npm - @directus/api - Versions diffs - 32.2.0 → 33.0.0 - Mend

@directus/api 32.2.0 → 33.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (201) hide show

package/dist/ai/chat/lib/create-ui-stream.d.ts +1 -1
package/dist/ai/tools/assets/index.js +1 -1
package/dist/ai/tools/collections/index.js +2 -2
package/dist/ai/tools/fields/index.js +2 -2
package/dist/ai/tools/files/index.js +1 -1
package/dist/ai/tools/flows/index.js +1 -1
package/dist/ai/tools/folders/index.js +1 -1
package/dist/ai/tools/items/index.js +2 -2
package/dist/ai/tools/relations/index.js +1 -1
package/dist/ai/tools/trigger-flow/index.js +1 -1
package/dist/app.js +8 -8
package/dist/auth/drivers/ldap.js +2 -2
package/dist/auth/drivers/local.js +1 -1
package/dist/auth/drivers/oauth2.d.ts +1 -2
package/dist/auth/drivers/oauth2.js +22 -17
package/dist/auth/drivers/openid.d.ts +1 -2
package/dist/auth/drivers/openid.js +18 -13
package/dist/auth/drivers/saml.js +3 -3
package/dist/auth/utils/generate-callback-url.d.ts +11 -0
package/dist/auth/utils/generate-callback-url.js +40 -0
package/dist/auth/utils/is-login-redirect-allowed.d.ts +7 -0
package/dist/{utils → auth/utils}/is-login-redirect-allowed.js +12 -9
package/dist/cache.js +2 -2
package/dist/cli/commands/bootstrap/index.js +2 -2
package/dist/cli/commands/database/install.js +1 -1
package/dist/cli/commands/database/migrate.js +1 -1
package/dist/cli/commands/init/index.js +2 -2
package/dist/cli/commands/roles/create.js +4 -4
package/dist/cli/commands/schema/apply.js +3 -3
package/dist/cli/commands/schema/snapshot.js +1 -1
package/dist/cli/utils/create-db-connection.d.ts +1 -1
package/dist/cli/utils/create-db-connection.js +1 -1
package/dist/cli/utils/create-env/index.js +1 -1
package/dist/constants.d.ts +7 -3
package/dist/constants.js +7 -3
package/dist/controllers/access.js +1 -1
package/dist/controllers/assets.js +1 -1
package/dist/controllers/extensions.js +1 -1
package/dist/controllers/fields.js +2 -2
package/dist/controllers/files.js +1 -1
package/dist/controllers/items.js +1 -1
package/dist/controllers/not-found.js +1 -1
package/dist/controllers/relations.js +1 -1
package/dist/database/errors/dialects/mysql.d.ts +1 -1
package/dist/database/errors/dialects/postgres.d.ts +1 -1
package/dist/database/errors/dialects/sqlite.d.ts +1 -1
package/dist/database/errors/translate.d.ts +1 -1
package/dist/database/errors/translate.js +1 -1
package/dist/database/helpers/date/dialects/mssql.js +1 -1
package/dist/database/helpers/date/dialects/mysql.js +1 -1
package/dist/database/helpers/date/types.js +1 -1
package/dist/database/helpers/schema/dialects/cockroachdb.d.ts +1 -0
package/dist/database/helpers/schema/dialects/cockroachdb.js +24 -1
package/dist/database/helpers/schema/dialects/mssql.d.ts +1 -1
package/dist/database/helpers/schema/dialects/mysql.d.ts +2 -1
package/dist/database/helpers/schema/dialects/mysql.js +16 -3
package/dist/database/helpers/schema/dialects/postgres.d.ts +1 -1
package/dist/database/helpers/schema/types.d.ts +13 -0
package/dist/database/helpers/schema/types.js +24 -0
package/dist/database/index.js +4 -4
package/dist/database/migrations/20220429A-add-flows.js +1 -1
package/dist/database/migrations/20230526A-migrate-translation-strings.js +1 -1
package/dist/database/migrations/20231009A-update-csv-fields-to-text.js +1 -1
package/dist/database/migrations/20240204A-marketplace.js +9 -7
package/dist/database/migrations/20240311A-deprecate-webhooks.d.ts +15 -0
package/dist/database/migrations/20240311A-deprecate-webhooks.js +1 -1
package/dist/database/migrations/20240806A-permissions-policies.js +2 -2
package/dist/database/migrations/20240924A-migrate-legacy-comments.js +1 -1
package/dist/database/migrations/20251014A-add-project-owner.js +1 -1
package/dist/database/migrations/20251224A-remove-webhooks.d.ts +3 -0
package/dist/database/migrations/20251224A-remove-webhooks.js +19 -0
package/dist/database/migrations/20260113A-add-revisions-index.d.ts +3 -0
package/dist/database/migrations/20260113A-add-revisions-index.js +41 -0
package/dist/database/migrations/run.js +3 -3
package/dist/database/run-ast/lib/apply-query/filter/get-filter-type.d.ts +2 -2
package/dist/database/run-ast/lib/apply-query/filter/get-filter-type.js +1 -1
package/dist/database/run-ast/lib/apply-query/filter/operator.js +1 -1
package/dist/database/run-ast/lib/apply-query/sort.js +1 -1
package/dist/database/run-ast/utils/get-column-pre-processor.js +2 -2
package/dist/database/run-ast/utils/get-column.js +1 -1
package/dist/database/seeds/run.js +3 -3
package/dist/extensions/lib/get-extensions-path.js +1 -1
package/dist/extensions/lib/get-extensions-settings.js +1 -1
package/dist/extensions/lib/get-extensions.js +1 -1
package/dist/extensions/lib/get-shared-deps-mapping.js +3 -3
package/dist/extensions/lib/installation/manager.js +3 -3
package/dist/extensions/lib/sandbox/register/route.d.ts +1 -1
package/dist/extensions/lib/sync/status.js +1 -1
package/dist/extensions/lib/sync/sync.js +7 -7
package/dist/extensions/lib/sync/utils.js +2 -2
package/dist/extensions/manager.d.ts +1 -1
package/dist/extensions/manager.js +8 -8
package/dist/flows.d.ts +1 -1
package/dist/logger/index.js +1 -1
package/dist/logger/logs-stream.d.ts +1 -1
package/dist/logger/logs-stream.js +1 -1
package/dist/mailer.js +1 -1
package/dist/metrics/lib/create-metrics.js +2 -2
package/dist/middleware/authenticate.js +3 -3
package/dist/middleware/collection-exists.js +1 -1
package/dist/middleware/extract-token.js +1 -1
package/dist/middleware/graphql.js +2 -2
package/dist/middleware/validate-batch.js +1 -1
package/dist/operations/exec/index.js +2 -1
package/dist/operations/mail/index.js +1 -1
package/dist/operations/mail/rate-limiter.js +2 -2
package/dist/permissions/cache.js +5 -0
package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js +1 -1
package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js +1 -1
package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js +2 -2
package/dist/permissions/modules/process-ast/lib/inject-cases.js +1 -1
package/dist/permissions/modules/process-ast/process-ast.js +1 -1
package/dist/permissions/modules/process-payload/process-payload.js +1 -1
package/dist/permissions/modules/validate-access/lib/validate-item-access.d.ts +13 -1
package/dist/permissions/modules/validate-access/lib/validate-item-access.js +54 -6
package/dist/permissions/modules/validate-access/validate-access.js +3 -2
package/dist/rate-limiter.js +1 -1
package/dist/request/is-denied-ip.js +1 -1
package/dist/schedules/project.js +1 -1
package/dist/schedules/telemetry.js +1 -1
package/dist/schedules/tus.js +1 -1
package/dist/server.js +4 -4
package/dist/services/assets.d.ts +2 -1
package/dist/services/assets.js +35 -8
package/dist/services/authentication.js +2 -2
package/dist/services/collections.js +1 -1
package/dist/services/extensions.d.ts +1 -1
package/dist/services/files/utils/get-metadata.d.ts +1 -1
package/dist/services/files/utils/get-metadata.js +1 -1
package/dist/services/files.d.ts +1 -1
package/dist/services/files.js +4 -4
package/dist/services/graphql/index.d.ts +1 -1
package/dist/services/graphql/index.js +1 -1
package/dist/services/graphql/resolvers/mutation.js +1 -1
package/dist/services/graphql/schema/get-types.d.ts +1 -1
package/dist/services/graphql/schema/read.js +1 -1
package/dist/services/graphql/subscription.d.ts +1 -1
package/dist/services/graphql/types/date.js +1 -1
package/dist/services/graphql/types/hash.js +1 -1
package/dist/services/graphql/utils/add-path-to-validation-error.js +1 -1
package/dist/services/import-export.d.ts +1 -1
package/dist/services/import-export.js +2 -2
package/dist/services/index.d.ts +0 -1
package/dist/services/index.js +0 -1
package/dist/services/mail/index.js +2 -2
package/dist/services/mail/rate-limiter.js +2 -2
package/dist/services/payload.js +2 -2
package/dist/services/schema.js +1 -1
package/dist/services/server.js +12 -4
package/dist/services/settings.js +2 -2
package/dist/services/tfa.js +1 -1
package/dist/services/translations.js +1 -1
package/dist/services/tus/data-store.d.ts +1 -3
package/dist/services/tus/data-store.js +2 -5
package/dist/services/tus/server.js +6 -6
package/dist/services/users.js +4 -4
package/dist/services/versions.js +1 -1
package/dist/telemetry/lib/send-report.d.ts +1 -1
package/dist/telemetry/lib/send-report.js +1 -1
package/dist/telemetry/lib/track.js +1 -1
package/dist/test-utils/knex.js +1 -1
package/dist/types/collection.d.ts +1 -1
package/dist/utils/async-handler.d.ts +1 -1
package/dist/utils/calculate-field-depth.js +1 -1
package/dist/utils/compress.js +1 -1
package/dist/utils/deep-map-response.js +2 -2
package/dist/utils/get-cache-key.js +1 -1
package/dist/utils/get-field-system-rows.js +1 -1
package/dist/utils/get-ip-from-req.d.ts +1 -1
package/dist/utils/get-ip-from-req.js +1 -1
package/dist/utils/get-local-type.js +7 -3
package/dist/utils/get-service.js +1 -3
package/dist/utils/get-snapshot-diff.js +1 -1
package/dist/utils/is-url-allowed.js +1 -1
package/dist/utils/jwt.js +1 -1
package/dist/utils/sanitize-schema.d.ts +1 -1
package/dist/utils/should-clear-cache.d.ts +1 -1
package/dist/utils/should-skip-cache.js +2 -2
package/dist/utils/validate-diff.js +1 -1
package/dist/utils/validate-snapshot.js +3 -3
package/dist/utils/validate-storage.js +2 -2
package/dist/utils/verify-session-jwt.js +1 -1
package/dist/utils/versioning/deep-map-with-schema.js +2 -2
package/dist/websocket/controllers/base.d.ts +2 -2
package/dist/websocket/controllers/base.js +3 -3
package/dist/websocket/controllers/graphql.d.ts +1 -1
package/dist/websocket/controllers/graphql.js +1 -1
package/dist/websocket/controllers/logs.d.ts +1 -1
package/dist/websocket/controllers/rest.d.ts +1 -1
package/dist/websocket/controllers/rest.js +2 -2
package/dist/websocket/handlers/heartbeat.js +1 -1
package/dist/websocket/handlers/items.js +2 -2
package/dist/websocket/handlers/subscribe.js +1 -1
package/dist/websocket/types.d.ts +1 -1
package/dist/websocket/utils/wait-for-message.js +1 -1
package/package.json +24 -24
package/dist/controllers/webhooks.d.ts +0 -2
package/dist/controllers/webhooks.js +0 -74
package/dist/services/webhooks.d.ts +0 -14
package/dist/services/webhooks.js +0 -32
package/dist/utils/is-login-redirect-allowed.d.ts +0 -4

package/dist/ai/chat/lib/create-ui-stream.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { type LanguageModelUsage, type Tool, type UIMessage, type StreamTextResult } from 'ai';
+import { type LanguageModelUsage, type StreamTextResult, type Tool, type UIMessage } from 'ai';
 export interface CreateUiStreamOptions {
     provider: 'openai' | 'anthropic';
     model: string;

package/dist/ai/tools/assets/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { UnsupportedMediaTypeError } from '@directus/errors';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { UnsupportedMediaTypeError } from '@directus/errors';
 import { z } from 'zod';
 import { AssetsService } from '../../../services/assets.js';
 import { FilesService } from '../../../services/files.js';

package/dist/ai/tools/collections/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
-import { InvalidPayloadError } from '@directus/errors';
-import { isObject, toArray } from '@directus/utils';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { InvalidPayloadError } from '@directus/errors';
+import { isObject, toArray } from '@directus/utils';
 import { z } from 'zod';
 import { CollectionsService } from '../../../services/collections.js';
 import { requireText } from '../../../utils/require-text.js';

package/dist/ai/tools/fields/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
-import { InvalidPayloadError } from '@directus/errors';
-import { toArray } from '@directus/utils';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { InvalidPayloadError } from '@directus/errors';
+import { toArray } from '@directus/utils';
 import { z } from 'zod';
 import { clearSystemCache } from '../../../cache.js';
 import getDatabase from '../../../database/index.js';

package/dist/ai/tools/files/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { isObject } from '@directus/utils';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { isObject } from '@directus/utils';
 import { z } from 'zod';
 import { FilesService } from '../../../services/files.js';
 import { requireText } from '../../../utils/require-text.js';

package/dist/ai/tools/flows/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { isObject } from '@directus/utils';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { isObject } from '@directus/utils';
 import { z } from 'zod';
 import { FlowsService } from '../../../services/flows.js';
 import { requireText } from '../../../utils/require-text.js';

package/dist/ai/tools/folders/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { toArray } from '@directus/utils';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { toArray } from '@directus/utils';
 import { z } from 'zod';
 import { FoldersService } from '../../../services/folders.js';
 import { requireText } from '../../../utils/require-text.js';

package/dist/ai/tools/items/index.js CHANGED Viewed

@@ -1,9 +1,9 @@
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { isSystemCollection } from '@directus/system-data';
 import { toArray } from '@directus/utils';
 import { isObject } from 'graphql-compose';
-import { dirname, resolve } from 'node:path';
-import { fileURLToPath } from 'node:url';
 import { z } from 'zod';
 import { ItemsService } from '../../../services/items.js';
 import { requireText } from '../../../utils/require-text.js';

package/dist/ai/tools/relations/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { InvalidPayloadError } from '@directus/errors';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { InvalidPayloadError } from '@directus/errors';
 import { z } from 'zod';
 import { RelationsService } from '../../../services/relations.js';
 import { requireText } from '../../../utils/require-text.js';

package/dist/ai/tools/trigger-flow/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { InvalidPayloadError } from '@directus/errors';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { InvalidPayloadError } from '@directus/errors';
 import { z } from 'zod';
 import { getFlowManager } from '../../../flows.js';
 import { FlowsService } from '../../../services/flows.js';

package/dist/app.js CHANGED Viewed

@@ -1,3 +1,6 @@
+import { readFile } from 'node:fs/promises';
+import { createRequire } from 'node:module';
+import path from 'path';
 import { useEnv } from '@directus/env';
 import { InvalidPayloadError, ServiceUnavailableError } from '@directus/errors';
 import { handlePressure } from '@directus/pressure';
@@ -5,10 +8,8 @@ import { toBoolean } from '@directus/utils';
 import cookieParser from 'cookie-parser';
 import express from 'express';
 import { merge } from 'lodash-es';
-import { readFile } from 'node:fs/promises';
-import { createRequire } from 'node:module';
-import path from 'path';
 import qs from 'qs';
+import { aiChatRouter } from './ai/chat/router.js';
 import { registerAuthProviders } from './auth.js';
 import accessRouter from './controllers/access.js';
 import activityRouter from './controllers/activity.js';
@@ -45,7 +46,6 @@ import tusRouter from './controllers/tus.js';
 import usersRouter from './controllers/users.js';
 import utilsRouter from './controllers/utils.js';
 import versionsRouter from './controllers/versions.js';
-import webhooksRouter from './controllers/webhooks.js';
 import { isInstalled, validateDatabaseConnection, validateDatabaseExtensions, validateMigrations, } from './database/index.js';
 import emitter from './emitter.js';
 import { getExtensionManager } from './extensions/index.js';
@@ -61,14 +61,13 @@ import rateLimiter from './middleware/rate-limiter-ip.js';
 import sanitizeQuery from './middleware/sanitize-query.js';
 import schema from './middleware/schema.js';
 import metricsSchedule from './schedules/metrics.js';
+import projectSchedule from './schedules/project.js';
 import retentionSchedule from './schedules/retention.js';
 import telemetrySchedule from './schedules/telemetry.js';
 import tusSchedule from './schedules/tus.js';
-import projectSchedule from './schedules/project.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { Url } from './utils/url.js';
 import { validateStorage } from './utils/validate-storage.js';
-import { aiChatRouter } from './ai/chat/router.js';
 const require = createRequire(import.meta.url);
 export default async function createApp() {
     const env = useEnv();
@@ -235,7 +234,9 @@ export default async function createApp() {
     if (toBoolean(env['MCP_ENABLED']) === true) {
         app.use('/mcp', mcpRouter);
     }
-    app.use('/ai/chat', aiChatRouter);
+    if (toBoolean(env['AI_ENABLED']) === true) {
+        app.use('/ai/chat', aiChatRouter);
+    }
     if (env['METRICS_ENABLED'] === true) {
         app.use('/metrics', metricsRouter);
     }
@@ -256,7 +257,6 @@ export default async function createApp() {
     app.use('/users', usersRouter);
     app.use('/utils', utilsRouter);
     app.use('/versions', versionsRouter);
-    app.use('/webhooks', webhooksRouter);
     // Register custom endpoints
     await emitter.emitInit('routes.custom.before', { app });
     app.use(extensionManager.getEndpointRouter());

package/dist/auth/drivers/ldap.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { useEnv } from '@directus/env';
-import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, ServiceUnavailableError, UnexpectedResponseError, isDirectusError, } from '@directus/errors';
+import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, isDirectusError, ServiceUnavailableError, UnexpectedResponseError, } from '@directus/errors';
 import { Router } from 'express';
 import Joi from 'joi';
 import ldap from 'ldapjs';
@@ -12,8 +12,8 @@ import { createDefaultAccountability } from '../../permissions/utils/create-defa
 import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { AuthDriver } from '../auth.js';
 import { getSchema } from '../../utils/get-schema.js';
+import { AuthDriver } from '../auth.js';
 // 0x2: ACCOUNTDISABLE
 // 0x10: LOCKOUT
 // 0x800000: PASSWORD_EXPIRED

package/dist/auth/drivers/local.js CHANGED Viewed

@@ -1,9 +1,9 @@
+import { performance } from 'perf_hooks';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidPayloadError } from '@directus/errors';
 import argon2 from 'argon2';
 import { Router } from 'express';
 import Joi from 'joi';
-import { performance } from 'perf_hooks';
 import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import { respond } from '../../middleware/respond.js';
 import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';

package/dist/auth/drivers/oauth2.d.ts CHANGED Viewed

@@ -5,12 +5,11 @@ import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OAuth2AuthDriver extends LocalAuthDriver {
     client: Client;
-    redirectUrl: string;
     config: Record<string, any>;
     roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string, prompt?: boolean): string;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean, callbackUrl?: string): string;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
     login(user: User): Promise<void>;

package/dist/auth/drivers/oauth2.js CHANGED Viewed

@@ -16,40 +16,37 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
+import { getSchema } from '../../utils/get-schema.js';
 import { getSecret } from '../../utils/get-secret.js';
-import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
+import { generateCallbackUrl } from '../utils/generate-callback-url.js';
+import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
-import { getSchema } from '../../utils/get-schema.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
     client;
-    redirectUrl;
     config;
     roleMap;
     constructor(options, config) {
         super(options, config);
-        const env = useEnv();
         const logger = useLogger();
         const { authorizeUrl, accessUrl, profileUrl, clientId, clientSecret, ...additionalConfig } = config;
         if (!authorizeUrl || !accessUrl || !profileUrl || !clientId || !clientSecret || !additionalConfig['provider']) {
             logger.error('Invalid provider config');
             throw new InvalidProviderConfigError({ provider: additionalConfig['provider'] });
         }
-        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', additionalConfig['provider'], 'callback');
-        this.redirectUrl = redirectUrl.toString();
         this.config = additionalConfig;
         this.roleMap = {};
         const roleMapping = this.config['roleMapping'];
-        if (roleMapping) {
-            this.roleMap = roleMapping;
-        }
         // role mapping will fail on login if AUTH_<provider>_ROLE_MAPPING is an array instead of an object.
         // This happens if the 'json:' prefix is missing from the variable declaration. To save the user from exhaustive debugging, we'll try to fail early here.
         if (roleMapping instanceof Array) {
             logger.error("[OAuth2] Expected a JSON-Object as role mapping, got an Array instead. Make sure you declare the variable with 'json:' prefix.");
             throw new InvalidProviderError();
         }
+        if (roleMapping) {
+            this.roleMap = roleMapping;
+        }
         const issuer = new Issuer({
             authorization_endpoint: authorizeUrl,
             token_endpoint: accessUrl,
@@ -67,7 +64,6 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
         this.client = new issuer.Client({
             client_id: clientId,
             client_secret: clientSecret,
-            redirect_uris: [this.redirectUrl],
             response_types: ['code'],
             ...clientOptionsOverrides,
         });
@@ -75,7 +71,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
     generateCodeVerifier() {
         return generators.codeVerifier();
     }
-    generateAuthUrl(codeVerifier, prompt = false) {
+    generateAuthUrl(codeVerifier, prompt = false, callbackUrl) {
         const { plainCodeChallenge } = this.config;
         try {
             const codeChallenge = plainCodeChallenge ? codeVerifier : generators.codeChallenge(codeVerifier);
@@ -89,6 +85,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
                 code_challenge_method: plainCodeChallenge ? 'plain' : 'S256',
                 // Some providers require state even with PKCE
                 state: codeChallenge,
+                redirect_uri: callbackUrl,
             });
         }
         catch (e) {
@@ -116,7 +113,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
             const codeChallenge = plainCodeChallenge
                 ? payload['codeVerifier']
                 : generators.codeChallenge(payload['codeVerifier']);
-            tokenSet = await this.client.oauthCallback(this.redirectUrl, { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge });
+            tokenSet = await this.client.oauthCallback(payload['callbackUrl'], { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge });
             userInfo = await this.client.userinfo(tokenSet.access_token);
         }
         catch (e) {
@@ -275,12 +272,19 @@ export function createOAuth2AuthRouter(providerName) {
         const provider = getAuthProvider(providerName);
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
-        const redirect = req.query['redirect'];
         const otp = req.query['otp'];
-        if (isLoginRedirectAllowed(redirect, providerName) === false) {
+        const redirect = req.query['redirect'];
+        if (!isLoginRedirectAllowed(providerName, redirect)) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
+        const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
+        const token = jwt.sign({
+            verifier: codeVerifier,
+            redirect,
+            prompt,
+            otp,
+            callbackUrl,
+        }, getSecret(), {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -288,7 +292,7 @@ export function createOAuth2AuthRouter(providerName) {
             httpOnly: true,
             sameSite: 'lax',
         });
-        return res.redirect(provider.generateAuthUrl(codeVerifier, prompt));
+        return res.redirect(provider.generateAuthUrl(codeVerifier, prompt, callbackUrl));
     }, respond);
     router.post('/callback', express.urlencoded({ extended: false }), (req, res) => {
         res.redirect(303, `./callback?${new URLSearchParams(req.body)}`);
@@ -303,7 +307,7 @@ export function createOAuth2AuthRouter(providerName) {
             logger.warn(e, `[OAuth2] Couldn't verify OAuth2 cookie`);
             throw new InvalidCredentialsError();
         }
-        const { verifier, prompt, otp } = tokenData;
+        const { verifier, prompt, otp, callbackUrl } = tokenData;
         let { redirect } = tokenData;
         const accountability = createDefaultAccountability({
             ip: getIPFromReq(req),
@@ -326,6 +330,7 @@ export function createOAuth2AuthRouter(providerName) {
                 code: req.query['code'],
                 codeVerifier: verifier,
                 state: req.query['state'],
+                callbackUrl,
             }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {

package/dist/auth/drivers/openid.d.ts CHANGED Viewed

@@ -5,13 +5,12 @@ import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OpenIDAuthDriver extends LocalAuthDriver {
     client: null | Client;
-    redirectUrl: string;
     config: Record<string, any>;
     roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     private getClient;
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string, prompt?: boolean): Promise<string>;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean, callbackUrl?: string): Promise<string>;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
     login(user: User): Promise<void>;

package/dist/auth/drivers/openid.js CHANGED Viewed

@@ -16,20 +16,19 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
+import { getSchema } from '../../utils/get-schema.js';
 import { getSecret } from '../../utils/get-secret.js';
-import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
+import { generateCallbackUrl } from '../utils/generate-callback-url.js';
+import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
-import { getSchema } from '../../utils/get-schema.js';
 export class OpenIDAuthDriver extends LocalAuthDriver {
     client;
-    redirectUrl;
     config;
     roleMap;
     constructor(options, config) {
         super(options, config);
-        const env = useEnv();
         const logger = useLogger();
         const { issuerUrl, clientId, clientSecret, clientPrivateKeys, clientTokenEndpointAuthMethod, provider, issuerDiscoveryMustSucceed, } = config;
         const isPrivateKeyJwtAuthMethod = clientTokenEndpointAuthMethod === 'private_key_jwt';
@@ -37,8 +36,6 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             logger.error('Invalid provider config');
             throw new InvalidProviderConfigError({ provider });
         }
-        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', provider, 'callback');
-        this.redirectUrl = redirectUrl.toString();
         this.config = config;
         this.roleMap = {};
         const roleMapping = this.config['roleMapping'];
@@ -98,7 +95,6 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         const client = new issuer.Client({
             client_id: clientId,
             ...(!isPrivateKeyJwtAuthMethod && { client_secret: clientSecret }),
-            redirect_uris: [this.redirectUrl],
             response_types: ['code'],
             ...clientOptionsOverrides,
         }, isPrivateKeyJwtAuthMethod ? { keys: clientPrivateKeys } : undefined);
@@ -116,7 +112,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
     generateCodeVerifier() {
         return generators.codeVerifier();
     }
-    async generateAuthUrl(codeVerifier, prompt = false) {
+    async generateAuthUrl(codeVerifier, prompt = false, callbackUrl) {
         const { plainCodeChallenge } = this.config;
         try {
             const client = await this.getClient();
@@ -132,6 +128,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
                 // Some providers require state even with PKCE
                 state: codeChallenge,
                 nonce: codeChallenge,
+                redirect_uri: callbackUrl,
             });
         }
         catch (e) {
@@ -160,7 +157,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             const codeChallenge = plainCodeChallenge
                 ? payload['codeVerifier']
                 : generators.codeChallenge(payload['codeVerifier']);
-            tokenSet = await client.callback(this.redirectUrl, { code: payload['code'], state: payload['state'], iss: payload['iss'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge, nonce: codeChallenge });
+            tokenSet = await client.callback(payload['callbackUrl'], { code: payload['code'], state: payload['state'], iss: payload['iss'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge, nonce: codeChallenge });
             userInfo = tokenSet.claims();
             if (client.issuer.metadata['userinfo_endpoint']) {
                 userInfo = {
@@ -329,10 +326,17 @@ export function createOpenIDAuthRouter(providerName) {
         const prompt = !!req.query['prompt'];
         const redirect = req.query['redirect'];
         const otp = req.query['otp'];
-        if (isLoginRedirectAllowed(redirect, providerName) === false) {
+        if (!isLoginRedirectAllowed(providerName, redirect)) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
+        const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
+        const token = jwt.sign({
+            verifier: codeVerifier,
+            redirect,
+            prompt,
+            otp,
+            callbackUrl,
+        }, getSecret(), {
             expiresIn: (env[`AUTH_${providerName.toUpperCase()}_LOGIN_TIMEOUT`] ?? '5m'),
             issuer: 'directus',
         });
@@ -341,7 +345,7 @@ export function createOpenIDAuthRouter(providerName) {
             sameSite: 'lax',
         });
         try {
-            return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt));
+            return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt, callbackUrl));
         }
         catch {
             return res.redirect(new Url(env['PUBLIC_URL'])
@@ -365,7 +369,7 @@ export function createOpenIDAuthRouter(providerName) {
             const url = new Url(env['PUBLIC_URL']).addPath('admin', 'login');
             return res.redirect(`${url.toString()}?reason=${ErrorCode.InvalidCredentials}`);
         }
-        const { verifier, prompt, otp } = tokenData;
+        const { verifier, prompt, otp, callbackUrl } = tokenData;
         let { redirect } = tokenData;
         const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
         const userAgent = req.get('user-agent')?.substring(0, 1024);
@@ -387,6 +391,7 @@ export function createOpenIDAuthRouter(providerName) {
                 codeVerifier: verifier,
                 state: req.query['state'],
                 iss: req.query['iss'],
+                callbackUrl,
             }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {

package/dist/auth/drivers/saml.js CHANGED Viewed

@@ -13,7 +13,7 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
+import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
 // Register the samlify schema validator
 samlify.setSchemaValidator(validator);
@@ -95,7 +95,7 @@ export function createSAMLAuthRouter(providerName) {
         const parsedUrl = new URL(url);
         if (req.query['redirect']) {
             const redirect = req.query['redirect'];
-            if (isLoginRedirectAllowed(redirect, providerName) === false) {
+            if (!isLoginRedirectAllowed(providerName, redirect)) {
                 throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
             }
             parsedUrl.searchParams.append('RelayState', redirect);
@@ -117,7 +117,7 @@ export function createSAMLAuthRouter(providerName) {
         const logger = useLogger();
         const relayState = req.body?.RelayState;
         const authMode = (env[`AUTH_${providerName.toUpperCase()}_MODE`] ?? 'session');
-        if (relayState && isLoginRedirectAllowed(relayState, providerName) === false) {
+        if (relayState && isLoginRedirectAllowed(providerName, relayState) === false) {
             throw new InvalidPayloadError({ reason: `URL "${relayState}" can't be used to redirect after login` });
         }
         try {

package/dist/auth/utils/generate-callback-url.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Dynamically generate the callback URL for OAuth2/OpenID SSO providers
+ *
+ * Uses AUTH_ALLOWED_PUBLIC_URLS to find an alternate PUBLIC_URL based on the origins protocol and host.
+ * Defaults to the PUBLIC_URL if no match is found.
+ *
+ * @param providerName SSO provider name
+ * @param requestOrigin Origin of the request (protocol + host)
+ * @returns Callback URL
+ */
+export declare function generateCallbackUrl(providerName: string, requestOrigin: string): string;

package/dist/auth/utils/generate-callback-url.js ADDED Viewed

@@ -0,0 +1,40 @@
+import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
+import { Url } from '../../utils/url.js';
+/**
+ * Find a matching public URL based on the request origins protocol and host
+ *
+ * @param requestOrigin - The origin of the request
+ * @param allowedPublicUrls - The allowed public URLs from AUTH_ALLOWED_PUBLIC_URLS
+ * @returns The matching public URL
+ */
+function findMatchingPublicUrl(requestOrigin, allowedPublicUrls) {
+    for (const allowedUrl of allowedPublicUrls) {
+        if (!URL.canParse(allowedUrl))
+            continue;
+        const { protocol, host } = new URL(allowedUrl);
+        const allowedUrlOrigin = `${protocol}//${host}`;
+        if (requestOrigin === allowedUrlOrigin) {
+            return allowedUrl;
+        }
+    }
+    return null;
+}
+/**
+ * Dynamically generate the callback URL for OAuth2/OpenID SSO providers
+ *
+ * Uses AUTH_ALLOWED_PUBLIC_URLS to find an alternate PUBLIC_URL based on the origins protocol and host.
+ * Defaults to the PUBLIC_URL if no match is found.
+ *
+ * @param providerName SSO provider name
+ * @param requestOrigin Origin of the request (protocol + host)
+ * @returns Callback URL
+ */
+export function generateCallbackUrl(providerName, requestOrigin) {
+    const env = useEnv();
+    const publicUrl = env['PUBLIC_URL'];
+    const allowedPublicUrls = env['AUTH_ALLOWED_PUBLIC_URLS'] ? toArray(env['AUTH_ALLOWED_PUBLIC_URLS']) : [];
+    const matchedUrl = findMatchingPublicUrl(requestOrigin, allowedPublicUrls);
+    // Use matched public URL or fallback to PUBLIC_URL for backward compatibility
+    return new Url(matchedUrl || publicUrl).addPath('auth', 'login', providerName, 'callback').toString();
+}

package/dist/auth/utils/is-login-redirect-allowed.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Checks if the defined redirect after successful SSO login is in the allow list
+ * @param provider SSO provider name
+ * @param redirect URL to redirect to after login
+ * @returns True if the redirect is allowed, false otherwise
+ */
+export declare function isLoginRedirectAllowed(provider: string, redirect: unknown): boolean;

package/dist/{utils → auth/utils}/is-login-redirect-allowed.js RENAMED Viewed

@@ -1,26 +1,28 @@
 import { useEnv } from '@directus/env';
 import { toArray } from '@directus/utils';
-import { useLogger } from '../logger/index.js';
-import isUrlAllowed from './is-url-allowed.js';
+import { useLogger } from '../../logger/index.js';
+import isUrlAllowed from '../../utils/is-url-allowed.js';
 /**
  * Checks if the defined redirect after successful SSO login is in the allow list
+ * @param provider SSO provider name
+ * @param redirect URL to redirect to after login
+ * @returns True if the redirect is allowed, false otherwise
  */
-export function isLoginRedirectAllowed(redirect, provider) {
+export function isLoginRedirectAllowed(provider, redirect) {
     if (!redirect)
         return true; // empty redirect
     if (typeof redirect !== 'string')
         return false; // invalid type
     const env = useEnv();
     const publicUrl = env['PUBLIC_URL'];
-    if (URL.canParse(redirect) === false) {
-        if (redirect.startsWith('//') === false) {
+    if (!URL.canParse(redirect)) {
+        if (!redirect.startsWith('//')) {
             // should be a relative path like `/admin/test`
             return true;
         }
         // domain without protocol `//example.com/test`
         return false;
     }
-    const { protocol: redirectProtocol, hostname: redirectDomain } = new URL(redirect);
     const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
     if (envKey in env) {
         if (isUrlAllowed(redirect, [...toArray(env[envKey]), publicUrl]))
@@ -30,7 +32,8 @@ export function isLoginRedirectAllowed(redirect, provider) {
         useLogger().error('Invalid PUBLIC_URL for login redirect');
         return false;
     }
-    // allow redirects to the defined PUBLIC_URL
-    const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);
-    return `${redirectProtocol}//${redirectDomain}` === `${publicProtocol}//${publicDomain}`;
+    const { protocol: redirectProtocol, host: redirectHost } = new URL(redirect);
+    const { protocol: publicProtocol, host: publicHost } = new URL(publicUrl);
+    // allow redirects to the defined PUBLIC_URL (protocol + host including port)
+    return `${redirectProtocol}//${redirectHost}` === `${publicProtocol}//${publicHost}`;
 }

package/dist/cache.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { createRequire } from 'node:module';
 import { useEnv } from '@directus/env';
 import Keyv, {} from 'keyv';
 import { useBus } from './bus/index.js';
@@ -5,11 +6,10 @@ import { useLogger } from './logger/index.js';
 import { clearCache as clearPermissionCache } from './permissions/cache.js';
 import { redisConfigAvailable } from './redis/index.js';
 import { compress, decompress } from './utils/compress.js';
+import { freezeSchema, unfreezeSchema } from './utils/freeze-schema.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getMilliseconds } from './utils/get-milliseconds.js';
 import { validateEnv } from './utils/validate-env.js';
-import { createRequire } from 'node:module';
-import { freezeSchema, unfreezeSchema } from './utils/freeze-schema.js';
 const logger = useLogger();
 const env = useEnv();
 const require = createRequire(import.meta.url);

package/dist/cli/commands/bootstrap/index.js CHANGED Viewed

@@ -1,12 +1,12 @@
 import { useEnv } from '@directus/env';
+import { email } from 'zod';
 import getDatabase, { hasDatabaseConnection, isInstalled, validateDatabaseConnection, } from '../../../database/index.js';
 import runMigrations from '../../../database/migrations/run.js';
 import installDatabase from '../../../database/seeds/run.js';
 import { useLogger } from '../../../logger/index.js';
 import { SettingsService } from '../../../services/settings.js';
-import { getSchema } from '../../../utils/get-schema.js';
 import { createAdmin } from '../../../utils/create-admin.js';
-import { email } from 'zod';
+import { getSchema } from '../../../utils/get-schema.js';
 export default async function bootstrap({ skipAdminInit }) {
     const logger = useLogger();
     logger.info('Initializing bootstrap...');

package/dist/cli/commands/database/install.js CHANGED Viewed

@@ -1,5 +1,5 @@
-import installSeeds from '../../../database/seeds/run.js';
 import getDatabase from '../../../database/index.js';
+import installSeeds from '../../../database/seeds/run.js';
 import { useLogger } from '../../../logger/index.js';
 export default async function start() {
     const database = getDatabase();