@n8n/eslint-plugin-community-nodes 0.7.0 → 0.9.0

package/src/rules/no-http-request-with-manual-auth.test.ts

@@ -0,0 +1,104 @@
+import { RuleTester } from '@typescript-eslint/rule-tester';
+
+import { NoHttpRequestWithManualAuthRule } from './no-http-request-with-manual-auth.js';
+
+const ruleTester = new RuleTester();
+
+ruleTester.run('no-http-request-with-manual-auth', NoHttpRequestWithManualAuthRule, {
+	valid: [
+		{
+			name: 'httpRequest and getCredentials at module top level (no function scope)',
+			code: `
+const credentials = await this.getCredentials('myApi');
+const result = await this.helpers.httpRequest({ url: 'https://api.example.com' });`,
+		},
+		{
+			name: 'httpRequest without getCredentials (unauthenticated call)',
+			code: `
+async function makeRequest() {
+	return this.helpers.httpRequest({ url: 'https://public.api.com' });
+}`,
+		},
+		{
+			name: 'httpRequestWithAuthentication with getCredentials (correct pattern)',
+			code: `
+async function makeRequest() {
+	const credentials = await this.getCredentials('myApi');
+	return this.helpers.httpRequestWithAuthentication.call(this, 'myApi', {
+		url: 'https://api.example.com',
+	});
+}`,
+		},
+		{
+			name: 'getCredentials called but no httpRequest in same function',
+			code: `
+async function loadConfig() {
+	const credentials = await this.getCredentials('myApi');
+	return credentials.apiKey;
+}`,
+		},
+		{
+			name: 'getCredentials in outer function, httpRequest in nested function (separate scopes)',
+			code: `
+async function execute() {
+	const credentials = await this.getCredentials('myApi');
+	const makeRequest = async () => {
+		return this.helpers.httpRequest({ url: 'https://api.example.com' });
+	};
+	return makeRequest();
+}`,
+		},
+		{
+			name: 'other object with helpers.httpRequest is not flagged',
+			code: `
+async function test() {
+	const credentials = await this.getCredentials('myApi');
+	const otherObject = { helpers: { httpRequest: async () => {} } };
+	return otherObject.helpers.httpRequest({ url: 'https://example.com' });
+}`,
+		},
+	],
+	invalid: [
+		{
+			name: 'function calls both getCredentials and httpRequest',
+			code: `
+async function makeRequest() {
+	const credentials = await this.getCredentials('myApi');
+	const options = {
+		headers: { Authorization: \`Bearer \${credentials.apiKey}\` },
+		url: 'https://api.example.com',
+	};
+	return this.helpers.httpRequest(options);
+}`,
+			errors: [{ messageId: 'useHttpRequestWithAuthentication' }],
+		},
+		{
+			name: 'two httpRequest calls in a function that also calls getCredentials — both flagged',
+			code: `
+async function makeRequests() {
+	const credentials = await this.getCredentials('myApi');
+	const r1 = await this.helpers.httpRequest({ url: 'https://api.example.com/a' });
+	const r2 = await this.helpers.httpRequest({ url: 'https://api.example.com/b' });
+	return [r1, r2];
+}`,
+			errors: [
+				{ messageId: 'useHttpRequestWithAuthentication' },
+				{ messageId: 'useHttpRequestWithAuthentication' },
+			],
+		},
+		{
+			name: 'class method pattern',
+			code: `
+class MyNode {
+	async execute() {
+		const credentials = await this.getCredentials('myApi');
+		return this.helpers.httpRequest({
+			headers: { Authorization: credentials.apiKey },
+			url: 'https://api.example.com',
+		});
+	}
+}`,
+			errors: [{ messageId: 'useHttpRequestWithAuthentication' }],
+		},
+	],
+});

package/src/rules/no-http-request-with-manual-auth.ts

@@ -0,0 +1,78 @@
+/**
+ * Flags `this.helpers.httpRequest()` in functions that also call `this.getCredentials()`.
+ * Those functions should use `this.helpers.httpRequestWithAuthentication()` instead.
+ *
+ * Uses a function-scope stack: if both `getCredentials` and `httpRequest` appear in
+ * the same function body, every `httpRequest` call is reported. Nested functions are
+ * checked independently.
+ *
+ * Alternatives considered:
+ * - Checking for credential variables in `httpRequest` arguments — misses the common
+ *   pattern where options are built in a separate variable first.
+ * - Matching auth header names (`Authorization`, etc.) — brittle and requires deep
+ *   AST traversal with no guarantee of coverage.
+ *
+ * Known false positive: a function that fetches credentials for a non-HTTP purpose
+ * and also makes an unauthenticated request. Use eslint-disable to suppress.
+ */
+
+import type { TSESTree } from '@typescript-eslint/utils';
+
+import { createRule, isThisHelpersMethodCall, isThisMethodCall } from '../utils/index.js';
+
+type FunctionScope = {
+	getCredentialsCall: TSESTree.CallExpression | null;
+	httpRequestCalls: TSESTree.CallExpression[];
+};
+
+export const NoHttpRequestWithManualAuthRule = createRule({
+	name: 'no-http-request-with-manual-auth',
+	meta: {
+		type: 'suggestion',
+		docs: {
+			description:
+				'Disallow this.helpers.httpRequest() in functions that call this.getCredentials(). Use this.helpers.httpRequestWithAuthentication() instead.',
+		},
+		messages: {
+			useHttpRequestWithAuthentication:
+				"Avoid calling 'this.helpers.httpRequest()' in a function that retrieves credentials via 'this.getCredentials()'. Use 'this.helpers.httpRequestWithAuthentication()' instead — it handles authentication internally and benefits from future n8n improvements like token refresh and audit logging.",
+		},
+		schema: [],
+		hasSuggestions: false,
+	},
+	defaultOptions: [],
+	create(context) {
+		const scopeStack: FunctionScope[] = [];
+
+		const pushScope = () => scopeStack.push({ getCredentialsCall: null, httpRequestCalls: [] });
+
+		const popScope = () => {
+			const scope = scopeStack.pop();
+			if (scope?.getCredentialsCall && scope.httpRequestCalls.length > 0) {
+				for (const call of scope.httpRequestCalls) {
+					context.report({ node: call, messageId: 'useHttpRequestWithAuthentication' });
+				}
+			}
+		};
+
+		return {
+			FunctionDeclaration: pushScope,
+			FunctionExpression: pushScope,
+			ArrowFunctionExpression: pushScope,
+			'FunctionDeclaration:exit': popScope,
+			'FunctionExpression:exit': popScope,
+			'ArrowFunctionExpression:exit': popScope,
+
+			CallExpression(node: TSESTree.CallExpression) {
+				const scope = scopeStack[scopeStack.length - 1];
+				if (!scope) return;
+				if (isThisMethodCall(node, 'getCredentials')) {
+					scope.getCredentialsCall = node;
+				}
+				if (isThisHelpersMethodCall(node, 'httpRequest')) {
+					scope.httpRequestCalls.push(node);
+				}
+			},
+		};
+	},
+});

package/src/rules/no-restricted-imports.test.ts

@@ -128,7 +128,8 @@ ruleTester.run('no-restricted-imports', NoRestrictedImportsRule, {
 			code: `
 import fs from "fs";
 import path from "path";
-import { WorkflowExecuteMode } from "n8n-workflow";`,
+import { WorkflowExecuteMode } from "n8n-workflow";
+import { supplyModel } from "@n8n/ai-node-sdk";`,
 			errors: [
 				{ messageId: 'restrictedImport', data: { modulePath: 'fs' } },
 				{ messageId: 'restrictedImport', data: { modulePath: 'path' } },

package/src/rules/no-restricted-imports.ts

@@ -7,6 +7,7 @@ import {
 
 const allowedModules = [
 	'n8n-workflow',
+	'ai-node-sdk',
 	'lodash',
 	'moment',
 	'p-limit',
@@ -14,6 +15,7 @@ const allowedModules = [
 	'zod',
 	'crypto',
 	'node:crypto',
+	'@n8n/ai-node-sdk',
 ];
 
 const isModuleAllowed = (modulePath: string): boolean => {

package/src/rules/node-usable-as-tool.test.ts

@@ -51,6 +51,33 @@ export class RegularClass {
 }`;
 }
 
+function createNodeCodeWithOutputsInputs(
+	outputs: string,
+	inputs: string,
+	includeUsableAsTool = false,
+): string {
+	const usableAsToolLine = includeUsableAsTool ? '\n\t\tusableAsTool: true,' : '';
+	return `
+import type { INodeType, INodeTypeDescription } from 'n8n-workflow';
+import { NodeConnectionTypes } from 'n8n-workflow';
+
+export class TestNode implements INodeType {
+	description: INodeTypeDescription = {
+		displayName: 'Test Node',
+		name: 'testNode',
+		group: ['input'],
+		version: 1,
+		description: 'A test node',
+		defaults: {
+			name: 'Test Node',
+		},
+		inputs: ${inputs},
+		outputs: ${outputs},
+		properties: [],${usableAsToolLine}
+	};
+}`;
+}
+
 ruleTester.run('node-usable-as-tool', NodeUsableAsToolRule, {
 	valid: [
 		{
@@ -69,6 +96,21 @@ ruleTester.run('node-usable-as-tool', NodeUsableAsToolRule, {
 			name: 'node without description property',
 			code: createNodeCode(undefined, false),
 		},
+		{
+			name: 'AI-only node: NodeConnectionTypes non-Main output and empty inputs skips usableAsTool check',
+			code: createNodeCodeWithOutputsInputs('[NodeConnectionTypes.AiAgent]', '[]'),
+		},
+		{
+			name: 'AI-only node: multiple non-Main NodeConnectionTypes outputs and empty inputs skips usableAsTool check',
+			code: createNodeCodeWithOutputsInputs(
+				'[NodeConnectionTypes.AiAgent, NodeConnectionTypes.AiTool]',
+				'[]',
+			),
+		},
+		{
+			name: 'AI-only node: non-main string literal output and empty inputs skips usableAsTool check',
+			code: createNodeCodeWithOutputsInputs("['ai_agent']", '[]'),
+		},
 	],
 	invalid: [
 		{
@@ -77,5 +119,29 @@ ruleTester.run('node-usable-as-tool', NodeUsableAsToolRule, {
 			errors: [{ messageId: 'missingUsableAsTool' }],
 			output: createNodeCode(true),
 		},
+		{
+			name: 'NodeConnectionTypes.Main output with empty inputs does not skip check',
+			code: createNodeCodeWithOutputsInputs('[NodeConnectionTypes.Main]', '[]'),
+			errors: [{ messageId: 'missingUsableAsTool' }],
+			output: createNodeCodeWithOutputsInputs('[NodeConnectionTypes.Main]', '[]', true),
+		},
+		{
+			name: 'main string literal output with empty inputs does not skip check',
+			code: createNodeCodeWithOutputsInputs("['main']", '[]'),
+			errors: [{ messageId: 'missingUsableAsTool' }],
+			output: createNodeCodeWithOutputsInputs("['main']", '[]', true),
+		},
+		{
+			name: 'non-Main output with non-empty inputs does not skip check',
+			code: createNodeCodeWithOutputsInputs('[NodeConnectionTypes.AiAgent]', "['main']"),
+			errors: [{ messageId: 'missingUsableAsTool' }],
+			output: createNodeCodeWithOutputsInputs('[NodeConnectionTypes.AiAgent]', "['main']", true),
+		},
+		{
+			name: 'non-main string literal output with non-empty inputs does not skip check',
+			code: createNodeCodeWithOutputsInputs("['ai_agent']", "['main']"),
+			errors: [{ messageId: 'missingUsableAsTool' }],
+			output: createNodeCodeWithOutputsInputs("['ai_agent']", "['main']", true),
+		},
 	],
 });

package/src/rules/node-usable-as-tool.ts

@@ -40,6 +40,28 @@ export const NodeUsableAsToolRule = createRule({
 				}
 
 				const usableAsToolProperty = findObjectProperty(descriptionValue, 'usableAsTool');
+				const outputsProperty = findObjectProperty(descriptionValue, 'outputs');
+				const inputsProperty = findObjectProperty(descriptionValue, 'inputs');
+				if (
+					outputsProperty?.value?.type === TSESTree.AST_NODE_TYPES.ArrayExpression &&
+					inputsProperty?.value?.type === TSESTree.AST_NODE_TYPES.ArrayExpression
+				) {
+					const isAiOutput = outputsProperty?.value?.elements?.some((element) => {
+						const isAiOutputEnum =
+							element?.type === TSESTree.AST_NODE_TYPES.MemberExpression &&
+							element?.object?.type === TSESTree.AST_NODE_TYPES.Identifier &&
+							element?.object?.name === 'NodeConnectionTypes' &&
+							element?.property?.type === TSESTree.AST_NODE_TYPES.Identifier &&
+							element?.property?.name !== 'Main';
+						const isAiOutputLiteral =
+							element?.type === TSESTree.AST_NODE_TYPES.Literal && element?.value !== 'main';
+						return isAiOutputEnum || isAiOutputLiteral;
+					});
+					const isEmptyInputs = inputsProperty?.value?.elements?.length === 0;
+					if (isAiOutput && isEmptyInputs) {
+						return;
+					}
+				}
 
 				if (!usableAsToolProperty) {
 					context.report({

package/src/rules/package-name-convention.ts

@@ -2,7 +2,7 @@ import type { TSESTree } from '@typescript-eslint/utils';
 import { AST_NODE_TYPES } from '@typescript-eslint/utils';
 import type { ReportSuggestionArray } from '@typescript-eslint/utils/ts-eslint';
 
-import { createRule } from '../utils/index.js';
+import { createRule, findJsonProperty } from '../utils/index.js';
 
 export const PackageNameConventionRule = createRule({
 	name: 'package-name-convention',
@@ -31,14 +31,9 @@ export const PackageNameConventionRule = createRule({
 					return;
 				}
 
-				const nameProperty = node.properties.find(
-					(property) =>
-						property.type === AST_NODE_TYPES.Property &&
-						property.key.type === AST_NODE_TYPES.Literal &&
-						property.key.value === 'name',
-				);
+				const nameProperty = findJsonProperty(node, 'name');
 
-				if (!nameProperty || nameProperty.type !== AST_NODE_TYPES.Property) {
+				if (!nameProperty) {
 					return;
 				}
 

package/src/utils/ast-utils.ts

@@ -89,6 +89,19 @@ export function getBooleanLiteralValue(node: TSESTree.Node | null): boolean | nu
 	return typeof value === 'boolean' ? value : null;
 }
 
+export function findJsonProperty(
+	obj: TSESTree.ObjectExpression,
+	propertyName: string,
+): TSESTree.Property | null {
+	const property = obj.properties.find(
+		(prop) =>
+			prop.type === AST_NODE_TYPES.Property &&
+			prop.key.type === AST_NODE_TYPES.Literal &&
+			prop.key.value === propertyName,
+	);
+	return property?.type === AST_NODE_TYPES.Property ? property : null;
+}
+
 export function findArrayLiteralProperty(
 	obj: TSESTree.ObjectExpression,
 	propertyName: string,
@@ -184,6 +197,36 @@ export function extractCredentialNameFromArray(
 	return info ? { name: info.name, node: info.node } : null;
 }
 
+/** Matches the `this.helpers` MemberExpression (the object part of `this.helpers.foo`). */
+export function isThisHelpersAccess(node: TSESTree.MemberExpression): boolean {
+	return (
+		node.object?.type === AST_NODE_TYPES.MemberExpression &&
+		node.object.object?.type === AST_NODE_TYPES.ThisExpression &&
+		node.object.property?.type === AST_NODE_TYPES.Identifier &&
+		node.object.property.name === 'helpers'
+	);
+}
+
+/** Matches a call expression of the form `this.methodName(...)`. */
+export function isThisMethodCall(node: TSESTree.CallExpression, method: string): boolean {
+	return (
+		node.callee.type === AST_NODE_TYPES.MemberExpression &&
+		node.callee.object.type === AST_NODE_TYPES.ThisExpression &&
+		node.callee.property.type === AST_NODE_TYPES.Identifier &&
+		node.callee.property.name === method
+	);
+}
+
+/** Matches a call expression of the form `this.helpers.methodName(...)`. */
+export function isThisHelpersMethodCall(node: TSESTree.CallExpression, method: string): boolean {
+	return (
+		node.callee.type === AST_NODE_TYPES.MemberExpression &&
+		node.callee.property.type === AST_NODE_TYPES.Identifier &&
+		node.callee.property.name === method &&
+		isThisHelpersAccess(node.callee)
+	);
+}
+
 export function findSimilarStrings(
 	target: string,
 	candidates: Set<string>,