fix(patch): oauth2 workflow failed, added basic auth support and error handling to check client credentials

ZoneMix · ZoneMix · commit 055ef95adec9 · 2025-12-19T20:54:57.000Z
diff --git a/n8n-nodes-actual-budget-rest-api b/n8n-nodes-actual-budget-rest-api
@@ -1 +1 @@
-Subproject commit 0108e259799e07c5ca5ad5c8261216badc267eae
+Subproject commit 324d1800e3d976f65c8ccfb324eb2272d54de1cc
diff --git a/src/auth/oauth2/client.js b/src/auth/oauth2/client.js
@@ -44,11 +44,17 @@ const migrateClientSecret = async (db, clientId, plainSecret) => {
  * Supports both hashed and plain-text secrets (for migration).
  */
 export const validateClient = async (clientId, clientSecret) => {
+  if (!clientId || !clientSecret) {
+    logger.warn('OAuth2 client validation failed: missing client_id or client_secret');
+    throw new AuthenticationError('Invalid client credentials');
+  }
+
   pruneExpiredCodes();
   const db = getDb();
   const client = db.prepare('SELECT * FROM clients WHERE client_id = ?').get(clientId);
 
   if (!client) {
+    logger.warn(`OAuth2 client validation failed: client_id not found: ${clientId}`);
     throw new AuthenticationError('Invalid client credentials');
   }
 
@@ -57,17 +63,20 @@ export const validateClient = async (clientId, clientSecret) => {
     // Compare with hashed secret
     const isValid = await compareClientSecret(clientSecret, client.client_secret);
     if (!isValid) {
+      logger.warn(`OAuth2 client validation failed: invalid client_secret for client_id: ${clientId}`);
       throw new AuthenticationError('Invalid client credentials');
     }
   } else {
     // Legacy: compare plain text (and migrate to hashed)
     if (client.client_secret !== clientSecret) {
+      logger.warn(`OAuth2 client validation failed: invalid client_secret for client_id: ${clientId}`);
       throw new AuthenticationError('Invalid client credentials');
     }
     // Migrate to hashed format
     await migrateClientSecret(db, clientId, clientSecret);
   }
 
+  logger.debug(`OAuth2 client validation successful: ${clientId}`);
   return client;
 };
 
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
@@ -81,25 +81,69 @@ router.get('/authorize', asyncHandler(async (req, res) => {
   res.redirect(redirectUrl.toString());
 }));
 
+/**
+ * Extract client credentials from request.
+ * Supports both:
+ * 1. HTTP Basic Authentication (Authorization header) - OAuth2 recommended
+ * 2. Request body parameters (client_id, client_secret)
+ */
+const extractClientCredentials = (req) => {
+  // Method 1: Try Basic Auth header first (OAuth2 recommended)
+  const authHeader = req.headers.authorization;
+  if (authHeader && authHeader.startsWith('Basic ')) {
+    try {
+      const base64Credentials = authHeader.slice(6); // Remove 'Basic ' prefix
+      const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');
+      const [clientId, clientSecret] = credentials.split(':', 2);
+      
+      if (clientId && clientSecret) {
+        return { clientId, clientSecret };
+      }
+    } catch {
+      // Invalid Basic Auth format, fall through to body method
+    }
+  }
+  
+  // Method 2: Fall back to request body
+  const { client_id, client_secret } = req.body;
+  if (client_id && client_secret) {
+    return { clientId: client_id, clientSecret: client_secret };
+  }
+  
+  return null;
+};
+
 /**
  * POST /oauth/token
  *
  * OAuth2 token endpoint. Exchanges authorization code for access token.
  * Validates client credentials and authorization code before issuing tokens.
+ * 
+ * Supports client credentials via:
+ * - HTTP Basic Authentication (Authorization: Basic <base64(client_id:client_secret)>) - Recommended
+ * - Request body (client_id, client_secret) - form-encoded or JSON
  */
-router.post('/token', express.urlencoded({ extended: true }), asyncHandler(async (req, res) => {
-  const { grant_type, code, client_id, client_secret, redirect_uri } = req.body;
+router.post('/token', express.json(), express.urlencoded({ extended: true }), asyncHandler(async (req, res) => {
+  const { grant_type, code, redirect_uri } = req.body;
 
   // Only support authorization code grant
   if (grant_type !== 'authorization_code') {
     throwBadRequest('Unsupported grant_type');
   }
 
+  // Extract client credentials (supports Basic Auth or body)
+  const credentials = extractClientCredentials(req);
+  if (!credentials) {
+    throwBadRequest('Client credentials required. Provide via Basic Auth header or request body (client_id, client_secret)');
+  }
+
+  const { clientId, clientSecret } = credentials;
+
   // Validate client credentials
-  await validateClient(client_id, client_secret);
+  await validateClient(clientId, clientSecret);
   
   // Validate and exchange authorization code
-  const { userId, scope } = validateAuthCode(code, client_id, redirect_uri);
+  const { userId, scope } = validateAuthCode(code, clientId, redirect_uri);
 
   // Get user details for token issuance
   const db = getDb();
