fix(Form Trigger Node): Skip authentication check for form submissions #23608
+107
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Use httpCredentials to properly authenticate in Playwright - Replace networkidle with explicit selector wait - Add proper context cleanup - Update comments to reflect POST auth skip behavior 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
|
|
Author
|
close #23602 |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
2 issues found across 3 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/nodes-base/nodes/Form/utils/utils.ts">
<violation number="1" location="packages/nodes-base/nodes/Form/utils/utils.ts:579">
P1: Security concern: Skipping authentication on POST requests allows unauthenticated users to submit forms directly. An attacker who knows the form endpoint URL can bypass authentication by sending POST requests without credentials.
For Basic Auth specifically, browsers automatically include credentials on every request once authenticated. If the validation fails on POST for multi-page forms, consider investigating the root cause (e.g., session/redirect issues) rather than removing authentication entirely. Alternative approaches could include validating a CSRF token generated during the authenticated GET request.</violation>
</file>
<file name="packages/testing/playwright/tests/e2e/nodes/form-trigger-node.spec.ts">
<violation number="1" location="packages/testing/playwright/tests/e2e/nodes/form-trigger-node.spec.ts:176">
P2: Using `waitForTimeout(1000)` is a flaky test pattern. Consider waiting for the URL element to be visible instead of using a hardcoded timeout.</violation>
</file>
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
| if (node.typeVersion > 1) { | ||
| // Only validate authentication on GET requests (form display) | ||
| // POST requests (form submission) are already authenticated if the user can see the form | ||
| if (node.typeVersion > 1 && method === 'GET') { |
Contributor
There was a problem hiding this comment.
P1: Security concern: Skipping authentication on POST requests allows unauthenticated users to submit forms directly. An attacker who knows the form endpoint URL can bypass authentication by sending POST requests without credentials.
For Basic Auth specifically, browsers automatically include credentials on every request once authenticated. If the validation fails on POST for multi-page forms, consider investigating the root cause (e.g., session/redirect issues) rather than removing authentication entirely. Alternative approaches could include validating a CSRF token generated during the authenticated GET request.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/nodes-base/nodes/Form/utils/utils.ts, line 579:
<comment>Security concern: Skipping authentication on POST requests allows unauthenticated users to submit forms directly. An attacker who knows the form endpoint URL can bypass authentication by sending POST requests without credentials.
For Basic Auth specifically, browsers automatically include credentials on every request once authenticated. If the validation fails on POST for multi-page forms, consider investigating the root cause (e.g., session/redirect issues) rather than removing authentication entirely. Alternative approaches could include validating a CSRF token generated during the authenticated GET request.</comment>
<file context>
@@ -568,11 +568,15 @@ export async function formWebhook(
- if (node.typeVersion > 1) {
+ // Only validate authentication on GET requests (form display)
+ // POST requests (form submission) are already authenticated if the user can see the form
+ if (node.typeVersion > 1 && method === 'GET') {
await validateWebhookAuthentication(context, authProperty);
}
</file context>
| await n8n.canvas.openNode('On form submission'); | ||
| // When basic auth is enabled, the full URL (http://...) is shown instead of just the path | ||
| // The URL may wrap across lines in the UI, so we get all text content and extract it | ||
| await n8n.page.waitForTimeout(1000); // Wait for the URL to render |
Contributor
There was a problem hiding this comment.
P2: Using waitForTimeout(1000) is a flaky test pattern. Consider waiting for the URL element to be visible instead of using a hardcoded timeout.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/testing/playwright/tests/e2e/nodes/form-trigger-node.spec.ts, line 176:
<comment>Using `waitForTimeout(1000)` is a flaky test pattern. Consider waiting for the URL element to be visible instead of using a hardcoded timeout.</comment>
<file context>
@@ -120,4 +122,103 @@ test.describe('Form Trigger', () => {
+ await n8n.canvas.openNode('On form submission');
+ // When basic auth is enabled, the full URL (http://...) is shown instead of just the path
+ // The URL may wrap across lines in the UI, so we get all text content and extract it
+ await n8n.page.waitForTimeout(1000); // Wait for the URL to render
+ const pageContent = await n8n.page.textContent('body');
+ // Remove line breaks and extra spaces from the wrapped URL
</file context>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes an issue where multi-page forms with Basic Authentication fail to submit because authentication is unnecessarily checked on POST requests (form submissions).
Root Cause
The Form Trigger node validates authentication on both GET (form display) and POST (form submission) requests. However, if a user can already see the form (passed GET authentication), they should be able to submit it without re-authenticating on POST.
Changes
Core Fix (
packages/nodes-base/nodes/Form/utils/utils.ts)formWebhook()to only validate authentication on GET requestsmethodvariable declaration earlier for clarityTemplate Fix (
packages/cli/templates/form-trigger.handlebars)useResponseDatavalue attribute (minor cleanup)E2E Test (
packages/testing/playwright/tests/e2e/nodes/form-trigger-node.spec.ts)httpCredentialsto simulate authenticated browser contextTest Plan
Breaking Changes
None. This is a bug fix that makes the authentication behavior more intuitive.
Related Issues
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com