feat(core): Add dynamic credential resolution with credential resolver id and workflow settings resolver id

Author: guillaumejacquart

packages/cli/src/__tests__/credentials-helper.test.ts

@@ -381,4 +381,189 @@ describe('CredentialsHelper', () => {
 			expect(parsedUpdatedData.oauthTokenData.token_type).toBe('Bearer');
 		});
 	});
+
+	describe('getDecrypted - credential resolution integration', () => {
+		const mockCredentialResolutionProvider = {
+			resolveIfNeeded: jest.fn(),
+		};
+
+		const mockAdditionalData = {
+			executionContext: {
+				version: 1,
+				establishedAt: Date.now(),
+				source: 'manual' as const,
+				credentials: 'encrypted-credential-context',
+			},
+			workflowSettings: {
+				executionTimeout: 300,
+				credentialResolverId: 'workflow-resolver-123',
+			},
+		} as any;
+
+		const nodeCredentials: INodeCredentialsDetails = {
+			id: 'cred-456',
+			name: 'Test Credentials',
+		};
+
+		const credentialType = 'testApi';
+
+		const mockCredentialEntity = {
+			id: 'cred-456',
+			name: 'Test Credentials',
+			type: credentialType,
+			data: cipher.encrypt({ apiKey: 'static-key' }),
+			isResolvable: true,
+			resolverId: 'credential-resolver-789',
+			resolvableAllowFallback: false,
+		} as CredentialsEntity;
+
+		beforeEach(() => {
+			jest.clearAllMocks();
+			credentialsRepository.findOneByOrFail.mockResolvedValue(mockCredentialEntity);
+		});
+
+		test('should call resolveIfNeeded when credentialResolutionProvider is set', async () => {
+			credentialsHelper.setCredentialResolutionProvider(mockCredentialResolutionProvider);
+
+			const resolvedData = { apiKey: 'dynamic-key' };
+			mockCredentialResolutionProvider.resolveIfNeeded.mockResolvedValue(resolvedData);
+
+			const result = await credentialsHelper.getDecrypted(
+				mockAdditionalData,
+				nodeCredentials,
+				credentialType,
+				'manual',
+				undefined, // executeData
+				true, // raw = true to get the resolved data directly
+			);
+
+			expect(mockCredentialResolutionProvider.resolveIfNeeded).toHaveBeenCalledWith(
+				mockCredentialEntity,
+				{ apiKey: 'static-key' },
+				mockAdditionalData.executionContext,
+				mockAdditionalData.workflowSettings,
+			);
+			expect(result).toEqual(resolvedData);
+		});
+
+		test('should pass executionContext from additionalData to resolver', async () => {
+			credentialsHelper.setCredentialResolutionProvider(mockCredentialResolutionProvider);
+			mockCredentialResolutionProvider.resolveIfNeeded.mockResolvedValue({ apiKey: 'resolved' });
+
+			await credentialsHelper.getDecrypted(
+				mockAdditionalData,
+				nodeCredentials,
+				credentialType,
+				'manual',
+				undefined,
+				true,
+			);
+
+			const call = mockCredentialResolutionProvider.resolveIfNeeded.mock.calls[0];
+			expect(call[2]).toBe(mockAdditionalData.executionContext);
+		});
+
+		test('should pass workflowSettings from additionalData to resolver', async () => {
+			credentialsHelper.setCredentialResolutionProvider(mockCredentialResolutionProvider);
+			mockCredentialResolutionProvider.resolveIfNeeded.mockResolvedValue({ apiKey: 'resolved' });
+
+			await credentialsHelper.getDecrypted(
+				mockAdditionalData,
+				nodeCredentials,
+				credentialType,
+				'manual',
+				undefined,
+				true,
+			);
+
+			const call = mockCredentialResolutionProvider.resolveIfNeeded.mock.calls[0];
+			expect(call[3]).toBe(mockAdditionalData.workflowSettings);
+		});
+
+		test('should skip resolution when credentialResolutionProvider is not set', async () => {
+			// Create a new instance without provider
+			const helperWithoutProvider = new CredentialsHelper(
+				new CredentialTypes(mockNodesAndCredentials),
+				mock(),
+				credentialsRepository,
+				mock(),
+				mock(),
+			);
+
+			const result = await helperWithoutProvider.getDecrypted(
+				mockAdditionalData,
+				nodeCredentials,
+				credentialType,
+				'manual',
+				undefined,
+				true,
+			);
+
+			// Should return static decrypted data
+			expect(result).toEqual({ apiKey: 'static-key' });
+		});
+
+		test('should use resolved data instead of static data when resolution succeeds', async () => {
+			credentialsHelper.setCredentialResolutionProvider(mockCredentialResolutionProvider);
+
+			const dynamicData = { apiKey: 'dynamic-key', extraField: 'extra-value' };
+			mockCredentialResolutionProvider.resolveIfNeeded.mockResolvedValue(dynamicData);
+
+			const result = await credentialsHelper.getDecrypted(
+				mockAdditionalData,
+				nodeCredentials,
+				credentialType,
+				'manual',
+				undefined,
+				true,
+			);
+
+			expect(result).toEqual(dynamicData);
+			expect(result).not.toEqual({ apiKey: 'static-key' });
+		});
+
+		test('should handle missing executionContext gracefully', async () => {
+			credentialsHelper.setCredentialResolutionProvider(mockCredentialResolutionProvider);
+			mockCredentialResolutionProvider.resolveIfNeeded.mockResolvedValue({ apiKey: 'resolved' });
+
+			const additionalDataWithoutContext = {
+				...mockAdditionalData,
+				executionContext: undefined,
+			};
+
+			await credentialsHelper.getDecrypted(
+				additionalDataWithoutContext,
+				nodeCredentials,
+				credentialType,
+				'manual',
+				undefined,
+				true,
+			);
+
+			const call = mockCredentialResolutionProvider.resolveIfNeeded.mock.calls[0];
+			expect(call[2]).toBeUndefined();
+		});
+
+		test('should handle missing workflowSettings gracefully', async () => {
+			credentialsHelper.setCredentialResolutionProvider(mockCredentialResolutionProvider);
+			mockCredentialResolutionProvider.resolveIfNeeded.mockResolvedValue({ apiKey: 'resolved' });
+
+			const additionalDataWithoutSettings = {
+				...mockAdditionalData,
+				workflowSettings: undefined,
+			};
+
+			await credentialsHelper.getDecrypted(
+				additionalDataWithoutSettings,
+				nodeCredentials,
+				credentialType,
+				'manual',
+				undefined,
+				true,
+			);
+
+			const call = mockCredentialResolutionProvider.resolveIfNeeded.mock.calls[0];
+			expect(call[3]).toBeUndefined();
+		});
+	});
 });

packages/cli/src/__tests__/workflow-execute-additional-data.test.ts

@@ -550,5 +550,17 @@ describe('WorkflowExecuteAdditionalData', () => {
 
 			expect(additionalData.executionTimeoutTimestamp).toBe(executionTimeoutTimestamp);
 		});
+
+		it('should include workflowSettings when provided', async () => {
+			const workflowSettings = {
+				executionTimeout: 300,
+				credentialResolverId: 'test-resolver-123',
+			};
+			const additionalData = await getBase({
+				workflowSettings,
+			});
+
+			expect(additionalData.workflowSettings).toBe(workflowSettings);
+		});
 	});
 });

packages/cli/src/active-workflow-manager.ts

@@ -263,7 +263,10 @@ export class ActiveWorkflowManager {
 
 		const mode = 'internal';
 
-		const additionalData = await WorkflowExecuteAdditionalData.getBase({ workflowId: workflow.id });
+		const additionalData = await WorkflowExecuteAdditionalData.getBase({
+			workflowId: workflow.id,
+			workflowSettings: workflowData.settings,
+		});
 
 		const webhooks = WebhookHelpers.getWorkflowWebhooks(workflow, additionalData, undefined, true);
 
@@ -615,6 +618,7 @@ export class ActiveWorkflowManager {
 
 			const additionalData = await WorkflowExecuteAdditionalData.getBase({
 				workflowId: workflow.id,
+				workflowSettings: dbWorkflow.settings,
 			});
 
 			if (shouldAddWebhooks) {

packages/cli/src/credential-resolution-provider.interface.ts

@@ -0,0 +1,29 @@
+import type { CredentialsEntity } from '@n8n/db';
+import type {
+	ICredentialDataDecryptedObject,
+	IExecutionContext,
+	IWorkflowSettings,
+} from 'n8n-workflow';
+
+/**
+ * Interface for credential resolution providers.
+ * Implementations can provide dynamic credential resolution logic.
+ * This allows EE modules to hook into credential resolution without tight coupling.
+ */
+export interface ICredentialResolutionProvider {
+	/**
+	 * Resolves credentials dynamically if configured, otherwise returns static data.
+	 *
+	 * @param credentialsEntity The credential entity from database
+	 * @param staticData The decrypted static credential data
+	 * @param executionContext Optional execution context containing credential context
+	 * @param workflowSettings Optional workflow settings containing resolver ID fallback
+	 * @returns Resolved credential data (either dynamic or static)
+	 */
+	resolveIfNeeded(
+		credentialsEntity: CredentialsEntity,
+		staticData: ICredentialDataDecryptedObject,
+		executionContext?: IExecutionContext,
+		workflowSettings?: IWorkflowSettings,
+	): Promise<ICredentialDataDecryptedObject>;
+}

packages/cli/src/credentials-helper.ts

@@ -42,13 +42,14 @@ import {
 	isExpression,
 } from 'n8n-workflow';
 
-import { CredentialTypes } from '@/credential-types';
-import { CredentialsOverwrites } from '@/credentials-overwrites';
-
 import { RESPONSE_ERROR_MESSAGES } from './constants';
 import { CredentialNotFoundError } from './errors/credential-not-found.error';
 import { CacheService } from './services/cache/cache.service';
 
+import type { ICredentialResolutionProvider } from '@/credential-resolution-provider.interface';
+import { CredentialTypes } from '@/credential-types';
+import { CredentialsOverwrites } from '@/credentials-overwrites';
+
 const mockNode = {
 	name: '',
 	typeVersion: 1,
@@ -85,6 +86,8 @@ const mockNodeTypes: INodeTypes = {
 
 @Service()
 export class CredentialsHelper extends ICredentialsHelper {
+	private credentialResolutionProvider?: ICredentialResolutionProvider;
+
 	constructor(
 		private readonly credentialTypes: CredentialTypes,
 		private readonly credentialsOverwrites: CredentialsOverwrites,
@@ -95,6 +98,14 @@ export class CredentialsHelper extends ICredentialsHelper {
 		super();
 	}
 
+	/**
+	 * Registers a credential resolution provider (EE feature).
+	 * Called by the dynamic credentials module during initialization.
+	 */
+	setCredentialResolutionProvider(provider: ICredentialResolutionProvider): void {
+		this.credentialResolutionProvider = provider;
+	}
+
 	/**
 	 * Add the required authentication information to the request
 	 */
@@ -254,6 +265,22 @@ export class CredentialsHelper extends ICredentialsHelper {
 		nodeCredential: INodeCredentialsDetails,
 		type: string,
 	): Promise<Credentials> {
+		const credential = await this.getCredentialsEntity(nodeCredential, type);
+
+		return new Credentials(
+			{ id: credential.id, name: credential.name },
+			credential.type,
+			credential.data,
+		);
+	}
+
+	/**
+	 * Loads the credentials entity from the database
+	 */
+	private async getCredentialsEntity(
+		nodeCredential: INodeCredentialsDetails,
+		type: string,
+	): Promise<CredentialsEntity> {
 		if (!nodeCredential.id) {
 			throw new UnexpectedError('Found credential with no ID.', {
 				extra: { credentialName: nodeCredential.name },
@@ -276,11 +303,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 			throw error;
 		}
 
-		return new Credentials(
-			{ id: credential.id, name: credential.name },
-			credential.type,
-			credential.data,
-		);
+		return credential;
 	}
 
 	/**
@@ -336,8 +359,23 @@ export class CredentialsHelper extends ICredentialsHelper {
 		raw?: boolean,
 		expressionResolveValues?: ICredentialsExpressionResolveValues,
 	): Promise<ICredentialDataDecryptedObject> {
-		const credentials = await this.getCredentials(nodeCredentials, type);
-		const decryptedDataOriginal = credentials.getData();
+		const credentialsEntity = await this.getCredentialsEntity(nodeCredentials, type);
+		const credentials = new Credentials(
+			{ id: credentialsEntity.id, name: credentialsEntity.name },
+			credentialsEntity.type,
+			credentialsEntity.data,
+		);
+		let decryptedDataOriginal = credentials.getData();
+
+		// Resolve dynamic credentials if configured (EE feature)
+		if (this.credentialResolutionProvider) {
+			decryptedDataOriginal = await this.credentialResolutionProvider.resolveIfNeeded(
+				credentialsEntity,
+				decryptedDataOriginal,
+				additionalData.executionContext,
+				additionalData.workflowSettings,
+			);
+		}
 
 		if (raw === true) {
 			return decryptedDataOriginal;

packages/cli/src/modules/dynamic-credentials.ee/dynamic-credentials.module.ts

@@ -7,9 +7,17 @@ export class DynamicCredentialsModule implements ModuleInterface {
 	async init() {
 		await import('./context-establishment-hooks');
 		await import('./credential-resolvers');
-		const { DynamicCredentialResolverRegistry } = await import('./services');
+		const { DynamicCredentialResolverRegistry, DynamicCredentialService } = await import(
+			'./services'
+		);
 
 		await Container.get(DynamicCredentialResolverRegistry).init();
+
+		// Register the credential resolution provider with CredentialsHelper
+		const { CredentialsHelper } = await import('@/credentials-helper');
+		const credentialsHelper = Container.get(CredentialsHelper);
+		const dynamicCredentialService = Container.get(DynamicCredentialService);
+		credentialsHelper.setCredentialResolutionProvider(dynamicCredentialService);
 	}
 
 	async entities() {

packages/cli/src/modules/dynamic-credentials.ee/errors/credential-resolution.error.ts

@@ -0,0 +1,8 @@
+import { OperationalError } from 'n8n-workflow';
+
+export class CredentialResolutionError extends OperationalError {
+	constructor(message: string, options?: { cause?: unknown }) {
+		super(message, options);
+		this.name = 'CredentialResolutionError';
+	}
+}