fix(core): Clean up resolver references on deletion (n8n-io#26524)

Author: cstuncsik

packages/@n8n/api-types/src/index.ts

@@ -113,8 +113,10 @@ export {
 	credentialResolversSchema,
 	credentialResolverTypeSchema,
 	credentialResolverTypesSchema,
+	credentialResolverAffectedWorkflowsSchema,
 	type CredentialResolver,
 	type CredentialResolverType,
+	type CredentialResolverAffectedWorkflow,
 } from './schemas/credential-resolver.schema';
 export {
 	WORKFLOW_VERSION_NAME_MAX_LENGTH,

packages/@n8n/api-types/src/schemas/credential-resolver.schema.ts

@@ -29,3 +29,16 @@ export type CredentialResolverType = z.infer<typeof credentialResolverTypeSchema
 export const credentialResolversSchema = z.array(credentialResolverSchema);
 
 export type CredentialResolver = z.infer<typeof credentialResolverSchema>;
+
+export const credentialResolverAffectedWorkflowSchema = z.object({
+	id: z.string(),
+	name: z.string(),
+});
+
+export const credentialResolverAffectedWorkflowsSchema = z.array(
+	credentialResolverAffectedWorkflowSchema,
+);
+
+export type CredentialResolverAffectedWorkflow = z.infer<
+	typeof credentialResolverAffectedWorkflowSchema
+>;

packages/@n8n/db/src/repositories/__tests__/workflow.repository.test.ts

@@ -567,4 +567,105 @@ describe('WorkflowRepository', () => {
 			expect(result).toBe(3);
 		});
 	});
+
+	describe('findByCredentialResolverId', () => {
+		it('should use PostgreSQL JSON operator for postgresdb', async () => {
+			const workflows = [{ id: 'wf-1', name: 'Workflow 1' }] as WorkflowEntity[];
+			queryBuilder.getMany.mockResolvedValue(workflows);
+
+			const result = await workflowRepository.findByCredentialResolverId('resolver-123');
+
+			expect(queryBuilder.select).toHaveBeenCalledWith(['workflow.id', 'workflow.name']);
+			expect(queryBuilder.where).toHaveBeenCalledWith(
+				"workflow.settings ->> 'credentialResolverId' = :resolverId",
+				{ resolverId: 'resolver-123' },
+			);
+			expect(result).toEqual(workflows);
+		});
+
+		it('should use SQLite JSON_EXTRACT for sqlite', async () => {
+			const sqliteConfig = mockInstance(GlobalConfig, {
+				database: { type: 'sqlite' },
+			});
+			const sqliteWorkflowRepository = new WorkflowRepository(
+				entityManager.connection,
+				sqliteConfig,
+				folderRepository,
+				workflowHistoryRepository,
+			);
+			jest.spyOn(sqliteWorkflowRepository, 'createQueryBuilder').mockReturnValue(queryBuilder);
+			queryBuilder.getMany.mockResolvedValue([]);
+
+			const result = await sqliteWorkflowRepository.findByCredentialResolverId('resolver-123');
+
+			expect(queryBuilder.where).toHaveBeenCalledWith(
+				"JSON_EXTRACT(workflow.settings, '$.credentialResolverId') = :resolverId",
+				{ resolverId: 'resolver-123' },
+			);
+			expect(result).toEqual([]);
+		});
+
+		it('should return empty array when no workflows match', async () => {
+			queryBuilder.getMany.mockResolvedValue([]);
+
+			const result = await workflowRepository.findByCredentialResolverId('no-match');
+
+			expect(result).toEqual([]);
+		});
+	});
+
+	describe('clearCredentialResolverId', () => {
+		it('should use PostgreSQL jsonb removal for postgresdb', async () => {
+			const mockExecute = jest.fn().mockResolvedValue({ affected: 1 });
+			const mockUpdateWhere = jest.fn().mockReturnValue({ execute: mockExecute });
+			const mockSet = jest.fn().mockReturnValue({ where: mockUpdateWhere });
+			const mockUpdate = jest.fn().mockReturnValue({ set: mockSet });
+			const updateQb = { update: mockUpdate } as unknown as SelectQueryBuilder<WorkflowEntity>;
+
+			jest.spyOn(workflowRepository, 'createQueryBuilder').mockReturnValue(updateQb);
+
+			await workflowRepository.clearCredentialResolverId('resolver-123');
+
+			expect(mockUpdate).toHaveBeenCalled();
+			expect(mockSet).toHaveBeenCalledWith({
+				settings: expect.any(Function),
+			});
+			expect(mockUpdateWhere).toHaveBeenCalledWith(
+				"settings ->> 'credentialResolverId' = :resolverId",
+				{ resolverId: 'resolver-123' },
+			);
+			expect(mockExecute).toHaveBeenCalled();
+		});
+
+		it('should use SQLite json_remove for sqlite', async () => {
+			const mockExecute = jest.fn().mockResolvedValue({ affected: 1 });
+			const mockUpdateWhere = jest.fn().mockReturnValue({ execute: mockExecute });
+			const mockSet = jest.fn().mockReturnValue({ where: mockUpdateWhere });
+			const mockUpdate = jest.fn().mockReturnValue({ set: mockSet });
+			const updateQb = { update: mockUpdate } as unknown as SelectQueryBuilder<WorkflowEntity>;
+
+			const sqliteConfig = mockInstance(GlobalConfig, {
+				database: { type: 'sqlite' },
+			});
+			const sqliteWorkflowRepository = new WorkflowRepository(
+				entityManager.connection,
+				sqliteConfig,
+				folderRepository,
+				workflowHistoryRepository,
+			);
+			jest.spyOn(sqliteWorkflowRepository, 'createQueryBuilder').mockReturnValue(updateQb);
+
+			await sqliteWorkflowRepository.clearCredentialResolverId('resolver-123');
+
+			expect(mockUpdate).toHaveBeenCalled();
+			expect(mockSet).toHaveBeenCalledWith({
+				settings: expect.any(Function),
+			});
+			expect(mockUpdateWhere).toHaveBeenCalledWith(
+				"JSON_EXTRACT(settings, '$.credentialResolverId') = :resolverId",
+				{ resolverId: 'resolver-123' },
+			);
+			expect(mockExecute).toHaveBeenCalled();
+		});
+	});
 });

packages/@n8n/db/src/repositories/workflow.repository.ts

@@ -125,6 +125,67 @@ export class WorkflowRepository extends Repository<WorkflowEntity> {
 		return count > 0;
 	}
 
+	async findByCredentialResolverId(
+		resolverId: string,
+	): Promise<Array<Pick<WorkflowEntity, 'id' | 'name'>>> {
+		const qb = this.createQueryBuilder('workflow').select(['workflow.id', 'workflow.name']);
+		this.addCredentialResolverFilter(qb, resolverId);
+		return await qb.getMany();
+	}
+
+	/**
+	 * Finds IDs of active workflows that reference a credential resolver.
+	 */
+	async findActiveByCredentialResolverId(resolverId: string): Promise<string[]> {
+		const qb = this.createQueryBuilder('workflow')
+			.select(['workflow.id'])
+			.where('workflow.activeVersionId IS NOT NULL');
+		this.addCredentialResolverFilter(qb, resolverId, 'andWhere');
+		const workflows = await qb.getMany();
+		return workflows.map((w) => w.id);
+	}
+
+	private addCredentialResolverFilter(
+		qb: SelectQueryBuilder<WorkflowEntity>,
+		resolverId: string,
+		method: 'where' | 'andWhere' = 'where',
+	): void {
+		const dbType = this.globalConfig.database.type;
+
+		if (dbType === 'postgresdb') {
+			qb[method]("workflow.settings ->> 'credentialResolverId' = :resolverId", { resolverId });
+		} else if (dbType === 'sqlite') {
+			qb[method]("JSON_EXTRACT(workflow.settings, '$.credentialResolverId') = :resolverId", {
+				resolverId,
+			});
+		}
+	}
+
+	async clearCredentialResolverId(resolverId: string, trx?: EntityManager): Promise<void> {
+		const dbType = this.globalConfig.database.type;
+		const qb = trx
+			? trx.createQueryBuilder().update(WorkflowEntity)
+			: this.createQueryBuilder('workflow').update();
+
+		if (dbType === 'postgresdb') {
+			await qb
+				.set({
+					settings: () => "settings::jsonb - 'credentialResolverId'",
+				})
+				.where("settings ->> 'credentialResolverId' = :resolverId", { resolverId })
+				.execute();
+		} else if (dbType === 'sqlite') {
+			await qb
+				.set({
+					settings: () => "json_remove(settings, '$.credentialResolverId')",
+				})
+				.where("JSON_EXTRACT(settings, '$.credentialResolverId') = :resolverId", {
+					resolverId,
+				})
+				.execute();
+		}
+	}
+
 	async findById(workflowId: string) {
 		return await this.findOne({
 			where: { id: workflowId },

packages/cli/src/modules/dynamic-credentials.ee/credential-resolvers.controller.ts

@@ -3,9 +3,11 @@ import {
 	CredentialResolver,
 	credentialResolverSchema,
 	credentialResolversSchema,
+	credentialResolverAffectedWorkflowsSchema,
 	UpdateCredentialResolverDto,
 	CredentialResolverType,
 	credentialResolverTypesSchema,
+	type CredentialResolverAffectedWorkflow,
 } from '@n8n/api-types';
 import { AuthenticatedRequest } from '@n8n/db';
 import {
@@ -90,6 +92,27 @@ export class CredentialResolversController {
 		}
 	}
 
+	@Get('/:id/workflows')
+	@GlobalScope('credentialResolver:read')
+	async getAffectedWorkflows(
+		_req: AuthenticatedRequest,
+		_res: Response,
+		@Param('id') id: string,
+	): Promise<CredentialResolverAffectedWorkflow[]> {
+		try {
+			const workflows = await this.service.findAffectedWorkflows(id);
+			return credentialResolverAffectedWorkflowsSchema.parse(workflows);
+		} catch (e: unknown) {
+			if (e instanceof DynamicCredentialResolverNotFoundError) {
+				throw new NotFoundError(e.message);
+			}
+			if (e instanceof Error) {
+				throw new InternalServerError(e.message, e);
+			}
+			throw e;
+		}
+	}
+
 	@Get('/:id')
 	@GlobalScope('credentialResolver:read')
 	async getResolver(