fix(core): Improve browserId checks, and add logging (#9161)

package.json

@@ -94,6 +94,7 @@
       "@sentry/cli@2.17.0": "patches/@sentry__cli@2.17.0.patch",
       "pkce-challenge@3.0.0": "patches/pkce-challenge@3.0.0.patch",
       "pyodide@0.23.4": "patches/pyodide@0.23.4.patch",
+      "@types/express-serve-static-core@4.17.43": "patches/@types__express-serve-static-core@4.17.43.patch",
       "@types/ws@8.5.4": "patches/@types__ws@8.5.4.patch",
       "vite-plugin-checker@0.6.4": "patches/vite-plugin-checker@0.6.4.patch"
     }

packages/@n8n/nodes-langchain/package.json

@@ -120,7 +120,7 @@
   "devDependencies": {
     "@aws-sdk/types": "3.357.0",
     "@types/basic-auth": "^1.1.3",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
     "@types/html-to-text": "^9.0.1",
     "@types/json-schema": "^7.0.15",
     "@types/temp": "^0.9.1",

packages/cli/src/auth/auth.service.ts

@@ -41,7 +41,7 @@ const skipBrowserIdCheckEndpoints = [
 	`/${restEndpoint}/push`,
 
 	// We need to exclude binary-data downloading endpoint because we can't send custom headers on `<embed>` tags
-	`/${restEndpoint}/binary-data`,
+	`/${restEndpoint}/binary-data/`,
 
 	// oAuth callback urls aren't called by the frontend. therefore we can't send custom header on these requests
 	`/${restEndpoint}/oauth1-credential/callback`,
@@ -131,15 +131,23 @@ export class AuthService {
 			// or, If the user has been deactivated (i.e. LDAP users)
 			user.disabled ||
 			// or, If the email or password has been updated
-			jwtPayload.hash !== this.createJWTHash(user) ||
-			// If the token was issued for another browser session
-			(!skipBrowserIdCheckEndpoints.includes(req.baseUrl) &&
-				jwtPayload.browserId &&
-				(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId)))
+			jwtPayload.hash !== this.createJWTHash(user)
 		) {
 			throw new AuthError('Unauthorized');
 		}
 
+		// Check if the token was issued for another browser session, ignoring the endpoints that can't send custom headers
+		const endpoint = req.route ? `${req.baseUrl}${req.route.path}` : req.baseUrl;
+		if (req.method === 'GET' && skipBrowserIdCheckEndpoints.includes(endpoint)) {
+			this.logger.debug(`Skipped browserId check on ${endpoint}`);
+		} else if (
+			jwtPayload.browserId &&
+			(!req.browserId || jwtPayload.browserId !== this.hash(req.browserId))
+		) {
+			this.logger.warn(`browserId check failed on ${endpoint}`);
+			throw new AuthError('Unauthorized');
+		}
+
 		if (jwtPayload.exp * 1000 - Date.now() < this.jwtRefreshTimeout) {
 			this.logger.debug('JWT about to expire. Will be refreshed');
 			this.issueCookie(res, user, jwtPayload.browserId);

packages/core/package.json

@@ -37,7 +37,7 @@
     "@types/aws4": "^1.5.1",
     "@types/concat-stream": "^2.0.0",
     "@types/cron": "~1.7.1",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
     "@types/lodash": "^4.14.195",
     "@types/mime-types": "^2.1.0",
     "@types/uuid": "^8.3.2",

packages/nodes-base/package.json

@@ -810,7 +810,7 @@
     "@types/cheerio": "^0.22.15",
     "@types/cron": "~1.7.1",
     "@types/eventsource": "^1.1.2",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
     "@types/html-to-text": "^9.0.1",
     "@types/gm": "^1.25.0",
     "@types/js-nacl": "^1.3.0",

packages/workflow/package.json

@@ -40,7 +40,7 @@
   ],
   "devDependencies": {
     "@types/deep-equal": "^1.0.1",
-    "@types/express": "^4.17.6",
+    "@types/express": "^4.17.21",
     "@types/jmespath": "^0.15.0",
     "@types/lodash": "^4.14.195",
     "@types/luxon": "^3.2.0",

patches/@types__express-serve-static-core@4.17.43.patch

@@ -0,0 +1,13 @@
+diff --git a/index.d.ts b/index.d.ts
+index 5cc36f5760c806a76ee839bfb67c419c9cb48901..8ef0bf74f0f31741b564fe37f040144526e98eb5 100644
+--- a/index.d.ts
++++ b/index.d.ts
+@@ -646,7 +646,7 @@ export interface Request<
+
+     query: ReqQuery;
+
+-    route: any;
++    route?: Pick<IRoute, 'path' | 'stack'>;
+
+     signedCookies: any;
+