fix(core): Allow secrets manager secrets to be used in credentials #13110
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
n8n-assistant
bot
added
core
Codecov ReportAll modified and coverable lines are covered by tests ✅ 📢 Thoughts on this report? Let us know! |
…issue-external-secrets-bug-woauth
netroy
approved these changes
Feb 7, 2025
|
✅ All Cypress E2E specs passed |
n8n
|
||||||||||||||||||||||||||||
| Project |
n8n
|
| Branch Review |
pay-2557-community-issue-external-secrets-bug-woauth
|
| Run status |
|
| Run duration | 04m 33s |
| Commit |
|
| Committer | कारतोफ्फेलस्क्रिप्ट™ |
| View all properties for this run ↗︎ | |
| Test results | |
|---|---|
Failures
|
0
|
Flaky
|
1
|
Pending
|
5
|
Skipped
|
0
|
Passing
|
434
|
| View all changes introduced in this branch ↗︎ | |
netroy
deleted the
pay-2557-community-issue-external-secrets-bug-woauth
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
There is a bug in our OAuth2 flow which doesn't allow credential expressions to be evaluated when they use
$secrets. This means that the secrets manager credentials don't work as expected. E.g. passing{{ $secrets.awsSecretsManager.google_client_secret }}would become undefined.The initial request to the OAuth
/authendpoint will be incorrect as theclient_idwill be present but theclient_secretdoesn't exist. This then fails the OAuth2 flow with a missing client secret error.We currently fail to allow
$secretsto be added to the context for expression evaluation when decrypting the credentials. We should only allow this to happen on the initial OAuth URL. If we add it to the subsequent callback when the auth token is exchanged for access and refresh tokens, it loses thecsrfTokenthat we pass with the request do to the wayapplyDefaultsAndOverwritesis applied in the credentials helper.I'm concerned that this has the potential to break other OAuth flows so comments would be appreciated
It's also currently lacking any additional tests but it does now work as expected.
Related Linear tickets, Github issues, and Community forum posts
PAY-2557
resolves #12947
https://community.n8n.io/t/aws-secrets-manager-external-secrets-bug-w-google/73697
Review / Merge checklist
release/backport(if the PR is an urgent fix that needs to be backported)