@directus/api 33.0.0 → 33.1.0

package/dist/auth/drivers/ldap.js

@@ -2,7 +2,7 @@ import { useEnv } from '@directus/env';
 import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, isDirectusError, ServiceUnavailableError, UnexpectedResponseError, } from '@directus/errors';
 import { Router } from 'express';
 import Joi from 'joi';
-import ldap from 'ldapjs';
+import { Client, InappropriateAuthError, InsufficientAccessError, InvalidCredentialsError as LdapInvalidCredentialsError, } from 'ldapts';
 import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
@@ -34,127 +34,101 @@ export class LDAPAuthDriver extends AuthDriver {
             throw new InvalidProviderConfigError({ provider });
         }
         const clientConfig = typeof config['client'] === 'object' ? config['client'] : {};
-        this.bindClient = ldap.createClient({ url: clientUrl, reconnect: true, ...clientConfig });
-        this.bindClient.on('error', (err) => {
-            logger.warn(err);
+        this.bindClient = new Client({
+            url: clientUrl,
+            ...clientConfig,
         });
         this.config = config;
     }
     async validateBindClient() {
         const logger = useLogger();
         const { bindDn, bindPassword, provider } = this.config;
-        return new Promise((resolve, reject) => {
-            // Healthcheck bind user
-            this.bindClient.search(bindDn, {}, (err, res) => {
-                if (err) {
-                    reject(handleError(err));
-                    return;
-                }
-                res.on('searchEntry', () => {
-                    resolve();
-                });
-                res.on('error', () => {
-                    // Attempt to rebind on search error
-                    this.bindClient.bind(bindDn, bindPassword, (err) => {
-                        if (err) {
-                            const error = handleError(err);
-                            if (isDirectusError(error, ErrorCode.InvalidCredentials)) {
-                                logger.warn('Invalid bind user');
-                                reject(new InvalidProviderConfigError({ provider }));
-                            }
-                            else {
-                                reject(error);
-                            }
-                        }
-                        else {
-                            resolve();
-                        }
-                    });
-                });
-                res.on('end', (result) => {
-                    // Handle edge case where authenticated bind user cannot read their own DN
-                    // Status `0` is success
-                    if (result?.status !== 0) {
-                        logger.warn('[LDAP] Failed to find bind user record');
-                        reject(new UnexpectedResponseError());
-                    }
-                });
+        try {
+            // Attempt to bind with the configured credentials
+            await this.bindClient.bind(bindDn, bindPassword);
+            // Healthcheck: verify bind user can read their own DN
+            const { searchEntries } = await this.bindClient.search(bindDn, {
+                scope: 'base',
             });
-        });
+            if (searchEntries.length === 0) {
+                logger.warn('[LDAP] Failed to find bind user record');
+                throw new UnexpectedResponseError();
+            }
+        }
+        catch (err) {
+            const error = handleError(err);
+            if (isDirectusError(error, ErrorCode.InvalidCredentials)) {
+                logger.warn('Invalid bind user');
+                throw new InvalidProviderConfigError({ provider });
+            }
+            throw error;
+        }
     }
     async fetchUserInfo(baseDn, filter, scope) {
         let { firstNameAttribute, lastNameAttribute, mailAttribute } = this.config;
         firstNameAttribute ??= 'givenName';
         lastNameAttribute ??= 'sn';
         mailAttribute ??= 'mail';
-        return new Promise((resolve, reject) => {
-            // Search for the user in LDAP by filter
-            this.bindClient.search(baseDn, {
-                filter,
-                scope,
+        try {
+            const searchOptions = {
                 attributes: ['uid', firstNameAttribute, lastNameAttribute, mailAttribute, 'userAccountControl'],
-            }, (err, res) => {
-                if (err) {
-                    reject(handleError(err));
-                    return;
-                }
-                res.on('searchEntry', ({ object }) => {
-                    const user = {
-                        dn: object['dn'],
-                        userAccountControl: Number(getEntryValue(object['userAccountControl']) ?? 0),
-                    };
-                    const firstName = getEntryValue(object[firstNameAttribute]);
-                    if (firstName)
-                        user.firstName = firstName;
-                    const lastName = getEntryValue(object[lastNameAttribute]);
-                    if (lastName)
-                        user.lastName = lastName;
-                    const email = getEntryValue(object[mailAttribute]);
-                    if (email)
-                        user.email = email;
-                    const uid = getEntryValue(object['uid']);
-                    if (uid)
-                        user.uid = uid;
-                    resolve(user);
-                });
-                res.on('error', (err) => {
-                    reject(handleError(err));
-                });
-                res.on('end', () => {
-                    resolve(undefined);
-                });
-            });
-        });
+            };
+            if (filter !== undefined)
+                searchOptions.filter = filter;
+            if (scope !== undefined)
+                searchOptions.scope = scope;
+            const { searchEntries } = await this.bindClient.search(baseDn, searchOptions);
+            if (searchEntries.length === 0) {
+                return undefined;
+            }
+            const entry = searchEntries[0];
+            const user = {
+                dn: entry['dn'],
+                userAccountControl: Number(getEntryValue(entry['userAccountControl']) ?? 0),
+            };
+            const firstName = getEntryValue(entry[firstNameAttribute]);
+            if (firstName)
+                user.firstName = firstName;
+            const lastName = getEntryValue(entry[lastNameAttribute]);
+            if (lastName)
+                user.lastName = lastName;
+            const email = getEntryValue(entry[mailAttribute]);
+            if (email)
+                user.email = email;
+            const uid = getEntryValue(entry['uid']);
+            if (uid)
+                user.uid = uid;
+            return user;
+        }
+        catch (err) {
+            throw handleError(err);
+        }
     }
     async fetchUserGroups(baseDn, filter, scope) {
-        return new Promise((resolve, reject) => {
-            let userGroups = [];
-            // Search for the user info in LDAP by group attribute
-            this.bindClient.search(baseDn, {
-                filter,
-                scope,
+        try {
+            const searchOptions = {
                 attributes: ['cn'],
-            }, (err, res) => {
-                if (err) {
-                    reject(handleError(err));
-                    return;
+            };
+            if (filter !== undefined)
+                searchOptions.filter = filter;
+            if (scope !== undefined)
+                searchOptions.scope = scope;
+            const { searchEntries } = await this.bindClient.search(baseDn, searchOptions);
+            const userGroups = [];
+            for (const entry of searchEntries) {
+                const cn = entry['cn'];
+                if (Array.isArray(cn)) {
+                    userGroups.push(...cn.map((v) => String(v)));
                 }
-                res.on('searchEntry', ({ object }) => {
-                    if (typeof object['cn'] === 'object') {
-                        userGroups = [...userGroups, ...object['cn']];
-                    }
-                    else if (object['cn']) {
-                        userGroups.push(object['cn']);
-                    }
-                });
-                res.on('error', (err) => {
-                    reject(handleError(err));
-                });
-                res.on('end', () => {
-                    resolve(userGroups);
-                });
-            });
-        });
+                else if (cn) {
+                    userGroups.push(String(cn));
+                }
+            }
+            return userGroups;
+        }
+        catch (err) {
+            throw handleError(err);
+        }
     }
     async fetchUserId(userDn) {
         const user = await this.knex
@@ -171,19 +145,15 @@ export class LDAPAuthDriver extends AuthDriver {
         const logger = useLogger();
         await this.validateBindClient();
         const { userDn, userScope, userAttribute, groupDn, groupScope, groupAttribute, defaultRoleId, syncUserInfo } = this.config;
-        const userInfo = await this.fetchUserInfo(userDn, new ldap.EqualityFilter({
-            attribute: userAttribute ?? 'cn',
-            value: payload['identifier'],
-        }), userScope ?? 'one');
+        const userInfo = await this.fetchUserInfo(userDn, `(${validateLDAPAttribute(userAttribute ?? 'cn')}=${escapeFilterValue(payload['identifier'])})`, userScope ?? 'one');
         if (!userInfo?.dn) {
             throw new InvalidCredentialsError();
         }
         let userRole;
         if (groupDn) {
-            const userGroups = await this.fetchUserGroups(groupDn, new ldap.EqualityFilter({
-                attribute: groupAttribute ?? 'member',
-                value: groupAttribute?.toLowerCase() === 'memberuid' && userInfo.uid ? userInfo.uid : userInfo.dn,
-            }), groupScope ?? 'one');
+            const groupAttr = groupAttribute ?? 'member';
+            const memberValue = groupAttr.toLowerCase() === 'memberuid' && userInfo.uid ? userInfo.uid : userInfo.dn;
+            const userGroups = await this.fetchUserGroups(groupDn, `(${validateLDAPAttribute(groupAttr)}=${escapeFilterValue(memberValue)})`, groupScope ?? 'one');
             if (userGroups.length) {
                 userRole = await this.knex
                     .select('id')
@@ -253,51 +223,86 @@ export class LDAPAuthDriver extends AuthDriver {
         if (!user.external_identifier || !password) {
             throw new InvalidCredentialsError();
         }
-        return new Promise((resolve, reject) => {
-            const clientConfig = typeof this.config['client'] === 'object' ? this.config['client'] : {};
-            const client = ldap.createClient({
-                url: this.config['clientUrl'],
-                ...clientConfig,
-                reconnect: false,
-            });
-            client.on('error', (err) => {
-                reject(handleError(err));
-            });
-            client.bind(user.external_identifier, password, (err) => {
-                if (err) {
-                    reject(handleError(err));
-                }
-                else {
-                    resolve();
-                }
-                client.destroy();
-            });
+        const clientConfig = typeof this.config['client'] === 'object' ? this.config['client'] : {};
+        const client = new Client({
+            url: this.config['clientUrl'],
+            ...clientConfig,
         });
+        try {
+            await client.bind(user.external_identifier, password);
+        }
+        catch (err) {
+            throw handleError(err);
+        }
+        finally {
+            await client.unbind().catch(() => {
+                // Ignore unbind errors
+            });
+        }
     }
     async login(user, payload) {
         await this.verify(user, payload['password']);
     }
     async refresh(user) {
         await this.validateBindClient();
-        const userInfo = await this.fetchUserInfo(user.external_identifier);
+        // Use scope 'base' to search the specific DN entry
+        const userInfo = await this.fetchUserInfo(user.external_identifier, undefined, 'base');
         if (userInfo?.userAccountControl && userInfo.userAccountControl & INVALID_ACCOUNT_FLAGS) {
             throw new InvalidCredentialsError();
         }
     }
 }
 const handleError = (e) => {
-    if (e instanceof ldap.InappropriateAuthenticationError ||
-        e instanceof ldap.InvalidCredentialsError ||
-        e instanceof ldap.InsufficientAccessRightsError) {
+    if (e instanceof InappropriateAuthError ||
+        e instanceof LdapInvalidCredentialsError ||
+        e instanceof InsufficientAccessError) {
         return new InvalidCredentialsError();
     }
+    if (e instanceof Error) {
+        return new ServiceUnavailableError({
+            service: 'ldap',
+            reason: `Service returned unexpected error: ${e.message}`,
+        });
+    }
     return new ServiceUnavailableError({
         service: 'ldap',
-        reason: `Service returned unexpected error: ${e.message}`,
+        reason: 'Service returned unexpected error',
     });
 };
 const getEntryValue = (value) => {
-    return typeof value === 'object' ? value[0] : value;
+    if (value === undefined)
+        return undefined;
+    if (Buffer.isBuffer(value)) {
+        return value.toString();
+    }
+    if (Array.isArray(value)) {
+        const first = value[0];
+        if (Buffer.isBuffer(first)) {
+            return first.toString();
+        }
+        return first;
+    }
+    return value;
+};
+/**
+ * Escape special characters in LDAP filter values according to RFC 4515
+ */
+const escapeFilterValue = (value) => {
+    return value
+        .replace(/\\/g, '\\5c')
+        .replace(/\*/g, '\\2a')
+        .replace(/\(/g, '\\28')
+        .replace(/\)/g, '\\29')
+        .replace(/\0/g, '\\00');
+};
+/**
+ * Validate LDAP attribute name according to RFC 4512
+ */
+const validateLDAPAttribute = (name) => {
+    if (/^[a-zA-Z][a-zA-Z0-9-]*$/.test(name) === false) {
+        throw new Error(`Invalid LDAP attribute name: "${name}"`);
+    }
+    return name;
 };
 export function createLDAPAuthRouter(provider) {
     const router = Router();

package/dist/cache.d.ts

@@ -3,6 +3,7 @@ import Keyv from 'keyv';
 export declare function getCache(): {
     cache: Keyv | null;
     systemCache: Keyv;
+    deploymentCache: Keyv;
     localSchemaCache: Keyv;
     lockCache: Keyv;
 };
@@ -17,3 +18,14 @@ export declare function setMemorySchemaCache(schema: SchemaOverview): void;
 export declare function getMemorySchemaCache(): Readonly<SchemaOverview> | undefined;
 export declare function setCacheValue(cache: Keyv, key: string, value: Record<string, any> | Record<string, any>[], ttl?: number): Promise<void>;
 export declare function getCacheValue(cache: Keyv, key: string): Promise<any>;
+/**
+ * Store a value in cache with its expiration timestamp for TTL tracking
+ */
+export declare function setCacheValueWithExpiry(cache: Keyv, key: string, value: Record<string, any> | Record<string, any>[], ttl: number): Promise<void>;
+/**
+ * Get a cached value along with its remaining TTL
+ */
+export declare function getCacheValueWithTTL(cache: Keyv, key: string): Promise<{
+    data: any;
+    remainingTTL: number;
+} | undefined>;

package/dist/cache.js

@@ -15,6 +15,7 @@ const env = useEnv();
 const require = createRequire(import.meta.url);
 let cache = null;
 let systemCache = null;
+let deploymentCache = null;
 let lockCache = null;
 let messengerSubscribed = false;
 let localSchemaCache = null;
@@ -40,6 +41,11 @@ export function getCache() {
         systemCache = getKeyvInstance(env['CACHE_STORE'], getMilliseconds(env['CACHE_SYSTEM_TTL']), '_system');
         systemCache.on('error', (err) => logger.warn(err, `[system-cache] ${err}`));
     }
+    if (deploymentCache === null) {
+        const ttl = getMilliseconds(env['CACHE_DEPLOYMENT_TTL']) || 5000; // Default 5s
+        deploymentCache = getKeyvInstance(env['CACHE_STORE'], ttl, '_deployment');
+        deploymentCache.on('error', (err) => logger.warn(err, `[deployment-cache] ${err}`));
+    }
     if (localSchemaCache === null) {
         localSchemaCache = getKeyvInstance('memory', getMilliseconds(env['CACHE_SYSTEM_TTL']), '_schema');
         localSchemaCache.on('error', (err) => logger.warn(err, `[schema-cache] ${err}`));
@@ -48,7 +54,7 @@ export function getCache() {
         lockCache = getKeyvInstance(env['CACHE_STORE'], undefined, '_lock');
         lockCache.on('error', (err) => logger.warn(err, `[lock-cache] ${err}`));
     }
-    return { cache, systemCache, localSchemaCache, lockCache };
+    return { cache, systemCache, deploymentCache, localSchemaCache, lockCache };
 }
 export async function flushCaches(forced) {
     const { cache } = getCache();
@@ -107,6 +113,24 @@ export async function getCacheValue(cache, key) {
     const decompressed = await decompress(value);
     return decompressed;
 }
+/**
+ * Store a value in cache with its expiration timestamp for TTL tracking
+ */
+export async function setCacheValueWithExpiry(cache, key, value, ttl) {
+    await setCacheValue(cache, key, value, ttl);
+    await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + ttl }, ttl);
+}
+/**
+ * Get a cached value along with its remaining TTL
+ */
+export async function getCacheValueWithTTL(cache, key) {
+    const value = await getCacheValue(cache, key);
+    if (!value)
+        return undefined;
+    const expiryData = await getCacheValue(cache, `${key}__expires_at`);
+    const remainingTTL = expiryData?.exp ? Math.max(0, expiryData.exp - Date.now()) : 0;
+    return { data: value, remainingTTL };
+}
 function getKeyvInstance(store, ttl, namespaceSuffix) {
     switch (store) {
         case 'redis':

package/dist/cli/utils/create-env/env-stub.liquid

@@ -148,6 +148,9 @@ CACHE_ENABLED=false
 # How long the cache is persisted ["5m"]
 # CACHE_TTL="30m"
 
+# How long deployment provider data is cached ["5s"]
+# CACHE_DEPLOYMENT_TTL="5s"
+
 # How to scope the cache data ["system-cache"]
 # CACHE_NAMESPACE="system-cache"
 

package/dist/controllers/deployment.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;