fix(core): Redact csrfSecret when returning oauth credentials to th…

…e frontend (#10075)
n8n-io · Jul 16, 2024 · 48f047e · 48f047e
1 parent 68d5d7e
commit 48f047e
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 1 deletion.
diff --git a/packages/cli/src/credentials/__tests__/credentials.service.test.ts b/packages/cli/src/credentials/__tests__/credentials.service.test.ts
@@ -0,0 +1,70 @@
+import { CREDENTIAL_EMPTY_VALUE, type ICredentialType } from 'n8n-workflow';
+import { mock } from 'jest-mock-extended';
+import { CREDENTIAL_BLANKING_VALUE } from '@/constants';
+import type { CredentialsEntity } from '@db/entities/CredentialsEntity';
+import type { CredentialTypes } from '@/CredentialTypes';
+import { CredentialsService } from '../credentials.service';
+
+describe('CredentialsService', () => {
+	const credType = mock<ICredentialType>({
+		extends: [],
+		properties: [
+			{
+				name: 'clientSecret',
+				type: 'string',
+				typeOptions: { password: true },
+				doNotInherit: false,
+			},
+			{
+				name: 'accessToken',
+				type: 'string',
+				typeOptions: { password: true },
+				doNotInherit: false,
+			},
+		],
+	});
+	const credentialTypes = mock<CredentialTypes>();
+	const service = new CredentialsService(
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+		credentialTypes,
+		mock(),
+		mock(),
+		mock(),
+		mock(),
+	);
+
+	describe('redact', () => {
+		it('should redact sensitive values', () => {
+			const credential = mock<CredentialsEntity>({
+				id: '123',
+				name: 'Test Credential',
+				type: 'oauth2',
+			});
+
+			const decryptedData = {
+				clientId: 'abc123',
+				clientSecret: 'sensitiveSecret',
+				accessToken: '',
+				oauthTokenData: 'super-secret',
+				csrfSecret: 'super-secret',
+			};
+
+			credentialTypes.getByName.calledWith(credential.type).mockReturnValue(credType);
+
+			const redactedData = service.redact(decryptedData, credential);
+
+			expect(redactedData).toEqual({
+				clientId: 'abc123',
+				clientSecret: CREDENTIAL_BLANKING_VALUE,
+				accessToken: CREDENTIAL_EMPTY_VALUE,
+				oauthTokenData: CREDENTIAL_BLANKING_VALUE,
+				csrfSecret: CREDENTIAL_BLANKING_VALUE,
+			});
+		});
+	});
+});
diff --git a/packages/cli/src/credentials/credentials.service.ts b/packages/cli/src/credentials/credentials.service.ts
@@ -407,7 +407,7 @@ export class CredentialsService {
 
 		for (const dataKey of Object.keys(copiedData)) {
 			// The frontend only cares that this value isn't falsy.
-			if (dataKey === 'oauthTokenData') {
+			if (dataKey === 'oauthTokenData' || dataKey === 'csrfSecret') {
 				if (copiedData[dataKey].toString().length > 0) {
 					copiedData[dataKey] = CREDENTIAL_BLANKING_VALUE;
 				} else {