@directus/api 27.0.2 → 28.0.0

package/dist/auth/drivers/oauth2.js

@@ -1,6 +1,6 @@
 import { useEnv } from '@directus/env';
 import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, InvalidTokenError, isDirectusError, ServiceUnavailableError, } from '@directus/errors';
-import { parseJSON } from '@directus/utils';
+import { parseJSON, toArray } from '@directus/utils';
 import express, { Router } from 'express';
 import { flatten } from 'flat';
 import jwt from 'jsonwebtoken';
@@ -126,8 +126,8 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
         }
         let role = this.config['defaultRoleId'];
         const groupClaimName = this.config['groupClaimName'] ?? 'groups';
-        const groups = userInfo[groupClaimName];
-        if (Array.isArray(groups)) {
+        const groups = userInfo[groupClaimName] ? toArray(userInfo[groupClaimName]) : [];
+        if (groups.length > 0) {
             for (const key in this.roleMap) {
                 if (groups.includes(key)) {
                     // Overwrite default role if user is member of a group specified in roleMap
@@ -136,7 +136,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
                 }
             }
         }
-        else {
+        else if (Object.keys(this.roleMap).length > 0) {
             logger.debug(`[OAuth2] Configured group claim with name "${groupClaimName}" does not exist or is empty.`);
         }
         // Flatten response to support dot indexes

package/dist/auth/drivers/openid.d.ts

@@ -5,12 +5,13 @@ import type { AuthDriverOptions, User } from '../../types/index.js';
 import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OpenIDAuthDriver extends LocalAuthDriver {
-    client: Promise<Client>;
+    client: null | Client;
     redirectUrl: string;
     usersService: UsersService;
     config: Record<string, any>;
     roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
+    private getClient;
     generateCodeVerifier(): string;
     generateAuthUrl(codeVerifier: string, prompt?: boolean): Promise<string>;
     private fetchUserId;

package/dist/auth/drivers/openid.js

@@ -1,10 +1,10 @@
 import { useEnv } from '@directus/env';
 import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, InvalidTokenError, isDirectusError, ServiceUnavailableError, } from '@directus/errors';
-import { parseJSON } from '@directus/utils';
+import { parseJSON, toArray } from '@directus/utils';
 import express, { Router } from 'express';
 import { flatten } from 'flat';
 import jwt from 'jsonwebtoken';
-import { errors, generators, Issuer } from 'openid-client';
+import { custom, errors, generators, Issuer } from 'openid-client';
 import { getAuthProvider } from '../../auth.js';
 import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import getDatabase from '../../database/index.js';
@@ -32,23 +32,15 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         super(options, config);
         const env = useEnv();
         const logger = useLogger();
-        const { issuerUrl, clientId, clientSecret, ...additionalConfig } = config;
-        if (!issuerUrl || !clientId || !clientSecret || !additionalConfig['provider']) {
+        const { issuerUrl, clientId, clientSecret, provider, issuerDiscoveryMustSucceed } = config;
+        if (!issuerUrl || !clientId || !clientSecret || !provider) {
             logger.error('Invalid provider config');
-            throw new InvalidProviderConfigError({ provider: additionalConfig['provider'] });
+            throw new InvalidProviderConfigError({ provider });
         }
-        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', additionalConfig['provider'], 'callback');
-        // extract client overrides/options excluding CLIENT_ID and CLIENT_SECRET as they are passed directly
-        const clientOptionsOverrides = getConfigFromEnv(`AUTH_${config['provider'].toUpperCase()}_CLIENT_`, {
-            omitKey: [
-                `AUTH_${config['provider'].toUpperCase()}_CLIENT_ID`,
-                `AUTH_${config['provider'].toUpperCase()}_CLIENT_SECRET`,
-            ],
-            type: 'underscore',
-        });
+        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', provider, 'callback');
         this.redirectUrl = redirectUrl.toString();
         this.usersService = new UsersService({ knex: this.knex, schema: this.schema });
-        this.config = additionalConfig;
+        this.config = config;
         this.roleMap = {};
         const roleMapping = this.config['roleMapping'];
         if (roleMapping) {
@@ -60,29 +52,62 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             logger.error("[OpenID] Expected a JSON-Object as role mapping, got an Array instead. Make sure you declare the variable with 'json:' prefix.");
             throw new InvalidProviderError();
         }
-        this.client = new Promise((resolve, reject) => {
-            Issuer.discover(issuerUrl)
-                .then((issuer) => {
-                const supportedTypes = issuer.metadata['response_types_supported'];
-                if (!supportedTypes?.includes('code')) {
-                    logger.error('OpenID provider does not support required code flow');
-                    reject(new InvalidProviderConfigError({
-                        provider: additionalConfig['provider'],
-                    }));
-                }
-                resolve(new issuer.Client({
-                    client_id: clientId,
-                    client_secret: clientSecret,
-                    redirect_uris: [this.redirectUrl],
-                    response_types: ['code'],
-                    ...clientOptionsOverrides,
-                }));
-            })
-                .catch((e) => {
-                logger.error(e, '[OpenID] Failed to fetch provider config');
+        this.client = null;
+        // preload client
+        this.getClient().catch((e) => {
+            logger.error(e, '[OpenID] Failed to fetch provider config');
+            if (issuerDiscoveryMustSucceed !== false) {
+                logger.error(`AUTH_${provider.toUpperCase()}_ISSUER_DISCOVERY_MUST_SUCCEED is enabled and discovery failed, exiting`);
                 process.exit(1);
+            }
+        });
+    }
+    async getClient() {
+        if (this.client)
+            return this.client;
+        const logger = useLogger();
+        const { issuerUrl, clientId, clientSecret, provider } = this.config;
+        // extract client http overrides/options
+        const clientHttpOptions = getConfigFromEnv(`AUTH_${provider.toUpperCase()}_CLIENT_HTTP_`);
+        if (clientHttpOptions) {
+            Issuer[custom.http_options] = (_, options) => {
+                return {
+                    ...options,
+                    ...clientHttpOptions,
+                };
+            };
+        }
+        const issuer = await Issuer.discover(issuerUrl);
+        const supportedTypes = issuer.metadata['response_types_supported'];
+        if (!supportedTypes?.includes('code')) {
+            logger.error('OpenID provider does not support required code flow');
+            throw new InvalidProviderConfigError({
+                provider,
             });
+        }
+        // extract client overrides/options excluding CLIENT_ID and CLIENT_SECRET as they are passed directly
+        const clientOptionsOverrides = getConfigFromEnv(`AUTH_${provider.toUpperCase()}_CLIENT_`, {
+            omitKey: [`AUTH_${provider.toUpperCase()}_CLIENT_ID`, `AUTH_${provider.toUpperCase()}_CLIENT_SECRET`],
+            omitPrefix: [`AUTH_${provider.toUpperCase()}_CLIENT_HTTP_`],
+            type: 'underscore',
+        });
+        const client = new issuer.Client({
+            client_id: clientId,
+            client_secret: clientSecret,
+            redirect_uris: [this.redirectUrl],
+            response_types: ['code'],
+            ...clientOptionsOverrides,
         });
+        if (clientHttpOptions) {
+            client[custom.http_options] = (_, options) => {
+                return {
+                    ...options,
+                    ...clientHttpOptions,
+                };
+            };
+        }
+        this.client = client;
+        return client;
     }
     generateCodeVerifier() {
         return generators.codeVerifier();
@@ -90,7 +115,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
     async generateAuthUrl(codeVerifier, prompt = false) {
         const { plainCodeChallenge } = this.config;
         try {
-            const client = await this.client;
+            const client = await this.getClient();
             const codeChallenge = plainCodeChallenge ? codeVerifier : generators.codeChallenge(codeVerifier);
             const paramsConfig = typeof this.config['params'] === 'object' ? this.config['params'] : {};
             return client.authorizationUrl({
@@ -127,7 +152,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         let tokenSet;
         let userInfo;
         try {
-            const client = await this.client;
+            const client = await this.getClient();
             const codeChallenge = plainCodeChallenge
                 ? payload['codeVerifier']
                 : generators.codeChallenge(payload['codeVerifier']);
@@ -145,8 +170,8 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         }
         let role = this.config['defaultRoleId'];
         const groupClaimName = this.config['groupClaimName'] ?? 'groups';
-        const groups = userInfo[groupClaimName];
-        if (Array.isArray(groups)) {
+        const groups = userInfo[groupClaimName] ? toArray(userInfo[groupClaimName]) : [];
+        if (groups.length > 0) {
             for (const key in this.roleMap) {
                 if (groups.includes(key)) {
                     // Overwrite default role if user is member of a group specified in roleMap
@@ -155,7 +180,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
                 }
             }
         }
-        else {
+        else if (Object.keys(this.roleMap).length > 0) {
             logger.debug(`[OpenID] Configured group claim with name "${groupClaimName}" does not exist or is empty.`);
         }
         // Flatten response to support dot indexes
@@ -248,7 +273,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         }
         if (authData?.['refreshToken']) {
             try {
-                const client = await this.client;
+                const client = await this.getClient();
                 const tokenSet = await client.refresh(authData['refreshToken']);
                 // Update user refreshToken if provided
                 if (tokenSet.refresh_token) {
@@ -305,12 +330,21 @@ export function createOpenIDAuthRouter(providerName) {
             httpOnly: true,
             sameSite: 'lax',
         });
-        return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt));
+        try {
+            return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt));
+        }
+        catch {
+            return res.redirect(new Url(env['PUBLIC_URL'])
+                .addPath('admin', 'login')
+                .setQuery('reason', ErrorCode.ServiceUnavailable)
+                .toString());
+        }
     }), respond);
     router.post('/callback', express.urlencoded({ extended: false }), (req, res) => {
         res.redirect(303, `./callback?${new URLSearchParams(req.body)}`);
     }, respond);
     router.get('/callback', asyncHandler(async (req, res, next) => {
+        const env = useEnv();
         const logger = useLogger();
         let tokenData;
         try {
@@ -318,7 +352,8 @@ export function createOpenIDAuthRouter(providerName) {
         }
         catch (e) {
             logger.warn(e, `[OpenID] Couldn't verify OpenID cookie`);
-            throw new InvalidCredentialsError();
+            const url = new Url(env['PUBLIC_URL']).addPath('admin', 'login');
+            return res.redirect(`${url.toString()}?reason=${ErrorCode.InvalidCredentials}`);
         }
         const { verifier, redirect, prompt } = tokenData;
         const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });

package/dist/database/errors/dialects/mssql.d.ts

@@ -1,2 +1,3 @@
 import type { MSSQLError } from './types.js';
-export declare function extractError(error: MSSQLError): Promise<MSSQLError | Error>;
+import type { Item } from '@directus/types';
+export declare function extractError(error: MSSQLError, data: Partial<Item>): Promise<MSSQLError | Error>;

package/dist/database/errors/dialects/mssql.js

@@ -8,135 +8,139 @@ var MSSQLErrorCodes;
     MSSQLErrorCodes[MSSQLErrorCodes["UNIQUE_VIOLATION"] = 2601] = "UNIQUE_VIOLATION";
     MSSQLErrorCodes[MSSQLErrorCodes["VALUE_LIMIT_VIOLATION"] = 2628] = "VALUE_LIMIT_VIOLATION";
 })(MSSQLErrorCodes || (MSSQLErrorCodes = {}));
-export async function extractError(error) {
+export async function extractError(error, data) {
     switch (error.number) {
         case MSSQLErrorCodes.UNIQUE_VIOLATION:
         case 2627:
-            return await uniqueViolation(error);
+            return await uniqueViolation();
         case MSSQLErrorCodes.NUMERIC_VALUE_OUT_OF_RANGE:
-            return numericValueOutOfRange(error);
+            return numericValueOutOfRange();
         case MSSQLErrorCodes.VALUE_LIMIT_VIOLATION:
-            return valueLimitViolation(error);
+            return valueLimitViolation();
         case MSSQLErrorCodes.NOT_NULL_VIOLATION:
-            return notNullViolation(error);
+            return notNullViolation();
         case MSSQLErrorCodes.FOREIGN_KEY_VIOLATION:
-            return foreignKeyViolation(error);
+            return foreignKeyViolation();
     }
     return error;
-}
-async function uniqueViolation(error) {
-    /**
-     * NOTE:
-     * SQL Server doesn't return the name of the offending column when a unique constraint is thrown:
-     *
-     * insert into [articles] ([unique]) values (@p0)
-     * - Violation of UNIQUE KEY constraint 'UQ__articles__5A062640242004EB'.
-     * Cannot insert duplicate key in object 'dbo.articles'. The duplicate key value is (rijk).
-     *
-     * While it's not ideal, the best next thing we can do is extract the column name from
-     * information_schema when this happens
-     */
-    const betweenQuotes = /'([^']+)'/g;
-    const betweenParens = /\(([^)]+)\)/g;
-    const quoteMatches = error.message.match(betweenQuotes);
-    const parenMatches = error.message.match(betweenParens);
-    if (!quoteMatches || !parenMatches)
-        return error;
-    const keyName = quoteMatches[1].slice(1, -1);
-    let collection = quoteMatches[0].slice(1, -1);
-    let field = null;
-    if (keyName) {
-        const database = getDatabase();
-        const constraintUsage = await database
-            .select('sys.columns.name as field', database.raw('OBJECT_NAME(??) as collection', ['sys.columns.object_id']))
-            .from('sys.indexes')
-            .innerJoin('sys.index_columns', (join) => {
-            join
-                .on('sys.indexes.object_id', '=', 'sys.index_columns.object_id')
-                .andOn('sys.indexes.index_id', '=', 'sys.index_columns.index_id');
-        })
-            .innerJoin('sys.columns', (join) => {
-            join
-                .on('sys.index_columns.object_id', '=', 'sys.columns.object_id')
-                .andOn('sys.index_columns.column_id', '=', 'sys.columns.column_id');
-        })
-            .where('sys.indexes.name', '=', keyName)
-            .first();
-        collection = constraintUsage?.collection;
-        field = constraintUsage?.field;
+    async function uniqueViolation() {
+        /**
+         * NOTE:
+         * SQL Server doesn't return the name of the offending column when a unique constraint is thrown:
+         *
+         * insert into [articles] ([unique]) values (@p0)
+         * - Violation of UNIQUE KEY constraint 'UQ__articles__5A062640242004EB'.
+         * Cannot insert duplicate key in object 'dbo.articles'. The duplicate key value is (rijk).
+         *
+         * While it's not ideal, the best next thing we can do is extract the column name from
+         * information_schema when this happens
+         */
+        const betweenQuotes = /'([^']+)'/g;
+        const betweenParens = /\(([^)]+)\)/g;
+        const quoteMatches = error.message.match(betweenQuotes);
+        const parenMatches = error.message.match(betweenParens);
+        if (!quoteMatches || !parenMatches)
+            return error;
+        const keyName = quoteMatches[1].slice(1, -1);
+        let collection = quoteMatches[0].slice(1, -1);
+        let field = null;
+        if (keyName) {
+            const database = getDatabase();
+            const constraintUsage = await database
+                .select('sys.columns.name as field', database.raw('OBJECT_NAME(??) as collection', ['sys.columns.object_id']))
+                .from('sys.indexes')
+                .innerJoin('sys.index_columns', (join) => {
+                join
+                    .on('sys.indexes.object_id', '=', 'sys.index_columns.object_id')
+                    .andOn('sys.indexes.index_id', '=', 'sys.index_columns.index_id');
+            })
+                .innerJoin('sys.columns', (join) => {
+                join
+                    .on('sys.index_columns.object_id', '=', 'sys.columns.object_id')
+                    .andOn('sys.index_columns.column_id', '=', 'sys.columns.column_id');
+            })
+                .where('sys.indexes.name', '=', keyName)
+                .first();
+            collection = constraintUsage?.collection;
+            field = constraintUsage?.field;
+        }
+        return new RecordNotUniqueError({
+            collection,
+            field,
+            value: field ? data[field] : null,
+        });
     }
-    return new RecordNotUniqueError({
-        collection,
-        field,
-    });
-}
-function numericValueOutOfRange(error) {
-    const betweenBrackets = /\[([^\]]+)\]/g;
-    const bracketMatches = error.message.match(betweenBrackets);
-    if (!bracketMatches)
-        return error;
-    const collection = bracketMatches[0].slice(1, -1);
-    /**
-     * NOTE
-     * MS SQL Doesn't return the offending column name in the error, nor any other identifying information
-     * we can use to extract the column name :(
-     *
-     * insert into [test1] ([small]) values (@p0)
-     * - Arithmetic overflow error for data type tinyint, value = 50000.
-     */
-    const field = null;
-    return new ValueOutOfRangeError({
-        collection,
-        field,
-    });
-}
-function valueLimitViolation(error) {
-    const betweenBrackets = /\[([^\]]+)\]/g;
-    const betweenQuotes = /'([^']+)'/g;
-    const bracketMatches = error.message.match(betweenBrackets);
-    const quoteMatches = error.message.match(betweenQuotes);
-    if (!bracketMatches || !quoteMatches)
-        return error;
-    const collection = bracketMatches[0].slice(1, -1);
-    const field = quoteMatches[1].slice(1, -1);
-    return new ValueTooLongError({
-        collection,
-        field,
-    });
-}
-function notNullViolation(error) {
-    const betweenBrackets = /\[([^\]]+)\]/g;
-    const betweenQuotes = /'([^']+)'/g;
-    const bracketMatches = error.message.match(betweenBrackets);
-    const quoteMatches = error.message.match(betweenQuotes);
-    if (!bracketMatches || !quoteMatches)
-        return error;
-    const collection = bracketMatches[0].slice(1, -1);
-    const field = quoteMatches[0].slice(1, -1);
-    if (error.message.includes('Cannot insert the value NULL into column')) {
-        return new ContainsNullValuesError({ collection, field });
+    function numericValueOutOfRange() {
+        const betweenBrackets = /\[([^\]]+)\]/g;
+        const bracketMatches = error.message.match(betweenBrackets);
+        if (!bracketMatches)
+            return error;
+        const collection = bracketMatches[0].slice(1, -1);
+        /**
+         * NOTE
+         * MS SQL Doesn't return the offending column name in the error, nor any other identifying information
+         * we can use to extract the column name :(
+         *
+         * insert into [test1] ([small]) values (@p0)
+         * - Arithmetic overflow error for data type tinyint, value = 50000.
+         */
+        const field = null;
+        return new ValueOutOfRangeError({
+            collection,
+            field,
+            value: field ? data[field] : null,
+        });
+    }
+    function valueLimitViolation() {
+        const betweenBrackets = /\[([^\]]+)\]/g;
+        const betweenQuotes = /'([^']+)'/g;
+        const bracketMatches = error.message.match(betweenBrackets);
+        const quoteMatches = error.message.match(betweenQuotes);
+        if (!bracketMatches || !quoteMatches)
+            return error;
+        const collection = bracketMatches[0].slice(1, -1);
+        const field = quoteMatches[1].slice(1, -1);
+        return new ValueTooLongError({
+            collection,
+            field,
+            value: field ? data[field] : null,
+        });
+    }
+    function notNullViolation() {
+        const betweenBrackets = /\[([^\]]+)\]/g;
+        const betweenQuotes = /'([^']+)'/g;
+        const bracketMatches = error.message.match(betweenBrackets);
+        const quoteMatches = error.message.match(betweenQuotes);
+        if (!bracketMatches || !quoteMatches)
+            return error;
+        const collection = bracketMatches[0].slice(1, -1);
+        const field = quoteMatches[0].slice(1, -1);
+        if (error.message.includes('Cannot insert the value NULL into column')) {
+            return new ContainsNullValuesError({ collection, field });
+        }
+        return new NotNullViolationError({
+            collection,
+            field,
+        });
+    }
+    function foreignKeyViolation() {
+        const betweenUnderscores = /__(.+)__/g;
+        const betweenParens = /\(([^)]+)\)/g;
+        // NOTE:
+        // Seeing that MS SQL doesn't return the offending column name, we have to extract it from the
+        // foreign key constraint name as generated by the database. This'll probably fail if you have
+        // custom names for whatever reason.
+        const underscoreMatches = error.message.match(betweenUnderscores);
+        const parenMatches = error.message.match(betweenParens);
+        if (!underscoreMatches || !parenMatches)
+            return error;
+        const underscoreParts = underscoreMatches[0].split('__');
+        const collection = underscoreParts[1];
+        const field = underscoreParts[2];
+        return new InvalidForeignKeyError({
+            collection,
+            field,
+            value: field ? data[field] : null,
+        });
     }
-    return new NotNullViolationError({
-        collection,
-        field,
-    });
-}
-function foreignKeyViolation(error) {
-    const betweenUnderscores = /__(.+)__/g;
-    const betweenParens = /\(([^)]+)\)/g;
-    // NOTE:
-    // Seeing that MS SQL doesn't return the offending column name, we have to extract it from the
-    // foreign key constraint name as generated by the database. This'll probably fail if you have
-    // custom names for whatever reason.
-    const underscoreMatches = error.message.match(betweenUnderscores);
-    const parenMatches = error.message.match(betweenParens);
-    if (!underscoreMatches || !parenMatches)
-        return error;
-    const underscoreParts = underscoreMatches[0].split('__');
-    const collection = underscoreParts[1];
-    const field = underscoreParts[2];
-    return new InvalidForeignKeyError({
-        collection,
-        field,
-    });
 }

package/dist/database/errors/dialects/mysql.d.ts

@@ -1,2 +1,3 @@
 import type { MySQLError } from './types.js';
-export declare function extractError(error: MySQLError): MySQLError | Error;
+import type { Item } from '@directus/types';
+export declare function extractError(error: MySQLError, data: Partial<Item>): MySQLError | Error;