@ymys/directus-extension-sso 1.3.6

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Yusuf M (ymys)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,167 @@
+# Directus SSO - Directus Extension
+
+This extension allows you to use the web and mobile OAuth callback and logout endpoints directly through your Directus domain.
+
+## Installation
+
+1. **Build the extension:**
+   ```bash
+   cd extensions/endpoints/directus-extension-sso
+   npm install
+   npm run build
+   ```
+
+2. **The extension will be automatically loaded by Directus** when you restart it.
+
+## Endpoints
+
+Once installed, the following endpoints will be available on your Directus domain:
+
+- **Health Check:** `GET /sso/health`
+- **Mobile/Browser Callback (Keycloak):** `GET /sso/mobile-callback`
+- **Mobile/Browser Callback (Google):** `GET /sso/google-callback`
+- **Mobile Logout:** `POST /sso/mobile-logout`
+
+## Configuration
+
+The extension uses environment variables from your Directus configuration:
+
+# Add these to your Directus .env file
+KEYCLOAK_URL=http://keycloak:8080
+KEYCLOAK_REALM=testing
+KEYCLOAK_CLIENT_ID=admin-cli
+KEYCLOAK_ADMIN_USER=admin
+KEYCLOAK_ADMIN_PASSWORD=admin
+PUBLIC_URL=http://localhost:8055
+MOBILE_APP_SCHEME=portalpipq
+MOBILE_APP_CALLBACK_PATH=/auth/callback
+GOOGLE_CALLBACK_PATH=/auth/callback/google
+COOKIE_DOMAIN=.your-domain.com
+COOKIE_SECURE=true
+COOKIE_SAME_SITE=lax
+```
+
+### Security Note
+
+Ensure specific values like `KEYCLOAK_Admin_PASSWORD` are kept secure and not committed to version control. The extension now uses environment variables for all sensitive configuration.
+
+## Usage
+
+### Browser Authentication Flow
+
+The extension now supports **both browser and mobile app authentication** with automatic detection. After successful Keycloak login:
+
+- **Browser requests**: Session is saved with cookies, allowing SSO across multiple services
+- **Mobile app requests**: Access token is returned via deep link as before
+
+#### Browser Login Example:
+
+**For Keycloak:**
+```javascript
+// Simply navigate to the login URL
+window.location.href = 'http://your-directus-domain.com/auth/login/keycloak';
+
+// Or with a custom redirect after login
+window.location.href = 'http://your-directus-domain.com/auth/login/keycloak?redirect_uri=/dashboard';
+```
+
+**For Google:**
+```javascript
+// Simply navigate to the Google login URL
+window.location.href = 'http://your-directus-domain.com/auth/login/google';
+
+// Or with a custom redirect after login
+window.location.href = 'http://your-directus-domain.com/auth/login/google?redirect_uri=/dashboard';
+```
+
+After successful login, the user will see a success page and the session cookie will be saved. The user can then access other URLs using the same SSO without logging in again.
+
+#### Forcing Browser Mode:
+
+If auto-detection doesn't work correctly, you can force browser mode:
+
+```javascript
+window.location.href = 'http://your-directus-domain.com/auth/login/keycloak?type=browser';
+```
+
+#### Query Parameters:
+
+- `type`: Force `browser` or `mobile` mode (optional, auto-detected if not provided)
+- `redirect_uri` or `redirect`: URL to redirect to after successful login (optional, defaults to `/admin`)
+
+### Mobile App Authentication Flow
+
+Update your mobile app to use the new Directus domain URLs:
+
+### Before (separate proxy server):
+```javascript
+const PROXY_URL = 'http://your-proxy-domain.com:3000';
+const callbackUrl = `${PROXY_URL}/mobile-callback`;
+```
+
+### After (Directus extension):
+```javascript
+const DIRECTUS_URL = 'http://your-directus-domain.com';
+const callbackUrl = `${DIRECTUS_URL}/sso/mobile-callback`;
+```
+
+### Login Flow:
+```javascript
+import * as WebBrowser from 'expo-web-browser';
+
+const result = await WebBrowser.openAuthSessionAsync(
+  `${DIRECTUS_URL}/auth/login/keycloak`,
+  'myapp://auth/callback'
+);
+```
+
+### Logout:
+```javascript
+const response = await fetch(`${DIRECTUS_URL}/sso/mobile-logout`, {
+  method: 'POST',
+  headers: {
+    'Authorization': `Bearer ${accessToken}`,
+  },
+});
+```
+
+## Advantages Over Standalone Proxy
+
+1. **Single Domain:** No need to deploy a separate server
+2. **Unified Management:** Managed alongside your Directus instance
+3. **Same Environment:** Uses Directus environment variables and configuration
+4. **Built-in Logging:** Uses Directus logger for consistent logging
+5. **Easier Deployment:** Deployed automatically with Directus
+
+## Development
+
+To make changes and test locally:
+
+```bash
+cd extensions/endpoints/directus-extension-sso
+npm run dev
+```
+
+This will watch for changes and rebuild automatically.
+
+## Keycloak Client Configuration
+
+Update your Keycloak client's redirect URI to use the Directus domain:
+
+**Valid Redirect URIs:**
+```
+http://your-directus-domain.com/auth/login/keycloak/callback
+http://your-directus-domain.com/sso/mobile-callback
+myapp://auth/callback
+```
+
+**Web Origins:**
+```
+http://your-directus-domain.com
+```
+
+## Notes
+
+- The extension requires Directus 11.0.0 or higher
+- Make sure cookie-parser middleware is available (Directus includes this by default)
+- The extension has access to the same network as Directus, so internal service URLs (like `http://keycloak:8080`) will work if using Docker

package/dist/index.js

@@ -0,0 +1 @@
+var t={id:"sso",handler:(t,{env:e,logger:o})=>{const n=e.KEYCLOAK_URL||"http://keycloak:8080",r=e.KEYCLOAK_REALM||"testing",i=e.KEYCLOAK_ADMIN_USER||"admin",a=e.KEYCLOAK_ADMIN_PASSWORD||"admin",s=e.PUBLIC_URL||"http://localhost:8055",c=e.MOBILE_APP_SCHEME||"portalpipq",d=e.MOBILE_APP_CALLBACK_PATH||"/auth/callback",l=e.GOOGLE_CALLBACK_PATH||"/auth/callback/google",u=e.KEYCLOAK_CLIENT_ID||"admin-cli",g=e.COOKIE_DOMAIN||null,f="false"!==e.COOKIE_SECURE,h=e.COOKIE_SAME_SITE||"lax";o.info("🚀 Mobile Auth Proxy Extension loaded"),o.info("🔐 Keycloak URL: "+n),o.info("🌐 Keycloak Realm: "+r),o.info("📱 Mobile App Scheme: "+c+"://"+d),o.info("🔵 Google OAuth enabled"),t.get("/health",(t,e)=>{e.json({status:"ok",service:"directus-mobile-auth-proxy"})}),t.get("/mobile-callback",async(t,e)=>{o.info("📱 Mobile callback received"),o.info("Cookies: "+JSON.stringify(t.cookies)),o.info("Query: "+JSON.stringify(t.query));try{const n=t.cookies.directus_session_token;if(!n)return o.error("❌ No session token found in cookies"),e.send(`\n\t\t\t\t\t<html>\n\t\t\t\t\t\t<body>\n\t\t\t\t\t\t\t<h2>Authentication Failed</h2>\n\t\t\t\t\t\t\t<p>No session token found. Please try logging in again.</p>\n\t\t\t\t\t\t\t<a href="${s}/auth/login/keycloak">Try Again</a>\n\t\t\t\t\t\t</body>\n\t\t\t\t\t</html>\n\t\t\t\t`);o.info("✅ Session token found: "+n.substring(0,20)+"...");const r=await fetch(`${s}/users/me`,{headers:{Cookie:`directus_session_token=${n}`}});if(!r.ok)throw new Error("Failed to get user info: "+await r.text());const i=await r.json(),a=i.data.id,l=i.data.email;o.info("👤 User authenticated: "+a+", "+l);const u=n;if(o.info("🎫 Using session token as access token"),isBrowser){o.info("🌐 Browser request detected - maintaining session"),e.cookie("directus_session_token",n,{httpOnly:!0,secure:f,domain:g,sameSite:h,maxAge:6048e5,path:"/"});const r=t.query.redirect_uri||t.query.redirect||"/";return o.info("🔄 Redirecting browser to: "+r),e.redirect(r)}const p=new URL(`${c}://${d}`);p.searchParams.set("access_token",u),p.searchParams.set("user_id",a),p.searchParams.set("email",l||""),o.info("🔄 Redirecting to app: "+p.toString()),e.redirect(p.toString())}catch(t){o.error("❌ Error in callback:",t),e.status(500).send(`\n\t\t\t\t<html>\n\t\t\t\t\t<body>\n\t\t\t\t\t\t<h2>Error</h2>\n\t\t\t\t\t\t<p>${t.message}</p>\n\t\t\t\t\t\t<a href="${s}/auth/login/keycloak">Try Again</a>\n\t\t\t\t\t</body>\n\t\t\t\t</html>\n\t\t\t`)}}),t.get("/google-callback",async(t,e)=>{const n=function(t){if("browser"===t.query.type)return!0;if("mobile"===t.query.type)return!1;const e=t.headers["user-agent"]||"";return/Mozilla|Chrome|Safari|Firefox|Edge|Opera/i.test(e)&&!/Mobile.*App|ReactNative|Expo/i.test(e)}(t);o.info(`${n?"🌐":"📱"} ${n?"Browser":"Mobile"} Google callback received`),o.info("Cookies: "+JSON.stringify(t.cookies)),o.info("Query: "+JSON.stringify(t.query));try{const r=t.cookies.directus_session_token;if(!r)return o.error("❌ No session token found in cookies"),e.send("\n\t\t\t\t\t\t<html>\n\t\t\t\t\t\t\t<head>\n\t\t\t\t\t\t\t\t<title>Authentication Failed</title>\n\t\t\t\t\t\t\t\t<style>\n\t\t\t\t\t\t\t\t\tbody { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; \n\t\t\t\t\t\t\t\t\t       padding: 40px; text-align: center; background: #f5f5f5; }\n\t\t\t\t\t\t\t\t\t.container { max-width: 500px; margin: 0 auto; background: white; \n\t\t\t\t\t\t\t\t\t           padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }\n\t\t\t\t\t\t\t\t\th2 { color: #e74c3c; }\n\t\t\t\t\t\t\t\t\ta { display: inline-block; margin-top: 20px; padding: 10px 20px; \n\t\t\t\t\t\t\t\t\t    background: #4285f4; color: white; text-decoration: none; border-radius: 4px; }\n\t\t\t\t\t\t\t\t\ta:hover { background: #357ae8; }\n\t\t\t\t\t\t\t\t</style>\n\t\t\t\t\t\t\t</head>\n\t\t\t\t\t\t\t<body>\n\t\t\t\t\t\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<h2>Authentication Failed</h2>\n\t\t\t\t\t\t\t\t\t<p>No session token found. Please close this and try logging in again.</p>\n\t\t\t\t\t\t\t\t</div>\n\t\t\t\t\t\t\t</body>\n\t\t\t\t\t\t</html>\n\t\t\t\t\t");o.info("✅ Session token found: "+r.substring(0,20)+"...");const i=await fetch(`${s}/users/me`,{headers:{Cookie:`directus_session_token=${r}`}});if(!i.ok)throw new Error("Failed to get user info: "+await i.text());const a=await i.json(),d=a.data.id,u=a.data.email,p=a.data.first_name||a.data.email;o.info("👤 User authenticated via Google: "+d+", "+u);const m=r;if(o.info("🎫 Using session token as access token"),n){o.info("🌐 Browser request detected - maintaining session"),e.cookie("directus_session_token",r,{httpOnly:!0,secure:f,domain:g,sameSite:h,maxAge:6048e5,path:"/"});const n=t.query.redirect_uri||t.query.redirect||"/";return o.info("🔄 Redirecting browser to: "+n),e.send(`\n\t\t\t\t\t\t<html>\n\t\t\t\t\t\t\t<head>\n\t\t\t\t\t\t\t\t<title>Login Successful</title>\n\t\t\t\t\t\t\t\t<meta http-equiv="refresh" content="2;url=${n}">\n\t\t\t\t\t\t\t\t<style>\n\t\t\t\t\t\t\t\t\tbody { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; \n\t\t\t\t\t\t\t\t\t       padding: 40px; text-align: center; background: #f5f5f5; }\n\t\t\t\t\t\t\t\t\t.container { max-width: 500px; margin: 0 auto; background: white; \n\t\t\t\t\t\t\t\t\t           padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }\n\t\t\t\t\t\t\t\t\th2 { color: #27ae60; }\n\t\t\t\t\t\t\t\t\t.checkmark { font-size: 48px; color: #27ae60; margin-bottom: 20px; }\n\t\t\t\t\t\t\t\t\tp { color: #666; margin: 10px 0; }\n\t\t\t\t\t\t\t\t\t.spinner { border: 3px solid #f3f3f3; border-top: 3px solid #4285f4; \n\t\t\t\t\t\t\t\t\t          border-radius: 50%; width: 40px; height: 40px; \n\t\t\t\t\t\t\t\t\t          animation: spin 1s linear infinite; margin: 20px auto; }\n\t\t\t\t\t\t\t\t\t@keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } }\n\t\t\t\t\t\t\t\t\ta { color: #4285f4; text-decoration: none; }\n\t\t\t\t\t\t\t\t\ta:hover { text-decoration: underline; }\n\t\t\t\t\t\t\t\t\t.google-icon { color: #4285f4; margin-right: 5px; }\n\t\t\t\t\t\t\t\t</style>\n\t\t\t\t\t\t\t</head>\n\t\t\t\t\t\t\t<body>\n\t\t\t\t\t\t\t\t<div class="container">\n\t\t\t\t\t\t\t\t\t<div class="checkmark">✓</div>\n\t\t\t\t\t\t\t\t\t<h2><span class="google-icon">🔵</span>Google Login Successful!</h2>\n\t\t\t\t\t\t\t\t\t<p>Welcome, ${p}!</p>\n\t\t\t\t\t\t\t\t\t<p>Your session has been saved. You can now access other services using the same login.</p>\n\t\t\t\t\t\t\t\t\t<div class="spinner"></div>\n\t\t\t\t\t\t\t\t\t<p style="margin-top: 20px;">Redirecting you automatically...</p>\n\t\t\t\t\t\t\t\t\t<p style="font-size: 14px; margin-top: 20px;">\n\t\t\t\t\t\t\t\t\t\t<a href="${n}">Click here if not redirected automatically</a>\n\t\t\t\t\t\t\t\t\t</p>\n\t\t\t\t\t\t\t\t</div>\n\t\t\t\t\t\t\t</body>\n\t\t\t\t\t\t</html>\n\t\t\t\t\t`)}o.info("📱 Mobile app request - redirecting with token");const k=new URL(`${c}://${l}`);k.searchParams.set("access_token",m),k.searchParams.set("user_id",d),k.searchParams.set("email",u||""),k.searchParams.set("provider","google"),o.info("🔄 Redirecting to app (Google): "+k.toString()),e.redirect(k.toString())}catch(t){o.error("❌ Error in Google callback:",t),e.status(500).send(`\n\t\t\t\t\t<html>\n\t\t\t\t\t\t<head>\n\t\t\t\t\t\t\t<title>Error</title>\n\t\t\t\t\t\t\t<style>\n\t\t\t\t\t\t\t\tbody { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; \n\t\t\t\t\t\t\t\t       padding: 40px; text-align: center; background: #f5f5f5; }\n\t\t\t\t\t\t\t\t.container { max-width: 500px; margin: 0 auto; background: white; \n\t\t\t\t\t\t\t\t           padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }\n\t\t\t\t\t\t\t\th2 { color: #e74c3c; }\n\t\t\t\t\t\t\t\t.error-icon { font-size: 48px; color: #e74c3c; margin-bottom: 20px; }\n\t\t\t\t\t\t\t\tpre { background: #f8f8f8; padding: 15px; border-radius: 4px; \n\t\t\t\t\t\t\t\t      text-align: left; overflow-x: auto; font-size: 12px; }\n\t\t\t\t\t\t\t\ta { display: inline-block; margin-top: 20px; padding: 10px 20px; \n\t\t\t\t\t\t\t\t    background: #4285f4; color: white; text-decoration: none; border-radius: 4px; }\n\t\t\t\t\t\t\t\ta:hover { background: #357ae8; }\n\t\t\t\t\t\t\t</style>\n\t\t\t\t\t\t</head>\n\t\t\t\t\t\t<body>\n\t\t\t\t\t\t\t<div class="container">\n\t\t\t\t\t\t\t\t<div class="error-icon">⚠️</div>\n\t\t\t\t\t\t\t\t<h2>Error</h2>\n\t\t\t\t\t\t\t\t<p>An error occurred during Google authentication:</p>\n\t\t\t\t\t\t\t\t<pre>${t.message}</pre>\n\t\t\t\t\t\t\t\t<a href="${s}/auth/login/google">Try Again</a>\n\t\t\t\t\t\t\t</div>\n\t\t\t\t\t\t</body>\n\t\t\t\t\t</html>\n\t\t\t\t`)}}),t.post("/mobile-logout",async(t,e)=>{o.info("🚪 Logout request received");try{const c=t.headers.authorization,d=c?.replace("Bearer ","");if(!d)return e.status(400).json({error:"No token provided",message:"Authorization header with Bearer token is required"});o.info("🎫 Token received: "+d.substring(0,20)+"...");let l=null;try{const t=await fetch(`${s}/users/me`,{headers:{Authorization:`Bearer ${d}`}});if(t.ok){l=(await t.json()).data.email,o.info("👤 User email: "+l)}}catch(t){o.error("⚠️ Error getting user info: "+t.message)}try{const t=await fetch(`${s}/auth/logout`,{method:"POST",headers:{Authorization:`Bearer ${d}`,"Content-Type":"application/json"},body:JSON.stringify({refresh_token:d})});t.ok?o.info("✅ Directus session invalidated"):o.info("⚠️ Directus logout response: "+t.status)}catch(t){o.error("⚠️ Error logging out from Directus: "+t.message)}if(l)try{o.info("🔐 Getting Keycloak admin token...");const t=await async function(){try{const t=await fetch(`${n}/realms/master/protocol/openid-connect/token`,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"password",client_id:u,username:i,password:a}).toString()});if(!t.ok)throw new Error("Failed to get admin token");return(await t.json()).access_token}catch(t){return o.error("Error getting admin token:",t),null}}();if(t){o.info("🔍 Looking up Keycloak user...");const e=await async function(t,e){try{const o=await fetch(`${n}/admin/realms/${r}/users?email=${encodeURIComponent(e)}`,{headers:{Authorization:`Bearer ${t}`}});if(!o.ok)throw new Error("Failed to get user");const i=await o.json();return i.length>0?i[0].id:null}catch(t){return o.error("Error getting user ID:",t),null}}(t,l);if(e){o.info("🚪 Logging out from Keycloak...");const i=await async function(t,e){try{const o=await fetch(`${n}/admin/realms/${r}/users/${e}/logout`,{method:"POST",headers:{Authorization:`Bearer ${t}`}});return o.ok||204===o.status}catch(t){return o.error("Error logging out user from Keycloak:",t),!1}}(t,e);i?o.info("✅ Keycloak sessions terminated"):o.info("⚠️ Failed to logout from Keycloak")}else o.info("⚠️ User not found in Keycloak")}else o.info("⚠️ Failed to get Keycloak admin token")}catch(t){o.error("⚠️ Error logging out from Keycloak: "+t.message)}o.info("🎉 Logout completed"),e.json({success:!0,message:"Logged out successfully from Directus and Keycloak"})}catch(t){o.error("❌ Error in logout:",t),e.status(500).json({error:t.message,message:"Failed to logout"})}})}};export{t as default};

package/package.json

@@ -0,0 +1,53 @@
+{
+	"name": "@ymys/directus-extension-sso",
+	"description": "Mobile OAuth proxy endpoints for Directus + Keycloak + Google",
+	"icon": "smartphone",
+	"version": "1.3.6",
+	"keywords": [
+		"directus",
+		"directus-extension",
+		"directus-extension-endpoint",
+		"sso",
+		"keycloak",
+		"google",
+		"oauth",
+		"mobile",
+		"auth",
+		"proxy"
+	],
+	"author": "Yusuf M <ymys@users.noreply.github.com>",
+	"license": "MIT",
+	"homepage": "https://github.com/ymys/directus-sso#readme",
+	"bugs": {
+		"url": "https://github.com/ymys/directus-sso/issues"
+	},
+	"publishConfig": {
+		"access": "public"
+	},
+	"type": "module",
+	"files": [
+		"dist",
+		"package.json",
+		"README.md",
+		"LICENSE"
+	],
+	"directus:extension": {
+		"type": "endpoint",
+		"path": "dist/index.js",
+		"source": "src/index.js",
+		"host": "^11.0.0",
+		"id": "sso"
+	},
+	"scripts": {
+		"build": "directus-extension build",
+		"dev": "directus-extension build -w --no-minify",
+		"link": "directus-extension link"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/ymys/directus-sso.git"
+	},
+	"devDependencies": {
+		"@directus/extensions-sdk": "^12.0.2"
+	}
+}