npm - @directus/api - Versions diffs - 21.0.0-rc.0 → 21.0.1 - Mend

@directus/api 21.0.0-rc.0 → 21.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (286) hide show

package/dist/middleware/error-handler.js CHANGED Viewed

@@ -1,40 +1,38 @@
-import { ErrorCode, MethodNotAllowedError, isDirectusError } from '@directus/errors';
-import { isObject, toArray } from '@directus/utils';
+import { ErrorCode, InternalServerError, isDirectusError } from '@directus/errors';
+import { isObject } from '@directus/utils';
 import { getNodeEnv } from '@directus/utils/node';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
-// Note: keep all 4 parameters here. That's how Express recognizes it's the error handler, even if
-// we don't use next
-const errorHandler = (err, req, res, _next) => {
+const FALLBACK_ERROR = new InternalServerError();
+export const errorHandler = asyncErrorHandler(async (err, req, res) => {
     const logger = useLogger();
-    let payload = {
-        errors: [],
-    };
-    const errors = toArray(err);
+    let errors = [];
     let status = null;
-    for (const error of errors) {
-        if (getNodeEnv() === 'development') {
-            if (isObject(error)) {
-                error['extensions'] = {
-                    ...(error['extensions'] || {}),
-                    stack: error['stack'],
-                };
-            }
+    // It can be assumed that at least one error is given
+    const receivedErrors = Array.isArray(err) ? err : [err];
+    for (const error of receivedErrors) {
+        // In dev mode, if available, expose stack trace under error's extensions data
+        if (getNodeEnv() === 'development' && error instanceof Error && error.stack) {
+            (error.extensions ??= {})['stack'] = error.stack;
         }
         if (isDirectusError(error)) {
             logger.debug(error);
-            if (!status) {
+            if (status === null) {
+                // Use current error status as response status
                 status = error.status;
             }
             else if (status !== error.status) {
-                status = 500;
+                // Fallback if status has already been set by a preceding error
+                // and doesn't match the current one
+                status = FALLBACK_ERROR.status;
             }
-            payload.errors.push({
+            errors.push({
                 message: error.message,
                 extensions: {
-                    code: error.code,
                     ...(error.extensions ?? {}),
+                    // Expose error code under error's extensions data
+                    code: error.code,
                 },
             });
             if (isDirectusError(error, ErrorCode.MethodNotAllowed)) {
@@ -43,45 +41,50 @@ const errorHandler = (err, req, res, _next) => {
         }
         else {
             logger.error(error);
-            status = 500;
+            status = FALLBACK_ERROR.status;
             if (req.accountability?.admin === true) {
                 const localError = isObject(error) ? error : {};
-                const message = localError['message'] ?? typeof error === 'string' ? error : null;
-                payload = {
-                    errors: [
-                        {
-                            message: message || 'An unexpected error occurred.',
-                            extensions: {
-                                code: 'INTERNAL_SERVER_ERROR',
-                                ...(localError['extensions'] ?? {}),
-                            },
+                // Use 'message' prop if available, otherwise if 'error' is a string use that
+                const message = (typeof localError['message'] === 'string' ? localError['message'] : null) ??
+                    (typeof error === 'string' ? error : null);
+                errors = [
+                    {
+                        message: message || FALLBACK_ERROR.message,
+                        extensions: {
+                            code: FALLBACK_ERROR.code,
+                            ...(localError['extensions'] ?? {}),
                         },
-                    ],
-                };
+                    },
+                ];
             }
             else {
-                payload = {
-                    errors: [
-                        {
-                            message: 'An unexpected error occurred.',
-                            extensions: {
-                                code: 'INTERNAL_SERVER_ERROR',
-                            },
-                        },
-                    ],
-                };
+                // Don't expose unknown errors to non-admin users
+                errors = [{ message: FALLBACK_ERROR.message, extensions: { code: FALLBACK_ERROR.code } }];
             }
         }
     }
-    res.status(status ?? 500);
-    emitter
-        .emitFilter('request.error', payload.errors, {}, {
+    res.status(status ?? FALLBACK_ERROR.status);
+    const updatedErrors = await emitter.emitFilter('request.error', errors, {}, {
         database: getDatabase(),
         schema: req.schema,
         accountability: req.accountability ?? null,
-    })
-        .then((updatedErrors) => {
-        return res.json({ ...payload, errors: updatedErrors });
     });
-};
-export default errorHandler;
+    return res.json({ errors: updatedErrors });
+});
+function asyncErrorHandler(fn) {
+    return (err, req, res, next) => fn(err, req, res, next).catch((error) => {
+        // To be on the safe side and ensure this doesn't lead to an unhandled (potentially crashing) error
+        try {
+            const logger = useLogger();
+            logger.error(error, 'Unexpected error in error handler');
+        }
+        catch {
+            // Ignore
+        }
+        // Delegate to default error handler to close the connection
+        if (res.headersSent)
+            return next(err);
+        res.status(FALLBACK_ERROR.status);
+        return res.json({ errors: [{ message: FALLBACK_ERROR.message, extensions: { code: FALLBACK_ERROR.code } }] });
+    });
+}

package/dist/middleware/get-permissions.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+declare const getPermissions: RequestHandler;
+export default getPermissions;

package/dist/middleware/get-permissions.js ADDED Viewed

@@ -0,0 +1,10 @@
+import asyncHandler from '../utils/async-handler.js';
+import { getPermissions as getPermissionsUtil } from '../utils/get-permissions.js';
+const getPermissions = asyncHandler(async (req, _res, next) => {
+    if (!req.accountability) {
+        throw new Error('getPermissions middleware needs to be called after authenticate');
+    }
+    req.accountability.permissions = await getPermissionsUtil(req.accountability, req.schema);
+    return next();
+});
+export default getPermissions;

package/dist/middleware/respond.js CHANGED Viewed

@@ -20,12 +20,13 @@ export const respond = asyncHandler(async (req, res) => {
         exceedsMaxSize = valueSize > maxSize;
     }
     if ((req.method.toLowerCase() === 'get' || req.originalUrl?.startsWith('/graphql')) &&
+        req.originalUrl?.startsWith('/auth') === false &&
         env['CACHE_ENABLED'] === true &&
         cache &&
         !req.sanitizedQuery.export &&
         res.locals['cache'] !== false &&
         exceedsMaxSize === false) {
-        const key = await getCacheKey(req);
+        const key = getCacheKey(req);
         try {
             await setCacheValue(cache, key, res.locals['payload'], getMilliseconds(env['CACHE_TTL']));
             await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + getMilliseconds(env['CACHE_TTL'], 0) });

package/dist/request/is-denied-ip.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { useEnv } from '@directus/env';
+import { matches } from 'ip-matching';
 import os from 'node:os';
 import { useLogger } from '../logger/index.js';
 import { ipInNetworks } from '../utils/ip-in-networks.js';
@@ -24,8 +25,13 @@ export function isDeniedIp(ip) {
             if (!networkInfo)
                 continue;
             for (const info of networkInfo) {
-                if (info.address === ip)
+                if (info.internal && info.cidr) {
+                    if (matches(ip, info.cidr))
+                        return true;
+                }
+                else if (info.address === ip) {
                     return true;
+                }
             }
         }
     }

package/dist/services/activity.js CHANGED Viewed

@@ -3,13 +3,11 @@ import { useEnv } from '@directus/env';
 import { ErrorCode, isDirectusError } from '@directus/errors';
 import { uniq } from 'lodash-es';
 import { useLogger } from '../logger/index.js';
-import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
-import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
-import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
+import { getPermissions } from '../utils/get-permissions.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
+import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
@@ -33,29 +31,19 @@ export class ActivityService extends ItemsService {
             for (const mention of mentions) {
                 const userID = mention.substring(1);
                 const user = await this.usersService.readOne(userID, {
-                    fields: ['id', 'first_name', 'last_name', 'email', 'role'],
+                    fields: ['id', 'first_name', 'last_name', 'email', 'role.id', 'role.admin_access', 'role.app_access'],
                 });
-                const roles = await fetchRolesTree(user['role'], this.knex);
-                const globalAccess = await fetchGlobalAccess({ user: user['id'], roles, ip: null }, this.knex);
-                const accountability = createDefaultAccountability({
+                const accountability = {
                     user: userID,
                     role: user['role']?.id ?? null,
-                    roles,
-                    ...globalAccess,
-                });
+                    admin: user['role']?.admin_access ?? null,
+                    app: user['role']?.app_access ?? null,
+                };
+                accountability.permissions = await getPermissions(accountability, this.schema);
+                const authorizationService = new AuthorizationService({ schema: this.schema, accountability });
                 const usersService = new UsersService({ schema: this.schema, accountability });
                 try {
-                    if (this.accountability) {
-                        await validateAccess({
-                            accountability: this.accountability,
-                            action: 'read',
-                            collection: data['collection'],
-                            primaryKeys: [data['item']],
-                        }, {
-                            knex: this.knex,
-                            schema: this.schema,
-                        });
-                    }
+                    await authorizationService.checkAccess('read', data['collection'], data['item']);
                     const templateData = await usersService.readByQuery({
                         fields: ['id', 'first_name', 'last_name', 'email'],
                         filter: { id: { _in: mentions.map((mention) => mention.substring(1)) } },

package/dist/services/assets.d.ts CHANGED Viewed

@@ -1,14 +1,15 @@
 /// <reference types="node" resolution-mode="require"/>
 import type { Range, Stat } from '@directus/storage';
-import type { Accountability, SchemaOverview } from '@directus/types';
+import type { Accountability } from '@directus/types';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
 import type { AbstractServiceOptions, TransformationSet } from '../types/index.js';
+import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 export declare class AssetsService {
     knex: Knex;
     accountability: Accountability | null;
-    schema: SchemaOverview;
+    authorizationService: AuthorizationService;
     filesService: FilesService;
     constructor(options: AbstractServiceOptions);
     getAsset(id: string, transformation?: TransformationSet, range?: Range): Promise<{

package/dist/services/assets.js CHANGED Viewed

@@ -8,24 +8,25 @@ import sharp from 'sharp';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger/index.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
+import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
+import { getSharpInstance } from './files/lib/get-sharp-instance.js';
 const env = useEnv();
 const logger = useLogger();
 export class AssetsService {
     knex;
     accountability;
-    schema;
+    authorizationService;
     filesService;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.accountability = options.accountability || null;
-        this.schema = options.schema;
         this.filesService = new FilesService({ ...options, accountability: null });
+        this.authorizationService = new AuthorizationService(options);
     }
     async getAsset(id, transformation, range) {
         const storage = await getStorage();
@@ -41,13 +42,8 @@ export class AssetsService {
          */
         if (!isValidUuid(id))
             throw new ForbiddenError();
-        if (systemPublicKeys.includes(id) === false && this.accountability) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'read',
-                collection: 'directus_files',
-                primaryKeys: [id],
-            }, { knex: this.knex, schema: this.schema });
+        if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
+            await this.authorizationService.checkAccess('read', 'directus_files', id);
         }
         const file = (await this.filesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);
@@ -121,11 +117,7 @@ export class AssetsService {
                 });
             }
             const readStream = await storage.location(file.storage).read(file.filename_disk, range);
-            const transformer = sharp({
-                limitInputPixels: Math.pow(env['ASSETS_TRANSFORM_IMAGE_MAX_DIMENSION'], 2),
-                sequentialRead: true,
-                failOn: env['ASSETS_INVALID_IMAGE_SENSITIVITY_LEVEL'],
-            });
+            const transformer = getSharpInstance();
             transformer.timeout({
                 seconds: clamp(Math.round(getMilliseconds(env['ASSETS_TRANSFORM_TIMEOUT'], 0) / 1000), 1, 3600),
             });

package/dist/services/authentication.js CHANGED Viewed

@@ -1,5 +1,3 @@
-import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
-import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
@@ -50,9 +48,10 @@ export class AuthenticationService {
             throw err;
         }
         const user = await this.knex
-            .select('id', 'first_name', 'last_name', 'email', 'password', 'status', 'role', 'tfa_secret', 'provider', 'external_identifier', 'auth_data')
-            .from('directus_users')
-            .where('id', userId)
+            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'r.admin_access', 'r.app_access', 'u.tfa_secret', 'u.provider', 'u.external_identifier', 'u.auth_data')
+            .from('directus_users as u')
+            .leftJoin('directus_roles as r', 'u.role', 'r.id')
+            .where('u.id', userId)
             .first();
         const updatedPayload = await emitter.emitFilter('auth.login', payload, {
             status: 'pending',
@@ -129,13 +128,11 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
-        const roles = await fetchRolesTree(user.role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
         const tokenPayload = {
             id: user.id,
             role: user.role,
-            app_access: globalAccess.app,
-            admin_access: globalAccess.admin,
+            app_access: user.app_access,
+            admin_access: user.admin_access,
         };
         const refreshToken = nanoid(64);
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
@@ -210,7 +207,9 @@ export class AuthenticationService {
             user_provider: 'u.provider',
             user_external_identifier: 'u.external_identifier',
             user_auth_data: 'u.auth_data',
-            user_role: 'u.role',
+            role_id: 'r.id',
+            role_admin_access: 'r.admin_access',
+            role_app_access: 'r.app_access',
             share_id: 'd.id',
             share_item: 'd.item',
             share_role: 'd.role',
@@ -223,6 +222,9 @@ export class AuthenticationService {
             .from('directus_sessions AS s')
             .leftJoin('directus_users AS u', 's.user', 'u.id')
             .leftJoin('directus_shares AS d', 's.share', 'd.id')
+            .leftJoin('directus_roles AS r', (join) => {
+            join.onIn('r.id', [this.knex.ref('u.role'), this.knex.ref('d.role')]);
+        })
             .where('s.token', refreshToken)
             .andWhere('s.expires', '>=', new Date())
             .andWhere((subQuery) => {
@@ -246,8 +248,6 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
-        const roles = await fetchRolesTree(record.user_role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({
@@ -260,9 +260,9 @@ export class AuthenticationService {
                 provider: record.user_provider,
                 external_identifier: record.user_external_identifier,
                 auth_data: record.user_auth_data,
-                role: record.user_role,
-                app_access: globalAccess.app,
-                admin_access: globalAccess.admin,
+                role: record.role_id,
+                app_access: record.role_app_access,
+                admin_access: record.role_admin_access,
             });
         }
         let newRefreshToken = record.session_next_token ?? nanoid(64);
@@ -270,9 +270,9 @@ export class AuthenticationService {
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
-            role: record.user_role,
-            app_access: globalAccess.app,
-            admin_access: globalAccess.admin,
+            role: record.role_id,
+            app_access: record.role_app_access,
+            admin_access: record.role_admin_access,
         };
         if (options?.session) {
             newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);

package/dist/services/authorization.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { Accountability, Item, PermissionsAction, PrimaryKey, SchemaOverview } from '@directus/types';
+import type { Knex } from 'knex';
+import type { AST, AbstractServiceOptions } from '../types/index.js';
+import { PayloadService } from './payload.js';
+export declare class AuthorizationService {
+    knex: Knex;
+    accountability: Accountability | null;
+    payloadService: PayloadService;
+    schema: SchemaOverview;
+    constructor(options: AbstractServiceOptions);
+    processAST(ast: AST, action?: PermissionsAction): Promise<AST>;
+    /**
+     * Checks if the provided payload matches the configured permissions, and adds the presets to the payload.
+     */
+    validatePayload(action: PermissionsAction, collection: string, data: Partial<Item>): Partial<Item>;
+    checkAccess(action: PermissionsAction, collection: string, pk?: PrimaryKey | PrimaryKey[]): Promise<void>;
+}