feat(core): Wire up embed login end-to-end with cookie overrides and audit events (no-changelog) (#28303)

Author: afitzek

packages/cli/src/auth/__tests__/auth.service.test.ts

@@ -766,6 +766,25 @@ describe('AuthService', () => {
 			expect(res.cookie).toHaveBeenCalled();
 		});
 
+		it('should preserve embed cookie attributes when refreshing an embed session', async () => {
+			userRepository.findOne.mockResolvedValue(user);
+			const embedToken = authService.issueJWT(user, false, browserId, true);
+
+			jest.advanceTimersByTime(6 * Time.days.toMilliseconds);
+			await authService.resolveJwt(embedToken, req, res);
+
+			expect(res.cookie).toHaveBeenCalledWith('n8n-auth', expect.any(String), {
+				httpOnly: true,
+				maxAge: 604800000,
+				sameSite: 'none',
+				secure: true,
+			});
+
+			const refreshedToken = res.cookie.mock.calls[0].at(1);
+			const decoded = jwt.decode(refreshedToken) as jwt.JwtPayload;
+			expect(decoded.isEmbed).toBe(true);
+		});
+
 		it('should not refresh the cookie if jwtRefreshTimeoutHours is set to -1', async () => {
 			globalConfig.userManagement.jwtRefreshTimeoutHours = -1;
 

packages/cli/src/auth/auth.service.ts

@@ -26,6 +26,8 @@ interface AuthJwtPayload {
 	browserId?: string;
 	/** This indicates if mfa was used during the creation of this token */
 	usedMfa?: boolean;
+	/** This indicates if the session originated from an embed login (cross-site cookie required) */
+	isEmbed?: boolean;
 }
 
 interface IssuedJWT extends AuthJwtPayload {
@@ -204,30 +206,38 @@ export class AuthService {
 		}
 	}
 
-	issueCookie(res: Response, user: User, usedMfa: boolean, browserId?: string) {
+	issueCookie(
+		res: Response,
+		user: User,
+		usedMfa: boolean,
+		browserId?: string,
+		isEmbed?: boolean,
+		cookieOverrides?: { sameSite?: 'strict' | 'lax' | 'none'; secure?: boolean },
+	) {
 		// TODO: move this check to the login endpoint in AuthController
 		// If the instance has exceeded its user quota, prevent non-owners from logging in
 		const isWithinUsersLimit = this.license.isWithinUsersLimit();
 		if (user.role.slug !== GLOBAL_OWNER_ROLE.slug && !isWithinUsersLimit) {
 			throw new ForbiddenError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
 		}
 
-		const token = this.issueJWT(user, usedMfa, browserId);
+		const token = this.issueJWT(user, usedMfa, browserId, isEmbed);
 		const { samesite, secure } = this.globalConfig.auth.cookie;
 		res.cookie(AUTH_COOKIE_NAME, token, {
 			maxAge: this.jwtExpiration * Time.seconds.toMilliseconds,
 			httpOnly: true,
-			sameSite: samesite,
-			secure,
+			sameSite: cookieOverrides?.sameSite ?? samesite,
+			secure: cookieOverrides?.secure ?? secure,
 		});
 	}
 
-	issueJWT(user: User, usedMfa: boolean = false, browserId?: string) {
+	issueJWT(user: User, usedMfa: boolean = false, browserId?: string, isEmbed?: boolean) {
 		const payload: AuthJwtPayload = {
 			id: user.id,
 			hash: this.createJWTHash(user),
 			browserId: browserId && this.hash(browserId),
 			usedMfa,
+			...(isEmbed && { isEmbed }),
 		};
 		return this.jwtService.sign(payload, {
 			expiresIn: this.jwtExpiration,
@@ -338,7 +348,17 @@ export class AuthService {
 
 		if (jwtPayload.exp * 1000 - Date.now() < this.jwtRefreshTimeout) {
 			this.logger.debug('JWT about to expire. Will be refreshed');
-			this.issueCookie(res, user, jwtPayload.usedMfa ?? false, browserId);
+			const embedCookieOverrides = jwtPayload.isEmbed
+				? ({ sameSite: 'none' as const, secure: true } as const)
+				: undefined;
+			this.issueCookie(
+				res,
+				user,
+				jwtPayload.usedMfa ?? false,
+				browserId,
+				jwtPayload.isEmbed,
+				embedCookieOverrides,
+			);
 		}
 
 		return [user, { usedMfa: jwtPayload.usedMfa ?? false }];

packages/cli/src/events/maps/relay.event-map.ts

@@ -718,6 +718,7 @@ export type RelayEventMap = {
 	'embed-login': {
 		subject: string;
 		issuer: string;
+		kid: string;
 		clientIp: string;
 	};
 

packages/cli/src/modules/token-exchange/controllers/__tests__/embed-auth.controller.test.ts

@@ -4,69 +4,139 @@ import type { Response } from 'express';
 import { mock } from 'jest-mock-extended';
 
 import type { AuthService } from '@/auth/auth.service';
+import type { EventService } from '@/events/event.service';
 import type { AuthlessRequest } from '@/requests';
 import type { UrlService } from '@/services/url.service';
 
 import { EmbedAuthController } from '../embed-auth.controller';
 import type { TokenExchangeService } from '../../services/token-exchange.service';
+import type { TokenExchangeConfig } from '../../token-exchange.config';
 
+const config = mock<TokenExchangeConfig>({ embedEnabled: true });
 const tokenExchangeService = mock<TokenExchangeService>();
 const authService = mock<AuthService>();
 const urlService = mock<UrlService>();
+const eventService = mock<EventService>();
 
-const controller = new EmbedAuthController(tokenExchangeService, authService, urlService);
+const controller = new EmbedAuthController(
+	config,
+	tokenExchangeService,
+	authService,
+	urlService,
+	eventService,
+);
 
 const mockUser = mock<User>({
 	id: '123',
 	email: 'user@example.com',
 	role: GLOBAL_MEMBER_ROLE,
 });
 
+const embedLoginResult = {
+	user: mockUser,
+	subject: 'ext-sub-1',
+	issuer: 'https://issuer.example.com',
+	kid: 'key-id-1',
+};
+
 describe('EmbedAuthController', () => {
 	beforeEach(() => {
 		jest.clearAllMocks();
+		config.embedEnabled = true;
 		urlService.getInstanceBaseUrl.mockReturnValue('http://localhost:5678');
 	});
 
-	describe('GET /auth/embed', () => {
-		it('should extract token from query, call embedLogin, issue cookie, and redirect', async () => {
-			const req = mock<AuthlessRequest>({
-				browserId: 'browser-id-123',
+	describe('when disabled', () => {
+		it('should return 501 for GET and POST when embedEnabled is false', async () => {
+			config.embedEnabled = false;
+			const req = mock<AuthlessRequest>();
+			const res = mock<Response>();
+			res.status.mockReturnThis();
+
+			await controller.getLogin(req, res, new EmbedLoginQueryDto({ token: 'any' }));
+
+			expect(res.status).toHaveBeenCalledWith(501);
+			expect(res.json).toHaveBeenCalledWith({
+				error: 'server_error',
+				error_description: 'Embed login is not enabled on this instance',
 			});
+			expect(tokenExchangeService.embedLogin).not.toHaveBeenCalled();
+
+			jest.clearAllMocks();
+			res.status.mockReturnThis();
+
+			await controller.postLogin(req, res, new EmbedLoginBodyDto({ token: 'any' }));
+
+			expect(res.status).toHaveBeenCalledWith(501);
+			expect(tokenExchangeService.embedLogin).not.toHaveBeenCalled();
+		});
+	});
+
+	describe('GET /auth/embed', () => {
+		it('should login, issue cookie with embed overrides, emit audit event, and redirect', async () => {
+			const req = mock<AuthlessRequest>({ browserId: 'browser-id-123', ip: '192.168.1.1' });
 			const res = mock<Response>();
 			const query = new EmbedLoginQueryDto({ token: 'subject-token' });
-			tokenExchangeService.embedLogin.mockResolvedValue(mockUser);
+			tokenExchangeService.embedLogin.mockResolvedValue(embedLoginResult);
 
 			await controller.getLogin(req, res, query);
 
 			expect(tokenExchangeService.embedLogin).toHaveBeenCalledWith('subject-token');
-			expect(authService.issueCookie).toHaveBeenCalledWith(res, mockUser, true, 'browser-id-123');
+			expect(authService.issueCookie).toHaveBeenCalledWith(
+				res,
+				mockUser,
+				true,
+				'browser-id-123',
+				true,
+				{
+					sameSite: 'none',
+					secure: true,
+				},
+			);
+			expect(eventService.emit).toHaveBeenCalledWith('embed-login', {
+				subject: 'ext-sub-1',
+				issuer: 'https://issuer.example.com',
+				kid: 'key-id-1',
+				clientIp: '192.168.1.1',
+			});
 			expect(res.redirect).toHaveBeenCalledWith('http://localhost:5678/');
 		});
 	});
 
 	describe('POST /auth/embed', () => {
-		it('should extract token from body, call embedLogin, issue cookie, and redirect', async () => {
-			const req = mock<AuthlessRequest>({
-				browserId: 'browser-id-456',
-			});
+		it('should login, issue cookie with embed overrides, emit audit event, and redirect', async () => {
+			const req = mock<AuthlessRequest>({ browserId: 'browser-id-456', ip: '10.0.0.1' });
 			const res = mock<Response>();
 			const body = new EmbedLoginBodyDto({ token: 'subject-token' });
-			tokenExchangeService.embedLogin.mockResolvedValue(mockUser);
+			tokenExchangeService.embedLogin.mockResolvedValue(embedLoginResult);
 
 			await controller.postLogin(req, res, body);
 
 			expect(tokenExchangeService.embedLogin).toHaveBeenCalledWith('subject-token');
-			expect(authService.issueCookie).toHaveBeenCalledWith(res, mockUser, true, 'browser-id-456');
+			expect(authService.issueCookie).toHaveBeenCalledWith(
+				res,
+				mockUser,
+				true,
+				'browser-id-456',
+				true,
+				{
+					sameSite: 'none',
+					secure: true,
+				},
+			);
+			expect(eventService.emit).toHaveBeenCalledWith('embed-login', {
+				subject: 'ext-sub-1',
+				issuer: 'https://issuer.example.com',
+				kid: 'key-id-1',
+				clientIp: '10.0.0.1',
+			});
 			expect(res.redirect).toHaveBeenCalledWith('http://localhost:5678/');
 		});
 	});
 
 	describe('error propagation', () => {
-		it('should propagate errors from TokenExchangeService', async () => {
-			const req = mock<AuthlessRequest>({
-				browserId: 'browser-id-789',
-			});
+		it('should not emit audit event or issue cookie on failure', async () => {
+			const req = mock<AuthlessRequest>({ browserId: 'browser-id-789' });
 			const res = mock<Response>();
 			const query = new EmbedLoginQueryDto({ token: 'bad-token' });
 			tokenExchangeService.embedLogin.mockRejectedValue(new Error('Token verification failed'));
@@ -75,6 +145,7 @@ describe('EmbedAuthController', () => {
 				'Token verification failed',
 			);
 			expect(authService.issueCookie).not.toHaveBeenCalled();
+			expect(eventService.emit).not.toHaveBeenCalled();
 			expect(res.redirect).not.toHaveBeenCalled();
 		});
 	});

packages/cli/src/modules/token-exchange/controllers/embed-auth.controller.ts

@@ -4,24 +4,35 @@ import { Body, Get, Post, Query, RestController } from '@n8n/decorators';
 import type { Response } from 'express';
 
 import { AuthService } from '@/auth/auth.service';
+import { EventService } from '@/events/event.service';
 import { AuthlessRequest } from '@/requests';
 import { UrlService } from '@/services/url.service';
 
 import { TokenExchangeService } from '../services/token-exchange.service';
+import { TokenExchangeConfig } from '../token-exchange.config';
 
 @RestController('/auth/embed')
 export class EmbedAuthController {
 	constructor(
+		private readonly config: TokenExchangeConfig,
 		private readonly tokenExchangeService: TokenExchangeService,
 		private readonly authService: AuthService,
 		private readonly urlService: UrlService,
+		private readonly eventService: EventService,
 	) {}
 
 	@Get('/', {
 		skipAuth: true,
 		ipRateLimit: { limit: 20, windowMs: 1 * Time.minutes.toMilliseconds },
 	})
 	async getLogin(req: AuthlessRequest, res: Response, @Query query: EmbedLoginQueryDto) {
+		if (!this.config.embedEnabled) {
+			res.status(501).json({
+				error: 'server_error',
+				error_description: 'Embed login is not enabled on this instance',
+			});
+			return;
+		}
 		return await this.handleLogin(query.token, req, res);
 	}
 
@@ -30,17 +41,30 @@ export class EmbedAuthController {
 		ipRateLimit: { limit: 20, windowMs: 1 * Time.minutes.toMilliseconds },
 	})
 	async postLogin(req: AuthlessRequest, res: Response, @Body body: EmbedLoginBodyDto) {
+		if (!this.config.embedEnabled) {
+			res.status(501).json({
+				error: 'server_error',
+				error_description: 'Embed login is not enabled on this instance',
+			});
+			return;
+		}
 		return await this.handleLogin(body.token, req, res);
 	}
 
 	private async handleLogin(subjectToken: string, req: AuthlessRequest, res: Response) {
-		const user = await this.tokenExchangeService.embedLogin(subjectToken);
+		const { user, subject, issuer, kid } = await this.tokenExchangeService.embedLogin(subjectToken);
 
-		this.authService.issueCookie(res, user, true, req.browserId);
-		// TODO: Override cookie SameSite=None for embed/iframe usage.
-		// The standard issueCookie uses the global config's sameSite setting.
-		// For embed, SameSite=None + Secure is required. Integrate into
-		// AuthService.issueCookie() options in a follow-up PR.
+		this.authService.issueCookie(res, user, true, req.browserId, true, {
+			sameSite: 'none',
+			secure: true,
+		});
+
+		this.eventService.emit('embed-login', {
+			subject,
+			issuer,
+			kid,
+			clientIp: req.ip ?? 'unknown',
+		});
 
 		res.redirect(this.urlService.getInstanceBaseUrl() + '/');
 	}

packages/cli/src/modules/token-exchange/services/__tests__/token-exchange.service.test.ts

@@ -78,7 +78,12 @@ describe('TokenExchangeService', () => {
 
 			const result = await service.embedLogin('valid-token');
 
-			expect(result).toBe(mockUser);
+			expect(result).toEqual({
+				user: mockUser,
+				subject: 'external-user-1',
+				issuer: 'https://issuer.example.com',
+				kid: 'test-kid',
+			});
 			expect(trustedKeyStore.getByKidAndIss).toHaveBeenCalledWith(
 				'test-kid',
 				'https://issuer.example.com',

packages/cli/src/modules/token-exchange/services/token-exchange.service.ts

@@ -116,14 +116,17 @@ export class TokenExchangeService {
 		return { claims, resolvedKey };
 	}
 
-	async embedLogin(subjectToken: string): Promise<User> {
+	async embedLogin(
+		subjectToken: string,
+	): Promise<{ user: User; subject: string; issuer: string; kid: string }> {
 		const { claims, resolvedKey } = await this.verifyToken(subjectToken, {
 			maxLifetimeSeconds: MAX_TOKEN_LIFETIME_SECONDS,
 		});
-		return await this.identityResolutionService.resolve(claims, resolvedKey.allowedRoles, {
+		const user = await this.identityResolutionService.resolve(claims, resolvedKey.allowedRoles, {
 			kid: resolvedKey.kid,
 			issuer: resolvedKey.issuer,
 		});
+		return { user, subject: claims.sub, issuer: resolvedKey.issuer, kid: resolvedKey.kid };
 	}
 
 	async exchange(request: TokenExchangeRequest): Promise<IssuedTokenResult> {

packages/cli/src/modules/token-exchange/token-exchange.config.ts

@@ -6,6 +6,10 @@ export class TokenExchangeConfig {
 	@Env('N8N_TOKEN_EXCHANGE_ENABLED')
 	enabled: boolean = false;
 
+	/** Whether the embed login endpoint (GET/POST /auth/embed) is enabled. */
+	@Env('N8N_EMBED_LOGIN_ENABLED')
+	embedEnabled: boolean = false;
+
 	/** Maximum lifetime in seconds for an issued token. */
 	@Env('N8N_TOKEN_EXCHANGE_MAX_TOKEN_TTL')
 	maxTokenTtl: number = 900;