issued for another browser session
|
||||
(!skipBrowserIdCheckEndpoints.includes(req.baseUrl) &&
|
||||
jwtPayload.browserId &&
|
||||
(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId)))
|
||||
jwtPayload.hash !== this.createJWTHash(user)
|
||||
) {
|
||||
throw new AuthError('Unauthorized');
|
||||
}
|
||||
|
||||
// Check if the token was issued for another browser session, ignoring the endpoints that can't send custom headers
|
||||
const endpoint = req.route ? `${req.baseUrl}${req.route.path}` : req.baseUrl;
|
||||
if (req.method === 'GET' && skipBrowserIdCheckEndpoints.includes(endpoint)) {
|
||||
this.logger.debug(`Skipped browserId check on ${endpoint}`);
|
||||
} else if (
|
||||
jwtPayload.browserId &&
|
||||
(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId))
|
||||
) {
|
||||
this.logger.warn(`browserId check failed on ${endpoint}`);
|
||||
throw new AuthError('Unauthorized');
|
||||
}
|
||||
|
||||
if (jwtPayload.exp * 1000 - Date.now() < this.jwtRefreshTimeout) {
|
||||
this.logger.debug('JWT about to expire. Will be refreshed');
|
||||
this.issueCookie(res, user, jwtPayload.browserId);
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
"@types/aws4": "^1.5.1",
|
||||
"@types/concat-stream": "^2.0.0",
|
||||
"@types/cron": "~1.7.1",
|
||||
"@types/express": "^4.17.6",
|
||||
"@types/express": "^4.17.21",
|
||||
"@types/lodash": "^4.14.195",
|
||||
"@types/mime-types": "^2.1.0",
|
||||
"@types/uuid": "^8.3.2",
|
||||
|
|
|
@ -812,7 +812,7 @@
|
|||
"@types/cheerio": "^0.22.15",
|
||||
"@types/cron": "~1.7.1",
|
||||
"@types/eventsource": "^1.1.2",
|
||||
"@types/express": "^4.17.6",
|
||||
"@types/express": "^4.17.21",
|
||||
"@types/html-to-text": "^9.0.1",
|
||||
"@types/gm": "^1.25.0",
|
||||
"@types/js-nacl": "^1.3.0",
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
],
|
||||
"devDependencies": {
|
||||
"@types/deep-equal": "^1.0.1",
|
||||
"@types/express": "^4.17.6",
|
||||
"@types/express": "^4.17.21",
|
||||
"@types/jmespath": "^0.15.0",
|
||||
"@types/lodash": "^4.14.195",
|
||||
"@types/luxon": "^3.2.0",
|
||||
|
|
13
patches/@types__express-serve-static-core@4.17.43.patch
Normal file
13
patches/@types__express-serve-static-core@4.17.43.patch
Normal file
|
@ -0,0 +1,13 @@
|
|||
diff --git a/index.d.ts b/index.d.ts
|
||||
index 5cc36f5760c806a76ee839bfb67c419c9cb48901..8ef0bf74f0f31741b564fe37f040144526e98eb5 100644
|
||||
--- a/index.d.ts
|
||||
+++ b/index.d.ts
|
||||
@@ -646,7 +646,7 @@ export interface Request<
|
||||
|
||||
query: ReqQuery;
|
||||
|
||||
- route: any;
|
||||
+ route?: Pick<IRoute, 'path' | 'stack'>;
|
||||
|
||||
signedCookies: any;
|
||||
|
|
@ -23,6 +23,9 @@ patchedDependencies:
|
|||
'@sentry/cli@2.17.0':
|
||||
hash: nchnoezkq6p37qaiku3vrpwraq
|
||||
path: patches/@sentry__cli@2.17.0.patch
|
||||
'@types/express-serve-static-core@4.17.43':
|
||||
hash: 5orrj4qleu2iko5t27vl44u4we
|
||||
path: patches/@types__express-serve-static-core@4.17.43.patch
|
||||
'@types/ws@8.5.4':
|
||||
hash: nbzuqaoyqbrfwipijj5qriqqju
|
||||
path: patches/@types__ws@8.5.4.patch
|
||||
|
@ -351,8 +354,8 @@ importers:
|
|||
specifier: ^1.1.3
|
||||
version: 1.1.3
|
||||
'@types/express':
|
||||
specifier: ^4.17.6
|
||||
version: 4.17.14
|
||||
specifier: ^4.17.21
|
||||
version: 4.17.21
|
||||
'@types/html-to-text':
|
||||
specifier: ^9.0.1
|
||||
version: 9.0.4
|
||||
|
@ -907,8 +910,8 @@ importers:
|
|||
specifier: ~1.7.1
|
||||
version: 1.7.3
|
||||
'@types/express':
|
||||
specifier: ^4.17.6
|
||||
version: 4.17.14
|
||||
specifier: ^4.17.21
|
||||
version: 4.17.21
|
||||
'@types/lodash':
|
||||
specifier: ^4.14.195
|
||||
version: 4.14.195
|
||||
|
@ -1481,8 +1484,8 @@ importers:
|
|||
specifier: ^1.1.2
|
||||
version: 1.1.9
|
||||
'@types/express':
|
||||
specifier: ^4.17.6
|
||||
version: 4.17.14
|
||||
specifier: ^4.17.21
|
||||
version: 4.17.21
|
||||
'@types/gm':
|
||||
specifier: ^1.25.0
|
||||
version: 1.25.0
|
||||
|
@ -1614,8 +1617,8 @@ importers:
|
|||
specifier: ^1.0.1
|
||||
version: 1.0.1
|
||||
'@types/express':
|
||||
specifier: ^4.17.6
|
||||
version: 4.17.14
|
||||
specifier: ^4.17.21
|
||||
version: 4.17.21
|
||||
'@types/jmespath':
|
||||
specifier: ^0.15.0
|
||||
version: 0.15.0
|
||||
|
@ -9636,28 +9639,20 @@ packages:
|
|||
resolution: {integrity: sha512-F3K4oyM12o8W9jxuJmW+1sc8kdw0Hj0t+26urwkcolPJTgkfppEfIdftdcXmUU2QPBIwcrYO6diqgIqgCDf1FA==}
|
||||
dev: true
|
||||
|
||||
/@types/express-serve-static-core@4.17.43:
|
||||
/@types/express-serve-static-core@4.17.43(patch_hash=5orrj4qleu2iko5t27vl44u4we):
|
||||
resolution: {integrity: sha512-oaYtiBirUOPQGSWNGPWnzyAFJ0BP3cwvN4oWZQY+zUBwpVIGsKUkpBpSztp74drYcjavs7SKFZ4DX1V2QeN8rg==}
|
||||
dependencies:
|
||||
'@types/node': 18.16.16
|
||||
'@types/qs': 6.9.7
|
||||
'@types/range-parser': 1.2.4
|
||||
'@types/send': 0.17.4
|
||||
|
||||
/@types/express@4.17.14:
|
||||
resolution: {integrity: sha512-TEbt+vaPFQ+xpxFLFssxUDXj5cWCxZJjIcB7Yg0k0GMHGtgtQgpvx/MUQUeAkNbA9AAGrwkAsoeItdTgS7FMyg==}
|
||||
dependencies:
|
||||
'@types/body-parser': 1.19.2
|
||||
'@types/express-serve-static-core': 4.17.43
|
||||
'@types/qs': 6.9.7
|
||||
'@types/serve-static': 1.15.0
|
||||
dev: true
|
||||
patched: true
|
||||
|
||||
/@types/express@4.17.21:
|
||||
resolution: {integrity: sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ==}
|
||||
dependencies:
|
||||
'@types/body-parser': 1.19.2
|
||||
'@types/express-serve-static-core': 4.17.43
|
||||
'@types/express-serve-static-core': 4.17.43(patch_hash=5orrj4qleu2iko5t27vl44u4we)
|
||||
'@types/qs': 6.9.7
|
||||
'@types/serve-static': 1.15.0
|
||||
|
||||
|
|
Loading…
Reference in a new issue