feat(API): Implement users account quota guards

[OlegIvaniv]

Github issue / Community forum post (link here to close automatically):

[github-actions]

Great PR! Please pay attention to the following items before merging:

Files matching packages/**:

• If fixing bug, added test to cover scenario.
• If addressing forum or Github issue, added link to description.

Files matching packages/**/*.ts:

• Added unit tests to cover new or updated functionality.

Make sure to check off this list before asking for review.

[ivov]

General comments:

1. We are aiming to have a 1-user flavor of UM, rather than to check whether UM is enabled or disabled. Also remember that in v1 there will be no explicit checks for UM as it will always be enabled. Hence we should focus the checks on the users quota.
2. Let's aim to add functionality to services or repositories instead of UserManagementHelper. The UserManagement dir was created when UM was only a feature, but by now UM has become an integral part of the BE - so over time that dir and its helpers should be removed. isInstanceOwner in particular could be isOwner is the UserRepository.
3. Can we centralize the check by adding it to resolveJwtContent instead? Or was there a reason that this didn't work or shouldn't be done?
4. We are throwing 400 but I wonder if 401 would be more appropriate, since members are unauthorized in 1-user UM.
5. For endpoints protected by this new check, I wonder if we could create a Nest-style decorator auth guard. We should have most of the setup for this already.

[ivov]

An overload on getFeatureValue would be nice, to have proper typing.

[OlegIvaniv]

Thanks @ivov! I've addressed all your points but 5. Moving the check to central place(resolveJwtContent) simplified the logic so IMO there's no need for the decorator. Can you have another look, please?

[codecov]

Codecov Report

Patch coverage: 75.47% and project coverage change: -0.06 ⚠️

Comparison is base (20737b5) 28.92% compared to head (04db6a8) 28.87%.

❗ Current head 04db6a8 differs from pull request most recent head 9ed555d. Consider uploading reports for the commit 9ed555d to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6434      +/-   ##
==========================================
- Coverage   28.92%   28.87%   -0.06%     
==========================================
  Files        3069     3070       +1     
  Lines      188355   188417      +62     
  Branches    20892    20899       +7     
==========================================
- Hits        54488    54399      -89     
- Misses     132987   133135     +148     
- Partials      880      883       +3     

Impacted Files	Coverage Δ
...blicApi/v1/handlers/workflows/workflows.service.ts	92.15% <ø> (-0.16%)	⬇️
packages/cli/src/Server.ts	0.00% <0.00%> (ø)
packages/cli/src/push/index.ts	23.63% <ø> (ø)
packages/workflow/src/Interfaces.ts	57.14% <ø> (ø)
packages/cli/src/controllers/users.controller.ts	73.27% <45.45%> (-1.61%)	⬇️
packages/cli/src/controllers/auth.controller.ts	74.71% <50.00%> (-1.20%)	⬇️
packages/cli/src/License.ts	55.55% <54.54%> (+1.11%)	⬆️
...es/cli/src/controllers/passwordReset.controller.ts	82.22% <60.00%> (-3.32%)	⬇️
packages/editor-ui/src/views/SettingsUsersView.vue	47.92% <82.50%> (+4.28%)	⬆️
packages/editor-ui/src/stores/settings.store.ts	73.17% <85.71%> (+0.26%)	⬆️
... and 10 more

... and 5 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[OlegIvaniv]

@ivov Addressed your comments. Can you re-review, please?

[cypress]

1 flaky tests on run #1424 ↗︎

0

219

0

0

1

Details:

🌳 ado-762-in-app-deny-member-logins-for-plans-having-1-as-users-quota 🖥️ brows...
Project: n8n	Commit: 9ed555dc89
Status: Passed	Duration: 07:45 💡
Started: Jul 12, 2023 7:29 AM	Ended: Jul 12, 2023 7:37 AM

  cypress/e2e/24-ndv-paired-item.cy.ts • 1 flaky test

View Output Video

Test		Artifacts
NDV > can pair items between input and output across branches and runs		Output Screenshots Video

_{This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.}

[ivov]

Still need to test it locally.

[ivov]

Thanks for addressing everything! I'll test it out later today :)

[OlegIvaniv]

Thanks for addressing everything! I'll test it out later today :)

Thanks for the thorough review <3 Let me know if I can help with anything

[github-actions]

✅ All Cypress E2E specs passed

[ivov]

@OlegIvaniv

Tested these cases, let me know if I'm missing any, else let's merge!

When having 1 as user quota:

• Owner can log in
• Owner cannot invite users, sees upgrade path
• Owner can delete existing users, with transfer
• Already logged-in member remains logged in
• Logged out member cannot log in, sees quota message

Regular case:

• Owner can log in
• Owner can invite users
• Member can log in

[janober]

Got released with n8n@1.0.3