refactor(core): Introduce @GlobalScope() and @ProjectScope() deco…

…rators (no-changelog) (#8546) Co-authored-by: Valya Bullions <valya@n8n.io>
n8n-io · Feb 19, 2024 · 674abd8 · 674abd8
1 parent bc1aa30
commit 674abd8
Show file tree

Hide file tree

Showing 45 changed files with 593 additions and 230 deletions.
diff --git a/packages/cli/.eslintrc.js b/packages/cli/.eslintrc.js
@@ -34,4 +34,20 @@ module.exports = {
 		'@typescript-eslint/no-unsafe-enum-comparison': 'warn',
 		'@typescript-eslint/no-unsafe-declaration-merging': 'warn',
 	},
+
+	overrides: [
+		{
+			files: ['./src/decorators/**/*.ts'],
+			rules: {
+				'@typescript-eslint/ban-types': [
+					'warn',
+					{
+						types: {
+							Function: false,
+						},
+					},
+				],
+			},
+		},
+	],
 };
diff --git a/packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts b/packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts
@@ -1,4 +1,4 @@
-import { Authorized, Get, Post, RestController, RequireGlobalScope } from '@/decorators';
+import { Authorized, Get, Post, RestController, GlobalScope } from '@/decorators';
 import { ExternalSecretsRequest } from '@/requests';
 import { Response } from 'express';
 import { ExternalSecretsService } from './ExternalSecrets.service.ee';
@@ -11,13 +11,13 @@ export class ExternalSecretsController {
 	constructor(private readonly secretsService: ExternalSecretsService) {}
 
 	@Get('/providers')
-	@RequireGlobalScope('externalSecretsProvider:list')
+	@GlobalScope('externalSecretsProvider:list')
 	async getProviders() {
 		return await this.secretsService.getProviders();
 	}
 
 	@Get('/providers/:provider')
-	@RequireGlobalScope('externalSecretsProvider:read')
+	@GlobalScope('externalSecretsProvider:read')
 	async getProvider(req: ExternalSecretsRequest.GetProvider) {
 		const providerName = req.params.provider;
 		try {
@@ -31,7 +31,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider/test')
-	@RequireGlobalScope('externalSecretsProvider:read')
+	@GlobalScope('externalSecretsProvider:read')
 	async testProviderSettings(req: ExternalSecretsRequest.TestProviderSettings, res: Response) {
 		const providerName = req.params.provider;
 		try {
@@ -51,7 +51,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider')
-	@RequireGlobalScope('externalSecretsProvider:create')
+	@GlobalScope('externalSecretsProvider:create')
 	async setProviderSettings(req: ExternalSecretsRequest.SetProviderSettings) {
 		const providerName = req.params.provider;
 		try {
@@ -66,7 +66,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider/connect')
-	@RequireGlobalScope('externalSecretsProvider:update')
+	@GlobalScope('externalSecretsProvider:update')
 	async setProviderConnected(req: ExternalSecretsRequest.SetProviderConnected) {
 		const providerName = req.params.provider;
 		try {
@@ -81,7 +81,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider/update')
-	@RequireGlobalScope('externalSecretsProvider:sync')
+	@GlobalScope('externalSecretsProvider:sync')
 	async updateProvider(req: ExternalSecretsRequest.UpdateProvider, res: Response) {
 		const providerName = req.params.provider;
 		try {
@@ -101,7 +101,7 @@ export class ExternalSecretsController {
 	}
 
 	@Get('/secrets')
-	@RequireGlobalScope('externalSecret:list')
+	@GlobalScope('externalSecret:list')
 	getSecretNames() {
 		return this.secretsService.getAllSecrets();
 	}

diff --git a/packages/cli/src/Ldap/ldap.controller.ts b/packages/cli/src/Ldap/ldap.controller.ts
@@ -1,5 +1,5 @@
 import pick from 'lodash/pick';
-import { Authorized, Get, Post, Put, RestController, RequireGlobalScope } from '@/decorators';
+import { Authorized, Get, Post, Put, RestController, GlobalScope } from '@/decorators';
 import { InternalHooks } from '@/InternalHooks';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 
@@ -17,13 +17,13 @@ export class LdapController {
 	) {}
 
 	@Get('/config')
-	@RequireGlobalScope('ldap:manage')
+	@GlobalScope('ldap:manage')
 	async getConfig() {
 		return await this.ldapService.loadConfig();
 	}
 
 	@Post('/test-connection')
-	@RequireGlobalScope('ldap:manage')
+	@GlobalScope('ldap:manage')
 	async testConnection() {
 		try {
 			await this.ldapService.testConnection();
@@ -33,7 +33,7 @@ export class LdapController {
 	}
 
 	@Put('/config')
-	@RequireGlobalScope('ldap:manage')
+	@GlobalScope('ldap:manage')
 	async updateConfig(req: LdapConfiguration.Update) {
 		try {
 			await this.ldapService.updateConfig(req.body);
@@ -52,14 +52,14 @@ export class LdapController {
 	}
 
 	@Get('/sync')
-	@RequireGlobalScope('ldap:sync')
+	@GlobalScope('ldap:sync')
 	async getLdapSync(req: LdapConfiguration.GetSync) {
 		const { page = '0', perPage = '20' } = req.query;
 		return await getLdapSynchronizations(parseInt(page, 10), parseInt(perPage, 10));
 	}
 
 	@Post('/sync')
-	@RequireGlobalScope('ldap:sync')
+	@GlobalScope('ldap:sync')
 	async syncLdap(req: LdapConfiguration.Sync) {
 		try {
 			await this.ldapService.runSync(req.body.type);

diff --git a/packages/cli/src/PublicApi/types.ts b/packages/cli/src/PublicApi/types.ts
@@ -1,5 +1,5 @@
 import type express from 'express';
-import type { IDataObject, ExecutionStatus } from 'n8n-workflow';
+import type { ExecutionStatus, ICredentialDataDecryptedObject } from 'n8n-workflow';
 
 import type { User } from '@db/entities/User';
 
@@ -151,7 +151,14 @@ export declare namespace UserRequest {
 }
 
 export declare namespace CredentialRequest {
-	type Create = AuthenticatedRequest<{}, {}, { type: string; name: string; data: IDataObject }, {}>;
+	type Create = AuthenticatedRequest<
+		{},
+		{},
+		{ type: string; name: string; data: ICredentialDataDecryptedObject },
+		{}
+	>;
+
+	type Delete = AuthenticatedRequest<{ id: string }, {}, {}, Record<string, string>>;
 }
 
 export type OperationID = 'getUsers' | 'getUser';

diff --git a/packages/cli/src/PublicApi/v1/handlers/credentials/credentials.handler.ts b/packages/cli/src/PublicApi/v1/handlers/credentials/credentials.handler.ts
@@ -4,8 +4,7 @@ import type express from 'express';
 import { CredentialsHelper } from '@/CredentialsHelper';
 import { CredentialTypes } from '@/CredentialTypes';
 import type { CredentialsEntity } from '@db/entities/CredentialsEntity';
-import type { CredentialRequest } from '@/requests';
-import type { CredentialTypeRequest } from '../../../types';
+import type { CredentialTypeRequest, CredentialRequest } from '../../../types';
 import { authorize } from '../../shared/middlewares/global.middleware';
 import { validCredentialsProperties, validCredentialType } from './credentials.middleware';
 

diff --git a/packages/cli/src/auth/jwt.ts b/packages/cli/src/auth/jwt.ts
@@ -8,7 +8,7 @@ import { License } from '@/License';
 import { Container } from 'typedi';
 import { UserRepository } from '@db/repositories/user.repository';
 import { JwtService } from '@/services/jwt.service';
-import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
+import { ForbiddenError } from '@/errors/response-errors/forbidden.error';
 import { AuthError } from '@/errors/response-errors/auth.error';
 import { ApplicationError } from 'n8n-workflow';
 
@@ -30,7 +30,7 @@ export function issueJWT(user: User): JwtToken {
 		!user.isOwner &&
 		!isWithinUsersLimit
 	) {
-		throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
+		throw new ForbiddenError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 	}
 	if (password) {
 		payload.password = createHash('sha256')

diff --git a/packages/cli/src/constants.ts b/packages/cli/src/constants.ts
@@ -48,7 +48,8 @@ export const RESPONSE_ERROR_MESSAGES = {
 	USERS_QUOTA_REACHED: 'Maximum number of users reached',
 	OAUTH2_CREDENTIAL_TEST_SUCCEEDED: 'Connection Successful!',
 	OAUTH2_CREDENTIAL_TEST_FAILED: 'This OAuth2 credential was not connected to an account.',
-};
+	MISSING_SCOPE: 'User is missing a scope required to perform this action',
+} as const;
 
 export const AUTH_COOKIE_NAME = 'n8n-auth';
 

diff --git a/packages/cli/src/controllers/auth.controller.ts b/packages/cli/src/controllers/auth.controller.ts
@@ -22,7 +22,7 @@ import { Logger } from '@/Logger';
 import { AuthError } from '@/errors/response-errors/auth.error';
 import { InternalServerError } from '@/errors/response-errors/internal-server.error';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
-import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
+import { ForbiddenError } from '@/errors/response-errors/forbidden.error';
 import { ApplicationError } from 'n8n-workflow';
 import { UserRepository } from '@/databases/repositories/user.repository';
 
@@ -166,7 +166,7 @@ export class AuthController {
 				inviterId,
 				inviteeId,
 			});
-			throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
+			throw new ForbiddenError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 		}
 
 		if (!inviterId || !inviteeId) {

diff --git a/packages/cli/src/controllers/communityPackages.controller.ts b/packages/cli/src/controllers/communityPackages.controller.ts
@@ -13,7 +13,7 @@ import {
 	Patch,
 	Post,
 	RestController,
-	RequireGlobalScope,
+	GlobalScope,
 } from '@/decorators';
 import { NodeRequest } from '@/requests';
 import type { InstalledPackages } from '@db/entities/InstalledPackages';
@@ -62,7 +62,7 @@ export class CommunityPackagesController {
 	}
 
 	@Post('/')
-	@RequireGlobalScope('communityPackage:install')
+	@GlobalScope('communityPackage:install')
 	async installPackage(req: NodeRequest.Post) {
 		const { name } = req.body;
 
@@ -159,7 +159,7 @@ export class CommunityPackagesController {
 	}
 
 	@Get('/')
-	@RequireGlobalScope('communityPackage:list')
+	@GlobalScope('communityPackage:list')
 	async getInstalledPackages() {
 		const installedPackages = await this.communityPackagesService.getAllInstalledPackages();
 
@@ -194,7 +194,7 @@ export class CommunityPackagesController {
 	}
 
 	@Delete('/')
-	@RequireGlobalScope('communityPackage:uninstall')
+	@GlobalScope('communityPackage:uninstall')
 	async uninstallPackage(req: NodeRequest.Delete) {
 		const { name } = req.query;
 
@@ -246,7 +246,7 @@ export class CommunityPackagesController {
 	}
 
 	@Patch('/')
-	@RequireGlobalScope('communityPackage:update')
+	@GlobalScope('communityPackage:update')
 	async updatePackage(req: NodeRequest.Update) {
 		const { name } = req.body;
 

diff --git a/packages/cli/src/controllers/invitation.controller.ts b/packages/cli/src/controllers/invitation.controller.ts
@@ -2,7 +2,7 @@ import { Response } from 'express';
 import validator from 'validator';
 
 import config from '@/config';
-import { Authorized, NoAuthRequired, Post, RequireGlobalScope, RestController } from '@/decorators';
+import { Authorized, NoAuthRequired, Post, RestController, GlobalScope } from '@/decorators';
 import { issueCookie } from '@/auth/jwt';
 import { RESPONSE_ERROR_MESSAGES } from '@/constants';
 import { UserRequest } from '@/requests';
@@ -15,7 +15,7 @@ import { PostHogClient } from '@/posthog';
 import type { User } from '@/databases/entities/User';
 import { UserRepository } from '@db/repositories/user.repository';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
-import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
+import { ForbiddenError } from '@/errors/response-errors/forbidden.error';
 import { InternalHooks } from '@/InternalHooks';
 import { ExternalHooks } from '@/ExternalHooks';
 
@@ -38,7 +38,7 @@ export class InvitationController {
 	 */
 
 	@Post('/')
-	@RequireGlobalScope('user:create')
+	@GlobalScope('user:create')
 	async inviteUser(req: UserRequest.Invite) {
 		const isWithinUsersLimit = this.license.isWithinUsersLimit();
 
@@ -55,7 +55,7 @@ export class InvitationController {
 			this.logger.debug(
 				'Request to send email invite(s) to user(s) failed because the user limit quota has been reached',
 			);
-			throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
+			throw new ForbiddenError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 		}
 
 		if (!config.getEnv('userManagement.isInstanceOwnerSetUp')) {
@@ -98,7 +98,7 @@ export class InvitationController {
 			}
 
 			if (invite.role === 'global:admin' && !this.license.isAdvancedPermissionsLicensed()) {
-				throw new UnauthorizedError(
+				throw new ForbiddenError(
 					'Cannot invite admin user without advanced permissions. Please upgrade to a license that includes this feature.',
 				);
 			}

diff --git a/packages/cli/src/controllers/orchestration.controller.ts b/packages/cli/src/controllers/orchestration.controller.ts
@@ -1,4 +1,4 @@
-import { Authorized, Post, RestController, RequireGlobalScope } from '@/decorators';
+import { Authorized, Post, RestController, GlobalScope } from '@/decorators';
 import { OrchestrationRequest } from '@/requests';
 import { OrchestrationService } from '@/services/orchestration.service';
 import { License } from '@/License';
@@ -15,22 +15,22 @@ export class OrchestrationController {
 	 * These endpoints do not return anything, they just trigger the messsage to
 	 * the workers to respond on Redis with their status.
 	 */
-	@RequireGlobalScope('orchestration:read')
+	@GlobalScope('orchestration:read')
 	@Post('/worker/status/:id')
 	async getWorkersStatus(req: OrchestrationRequest.Get) {
 		if (!this.licenseService.isWorkerViewLicensed()) return;
 		const id = req.params.id;
 		return await this.orchestrationService.getWorkerStatus(id);
 	}
 
-	@RequireGlobalScope('orchestration:read')
+	@GlobalScope('orchestration:read')
 	@Post('/worker/status')
 	async getWorkersStatusAll() {
 		if (!this.licenseService.isWorkerViewLicensed()) return;
 		return await this.orchestrationService.getWorkerStatus();
 	}
 
-	@RequireGlobalScope('orchestration:list')
+	@GlobalScope('orchestration:list')
 	@Post('/worker/ids')
 	async getWorkerIdsAll() {
 		if (!this.licenseService.isWorkerViewLicensed()) return;

diff --git a/packages/cli/src/controllers/passwordReset.controller.ts b/packages/cli/src/controllers/passwordReset.controller.ts
@@ -18,7 +18,7 @@ import { InternalHooks } from '@/InternalHooks';
 import { UrlService } from '@/services/url.service';
 import { InternalServerError } from '@/errors/response-errors/internal-server.error';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
-import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
+import { ForbiddenError } from '@/errors/response-errors/forbidden.error';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
 import { UnprocessableRequestError } from '@/errors/response-errors/unprocessable.error';
 import { UserRepository } from '@/databases/repositories/user.repository';
@@ -84,7 +84,7 @@ export class PasswordResetController {
 			this.logger.debug(
 				'Request to send password reset email failed because the user limit was reached',
 			);
-			throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
+			throw new ForbiddenError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 		}
 		if (
 			isSamlCurrentAuthenticationMethod() &&
@@ -96,7 +96,7 @@ export class PasswordResetController {
 			this.logger.debug(
 				'Request to send password reset email failed because login is handled by SAML',
 			);
-			throw new UnauthorizedError(
+			throw new ForbiddenError(
 				'Login is handled by SAML. Please contact your Identity Provider to reset your password.',
 			);
 		}
@@ -171,7 +171,7 @@ export class PasswordResetController {
 				'Request to resolve password token failed because the user limit was reached',
 				{ userId: user.id },
 			);
-			throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
+			throw new ForbiddenError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 		}
 
 		this.logger.info('Reset-password token resolved successfully', { userId: user.id });