@directus/api 19.1.0 → 19.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/database/helpers/fn/types.js +9 -1
- package/dist/database/migrations/20240515A-add-session-window.d.ts +3 -0
- package/dist/database/migrations/20240515A-add-session-window.js +10 -0
- package/dist/middleware/authenticate.d.ts +1 -1
- package/dist/middleware/authenticate.js +17 -2
- package/dist/services/authentication.d.ts +1 -0
- package/dist/services/authentication.js +60 -8
- package/dist/utils/apply-query.js +7 -6
- package/dist/utils/verify-session-jwt.js +2 -2
- package/package.json +14 -14
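--- a/package/dist/database/helpers/fn/types.js
+++ b/package/dist/database/helpers/fn/types.js
@@ -14,13 +14,21 @@ export class FnHelper extends DatabaseHelper {
         if (!relation) {
             throw new Error(`Field ${collectionName}.${column} isn't a nested relational collection`);
         }
+        // generate a unique alias for the relation collection, to prevent collisions in self referencing relations
         const alias = generateAlias();
         let countQuery = this.knex
             .count('*')
             .from({ [alias]: relation.collection })
             .where(this.knex.raw(`??.??`, [alias, relation.field]), '=', this.knex.raw(`??.??`, [table, currentPrimary]));
         if (options?.query?.filter) {
-
+            // set the newly aliased collection in the alias map as the default parent collection, indicated by '', for any nested filters
+            const aliasMap = {
+                '': {
+                    alias,
+                    collection: relation.collection,
+                },
+            };
+            countQuery = applyFilter(this.knex, this.schema, countQuery, options.query.filter, relation.collection, aliasMap).query;
         }
         return this.knex.raw('(' + countQuery.toQuery() + ')');
     }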
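--- /dev/null
+++ b/package/dist/database/migrations/20240515A-add-session-window.js
@@ -0,0 +1,10 @@
+export async function up(knex) {
+    await knex.schema.alterTable('directus_sessions', (table) => {
+        table.string('next_token', 64).nullable();
+    });
+}
+export async function down(knex) {
+    await knex.schema.alterTable('directus_sessions', (table) => {
+        table.dropColumn('next_token');
+    });
+}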
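--- a/package/dist/middleware/authenticate.d.ts
+++ b/package/dist/middleware/authenticate.d.ts
@@ -4,6 +4,6 @@ import type { NextFunction, Request, Response } from 'express';
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */
-export declare const handler: (req: Request,
+export declare const handler: (req: Request, res: Response, next: NextFunction) => Promise<void>;
 declare const _default: (req: Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>, res: Response<any, Record<string, any>>, next: NextFunction) => Promise<void>;
 export default _default;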
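--- a/package/dist/middleware/authenticate.js
+++ b/package/dist/middleware/authenticate.js
@@ -4,10 +4,14 @@ import emitter from '../emitter.js';
 import asyncHandler from '../utils/async-handler.js';
 import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
 import { getIPFromReq } from '../utils/get-ip-from-req.js';
+import { ErrorCode, isDirectusError } from '@directus/errors';
+import { useEnv } from '@directus/env';
+import { SESSION_COOKIE_OPTIONS } from '../constants.js';
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */
-export const handler = async (req,
+export const handler = async (req, res, next) => {
+    const env = useEnv();
     const defaultAccountability = {
         user: null,
         role: null,
@@ -33,7 +37,18 @@ export const handler = async (req, _res, next) => {
         req.accountability = customAccountability;
         return next();
     }
-
+    try {
+        req.accountability = await getAccountabilityForToken(req.token, defaultAccountability);
+    }
+    catch (err) {
+        if (isDirectusError(err, ErrorCode.InvalidCredentials) || isDirectusError(err, ErrorCode.InvalidToken)) {
+            if (req.cookies[env['SESSION_COOKIE_NAME']] === req.token) {
+                // clear the session token if ended up in an invalid state
+                res.clearCookie(env['SESSION_COOKIE_NAME'], SESSION_COOKIE_OPTIONS);
+            }
+        }
+        throw err;
+    }
     return next();
 };
 export default asyncHandler(handler);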
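Review bot: In the new `catch` block (new lines 43–51) `req.cookies[env['SESSION_COOKIE_NAME']]` is dereferenced unconditionally; if no cookie parser runs ahead of this middleware, `req.cookies` is undefined and the comparison throws a TypeError that replaces the `InvalidCredentials`/`InvalidToken` error the client should have received. Reading it as `req.cookies?.[env['SESSION_COOKIE_NAME']] === req.token` keeps the rethrow path intact, and hoisting the name once (`const sessionCookieName = env['SESSION_COOKIE_NAME'];`) removes the duplicated lookup on the `clearCookie` line. Clearing the cookie only when its value is the token that was rejected is the right scope, since a bearer token sent in a header should not invalidate an unrelated browser session; the comment could say so, e.g. `// the rejected token came from the session cookie: clear it so the client stops replaying an invalid session`. The body of `handler` runs between the two hunks and is not fully shown here.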
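--- a/package/dist/services/authentication.d.ts
+++ b/package/dist/services/authentication.d.ts
@@ -21,6 +21,7 @@ export declare class AuthenticationService {
     refresh(refreshToken: string, options?: Partial<{
         session: boolean;
     }>): Promise<LoginResult>;
+    private updateStatefulSession;
     logout(refreshToken: string): Promise<void>;
     verifyPassword(userID: string, password: string): Promise<void>;
 }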
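--- a/package/dist/services/authentication.js
+++ b/package/dist/services/authentication.js
@@ -207,6 +207,7 @@ export class AuthenticationService {
         const record = await this.knex
             .select({
             session_expires: 's.expires',
+            session_next_token: 's.next_token',
             user_id: 'u.id',
             user_first_name: 'u.first_name',
             user_last_name: 'u.last_name',
@@ -274,8 +275,9 @@ export class AuthenticationService {
                 admin_access: record.role_admin_access,
             });
         }
-
-        const
+        let newRefreshToken = record.session_next_token ?? nanoid(64);
+        const sessionDuration = env[options?.session ? 'SESSION_COOKIE_TTL' : 'REFRESH_TOKEN_TTL'];
+        const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
             role: record.role_id,
@@ -283,8 +285,18 @@ export class AuthenticationService {
             admin_access: record.role_admin_access,
         };
         if (options?.session) {
+            newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);
             tokenPayload.session = newRefreshToken;
         }
+        else {
+            // Original stateless token behavior
+            await this.knex('directus_sessions')
+                .update({
+                token: newRefreshToken,
+                expires: refreshTokenExpiration,
+            })
+                .where({ token: refreshToken });
+        }
         if (record.share_id) {
             tokenPayload.share = record.share_id;
             tokenPayload.role = record.share_role;
@@ -311,15 +323,14 @@ export class AuthenticationService {
             expiresIn: TTL,
             issuer: 'directus',
         });
-        await this.knex('directus_sessions')
-            .update({
-            token: newRefreshToken,
-            expires: refreshTokenExpiration,
-        })
-            .where({ token: refreshToken });
         if (record.user_id) {
             await this.knex('directus_users').update({ last_access: new Date() }).where({ id: record.user_id });
         }
+        // Clear expired sessions for the current user
+        await this.knex('directus_sessions')
+            .delete()
+            .where('user', '=', record.user_id)
+            .andWhere('expires', '<', new Date());
         return {
             accessToken,
             refreshToken: newRefreshToken,
@@ -327,6 +338,47 @@ export class AuthenticationService {
             id: record.user_id,
         };
     }
+    async updateStatefulSession(sessionRecord, oldSessionToken, newSessionToken, sessionExpiration) {
+        if (sessionRecord['session_next_token']) {
+            // The current session token was already refreshed and has a reference
+            // to the new session, update the new session timeout for the new refresh
+            await this.knex('directus_sessions')
+                .update({
+                expires: sessionExpiration,
+            })
+                .where({ token: newSessionToken });
+            return newSessionToken;
+        }
+        // Keep the old session active for a short period of time
+        const GRACE_PERIOD = getMilliseconds(env['SESSION_REFRESH_GRACE_PERIOD'], 10_000);
+        // Update the existing session record to have a short safety timeout
+        // before expiring, and add the reference to the new session token
+        const updatedSession = await this.knex('directus_sessions')
+            .update({
+            next_token: newSessionToken,
+            expires: new Date(Date.now() + GRACE_PERIOD),
+        }, ['next_token'])
+            .where({ token: oldSessionToken, next_token: null });
+        if (updatedSession.length === 0) {
+            // Don't create a new session record, we already have a "next_token" reference
+            const { next_token } = await this.knex('directus_sessions')
+                .select('next_token')
+                .where({ token: oldSessionToken })
+                .first();
+            return next_token;
+        }
+        // Instead of updating the current session record with a new token,
+        // create a new copy with the new token
+        await this.knex('directus_sessions').insert({
+            token: newSessionToken,
+            user: sessionRecord['user_id'],
+            expires: sessionExpiration,
+            ip: this.accountability?.ip,
+            user_agent: this.accountability?.userAgent,
+            origin: this.accountability?.origin,
+        });
+        return newSessionToken;
+    }
     async logout(refreshToken) {
         const record = await this.knex
             .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'u.provider', 'u.external_identifier', 'u.auth_data')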
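Review bot: `updateStatefulSession` (new lines 341–381) decides whether it won the race to claim the old session from `updatedSession.length === 0`, which only holds if the driver honours the `['next_token']` returning clause; where knex instead resolves `update` to an affected-row count (databases without `RETURNING` support), `.length` is undefined, the comparison is false, and the method inserts a second session row for the same token even when another request already claimed it, so a shape-tolerant check such as `const claimed = Array.isArray(updatedSession) ? updatedSession.length > 0 : updatedSession > 0;` is needed before branching. In the lost-race branch the `.first()` result is destructured with no null check; if the old session row disappears between the two queries (the expired-session cleanup added at new lines 329–333 runs in the same `refresh` flow) this throws a TypeError instead of an authentication error, so read it as `const row = await …first();` and fail explicitly when `row?.next_token` is missing. That cleanup also uses `where('user', '=', record.user_id)` while `record.user_id` can be null for share sessions (the `last_access` update directly above is guarded on exactly that), and an `= NULL` comparison matches no rows, so wrapping the delete in the same `if (record.user_id)` guard makes the intended no-op explicit rather than accidental. `refresh` starts and ends outside these hunks.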
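--- a/package/dist/utils/apply-query.js
+++ b/package/dist/utils/apply-query.js
@@ -347,7 +347,8 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
         else {
             const { type, special } = getFilterType(schema.collections[collection].fields, filterPath[0], collection);
             validateFilterOperator(type, filterOperator, special);
-
+            const aliasedCollection = aliasMap['']?.alias || collection;
+            applyFilterToQuery(`${aliasedCollection}.${filterPath[0]}`, filterOperator, filterValue, logical, collection);
         }
     }
     function getFilterType(fields, key, collection = 'unknown') {
@@ -422,7 +423,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
             const functionName = column.split('(')[0];
             const type = getOutputTypeForFunction(functionName);
             if (['integer', 'float', 'decimal'].includes(type)) {
-                compareValue = Number(compareValue);
+                compareValue = Array.isArray(compareValue) ? compareValue.map(Number) : Number(compareValue);
             }
         }
         // Cast filter value (compareValue) based on type of field being filtered against
@@ -520,19 +521,19 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                 dbQuery[logical].whereNotIn(selectionRaw, value);
             }
             if (operator === '_between') {
-                if (compareValue.length !== 2)
-                    return;
                 let value = compareValue;
                 if (typeof value === 'string')
                     value = value.split(',');
+                if (value.length !== 2)
+                    return;
                 dbQuery[logical].whereBetween(selectionRaw, value);
             }
             if (operator === '_nbetween') {
-                if (compareValue.length !== 2)
-                    return;
                 let value = compareValue;
                 if (typeof value === 'string')
                     value = value.split(',');
+                if (value.length !== 2)
+                    return;
                 dbQuery[logical].whereNotBetween(selectionRaw, value);
             }
             if (operator == '_intersects') {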
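Review bot: The relocated `length !== 2` guards in `_between` and `_nbetween` (new lines 527–528 and 535–536) still accept any value that happens to carry a `length` property, and a non-string, non-array value such as a number falls through to `return`, which silently drops the clause and leaves the query less restrictive than the caller asked for (pre-existing behaviour, but this rewrite is the place to tighten it). `if (!Array.isArray(value) || value.length !== 2) return;` pins the type in both operators; rejecting the malformed operand with an error instead of a bare `return` would make the dropped condition visible rather than quietly widening the result set. The cast at new line 426, `Array.isArray(compareValue) ? compareValue.map(Number) : Number(compareValue)`, turns unparsable members into `NaN` without complaint, so a `Number.isNaN` check after it would surface malformed input before it reaches the query builder. `applyFilterToQuery` and the enclosing `applyFilter` both extend beyond these hunks.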
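--- a/package/dist/utils/verify-session-jwt.js
+++ b/package/dist/utils/verify-session-jwt.js
@@ -1,5 +1,5 @@
 import getDatabase from '../database/index.js';
-import {
+import { InvalidCredentialsError } from '@directus/errors';
 /**
  * Verifies the associated session is still available and valid.
  *
@@ -17,6 +17,6 @@ export async function verifySessionJWT(payload) {
         .andWhere('expires', '>=', new Date())
         .first();
     if (!session) {
-        throw new
+        throw new InvalidCredentialsError();
     }
 }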
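--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "19.1.
+  "version": "19.1.1",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -140,35 +140,35 @@
     "sharp": "0.33.3",
     "snappy": "7.2.2",
     "stream-json": "1.8.0",
-    "tar": "7.0
+    "tar": "7.1.0",
     "tsx": "4.9.3",
     "wellknown": "0.5.0",
     "ws": "8.17.0",
-    "zod": "3.23.
+    "zod": "3.23.8",
     "zod-validation-error": "3.2.0",
-    "@directus/app": "12.1.0",
-    "@directus/env": "1.1.3",
-    "@directus/errors": "0.3.0",
-    "@directus/extensions": "1.0.4",
     "@directus/constants": "11.0.4",
-    "@directus/
-    "@directus/extensions
+    "@directus/app": "12.1.1",
+    "@directus/extensions": "1.0.5",
+    "@directus/env": "1.1.4",
+    "@directus/extensions-registry": "1.0.5",
+    "@directus/errors": "0.3.0",
     "@directus/format-title": "10.1.2",
+    "@directus/extensions-sdk": "11.0.5",
     "@directus/memory": "1.0.7",
     "@directus/pressure": "1.0.19",
-    "@directus/specs": "10.2.9",
     "@directus/schema": "11.0.2",
     "@directus/storage": "10.0.12",
     "@directus/storage-driver-azure": "10.0.20",
     "@directus/storage-driver-cloudinary": "10.0.20",
-    "@directus/storage-driver-gcs": "10.0.
+    "@directus/storage-driver-gcs": "10.0.21",
     "@directus/storage-driver-local": "10.0.19",
-    "@directus/
+    "@directus/specs": "10.2.9",
     "@directus/storage-driver-s3": "10.0.21",
+    "@directus/storage-driver-supabase": "1.0.12",
     "@directus/system-data": "1.0.3",
     "@directus/utils": "11.0.8",
     "@directus/validation": "0.0.15",
-    "directus": "10.11.
+    "directus": "10.11.1"
   },
   "devDependencies": {
     "@ngneat/falso": "7.2.0",
@@ -193,7 +193,7 @@
     "@types/lodash-es": "4.17.12",
     "@types/mime-types": "2.1.4",
     "@types/ms": "0.7.34",
-    "@types/node": "18.19.
+    "@types/node": "18.19.33",
     "@types/node-schedule": "2.1.7",
     "@types/nodemailer": "6.4.15",
     "@types/object-hash": "3.0.6",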