@directus/api 32.1.0 → 32.1.1

package/dist/auth/drivers/oauth2.d.ts

@@ -5,11 +5,12 @@ import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OAuth2AuthDriver extends LocalAuthDriver {
     client: Client;
+    redirectUrl: string;
     config: Record<string, any>;
     roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string, prompt?: boolean, callbackUrl?: string): string;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean): string;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
     login(user: User): Promise<void>;

package/dist/auth/drivers/oauth2.js

@@ -16,37 +16,40 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { getSchema } from '../../utils/get-schema.js';
 import { getSecret } from '../../utils/get-secret.js';
+import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
-import { generateCallbackUrl } from '../utils/generate-callback-url.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
+import { getSchema } from '../../utils/get-schema.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
     client;
+    redirectUrl;
     config;
     roleMap;
     constructor(options, config) {
         super(options, config);
+        const env = useEnv();
         const logger = useLogger();
         const { authorizeUrl, accessUrl, profileUrl, clientId, clientSecret, ...additionalConfig } = config;
         if (!authorizeUrl || !accessUrl || !profileUrl || !clientId || !clientSecret || !additionalConfig['provider']) {
             logger.error('Invalid provider config');
             throw new InvalidProviderConfigError({ provider: additionalConfig['provider'] });
         }
+        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', additionalConfig['provider'], 'callback');
+        this.redirectUrl = redirectUrl.toString();
         this.config = additionalConfig;
         this.roleMap = {};
         const roleMapping = this.config['roleMapping'];
+        if (roleMapping) {
+            this.roleMap = roleMapping;
+        }
         // role mapping will fail on login if AUTH_<provider>_ROLE_MAPPING is an array instead of an object.
         // This happens if the 'json:' prefix is missing from the variable declaration. To save the user from exhaustive debugging, we'll try to fail early here.
         if (roleMapping instanceof Array) {
             logger.error("[OAuth2] Expected a JSON-Object as role mapping, got an Array instead. Make sure you declare the variable with 'json:' prefix.");
             throw new InvalidProviderError();
         }
-        if (roleMapping) {
-            this.roleMap = roleMapping;
-        }
         const issuer = new Issuer({
             authorization_endpoint: authorizeUrl,
             token_endpoint: accessUrl,
@@ -64,6 +67,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
         this.client = new issuer.Client({
             client_id: clientId,
             client_secret: clientSecret,
+            redirect_uris: [this.redirectUrl],
             response_types: ['code'],
             ...clientOptionsOverrides,
         });
@@ -71,7 +75,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
     generateCodeVerifier() {
         return generators.codeVerifier();
     }
-    generateAuthUrl(codeVerifier, prompt = false, callbackUrl) {
+    generateAuthUrl(codeVerifier, prompt = false) {
         const { plainCodeChallenge } = this.config;
         try {
             const codeChallenge = plainCodeChallenge ? codeVerifier : generators.codeChallenge(codeVerifier);
@@ -85,7 +89,6 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
                 code_challenge_method: plainCodeChallenge ? 'plain' : 'S256',
                 // Some providers require state even with PKCE
                 state: codeChallenge,
-                redirect_uri: callbackUrl,
             });
         }
         catch (e) {
@@ -113,7 +116,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
             const codeChallenge = plainCodeChallenge
                 ? payload['codeVerifier']
                 : generators.codeChallenge(payload['codeVerifier']);
-            tokenSet = await this.client.oauthCallback(payload['redirectUri'], { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge });
+            tokenSet = await this.client.oauthCallback(this.redirectUrl, { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge });
             userInfo = await this.client.userinfo(tokenSet.access_token);
         }
         catch (e) {
@@ -272,19 +275,12 @@ export function createOAuth2AuthRouter(providerName) {
         const provider = getAuthProvider(providerName);
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
-        const otp = req.query['otp'];
         const redirect = req.query['redirect'];
-        if (!isLoginRedirectAllowed(providerName, `${req.protocol}://${req.hostname}`, redirect)) {
+        const otp = req.query['otp'];
+        if (isLoginRedirectAllowed(redirect, providerName) === false) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
-        const token = jwt.sign({
-            verifier: codeVerifier,
-            redirect,
-            prompt,
-            otp,
-            callbackUrl,
-        }, getSecret(), {
+        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -292,7 +288,7 @@ export function createOAuth2AuthRouter(providerName) {
             httpOnly: true,
             sameSite: 'lax',
         });
-        return res.redirect(provider.generateAuthUrl(codeVerifier, prompt, callbackUrl));
+        return res.redirect(provider.generateAuthUrl(codeVerifier, prompt));
     }, respond);
     router.post('/callback', express.urlencoded({ extended: false }), (req, res) => {
         res.redirect(303, `./callback?${new URLSearchParams(req.body)}`);
@@ -307,7 +303,7 @@ export function createOAuth2AuthRouter(providerName) {
             logger.warn(e, `[OAuth2] Couldn't verify OAuth2 cookie`);
             throw new InvalidCredentialsError();
         }
-        const { verifier, prompt, otp, callbackUrl } = tokenData;
+        const { verifier, prompt, otp } = tokenData;
         let { redirect } = tokenData;
         const accountability = createDefaultAccountability({
             ip: getIPFromReq(req),
@@ -330,7 +326,6 @@ export function createOAuth2AuthRouter(providerName) {
                 code: req.query['code'],
                 codeVerifier: verifier,
                 state: req.query['state'],
-                callbackUrl,
             }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {

package/dist/auth/drivers/openid.d.ts

@@ -5,12 +5,13 @@ import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OpenIDAuthDriver extends LocalAuthDriver {
     client: null | Client;
+    redirectUrl: string;
     config: Record<string, any>;
     roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     private getClient;
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string, prompt?: boolean, callbackUrl?: string): Promise<string>;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean): Promise<string>;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
     login(user: User): Promise<void>;

package/dist/auth/drivers/openid.js

@@ -16,19 +16,20 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { getSchema } from '../../utils/get-schema.js';
 import { getSecret } from '../../utils/get-secret.js';
+import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
-import { generateCallbackUrl } from '../utils/generate-callback-url.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
+import { getSchema } from '../../utils/get-schema.js';
 export class OpenIDAuthDriver extends LocalAuthDriver {
     client;
+    redirectUrl;
     config;
     roleMap;
     constructor(options, config) {
         super(options, config);
+        const env = useEnv();
         const logger = useLogger();
         const { issuerUrl, clientId, clientSecret, clientPrivateKeys, clientTokenEndpointAuthMethod, provider, issuerDiscoveryMustSucceed, } = config;
         const isPrivateKeyJwtAuthMethod = clientTokenEndpointAuthMethod === 'private_key_jwt';
@@ -36,6 +37,8 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             logger.error('Invalid provider config');
             throw new InvalidProviderConfigError({ provider });
         }
+        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', provider, 'callback');
+        this.redirectUrl = redirectUrl.toString();
         this.config = config;
         this.roleMap = {};
         const roleMapping = this.config['roleMapping'];
@@ -95,6 +98,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         const client = new issuer.Client({
             client_id: clientId,
             ...(!isPrivateKeyJwtAuthMethod && { client_secret: clientSecret }),
+            redirect_uris: [this.redirectUrl],
             response_types: ['code'],
             ...clientOptionsOverrides,
         }, isPrivateKeyJwtAuthMethod ? { keys: clientPrivateKeys } : undefined);
@@ -112,7 +116,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
     generateCodeVerifier() {
         return generators.codeVerifier();
     }
-    async generateAuthUrl(codeVerifier, prompt = false, callbackUrl) {
+    async generateAuthUrl(codeVerifier, prompt = false) {
         const { plainCodeChallenge } = this.config;
         try {
             const client = await this.getClient();
@@ -128,7 +132,6 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
                 // Some providers require state even with PKCE
                 state: codeChallenge,
                 nonce: codeChallenge,
-                redirect_uri: callbackUrl,
             });
         }
         catch (e) {
@@ -157,7 +160,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             const codeChallenge = plainCodeChallenge
                 ? payload['codeVerifier']
                 : generators.codeChallenge(payload['codeVerifier']);
-            tokenSet = await client.callback(payload['callbackUrl'], { code: payload['code'], state: payload['state'], iss: payload['iss'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge, nonce: codeChallenge });
+            tokenSet = await client.callback(this.redirectUrl, { code: payload['code'], state: payload['state'], iss: payload['iss'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge, nonce: codeChallenge });
             userInfo = tokenSet.claims();
             if (client.issuer.metadata['userinfo_endpoint']) {
                 userInfo = {
@@ -326,17 +329,10 @@ export function createOpenIDAuthRouter(providerName) {
         const prompt = !!req.query['prompt'];
         const redirect = req.query['redirect'];
         const otp = req.query['otp'];
-        if (!isLoginRedirectAllowed(providerName, `${req.protocol}://${req.hostname}`, redirect)) {
+        if (isLoginRedirectAllowed(redirect, providerName) === false) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
-        const token = jwt.sign({
-            verifier: codeVerifier,
-            redirect,
-            prompt,
-            otp,
-            callbackUrl,
-        }, getSecret(), {
+        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
             expiresIn: (env[`AUTH_${providerName.toUpperCase()}_LOGIN_TIMEOUT`] ?? '5m'),
             issuer: 'directus',
         });
@@ -345,7 +341,7 @@ export function createOpenIDAuthRouter(providerName) {
             sameSite: 'lax',
         });
         try {
-            return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt, callbackUrl));
+            return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt));
         }
         catch {
             return res.redirect(new Url(env['PUBLIC_URL'])
@@ -369,7 +365,7 @@ export function createOpenIDAuthRouter(providerName) {
             const url = new Url(env['PUBLIC_URL']).addPath('admin', 'login');
             return res.redirect(`${url.toString()}?reason=${ErrorCode.InvalidCredentials}`);
         }
-        const { verifier, prompt, otp, callbackUrl } = tokenData;
+        const { verifier, prompt, otp } = tokenData;
         let { redirect } = tokenData;
         const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
         const userAgent = req.get('user-agent')?.substring(0, 1024);
@@ -391,7 +387,6 @@ export function createOpenIDAuthRouter(providerName) {
                 codeVerifier: verifier,
                 state: req.query['state'],
                 iss: req.query['iss'],
-                callbackUrl,
             }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {

package/dist/auth/drivers/saml.js

@@ -13,8 +13,8 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { LocalAuthDriver } from './local.js';
+import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 // Register the samlify schema validator
 samlify.setSchemaValidator(validator);
 export class SAMLAuthDriver extends LocalAuthDriver {
@@ -95,7 +95,7 @@ export function createSAMLAuthRouter(providerName) {
         const parsedUrl = new URL(url);
         if (req.query['redirect']) {
             const redirect = req.query['redirect'];
-            if (!isLoginRedirectAllowed(providerName, `${req.protocol}://${req.hostname}`, redirect)) {
+            if (isLoginRedirectAllowed(redirect, providerName) === false) {
                 throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
             }
             parsedUrl.searchParams.append('RelayState', redirect);

package/dist/services/graphql/resolvers/query.js

@@ -23,10 +23,10 @@ export async function resolveQuery(gql, info) {
         query = await getAggregateQuery(args, selections, gql.schema, gql.accountability, collection);
     }
     else {
-        query = await getQuery(args, gql.schema, selections, info.variableValues, gql.accountability, collection);
         if (collection.endsWith('_by_id') && collection in gql.schema.collections === false) {
             collection = collection.slice(0, -6);
         }
+        query = await getQuery(args, gql.schema, selections, info.variableValues, gql.accountability, collection);
         if (collection.endsWith('_by_version') && collection in gql.schema.collections === false) {
             collection = collection.slice(0, -11);
             query.versionRaw = true;

package/dist/telemetry/utils/get-settings.js

@@ -1,14 +1,18 @@
-import { toBoolean } from '@directus/utils';
+import { SettingsService } from '../../services/settings.js';
+import { getSchema } from '../../utils/get-schema.js';
 export const getSettings = async (db) => {
-    const settings = await db
-        .select('project_id', 'mcp_enabled', 'mcp_allow_deletes', 'mcp_system_prompt_enabled', 'visual_editor_urls')
-        .from('directus_settings')
-        .first();
+    const settingsService = new SettingsService({
+        knex: db,
+        schema: await getSchema({ database: db }),
+    });
+    const settings = (await settingsService.readSingleton({
+        fields: ['project_id', 'mcp_enabled', 'mcp_allow_deletes', 'mcp_system_prompt_enabled', 'visual_editor_urls'],
+    }));
     return {
         project_id: settings.project_id,
-        mcp_enabled: toBoolean(settings?.mcp_enabled),
-        mcp_allow_deletes: toBoolean(settings?.mcp_allow_deletes),
-        mcp_system_prompt_enabled: toBoolean(settings?.mcp_system_prompt_enabled),
-        visual_editor_urls: settings.visual_editor_urls ? JSON.parse(settings.visual_editor_urls).length : 0,
+        mcp_enabled: settings?.mcp_enabled || false,
+        mcp_allow_deletes: settings?.mcp_allow_deletes || false,
+        mcp_system_prompt_enabled: settings?.mcp_system_prompt_enabled || false,
+        visual_editor_urls: settings.visual_editor_urls?.length || 0,
     };
 };

package/dist/utils/is-login-redirect-allowed.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Checks if the defined redirect after successful SSO login is in the allow list
+ */
+export declare function isLoginRedirectAllowed(redirect: unknown, provider: string): boolean;

package/dist/{auth/utils → utils}/is-login-redirect-allowed.js

@@ -1,23 +1,19 @@
 import { useEnv } from '@directus/env';
 import { toArray } from '@directus/utils';
-import { useLogger } from '../../logger/index.js';
-import isUrlAllowed from '../../utils/is-url-allowed.js';
+import { useLogger } from '../logger/index.js';
+import isUrlAllowed from './is-url-allowed.js';
 /**
- * Check if the redirect URL is allowed
- * @param originUrl Origin URL
- * @param provider OAuth provider name
- * @param redirect URL to redirect to
- * @returns True if the redirect is allowed, false otherwise
+ * Checks if the defined redirect after successful SSO login is in the allow list
  */
-export function isLoginRedirectAllowed(provider, originUrl, redirect) {
+export function isLoginRedirectAllowed(redirect, provider) {
     if (!redirect)
         return true; // empty redirect
     if (typeof redirect !== 'string')
         return false; // invalid type
     const env = useEnv();
     const publicUrl = env['PUBLIC_URL'];
-    if (!URL.canParse(redirect)) {
-        if (!redirect.startsWith('//')) {
+    if (URL.canParse(redirect) === false) {
+        if (redirect.startsWith('//') === false) {
             // should be a relative path like `/admin/test`
             return true;
         }
@@ -25,10 +21,6 @@ export function isLoginRedirectAllowed(provider, originUrl, redirect) {
         return false;
     }
     const { protocol: redirectProtocol, hostname: redirectDomain } = new URL(redirect);
-    const redirectUrl = `${redirectProtocol}//${redirectDomain}`;
-    // Security check: redirect URL must match the request origin
-    if (redirectUrl !== originUrl)
-        return false;
     const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
     if (envKey in env) {
         if (isUrlAllowed(redirect, [...toArray(env[envKey]), publicUrl]))
@@ -38,7 +30,7 @@ export function isLoginRedirectAllowed(provider, originUrl, redirect) {
         useLogger().error('Invalid PUBLIC_URL for login redirect');
         return false;
     }
-    const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);
     // allow redirects to the defined PUBLIC_URL
-    return redirectUrl === `${publicProtocol}//${publicDomain}`;
+    const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);
+    return `${redirectProtocol}//${redirectDomain}` === `${publicProtocol}//${publicDomain}`;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "32.1.0",
+  "version": "32.1.1",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -153,30 +153,30 @@
     "ws": "8.18.3",
     "zod": "4.1.12",
     "zod-validation-error": "4.0.2",
-    "@directus/app": "14.2.0",
+    "@directus/app": "14.3.0",
     "@directus/env": "5.3.2",
-    "@directus/constants": "14.0.0",
-    "@directus/errors": "2.0.5",
     "@directus/extensions-registry": "3.0.14",
+    "@directus/extensions": "3.0.14",
+    "@directus/errors": "2.0.5",
+    "@directus/constants": "14.0.0",
     "@directus/extensions-sdk": "17.0.3",
+    "@directus/memory": "3.0.12",
     "@directus/format-title": "12.1.1",
-    "@directus/extensions": "3.0.14",
     "@directus/pressure": "3.0.12",
-    "@directus/schema": "13.0.4",
-    "@directus/memory": "3.0.12",
     "@directus/schema-builder": "0.0.9",
-    "@directus/storage": "12.0.3",
     "@directus/specs": "11.2.0",
-    "@directus/storage-driver-azure": "12.0.12",
+    "@directus/schema": "13.0.4",
+    "@directus/storage": "12.0.3",
     "@directus/storage-driver-cloudinary": "12.0.12",
-    "@directus/storage-driver-gcs": "12.0.12",
-    "@directus/storage-driver-s3": "12.0.12",
+    "@directus/storage-driver-azure": "12.0.12",
     "@directus/storage-driver-local": "12.0.3",
+    "@directus/storage-driver-gcs": "12.0.12",
     "@directus/storage-driver-supabase": "3.0.12",
-    "@directus/system-data": "3.4.2",
-    "@directus/validation": "2.0.12",
+    "@directus/storage-driver-s3": "12.0.12",
     "@directus/utils": "13.0.13",
-    "directus": "11.13.3"
+    "@directus/validation": "2.0.12",
+    "@directus/system-data": "3.4.2",
+    "directus": "11.13.4"
   },
   "devDependencies": {
     "@directus/tsconfig": "3.0.0",
@@ -219,8 +219,8 @@
     "knex-mock-client": "3.0.2",
     "typescript": "5.9.3",
     "vitest": "3.2.4",
-    "@directus/types": "13.4.0",
-    "@directus/schema-builder": "0.0.9"
+    "@directus/schema-builder": "0.0.9",
+    "@directus/types": "13.4.0"
   },
   "optionalDependencies": {
     "@keyv/redis": "3.0.1",

package/dist/auth/utils/generate-callback-url.d.ts

@@ -1,8 +0,0 @@
-/**
- * Generate callback URL from origin
- *
- * @param string Origin URL
- * @param providerName OAuth provider name
- * @returns url
- */
-export declare function generateCallbackUrl(providerName: string, originUrl: string): string;

package/dist/auth/utils/generate-callback-url.js

@@ -1,11 +0,0 @@
-import { Url } from '../../utils/url.js';
-/**
- * Generate callback URL from origin
- *
- * @param string Origin URL
- * @param providerName OAuth provider name
- * @returns url
- */
-export function generateCallbackUrl(providerName, originUrl) {
-    return new Url(originUrl).addPath('auth', 'login', providerName, 'callback').toString();
-}

package/dist/auth/utils/is-login-redirect-allowed.d.ts

@@ -1,8 +0,0 @@
-/**
- * Check if the redirect URL is allowed
- * @param originUrl Origin URL
- * @param provider OAuth provider name
- * @param redirect URL to redirect to
- * @returns True if the redirect is allowed, false otherwise
- */
-export declare function isLoginRedirectAllowed(provider: string, originUrl: string, redirect: unknown): boolean;