npm - n8n - Versions diffs - 2.19.2 → 2.20.0 - Mend

n8n 2.19.2 → 2.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (306) hide show

package/dist/modules/oauth-jwe/oauth-jwe-key.service.js ADDED Viewed

@@ -0,0 +1,174 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthJweKeyService = void 0;
+const backend_common_1 = require("@n8n/backend-common");
+const db_1 = require("@n8n/db");
+const di_1 = require("@n8n/di");
+const typeorm_1 = require("@n8n/typeorm");
+const utils_1 = require("@n8n/utils");
+const jose_1 = require("jose");
+const n8n_core_1 = require("n8n-core");
+const n8n_workflow_1 = require("n8n-workflow");
+const cache_service_1 = require("../../services/cache/cache.service");
+const oauth_jwe_constants_1 = require("./oauth-jwe.constants");
+let OAuthJweKeyService = class OAuthJweKeyService {
+    constructor(deploymentKeyRepository, cipher, cacheService, logger) {
+        this.deploymentKeyRepository = deploymentKeyRepository;
+        this.cipher = cipher;
+        this.cacheService = cacheService;
+        this.logger = logger;
+        this.logger = this.logger.scoped('oauth-jwe');
+    }
+    async initialize() {
+        await this.loadData();
+    }
+    async getKeyPair(algorithm = oauth_jwe_constants_1.JWE_KEY_ALGORITHMS[0]) {
+        const entry = await this.findEntry(algorithm);
+        return await this.deriveKeyPair(entry);
+    }
+    async getPublicJwk(algorithm = oauth_jwe_constants_1.JWE_KEY_ALGORITHMS[0]) {
+        const { publicJwk } = await this.getKeyPair(algorithm);
+        return publicJwk;
+    }
+    async getPublicJwks() {
+        const data = await this.loadData();
+        return await Promise.all(data.map(async (entry) => (await this.deriveKeyPair(entry)).publicJwk));
+    }
+    async findEntry(algorithm) {
+        const data = await this.loadData();
+        const entry = data.find((e) => e.algorithm === algorithm);
+        if (!entry) {
+            throw new n8n_workflow_1.UnexpectedError(`No active OAuth JWE key found for algorithm "${algorithm}"`);
+        }
+        return entry;
+    }
+    async loadData() {
+        const data = await this.cacheService.get(oauth_jwe_constants_1.JWE_KEY_CACHE_KEY, {
+            refreshFn: async () => await this.loadOrGenerate(),
+        });
+        if (!data || data.length === 0) {
+            throw new n8n_workflow_1.UnexpectedError('OAuth JWE key pair unavailable');
+        }
+        return data;
+    }
+    async deriveKeyPair(entry) {
+        const decryptedPrivate = this.cipher.decryptWithInstanceKey(entry.encryptedPrivateJwk);
+        const privateJwk = (0, n8n_workflow_1.jsonParse)(decryptedPrivate, {
+            errorMessage: 'Failed to parse OAuth JWE private key',
+        });
+        const publicJwk = toPublicJwk(privateJwk, entry.algorithm);
+        const [publicKey, privateKey] = await Promise.all([
+            (0, jose_1.importJWK)(publicJwk, entry.algorithm),
+            (0, jose_1.importJWK)(privateJwk, entry.algorithm),
+        ]);
+        return {
+            algorithm: entry.algorithm,
+            publicKey: publicKey,
+            privateKey: privateKey,
+            publicJwk,
+            kid: entry.kid,
+        };
+    }
+    async loadOrGenerate() {
+        const entries = [];
+        for (const algorithm of oauth_jwe_constants_1.JWE_KEY_ALGORITHMS) {
+            let entry = await this.readActiveEntry(algorithm);
+            if (!entry) {
+                await this.generateAndPersist(algorithm);
+                entry = await this.readActiveEntry(algorithm);
+            }
+            if (!entry) {
+                throw new n8n_workflow_1.UnexpectedError(`OAuth JWE key for algorithm "${algorithm}" not found after generation`);
+            }
+            entries.push(entry);
+        }
+        return entries;
+    }
+    async readActiveEntry(algorithm) {
+        const privateRow = await this.deploymentKeyRepository.findOne({
+            where: {
+                type: oauth_jwe_constants_1.JWE_PRIVATE_KEY_TYPE,
+                algorithm,
+                status: 'active',
+            },
+        });
+        if (!privateRow)
+            return null;
+        const decryptedPrivate = this.cipher.decryptWithInstanceKey(privateRow.value);
+        const privateJwk = (0, n8n_workflow_1.jsonParse)(decryptedPrivate, {
+            errorMessage: 'Failed to parse OAuth JWE private key',
+        });
+        if (!privateJwk.kid) {
+            throw new n8n_workflow_1.UnexpectedError(`OAuth JWE private key for "${algorithm}" is missing a kid`);
+        }
+        if (privateJwk.kid !== privateRow.id) {
+            throw new n8n_workflow_1.UnexpectedError(`OAuth JWE private key for "${algorithm}" has a kid that does not match its row id`);
+        }
+        return {
+            algorithm,
+            encryptedPrivateJwk: privateRow.value,
+            kid: privateRow.id,
+        };
+    }
+    async generateAndPersist(algorithm) {
+        const { privateKey } = await (0, jose_1.generateKeyPair)(algorithm, { extractable: true });
+        const id = (0, utils_1.generateNanoId)();
+        const privateJwk = {
+            ...(await (0, jose_1.exportJWK)(privateKey)),
+            kid: id,
+            alg: algorithm,
+            use: oauth_jwe_constants_1.JWE_KEY_USE,
+        };
+        const encryptedPrivate = this.cipher.encryptWithInstanceKey(JSON.stringify(privateJwk));
+        try {
+            await this.deploymentKeyRepository.insert({
+                id,
+                type: oauth_jwe_constants_1.JWE_PRIVATE_KEY_TYPE,
+                value: encryptedPrivate,
+                algorithm,
+                status: 'active',
+            });
+            this.logger.info('Generated new instance OAuth JWE key pair', { algorithm, kid: id });
+        }
+        catch (error) {
+            if (!isUniqueConstraintViolation(error))
+                throw error;
+            this.logger.debug('OAuth JWE key insert raced with another main; re-reading winner', error instanceof Error ? { algorithm, message: error.message } : { algorithm });
+        }
+    }
+};
+exports.OAuthJweKeyService = OAuthJweKeyService;
+exports.OAuthJweKeyService = OAuthJweKeyService = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [db_1.DeploymentKeyRepository,
+        n8n_core_1.Cipher,
+        cache_service_1.CacheService,
+        backend_common_1.Logger])
+], OAuthJweKeyService);
+const PUBLIC_JWK_FIELDS = {
+    'RSA-OAEP-256': ['kty', 'kid', 'alg', 'use', 'n', 'e'],
+};
+function toPublicJwk(privateJwk, algorithm) {
+    const allowed = PUBLIC_JWK_FIELDS[algorithm];
+    const entries = allowed
+        .filter((field) => privateJwk[field] !== undefined)
+        .map((field) => [field, privateJwk[field]]);
+    return Object.fromEntries(entries);
+}
+function isUniqueConstraintViolation(error) {
+    if (!(error instanceof typeorm_1.QueryFailedError))
+        return false;
+    const driverError = error.driverError;
+    const code = driverError?.code;
+    return code === '23505' || code === 'SQLITE_CONSTRAINT_UNIQUE';
+}
+//# sourceMappingURL=oauth-jwe-key.service.js.map

package/dist/modules/oauth-jwe/oauth-jwe-key.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-jwe-key.service.js","sourceRoot":"","sources":["../../../src/modules/oauth-jwe/oauth-jwe-key.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA6C;AAC7C,gCAAkD;AAClD,gCAAkC;AAClC,0CAAgD;AAChD,sCAA4C;AAE5C,+BAA6D;AAC7D,uCAAkC;AAClC,+CAA0D;AAE1D,kEAA8D;AAE9D,+DAM+B;AA4BxB,IAAM,kBAAkB,GAAxB,MAAM,kBAAkB;IAC9B,YACkB,uBAAgD,EAChD,MAAc,EACd,YAA0B,EAC1B,MAAc;QAHd,4BAAuB,GAAvB,uBAAuB,CAAyB;QAChD,WAAM,GAAN,MAAM,CAAQ;QACd,iBAAY,GAAZ,YAAY,CAAc;QAC1B,WAAM,GAAN,MAAM,CAAQ;QAE/B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;IAQD,KAAK,CAAC,UAAU;QACf,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;IACvB,CAAC;IAQD,KAAK,CAAC,UAAU,CAAC,YAA6B,wCAAkB,CAAC,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC9C,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAMD,KAAK,CAAC,YAAY,CAAC,YAA6B,wCAAkB,CAAC,CAAC,CAAC;QACpE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACvD,OAAO,SAAS,CAAC;IAClB,CAAC;IAGD,KAAK,CAAC,aAAa;QAClB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnC,OAAO,MAAM,OAAO,CAAC,GAAG,CACvB,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CACtE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,SAA0B;QACjD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;QAC1D,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,IAAI,8BAAe,CAAC,gDAAgD,SAAS,GAAG,CAAC,CAAC;QACzF,CAAC;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,QAAQ;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAqB,uCAAiB,EAAE;YAC/E,SAAS,EAAE,KAAK,IAAI,EAAE,CAAC,MAAM,IAAI,CAAC,cAAc,EAAE;SAClD,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,8BAAe,CAAC,gCAAgC,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,KAAuB;QAClD,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvF,MAAM,UAAU,GAAG,IAAA,wBAAS,EAAM,gBAAgB,EAAE;YACnD,YAAY,EAAE,uCAAuC;SACrD,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAE3D,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACjD,IAAA,gBAAS,EAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC;YACrC,IAAA,gBAAS,EAAC,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC;SACtC,CAAC,CAAC;QAEH,OAAO;YACN,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,SAAsB;YACjC,UAAU,EAAE,UAAuB;YACnC,SAAS;YACT,GAAG,EAAE,KAAK,CAAC,GAAG;SACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc;QAC3B,MAAM,OAAO,GAAuB,EAAE,CAAC;QAEvC,KAAK,MAAM,SAAS,IAAI,wCAAkB,EAAE,CAAC;YAC5C,IAAI,KAAK,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;YAElD,IAAI,CAAC,KAAK,EAAE,CAAC;gBACZ,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;gBACzC,KAAK,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;gBACZ,MAAM,IAAI,8BAAe,CACxB,gCAAgC,SAAS,8BAA8B,CACvE,CAAC;YACH,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,SAA0B;QACvD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC;YAC7D,KAAK,EAAE;gBACN,IAAI,EAAE,0CAAoB;gBAC1B,SAAS;gBACT,MAAM,EAAE,QAAQ;aAChB;SACD,CAAC,CAAC;QACH,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAE7B,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QAC9E,MAAM,UAAU,GAAG,IAAA,wBAAS,EAAM,gBAAgB,EAAE;YACnD,YAAY,EAAE,uCAAuC;SACrD,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,8BAAe,CAAC,8BAA8B,SAAS,oBAAoB,CAAC,CAAC;QACxF,CAAC;QAED,IAAI,UAAU,CAAC,GAAG,KAAK,UAAU,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,8BAAe,CACxB,8BAA8B,SAAS,4CAA4C,CACnF,CAAC;QACH,CAAC;QAED,OAAO;YACN,SAAS;YACT,mBAAmB,EAAE,UAAU,CAAC,KAAK;YACrC,GAAG,EAAE,UAAU,CAAC,EAAE;SAClB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,SAA0B;QAC1D,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,sBAAe,EAAC,SAAS,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;QAE/E,MAAM,EAAE,GAAG,IAAA,sBAAc,GAAE,CAAC;QAE5B,MAAM,UAAU,GAAQ;YACvB,GAAG,CAAC,MAAM,IAAA,gBAAS,EAAC,UAAU,CAAC,CAAC;YAChC,GAAG,EAAE,EAAE;YACP,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,iCAAW;SAChB,CAAC;QAEF,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;QAExF,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC;gBACzC,EAAE;gBACF,IAAI,EAAE,0CAAoB;gBAC1B,KAAK,EAAE,gBAAgB;gBACvB,SAAS;gBACT,MAAM,EAAE,QAAQ;aAChB,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,CAAC;QACvF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC;gBAAE,MAAM,KAAK,CAAC;YAErD,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,iEAAiE,EACjE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAC9E,CAAC;QACH,CAAC;IACF,CAAC;CACD,CAAA;AAhLY,gDAAkB;6BAAlB,kBAAkB;IAD9B,IAAA,YAAO,GAAE;qCAGkC,4BAAuB;QACxC,iBAAM;QACA,4BAAY;QAClB,uBAAM;GALpB,kBAAkB,CAgL9B;AASD,MAAM,iBAAiB,GAAsD;IAC5E,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC;CACtD,CAAC;AAMF,SAAS,WAAW,CAAC,UAAe,EAAE,SAA0B;IAC/D,MAAM,OAAO,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO;SACrB,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC;SAClD,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,CAAU,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC,WAAW,CAAC,OAAO,CAAQ,CAAC;AAC3C,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAc;IAClD,IAAI,CAAC,CAAC,KAAK,YAAY,0BAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IACvD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAgC,CAAC;IAC3D,MAAM,IAAI,GAAG,WAAW,EAAE,IAAI,CAAC;IAC/B,OAAO,IAAI,KAAK,OAAO,IAAmB,IAAI,KAAK,0BAA0B,CAAC;AAC/E,CAAC"}

package/dist/modules/oauth-jwe/oauth-jwe.config.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export declare class OAuthJweConfig {
+    rateLimitJwksPerMinute: number;
+}

package/dist/modules/oauth-jwe/oauth-jwe.config.js ADDED Viewed

@@ -0,0 +1,27 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthJweConfig = void 0;
+const config_1 = require("@n8n/config");
+let OAuthJweConfig = class OAuthJweConfig {
+    constructor() {
+        this.rateLimitJwksPerMinute = 60;
+    }
+};
+exports.OAuthJweConfig = OAuthJweConfig;
+__decorate([
+    (0, config_1.Env)('N8N_OAUTH_JWE_JWKS_PER_MINUTE'),
+    __metadata("design:type", Number)
+], OAuthJweConfig.prototype, "rateLimitJwksPerMinute", void 0);
+exports.OAuthJweConfig = OAuthJweConfig = __decorate([
+    config_1.Config
+], OAuthJweConfig);
+//# sourceMappingURL=oauth-jwe.config.js.map

package/dist/modules/oauth-jwe/oauth-jwe.config.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"oauth-jwe.config.js","sourceRoot":"","sources":["../../../src/modules/oauth-jwe/oauth-jwe.config.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wCAA0C;AAGnC,IAAM,cAAc,GAApB,MAAM,cAAc;IAApB;QAGN,2BAAsB,GAAW,EAAE,CAAC;IACrC,CAAC;CAAA,CAAA;AAJY,wCAAc;AAG1B;IADC,IAAA,YAAG,EAAC,+BAA+B,CAAC;;8DACD;yBAHxB,cAAc;IAD1B,eAAM;GACM,cAAc,CAI1B"}

package/dist/modules/oauth-jwe/oauth-jwe.constants.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+export declare const JWE_PRIVATE_KEY_TYPE = "jwe.private-key";
+export declare const JWE_RSA_ALGORITHMS: readonly ["RSA-OAEP-256"];
+export type JweRsaAlgorithm = (typeof JWE_RSA_ALGORITHMS)[number];
+export declare const JWE_EC_ALGORITHMS: readonly ["ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"];
+export type JweEcAlgorithm = (typeof JWE_EC_ALGORITHMS)[number];
+export declare const JWE_KEY_ALGORITHMS: readonly ["RSA-OAEP-256"];
+export type JweKeyAlgorithm = (typeof JWE_KEY_ALGORITHMS)[number];
+export declare const JWE_KEY_USE = "enc";
+export declare const JWE_KEY_CACHE_KEY = "jwe:key-pair";

package/dist/modules/oauth-jwe/oauth-jwe.constants.js ADDED Viewed

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWE_KEY_CACHE_KEY = exports.JWE_KEY_USE = exports.JWE_KEY_ALGORITHMS = exports.JWE_EC_ALGORITHMS = exports.JWE_RSA_ALGORITHMS = exports.JWE_PRIVATE_KEY_TYPE = void 0;
+exports.JWE_PRIVATE_KEY_TYPE = 'jwe.private-key';
+exports.JWE_RSA_ALGORITHMS = ['RSA-OAEP-256'];
+exports.JWE_EC_ALGORITHMS = [
+    'ECDH-ES',
+    'ECDH-ES+A128KW',
+    'ECDH-ES+A192KW',
+    'ECDH-ES+A256KW',
+];
+exports.JWE_KEY_ALGORITHMS = ['RSA-OAEP-256'];
+exports.JWE_KEY_USE = 'enc';
+exports.JWE_KEY_CACHE_KEY = 'jwe:key-pair';
+//# sourceMappingURL=oauth-jwe.constants.js.map

package/dist/modules/oauth-jwe/oauth-jwe.constants.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-jwe.constants.js","sourceRoot":"","sources":["../../../src/modules/oauth-jwe/oauth-jwe.constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,oBAAoB,GAAG,iBAAiB,CAAC;AAMzC,QAAA,kBAAkB,GAAG,CAAC,cAAc,CAAU,CAAC;AAQ/C,QAAA,iBAAiB,GAAG;IAChC,SAAS;IACT,gBAAgB;IAChB,gBAAgB;IAChB,gBAAgB;CACP,CAAC;AAUE,QAAA,kBAAkB,GAAG,CAAC,cAAc,CAAU,CAAC;AAG/C,QAAA,WAAW,GAAG,KAAK,CAAC;AACpB,QAAA,iBAAiB,GAAG,cAAc,CAAC"}

package/dist/modules/oauth-jwe/oauth-jwe.controller.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { Logger } from '@n8n/backend-common';
+import type { Response } from 'express';
+import { AuthlessRequest } from '../../requests';
+import { OAuthJweKeyService } from './oauth-jwe-key.service';
+export declare class OAuthJweController {
+    private readonly jweKeyService;
+    private readonly logger;
+    constructor(jweKeyService: OAuthJweKeyService, logger: Logger);
+    getKeys(_req: AuthlessRequest, res: Response): Promise<void>;
+}

package/dist/modules/oauth-jwe/oauth-jwe.controller.js ADDED Viewed

@@ -0,0 +1,60 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthJweController = void 0;
+const backend_common_1 = require("@n8n/backend-common");
+const constants_1 = require("@n8n/constants");
+const decorators_1 = require("@n8n/decorators");
+const di_1 = require("@n8n/di");
+const oauth_jwe_key_service_1 = require("./oauth-jwe-key.service");
+const oauth_jwe_config_1 = require("./oauth-jwe.config");
+const oauth_jwe_schemas_1 = require("./oauth-jwe.schemas");
+const configService = di_1.Container.get(oauth_jwe_config_1.OAuthJweConfig);
+let OAuthJweController = class OAuthJweController {
+    constructor(jweKeyService, logger) {
+        this.jweKeyService = jweKeyService;
+        this.logger = logger;
+    }
+    async getKeys(_req, res) {
+        const jwks = await this.jweKeyService.getPublicJwks();
+        const keys = jwks
+            .map((key) => oauth_jwe_schemas_1.PublicJweJwkSchema.safeParse(key))
+            .filter((result) => {
+            if (!result.success) {
+                this.logger.warn('Failed to parse public JWK', { error: result.error });
+            }
+            return result.success;
+        })
+            .map((result) => result.data);
+        const response = { keys };
+        res.setHeader('Cache-Control', 'public, max-age=3600, must-revalidate');
+        res.json(response);
+    }
+};
+exports.OAuthJweController = OAuthJweController;
+__decorate([
+    (0, decorators_1.Get)('/jwks.json', {
+        skipAuth: true,
+        ipRateLimit: {
+            limit: configService.rateLimitJwksPerMinute,
+            windowMs: 1 * constants_1.Time.minutes.toMilliseconds,
+        },
+    }),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], OAuthJweController.prototype, "getKeys", null);
+exports.OAuthJweController = OAuthJweController = __decorate([
+    (0, decorators_1.RestController)('/.well-known'),
+    __metadata("design:paramtypes", [oauth_jwe_key_service_1.OAuthJweKeyService,
+        backend_common_1.Logger])
+], OAuthJweController);
+//# sourceMappingURL=oauth-jwe.controller.js.map

package/dist/modules/oauth-jwe/oauth-jwe.controller.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-jwe.controller.js","sourceRoot":"","sources":["../../../src/modules/oauth-jwe/oauth-jwe.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA6C;AAC7C,8CAAsC;AACtC,gDAAsD;AACtD,gCAAoC;AAKpC,mEAA6D;AAC7D,yDAAoD;AACpD,2DAA4E;AAE5E,MAAM,aAAa,GAAG,cAAS,CAAC,GAAG,CAAC,iCAAc,CAAC,CAAC;AAG7C,IAAM,kBAAkB,GAAxB,MAAM,kBAAkB;IAC9B,YACkB,aAAiC,EACjC,MAAc;QADd,kBAAa,GAAb,aAAa,CAAoB;QACjC,WAAM,GAAN,MAAM,CAAQ;IAC7B,CAAC;IASE,AAAN,KAAK,CAAC,OAAO,CAAC,IAAqB,EAAE,GAAa;QACjD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,CAAC;QAEtD,MAAM,IAAI,GAAG,IAAI;aACf,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,sCAAkB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;aAC/C,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;YAClB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YACzE,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC;QACvB,CAAC,CAAC;aACD,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAE/B,MAAM,QAAQ,GAAiB,EAAE,IAAI,EAAE,CAAC;QAExC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,uCAAuC,CAAC,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;CACD,CAAA;AA/BY,gDAAkB;AAaxB;IAPL,IAAA,gBAAG,EAAC,YAAY,EAAE;QAClB,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE;YACZ,KAAK,EAAE,aAAa,CAAC,sBAAsB;YAC3C,QAAQ,EAAE,CAAC,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc;SACzC;KACD,CAAC;;;;iDAkBD;6BA9BW,kBAAkB;IAD9B,IAAA,2BAAc,EAAC,cAAc,CAAC;qCAGG,0CAAkB;QACzB,uBAAM;GAHpB,kBAAkB,CA+B9B"}

package/dist/modules/oauth-jwe/oauth-jwe.module.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { ModuleInterface } from '@n8n/decorators';
+import { OAuthJweServiceProxy } from '../../oauth/oauth-jwe-service.proxy';
+export declare class OAuthJweModule implements ModuleInterface {
+    init(): Promise<void>;
+    context(): Promise<{
+        oauthJweProxyProvider: OAuthJweServiceProxy;
+    }>;
+}

package/dist/modules/oauth-jwe/oauth-jwe.module.js ADDED Viewed

@@ -0,0 +1,70 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthJweModule = void 0;
+const decorators_1 = require("@n8n/decorators");
+const di_1 = require("@n8n/di");
+const n8n_core_1 = require("n8n-core");
+const oauth_jwe_service_proxy_1 = require("../../oauth/oauth-jwe-service.proxy");
+function isFeatureFlagEnabled() {
+    return process.env.N8N_ENV_FEAT_OAUTH2_JWE === 'true';
+}
+let OAuthJweModule = class OAuthJweModule {
+    async init() {
+        if (!isFeatureFlagEnabled())
+            return;
+        const { OAuthJweDecryptService } = await Promise.resolve().then(() => __importStar(require('./oauth-jwe-decrypt.service')));
+        di_1.Container.get(oauth_jwe_service_proxy_1.OAuthJweServiceProxy).setHandler(di_1.Container.get(OAuthJweDecryptService));
+        if (di_1.Container.get(n8n_core_1.InstanceSettings).instanceType === 'main') {
+            const { OAuthJweKeyService } = await Promise.resolve().then(() => __importStar(require('./oauth-jwe-key.service')));
+            await di_1.Container.get(OAuthJweKeyService).initialize();
+            await Promise.resolve().then(() => __importStar(require('./oauth-jwe.controller')));
+        }
+    }
+    async context() {
+        return { oauthJweProxyProvider: di_1.Container.get(oauth_jwe_service_proxy_1.OAuthJweServiceProxy) };
+    }
+};
+exports.OAuthJweModule = OAuthJweModule;
+exports.OAuthJweModule = OAuthJweModule = __decorate([
+    (0, decorators_1.BackendModule)({ name: 'oauth-jwe' })
+], OAuthJweModule);
+//# sourceMappingURL=oauth-jwe.module.js.map

package/dist/modules/oauth-jwe/oauth-jwe.module.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-jwe.module.js","sourceRoot":"","sources":["../../../src/modules/oauth-jwe/oauth-jwe.module.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,gDAAgD;AAChD,gCAAoC;AACpC,uCAA4C;AAE5C,6EAAuE;AAEvE,SAAS,oBAAoB;IAC5B,OAAO,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,MAAM,CAAC;AACvD,CAAC;AAGM,IAAM,cAAc,GAApB,MAAM,cAAc;IAC1B,KAAK,CAAC,IAAI;QACT,IAAI,CAAC,oBAAoB,EAAE;YAAE,OAAO;QAEpC,MAAM,EAAE,sBAAsB,EAAE,GAAG,wDAAa,6BAA6B,GAAC,CAAC;QAC/E,cAAS,CAAC,GAAG,CAAC,8CAAoB,CAAC,CAAC,UAAU,CAAC,cAAS,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC;QAMtF,IAAI,cAAS,CAAC,GAAG,CAAC,2BAAgB,CAAC,CAAC,YAAY,KAAK,MAAM,EAAE,CAAC;YAC7D,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAAa,yBAAyB,GAAC,CAAC;YACvE,MAAM,cAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,UAAU,EAAE,CAAC;YACrD,wDAAa,wBAAwB,GAAC,CAAC;QACxC,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO;QACZ,OAAO,EAAE,qBAAqB,EAAE,cAAS,CAAC,GAAG,CAAC,8CAAoB,CAAC,EAAE,CAAC;IACvE,CAAC;CACD,CAAA;AArBY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,0BAAa,EAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;GACxB,cAAc,CAqB1B"}

package/dist/modules/oauth-jwe/oauth-jwe.schemas.d.ts ADDED Viewed

@@ -0,0 +1,131 @@
+import { z } from 'zod';
+export declare const PublicJweJwkSchema: z.ZodDiscriminatedUnion<"kty", [z.ZodObject<{
+    kty: z.ZodLiteral<"RSA">;
+    kid: z.ZodString;
+    use: z.ZodLiteral<"enc">;
+    alg: z.ZodEnum<["RSA-OAEP-256"]>;
+    n: z.ZodString;
+    e: z.ZodString;
+}, "strict", z.ZodTypeAny, {
+    kid: string;
+    use: "enc";
+    e: string;
+    n: string;
+    kty: "RSA";
+    alg: "RSA-OAEP-256";
+}, {
+    kid: string;
+    use: "enc";
+    e: string;
+    n: string;
+    kty: "RSA";
+    alg: "RSA-OAEP-256";
+}>, z.ZodObject<{
+    kty: z.ZodLiteral<"EC">;
+    kid: z.ZodString;
+    use: z.ZodLiteral<"enc">;
+    alg: z.ZodEnum<["ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]>;
+    crv: z.ZodEnum<["P-256", "P-384", "P-521"]>;
+    x: z.ZodString;
+    y: z.ZodString;
+}, "strict", z.ZodTypeAny, {
+    y: string;
+    kid: string;
+    use: "enc";
+    crv: "P-256" | "P-384" | "P-521";
+    x: string;
+    kty: "EC";
+    alg: "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A192KW" | "ECDH-ES+A256KW";
+}, {
+    y: string;
+    kid: string;
+    use: "enc";
+    crv: "P-256" | "P-384" | "P-521";
+    x: string;
+    kty: "EC";
+    alg: "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A192KW" | "ECDH-ES+A256KW";
+}>]>;
+export type PublicJweJwk = z.infer<typeof PublicJweJwkSchema>;
+export declare const JwksResponseSchema: z.ZodObject<{
+    keys: z.ZodArray<z.ZodDiscriminatedUnion<"kty", [z.ZodObject<{
+        kty: z.ZodLiteral<"RSA">;
+        kid: z.ZodString;
+        use: z.ZodLiteral<"enc">;
+        alg: z.ZodEnum<["RSA-OAEP-256"]>;
+        n: z.ZodString;
+        e: z.ZodString;
+    }, "strict", z.ZodTypeAny, {
+        kid: string;
+        use: "enc";
+        e: string;
+        n: string;
+        kty: "RSA";
+        alg: "RSA-OAEP-256";
+    }, {
+        kid: string;
+        use: "enc";
+        e: string;
+        n: string;
+        kty: "RSA";
+        alg: "RSA-OAEP-256";
+    }>, z.ZodObject<{
+        kty: z.ZodLiteral<"EC">;
+        kid: z.ZodString;
+        use: z.ZodLiteral<"enc">;
+        alg: z.ZodEnum<["ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]>;
+        crv: z.ZodEnum<["P-256", "P-384", "P-521"]>;
+        x: z.ZodString;
+        y: z.ZodString;
+    }, "strict", z.ZodTypeAny, {
+        y: string;
+        kid: string;
+        use: "enc";
+        crv: "P-256" | "P-384" | "P-521";
+        x: string;
+        kty: "EC";
+        alg: "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A192KW" | "ECDH-ES+A256KW";
+    }, {
+        y: string;
+        kid: string;
+        use: "enc";
+        crv: "P-256" | "P-384" | "P-521";
+        x: string;
+        kty: "EC";
+        alg: "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A192KW" | "ECDH-ES+A256KW";
+    }>]>, "many">;
+}, "strip", z.ZodTypeAny, {
+    keys: ({
+        kid: string;
+        use: "enc";
+        e: string;
+        n: string;
+        kty: "RSA";
+        alg: "RSA-OAEP-256";
+    } | {
+        y: string;
+        kid: string;
+        use: "enc";
+        crv: "P-256" | "P-384" | "P-521";
+        x: string;
+        kty: "EC";
+        alg: "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A192KW" | "ECDH-ES+A256KW";
+    })[];
+}, {
+    keys: ({
+        kid: string;
+        use: "enc";
+        e: string;
+        n: string;
+        kty: "RSA";
+        alg: "RSA-OAEP-256";
+    } | {
+        y: string;
+        kid: string;
+        use: "enc";
+        crv: "P-256" | "P-384" | "P-521";
+        x: string;
+        kty: "EC";
+        alg: "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A192KW" | "ECDH-ES+A256KW";
+    })[];
+}>;
+export type JwksResponse = z.infer<typeof JwksResponseSchema>;

package/dist/modules/oauth-jwe/oauth-jwe.schemas.js ADDED Viewed

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwksResponseSchema = exports.PublicJweJwkSchema = void 0;
+const zod_1 = require("zod");
+const oauth_jwe_constants_1 = require("./oauth-jwe.constants");
+const RsaPublicJwkSchema = zod_1.z
+    .object({
+    kty: zod_1.z.literal('RSA'),
+    kid: zod_1.z.string().min(1),
+    use: zod_1.z.literal(oauth_jwe_constants_1.JWE_KEY_USE),
+    alg: zod_1.z.enum(oauth_jwe_constants_1.JWE_RSA_ALGORITHMS),
+    n: zod_1.z.string().min(1),
+    e: zod_1.z.string().min(1),
+})
+    .strict();
+const EcPublicJwkSchema = zod_1.z
+    .object({
+    kty: zod_1.z.literal('EC'),
+    kid: zod_1.z.string().min(1),
+    use: zod_1.z.literal(oauth_jwe_constants_1.JWE_KEY_USE),
+    alg: zod_1.z.enum(oauth_jwe_constants_1.JWE_EC_ALGORITHMS),
+    crv: zod_1.z.enum(['P-256', 'P-384', 'P-521']),
+    x: zod_1.z.string().min(1),
+    y: zod_1.z.string().min(1),
+})
+    .strict();
+exports.PublicJweJwkSchema = zod_1.z.discriminatedUnion('kty', [
+    RsaPublicJwkSchema,
+    EcPublicJwkSchema,
+]);
+exports.JwksResponseSchema = zod_1.z.object({
+    keys: zod_1.z.array(exports.PublicJweJwkSchema),
+});
+//# sourceMappingURL=oauth-jwe.schemas.js.map

package/dist/modules/oauth-jwe/oauth-jwe.schemas.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-jwe.schemas.js","sourceRoot":"","sources":["../../../src/modules/oauth-jwe/oauth-jwe.schemas.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AAExB,+DAA2F;AAO3F,MAAM,kBAAkB,GAAG,OAAC;KAC1B,MAAM,CAAC;IACP,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,iCAAW,CAAC;IAC3B,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,wCAAkB,CAAC;IAC/B,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CACpB,CAAC;KACD,MAAM,EAAE,CAAC;AAMX,MAAM,iBAAiB,GAAG,OAAC;KACzB,MAAM,CAAC;IACP,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,iCAAW,CAAC;IAC3B,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,uCAAiB,CAAC;IAC9B,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CACpB,CAAC;KACD,MAAM,EAAE,CAAC;AAOE,QAAA,kBAAkB,GAAG,OAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE;IAC7D,kBAAkB;IAClB,iBAAiB;CACjB,CAAC,CAAC;AAIU,QAAA,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,0BAAkB,CAAC;CACjC,CAAC,CAAC"}

package/dist/modules/oauth-jwe/oauth-jwe.utils.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { CryptoKey } from 'jose';
+export declare function isJweToken(token: unknown): token is string;
+export declare function decryptJweToken(token: string, privateKey: CryptoKey): Promise<string>;
+export declare function decryptJweTokenData(data: Record<string, unknown>, privateKey: CryptoKey): Promise<Record<string, unknown>>;

package/dist/modules/oauth-jwe/oauth-jwe.utils.js ADDED Viewed

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isJweToken = isJweToken;
+exports.decryptJweToken = decryptJweToken;
+exports.decryptJweTokenData = decryptJweTokenData;
+const jose_1 = require("jose");
+const JWE_SEGMENT_COUNT = 5;
+function isJweToken(token) {
+    if (typeof token !== 'string' || token.length === 0)
+        return false;
+    return token.split('.').length === JWE_SEGMENT_COUNT;
+}
+async function decryptJweToken(token, privateKey) {
+    const { plaintext } = await (0, jose_1.compactDecrypt)(token, privateKey);
+    return new TextDecoder().decode(plaintext);
+}
+async function decryptJweTokenData(data, privateKey) {
+    const result = { ...data };
+    for (const field of ['access_token', 'id_token']) {
+        const value = result[field];
+        if (isJweToken(value)) {
+            result[field] = await decryptJweToken(value, privateKey);
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=oauth-jwe.utils.js.map

package/dist/modules/oauth-jwe/oauth-jwe.utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-jwe.utils.js","sourceRoot":"","sources":["../../../src/modules/oauth-jwe/oauth-jwe.utils.ts"],"names":[],"mappings":";;AAWA,gCAGC;AAOD,0CAGC;AAOD,kDAcC;AA5CD,+BAAsC;AAEtC,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAQ5B,SAAgB,UAAU,CAAC,KAAc;IACxC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,iBAAiB,CAAC;AACtD,CAAC;AAOM,KAAK,UAAU,eAAe,CAAC,KAAa,EAAE,UAAqB;IACzE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,qBAAc,EAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC9D,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC5C,CAAC;AAOM,KAAK,UAAU,mBAAmB,CACxC,IAA6B,EAC7B,UAAqB;IAErB,MAAM,MAAM,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;IAEpD,KAAK,MAAM,KAAK,IAAI,CAAC,cAAc,EAAE,UAAU,CAAU,EAAE,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5B,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAC1D,CAAC;IACF,CAAC;IAED,OAAO,MAAM,CAAC;AACf,CAAC"}

package/dist/modules/source-control.ee/source-control-export.service.ee.js CHANGED Viewed

@@ -422,7 +422,7 @@ let SourceControlExportService = class SourceControlExportService {
                         teamName: sharing.project.name,
                     };
                 }
-                const sanitizedData = (0, source_control_helper_ee_1.sanitizeCredentialData)(credentials.getData());
+                const sanitizedData = (0, source_control_helper_ee_1.sanitizeCredentialData)(await credentials.getData());
                 const stub = {
                     id,
                     name,