UNPKG

n8n

Version:

n8n Workflow Automation Tool

n8n.io

n8n-io/n8n

207 lines 10.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
"use strict"; var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; Object.defineProperty(exports, "__esModule", { value: true }); exports.McpOAuthService = exports.SUPPORTED_SCOPES = void 0; const backend_common_1 = require("@n8n/backend-common"); const config_1 = require("@n8n/config"); const di_1 = require("@n8n/di"); const oauth_client_repository_1 = require("./database/repositories/oauth-client.repository"); const oauth_user_consent_repository_1 = require("./database/repositories/oauth-user-consent.repository"); const mcp_oauth_authorization_code_service_1 = require("./mcp-oauth-authorization-code.service"); const mcp_oauth_token_service_1 = require("./mcp-oauth-token.service"); const mcp_errors_1 = require("./mcp.errors"); const oauth_session_service_1 = require("./oauth-session.service"); exports.SUPPORTED_SCOPES = ['tool:listWorkflows', 'tool:getWorkflowDetails']; const MAX_REDIRECT_URIS = 10; const MAX_REDIRECT_URI_LENGTH = 2048; let McpOAuthService = class McpOAuthService { constructor(logger, globalConfig, oauthSessionService, oauthClientRepository, tokenService, authorizationCodeService, userConsentRepository) { this.logger = logger; this.globalConfig = globalConfig; this.oauthSessionService = oauthSessionService; this.oauthClientRepository = oauthClientRepository; this.tokenService = tokenService; this.authorizationCodeService = authorizationCodeService; this.userConsentRepository = userConsentRepository; } get clientsStore() { return { getClient: async (clientId) => { const client = await this.oauthClientRepository.findOneBy({ id: clientId }); if (!client) { return undefined; } return { client_id: client.id, client_name: client.name, redirect_uris: client.redirectUris, grant_types: client.grantTypes, token_endpoint_auth_method: client.tokenEndpointAuthMethod, ...(client.clientSecret && { client_secret: client.clientSecret }), ...(client.clientSecretExpiresAt && { client_secret_expires_at: client.clientSecretExpiresAt, }), response_types: ['code'], scope: exports.SUPPORTED_SCOPES.join(' '), logo_uri: undefined, tos_uri: undefined, }; }, registerClient: async (client) => { this.validateClientRegistration(client); await this.oauthClientRepository.insert({ id: client.client_id, name: client.client_name, redirectUris: client.redirect_uris, grantTypes: client.grant_types, clientSecret: client.client_secret ?? null, clientSecretExpiresAt: client.client_secret_expires_at ?? null, tokenEndpointAuthMethod: client.token_endpoint_auth_method ?? 'none', }); await this.enforceClientLimit(client.client_id); return client; }, }; } async isClientLimitReached() { const clientCount = await this.oauthClientRepository.count(); return clientCount >= this.globalConfig.endpoints.mcpMaxRegisteredClients; } async getInstanceClientStats() { const count = await this.oauthClientRepository.count(); const limit = this.globalConfig.endpoints.mcpMaxRegisteredClients; return { count, limit, atCapacity: count >= limit }; } async enforceClientLimit(clientId) { const clientCount = await this.oauthClientRepository.count(); const limit = this.globalConfig.endpoints.mcpMaxRegisteredClients; if (clientCount > limit) { await this.oauthClientRepository.delete({ id: clientId }); this.logger.warn('MCP OAuth client registration rejected: instance limit reached (post-insert rollback)', { limit, clientCount }); throw new mcp_errors_1.McpClientLimitReachedError(limit); } } validateClientRegistration(client) { if (!client.client_name) { throw new Error('client_name is required'); } if (!client.grant_types || client.grant_types.length === 0) { throw new Error('grant_types is required'); } if (!client.redirect_uris || client.redirect_uris.length === 0) { throw new Error('redirect_uris is required'); } if (client.redirect_uris.length > MAX_REDIRECT_URIS) { throw new Error(`redirect_uris exceeds maximum count of ${MAX_REDIRECT_URIS}`); } for (const uri of client.redirect_uris) { if (uri.length > MAX_REDIRECT_URI_LENGTH) { throw new Error(`redirect_uri exceeds maximum length of ${MAX_REDIRECT_URI_LENGTH} characters`); } } } async authorize(client, params, res) { this.logger.debug('Starting OAuth authorization', { clientId: client.client_id }); try { this.oauthSessionService.createSession(res, { clientId: client.client_id, redirectUri: params.redirectUri, codeChallenge: params.codeChallenge, state: params.state ?? null, }); res.redirect('/oauth/consent'); } catch (error) { this.logger.error('Error in authorize method', { error, clientId: client.client_id }); this.oauthSessionService.clearSession(res); res.status(500).json({ error: 'server_error', error_description: 'Internal server error' }); } } async challengeForAuthorizationCode(client, authorizationCode) { return await this.authorizationCodeService.getCodeChallenge(authorizationCode, client.client_id); } async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier, redirectUri) { const authRecord = await this.authorizationCodeService.validateAndConsumeAuthorizationCode(authorizationCode, client.client_id, redirectUri); const { accessToken, refreshToken } = this.tokenService.generateTokenPair(authRecord.userId, client.client_id); await this.tokenService.saveTokenPair(accessToken, refreshToken, client.client_id, authRecord.userId); this.logger.info('Authorization code exchanged for tokens', { clientId: client.client_id, userId: authRecord.userId, }); return { access_token: accessToken, token_type: 'Bearer', expires_in: this.tokenService.getAccessTokenExpirySeconds(), refresh_token: refreshToken, }; } async exchangeRefreshToken(client, refreshToken, _scopes) { return await this.tokenService.validateAndRotateRefreshToken(refreshToken, client.client_id); } async verifyAccessToken(token) { return await this.tokenService.verifyAccessToken(token); } async revokeToken(client, request) { const { token, token_type_hint } = request; if (!token_type_hint || token_type_hint === 'access_token') { const revoked = await this.tokenService.revokeAccessToken(token, client.client_id); if (revoked) { return; } } if (!token_type_hint || token_type_hint === 'refresh_token') { const revoked = await this.tokenService.revokeRefreshToken(token, client.client_id); if (revoked) { return; } } this.logger.debug('Token revocation requested for unknown token', { clientId: client.client_id, }); } async getAllClients(userId) { const userConsents = await this.userConsentRepository.findByUserWithClient(userId); return userConsents.map((consent) => { const { clientSecret, clientSecretExpiresAt, ...sanitizedClient } = consent.client; return sanitizedClient; }); } async deleteClient(clientId, userId) { const client = await this.oauthClientRepository.findOne({ where: { id: clientId }, }); if (!client) { throw new Error(`OAuth client with ID ${clientId} not found`); } const consent = await this.userConsentRepository.findOneBy({ clientId, userId }); if (!consent) { throw new Error(`OAuth client with ID ${clientId} not found`); } this.logger.info('Deleting OAuth client and related data', { clientId }); await this.oauthClientRepository.delete({ id: clientId }); this.logger.info('OAuth client deleted successfully', { clientId, clientName: client.name, }); } }; exports.McpOAuthService = McpOAuthService; exports.McpOAuthService = McpOAuthService = __decorate([ (0, di_1.Service)(), __metadata("design:paramtypes", [backend_common_1.Logger, config_1.GlobalConfig, oauth_session_service_1.OAuthSessionService, oauth_client_repository_1.OAuthClientRepository, mcp_oauth_token_service_1.McpOAuthTokenService, mcp_oauth_authorization_code_service_1.McpOAuthAuthorizationCodeService, oauth_user_consent_repository_1.UserConsentRepository]) ], McpOAuthService); //# sourceMappingURL=mcp-oauth-service.js.map