@directus/api 17.0.1 → 18.0.0

package/dist/app.js

@@ -107,7 +107,7 @@ export default async function createApp() {
     app.use(helmet.contentSecurityPolicy(merge({
         useDefaults: true,
         directives: {
-            // Unsafe-eval is required for vue3 / vue-i18n / app extensions
+            // Unsafe-eval is required for app extensions
             scriptSrc: ["'self'", "'unsafe-eval'"],
             // Even though this is recommended to have enabled, it breaks most local
             // installations. Making this opt-in rather than opt-out is a little more
@@ -116,7 +116,13 @@ export default async function createApp() {
             // These are required for MapLibre
             workerSrc: ["'self'", 'blob:'],
             childSrc: ["'self'", 'blob:'],
-            imgSrc: ["'self'", 'data:', 'blob:'],
+            imgSrc: [
+                "'self'",
+                'data:',
+                'blob:',
+                'https://raw.githubusercontent.com',
+                'https://avatars.githubusercontent.com',
+            ],
             mediaSrc: ["'self'"],
             connectSrc: ["'self'", 'https://*'],
         },

package/dist/auth/drivers/ldap.js

@@ -11,8 +11,8 @@ import { AuthenticationService } from '../../services/authentication.js';
 import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { getMilliseconds } from '../../utils/get-milliseconds.js';
 import { AuthDriver } from '../auth.js';
+import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 // 0x2: ACCOUNTDISABLE
 // 0x10: LOCKOUT
 // 0x800000: PASSWORD_EXPIRED
@@ -290,7 +290,7 @@ export function createLDAPAuthRouter(provider) {
     const loginSchema = Joi.object({
         identifier: Joi.string().required(),
         password: Joi.string().required(),
-        mode: Joi.string().valid('cookie', 'json'),
+        mode: Joi.string().valid('cookie', 'json', 'session'),
         otp: Joi.string(),
     }).unknown();
     router.post('/', asyncHandler(async (req, res, next) => {
@@ -313,24 +313,22 @@ export function createLDAPAuthRouter(provider) {
         if (error) {
             throw new InvalidPayloadError({ reason: error.message });
         }
-        const mode = req.body.mode || 'json';
-        const { accessToken, refreshToken, expires } = await authenticationService.login(provider, req.body, req.body?.otp);
-        const payload = {
-            data: { access_token: accessToken, expires },
-        };
+        const mode = req.body.mode ?? 'json';
+        const { accessToken, refreshToken, expires } = await authenticationService.login(provider, req.body, {
+            session: mode === 'session',
+            otp: req.body?.otp,
+        });
+        const payload = { access_token: accessToken, expires };
         if (mode === 'json') {
-            payload['data']['refresh_token'] = refreshToken;
+            payload.refresh_token = refreshToken;
         }
         if (mode === 'cookie') {
-            res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, {
-                httpOnly: true,
-                domain: env['REFRESH_TOKEN_COOKIE_DOMAIN'],
-                maxAge: getMilliseconds(env['REFRESH_TOKEN_TTL']),
-                secure: env['REFRESH_TOKEN_COOKIE_SECURE'] ?? false,
-                sameSite: env['REFRESH_TOKEN_COOKIE_SAME_SITE'] || 'strict',
-            });
+            res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
+        }
+        if (mode === 'session') {
+            res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
         }
-        res.locals['payload'] = payload;
+        res.locals['payload'] = { data: payload };
         return next();
     }), respond);
     return router;

package/dist/auth/drivers/local.js

@@ -3,7 +3,7 @@ import argon2 from 'argon2';
 import { Router } from 'express';
 import Joi from 'joi';
 import { performance } from 'perf_hooks';
-import { COOKIE_OPTIONS } from '../../constants.js';
+import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import { useEnv } from '@directus/env';
 import { respond } from '../../middleware/respond.js';
 import { AuthenticationService } from '../../services/authentication.js';
@@ -41,7 +41,7 @@ export function createLocalAuthRouter(provider) {
     const userLoginSchema = Joi.object({
         email: Joi.string().email().required(),
         password: Joi.string().required(),
-        mode: Joi.string().valid('cookie', 'json'),
+        mode: Joi.string().valid('cookie', 'json', 'session'),
         otp: Joi.string(),
     }).unknown();
     router.post('/', asyncHandler(async (req, res, next) => {
@@ -66,18 +66,24 @@ export function createLocalAuthRouter(provider) {
             await stall(STALL_TIME, timeStart);
             throw new InvalidPayloadError({ reason: error.message });
         }
-        const mode = req.body.mode || 'json';
-        const { accessToken, refreshToken, expires } = await authenticationService.login(provider, req.body, req.body?.otp);
-        const payload = {
-            data: { access_token: accessToken, expires },
-        };
+        const mode = req.body.mode ?? 'json';
+        const { accessToken, refreshToken, expires } = await authenticationService.login(provider, req.body, {
+            session: mode === 'session',
+            otp: req.body?.otp,
+        });
+        const payload = { expires };
         if (mode === 'json') {
-            payload['data']['refresh_token'] = refreshToken;
+            payload.refresh_token = refreshToken;
+            payload.access_token = accessToken;
         }
         if (mode === 'cookie') {
-            res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, COOKIE_OPTIONS);
+            res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
+            payload.access_token = accessToken;
+        }
+        if (mode === 'session') {
+            res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
         }
-        res.locals['payload'] = payload;
+        res.locals['payload'] = { data: payload };
         return next();
     }), respond);
     return router;

package/dist/auth/drivers/oauth2.js

@@ -1,11 +1,12 @@
 import { useEnv } from '@directus/env';
-import { ErrorCode, InvalidCredentialsError, InvalidProviderConfigError, InvalidProviderError, InvalidTokenError, isDirectusError, ServiceUnavailableError, } from '@directus/errors';
+import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, InvalidTokenError, isDirectusError, ServiceUnavailableError, } from '@directus/errors';
 import { parseJSON } from '@directus/utils';
 import express, { Router } from 'express';
 import { flatten } from 'flat';
 import jwt from 'jsonwebtoken';
 import { errors, generators, Issuer } from 'openid-client';
 import { getAuthProvider } from '../../auth.js';
+import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
@@ -15,7 +16,7 @@ import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { getMilliseconds } from '../../utils/get-milliseconds.js';
+import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { Url } from '../../utils/url.js';
 import { LocalAuthDriver } from './local.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
@@ -219,7 +220,11 @@ export function createOAuth2AuthRouter(providerName) {
         const provider = getAuthProvider(providerName);
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
-        const token = jwt.sign({ verifier: codeVerifier, redirect: req.query['redirect'], prompt }, env['SECRET'], {
+        const redirect = req.query['redirect'];
+        if (isLoginRedirectAllowed(redirect, providerName) === false) {
+            throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
+        }
+        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt }, env['SECRET'], {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -259,6 +264,7 @@ export function createOAuth2AuthRouter(providerName) {
             accountability,
             schema: req.schema,
         });
+        const authMode = (env[`AUTH_${providerName.toUpperCase()}_MODE`] ?? 'session');
         let authResponse;
         try {
             res.clearCookie(`oauth2.${providerName}`);
@@ -266,7 +272,7 @@ export function createOAuth2AuthRouter(providerName) {
                 code: req.query['code'],
                 codeVerifier: verifier,
                 state: req.query['state'],
-            });
+            }, { session: authMode === 'session' });
         }
         catch (error) {
             // Prompt user for a new refresh_token if invalidated
@@ -288,13 +294,12 @@ export function createOAuth2AuthRouter(providerName) {
         }
         const { accessToken, refreshToken, expires } = authResponse;
         if (redirect) {
-            res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, {
-                httpOnly: true,
-                domain: env['REFRESH_TOKEN_COOKIE_DOMAIN'],
-                maxAge: getMilliseconds(env['REFRESH_TOKEN_TTL']),
-                secure: env['REFRESH_TOKEN_COOKIE_SECURE'] ?? false,
-                sameSite: env['REFRESH_TOKEN_COOKIE_SAME_SITE'] || 'strict',
-            });
+            if (authMode === 'session') {
+                res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
+            }
+            else {
+                res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
+            }
             return res.redirect(redirect);
         }
         res.locals['payload'] = {

package/dist/auth/drivers/openid.js

@@ -1,11 +1,12 @@
 import { useEnv } from '@directus/env';
-import { ErrorCode, InvalidCredentialsError, InvalidProviderConfigError, InvalidProviderError, InvalidTokenError, isDirectusError, ServiceUnavailableError, } from '@directus/errors';
+import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, InvalidTokenError, isDirectusError, ServiceUnavailableError, } from '@directus/errors';
 import { parseJSON } from '@directus/utils';
 import express, { Router } from 'express';
 import { flatten } from 'flat';
 import jwt from 'jsonwebtoken';
 import { errors, generators, Issuer } from 'openid-client';
 import { getAuthProvider } from '../../auth.js';
+import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
@@ -15,7 +16,7 @@ import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { getMilliseconds } from '../../utils/get-milliseconds.js';
+import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { Url } from '../../utils/url.js';
 import { LocalAuthDriver } from './local.js';
 export class OpenIDAuthDriver extends LocalAuthDriver {
@@ -240,7 +241,11 @@ export function createOpenIDAuthRouter(providerName) {
         const provider = getAuthProvider(providerName);
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
-        const token = jwt.sign({ verifier: codeVerifier, redirect: req.query['redirect'], prompt }, env['SECRET'], {
+        const redirect = req.query['redirect'];
+        if (isLoginRedirectAllowed(redirect, providerName) === false) {
+            throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
+        }
+        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt }, env['SECRET'], {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -280,6 +285,7 @@ export function createOpenIDAuthRouter(providerName) {
             accountability,
             schema: req.schema,
         });
+        const authMode = (env[`AUTH_${providerName.toUpperCase()}_MODE`] ?? 'session');
         let authResponse;
         try {
             res.clearCookie(`openid.${providerName}`);
@@ -288,7 +294,7 @@ export function createOpenIDAuthRouter(providerName) {
                 codeVerifier: verifier,
                 state: req.query['state'],
                 iss: req.query['iss'],
-            });
+            }, { session: authMode === 'session' });
         }
         catch (error) {
             // Prompt user for a new refresh_token if invalidated
@@ -311,13 +317,12 @@ export function createOpenIDAuthRouter(providerName) {
         }
         const { accessToken, refreshToken, expires } = authResponse;
         if (redirect) {
-            res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, {
-                httpOnly: true,
-                domain: env['REFRESH_TOKEN_COOKIE_DOMAIN'],
-                maxAge: getMilliseconds(env['REFRESH_TOKEN_TTL']),
-                secure: env['REFRESH_TOKEN_COOKIE_SECURE'] ?? false,
-                sameSite: env['REFRESH_TOKEN_COOKIE_SAME_SITE'] || 'strict',
-            });
+            if (authMode === 'session') {
+                res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
+            }
+            else {
+                res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
+            }
             return res.redirect(redirect);
         }
         res.locals['payload'] = {

package/dist/auth/drivers/saml.js

@@ -1,10 +1,10 @@
 import * as validator from '@authenio/samlify-node-xmllint';
 import { useEnv } from '@directus/env';
-import { ErrorCode, InvalidCredentialsError, InvalidProviderError, isDirectusError } from '@directus/errors';
+import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderError, isDirectusError, } from '@directus/errors';
 import express, { Router } from 'express';
 import * as samlify from 'samlify';
 import { getAuthProvider } from '../../auth.js';
-import { COOKIE_OPTIONS } from '../../constants.js';
+import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
@@ -14,6 +14,7 @@ import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { LocalAuthDriver } from './local.js';
+import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 // Register the samlify schema validator
 samlify.setSchemaValidator(validator);
 export class SAMLAuthDriver extends LocalAuthDriver {
@@ -40,7 +41,11 @@ export class SAMLAuthDriver extends LocalAuthDriver {
         const logger = useLogger();
         const { provider, emailKey, identifierKey, givenNameKey, familyNameKey, allowPublicRegistration } = this.config;
         const email = payload[emailKey ?? 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'];
-        const identifier = payload[identifierKey ?? 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'];
+        const identifier = payload[identifierKey || 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'];
+        if (!identifier) {
+            logger.warn(`[SAML] Failed to find user identifier for provider "${provider}"`);
+            throw new InvalidCredentialsError();
+        }
         const userID = await this.fetchUserID(identifier);
         if (userID)
             return userID;
@@ -89,7 +94,11 @@ export function createSAMLAuthRouter(providerName) {
         const { context: url } = sp.createLoginRequest(idp, 'redirect');
         const parsedUrl = new URL(url);
         if (req.query['redirect']) {
-            parsedUrl.searchParams.append('RelayState', req.query['redirect']);
+            const redirect = req.query['redirect'];
+            if (isLoginRedirectAllowed(redirect, providerName) === false) {
+                throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
+            }
+            parsedUrl.searchParams.append('RelayState', redirect);
         }
         return res.redirect(parsedUrl.toString());
     }));
@@ -97,23 +106,24 @@ export function createSAMLAuthRouter(providerName) {
         const { sp, idp } = getAuthProvider(providerName);
         const { context } = sp.createLogoutRequest(idp, 'redirect', req.body);
         const authService = new AuthenticationService({ accountability: req.accountability, schema: req.schema });
-        if (req.cookies[env['REFRESH_TOKEN_COOKIE_NAME']]) {
-            const currentRefreshToken = req.cookies[env['REFRESH_TOKEN_COOKIE_NAME']];
-            if (currentRefreshToken) {
-                await authService.logout(currentRefreshToken);
-                res.clearCookie(env['REFRESH_TOKEN_COOKIE_NAME'], COOKIE_OPTIONS);
-            }
+        const sessionCookieName = env['SESSION_COOKIE_NAME'];
+        if (req.cookies[sessionCookieName]) {
+            await authService.logout(req.cookies[sessionCookieName]);
+            res.clearCookie(sessionCookieName, SESSION_COOKIE_OPTIONS);
         }
         return res.redirect(context);
     }));
     router.post('/acs', express.urlencoded({ extended: false }), asyncHandler(async (req, res, next) => {
         const logger = useLogger();
         const relayState = req.body?.RelayState;
+        const authMode = (env[`AUTH_${providerName.toUpperCase()}_MODE`] ?? 'session');
         try {
             const { sp, idp } = getAuthProvider(providerName);
             const { extract } = await sp.parseLoginResponse(idp, 'post', req);
             const authService = new AuthenticationService({ accountability: req.accountability, schema: req.schema });
-            const { accessToken, refreshToken, expires } = await authService.login(providerName, extract.attributes);
+            const { accessToken, refreshToken, expires } = await authService.login(providerName, extract.attributes, {
+                session: authMode === 'session',
+            });
             res.locals['payload'] = {
                 data: {
                     access_token: accessToken,
@@ -122,7 +132,12 @@ export function createSAMLAuthRouter(providerName) {
                 },
             };
             if (relayState) {
-                res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, COOKIE_OPTIONS);
+                if (authMode === 'session') {
+                    res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
+                }
+                else {
+                    res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
+                }
                 return res.redirect(relayState);
             }
             return next();

package/dist/cli/commands/init/index.js

@@ -2,8 +2,8 @@ import chalk from 'chalk';
 import { execa } from 'execa';
 import inquirer from 'inquirer';
 import Joi from 'joi';
+import { randomUUID } from 'node:crypto';
 import ora from 'ora';
-import { v4 as uuid } from 'uuid';
 import runMigrations from '../../../database/migrations/run.js';
 import runSeed from '../../../database/seeds/run.js';
 import { generateHash } from '../../../utils/generate-hash.js';
@@ -79,8 +79,8 @@ export default async function init() {
         },
     ]);
     firstUser.password = await generateHash(firstUser.password);
-    const userID = uuid();
-    const roleID = uuid();
+    const userID = randomUUID();
+    const roleID = randomUUID();
     await db('directus_roles').insert({
         id: roleID,
         ...defaultAdminRole,

package/dist/cli/commands/security/key.js

@@ -1,5 +1,5 @@
-import { v4 as uuidv4 } from 'uuid';
+import { randomUUID } from 'node:crypto';
 export default async function generateKey() {
-    process.stdout.write(uuidv4());
+    process.stdout.write(randomUUID());
     process.exit(0);
 }

package/dist/cli/utils/create-env/env-stub.liquid

@@ -204,21 +204,36 @@ STORAGE_LOCAL_ROOT="./uploads"
 # The duration that the access token is valid ["15m"]
 ACCESS_TOKEN_TTL="15m"
 
-# The duration that the refresh token is valid, and also how long users stay logged-in to the App ["7d"]
+# The duration that the refresh token is valid. This value should be higher than ACCESS_TOKEN_TTL resp. SESSION_COOKIE_TTL. ["7d"]
 REFRESH_TOKEN_TTL="7d"
 
-# Whether or not to use a secure cookie for the refresh token in cookie mode [false]
+# Whether or not to set the secure attribute for the refresh token cookie [false]
 REFRESH_TOKEN_COOKIE_SECURE=false
 
-# Value for sameSite in the refresh token cookie when in cookie mode ["lax"]
+# Value for sameSite in the refresh token cookie ["lax"]
 REFRESH_TOKEN_COOKIE_SAME_SITE="lax"
 
-# Name of refresh token cookie ["directus_refresh_token"]
+# Name of the refresh token cookie ["directus_refresh_token"]
 REFRESH_TOKEN_COOKIE_NAME="directus_refresh_token"
 
 # Which domain to use for the refresh cookie. Useful for development mode.
 # REFRESH_TOKEN_COOKIE_DOMAIN
 
+# The duration that the session cookie/token is valid, and also how long users stay logged-in to the App ["1d"]
+SESSION_COOKIE_TTL="1d"
+
+# Whether or not to set the secure attribute for the session cookie [false]
+SESSION_COOKIE_SECURE=false
+
+# Value of sameSite for the session cookie ["lax"]
+SESSION_COOKIE_SAME_SITE="lax"
+
+# Name of the session cookie ["directus_refresh_token"]
+SESSION_COOKIE_NAME="directus_session_token"
+
+# Which domain to use for the session cookie. Useful for development mode.
+# SESSION_COOKIE_DOMAIN
+
 # The duration in milliseconds that a login request will be stalled for,
 # and it should be greater than the time taken for a login request with an invalid password [500]
 # LOGIN_STALL_TIME=500

package/dist/cli/utils/create-env/index.js

@@ -1,10 +1,10 @@
 import fs from 'fs';
 import { Liquid } from 'liquidjs';
+import { randomUUID } from 'node:crypto';
 import { dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import path from 'path';
 import { promisify } from 'util';
-import { v4 as uuid } from 'uuid';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const readFile = promisify(fs.readFile);
 const writeFile = promisify(fs.writeFile);
@@ -17,7 +17,7 @@ export default async function createEnv(client, credentials, directory) {
     const { nanoid } = await import('nanoid');
     const config = {
         security: {
-            KEY: uuid(),
+            KEY: randomUUID(),
             SECRET: nanoid(32),
         },
         database: {

package/dist/constants.d.ts

@@ -8,7 +8,8 @@ export declare const DEFAULT_AUTH_PROVIDER = "default";
 export declare const COLUMN_TRANSFORMS: string[];
 export declare const GENERATE_SPECIAL: string[];
 export declare const UUID_REGEX = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
-export declare const COOKIE_OPTIONS: CookieOptions;
+export declare const REFRESH_COOKIE_OPTIONS: CookieOptions;
+export declare const SESSION_COOKIE_OPTIONS: CookieOptions;
 export declare const OAS_REQUIRED_SCHEMAS: string[];
 /** Formats from which transformation is supported */
 export declare const SUPPORTED_IMAGE_TRANSFORM_FORMATS: string[];

package/dist/constants.js

@@ -1,5 +1,5 @@
-import { useEnv } from '@directus/env';
 import { getMilliseconds } from './utils/get-milliseconds.js';
+import { useEnv } from '@directus/env';
 const env = useEnv();
 export const SYSTEM_ASSET_ALLOW_LIST = [
     {
@@ -51,12 +51,19 @@ export const DEFAULT_AUTH_PROVIDER = 'default';
 export const COLUMN_TRANSFORMS = ['year', 'month', 'day', 'weekday', 'hour', 'minute', 'second'];
 export const GENERATE_SPECIAL = ['uuid', 'date-created', 'role-created', 'user-created'];
 export const UUID_REGEX = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';
-export const COOKIE_OPTIONS = {
+export const REFRESH_COOKIE_OPTIONS = {
     httpOnly: true,
     domain: env['REFRESH_TOKEN_COOKIE_DOMAIN'],
     maxAge: getMilliseconds(env['REFRESH_TOKEN_TTL']),
-    secure: env['REFRESH_TOKEN_COOKIE_SECURE'] ?? false,
-    sameSite: env['REFRESH_TOKEN_COOKIE_SAME_SITE'] || 'strict',
+    secure: Boolean(env['REFRESH_TOKEN_COOKIE_SECURE']),
+    sameSite: (env['REFRESH_TOKEN_COOKIE_SAME_SITE'] || 'strict'),
+};
+export const SESSION_COOKIE_OPTIONS = {
+    httpOnly: true,
+    domain: env['SESSION_COOKIE_DOMAIN'],
+    maxAge: getMilliseconds(env['SESSION_COOKIE_TTL']),
+    secure: Boolean(env['SESSION_COOKIE_SECURE']),
+    sameSite: (env['SESSION_COOKIE_SAME_SITE'] || 'strict'),
 };
 export const OAS_REQUIRED_SCHEMAS = ['Query', 'x-metadata'];
 /** Formats from which transformation is supported */

package/dist/controllers/auth.js

@@ -2,7 +2,7 @@ import { useEnv } from '@directus/env';
 import { ErrorCode, InvalidPayloadError, isDirectusError } from '@directus/errors';
 import { Router } from 'express';
 import { createLDAPAuthRouter, createLocalAuthRouter, createOAuth2AuthRouter, createOpenIDAuthRouter, createSAMLAuthRouter, } from '../auth/drivers/index.js';
-import { COOKIE_OPTIONS, DEFAULT_AUTH_PROVIDER } from '../constants.js';
+import { REFRESH_COOKIE_OPTIONS, DEFAULT_AUTH_PROVIDER, SESSION_COOKIE_OPTIONS } from '../constants.js';
 import { useLogger } from '../logger.js';
 import { respond } from '../middleware/respond.js';
 import { AuthenticationService } from '../services/authentication.js';
@@ -10,6 +10,8 @@ import { UsersService } from '../services/users.js';
 import asyncHandler from '../utils/async-handler.js';
 import { getAuthProviders } from '../utils/get-auth-providers.js';
 import { getIPFromReq } from '../utils/get-ip-from-req.js';
+import isDirectusJWT from '../utils/is-directus-jwt.js';
+import { verifyAccessJWT } from '../utils/jwt.js';
 const router = Router();
 const env = useEnv();
 const logger = useLogger();
@@ -42,6 +44,31 @@ for (const authProvider of authProviders) {
 if (!env['AUTH_DISABLE_DEFAULT']) {
     router.use('/login', createLocalAuthRouter(DEFAULT_AUTH_PROVIDER));
 }
+function getCurrentMode(req) {
+    if (req.body.mode) {
+        return req.body.mode;
+    }
+    if (req.body.refresh_token) {
+        return 'json';
+    }
+    return 'cookie';
+}
+function getCurrentRefreshToken(req, mode) {
+    if (mode === 'json') {
+        return req.body.refresh_token;
+    }
+    if (mode === 'cookie') {
+        return req.cookies[env['REFRESH_TOKEN_COOKIE_NAME']];
+    }
+    if (mode === 'session') {
+        const token = req.cookies[env['SESSION_COOKIE_NAME']];
+        if (isDirectusJWT(token)) {
+            const payload = verifyAccessJWT(token, env['SECRET']);
+            return payload.session;
+        }
+    }
+    return undefined;
+}
 router.post('/refresh', asyncHandler(async (req, res, next) => {
     const accountability = {
         ip: getIPFromReq(req),
@@ -57,22 +84,29 @@ router.post('/refresh', asyncHandler(async (req, res, next) => {
         accountability: accountability,
         schema: req.schema,
     });
-    const currentRefreshToken = req.body.refresh_token || req.cookies[env['REFRESH_TOKEN_COOKIE_NAME']];
+    const mode = getCurrentMode(req);
+    const currentRefreshToken = getCurrentRefreshToken(req, mode);
     if (!currentRefreshToken) {
-        throw new InvalidPayloadError({ reason: `"refresh_token" is required in either the JSON payload or Cookie` });
+        throw new InvalidPayloadError({
+            reason: `The refresh token is required in either the payload or cookie`,
+        });
     }
-    const mode = req.body.mode || (req.body.refresh_token ? 'json' : 'cookie');
-    const { accessToken, refreshToken, expires } = await authenticationService.refresh(currentRefreshToken);
-    const payload = {
-        data: { access_token: accessToken, expires },
-    };
+    const { accessToken, refreshToken, expires } = await authenticationService.refresh(currentRefreshToken, {
+        session: mode === 'session',
+    });
+    const payload = { expires };
     if (mode === 'json') {
-        payload['data']['refresh_token'] = refreshToken;
+        payload.refresh_token = refreshToken;
+        payload.access_token = accessToken;
     }
     if (mode === 'cookie') {
-        res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, COOKIE_OPTIONS);
+        res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
+        payload.access_token = accessToken;
     }
-    res.locals['payload'] = payload;
+    if (mode === 'session') {
+        res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
+    }
+    res.locals['payload'] = { data: payload };
     return next();
 }), respond);
 router.post('/logout', asyncHandler(async (req, res, next) => {
@@ -90,18 +124,19 @@ router.post('/logout', asyncHandler(async (req, res, next) => {
         accountability: accountability,
         schema: req.schema,
     });
-    const currentRefreshToken = req.body.refresh_token || req.cookies[env['REFRESH_TOKEN_COOKIE_NAME']];
+    const mode = getCurrentMode(req);
+    const currentRefreshToken = getCurrentRefreshToken(req, mode);
     if (!currentRefreshToken) {
-        throw new InvalidPayloadError({ reason: `"refresh_token" is required in either the JSON payload or Cookie` });
+        throw new InvalidPayloadError({
+            reason: `The refresh token is required in either the payload or cookie`,
+        });
     }
     await authenticationService.logout(currentRefreshToken);
     if (req.cookies[env['REFRESH_TOKEN_COOKIE_NAME']]) {
-        res.clearCookie(env['REFRESH_TOKEN_COOKIE_NAME'], {
-            httpOnly: true,
-            domain: env['REFRESH_TOKEN_COOKIE_DOMAIN'],
-            secure: env['REFRESH_TOKEN_COOKIE_SECURE'] ?? false,
-            sameSite: env['REFRESH_TOKEN_COOKIE_SAME_SITE'] || 'strict',
-        });
+        res.clearCookie(env['REFRESH_TOKEN_COOKIE_NAME'], REFRESH_COOKIE_OPTIONS);
+    }
+    if (req.cookies[env['SESSION_COOKIE_NAME']]) {
+        res.clearCookie(env['SESSION_COOKIE_NAME'], SESSION_COOKIE_OPTIONS);
     }
     return next();
 }), respond);