n8n/dist/services/public-api-key.service.js

n8n Workflow Automation Tool

"use strict";
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
    return c > 3 && r && Object.defineProperty(target, key, r), r;
};
var __metadata = (this && this.__metadata) || function (k, v) {
    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.PublicApiKeyService = exports.PREFIX_LEGACY_API_KEY = exports.API_KEY_ISSUER = exports.API_KEY_AUDIENCE = void 0;
const db_1 = require("@n8n/db");
const di_1 = require("@n8n/di");
const permissions_1 = require("@n8n/permissions");
const crypto_1 = require("crypto");
const jwt_service_1 = require("./jwt.service");
exports.API_KEY_AUDIENCE = 'public-api';
exports.API_KEY_ISSUER = 'n8n';
const REDACT_API_KEY_REVEAL_COUNT = 4;
const REDACT_API_KEY_MAX_LENGTH = 10;
exports.PREFIX_LEGACY_API_KEY = 'n8n_api_';
let PublicApiKeyService = class PublicApiKeyService {
    constructor(apiKeyRepository, jwtService) {
        this.apiKeyRepository = apiKeyRepository;
        this.jwtService = jwtService;
        this.getApiKeyExpiration = (apiKey) => {
            const decoded = this.jwtService.decode(apiKey);
            return decoded?.exp ?? null;
        };
    }
    async createPublicApiKeyForUser(user, { label, expiresAt, scopes }) {
        const apiKey = this.generateApiKey(user, expiresAt);
        await this.apiKeyRepository.insert(this.apiKeyRepository.create({
            userId: user.id,
            apiKey,
            label,
            scopes,
            audience: exports.API_KEY_AUDIENCE,
        }));
        return await this.apiKeyRepository.findOneByOrFail({ apiKey });
    }
    async getRedactedApiKeysForUser(user) {
        const apiKeys = await this.apiKeyRepository.findBy({
            userId: user.id,
            audience: exports.API_KEY_AUDIENCE,
        });
        return apiKeys.map((apiKeyRecord) => ({
            ...apiKeyRecord,
            apiKey: this.redactApiKey(apiKeyRecord.apiKey),
            expiresAt: this.getApiKeyExpiration(apiKeyRecord.apiKey),
        }));
    }
    async deleteApiKeyForUser(user, apiKeyId) {
        await this.apiKeyRepository.delete({ userId: user.id, id: apiKeyId });
    }
    async deleteAllApiKeysForUser(user, tx) {
        return await (0, db_1.withTransaction)(this.apiKeyRepository.manager, tx, async (em) => {
            const userApiKeys = await em.find(db_1.ApiKey, {
                where: { userId: user.id, audience: exports.API_KEY_AUDIENCE },
            });
            return await Promise.all(userApiKeys.map(async (apiKey) => await em.delete(db_1.ApiKey, { id: apiKey.id })));
        });
    }
    async updateApiKeyForUser(user, apiKeyId, { label, scopes }) {
        await this.apiKeyRepository.update({ id: apiKeyId, userId: user.id }, { label, scopes });
    }
    redactApiKey(apiKey) {
        const visiblePart = apiKey.slice(-REDACT_API_KEY_REVEAL_COUNT);
        const redactedPart = '*'.repeat(Math.max(0, REDACT_API_KEY_MAX_LENGTH - REDACT_API_KEY_REVEAL_COUNT));
        return redactedPart + visiblePart;
    }
    generateApiKey(user, expiresAt) {
        const nowInSeconds = Math.floor(Date.now() / 1000);
        return this.jwtService.sign({ sub: user.id, iss: exports.API_KEY_ISSUER, aud: exports.API_KEY_AUDIENCE, jti: (0, crypto_1.randomUUID)() }, { ...(expiresAt && { expiresIn: expiresAt - nowInSeconds }) });
    }
    apiKeyHasValidScopesForRole(role, apiKeyScopes) {
        const scopesForRole = (0, permissions_1.getApiKeyScopesForRole)(role);
        return apiKeyScopes.every((scope) => scopesForRole.includes(scope));
    }
    async apiKeyHasValidScopes(apiKey, endpointScope) {
        const apiKeyData = await this.apiKeyRepository.findOne({
            where: { apiKey, audience: exports.API_KEY_AUDIENCE },
            select: { scopes: true },
        });
        if (!apiKeyData)
            return false;
        return apiKeyData.scopes.includes(endpointScope);
    }
    async removeOwnerOnlyScopesFromApiKeys(user, tx) {
        const manager = tx ?? this.apiKeyRepository.manager;
        const ownerOnlyScopes = (0, permissions_1.getOwnerOnlyApiKeyScopes)();
        const userApiKeys = await manager.find(db_1.ApiKey, {
            where: { userId: user.id, audience: exports.API_KEY_AUDIENCE },
        });
        const keysWithOwnerScopes = userApiKeys.filter((apiKey) => apiKey.scopes.some((scope) => ownerOnlyScopes.includes(scope)));
        return await Promise.all(keysWithOwnerScopes.map(async (currentApiKey) => await manager.update(db_1.ApiKey, currentApiKey.id, {
            scopes: currentApiKey.scopes.filter((scope) => !ownerOnlyScopes.includes(scope)),
        })));
    }
};
exports.PublicApiKeyService = PublicApiKeyService;
exports.PublicApiKeyService = PublicApiKeyService = __decorate([
    (0, di_1.Service)(),
    __metadata("design:paramtypes", [db_1.ApiKeyRepository,
        jwt_service_1.JwtService])
], PublicApiKeyService);
//# sourceMappingURL=public-api-key.service.js.map