@limetech/n8n-nodes-lime 3.6.3 → 3.6.4-dev.1

package/nodes/{common.ts → crypto.ts}

@@ -1,6 +1,15 @@
-import { createHmac } from 'node:crypto';
+import {
+    createCipheriv,
+    createDecipheriv,
+    createHmac,
+    hkdfSync,
+    randomBytes,
+} from 'node:crypto';
 import { NodeOperationError, INode } from 'n8n-workflow';
 
+const ENCRYPTION_KEY_ENV = 'N8N_ENCRYPTION_KEY';
+const HKDF_INFO = 'lime-webhook-secret';
+
 /**
  * Generate an HMAC SHA-256 hash for the given data using the provided key.
  *
@@ -57,20 +66,7 @@ export const verifyRequest = (
     webhookSecret: string,
     data: Buffer
 ): void => {
-    if (!webhookSecret && !limeSignature) {
-        throw new NodeOperationError(
-            node,
-            'Webhook secret and lime signature are missing!'
-        );
-    }
-    if (!webhookSecret && limeSignature) {
-        throw new NodeOperationError(
-            node,
-            'Webhook authentication failed, secret key is missing while signature is present!'
-        );
-    }
-
-    if (!limeSignature && webhookSecret) {
+    if (!limeSignature) {
         throw new NodeOperationError(
             node,
             'Webhook authentication failed, signature key is missing while secret is present!'
@@ -85,3 +81,44 @@ export const verifyRequest = (
         );
     }
 };
+
+export function getMasterKey(): string {
+    const key = process.env[ENCRYPTION_KEY_ENV];
+    if (!key) {
+        throw new Error(
+            `${ENCRYPTION_KEY_ENV} must be set to manage Lime CRM webhooks`
+        );
+    }
+    return key;
+}
+
+export function encryptSecret(plaintext: string): string {
+    const salt = randomBytes(16);
+    const iv = randomBytes(12);
+    const key = Buffer.from(
+        hkdfSync('sha256', getMasterKey(), salt, HKDF_INFO, 32)
+    );
+    const cipher = createCipheriv('aes-256-gcm', key, iv);
+    const ct = Buffer.concat([
+        cipher.update(plaintext, 'utf8'),
+        cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([salt, iv, tag, ct]).toString('base64');
+}
+
+export function decryptSecret(blob: string): string {
+    const buf = Buffer.from(blob, 'base64');
+    const salt = buf.subarray(0, 16);
+    const iv = buf.subarray(16, 28);
+    const tag = buf.subarray(28, 44);
+    const ct = buf.subarray(44);
+    const key = Buffer.from(
+        hkdfSync('sha256', getMasterKey(), salt, HKDF_INFO, 32)
+    );
+    const decipher = createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(ct), decipher.final()]).toString(
+        'utf8'
+    );
+}

package/nodes/lime-crm/LimeCrmTrigger.node.ts

@@ -19,9 +19,11 @@ import {
     getSubscription,
     listSubscriptionsWithExistingData,
 } from './transport';
-import { createHash } from 'node:crypto';
+import { createHash, randomBytes } from 'node:crypto';
+
+import { decryptSecret, encryptSecret } from '../crypto';
 import { getWebhook, handleWorkflowError } from './utils';
-import { verifyRequest } from '../common';
+import { verifyRequest } from '../crypto';
 
 /**
  * Trigger node for handling incoming webhooks from **Lime CRM**.
@@ -165,7 +167,7 @@ export class LimeCrmTrigger implements INodeType {
                 }
 
                 try {
-                    await getSubscription(this, webhook);
+                    await getSubscription(this, webhook.data.webhookId);
                 } catch (error) {
                     if (error.cause?.status === 404) {
                         delete webhook.data.webhookId;
@@ -202,46 +204,43 @@ export class LimeCrmTrigger implements INodeType {
                     });
                 }
 
-                if (existingSubscriptionResponse.data.length === 0) {
-                    const credentials = await this.getCredentials(
-                        LIME_CRM_API_CREDENTIAL_KEY
-                    );
-                    const webhookCreateData = {
-                        ...webhook,
-                        secret: credentials.webhookSecret as string,
-                    };
-
-                    const createSubscriptionResponse = await createSubscription(
-                        this,
-                        webhookCreateData
-                    );
-
-                    if (!createSubscriptionResponse.success) {
-                        throw new NodeApiError(this.getNode(), {
-                            message:
-                                createSubscriptionResponse.data.error.message,
-                        });
+                if (existingSubscriptionResponse.data.length > 0) {
+                    for (const subscription of existingSubscriptionResponse.data) {
+                        Logger.info(
+                            'Deleting existing Lime CRM webhook with ID: ' +
+                                subscription.id
+                        );
+                        await deleteSubscription(this, subscription.id);
                     }
+                }
 
-                    const subscriptionId = createSubscriptionResponse.data.id;
-                    const events = createSubscriptionResponse.data.events;
+                const rawSecret = randomBytes(32).toString('hex');
+                webhook.data.webhookSecret = encryptSecret(rawSecret);
+                const webhookCreateData = {
+                    ...webhook,
+                    secret: rawSecret,
+                };
 
-                    webhook.data.webhookId = subscriptionId;
-                    webhook.data.webhookEvents = events;
-                    Logger.info(
-                        `Webhook with URL ${webhook.url}, ID ${subscriptionId} and events ${events} created!`
-                    );
-                    return true;
-                } else {
-                    const limeWebhook = existingSubscriptionResponse.data[0];
-                    webhook.data.webhookId = limeWebhook.id;
-                    webhook.data.webhookEvents = limeWebhook.events;
-                    Logger.info(
-                        `Webhook with URL ${webhook.url}, and events ${webhook.events} exists in Lime. 
-                        ID ${limeWebhook.id} set up to the N8N data.`
-                    );
-                    return true;
+                const createSubscriptionResponse = await createSubscription(
+                    this,
+                    webhookCreateData
+                );
+
+                if (!createSubscriptionResponse.success) {
+                    throw new NodeApiError(this.getNode(), {
+                        message: createSubscriptionResponse.data.error.message,
+                    });
                 }
+
+                const subscriptionId = createSubscriptionResponse.data.id;
+                const events = createSubscriptionResponse.data.events;
+
+                webhook.data.webhookId = subscriptionId;
+                webhook.data.webhookEvents = events;
+                Logger.info(
+                    `Webhook with URL ${webhook.url}, ID ${subscriptionId} and events ${events} created!`
+                );
+                return true;
             },
 
             async delete(this: IHookFunctions): Promise<boolean> {
@@ -252,7 +251,7 @@ export class LimeCrmTrigger implements INodeType {
                 );
                 if (webhook.data.webhookId !== undefined) {
                     try {
-                        await deleteSubscription(this, webhook);
+                        await deleteSubscription(this, webhook.data.webhookId);
                     } catch {
                         Logger.error(
                             `Failed to delete webhook with ID: ${webhook.data.webhookId}`,
@@ -295,11 +294,16 @@ export class LimeCrmTrigger implements INodeType {
         const webhook = getWebhook(this);
         Logger.info('Webhook received. Starting webhook processing...', {
             ...webhook.context,
+            ...webhook.data,
         });
-        const credentials = await this.getCredentials(
-            LIME_CRM_API_CREDENTIAL_KEY
-        );
-        const webhookSecret = credentials.webhookSecret as string;
+        const encryptedSecret = webhook.data.webhookSecret;
+        if (!encryptedSecret) {
+            throw new NodeOperationError(
+                this.getNode(),
+                'Webhook is not registered: missing secret in static data'
+            );
+        }
+        const webhookSecret = decryptSecret(encryptedSecret);
         const requestObject = this.getRequestObject();
         const headerData = this.getHeaderData();
         const bodyData = this.getBodyData();

package/nodes/lime-crm/models/webhook.ts

@@ -42,7 +42,7 @@ export interface WebhookContext {
  * @group Models
  */
 export interface Webhook {
-    data: IDataObject;
+    data: IDataObject & { webhookId?: string; webhookSecret?: string };
     events: string[];
     url?: string;
     context: WebhookContext;

package/nodes/lime-crm/transport/webhooks.ts

@@ -35,7 +35,7 @@ export interface ApiResponseWebhook {
  * Retrieve details of a specific subscription from Lime CRM.
  *
  * @param nodeContext - The n8n node execution context
- * @param webhook - The webhook object containing subscription details
+ * @param webhookId - Id of a webhook containing subscription details
  *
  * @returns The subscription information from Lime CRM.
  *
@@ -44,11 +44,11 @@ export interface ApiResponseWebhook {
  */
 export async function getSubscription(
     nodeContext: IAllExecuteFunctions,
-    webhook: Webhook
+    webhookId: string
 ): Promise<APIResponse<ApiResponseWebhook>> {
     return await callLimeApi(nodeContext, {
         method: 'GET',
-        url: `${SUBSCRIPTION_URL}${webhook.data.webhookId}`,
+        url: `${SUBSCRIPTION_URL}${webhookId}`,
     });
 }
 
@@ -113,7 +113,7 @@ export async function createSubscription(
  * Delete a webhook subscription from Lime CRM.
  *
  * @param nodeContext - The n8n node execution context
- * @param webhook - The webhook object identifying the subscription to delete
+ * @param webhookId - ID of a webhook that should be deleted
  *
  * @returns Response indicating success or failure of the deletion.
  *
@@ -122,13 +122,13 @@ export async function createSubscription(
  */
 export async function deleteSubscription(
     nodeContext: IAllExecuteFunctions,
-    webhook: Webhook
+    webhookId: string
 ): Promise<APIResponse<void>> {
     return await callLimeApi(nodeContext, {
         method: 'DELETE',
-        url: `${SUBSCRIPTION_URL}${webhook.data.webhookId}/`,
+        url: `${SUBSCRIPTION_URL}${webhookId}/`,
         errorMetadata: {
-            id: webhook.data.webhookId,
+            id: webhookId,
         },
     });
 }

package/nodes/lime-forms/LimeFormsTrigger.node.ts

@@ -22,7 +22,7 @@ import { ObservableActionType } from './types/enums/ObservableAction';
 import { ObservableType } from './types/enums/ObservableType';
 import { FORMS_API_CREDENTIALS_NAME } from '../../credentials';
 import { getWorkflowUrl } from './utils/workflow';
-import { verifyHmac } from '../common';
+import { verifyHmac } from '../crypto';
 import { handleWorkflowError } from '../errorHandling';
 
 const FORMS_OBSERVABLE_WEBHOOK_NAME_PREFIX = 'N8N';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@limetech/n8n-nodes-lime",
-  "version": "3.6.3",
+  "version": "3.6.4-dev.1",
   "description": "n8n node to connect to Lime CRM",
   "license": "Apache-2.0",
   "main": "nodes/index.ts",

package/dist/nodes/common.js

@@ -1,29 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyRequest = void 0;
-exports.verifyHmac = verifyHmac;
-const node_crypto_1 = require("node:crypto");
-const n8n_workflow_1 = require("n8n-workflow");
-function generateHmac(key, data) {
-    return 'sha256=' + (0, node_crypto_1.createHmac)('sha256', key).update(data).digest('hex');
-}
-function verifyHmac(key, data, comparedHmac) {
-    return generateHmac(key, data) === comparedHmac;
-}
-const verifyRequest = (node, limeSignature, webhookSecret, data) => {
-    if (!webhookSecret && !limeSignature) {
-        throw new n8n_workflow_1.NodeOperationError(node, 'Webhook secret and lime signature are missing!');
-    }
-    if (!webhookSecret && limeSignature) {
-        throw new n8n_workflow_1.NodeOperationError(node, 'Webhook authentication failed, secret key is missing while signature is present!');
-    }
-    if (!limeSignature && webhookSecret) {
-        throw new n8n_workflow_1.NodeOperationError(node, 'Webhook authentication failed, signature key is missing while secret is present!');
-    }
-    const expectedHmac = generateHmac(webhookSecret, data);
-    if (expectedHmac !== limeSignature) {
-        throw new n8n_workflow_1.NodeOperationError(node, 'Webhook authentication failed, signatures do not match');
-    }
-};
-exports.verifyRequest = verifyRequest;
-//# sourceMappingURL=common.js.map

package/dist/nodes/common.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"common.js","sourceRoot":"","sources":["../../nodes/common.ts"],"names":[],"mappings":";;;AA6BA,gCAMC;AAnCD,6CAAyC;AACzC,+CAAyD;AAYzD,SAAS,YAAY,CAAC,GAAW,EAAE,IAAY;IAC3C,OAAO,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5E,CAAC;AAcD,SAAgB,UAAU,CACtB,GAAW,EACX,IAAY,EACZ,YAAoB;IAEpB,OAAO,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,YAAY,CAAC;AACpD,CAAC;AAkBM,MAAM,aAAa,GAAG,CACzB,IAAW,EACX,aAAqB,EACrB,aAAqB,EACrB,IAAY,EACR,EAAE;IACN,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;QACnC,MAAM,IAAI,iCAAkB,CACxB,IAAI,EACJ,gDAAgD,CACnD,CAAC;IACN,CAAC;IACD,IAAI,CAAC,aAAa,IAAI,aAAa,EAAE,CAAC;QAClC,MAAM,IAAI,iCAAkB,CACxB,IAAI,EACJ,kFAAkF,CACrF,CAAC;IACN,CAAC;IAED,IAAI,CAAC,aAAa,IAAI,aAAa,EAAE,CAAC;QAClC,MAAM,IAAI,iCAAkB,CACxB,IAAI,EACJ,kFAAkF,CACrF,CAAC;IACN,CAAC;IAED,MAAM,YAAY,GAAG,YAAY,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACvD,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;QACjC,MAAM,IAAI,iCAAkB,CACxB,IAAI,EACJ,wDAAwD,CAC3D,CAAC;IACN,CAAC;AACL,CAAC,CAAC;AAjCW,QAAA,aAAa,iBAiCxB"}