N8N_AUTH_EXCLUDE_ENDPOINTS cannot be set to rest

[lawfulsoftware]

Bug Description

n8n has been returning 401 errors at the final stage of OAuth2 authentication. It returns: {"status":"error","message":"Unauthorized"} however the other application (e.g., Nextcloud) shows that a session was properly created.

As part of my troubleshooting efforts, I set N8N_AUTH_EXCLUDE_ENDPOINTS=rest however the container fails to start; instead, it returns an error in the logs AssertionError [ERR_ASSERTION]: REST endpoint cannot be set to any of these values: assets,healthz,metrics,e2e,rest

I set N8N_ENDPOINT_REST to different values (e.g., rest2 or resting) and set N8N_AUTH_EXCLUDE_ENDPOINTS to match the value of N8N_ENDPOINT_REST. The container failed to start each time and returned the same error except the list of values to which the REST endpoint cannot be set was updated to replace rest with whatever value I set for N8N_ENDPOINT_REST

I was, however, able to set N8N_AUTH_EXCLUDE_ENDPOINTS=api and the container started without any complaints.

To Reproduce

Follow the steps above.

Expected behavior

If N8N_AUTH_EXCLUDE_ENDPOINTS cannot be used on the REST endpoint, this should be documented.

Operating System

n8nio/n8n:1.35.0

n8n Version

n8nio/n8n:1.35.0

Node.js Version

n8nio/n8n:1.35.0

Database

PostgreSQL

Execution mode

main (default)

[netroy]

N8N_AUTH_EXCLUDE_ENDPOINTS is used to skip auth checks. If we allow setting it to rest, we'd be saying that the internal api can skip auth, which is not going to work.

Anyways, since we have rewritten most of the auth in a way now that auth is defined on a per-route basis, we can likely remove this env variable, as it's most likely not being used anymore.

[netroy]

fixed in #9044