n8n 2.16.0 → 2.17.0

package/dist/modules/token-exchange/services/token-exchange.service.js

@@ -15,19 +15,26 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.TokenExchangeService = void 0;
 const backend_common_1 = require("@n8n/backend-common");
 const di_1 = require("@n8n/di");
+const crypto_1 = require("crypto");
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const auth_error_1 = require("../../../errors/response-errors/auth.error");
 const bad_request_error_1 = require("../../../errors/response-errors/bad-request.error");
+const jwt_service_1 = require("../../../services/jwt.service");
+const token_exchange_config_1 = require("../token-exchange.config");
 const token_exchange_schemas_1 = require("../token-exchange.schemas");
+const token_exchange_types_1 = require("../token-exchange.types");
 const identity_resolution_service_1 = require("./identity-resolution.service");
 const jti_store_service_1 = require("./jti-store.service");
 const trusted_key_service_1 = require("./trusted-key.service");
 const MAX_TOKEN_LIFETIME_SECONDS = 60;
+const MIN_REMAINING_LIFETIME_SECONDS = 5;
 let TokenExchangeService = class TokenExchangeService {
-    constructor(logger, trustedKeyStore, jtiStore, identityResolutionService) {
+    constructor(logger, trustedKeyStore, jtiStore, identityResolutionService, config, jwtService) {
         this.trustedKeyStore = trustedKeyStore;
         this.jtiStore = jtiStore;
         this.identityResolutionService = identityResolutionService;
+        this.config = config;
+        this.jwtService = jwtService;
         this.logger = logger.scoped('token-exchange');
     }
     async verifyToken(subjectToken, { maxLifetimeSeconds } = {}) {
@@ -39,7 +46,14 @@ let TokenExchangeService = class TokenExchangeService {
         if (!kid) {
             throw new bad_request_error_1.BadRequestError('Token header missing kid');
         }
-        const resolvedKey = await this.trustedKeyStore.getByKid(kid);
+        const decodedPayload = decoded.payload;
+        const iss = typeof decodedPayload === 'object' && decodedPayload !== null
+            ? decodedPayload.iss
+            : undefined;
+        if (typeof iss !== 'string' || !iss) {
+            throw new bad_request_error_1.BadRequestError('Token payload missing iss');
+        }
+        const resolvedKey = await this.trustedKeyStore.getByKidAndIss(kid, iss);
         if (!resolvedKey) {
             throw new auth_error_1.AuthError('Unknown key id');
         }
@@ -49,6 +63,8 @@ let TokenExchangeService = class TokenExchangeService {
                 algorithms: resolvedKey.algorithms,
                 issuer: resolvedKey.issuer,
                 audience: resolvedKey.expectedAudience,
+                ignoreExpiration: false,
+                ignoreNotBefore: false,
             });
             if (typeof result === 'string' || !('iat' in result)) {
                 throw new auth_error_1.AuthError('Unexpected token format');
@@ -73,13 +89,54 @@ let TokenExchangeService = class TokenExchangeService {
         if (!consumed) {
             throw new auth_error_1.AuthError('Token has already been used');
         }
-        return claims;
+        return { claims, resolvedKey };
     }
     async embedLogin(subjectToken) {
-        const claims = await this.verifyToken(subjectToken, {
+        const { claims, resolvedKey } = await this.verifyToken(subjectToken, {
             maxLifetimeSeconds: MAX_TOKEN_LIFETIME_SECONDS,
         });
-        return await this.identityResolutionService.resolve(claims);
+        const user = await this.identityResolutionService.resolve(claims, resolvedKey.allowedRoles, {
+            kid: resolvedKey.kid,
+            issuer: resolvedKey.issuer,
+        });
+        return { user, subject: claims.sub, issuer: resolvedKey.issuer, kid: resolvedKey.kid };
+    }
+    async exchange(request) {
+        const subjectClaims = await this.verifyToken(request.subject_token);
+        const actorClaims = request.actor_token
+            ? await this.verifyToken(request.actor_token)
+            : undefined;
+        const actor = actorClaims
+            ? await this.identityResolutionService.resolve(actorClaims.claims, actorClaims.resolvedKey.allowedRoles, actorClaims.resolvedKey)
+            : undefined;
+        const subject = await this.identityResolutionService.resolve(subjectClaims.claims, subjectClaims.resolvedKey.allowedRoles, subjectClaims.resolvedKey);
+        const now = Math.floor(Date.now() / 1000);
+        const maxTtl = this.config.maxTokenTtl;
+        const exp = Math.min(subjectClaims.claims.exp, actorClaims?.claims.exp ?? Infinity, now + maxTtl);
+        if (exp <= now + MIN_REMAINING_LIFETIME_SECONDS) {
+            throw new auth_error_1.AuthError('Subject token too close to expiry to issue a new token');
+        }
+        const resources = request.resource?.split(' ').filter(Boolean);
+        const payload = {
+            iss: token_exchange_types_1.TOKEN_EXCHANGE_ISSUER,
+            sub: subject.id,
+            ...(actor && { act: { sub: actor.id } }),
+            ...(request.scope && { scope: request.scope }),
+            ...(resources?.length && { resource: resources }),
+            iat: now,
+            exp,
+            jti: (0, crypto_1.randomUUID)(),
+        };
+        const accessToken = this.jwtService.sign(payload);
+        return {
+            accessToken,
+            expiresIn: exp - now,
+            subjectUserId: subject.id,
+            subject: subjectClaims.claims.sub,
+            issuer: subjectClaims.claims.iss,
+            actor: actorClaims?.claims.sub,
+            actorUserId: actor?.id,
+        };
     }
 };
 exports.TokenExchangeService = TokenExchangeService;
@@ -88,6 +145,8 @@ exports.TokenExchangeService = TokenExchangeService = __decorate([
     __metadata("design:paramtypes", [backend_common_1.Logger,
         trusted_key_service_1.TrustedKeyService,
         jti_store_service_1.JtiStoreService,
-        identity_resolution_service_1.IdentityResolutionService])
+        identity_resolution_service_1.IdentityResolutionService,
+        token_exchange_config_1.TokenExchangeConfig,
+        jwt_service_1.JwtService])
 ], TokenExchangeService);
 //# sourceMappingURL=token-exchange.service.js.map

package/dist/modules/token-exchange/services/token-exchange.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-exchange.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/token-exchange.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAA6C;AAE7C,gCAAkC;AAClC,gEAA+B;AAE/B,oEAAgE;AAChE,kFAA6E;AAG7E,sEAAsE;AACtE,+EAA0E;AAC1E,2DAAsD;AACtD,+DAA0D;AAE1D,MAAM,0BAA0B,GAAG,EAAE,CAAC;AAG/B,IAAM,oBAAoB,GAA1B,MAAM,oBAAoB;IAGhC,YACC,MAAc,EACG,eAAkC,EAClC,QAAyB,EACzB,yBAAoD;QAFpD,oBAAe,GAAf,eAAe,CAAmB;QAClC,aAAQ,GAAR,QAAQ,CAAiB;QACzB,8BAAyB,GAAzB,yBAAyB,CAA2B;QAErE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAaD,KAAK,CAAC,WAAW,CAChB,YAAoB,EACpB,EAAE,kBAAkB,KAAsC,EAAE;QAE5D,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,YAAY,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC7C,MAAM,IAAI,mCAAe,CAAC,sBAAsB,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,mCAAe,CAAC,0BAA0B,CAAC,CAAC;QACvD,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,MAAM,IAAI,sBAAS,CAAC,gBAAgB,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,OAAuB,CAAC;QAC5B,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,sBAAG,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,EAAE;gBACxD,UAAU,EAAE,WAAW,CAAC,UAAU;gBAClC,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,QAAQ,EAAE,WAAW,CAAC,gBAAgB;aACtC,CAAC,CAAC;YACH,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,sBAAS,CAAC,yBAAyB,CAAC,CAAC;YAChD,CAAC;YACD,OAAO,GAAG,MAAM,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,sBAAS;gBAAE,MAAM,KAAK,CAAC;YAC5C,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YAChE,MAAM,IAAI,sBAAS,CAAC,2BAA2B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,MAAM,GAAG,kDAAyB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAExD,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;YAC9C,IAAI,aAAa,GAAG,kBAAkB,EAAE,CAAC;gBACxC,MAAM,IAAI,sBAAS,CAAC,wCAAwC,CAAC,CAAC;YAC/D,CAAC;QACF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;QACtF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,MAAM,IAAI,sBAAS,CAAC,6BAA6B,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,CAAC;IACf,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,YAAoB;QACpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE;YACnD,kBAAkB,EAAE,0BAA0B;SAC9C,CAAC,CAAC;QACH,OAAO,MAAM,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,CAAC;CACD,CAAA;AAnFY,oDAAoB;+BAApB,oBAAoB;IADhC,IAAA,YAAO,GAAE;qCAKA,uBAAM;QACoB,uCAAiB;QACxB,mCAAe;QACE,uDAAyB;GAP1D,oBAAoB,CAmFhC"}
+{"version":3,"file":"token-exchange.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/token-exchange.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAA6C;AAE7C,gCAAkC;AAClC,mCAAoC;AACpC,gEAA+B;AAE/B,oEAAgE;AAChE,kFAA6E;AAC7E,wDAAoD;AAEpD,oEAA+D;AAM/D,sEAAsE;AACtE,kEAIiC;AACjC,+EAA0E;AAC1E,2DAAsD;AACtD,+DAA0D;AAE1D,MAAM,0BAA0B,GAAG,EAAE,CAAC;AACtC,MAAM,8BAA8B,GAAG,CAAC,CAAC;AAGlC,IAAM,oBAAoB,GAA1B,MAAM,oBAAoB;IAGhC,YACC,MAAc,EACG,eAAkC,EAClC,QAAyB,EACzB,yBAAoD,EACpD,MAA2B,EAC3B,UAAsB;QAJtB,oBAAe,GAAf,eAAe,CAAmB;QAClC,aAAQ,GAAR,QAAQ,CAAiB;QACzB,8BAAyB,GAAzB,yBAAyB,CAA2B;QACpD,WAAM,GAAN,MAAM,CAAqB;QAC3B,eAAU,GAAV,UAAU,CAAY;QAEvC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAaD,KAAK,CAAC,WAAW,CAChB,YAAoB,EACpB,EAAE,kBAAkB,KAAsC,EAAE;QAE5D,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,YAAY,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC7C,MAAM,IAAI,mCAAe,CAAC,sBAAsB,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,mCAAe,CAAC,0BAA0B,CAAC,CAAC;QACvD,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;QACvC,MAAM,GAAG,GACR,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,KAAK,IAAI;YAC5D,CAAC,CAAC,cAAc,CAAC,GAAG;YACpB,CAAC,CAAC,SAAS,CAAC;QACd,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG,EAAE,CAAC;YACrC,MAAM,IAAI,mCAAe,CAAC,2BAA2B,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,MAAM,IAAI,sBAAS,CAAC,gBAAgB,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,OAAuB,CAAC;QAC5B,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,sBAAG,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,EAAE;gBAExD,UAAU,EAAE,WAAW,CAAC,UAA6B;gBACrD,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,QAAQ,EAAE,WAAW,CAAC,gBAAgB;gBACtC,gBAAgB,EAAE,KAAK;gBACvB,eAAe,EAAE,KAAK;aACtB,CAAC,CAAC;YACH,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,sBAAS,CAAC,yBAAyB,CAAC,CAAC;YAChD,CAAC;YACD,OAAO,GAAG,MAAM,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,sBAAS;gBAAE,MAAM,KAAK,CAAC;YAC5C,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YAChE,MAAM,IAAI,sBAAS,CAAC,2BAA2B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,MAAM,GAAG,kDAAyB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAExD,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;YAC9C,IAAI,aAAa,GAAG,kBAAkB,EAAE,CAAC;gBACxC,MAAM,IAAI,sBAAS,CAAC,wCAAwC,CAAC,CAAC;YAC/D,CAAC;QACF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;QACtF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,MAAM,IAAI,sBAAS,CAAC,6BAA6B,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,UAAU,CACf,YAAoB;QAEpB,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE;YACpE,kBAAkB,EAAE,0BAA0B;SAC9C,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,YAAY,EAAE;YAC3F,GAAG,EAAE,WAAW,CAAC,GAAG;YACpB,MAAM,EAAE,WAAW,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,EAAE,CAAC;IACxF,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAA6B;QAC3C,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QACpE,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW;YACtC,CAAC,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,WAAW,CAAC;YAC7C,CAAC,CAAC,SAAS,CAAC;QAEb,MAAM,KAAK,GAAG,WAAW;YACxB,CAAC,CAAC,MAAM,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAC5C,WAAW,CAAC,MAAM,EAClB,WAAW,CAAC,WAAW,CAAC,YAAY,EACpC,WAAW,CAAC,WAAW,CACvB;YACF,CAAC,CAAC,SAAS,CAAC;QACb,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAC3D,aAAa,CAAC,MAAM,EACpB,aAAa,CAAC,WAAW,CAAC,YAAY,EACtC,aAAa,CAAC,WAAW,CACzB,CAAC;QAEF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CACnB,aAAa,CAAC,MAAM,CAAC,GAAG,EACxB,WAAW,EAAE,MAAM,CAAC,GAAG,IAAI,QAAQ,EACnC,GAAG,GAAG,MAAM,CACZ,CAAC;QAEF,IAAI,GAAG,IAAI,GAAG,GAAG,8BAA8B,EAAE,CAAC;YACjD,MAAM,IAAI,sBAAS,CAAC,wDAAwD,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE/D,MAAM,OAAO,GAAqB;YACjC,GAAG,EAAE,4CAAqB;YAC1B,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,GAAG,CAAC,KAAK,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;YACxC,GAAG,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;YAC9C,GAAG,CAAC,SAAS,EAAE,MAAM,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;YACjD,GAAG,EAAE,GAAG;YACR,GAAG;YACH,GAAG,EAAE,IAAA,mBAAU,GAAE;SACjB,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAElD,OAAO;YACN,WAAW;YACX,SAAS,EAAE,GAAG,GAAG,GAAG;YACpB,aAAa,EAAE,OAAO,CAAC,EAAE;YACzB,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG;YACjC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG;YAChC,KAAK,EAAE,WAAW,EAAE,MAAM,CAAC,GAAG;YAC9B,WAAW,EAAE,KAAK,EAAE,EAAE;SACtB,CAAC;IACH,CAAC;CACD,CAAA;AAjKY,oDAAoB;+BAApB,oBAAoB;IADhC,IAAA,YAAO,GAAE;qCAKA,uBAAM;QACoB,uCAAiB;QACxB,mCAAe;QACE,uDAAyB;QAC5C,2CAAmB;QACf,wBAAU;GAT5B,oBAAoB,CAiKhC"}

package/dist/modules/token-exchange/services/trusted-key.service.d.ts

@@ -1,13 +1,47 @@
 import { Logger } from '@n8n/backend-common';
+import { DbLockService } from '@n8n/db';
+import { InstanceSettings } from 'n8n-core';
+import { TrustedKeySourceEntity } from '../database/entities/trusted-key-source.entity';
+import { TrustedKeyEntity } from '../database/entities/trusted-key.entity';
+import { TrustedKeySourceRepository } from '../database/repositories/trusted-key-source.repository';
+import { TrustedKeyRepository } from '../database/repositories/trusted-key.repository';
 import { TokenExchangeConfig } from '../token-exchange.config';
 import type { ResolvedTrustedKey } from '../token-exchange.schemas';
+import { JwksResolverService } from './jwks-resolver';
 export declare class TrustedKeyService {
-    private readonly tokenExchangeConfig;
+    private readonly config;
+    private readonly trustedKeySourceRepository;
+    private readonly trustedKeyRepository;
+    private readonly instanceSettings;
+    private readonly dbLockService;
+    private readonly jwksResolverService;
     private readonly logger;
-    private readonly keys;
-    constructor(logger: Logger, tokenExchangeConfig: TokenExchangeConfig);
+    private refreshInterval;
+    private isShuttingDown;
+    private readonly cryptoCache;
+    constructor(logger: Logger, config: TokenExchangeConfig, trustedKeySourceRepository: TrustedKeySourceRepository, trustedKeyRepository: TrustedKeyRepository, instanceSettings: InstanceSettings, dbLockService: DbLockService, jwksResolverService: JwksResolverService);
     initialize(): Promise<void>;
-    getByKid(kid: string): Promise<ResolvedTrustedKey | undefined>;
-    get size(): number;
-    private validateAndStoreStaticKey;
+    onLeaderTakeover(): Promise<void>;
+    private initializeAsLeader;
+    startRefresh(): void;
+    stopRefresh(): void;
+    shutdown(): void;
+    getByKidAndIss(kid: string, issuer: string): Promise<ResolvedTrustedKey | undefined>;
+    refreshSource(sourceId: string): Promise<void>;
+    listAll(): Promise<TrustedKeyEntity[]>;
+    listSources(): Promise<TrustedKeySourceEntity[]>;
+    private parseConfigSources;
+    private generateSourceId;
+    private syncSourcesToDb;
+    private refreshAllSources;
+    private refreshDueSources;
+    private getRefreshIntervalMs;
+    private refreshSourceInternal;
+    private refreshSourceWithinTransaction;
+    private resolveKeysForSource;
+    private resolveKeysForJwksSource;
+    private resolveKeysForStaticSource;
+    private resolveStaticKeys;
+    private validateKeyMaterial;
+    private resolveCryptoKey;
 }

package/dist/modules/token-exchange/services/trusted-key.service.js

@@ -12,11 +12,21 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.TrustedKeyService = void 0;
 const node_crypto_1 = require("node:crypto");
 const backend_common_1 = require("@n8n/backend-common");
+const constants_1 = require("@n8n/constants");
+const db_1 = require("@n8n/db");
+const decorators_1 = require("@n8n/decorators");
 const di_1 = require("@n8n/di");
+const typeorm_1 = require("@n8n/typeorm");
+const n8n_core_1 = require("n8n-core");
 const n8n_workflow_1 = require("n8n-workflow");
 const zod_1 = require("zod");
+const trusted_key_source_entity_1 = require("../database/entities/trusted-key-source.entity");
+const trusted_key_entity_1 = require("../database/entities/trusted-key.entity");
+const trusted_key_source_repository_1 = require("../database/repositories/trusted-key-source.repository");
+const trusted_key_repository_1 = require("../database/repositories/trusted-key.repository");
 const token_exchange_config_1 = require("../token-exchange.config");
 const token_exchange_schemas_1 = require("../token-exchange.schemas");
+const jwks_resolver_1 = require("./jwks-resolver");
 const ALGORITHM_FAMILY = {
     RS256: 'RSA',
     RS384: 'RSA',
@@ -29,17 +39,110 @@ const ALGORITHM_FAMILY = {
     ES512: 'EC',
     EdDSA: 'EdDSA',
 };
+const STATIC_SOURCE_ID = 'static';
+const REFRESH_POLL_INTERVAL_MS = 30 * constants_1.Time.seconds.toMilliseconds;
 let TrustedKeyService = class TrustedKeyService {
-    constructor(logger, tokenExchangeConfig) {
-        this.tokenExchangeConfig = tokenExchangeConfig;
-        this.keys = new Map();
+    constructor(logger, config, trustedKeySourceRepository, trustedKeyRepository, instanceSettings, dbLockService, jwksResolverService) {
+        this.config = config;
+        this.trustedKeySourceRepository = trustedKeySourceRepository;
+        this.trustedKeyRepository = trustedKeyRepository;
+        this.instanceSettings = instanceSettings;
+        this.dbLockService = dbLockService;
+        this.jwksResolverService = jwksResolverService;
+        this.isShuttingDown = false;
+        this.cryptoCache = new Map();
         this.logger = logger.scoped('token-exchange');
     }
     async initialize() {
-        const raw = this.tokenExchangeConfig.trustedKeys;
+        if (!this.instanceSettings.isLeader) {
+            this.logger.debug('Worker instance — skipping trusted key initialization');
+            return;
+        }
+        await this.initializeAsLeader();
+    }
+    async onLeaderTakeover() {
+        await this.initializeAsLeader();
+    }
+    async initializeAsLeader() {
+        const sources = this.parseConfigSources();
+        await this.syncSourcesToDb(sources);
+        await this.refreshAllSources();
+        this.startRefresh();
+    }
+    startRefresh() {
+        if (this.isShuttingDown || this.refreshInterval)
+            return;
+        this.refreshInterval = setInterval(async () => await this.refreshDueSources(), REFRESH_POLL_INTERVAL_MS);
+        this.logger.debug('Trusted key refresh poller started');
+    }
+    stopRefresh() {
+        clearInterval(this.refreshInterval);
+        this.refreshInterval = undefined;
+    }
+    shutdown() {
+        this.isShuttingDown = true;
+        this.stopRefresh();
+    }
+    async getByKidAndIss(kid, issuer) {
+        const entities = await this.trustedKeyRepository.findAllByKid(kid);
+        if (entities.length === 0)
+            return undefined;
+        for (const entity of entities) {
+            let data;
+            try {
+                const parsed = token_exchange_schemas_1.TrustedKeyDataSchema.safeParse(JSON.parse(entity.data));
+                if (!parsed.success) {
+                    this.logger.warn('Skipping corrupted trusted key entity', {
+                        kid,
+                        sourceId: entity.sourceId,
+                        error: parsed.error.message,
+                    });
+                    continue;
+                }
+                data = parsed.data;
+            }
+            catch {
+                this.logger.warn('Skipping corrupted trusted key entity', {
+                    kid,
+                    sourceId: entity.sourceId,
+                    error: 'invalid JSON',
+                });
+                continue;
+            }
+            if (data.issuer !== issuer)
+                continue;
+            const cryptoKey = this.resolveCryptoKey(`${entity.sourceId}:${kid}`, data.keyMaterial);
+            if (!cryptoKey)
+                continue;
+            return {
+                kid,
+                algorithms: data.algorithms,
+                key: cryptoKey,
+                issuer: data.issuer,
+                expectedAudience: data.expectedAudience,
+                allowedRoles: data.allowedRoles,
+            };
+        }
+        return undefined;
+    }
+    async refreshSource(sourceId) {
+        const source = await this.trustedKeySourceRepository.findOneBy({ id: sourceId });
+        if (!source) {
+            throw new n8n_workflow_1.UnexpectedError(`Trusted key source not found: ${sourceId}`);
+        }
+        await this.refreshSourceInternal(source);
+    }
+    async listAll() {
+        return await this.trustedKeyRepository.find();
+    }
+    async listSources() {
+        return await this.trustedKeySourceRepository.find();
+    }
+    parseConfigSources() {
+        const raw = this.config.trustedKeys;
         if (!raw) {
             this.logger.info('No trusted keys configured');
-            return;
+            return [];
         }
         let parsed;
         try {
@@ -49,32 +152,237 @@ let TrustedKeyService = class TrustedKeyService {
             this.logger.error('Failed to parse trusted keys JSON', { error });
             throw new n8n_workflow_1.UnexpectedError('Failed to parse trusted keys JSON');
         }
-        const sourcesResult = zod_1.z.array(token_exchange_schemas_1.TrustedKeySourceSchema).safeParse(parsed);
-        if (!sourcesResult.success) {
-            this.logger.error('Trusted keys JSON has invalid format', { error: sourcesResult.error });
+        const result = zod_1.z.array(token_exchange_schemas_1.TrustedKeySourceSchema).safeParse(parsed);
+        if (!result.success) {
+            this.logger.error('Trusted keys JSON has invalid format', { error: result.error });
             throw new n8n_workflow_1.UnexpectedError('Trusted keys JSON has invalid format');
         }
-        const sources = sourcesResult.data;
-        for (const source of sources) {
-            if (source.type === 'jwks') {
-                this.logger.warn('JWKS key sources are not yet supported, skipping kid in source');
-                continue;
+        return result.data;
+    }
+    generateSourceId(source) {
+        if (source.type === 'static')
+            return STATIC_SOURCE_ID;
+        return (0, node_crypto_1.createHash)('sha256').update(source.url).digest('hex').slice(0, 36);
+    }
+    async syncSourcesToDb(sources) {
+        await this.dbLockService.withLock(1002, async (tx) => {
+            this.logger.debug('Syncing sources to the database', { sources });
+            const staticSources = sources.filter((s) => s.type === 'static');
+            const jwksSources = sources.filter((s) => s.type === 'jwks');
+            const expectedSourceIds = new Set();
+            if (staticSources.length > 0) {
+                const sourceId = STATIC_SOURCE_ID;
+                expectedSourceIds.add(sourceId);
+                await tx.save(trusted_key_source_entity_1.TrustedKeySourceEntity, {
+                    id: sourceId,
+                    type: 'static',
+                    config: JSON.stringify(staticSources),
+                    status: 'pending',
+                });
+            }
+            for (const jwks of jwksSources) {
+                const sourceId = this.generateSourceId(jwks);
+                expectedSourceIds.add(sourceId);
+                await tx.save(trusted_key_source_entity_1.TrustedKeySourceEntity, {
+                    id: sourceId,
+                    type: 'jwks',
+                    config: JSON.stringify(jwks),
+                    status: 'pending',
+                });
+            }
+            if (expectedSourceIds.size > 0) {
+                await tx.delete(trusted_key_source_entity_1.TrustedKeySourceEntity, {
+                    id: (0, typeorm_1.Not)((0, typeorm_1.In)([...expectedSourceIds])),
+                });
+            }
+            else {
+                await tx.delete(trusted_key_source_entity_1.TrustedKeySourceEntity, {});
+            }
+        });
+    }
+    async refreshAllSources() {
+        try {
+            const sources = await this.trustedKeySourceRepository.find();
+            for (const source of sources) {
+                await this.refreshSourceInternal(source);
             }
-            this.validateAndStoreStaticKey(source);
         }
-        this.logger.info(`Loaded ${this.keys.size} trusted key(s)`);
+        catch (error) {
+            this.logger.error('Failed to run trusted key refresh cycle', { error });
+        }
     }
-    async getByKid(kid) {
-        return this.keys.get(kid);
+    async refreshDueSources() {
+        try {
+            this.logger.debug('Refreshing due sources');
+            const sources = await this.trustedKeySourceRepository.find();
+            const now = Date.now();
+            for (const source of sources) {
+                const intervalMs = this.getRefreshIntervalMs(source);
+                const lastRefresh = source.lastRefreshedAt?.getTime() ?? 0;
+                if (now - lastRefresh >= intervalMs) {
+                    await this.refreshSourceInternal(source);
+                }
+            }
+        }
+        catch (error) {
+            this.logger.error('Failed to run trusted key refresh cycle', { error });
+        }
     }
-    get size() {
-        return this.keys.size;
+    getRefreshIntervalMs(source) {
+        if (source.type === 'jwks') {
+            try {
+                const config = (0, n8n_workflow_1.jsonParse)(source.config);
+                if (typeof config.cacheTtlSeconds === 'number' && config.cacheTtlSeconds > 0) {
+                    return config.cacheTtlSeconds * constants_1.Time.seconds.toMilliseconds;
+                }
+            }
+            catch (e) {
+                this.logger.warn('Failed to parse source configuration for jwks source', {
+                    id: source.id,
+                    error: e,
+                });
+            }
+        }
+        return this.config.keyRefreshIntervalSeconds * constants_1.Time.seconds.toMilliseconds;
+    }
+    async refreshSourceInternal(source) {
+        try {
+            await this.dbLockService.withLock(1002, async (tx) => {
+                const freshSource = await tx.findOneBy(trusted_key_source_entity_1.TrustedKeySourceEntity, { id: source.id });
+                if (!freshSource)
+                    return;
+                await this.refreshSourceWithinTransaction(freshSource, tx);
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            this.logger.error('Failed to refresh trusted key source', {
+                sourceId: source.id,
+                error: message,
+            });
+            await this.trustedKeySourceRepository.update(source.id, {
+                status: 'error',
+                lastError: message,
+                lastRefreshedAt: new Date(),
+            });
+        }
     }
-    validateAndStoreStaticKey(source) {
-        const { kid, algorithms, key: pemString, issuer, expectedAudience, allowedRoles } = source;
-        if (this.keys.has(kid)) {
-            throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": duplicate kid`);
+    async refreshSourceWithinTransaction(source, tx) {
+        const result = await this.resolveKeysForSource(source);
+        if (!result) {
+            await tx.update(trusted_key_source_entity_1.TrustedKeySourceEntity, source.id, {
+                status: 'healthy',
+                lastRefreshedAt: new Date(),
+            });
+            return;
+        }
+        const keys = result.keys;
+        const cacheTtlSeconds = result.cacheTtlSeconds;
+        await tx.delete(trusted_key_entity_1.TrustedKeyEntity, { sourceId: source.id });
+        for (const key of keys) {
+            await tx.save(trusted_key_entity_1.TrustedKeyEntity, {
+                sourceId: source.id,
+                kid: key.kid,
+                data: JSON.stringify(key.data),
+                createdAt: new Date(),
+            });
+        }
+        const updatePayload = {
+            status: 'healthy',
+            lastError: null,
+            lastRefreshedAt: new Date(),
+        };
+        if (cacheTtlSeconds !== undefined) {
+            const config = (0, n8n_workflow_1.jsonParse)(source.config);
+            config.cacheTtlSeconds = cacheTtlSeconds;
+            updatePayload.config = JSON.stringify(config);
+        }
+        await tx.update(trusted_key_source_entity_1.TrustedKeySourceEntity, source.id, updatePayload);
+    }
+    async resolveKeysForSource(source) {
+        switch (source.type) {
+            case 'static':
+                return this.resolveKeysForStaticSource(source);
+            case 'jwks':
+                return await this.resolveKeysForJwksSource(source);
+            default:
+                this.logger.warn('Unknown key source type, skipping', {
+                    sourceId: source.id,
+                    type: source.type,
+                });
+                return undefined;
+        }
+    }
+    async resolveKeysForJwksSource(source) {
+        let jwksConfig;
+        try {
+            jwksConfig = (0, n8n_workflow_1.jsonParse)(source.config);
+        }
+        catch {
+            throw new n8n_workflow_1.UnexpectedError('Invalid JWKS source config: malformed JSON');
+        }
+        const result = await this.jwksResolverService.resolveKeys(jwksConfig);
+        if (result.skipped.length > 0) {
+            this.logger.debug(`JWKS "${jwksConfig.url}": skipped ${result.skipped.length} key(s)`, {
+                skipped: result.skipped,
+            });
         }
+        return {
+            keys: result.keys.map((key) => ({
+                kid: key.kid,
+                data: {
+                    algorithms: key.algorithms,
+                    keyMaterial: key.keyMaterial,
+                    issuer: key.issuer,
+                    expectedAudience: key.expectedAudience,
+                    allowedRoles: key.allowedRoles,
+                    expiresAt: new Date(Date.now() + result.ttlSeconds * 1000).toISOString(),
+                },
+            })),
+            cacheTtlSeconds: result.ttlSeconds,
+        };
+    }
+    resolveKeysForStaticSource(source) {
+        let rawConfig;
+        try {
+            rawConfig = JSON.parse(source.config);
+        }
+        catch {
+            throw new n8n_workflow_1.UnexpectedError('Invalid static source config: malformed JSON');
+        }
+        const configResult = zod_1.z.array(token_exchange_schemas_1.TrustedKeySourceSchema).safeParse(rawConfig);
+        if (!configResult.success) {
+            throw new n8n_workflow_1.UnexpectedError(`Invalid static source config: ${configResult.error.message}`);
+        }
+        const staticConfigs = configResult.data.filter((s) => s.type === 'static');
+        return {
+            keys: this.resolveStaticKeys(staticConfigs),
+        };
+    }
+    resolveStaticKeys(configs) {
+        const result = [];
+        const seenKids = new Set();
+        for (const config of configs) {
+            const { kid, algorithms, key: pemString, issuer, expectedAudience, allowedRoles } = config;
+            if (seenKids.has(kid)) {
+                throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": duplicate kid`);
+            }
+            seenKids.add(kid);
+            this.validateKeyMaterial(kid, algorithms, pemString);
+            result.push({
+                kid,
+                data: {
+                    algorithms,
+                    keyMaterial: pemString,
+                    issuer,
+                    expectedAudience,
+                    allowedRoles,
+                },
+            });
+        }
+        return result;
+    }
+    validateKeyMaterial(kid, algorithms, pemString) {
         const families = new Set();
         for (const alg of algorithms) {
             const family = ALGORITHM_FAMILY[alg];
@@ -104,20 +412,54 @@ let TrustedKeyService = class TrustedKeyService {
         if (!expectedTypes[family].includes(keyType ?? '')) {
             throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": key type "${keyType}" does not match algorithm family "${family}"`);
         }
-        this.keys.set(kid, {
-            kid,
-            algorithms: algorithms,
-            key: keyObject,
-            issuer,
-            expectedAudience,
-            allowedRoles,
-        });
+    }
+    resolveCryptoKey(cacheKey, keyMaterial) {
+        const hash = (0, node_crypto_1.createHash)('sha256').update(keyMaterial).digest('hex');
+        const cached = this.cryptoCache.get(cacheKey);
+        if (cached && cached.keyMaterialHash === hash) {
+            return cached.cryptoKey;
+        }
+        try {
+            const cryptoKey = (0, node_crypto_1.createPublicKey)(keyMaterial);
+            this.cryptoCache.set(cacheKey, { keyMaterialHash: hash, cryptoKey });
+            return cryptoKey;
+        }
+        catch (error) {
+            this.logger.warn('Failed to parse key material from DB', {
+                cacheKey,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return undefined;
+        }
     }
 };
 exports.TrustedKeyService = TrustedKeyService;
+__decorate([
+    (0, decorators_1.OnLeaderTakeover)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Promise)
+], TrustedKeyService.prototype, "onLeaderTakeover", null);
+__decorate([
+    (0, decorators_1.OnLeaderStepdown)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], TrustedKeyService.prototype, "stopRefresh", null);
+__decorate([
+    (0, decorators_1.OnShutdown)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], TrustedKeyService.prototype, "shutdown", null);
 exports.TrustedKeyService = TrustedKeyService = __decorate([
     (0, di_1.Service)(),
     __metadata("design:paramtypes", [backend_common_1.Logger,
-        token_exchange_config_1.TokenExchangeConfig])
+        token_exchange_config_1.TokenExchangeConfig,
+        trusted_key_source_repository_1.TrustedKeySourceRepository,
+        trusted_key_repository_1.TrustedKeyRepository,
+        n8n_core_1.InstanceSettings,
+        db_1.DbLockService,
+        jwks_resolver_1.JwksResolverService])
 ], TrustedKeyService);
 //# sourceMappingURL=trusted-key.service.js.map