directus 9.0.0-rc.98 → 9.1.0

package/dist/app.js

@@ -40,6 +40,7 @@ const graphql_1 = __importDefault(require("./controllers/graphql"));
 const items_1 = __importDefault(require("./controllers/items"));
 const not_found_1 = __importDefault(require("./controllers/not-found"));
 const panels_1 = __importDefault(require("./controllers/panels"));
+const notifications_1 = __importDefault(require("./controllers/notifications"));
 const permissions_1 = __importDefault(require("./controllers/permissions"));
 const presets_1 = __importDefault(require("./controllers/presets"));
 const relations_1 = __importDefault(require("./controllers/relations"));
@@ -51,12 +52,13 @@ const users_1 = __importDefault(require("./controllers/users"));
 const utils_1 = __importDefault(require("./controllers/utils"));
 const webhooks_1 = __importDefault(require("./controllers/webhooks"));
 const database_1 = require("./database");
-const emitter_1 = require("./emitter");
+const emitter_1 = __importDefault(require("./emitter"));
 const env_1 = __importDefault(require("./env"));
 const exceptions_1 = require("./exceptions");
 const extensions_2 = require("./extensions");
 const logger_1 = __importStar(require("./logger"));
 const authenticate_1 = __importDefault(require("./middleware/authenticate"));
+const get_permissions_1 = __importDefault(require("./middleware/get-permissions"));
 const cache_1 = __importDefault(require("./middleware/cache"));
 const check_ip_1 = require("./middleware/check-ip");
 const cors_1 = __importDefault(require("./middleware/cors"));
@@ -69,8 +71,8 @@ const track_1 = require("./utils/track");
 const validate_env_1 = require("./utils/validate-env");
 const validate_storage_1 = require("./utils/validate-storage");
 const webhooks_2 = require("./webhooks");
-const session_1 = require("./middleware/session");
 const cache_2 = require("./cache");
+const auth_2 = require("./auth");
 const url_1 = require("./utils/url");
 async function createApp() {
     (0, validate_env_1.validateEnv)(['KEY', 'SECRET']);
@@ -88,14 +90,15 @@ async function createApp() {
         logger_1.default.warn(`Database migrations have not all been run`);
     }
     await (0, cache_2.flushCaches)();
+    await (0, auth_2.registerAuthProviders)();
     const extensionManager = (0, extensions_2.getExtensionManager)();
     await extensionManager.initialize();
     const app = (0, express_1.default)();
     app.disable('x-powered-by');
     app.set('trust proxy', true);
     app.set('query parser', (str) => qs_1.default.parse(str, { depth: 10 }));
-    await (0, emitter_1.emitAsyncSafe)('init.before', { app });
-    await (0, emitter_1.emitAsyncSafe)('middlewares.init.before', { app });
+    await emitter_1.default.emitInit('app.before', { app });
+    await emitter_1.default.emitInit('middlewares.before', { app });
     app.use(logger_1.expressLogger);
     app.use((req, res, next) => {
         express_1.default.json({
@@ -125,30 +128,31 @@ async function createApp() {
         }
     });
     if (env_1.default.SERVE_APP) {
-        const adminPath = require.resolve('@directus/app/dist/index.html');
+        const adminPath = require.resolve('@directus/app');
         const adminUrl = new url_1.Url(env_1.default.PUBLIC_URL).addPath('admin');
         // Set the App's base path according to the APIs public URL
-        let html = fs_extra_1.default.readFileSync(adminPath, 'utf-8');
-        html = html.replace(/<meta charset="utf-8" \/>/, `<meta charset="utf-8" />\n\t\t<base href="${adminUrl.toString({ rootRelative: true })}/">`);
-        app.get('/admin', (req, res) => res.send(html));
+        const html = await fs_extra_1.default.readFile(adminPath, 'utf8');
+        const htmlWithBase = html.replace(/<base \/>/, `<base href="${adminUrl.toString({ rootRelative: true })}/" />`);
+        const noCacheIndexHtmlHandler = (req, res) => {
+            res.setHeader('Cache-Control', 'no-cache');
+            res.send(htmlWithBase);
+        };
+        app.get('/admin', noCacheIndexHtmlHandler);
         app.use('/admin', express_1.default.static(path_1.default.join(adminPath, '..')));
-        app.use('/admin/*', (req, res) => {
-            res.send(html);
-        });
+        app.use('/admin/*', noCacheIndexHtmlHandler);
     }
     // use the rate limiter - all routes for now
     if (env_1.default.RATE_LIMITER_ENABLED === true) {
         app.use(rate_limiter_1.default);
     }
-    // We only rely on cookie-sessions in the oAuth flow where it's required
-    app.use(session_1.session);
     app.use(authenticate_1.default);
     app.use(check_ip_1.checkIP);
     app.use(sanitize_query_1.default);
-    await (0, emitter_1.emitAsyncSafe)('middlewares.init.after', { app });
-    await (0, emitter_1.emitAsyncSafe)('routes.init.before', { app });
     app.use(cache_1.default);
     app.use(schema_1.default);
+    app.use(get_permissions_1.default);
+    await emitter_1.default.emitInit('middlewares.after', { app });
+    await emitter_1.default.emitInit('routes.before', { app });
     app.use('/auth', auth_1.default);
     app.use('/graphql', graphql_1.default);
     app.use('/activity', activity_1.default);
@@ -160,6 +164,7 @@ async function createApp() {
     app.use('/files', files_1.default);
     app.use('/folders', folders_1.default);
     app.use('/items', items_1.default);
+    app.use('/notifications', notifications_1.default);
     app.use('/panels', panels_1.default);
     app.use('/permissions', permissions_1.default);
     app.use('/presets', presets_1.default);
@@ -171,16 +176,17 @@ async function createApp() {
     app.use('/users', users_1.default);
     app.use('/utils', utils_1.default);
     app.use('/webhooks', webhooks_1.default);
-    await (0, emitter_1.emitAsyncSafe)('routes.custom.init.before', { app });
+    // Register custom endpoints
+    await emitter_1.default.emitInit('routes.custom.before', { app });
     app.use(extensionManager.getEndpointRouter());
-    await (0, emitter_1.emitAsyncSafe)('routes.custom.init.after', { app });
+    await emitter_1.default.emitInit('routes.custom.after', { app });
     app.use(not_found_1.default);
     app.use(error_handler_1.default);
-    await (0, emitter_1.emitAsyncSafe)('routes.init.after', { app });
+    await emitter_1.default.emitInit('routes.after', { app });
     // Register all webhooks
     await (0, webhooks_2.register)();
     (0, track_1.track)('serverStarted');
-    (0, emitter_1.emitAsyncSafe)('init');
+    await emitter_1.default.emitInit('app.after', { app });
     return app;
 }
 exports.default = createApp;

package/dist/auth/auth.d.ts

@@ -1,8 +1,9 @@
 import { Knex } from 'knex';
-import { User, SessionData } from '../types';
+import { AuthDriverOptions, SchemaOverview, User, SessionData } from '../types';
 export declare abstract class AuthDriver {
     knex: Knex;
-    constructor(knex: Knex, _config: Record<string, any>);
+    schema: SchemaOverview;
+    constructor(options: AuthDriverOptions, _config: Record<string, any>);
     /**
      * Get user id for a given provider payload
      *
@@ -35,7 +36,7 @@ export declare abstract class AuthDriver {
      * @param _sessionData Session data
      * @throws InvalidCredentialsException
      */
-    refresh(_user: User, _sessionData: SessionData): Promise<void>;
+    refresh(_user: User, sessionData: SessionData): Promise<SessionData>;
     /**
      * Handle user session termination
      *

package/dist/auth/auth.js

@@ -2,8 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthDriver = void 0;
 class AuthDriver {
-    constructor(knex, _config) {
-        this.knex = knex;
+    constructor(options, _config) {
+        this.knex = options.knex;
+        this.schema = options.schema;
     }
     /**
      * Check with the (external) provider if the user is allowed entry to Directus
@@ -24,8 +25,9 @@ class AuthDriver {
      * @param _sessionData Session data
      * @throws InvalidCredentialsException
      */
-    async refresh(_user, _sessionData) {
+    async refresh(_user, sessionData) {
         /* Optional */
+        return sessionData;
     }
     /**
      * Handle user session termination

package/dist/auth/drivers/index.d.ts

@@ -1 +1,4 @@
 export * from './local';
+export * from './oauth2';
+export * from './openid';
+export * from './ldap';

package/dist/auth/drivers/index.js

@@ -11,3 +11,6 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./local"), exports);
+__exportStar(require("./oauth2"), exports);
+__exportStar(require("./openid"), exports);
+__exportStar(require("./ldap"), exports);

package/dist/auth/drivers/ldap.d.ts

@@ -0,0 +1,21 @@
+import { Router } from 'express';
+import { Client } from 'ldapjs';
+import { AuthDriver } from '../auth';
+import { AuthDriverOptions, User, SessionData } from '../../types';
+import { UsersService } from '../../services';
+export declare class LDAPAuthDriver extends AuthDriver {
+    bindClient: Client;
+    usersService: UsersService;
+    config: Record<string, any>;
+    constructor(options: AuthDriverOptions, config: Record<string, any>);
+    private validateBindClient;
+    private fetchUserDn;
+    private fetchUserInfo;
+    private fetchUserGroups;
+    private fetchUserId;
+    getUserID(payload: Record<string, any>): Promise<string>;
+    verify(user: User, password?: string): Promise<void>;
+    login(user: User, payload: Record<string, any>): Promise<SessionData>;
+    refresh(user: User): Promise<SessionData>;
+}
+export declare function createLDAPAuthRouter(provider: string): Router;

package/dist/auth/drivers/ldap.js

@@ -0,0 +1,322 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createLDAPAuthRouter = exports.LDAPAuthDriver = void 0;
+const express_1 = require("express");
+const ldapjs_1 = __importStar(require("ldapjs"));
+const ms_1 = __importDefault(require("ms"));
+const joi_1 = __importDefault(require("joi"));
+const auth_1 = require("../auth");
+const exceptions_1 = require("../../exceptions");
+const services_1 = require("../../services");
+const async_handler_1 = __importDefault(require("../../utils/async-handler"));
+const env_1 = __importDefault(require("../../env"));
+const respond_1 = require("../../middleware/respond");
+const logger_1 = __importDefault(require("../../logger"));
+// 0x2: ACCOUNTDISABLE
+// 0x10: LOCKOUT
+// 0x800000: PASSWORD_EXPIRED
+const INVALID_ACCOUNT_FLAGS = 0x800012;
+class LDAPAuthDriver extends auth_1.AuthDriver {
+    constructor(options, config) {
+        var _a;
+        super(options, config);
+        const { bindDn, bindPassword, userDn, provider, clientUrl } = config;
+        if (!bindDn || !bindPassword || !userDn || !provider || (!clientUrl && !((_a = config.client) === null || _a === void 0 ? void 0 : _a.socketPath))) {
+            throw new exceptions_1.InvalidConfigException('Invalid provider config', { provider });
+        }
+        const clientConfig = typeof config.client === 'object' ? config.client : {};
+        this.bindClient = ldapjs_1.default.createClient({ url: clientUrl, reconnect: true, ...clientConfig });
+        this.bindClient.on('error', (err) => {
+            logger_1.default.warn(err);
+        });
+        this.usersService = new services_1.UsersService({ knex: this.knex, schema: this.schema });
+        this.config = config;
+    }
+    async validateBindClient() {
+        const { bindDn, bindPassword, provider } = this.config;
+        return new Promise((resolve, reject) => {
+            // Healthcheck bind user
+            this.bindClient.search(bindDn, {}, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', () => {
+                    resolve();
+                });
+                res.on('error', (err) => {
+                    if (!(err instanceof ldapjs_1.OperationsError)) {
+                        reject(handleError(err));
+                        return;
+                    }
+                    // Rebind on OperationsError
+                    this.bindClient.bind(bindDn, bindPassword, (err) => {
+                        if (err) {
+                            const error = handleError(err);
+                            if (error instanceof exceptions_1.InvalidCredentialsException) {
+                                reject(new exceptions_1.InvalidConfigException('Invalid bind user', { provider }));
+                            }
+                            else {
+                                reject(error);
+                            }
+                        }
+                        else {
+                            resolve();
+                        }
+                    });
+                });
+            });
+        });
+    }
+    async fetchUserDn(identifier) {
+        const { userDn, userAttribute, userScope } = this.config;
+        return new Promise((resolve, reject) => {
+            // Search for the user in LDAP by attribute
+            this.bindClient.search(userDn, { filter: `(${userAttribute !== null && userAttribute !== void 0 ? userAttribute : 'cn'}=${identifier})`, scope: userScope !== null && userScope !== void 0 ? userScope : 'one' }, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', ({ object }) => {
+                    resolve(object.dn.toLowerCase());
+                });
+                res.on('error', (err) => {
+                    reject(handleError(err));
+                });
+                res.on('end', () => {
+                    resolve(undefined);
+                });
+            });
+        });
+    }
+    async fetchUserInfo(userDn) {
+        const { mailAttribute } = this.config;
+        return new Promise((resolve, reject) => {
+            // Fetch user info in LDAP by domain component
+            this.bindClient.search(userDn, { attributes: ['givenName', 'sn', mailAttribute !== null && mailAttribute !== void 0 ? mailAttribute : 'mail', 'userAccountControl'] }, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', ({ object }) => {
+                    const email = object[mailAttribute !== null && mailAttribute !== void 0 ? mailAttribute : 'mail'];
+                    const user = {
+                        firstName: typeof object.givenName === 'object' ? object.givenName[0] : object.givenName,
+                        lastName: typeof object.sn === 'object' ? object.sn[0] : object.sn,
+                        email: typeof email === 'object' ? email[0] : email,
+                        userAccountControl: typeof object.userAccountControl === 'object'
+                            ? Number(object.userAccountControl[0])
+                            : Number(object.userAccountControl),
+                    };
+                    resolve(user);
+                });
+                res.on('error', (err) => {
+                    reject(handleError(err));
+                });
+                res.on('end', () => {
+                    resolve(undefined);
+                });
+            });
+        });
+    }
+    async fetchUserGroups(userDn) {
+        const { groupDn, groupAttribute, groupScope } = this.config;
+        if (!groupDn) {
+            return Promise.resolve([]);
+        }
+        return new Promise((resolve, reject) => {
+            let userGroups = [];
+            // Search for the user info in LDAP by group attribute
+            this.bindClient.search(groupDn, {
+                attributes: ['cn'],
+                filter: `(${groupAttribute !== null && groupAttribute !== void 0 ? groupAttribute : 'member'}=${userDn})`,
+                scope: groupScope !== null && groupScope !== void 0 ? groupScope : 'one',
+            }, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', ({ object }) => {
+                    if (typeof object.cn === 'object') {
+                        userGroups = [...userGroups, ...object.cn];
+                    }
+                    else if (object.cn) {
+                        userGroups.push(object.cn);
+                    }
+                });
+                res.on('error', (err) => {
+                    reject(handleError(err));
+                });
+                res.on('end', () => {
+                    resolve(userGroups);
+                });
+            });
+        });
+    }
+    async fetchUserId(userDn) {
+        const user = await this.knex
+            .select('id')
+            .from('directus_users')
+            .orWhereRaw('LOWER(??) = ?', ['external_identifier', userDn.toLowerCase()])
+            .first();
+        return user === null || user === void 0 ? void 0 : user.id;
+    }
+    async getUserID(payload) {
+        var _a;
+        if (!payload.identifier) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        await this.validateBindClient();
+        const userDn = await this.fetchUserDn(payload.identifier);
+        if (!userDn) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        const userId = await this.fetchUserId(userDn);
+        const userGroups = await this.fetchUserGroups(userDn);
+        let userRole;
+        if (userGroups.length) {
+            userRole = await this.knex
+                .select('id')
+                .from('directus_roles')
+                .whereRaw(`LOWER(??) IN (${userGroups.map(() => '?')})`, [
+                'name',
+                ...userGroups.map((group) => group.toLowerCase()),
+            ])
+                .first();
+        }
+        if (userId) {
+            await this.usersService.updateOne(userId, { role: (_a = userRole === null || userRole === void 0 ? void 0 : userRole.id) !== null && _a !== void 0 ? _a : null });
+            return userId;
+        }
+        const userInfo = await this.fetchUserInfo(userDn);
+        if (!userInfo) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        await this.usersService.createOne({
+            provider: this.config.provider,
+            first_name: userInfo.firstName,
+            last_name: userInfo.lastName,
+            email: userInfo.email,
+            external_identifier: userDn,
+            role: userRole === null || userRole === void 0 ? void 0 : userRole.id,
+        });
+        return (await this.fetchUserId(userDn));
+    }
+    async verify(user, password) {
+        if (!user.external_identifier || !password) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        return new Promise((resolve, reject) => {
+            const clientConfig = typeof this.config.client === 'object' ? this.config.client : {};
+            const client = ldapjs_1.default.createClient({
+                url: this.config.clientUrl,
+                ...clientConfig,
+                reconnect: false,
+            });
+            client.on('error', (err) => {
+                reject(handleError(err));
+            });
+            client.bind(user.external_identifier, password, (err) => {
+                if (err) {
+                    reject(handleError(err));
+                }
+                else {
+                    resolve();
+                }
+                client.destroy();
+            });
+        });
+    }
+    async login(user, payload) {
+        await this.verify(user, payload.password);
+        return null;
+    }
+    async refresh(user) {
+        await this.validateBindClient();
+        const userInfo = await this.fetchUserInfo(user.external_identifier);
+        if ((userInfo === null || userInfo === void 0 ? void 0 : userInfo.userAccountControl) && userInfo.userAccountControl & INVALID_ACCOUNT_FLAGS) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        return null;
+    }
+}
+exports.LDAPAuthDriver = LDAPAuthDriver;
+const handleError = (e) => {
+    if (e instanceof ldapjs_1.InappropriateAuthenticationError ||
+        e instanceof ldapjs_1.InvalidCredentialsError ||
+        e instanceof ldapjs_1.InsufficientAccessRightsError) {
+        return new exceptions_1.InvalidCredentialsException();
+    }
+    return new exceptions_1.ServiceUnavailableException('Service returned unexpected error', {
+        service: 'ldap',
+        message: e.message,
+    });
+};
+function createLDAPAuthRouter(provider) {
+    const router = (0, express_1.Router)();
+    const loginSchema = joi_1.default.object({
+        identifier: joi_1.default.string().required(),
+        password: joi_1.default.string().required(),
+        mode: joi_1.default.string().valid('cookie', 'json'),
+        otp: joi_1.default.string(),
+    }).unknown();
+    router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
+        var _a, _b;
+        const accountability = {
+            ip: req.ip,
+            userAgent: req.get('user-agent'),
+            role: null,
+        };
+        const authenticationService = new services_1.AuthenticationService({
+            accountability: accountability,
+            schema: req.schema,
+        });
+        const { error } = loginSchema.validate(req.body);
+        if (error) {
+            throw new exceptions_1.InvalidPayloadException(error.message);
+        }
+        const mode = req.body.mode || 'json';
+        const { accessToken, refreshToken, expires } = await authenticationService.login(provider, req.body, (_a = req.body) === null || _a === void 0 ? void 0 : _a.otp);
+        const payload = {
+            data: { access_token: accessToken, expires },
+        };
+        if (mode === 'json') {
+            payload.data.refresh_token = refreshToken;
+        }
+        if (mode === 'cookie') {
+            res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, {
+                httpOnly: true,
+                domain: env_1.default.REFRESH_TOKEN_COOKIE_DOMAIN,
+                maxAge: (0, ms_1.default)(env_1.default.REFRESH_TOKEN_TTL),
+                secure: (_b = env_1.default.REFRESH_TOKEN_COOKIE_SECURE) !== null && _b !== void 0 ? _b : false,
+                sameSite: env_1.default.REFRESH_TOKEN_COOKIE_SAME_SITE || 'strict',
+            });
+        }
+        res.locals.payload = payload;
+        return next();
+    }), respond_1.respond);
+    return router;
+}
+exports.createLDAPAuthRouter = createLDAPAuthRouter;

package/dist/auth/drivers/local.d.ts

@@ -1,15 +1,9 @@
-import { AuthDriver } from '../auth';
-import { User } from '../../types';
 import { Router } from 'express';
+import { AuthDriver } from '../auth';
+import { User, SessionData } from '../../types';
 export declare class LocalAuthDriver extends AuthDriver {
-    /**
-     * Get user id by email
-     */
     getUserID(payload: Record<string, any>): Promise<string>;
-    /**
-     * Verify user password
-     */
     verify(user: User, password?: string): Promise<void>;
-    login(user: User, payload: Record<string, any>): Promise<null>;
+    login(user: User, payload: Record<string, any>): Promise<SessionData>;
 }
 export declare function createLocalAuthRouter(provider: string): Router;

package/dist/auth/drivers/local.js

@@ -4,20 +4,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createLocalAuthRouter = exports.LocalAuthDriver = void 0;
+const express_1 = require("express");
 const argon2_1 = __importDefault(require("argon2"));
+const ms_1 = __importDefault(require("ms"));
+const joi_1 = __importDefault(require("joi"));
 const auth_1 = require("../auth");
 const exceptions_1 = require("../../exceptions");
 const services_1 = require("../../services");
-const express_1 = require("express");
-const joi_1 = __importDefault(require("joi"));
 const async_handler_1 = __importDefault(require("../../utils/async-handler"));
 const env_1 = __importDefault(require("../../env"));
-const ms_1 = __importDefault(require("ms"));
 const respond_1 = require("../../middleware/respond");
 class LocalAuthDriver extends auth_1.AuthDriver {
-    /**
-     * Get user id by email
-     */
     async getUserID(payload) {
         if (!payload.email) {
             throw new exceptions_1.InvalidCredentialsException();
@@ -32,18 +29,13 @@ class LocalAuthDriver extends auth_1.AuthDriver {
         }
         return user.id;
     }
-    /**
-     * Verify user password
-     */
     async verify(user, password) {
         if (!user.password || !(await argon2_1.default.verify(user.password, password))) {
             throw new exceptions_1.InvalidCredentialsException();
         }
     }
     async login(user, payload) {
-        if (payload.password) {
-            await this.verify(user, payload.password);
-        }
+        await this.verify(user, payload.password);
         return null;
     }
 }

package/dist/auth/drivers/oauth2.d.ts

@@ -0,0 +1,19 @@
+import { Router } from 'express';
+import { Client } from 'openid-client';
+import { LocalAuthDriver } from './local';
+import { UsersService } from '../../services';
+import { AuthDriverOptions, User, SessionData } from '../../types';
+export declare class OAuth2AuthDriver extends LocalAuthDriver {
+    client: Client;
+    redirectUrl: string;
+    usersService: UsersService;
+    config: Record<string, any>;
+    constructor(options: AuthDriverOptions, config: Record<string, any>);
+    generateCodeVerifier(): string;
+    generateAuthUrl(codeVerifier: string): string;
+    private fetchUserId;
+    getUserID(payload: Record<string, any>): Promise<string>;
+    login(user: User): Promise<SessionData>;
+    refresh(user: User, sessionData: SessionData): Promise<SessionData>;
+}
+export declare function createOAuth2AuthRouter(providerName: string): Router;