npm - n8n - Versions diffs - 2.16.0 → 2.17.0 - Mend

n8n 2.16.0 → 2.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/dist/modules/token-exchange/database/repositories/trusted-key.repository.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"trusted-key.repository.js","sourceRoot":"","sources":["../../../../../src/modules/token-exchange/database/repositories/trusted-key.repository.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,gCAAkC;AAClC,0CAAsD;AAEtD,uEAAkE;AAG3D,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,oBAA4B;IACrE,YAAY,UAAsB;QACjC,KAAK,CAAC,qCAAgB,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,GAAW;QACrD,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW;QAC7B,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,CAAC;CACD,CAAA;AAZY,oDAAoB;+BAApB,oBAAoB;IADhC,IAAA,YAAO,GAAE;qCAEe,oBAAU;GADtB,oBAAoB,CAYhC"}

package/dist/modules/token-exchange/services/identity-resolution.service.d.ts CHANGED Viewed

@@ -1,5 +1,23 @@
-import type { User } from '@n8n/db';
+import { Logger } from '@n8n/backend-common';
+import { AuthIdentityRepository, UserRepository, type User } from '@n8n/db';
+import { EventService } from '../../../events/event.service';
+import { UserService } from '../../../services/user.service';
 import type { ExternalTokenClaims } from '../token-exchange.schemas';
 export declare class IdentityResolutionService {
-    resolve(_claims: ExternalTokenClaims): Promise<User>;
+    private readonly userRepository;
+    private readonly authIdentityRepository;
+    private readonly eventService;
+    private readonly userService;
+    private readonly logger;
+    constructor(logger: Logger, userRepository: UserRepository, authIdentityRepository: AuthIdentityRepository, eventService: EventService, userService: UserService);
+    resolve(claims: ExternalTokenClaims, allowedRoles?: string[], tokenContext?: {
+        kid: string;
+        issuer: string;
+    }): Promise<User>;
+    private resolveByIdentity;
+    private resolveByEmail;
+    private provisionUser;
+    private resolveRoleForExistingUser;
+    private resolveRoleForNewUser;
+    private syncProfile;
 }

package/dist/modules/token-exchange/services/identity-resolution.service.js CHANGED Viewed

@@ -5,17 +5,191 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.IdentityResolutionService = void 0;
+const backend_common_1 = require("@n8n/backend-common");
+const db_1 = require("@n8n/db");
 const di_1 = require("@n8n/di");
-const n8n_workflow_1 = require("n8n-workflow");
+const auth_error_1 = require("../../../errors/response-errors/auth.error");
+const event_service_1 = require("../../../events/event.service");
+const user_service_1 = require("../../../services/user.service");
+const INVALID_PASSWORD_PLACEHOLDER = '!token-exchange-no-password';
+const MAX_NAME_LENGTH = 32;
+function isGlobalRole(role) {
+    return role in db_1.GLOBAL_ROLES;
+}
+function trimName(value, fallback = '') {
+    return (value ?? fallback).slice(0, MAX_NAME_LENGTH);
+}
 let IdentityResolutionService = class IdentityResolutionService {
-    async resolve(_claims) {
-        throw new n8n_workflow_1.UserError('Identity resolution is not yet implemented');
+    constructor(logger, userRepository, authIdentityRepository, eventService, userService) {
+        this.userRepository = userRepository;
+        this.authIdentityRepository = authIdentityRepository;
+        this.eventService = eventService;
+        this.userService = userService;
+        this.logger = logger.scoped('token-exchange');
+    }
+    async resolve(claims, allowedRoles, tokenContext) {
+        const email = claims.email?.toLowerCase();
+        const identity = await this.authIdentityRepository.findOne({
+            where: { providerId: claims.sub, providerType: 'token-exchange' },
+            relations: { user: { role: true } },
+        });
+        if (identity) {
+            return await this.resolveByIdentity(claims, identity, allowedRoles, tokenContext);
+        }
+        if (email) {
+            const existingUser = await this.userRepository.findOne({
+                where: { email },
+                relations: ['authIdentities', 'role'],
+            });
+            if (existingUser) {
+                return await this.resolveByEmail(claims, email, existingUser, allowedRoles, tokenContext);
+            }
+        }
+        if (!email) {
+            throw new auth_error_1.AuthError('Email claim is required for user provisioning');
+        }
+        return await this.provisionUser(claims, email, allowedRoles, tokenContext);
+    }
+    async resolveByIdentity(claims, identity, allowedRoles, tokenContext) {
+        this.logger.debug('Resolved user by auth identity', { sub: claims.sub });
+        const resolvedRole = this.resolveRoleForExistingUser(claims.role, allowedRoles, identity.user.role?.slug);
+        return await this.syncProfile(identity.user, claims, resolvedRole, tokenContext);
+    }
+    async resolveByEmail(claims, email, existingUser, allowedRoles, tokenContext) {
+        this.logger.debug('Linking external identity to existing user by email', {
+            sub: claims.sub,
+            email,
+        });
+        const resolvedRole = this.resolveRoleForExistingUser(claims.role, allowedRoles, existingUser.role?.slug);
+        await this.authIdentityRepository.save(db_1.AuthIdentity.create(existingUser, claims.sub, 'token-exchange'));
+        this.eventService.emit('token-exchange-identity-linked', {
+            userId: existingUser.id,
+            sub: claims.sub,
+            email,
+            kid: tokenContext?.kid ?? '',
+            issuer: tokenContext?.issuer ?? claims.iss,
+        });
+        return await this.syncProfile(existingUser, claims, resolvedRole, tokenContext);
+    }
+    async provisionUser(claims, email, allowedRoles, tokenContext) {
+        this.logger.debug('JIT provisioning new user', { sub: claims.sub, email });
+        const jitRole = this.resolveRoleForNewUser(claims.role, allowedRoles);
+        const targetRole = jitRole ? { slug: jitRole } : db_1.GLOBAL_MEMBER_ROLE;
+        const user = await this.userRepository.manager.transaction(async (trx) => {
+            const { user: newUser } = await this.userRepository.createUserWithProject({
+                email,
+                firstName: trimName(claims.given_name),
+                lastName: trimName(claims.family_name),
+                role: targetRole,
+                password: INVALID_PASSWORD_PLACEHOLDER,
+            }, trx);
+            await trx.save(trx.create(db_1.AuthIdentity, {
+                providerId: claims.sub,
+                providerType: 'token-exchange',
+                userId: newUser.id,
+            }));
+            return newUser;
+        });
+        this.eventService.emit('token-exchange-user-provisioned', {
+            userId: user.id,
+            sub: claims.sub,
+            email,
+            role: targetRole.slug,
+            kid: tokenContext?.kid ?? '',
+            issuer: tokenContext?.issuer ?? claims.iss,
+        });
+        return user;
+    }
+    resolveRoleForExistingUser(roleClaim, allowedRoles, currentRole) {
+        if (roleClaim === undefined)
+            return undefined;
+        if (currentRole === 'global:owner') {
+            this.logger.debug('Skipping role sync for existing owner');
+            return undefined;
+        }
+        const role = roleClaim;
+        if (role === 'global:owner') {
+            this.logger.warn('Ignoring global:owner role claim for existing user');
+            return undefined;
+        }
+        if (!isGlobalRole(role)) {
+            this.logger.warn('Unknown role claim ignored', { role });
+            return undefined;
+        }
+        if (allowedRoles && allowedRoles.length > 0 && !allowedRoles.includes(role)) {
+            throw new auth_error_1.AuthError(`Role '${role}' is not allowed for this token exchange key`);
+        }
+        return role;
+    }
+    resolveRoleForNewUser(roleClaim, allowedRoles) {
+        if (roleClaim === undefined)
+            return undefined;
+        const role = roleClaim;
+        if (role === 'global:owner') {
+            throw new auth_error_1.AuthError('Cannot provision global:owner role via token exchange');
+        }
+        if (!isGlobalRole(role)) {
+            throw new auth_error_1.AuthError(`Unrecognized role '${role}' cannot be assigned to new user`);
+        }
+        if (allowedRoles && allowedRoles.length > 0 && !allowedRoles.includes(role)) {
+            throw new auth_error_1.AuthError(`Role '${role}' is not allowed for this token exchange key`);
+        }
+        return role;
+    }
+    async syncProfile(user, claims, resolvedRole, tokenContext) {
+        let needsReload = false;
+        const profileUpdates = {};
+        if (claims.given_name !== undefined) {
+            const trimmed = trimName(claims.given_name);
+            if (trimmed !== user.firstName) {
+                profileUpdates.firstName = trimmed;
+            }
+        }
+        if (claims.family_name !== undefined) {
+            const trimmed = trimName(claims.family_name);
+            if (trimmed !== user.lastName) {
+                profileUpdates.lastName = trimmed;
+            }
+        }
+        if (Object.keys(profileUpdates).length > 0) {
+            await this.userRepository.update(user.id, profileUpdates);
+            needsReload = true;
+        }
+        const previousRole = user.role?.slug;
+        if (resolvedRole && resolvedRole !== previousRole) {
+            await this.userService.changeUserRole(user, { newRoleName: resolvedRole });
+            needsReload = true;
+            if (previousRole) {
+                this.eventService.emit('token-exchange-role-updated', {
+                    userId: user.id,
+                    previousRole,
+                    newRole: resolvedRole,
+                    kid: tokenContext?.kid ?? '',
+                    issuer: tokenContext?.issuer ?? claims.iss,
+                });
+            }
+        }
+        if (needsReload) {
+            return await this.userRepository.findOneOrFail({
+                where: { id: user.id },
+                relations: ['role'],
+            });
+        }
+        return user;
     }
 };
 exports.IdentityResolutionService = IdentityResolutionService;
 exports.IdentityResolutionService = IdentityResolutionService = __decorate([
-    (0, di_1.Service)()
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [backend_common_1.Logger,
+        db_1.UserRepository,
+        db_1.AuthIdentityRepository,
+        event_service_1.EventService,
+        user_service_1.UserService])
 ], IdentityResolutionService);
 //# sourceMappingURL=identity-resolution.service.js.map

package/dist/modules/token-exchange/services/identity-resolution.service.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"identity-resolution.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/identity-resolution.service.ts"],"names":[],"mappings":"~~;;;;;;;;;AACA~~,gCAAkC;AAElC~~,+CAAyC~~;~~AAWlC~~,IAAM,yBAAyB,GAA/B,MAAM,yBAAyB;~~IAIrC~~,KAAK,CAAC,OAAO,CAAC,~~OAA4B~~;~~QACzC~~,MAAM,IAAI,~~wBAAS~~,CAAC,~~4CAA4C~~,CAAC,CAAC;~~IACnE~~,CAAC;CACD,CAAA;~~AAPY~~,8DAAyB;oCAAzB,yBAAyB;IADrC,IAAA,YAAO,GAAE;~~GACG~~,yBAAyB,~~CAOrC~~"}
1	+ {"version":3,"file":"identity-resolution.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/identity-resolution.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA6C;AAC7C,gCAOiB;AACjB,gCAAkC;AAElC,oEAAgE;AAChE,0DAAsD;AACtD,0DAAsD;AAStD,MAAM,4BAA4B,GAAG,6BAA6B,CAAC;AAGnE,MAAM,eAAe,GAAG,EAAE,CAAC;AAI3B,SAAS,YAAY,CAAC,IAAY;IACjC,OAAO,IAAI,IAAI,iBAAY,CAAC;AAC7B,CAAC;AAED,SAAS,QAAQ,CAAC,KAAyB,EAAE,QAAQ,GAAG,EAAE;IACzD,OAAO,CAAC,KAAK,IAAI,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;AACtD,CAAC;AAGM,IAAM,yBAAyB,GAA/B,MAAM,yBAAyB;IAGrC,YACC,MAAc,EACG,cAA8B,EAC9B,sBAA8C,EAC9C,YAA0B,EAC1B,WAAwB;QAHxB,mBAAc,GAAd,cAAc,CAAgB;QAC9B,2BAAsB,GAAtB,sBAAsB,CAAwB;QAC9C,iBAAY,GAAZ,YAAY,CAAc;QAC1B,gBAAW,GAAX,WAAW,CAAa;QAEzC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAcD,KAAK,CAAC,OAAO,CACZ,MAA2B,EAC3B,YAAuB,EACvB,YAA8C;QAE9C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC;QAG1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC;YAC1D,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,EAAE,YAAY,EAAE,gBAAgB,EAAE;YACjE,SAAS,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;SACnC,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACd,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;QACnF,CAAC;QAGD,IAAI,KAAK,EAAE,CAAC;YACX,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC;gBACtD,KAAK,EAAE,EAAE,KAAK,EAAE;gBAChB,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;aACrC,CAAC,CAAC;YAEH,IAAI,YAAY,EAAE,CAAC;gBAClB,OAAO,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;YAC3F,CAAC;QACF,CAAC;QAGD,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,IAAI,sBAAS,CAAC,+CAA+C,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;IAC5E,CAAC;IAGO,KAAK,CAAC,iBAAiB,CAC9B,MAA2B,EAC3B,QAAsB,EACtB,YAAkC,EAClC,YAAyD;QAEzD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CACnD,MAAM,CAAC,IAAI,EACX,YAAY,EACZ,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CACxB,CAAC;QACF,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;IAClF,CAAC;IAGO,KAAK,CAAC,cAAc,CAC3B,MAA2B,EAC3B,KAAa,EACb,YAAkB,EAClB,YAAkC,EAClC,YAAyD;QAEzD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qDAAqD,EAAE;YACxE,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;SACL,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CACnD,MAAM,CAAC,IAAI,EACX,YAAY,EACZ,YAAY,CAAC,IAAI,EAAE,IAAI,CACvB,CAAC;QACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,CACrC,iBAAY,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAC/D,CAAC;QACF,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,gCAAgC,EAAE;YACxD,MAAM,EAAE,YAAY,CAAC,EAAE;YACvB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,GAAG,EAAE,YAAY,EAAE,GAAG,IAAI,EAAE;YAC5B,MAAM,EAAE,YAAY,EAAE,MAAM,IAAI,MAAM,CAAC,GAAG;SAC1C,CAAC,CAAC;QACH,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;IACjF,CAAC;IAGO,KAAK,CAAC,aAAa,CAC1B,MAA2B,EAC3B,KAAa,EACb,YAAkC,EAClC,YAAyD;QAEzD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAE3E,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QACtE,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,uBAAkB,CAAC;QAEpE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACxE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,qBAAqB,CACxE;gBACC,KAAK;gBACL,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC;gBACtC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC;gBACtC,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,4BAA4B;aACtC,EACD,GAAG,CACH,CAAC;YAEF,MAAM,GAAG,CAAC,IAAI,CACb,GAAG,CAAC,MAAM,CAAC,iBAAY,EAAE;gBACxB,UAAU,EAAE,MAAM,CAAC,GAAG;gBACtB,YAAY,EAAE,gBAAgB;gBAC9B,MAAM,EAAE,OAAO,CAAC,EAAE;aAClB,CAAC,CACF,CAAC;YAEF,OAAO,OAAO,CAAC;QAChB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,iCAAiC,EAAE;YACzD,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,GAAG,EAAE,YAAY,EAAE,GAAG,IAAI,EAAE;YAC5B,MAAM,EAAE,YAAY,EAAE,MAAM,IAAI,MAAM,CAAC,GAAG;SAC1C,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACb,CAAC;IAUO,0BAA0B,CACjC,SAAsC,EACtC,YAAkC,EAClC,WAA+B;QAE/B,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QAG9C,IAAI,WAAW,KAAK,cAAc,EAAE,CAAC;YACpC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D,OAAO,SAAS,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,SAAS,CAAC;QAGvB,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;YACvE,OAAO,SAAS,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YACzD,OAAO,SAAS,CAAC;QAClB,CAAC;QAED,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7E,MAAM,IAAI,sBAAS,CAAC,SAAS,IAAI,8CAA8C,CAAC,CAAC;QAClF,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IASO,qBAAqB,CAC5B,SAAsC,EACtC,YAAkC;QAElC,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QAE9C,MAAM,IAAI,GAAG,SAAS,CAAC;QAEvB,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;YAC7B,MAAM,IAAI,sBAAS,CAAC,uDAAuD,CAAC,CAAC;QAC9E,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,sBAAS,CAAC,sBAAsB,IAAI,kCAAkC,CAAC,CAAC;QACnF,CAAC;QAED,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7E,MAAM,IAAI,sBAAS,CAAC,SAAS,IAAI,8CAA8C,CAAC,CAAC;QAClF,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAOO,KAAK,CAAC,WAAW,CACxB,IAAU,EACV,MAA2B,EAC3B,YAA4B,EAC5B,YAA8C;QAE9C,IAAI,WAAW,GAAG,KAAK,CAAC;QAGxB,MAAM,cAAc,GAAkD,EAAE,CAAC;QAEzE,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACrC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC5C,IAAI,OAAO,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,cAAc,CAAC,SAAS,GAAG,OAAO,CAAC;YACpC,CAAC;QACF,CAAC;QAED,IAAI,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC7C,IAAI,OAAO,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC/B,cAAc,CAAC,QAAQ,GAAG,OAAO,CAAC;YACnC,CAAC;QACF,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;YAC1D,WAAW,GAAG,IAAI,CAAC;QACpB,CAAC;QAGD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC;QACrC,IAAI,YAAY,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;YACnD,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,CAAC;YAC3E,WAAW,GAAG,IAAI,CAAC;YAEnB,IAAI,YAAY,EAAE,CAAC;gBAClB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,6BAA6B,EAAE;oBACrD,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,YAAY;oBACZ,OAAO,EAAE,YAAY;oBACrB,GAAG,EAAE,YAAY,EAAE,GAAG,IAAI,EAAE;oBAC5B,MAAM,EAAE,YAAY,EAAE,MAAM,IAAI,MAAM,CAAC,GAAG;iBAC1C,CAAC,CAAC;YACJ,CAAC;QACF,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACjB,OAAO,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC;gBAC9C,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;gBACtB,SAAS,EAAE,CAAC,MAAM,CAAC;aACnB,CAAC,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;CACD,CAAA;AA/RY,8DAAyB;oCAAzB,yBAAyB;IADrC,IAAA,YAAO,GAAE;qCAKA,uBAAM;QACmB,mBAAc;QACN,2BAAsB;QAChC,4BAAY;QACb,0BAAW;GAR9B,yBAAyB,CA+RrC"}

package/dist/modules/token-exchange/services/jti-cleanup.service.js CHANGED Viewed

@@ -30,7 +30,7 @@ let JtiCleanupService = class JtiCleanupService {
             this.startCleanup();
     }
     startCleanup() {
-        if (this.isShuttingDown)
+        if (this.isShuttingDown || this.cleanupInterval)
             return;
         const intervalMs = this.config.jtiCleanupIntervalSeconds * constants_1.Time.seconds.toMilliseconds;
         this.cleanupInterval = setInterval(async () => await this.cleanup(), intervalMs);

package/dist/modules/token-exchange/services/jti-cleanup.service.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"jti-cleanup.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/jti-cleanup.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA6C;AAC7C,8CAAsC;AACtC,gDAAiF;AACjF,gCAAkC;AAClC,uCAA4C;AAE5C,0GAAoG;AACpG,oEAA+D;AAGxD,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAO7B,YACC,MAAc,EACG,MAA2B,EAC3B,aAAyC,EACzC,gBAAkC;QAFlC,WAAM,GAAN,MAAM,CAAqB;QAC3B,kBAAa,GAAb,aAAa,CAA4B;QACzC,qBAAgB,GAAhB,gBAAgB,CAAkB;QAR5C,mBAAc,GAAG,KAAK,CAAC;QAU9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI;QACH,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ;YAAE,IAAI,CAAC,YAAY,EAAE,CAAC;IACzD,CAAC;IAGD,YAAY;QACX,IAAI,IAAI,CAAC,cAAc;YAAE,OAAO;~~QAEhC~~,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,yBAAyB,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QACvF,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;QAEjF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,IAAI,CAAC,MAAM,CAAC,yBAAyB,GAAG,CAAC,CAAC;IAC5F,CAAC;IAGD,WAAW;QACV,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACpC,IAAI,CAAC,eAAe,GAAG,SAAS,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,OAAO;QACpB,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,IAAI,CAAC;YACJ,IAAI,OAAe,CAAC;YACpB,GAAG,CAAC;gBACH,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBACvF,YAAY,IAAI,OAAO,CAAC;YACzB,CAAC,QAAQ,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE;YAErD,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;YACvE,CAAC;QACF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACjE,CAAC;IACF,CAAC;IAGD,QAAQ;QACP,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;CACD,CAAA;AA1DY,8CAAiB;AAqB7B;IADC,IAAA,6BAAgB,GAAE;;;;qDAQlB;AAGD;IADC,IAAA,6BAAgB,GAAE;;;;oDAIlB;AAoBD;IADC,IAAA,uBAAU,GAAE;;;;iDAIZ;4BAzDW,iBAAiB;IAD7B,IAAA,YAAO,GAAE;qCASA,uBAAM;QACW,2CAAmB;QACZ,0DAA0B;QACvB,2BAAgB;GAXxC,iBAAiB,CA0D7B"}
1	+ {"version":3,"file":"jti-cleanup.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/jti-cleanup.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA6C;AAC7C,8CAAsC;AACtC,gDAAiF;AACjF,gCAAkC;AAClC,uCAA4C;AAE5C,0GAAoG;AACpG,oEAA+D;AAGxD,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAO7B,YACC,MAAc,EACG,MAA2B,EAC3B,aAAyC,EACzC,gBAAkC;QAFlC,WAAM,GAAN,MAAM,CAAqB;QAC3B,kBAAa,GAAb,aAAa,CAA4B;QACzC,qBAAgB,GAAhB,gBAAgB,CAAkB;QAR5C,mBAAc,GAAG,KAAK,CAAC;QAU9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI;QACH,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ;YAAE,IAAI,CAAC,YAAY,EAAE,CAAC;IACzD,CAAC;IAGD,YAAY;QACX,IAAI,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,eAAe;YAAE,OAAO;QAExD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,yBAAyB,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QACvF,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;QAEjF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,IAAI,CAAC,MAAM,CAAC,yBAAyB,GAAG,CAAC,CAAC;IAC5F,CAAC;IAGD,WAAW;QACV,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACpC,IAAI,CAAC,eAAe,GAAG,SAAS,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,OAAO;QACpB,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,IAAI,CAAC;YACJ,IAAI,OAAe,CAAC;YACpB,GAAG,CAAC;gBACH,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBACvF,YAAY,IAAI,OAAO,CAAC;YACzB,CAAC,QAAQ,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE;YAErD,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;YACvE,CAAC;QACF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACjE,CAAC;IACF,CAAC;IAGD,QAAQ;QACP,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;CACD,CAAA;AA1DY,8CAAiB;AAqB7B;IADC,IAAA,6BAAgB,GAAE;;;;qDAQlB;AAGD;IADC,IAAA,6BAAgB,GAAE;;;;oDAIlB;AAoBD;IADC,IAAA,uBAAU,GAAE;;;;iDAIZ;4BAzDW,iBAAiB;IAD7B,IAAA,YAAO,GAAE;qCASA,uBAAM;QACW,2CAAmB;QACZ,0DAA0B;QACvB,2BAAgB;GAXxC,iBAAiB,CA0D7B"}

package/dist/modules/token-exchange/services/jwks-resolver.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import { Logger } from '@n8n/backend-common';
+import type { JwksKeySource } from '../token-exchange.schemas';
+export interface SkippedKey {
+    kid?: string;
+    reason: string;
+}
+export interface JwksResolvedKey {
+    kid: string;
+    algorithms: string[];
+    keyMaterial: string;
+    issuer: string;
+    expectedAudience?: string;
+    allowedRoles?: string[];
+}
+export interface JwksResolverResult {
+    keys: JwksResolvedKey[];
+    ttlSeconds: number;
+    skipped: SkippedKey[];
+}
+export declare class JwksResolverService {
+    private readonly logger;
+    constructor(logger: Logger);
+    resolveKeys(source: JwksKeySource, options?: {
+        fetcher?: typeof fetch;
+        defaultTtlSeconds?: number;
+    }): Promise<JwksResolverResult>;
+    private fetchJwkSet;
+    private parseJwk;
+    private computeTtl;
+}

package/dist/modules/token-exchange/services/jwks-resolver.js ADDED Viewed

@@ -0,0 +1,190 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwksResolverService = void 0;
+const node_crypto_1 = require("node:crypto");
+const backend_common_1 = require("@n8n/backend-common");
+const di_1 = require("@n8n/di");
+const n8n_workflow_1 = require("n8n-workflow");
+const zod_1 = require("zod");
+const token_exchange_schemas_1 = require("../token-exchange.schemas");
+const FETCH_TIMEOUT_MS = 10_000;
+const DEFAULT_TTL_SECONDS = 3600;
+const MIN_TTL_SECONDS = 60;
+const MAX_TTL_SECONDS = 86_400;
+const supportedAlgorithmSet = new Set(token_exchange_schemas_1.JwtAlgorithmSchema.options);
+const SigningJwkSchema = zod_1.z
+    .object({
+    kid: zod_1.z.string().min(1),
+    kty: zod_1.z.enum(['RSA', 'EC', 'OKP']),
+    alg: zod_1.z.string().optional(),
+    use: zod_1.z
+        .string()
+        .optional()
+        .refine((use) => use === undefined || use === 'sig', {
+        message: 'Only signing keys (use: "sig" or absent) are accepted',
+    }),
+    crv: zod_1.z.string().optional(),
+})
+    .passthrough();
+const JwkSetSchema = zod_1.z.object({
+    keys: zod_1.z.array(zod_1.z.unknown()).min(1),
+});
+const CURVE_TO_ALGORITHM = {
+    'P-256': 'ES256',
+    'P-384': 'ES384',
+    'P-521': 'ES512',
+    Ed25519: 'EdDSA',
+};
+function inferAlgorithm(jwk) {
+    if (jwk.alg) {
+        return supportedAlgorithmSet.has(jwk.alg) ? jwk.alg : undefined;
+    }
+    switch (jwk.kty) {
+        case 'RSA':
+            return 'RS256';
+        case 'EC':
+        case 'OKP':
+            return jwk.crv ? CURVE_TO_ALGORITHM[jwk.crv] : undefined;
+        default:
+            return undefined;
+    }
+}
+function parseMaxAge(cacheControl) {
+    if (!cacheControl)
+        return undefined;
+    const match = /max-age=(\d+)/.exec(cacheControl);
+    if (!match)
+        return undefined;
+    const value = parseInt(match[1], 10);
+    return Number.isNaN(value) ? undefined : value;
+}
+let JwksResolverService = class JwksResolverService {
+    constructor(logger) {
+        this.logger = logger.scoped('token-exchange');
+    }
+    async resolveKeys(source, options) {
+        const fetcher = options?.fetcher ?? globalThis.fetch;
+        const defaultTtl = options?.defaultTtlSeconds ?? DEFAULT_TTL_SECONDS;
+        const { url } = source;
+        this.logger.debug(`Fetching JWKS from "${url}"`);
+        const { rawKeys, cacheControl } = await this.fetchJwkSet(url, fetcher);
+        const ttlSeconds = this.computeTtl(cacheControl, source, defaultTtl);
+        const keys = [];
+        const skipped = [];
+        for (const rawJwk of rawKeys) {
+            const result = this.parseJwk(rawJwk, source);
+            if ('resolved' in result) {
+                keys.push(result.resolved);
+            }
+            else {
+                skipped.push(result.skipped);
+            }
+        }
+        if (keys.length === 0) {
+            const reasons = skipped.map((s) => `${s.kid ?? 'unknown'}: ${s.reason}`).join('; ');
+            throw new n8n_workflow_1.OperationalError(`JWKS response has no usable signing keys for "${url}" (${reasons})`);
+        }
+        this.logger.debug(`Resolved ${keys.length} key(s) from "${url}"`, {
+            resolved: keys.length,
+            skipped: skipped.length,
+            ttlSeconds,
+        });
+        return { keys, ttlSeconds, skipped };
+    }
+    async fetchJwkSet(url, fetcher) {
+        let response;
+        try {
+            response = await fetcher(url, {
+                signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+                headers: { Accept: 'application/json' },
+                redirect: 'error',
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'unknown error';
+            throw new n8n_workflow_1.OperationalError(`JWKS fetch failed for "${url}": ${message}`);
+        }
+        if (!response.ok) {
+            throw new n8n_workflow_1.OperationalError(`JWKS fetch failed for "${url}": HTTP ${response.status}`);
+        }
+        let body;
+        try {
+            body = await response.json();
+        }
+        catch {
+            throw new n8n_workflow_1.OperationalError(`JWKS response is not valid JSON for "${url}"`);
+        }
+        const jwkSetResult = JwkSetSchema.safeParse(body);
+        if (!jwkSetResult.success) {
+            throw new n8n_workflow_1.OperationalError(`JWKS response has no keys for "${url}"`);
+        }
+        return {
+            rawKeys: jwkSetResult.data.keys,
+            cacheControl: response.headers.get('cache-control'),
+        };
+    }
+    parseJwk(rawJwk, source) {
+        if (rawJwk === null || typeof rawJwk !== 'object') {
+            return { skipped: { kid: undefined, reason: 'not an object' } };
+        }
+        const jwkResult = SigningJwkSchema.safeParse(rawJwk);
+        if (!jwkResult.success) {
+            const raw = rawJwk;
+            return {
+                skipped: {
+                    kid: typeof raw.kid === 'string' ? raw.kid : undefined,
+                    reason: 'failed schema validation',
+                },
+            };
+        }
+        const jwk = jwkResult.data;
+        const algorithm = inferAlgorithm(jwk);
+        if (!algorithm) {
+            return {
+                skipped: {
+                    kid: jwk.kid,
+                    reason: `unsupported algorithm or key type (kty=${jwk.kty}, alg=${jwk.alg ?? 'none'}, crv=${jwk.crv ?? 'none'})`,
+                },
+            };
+        }
+        let keyObject;
+        try {
+            keyObject = (0, node_crypto_1.createPublicKey)({ format: 'jwk', key: jwk });
+        }
+        catch {
+            return {
+                skipped: { kid: jwk.kid, reason: 'failed to create public key from JWK material' },
+            };
+        }
+        return {
+            resolved: {
+                kid: jwk.kid,
+                algorithms: [algorithm],
+                keyMaterial: keyObject.export({ type: 'spki', format: 'pem' }),
+                issuer: source.issuer,
+                expectedAudience: source.expectedAudience,
+                allowedRoles: source.allowedRoles,
+            },
+        };
+    }
+    computeTtl(cacheControl, source, defaultTtl) {
+        const maxAge = parseMaxAge(cacheControl);
+        const rawTtl = maxAge ?? source.cacheTtlSeconds ?? defaultTtl;
+        return Math.max(MIN_TTL_SECONDS, Math.min(rawTtl, MAX_TTL_SECONDS));
+    }
+};
+exports.JwksResolverService = JwksResolverService;
+exports.JwksResolverService = JwksResolverService = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [backend_common_1.Logger])
+], JwksResolverService);
+//# sourceMappingURL=jwks-resolver.js.map

package/dist/modules/token-exchange/services/jwks-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks-resolver.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/jwks-resolver.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,6CAA8C;AAE9C,wDAA6C;AAC7C,gCAAkC;AAElC,+CAAgD;AAChD,6BAAwB;AAGxB,sEAA+D;AAS/D,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAChC,MAAM,mBAAmB,GAAG,IAAI,CAAC;AACjC,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,eAAe,GAAG,MAAM,CAAC;AA2B/B,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAS,2CAAkB,CAAC,OAAO,CAAC,CAAC;AAG1E,MAAM,gBAAgB,GAAG,OAAC;KACxB,MAAM,CAAC;IACP,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACjC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC;SACJ,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,KAAK,EAAE;QACpD,OAAO,EAAE,uDAAuD;KAChE,CAAC;IACH,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC1B,CAAC;KACD,WAAW,EAAE,CAAC;AAKhB,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;CACjC,CAAC,CAAC;AAMH,MAAM,kBAAkB,GAAuC;IAC9D,OAAO,EAAE,OAAO;IAChB,OAAO,EAAE,OAAO;IAChB,OAAO,EAAE,OAAO;IAChB,OAAO,EAAE,OAAO;CAChB,CAAC;AAEF,SAAS,cAAc,CAAC,GAAe;IACtC,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACb,OAAO,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,GAA0B,CAAC,CAAC,CAAC,SAAS,CAAC;IACzF,CAAC;IAED,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QACjB,KAAK,KAAK;YACT,OAAO,OAAO,CAAC;QAChB,KAAK,IAAI,CAAC;QACV,KAAK,KAAK;YACT,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC1D;YACC,OAAO,SAAS,CAAC;IACnB,CAAC;AACF,CAAC;AAMD,SAAS,WAAW,CAAC,YAA2B;IAC/C,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IACpC,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;AAChD,CAAC;AAWM,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAG/B,YAAY,MAAc;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,WAAW,CAChB,MAAqB,EACrB,OAGC;QAED,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC;QACrD,MAAM,UAAU,GAAG,OAAO,EAAE,iBAAiB,IAAI,mBAAmB,CAAC;QACrE,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC;QAEvB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,GAAG,GAAG,CAAC,CAAC;QAEjD,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QAErE,MAAM,IAAI,GAAsB,EAAE,CAAC;QACnC,MAAM,OAAO,GAAiB,EAAE,CAAC;QAEjC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,UAAU,IAAI,MAAM,EAAE,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACP,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC9B,CAAC;QACF,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,SAAS,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpF,MAAM,IAAI,+BAAgB,CACzB,iDAAiD,GAAG,MAAM,OAAO,GAAG,CACpE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,MAAM,iBAAiB,GAAG,GAAG,EAAE;YACjE,QAAQ,EAAE,IAAI,CAAC,MAAM;YACrB,OAAO,EAAE,OAAO,CAAC,MAAM;YACvB,UAAU;SACV,CAAC,CAAC;QAEH,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;IACtC,CAAC;IAKO,KAAK,CAAC,WAAW,CACxB,GAAW,EACX,OAAqB;QAErB,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACJ,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;gBAC7B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;gBACvC,QAAQ,EAAE,OAAO;aACjB,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,MAAM,IAAI,+BAAgB,CAAC,0BAA0B,GAAG,MAAM,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAClB,MAAM,IAAI,+BAAgB,CAAC,0BAA0B,GAAG,WAAW,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,IAAa,CAAC;QAClB,IAAI,CAAC;YACJ,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACR,MAAM,IAAI,+BAAgB,CAAC,wCAAwC,GAAG,GAAG,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,YAAY,GAAG,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClD,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,+BAAgB,CAAC,kCAAkC,GAAG,GAAG,CAAC,CAAC;QACtE,CAAC;QAED,OAAO;YACN,OAAO,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI;YAC/B,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;SACnD,CAAC;IACH,CAAC;IAGO,QAAQ,CACf,MAAe,EACf,MAAqB;QAErB,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YACnD,OAAO,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,CAAC;QACjE,CAAC;QAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACrD,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,MAAiC,CAAC;YAC9C,OAAO;gBACN,OAAO,EAAE;oBACR,GAAG,EAAE,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;oBACtD,MAAM,EAAE,0BAA0B;iBAClC;aACD,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC;QAE3B,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,OAAO;gBACN,OAAO,EAAE;oBACR,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,MAAM,EAAE,0CAA0C,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,GAAG,IAAI,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,MAAM,GAAG;iBAChH;aACD,CAAC;QACH,CAAC;QAED,IAAI,SAA6C,CAAC;QAClD,IAAI,CAAC;YACJ,SAAS,GAAG,IAAA,6BAAe,EAAC,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAA4B,CAAC,CAAC;QACpF,CAAC;QAAC,MAAM,CAAC;YACR,OAAO;gBACN,OAAO,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,+CAA+C,EAAE;aAClF,CAAC;QACH,CAAC;QAED,OAAO;YACN,QAAQ,EAAE;gBACT,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,UAAU,EAAE,CAAC,SAAS,CAAC;gBACvB,WAAW,EAAE,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW;gBACxE,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;gBACzC,YAAY,EAAE,MAAM,CAAC,YAAY;aACjC;SACD,CAAC;IACH,CAAC;IAGO,UAAU,CACjB,YAA2B,EAC3B,MAAqB,EACrB,UAAkB;QAElB,MAAM,MAAM,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,IAAI,MAAM,CAAC,eAAe,IAAI,UAAU,CAAC;QAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IACrE,CAAC;CACD,CAAA;AA3JY,kDAAmB;8BAAnB,mBAAmB;IAD/B,IAAA,YAAO,GAAE;qCAIW,uBAAM;GAHd,mBAAmB,CA2J/B"}

package/dist/modules/token-exchange/services/scoped-jwt.strategy.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { AuthenticatedRequest } from '@n8n/db';
+import { UserRepository } from '@n8n/db';
+import type { AuthStrategy } from '../../../services/auth-strategy.types';
+import { JwtService } from '../../../services/jwt.service';
+export declare class ScopedJwtStrategy implements AuthStrategy {
+    private readonly jwtService;
+    private readonly userRepository;
+    constructor(jwtService: JwtService, userRepository: UserRepository);
+    authenticate(req: AuthenticatedRequest): Promise<boolean | null>;
+    private findUser;
+    private extractToken;
+}

package/dist/modules/token-exchange/services/scoped-jwt.strategy.js ADDED Viewed

@@ -0,0 +1,92 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopedJwtStrategy = void 0;
+const db_1 = require("@n8n/db");
+const di_1 = require("@n8n/di");
+const jsonwebtoken_1 = require("jsonwebtoken");
+const jwt_service_1 = require("../../../services/jwt.service");
+const permissions_1 = require("@n8n/permissions");
+const token_exchange_types_1 = require("../token-exchange.types");
+const BEARER_PREFIX = 'Bearer ';
+const API_KEY_HEADER = 'x-n8n-api-key';
+let ScopedJwtStrategy = class ScopedJwtStrategy {
+    constructor(jwtService, userRepository) {
+        this.jwtService = jwtService;
+        this.userRepository = userRepository;
+    }
+    async authenticate(req) {
+        const token = this.extractToken(req);
+        if (!token)
+            return null;
+        const decoded = this.jwtService.decode(token);
+        if (!decoded || decoded.iss !== token_exchange_types_1.TOKEN_EXCHANGE_ISSUER) {
+            return null;
+        }
+        let payload;
+        try {
+            payload = this.jwtService.verify(token, {
+                issuer: token_exchange_types_1.TOKEN_EXCHANGE_ISSUER,
+            });
+        }
+        catch (error) {
+            if (error instanceof jsonwebtoken_1.TokenExpiredError || error instanceof jsonwebtoken_1.JsonWebTokenError) {
+                return false;
+            }
+            throw error;
+        }
+        const subject = await this.findUser(payload.sub);
+        if (!subject || subject.disabled)
+            return false;
+        let actor;
+        if (payload.act) {
+            const found = await this.findUser(payload.act.sub);
+            if (found?.disabled)
+                return false;
+            actor = found ?? undefined;
+        }
+        const actingUser = actor ?? subject;
+        req.tokenGrant = {
+            scopes: actingUser.role.scopes.map((s) => s.slug),
+            apiKeyScopes: Array.from(permissions_1.ALL_API_KEY_SCOPES),
+            subject,
+            ...(actor && { actor }),
+        };
+        req.user = actingUser;
+        return true;
+    }
+    async findUser(id) {
+        return await this.userRepository.findOne({
+            where: { id },
+            relations: { role: true },
+        });
+    }
+    extractToken(req) {
+        const authHeader = req.headers.authorization;
+        if (typeof authHeader === 'string' && authHeader.startsWith(BEARER_PREFIX)) {
+            const token = authHeader.slice(BEARER_PREFIX.length).trim();
+            if (token)
+                return token;
+        }
+        const apiKeyHeader = req.headers[API_KEY_HEADER];
+        if (typeof apiKeyHeader === 'string' && apiKeyHeader) {
+            return apiKeyHeader;
+        }
+        return null;
+    }
+};
+exports.ScopedJwtStrategy = ScopedJwtStrategy;
+exports.ScopedJwtStrategy = ScopedJwtStrategy = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [jwt_service_1.JwtService,
+        db_1.UserRepository])
+], ScopedJwtStrategy);
+//# sourceMappingURL=scoped-jwt.strategy.js.map

package/dist/modules/token-exchange/services/scoped-jwt.strategy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scoped-jwt.strategy.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/scoped-jwt.strategy.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,gCAAyC;AACzC,gCAAkC;AAClC,+CAAoE;AAGpE,wDAAoD;AAEpD,kDAAsD;AACtD,kEAAuF;AAEvF,MAAM,aAAa,GAAG,SAAS,CAAC;AAChC,MAAM,cAAc,GAAG,eAAe,CAAC;AAGhC,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAC7B,YACkB,UAAsB,EACtB,cAA8B;QAD9B,eAAU,GAAV,UAAU,CAAY;QACtB,mBAAc,GAAd,cAAc,CAAgB;IAC7C,CAAC;IAEJ,KAAK,CAAC,YAAY,CAAC,GAAyB;QAE3C,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAGxB,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAmB,KAAK,CAAC,CAAC;QAChE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,KAAK,4CAAqB,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QACb,CAAC;QAGD,IAAI,OAAyB,CAAC;QAC9B,IAAI,CAAC;YACJ,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAmB,KAAK,EAAE;gBACzD,MAAM,EAAE,4CAAqB;aAC7B,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,gCAAiB,IAAI,KAAK,YAAY,gCAAiB,EAAE,CAAC;gBAC9E,OAAO,KAAK,CAAC;YACd,CAAC;YACD,MAAM,KAAK,CAAC;QACb,CAAC;QAGD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAI/C,IAAI,KAAuB,CAAC;QAC5B,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACnD,IAAI,KAAK,EAAE,QAAQ;gBAAE,OAAO,KAAK,CAAC;YAClC,KAAK,GAAG,KAAK,IAAI,SAAS,CAAC;QAC5B,CAAC;QAGD,MAAM,UAAU,GAAG,KAAK,IAAI,OAAO,CAAC;QAGpC,GAAG,CAAC,UAAU,GAAG;YAChB,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YACjD,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,gCAAkB,CAAC;YAC5C,OAAO;YACP,GAAG,CAAC,KAAK,IAAI,EAAE,KAAK,EAAE,CAAC;SACvB,CAAC;QAEF,GAAG,CAAC,IAAI,GAAG,UAAU,CAAC;QAEtB,OAAO,IAAI,CAAC;IACb,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,EAAU;QAChC,OAAO,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC;YACxC,KAAK,EAAE,EAAE,EAAE,EAAE;YACb,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;SACzB,CAAC,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,GAAyB;QAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAC5E,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5D,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC;QACzB,CAAC;QAED,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACjD,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,EAAE,CAAC;YACtD,OAAO,YAAY,CAAC;QACrB,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;CACD,CAAA;AAhFY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,YAAO,GAAE;qCAGqB,wBAAU;QACN,mBAAc;GAHpC,iBAAiB,CAgF7B"}

package/dist/modules/token-exchange/services/token-exchange.service.d.ts CHANGED Viewed

@@ -1,6 +1,9 @@
 import { Logger } from '@n8n/backend-common';
 import type { User } from '@n8n/db';
-import type { ExternalTokenClaims } from '../token-exchange.schemas';
+import { JwtService } from '../../../services/jwt.service';
+import { TokenExchangeConfig } from '../token-exchange.config';
+import type { ExternalTokenClaims, ResolvedTrustedKey, TokenExchangeRequest } from '../token-exchange.schemas';
+import { type IssuedTokenResult } from '../token-exchange.types';
 import { IdentityResolutionService } from './identity-resolution.service';
 import { JtiStoreService } from './jti-store.service';
 import { TrustedKeyService } from './trusted-key.service';
@@ -8,10 +11,21 @@ export declare class TokenExchangeService {
     private readonly trustedKeyStore;
     private readonly jtiStore;
     private readonly identityResolutionService;
+    private readonly config;
+    private readonly jwtService;
     private readonly logger;
-    constructor(logger: Logger, trustedKeyStore: TrustedKeyService, jtiStore: JtiStoreService, identityResolutionService: IdentityResolutionService);
+    constructor(logger: Logger, trustedKeyStore: TrustedKeyService, jtiStore: JtiStoreService, identityResolutionService: IdentityResolutionService, config: TokenExchangeConfig, jwtService: JwtService);
     verifyToken(subjectToken: string, { maxLifetimeSeconds }?: {
         maxLifetimeSeconds?: number;
-    }): Promise<ExternalTokenClaims>;
-    embedLogin(subjectToken: string): Promise<User>;
+    }): Promise<{
+        claims: ExternalTokenClaims;
+        resolvedKey: ResolvedTrustedKey;
+    }>;
+    embedLogin(subjectToken: string): Promise<{
+        user: User;
+        subject: string;
+        issuer: string;
+        kid: string;
+    }>;
+    exchange(request: TokenExchangeRequest): Promise<IssuedTokenResult>;
 }