npm - @directus/api - Versions diffs - 20.0.0-rc.0 → 20.0.0 - Mend

@directus/api 20.0.0-rc.0 → 20.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (291) hide show

package/dist/middleware/check-ip.js ADDED Viewed

@@ -0,0 +1,37 @@
+import { InvalidIpError } from '@directus/errors';
+import getDatabase from '../database/index.js';
+import { useLogger } from '../logger.js';
+import asyncHandler from '../utils/async-handler.js';
+import { ipInNetworks } from '../utils/ip-in-networks.js';
+export const checkIP = asyncHandler(async (req, _res, next) => {
+    const database = getDatabase();
+    const logger = useLogger();
+    const { role: roleId, ip } = req.accountability;
+    const query = database.select('ip_access').from('directus_roles');
+    if (roleId) {
+        query.where({ id: roleId });
+    }
+    else {
+        query.whereNull('id');
+    }
+    const role = await query.first();
+    if (!role?.ip_access)
+        return next();
+    const ipAllowList = role.ip_access.split(',').filter((ip) => ip);
+    if (ipAllowList.length > 0) {
+        if (!ip)
+            throw new InvalidIpError();
+        let allowed;
+        try {
+            allowed = ipInNetworks(ip, ipAllowList);
+        }
+        catch (error) {
+            logger.warn(`Invalid IP access configuration for role "${roleId}"`);
+            logger.warn(error);
+            throw new InvalidIpError();
+        }
+        if (!allowed)
+            throw new InvalidIpError();
+    }
+    return next();
+});

package/dist/middleware/get-permissions.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+declare const getPermissions: RequestHandler;
+export default getPermissions;

package/dist/middleware/get-permissions.js ADDED Viewed

@@ -0,0 +1,10 @@
+import asyncHandler from '../utils/async-handler.js';
+import { getPermissions as getPermissionsUtil } from '../utils/get-permissions.js';
+const getPermissions = asyncHandler(async (req, _res, next) => {
+    if (!req.accountability) {
+        throw new Error('getPermissions middleware needs to be called after authenticate');
+    }
+    req.accountability.permissions = await getPermissionsUtil(req.accountability, req.schema);
+    return next();
+});
+export default getPermissions;

package/dist/middleware/respond.js CHANGED Viewed

@@ -25,7 +25,7 @@ export const respond = asyncHandler(async (req, res) => {
         !req.sanitizedQuery.export &&
         res.locals['cache'] !== false &&
         exceedsMaxSize === false) {
-        const key = await getCacheKey(req);
+        const key = getCacheKey(req);
         try {
             await setCacheValue(cache, key, res.locals['payload'], getMilliseconds(env['CACHE_TTL']));
             await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + getMilliseconds(env['CACHE_TTL'], 0) });

package/dist/services/activity.js CHANGED Viewed

@@ -3,13 +3,11 @@ import { useEnv } from '@directus/env';
 import { ErrorCode, isDirectusError } from '@directus/errors';
 import { uniq } from 'lodash-es';
 import { useLogger } from '../logger.js';
-import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
-import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
-import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
+import { getPermissions } from '../utils/get-permissions.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
+import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
@@ -33,29 +31,19 @@ export class ActivityService extends ItemsService {
             for (const mention of mentions) {
                 const userID = mention.substring(1);
                 const user = await this.usersService.readOne(userID, {
-                    fields: ['id', 'first_name', 'last_name', 'email', 'role'],
+                    fields: ['id', 'first_name', 'last_name', 'email', 'role.id', 'role.admin_access', 'role.app_access'],
                 });
-                const roles = await fetchRolesTree(user['role'], this.knex);
-                const globalAccess = await fetchGlobalAccess({ user: user['id'], roles, ip: null }, this.knex);
-                const accountability = createDefaultAccountability({
+                const accountability = {
                     user: userID,
                     role: user['role']?.id ?? null,
-                    roles,
-                    ...globalAccess,
-                });
+                    admin: user['role']?.admin_access ?? null,
+                    app: user['role']?.app_access ?? null,
+                };
+                accountability.permissions = await getPermissions(accountability, this.schema);
+                const authorizationService = new AuthorizationService({ schema: this.schema, accountability });
                 const usersService = new UsersService({ schema: this.schema, accountability });
                 try {
-                    if (this.accountability) {
-                        await validateAccess({
-                            accountability: this.accountability,
-                            action: 'read',
-                            collection: data['collection'],
-                            primaryKeys: [data['item']],
-                        }, {
-                            knex: this.knex,
-                            schema: this.schema,
-                        });
-                    }
+                    await authorizationService.checkAccess('read', data['collection'], data['item']);
                     const templateData = await usersService.readByQuery({
                         fields: ['id', 'first_name', 'last_name', 'email'],
                         filter: { id: { _in: mentions.map((mention) => mention.substring(1)) } },

package/dist/services/assets.d.ts CHANGED Viewed

@@ -1,14 +1,15 @@
 /// <reference types="node" resolution-mode="require"/>
 import type { Range, Stat } from '@directus/storage';
-import type { Accountability, SchemaOverview } from '@directus/types';
+import type { Accountability } from '@directus/types';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
 import type { AbstractServiceOptions, TransformationSet } from '../types/index.js';
+import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 export declare class AssetsService {
     knex: Knex;
     accountability: Accountability | null;
-    schema: SchemaOverview;
+    authorizationService: AuthorizationService;
     filesService: FilesService;
     constructor(options: AbstractServiceOptions);
     getAsset(id: string, transformation?: TransformationSet, range?: Range): Promise<{

package/dist/services/assets.js CHANGED Viewed

@@ -8,24 +8,24 @@ import sharp from 'sharp';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
+import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 const env = useEnv();
 const logger = useLogger();
 export class AssetsService {
     knex;
     accountability;
-    schema;
+    authorizationService;
     filesService;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.accountability = options.accountability || null;
-        this.schema = options.schema;
         this.filesService = new FilesService({ ...options, accountability: null });
+        this.authorizationService = new AuthorizationService(options);
     }
     async getAsset(id, transformation, range) {
         const storage = await getStorage();
@@ -41,13 +41,8 @@ export class AssetsService {
          */
         if (!isValidUuid(id))
             throw new ForbiddenError();
-        if (systemPublicKeys.includes(id) === false && this.accountability) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'read',
-                collection: 'directus_files',
-                primaryKeys: [id],
-            }, { knex: this.knex, schema: this.schema });
+        if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
+            await this.authorizationService.checkAccess('read', 'directus_files', id);
         }
         const file = (await this.filesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);

package/dist/services/authentication.js CHANGED Viewed

@@ -1,8 +1,6 @@
-import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
-import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
-import { InvalidCredentialsError, InvalidOtpError, InvalidProviderError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
+import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
 import jwt from 'jsonwebtoken';
 import { clone, cloneDeep } from 'lodash-es';
 import { performance } from 'perf_hooks';
@@ -50,9 +48,10 @@ export class AuthenticationService {
             throw err;
         }
         const user = await this.knex
-            .select('id', 'first_name', 'last_name', 'email', 'password', 'status', 'role', 'tfa_secret', 'provider', 'external_identifier', 'auth_data')
-            .from('directus_users')
-            .where('id', userId)
+            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'r.admin_access', 'r.app_access', 'u.tfa_secret', 'u.provider', 'u.external_identifier', 'u.auth_data')
+            .from('directus_users as u')
+            .leftJoin('directus_roles as r', 'u.role', 'r.id')
+            .where('u.id', userId)
             .first();
         const updatedPayload = await emitter.emitFilter('auth.login', payload, {
             status: 'pending',
@@ -75,20 +74,10 @@ export class AuthenticationService {
                 accountability: this.accountability,
             });
         };
-        if (user?.status !== 'active') {
+        if (user?.status !== 'active' || user?.provider !== providerName) {
             emitStatus('fail');
-            if (user?.status === 'suspended') {
-                await stall(STALL_TIME, timeStart);
-                throw new UserSuspendedError();
-            }
-            else {
-                await stall(STALL_TIME, timeStart);
-                throw new InvalidCredentialsError();
-            }
-        }
-        else if (user.provider !== providerName) {
             await stall(STALL_TIME, timeStart);
-            throw new InvalidProviderError();
+            throw new InvalidCredentialsError();
         }
         const settingsService = new SettingsService({
             knex: this.knex,
@@ -139,13 +128,11 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
-        const roles = await fetchRolesTree(user.role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
         const tokenPayload = {
             id: user.id,
             role: user.role,
-            app_access: globalAccess.app,
-            admin_access: globalAccess.admin,
+            app_access: user.app_access,
+            admin_access: user.admin_access,
         };
         const refreshToken = nanoid(64);
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
@@ -220,7 +207,9 @@ export class AuthenticationService {
             user_provider: 'u.provider',
             user_external_identifier: 'u.external_identifier',
             user_auth_data: 'u.auth_data',
-            user_role: 'u.role',
+            role_id: 'r.id',
+            role_admin_access: 'r.admin_access',
+            role_app_access: 'r.app_access',
             share_id: 'd.id',
             share_item: 'd.item',
             share_role: 'd.role',
@@ -233,6 +222,9 @@ export class AuthenticationService {
             .from('directus_sessions AS s')
             .leftJoin('directus_users AS u', 's.user', 'u.id')
             .leftJoin('directus_shares AS d', 's.share', 'd.id')
+            .leftJoin('directus_roles AS r', (join) => {
+            join.onIn('r.id', [this.knex.ref('u.role'), this.knex.ref('d.role')]);
+        })
             .where('s.token', refreshToken)
             .andWhere('s.expires', '>=', new Date())
             .andWhere((subQuery) => {
@@ -256,8 +248,6 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
-        const roles = await fetchRolesTree(record.user_role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({
@@ -270,9 +260,9 @@ export class AuthenticationService {
                 provider: record.user_provider,
                 external_identifier: record.user_external_identifier,
                 auth_data: record.user_auth_data,
-                role: record.user_role,
-                app_access: globalAccess.app,
-                admin_access: globalAccess.admin,
+                role: record.role_id,
+                app_access: record.role_app_access,
+                admin_access: record.role_admin_access,
             });
         }
         let newRefreshToken = record.session_next_token ?? nanoid(64);
@@ -280,9 +270,9 @@ export class AuthenticationService {
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
-            role: record.user_role,
-            app_access: globalAccess.app,
-            admin_access: globalAccess.admin,
+            role: record.role_id,
+            app_access: record.role_app_access,
+            admin_access: record.role_admin_access,
         };
         if (options?.session) {
             newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);
@@ -329,7 +319,10 @@ export class AuthenticationService {
         // Clear expired sessions for the current user
         await this.knex('directus_sessions')
             .delete()
-            .where('user', '=', record.user_id)
+            .where({
+            user: record.user_id,
+            share: record.share_id,
+        })
             .andWhere('expires', '<', new Date());
         return {
             accessToken,
@@ -372,6 +365,7 @@ export class AuthenticationService {
         await this.knex('directus_sessions').insert({
             token: newSessionToken,
             user: sessionRecord['user_id'],
+            share: sessionRecord['share_id'],
             expires: sessionExpiration,
             ip: this.accountability?.ip,
             user_agent: this.accountability?.userAgent,

package/dist/services/authorization.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { Accountability, Item, PermissionsAction, PrimaryKey, SchemaOverview } from '@directus/types';
+import type { Knex } from 'knex';
+import type { AST, AbstractServiceOptions } from '../types/index.js';
+import { PayloadService } from './payload.js';
+export declare class AuthorizationService {
+    knex: Knex;
+    accountability: Accountability | null;
+    payloadService: PayloadService;
+    schema: SchemaOverview;
+    constructor(options: AbstractServiceOptions);
+    processAST(ast: AST, action?: PermissionsAction): Promise<AST>;
+    /**
+     * Checks if the provided payload matches the configured permissions, and adds the presets to the payload.
+     */
+    validatePayload(action: PermissionsAction, collection: string, data: Partial<Item>): Partial<Item>;
+    checkAccess(action: PermissionsAction, collection: string, pk?: PrimaryKey | PrimaryKey[]): Promise<void>;
+}