npm - directus - Versions diffs - 9.0.0-rc.98 → 9.1.0 - Mend

directus 9.0.0-rc.98 → 9.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (147) hide show

package/dist/app.js +25 -19
package/dist/auth/auth.d.ts +4 -3
package/dist/auth/auth.js +5 -3
package/dist/auth/drivers/index.d.ts +3 -0
package/dist/auth/drivers/index.js +3 -0
package/dist/auth/drivers/ldap.d.ts +21 -0
package/dist/auth/drivers/ldap.js +322 -0
package/dist/auth/drivers/local.d.ts +3 -9
package/dist/auth/drivers/local.js +4 -12
package/dist/auth/drivers/oauth2.d.ts +19 -0
package/dist/auth/drivers/oauth2.js +247 -0
package/dist/auth/drivers/openid.d.ts +19 -0
package/dist/auth/drivers/openid.js +256 -0
package/dist/auth.d.ts +1 -0
package/dist/auth.js +21 -15
package/dist/cache.d.ts +1 -1
package/dist/cache.js +7 -7
package/dist/cli/commands/init/index.js +1 -1
package/dist/cli/index.js +3 -3
package/dist/cli/index.test.js +10 -5
package/dist/cli/utils/create-env/env-stub.liquid +2 -2
package/dist/constants.js +1 -1
package/dist/controllers/auth.js +10 -140
package/dist/controllers/extensions.js +2 -0
package/dist/controllers/files.js +19 -8
package/dist/controllers/not-found.js +8 -2
package/dist/controllers/notifications.d.ts +2 -0
package/dist/controllers/notifications.js +147 -0
package/dist/controllers/utils.js +11 -1
package/dist/database/helpers/date.d.ts +8 -0
package/dist/database/helpers/date.js +44 -0
package/dist/database/helpers/geometry.d.ts +4 -2
package/dist/database/helpers/geometry.js +48 -27
package/dist/database/index.d.ts +1 -1
package/dist/database/index.js +15 -21
package/dist/database/migrations/20211009A-add-auth-data.d.ts +3 -0
package/dist/database/migrations/20211009A-add-auth-data.js +15 -0
package/dist/database/migrations/20211016A-add-webhook-headers.d.ts +3 -0
package/dist/database/migrations/20211016A-add-webhook-headers.js +15 -0
package/dist/database/migrations/20211103A-set-unique-to-user-token.d.ts +3 -0
package/dist/database/migrations/20211103A-set-unique-to-user-token.js +15 -0
package/dist/database/migrations/20211103B-update-special-geometry.d.ts +3 -0
package/dist/database/migrations/20211103B-update-special-geometry.js +25 -0
package/dist/database/migrations/20211104A-remove-collections-listing.d.ts +3 -0
package/dist/database/migrations/20211104A-remove-collections-listing.js +15 -0
package/dist/database/migrations/20211118A-add-notifications.d.ts +3 -0
package/dist/database/migrations/20211118A-add-notifications.js +28 -0
package/dist/database/migrations/run.d.ts +1 -1
package/dist/database/migrations/run.js +10 -4
package/dist/database/run-ast.js +39 -55
package/dist/database/seeds/run.js +4 -2
package/dist/database/system-data/app-access-permissions/app-access-permissions.yaml +14 -0
package/dist/database/system-data/collections/collections.yaml +2 -0
package/dist/database/system-data/fields/activity.yaml +0 -2
package/dist/database/system-data/fields/files.yaml +0 -1
package/dist/database/system-data/fields/notifications.yaml +12 -0
package/dist/database/system-data/fields/roles.yaml +0 -53
package/dist/database/system-data/fields/settings.yaml +65 -69
package/dist/database/system-data/fields/users.yaml +8 -3
package/dist/database/system-data/fields/webhooks.yaml +32 -13
package/dist/database/system-data/relations/relations.yaml +6 -0
package/dist/emitter.d.ts +18 -8
package/dist/emitter.js +68 -23
package/dist/env.js +2 -2
package/dist/exceptions/database/translate.js +26 -5
package/dist/extensions.js +50 -27
package/dist/index.d.ts +3 -0
package/dist/index.js +20 -0
package/dist/mailer.js +12 -3
package/dist/middleware/authenticate.js +48 -48
package/dist/middleware/error-handler.js +10 -3
package/dist/middleware/get-permissions.d.ts +3 -0
package/dist/middleware/get-permissions.js +15 -0
package/dist/server.js +17 -7
package/dist/services/activity.d.ts +7 -5
package/dist/services/activity.js +82 -3
package/dist/services/authentication.js +67 -58
package/dist/services/authorization.d.ts +1 -1
package/dist/services/authorization.js +13 -13
package/dist/services/collections.d.ts +1 -1
package/dist/services/collections.js +25 -23
package/dist/services/fields.d.ts +1 -1
package/dist/services/fields.js +29 -37
package/dist/services/files.js +10 -11
package/dist/services/graphql.js +13 -12
package/dist/services/import.js +4 -4
package/dist/services/index.d.ts +1 -0
package/dist/services/index.js +1 -0
package/dist/services/items.js +43 -83
package/dist/services/mail/index.js +2 -2
package/dist/services/mail/templates/base.liquid +153 -85
package/dist/services/mail/templates/password-reset.liquid +3 -2
package/dist/services/mail/templates/user-invitation.liquid +4 -4
package/dist/services/meta.js +7 -8
package/dist/services/notifications.d.ts +12 -0
package/dist/services/notifications.js +41 -0
package/dist/services/payload.d.ts +1 -0
package/dist/services/payload.js +26 -11
package/dist/services/permissions.d.ts +13 -1
package/dist/services/permissions.js +56 -2
package/dist/services/relations.d.ts +1 -1
package/dist/services/relations.js +12 -18
package/dist/services/specifications.js +21 -2
package/dist/services/users.js +24 -23
package/dist/services/utils.js +3 -3
package/dist/services/webhooks.d.ts +2 -2
package/dist/types/auth.d.ts +10 -2
package/dist/types/collection.d.ts +1 -0
package/dist/types/extensions.d.ts +18 -2
package/dist/types/schema.d.ts +2 -2
package/dist/types/webhooks.d.ts +7 -2
package/dist/utils/apply-query.d.ts +3 -3
package/dist/utils/apply-query.js +54 -16
package/dist/utils/apply-snapshot.js +2 -2
package/dist/utils/get-ast-from-query.js +6 -6
package/dist/utils/get-auth-providers.d.ts +1 -0
package/dist/utils/get-auth-providers.js +1 -0
package/dist/utils/get-default-index-name.js +5 -6
package/dist/utils/get-default-value.js +1 -1
package/dist/utils/get-local-type.d.ts +2 -7
package/dist/utils/get-local-type.js +106 -112
package/dist/utils/get-permissions.d.ts +3 -0
package/dist/utils/get-permissions.js +106 -0
package/dist/utils/get-schema.js +11 -51
package/dist/utils/get-simple-hash.d.ts +5 -0
package/dist/utils/get-simple-hash.js +15 -0
package/dist/utils/md.d.ts +4 -0
package/dist/utils/md.js +15 -0
package/dist/utils/reduce-schema.d.ts +2 -2
package/dist/utils/reduce-schema.js +7 -10
package/dist/utils/sanitize-query.js +3 -3
package/dist/utils/track.js +2 -2
package/dist/utils/user-name.d.ts +2 -0
package/dist/utils/user-name.js +16 -0
package/dist/utils/validate-query.js +4 -0
package/dist/webhooks.js +18 -9
package/example.env +15 -9
package/package.json +41 -31
package/dist/grant.d.ts +0 -5
package/dist/grant.js +0 -24
package/dist/middleware/session.d.ts +0 -3
package/dist/middleware/session.js +0 -29
package/dist/utils/geometry.d.ts +0 -2
package/dist/utils/geometry.js +0 -20
package/dist/utils/get-email-from-profile.d.ts +0 -9
package/dist/utils/get-email-from-profile.js +0 -34
package/index.js +0 -5

package/dist/auth/drivers/oauth2.js ADDED Viewed

@@ -0,0 +1,247 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOAuth2AuthRouter = exports.OAuth2AuthDriver = void 0;
+const express_1 = require("express");
+const openid_client_1 = require("openid-client");
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const ms_1 = __importDefault(require("ms"));
+const local_1 = require("./local");
+const auth_1 = require("../../auth");
+const env_1 = __importDefault(require("../../env"));
+const services_1 = require("../../services");
+const exceptions_1 = require("../../exceptions");
+const respond_1 = require("../../middleware/respond");
+const async_handler_1 = __importDefault(require("../../utils/async-handler"));
+const url_1 = require("../../utils/url");
+const logger_1 = __importDefault(require("../../logger"));
+class OAuth2AuthDriver extends local_1.LocalAuthDriver {
+    constructor(options, config) {
+        super(options, config);
+        const { authorizeUrl, accessUrl, profileUrl, clientId, clientSecret, ...additionalConfig } = config;
+        if (!authorizeUrl || !accessUrl || !clientId || !clientSecret || !additionalConfig.provider) {
+            throw new exceptions_1.InvalidConfigException('Invalid provider config', { provider: additionalConfig.provider });
+        }
+        const redirectUrl = new url_1.Url(env_1.default.PUBLIC_URL).addPath('auth', 'login', additionalConfig.provider, 'callback');
+        this.redirectUrl = redirectUrl.toString();
+        this.usersService = new services_1.UsersService({ knex: this.knex, schema: this.schema });
+        this.config = additionalConfig;
+        const issuer = new openid_client_1.Issuer({
+            authorization_endpoint: authorizeUrl,
+            token_endpoint: accessUrl,
+            userinfo_endpoint: profileUrl,
+            issuer: additionalConfig.provider,
+        });
+        this.client = new issuer.Client({
+            client_id: clientId,
+            client_secret: clientSecret,
+            redirect_uris: [this.redirectUrl],
+            response_types: ['code'],
+        });
+    }
+    generateCodeVerifier() {
+        return openid_client_1.generators.codeVerifier();
+    }
+    generateAuthUrl(codeVerifier) {
+        var _a;
+        try {
+            const codeChallenge = openid_client_1.generators.codeChallenge(codeVerifier);
+            return this.client.authorizationUrl({
+                scope: (_a = this.config.scope) !== null && _a !== void 0 ? _a : 'email',
+                code_challenge: codeChallenge,
+                code_challenge_method: 'S256',
+                // Some providers require state even with PKCE
+                state: codeChallenge,
+                access_type: 'offline',
+            });
+        }
+        catch (e) {
+            throw handleError(e);
+        }
+    }
+    async fetchUserId(identifier) {
+        const user = await this.knex
+            .select('id')
+            .from('directus_users')
+            .whereRaw('LOWER(??) = ?', ['external_identifier', identifier.toLowerCase()])
+            .first();
+        return user === null || user === void 0 ? void 0 : user.id;
+    }
+    async getUserID(payload) {
+        var _a;
+        if (!payload.code || !payload.codeVerifier) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        let tokenSet;
+        let userInfo;
+        try {
+            tokenSet = await this.client.oauthCallback(this.redirectUrl, { code: payload.code, state: payload.state }, { code_verifier: payload.codeVerifier, state: openid_client_1.generators.codeChallenge(payload.codeVerifier) });
+            const issuer = this.client.issuer;
+            if (issuer.metadata.userinfo_endpoint) {
+                userInfo = await this.client.userinfo(tokenSet.access_token);
+            }
+            else if (tokenSet.id_token) {
+                userInfo = tokenSet.claims();
+            }
+            else {
+                throw new exceptions_1.InvalidConfigException('OAuth profile URL not defined', { provider: this.config.provider });
+            }
+        }
+        catch (e) {
+            throw handleError(e);
+        }
+        const { emailKey, identifierKey, allowPublicRegistration } = this.config;
+        const email = userInfo[emailKey !== null && emailKey !== void 0 ? emailKey : 'email'];
+        // Fallback to email if explicit identifier not found
+        const identifier = (_a = userInfo[identifierKey]) !== null && _a !== void 0 ? _a : email;
+        if (!identifier) {
+            logger_1.default.warn(`Failed to find user identifier for provider "${this.config.provider}"`);
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        const userId = await this.fetchUserId(identifier);
+        if (userId) {
+            // Update user refreshToken if provided
+            if (tokenSet.refresh_token) {
+                await this.usersService.updateOne(userId, {
+                    auth_data: JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+                });
+            }
+            return userId;
+        }
+        // Is public registration allowed?
+        if (!allowPublicRegistration) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        await this.usersService.createOne({
+            provider: this.config.provider,
+            email: email,
+            external_identifier: identifier,
+            role: this.config.defaultRoleId,
+            auth_data: tokenSet.refresh_token && JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+        });
+        return (await this.fetchUserId(identifier));
+    }
+    async login(user) {
+        return this.refresh(user, null);
+    }
+    async refresh(user, sessionData) {
+        let authData = user.auth_data;
+        if (typeof authData === 'string') {
+            try {
+                authData = JSON.parse(authData);
+            }
+            catch {
+                logger_1.default.warn(`Session data isn't valid JSON: ${authData}`);
+            }
+        }
+        if (!(authData === null || authData === void 0 ? void 0 : authData.refreshToken)) {
+            return sessionData;
+        }
+        try {
+            const tokenSet = await this.client.refresh(authData.refreshToken);
+            return { accessToken: tokenSet.access_token };
+        }
+        catch (e) {
+            throw handleError(e);
+        }
+    }
+}
+exports.OAuth2AuthDriver = OAuth2AuthDriver;
+const handleError = (e) => {
+    if (e instanceof openid_client_1.errors.OPError) {
+        if (e.error === 'invalid_grant') {
+            // Invalid token
+            return new exceptions_1.InvalidCredentialsException();
+        }
+        // Server response error
+        return new exceptions_1.ServiceUnavailableException('Service returned unexpected response', {
+            service: 'openid',
+            message: e.error_description,
+        });
+    }
+    else if (e instanceof openid_client_1.errors.RPError) {
+        // Internal client error
+        return new exceptions_1.InvalidCredentialsException();
+    }
+    return e;
+};
+function createOAuth2AuthRouter(providerName) {
+    const router = (0, express_1.Router)();
+    router.get('/', (req, res) => {
+        const provider = (0, auth_1.getAuthProvider)(providerName);
+        const codeVerifier = provider.generateCodeVerifier();
+        const token = jsonwebtoken_1.default.sign({ verifier: codeVerifier, redirect: req.query.redirect }, env_1.default.SECRET, {
+            expiresIn: '5m',
+            issuer: 'directus',
+        });
+        res.cookie(`oauth2.${providerName}`, token, {
+            httpOnly: true,
+            sameSite: 'lax',
+        });
+        return res.redirect(provider.generateAuthUrl(codeVerifier));
+    }, respond_1.respond);
+    router.get('/callback', (0, async_handler_1.default)(async (req, res, next) => {
+        var _a;
+        let tokenData;
+        try {
+            tokenData = jsonwebtoken_1.default.verify(req.cookies[`oauth2.${providerName}`], env_1.default.SECRET, { issuer: 'directus' });
+        }
+        catch (e) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        const { verifier, redirect } = tokenData;
+        const authenticationService = new services_1.AuthenticationService({
+            accountability: {
+                ip: req.ip,
+                userAgent: req.get('user-agent'),
+                role: null,
+            },
+            schema: req.schema,
+        });
+        let authResponse;
+        try {
+            res.clearCookie(`oauth2.${providerName}`);
+            if (!req.query.code || !req.query.state) {
+                logger_1.default.warn(`Couldn't extract OAuth2 code or state from query: ${JSON.stringify(req.query)}`);
+            }
+            authResponse = await authenticationService.login(providerName, {
+                code: req.query.code,
+                codeVerifier: verifier,
+                state: req.query.state,
+            });
+        }
+        catch (error) {
+            logger_1.default.warn(error);
+            if (redirect) {
+                let reason = 'UNKNOWN_EXCEPTION';
+                if (error instanceof exceptions_1.ServiceUnavailableException) {
+                    reason = 'SERVICE_UNAVAILABLE';
+                }
+                else if (error instanceof exceptions_1.InvalidCredentialsException) {
+                    reason = 'INVALID_USER';
+                }
+                return res.redirect(`${redirect.split('?')[0]}?reason=${reason}`);
+            }
+            throw error;
+        }
+        const { accessToken, refreshToken, expires } = authResponse;
+        if (redirect) {
+            res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, {
+                httpOnly: true,
+                domain: env_1.default.REFRESH_TOKEN_COOKIE_DOMAIN,
+                maxAge: (0, ms_1.default)(env_1.default.REFRESH_TOKEN_TTL),
+                secure: (_a = env_1.default.REFRESH_TOKEN_COOKIE_SECURE) !== null && _a !== void 0 ? _a : false,
+                sameSite: env_1.default.REFRESH_TOKEN_COOKIE_SAME_SITE || 'strict',
+            });
+            return res.redirect(redirect);
+        }
+        res.locals.payload = {
+            data: { access_token: accessToken, refresh_token: refreshToken, expires },
+        };
+        next();
+    }), respond_1.respond);
+    return router;
+}
+exports.createOAuth2AuthRouter = createOAuth2AuthRouter;

package/dist/auth/drivers/openid.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { Router } from 'express';
+import { Client } from 'openid-client';
+import { LocalAuthDriver } from './local';
+import { UsersService } from '../../services';
+import { AuthDriverOptions, User, SessionData } from '../../types';
+export declare class OpenIDAuthDriver extends LocalAuthDriver {
+    client: Promise<Client>;
+    redirectUrl: string;
+    usersService: UsersService;
+    config: Record<string, any>;
+    constructor(options: AuthDriverOptions, config: Record<string, any>);
+    generateCodeVerifier(): string;
+    generateAuthUrl(codeVerifier: string): Promise<string>;
+    private fetchUserId;
+    getUserID(payload: Record<string, any>): Promise<string>;
+    login(user: User): Promise<SessionData>;
+    refresh(user: User, sessionData: SessionData): Promise<SessionData>;
+}
+export declare function createOpenIDAuthRouter(providerName: string): Router;

package/dist/auth/drivers/openid.js ADDED Viewed

@@ -0,0 +1,256 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOpenIDAuthRouter = exports.OpenIDAuthDriver = void 0;
+const express_1 = require("express");
+const openid_client_1 = require("openid-client");
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const ms_1 = __importDefault(require("ms"));
+const local_1 = require("./local");
+const auth_1 = require("../../auth");
+const env_1 = __importDefault(require("../../env"));
+const services_1 = require("../../services");
+const exceptions_1 = require("../../exceptions");
+const respond_1 = require("../../middleware/respond");
+const async_handler_1 = __importDefault(require("../../utils/async-handler"));
+const url_1 = require("../../utils/url");
+const logger_1 = __importDefault(require("../../logger"));
+class OpenIDAuthDriver extends local_1.LocalAuthDriver {
+    constructor(options, config) {
+        super(options, config);
+        const { issuerUrl, clientId, clientSecret, ...additionalConfig } = config;
+        if (!issuerUrl || !clientId || !clientSecret || !additionalConfig.provider) {
+            throw new exceptions_1.InvalidConfigException('Invalid provider config', { provider: additionalConfig.provider });
+        }
+        const redirectUrl = new url_1.Url(env_1.default.PUBLIC_URL).addPath('auth', 'login', additionalConfig.provider, 'callback');
+        this.redirectUrl = redirectUrl.toString();
+        this.usersService = new services_1.UsersService({ knex: this.knex, schema: this.schema });
+        this.config = additionalConfig;
+        this.client = new Promise((resolve, reject) => {
+            openid_client_1.Issuer.discover(issuerUrl)
+                .then((issuer) => {
+                const supportedTypes = issuer.metadata.response_types_supported;
+                if (!(supportedTypes === null || supportedTypes === void 0 ? void 0 : supportedTypes.includes('code'))) {
+                    reject(new exceptions_1.InvalidConfigException('OpenID provider does not support required code flow', {
+                        provider: additionalConfig.provider,
+                    }));
+                }
+                resolve(new issuer.Client({
+                    client_id: clientId,
+                    client_secret: clientSecret,
+                    redirect_uris: [this.redirectUrl],
+                    response_types: ['code'],
+                }));
+            })
+                .catch(reject);
+        });
+    }
+    generateCodeVerifier() {
+        return openid_client_1.generators.codeVerifier();
+    }
+    async generateAuthUrl(codeVerifier) {
+        var _a;
+        try {
+            const client = await this.client;
+            const codeChallenge = openid_client_1.generators.codeChallenge(codeVerifier);
+            return client.authorizationUrl({
+                scope: (_a = this.config.scope) !== null && _a !== void 0 ? _a : 'openid profile email',
+                code_challenge: codeChallenge,
+                code_challenge_method: 'S256',
+                // Some providers require state even with PKCE
+                state: codeChallenge,
+                access_type: 'offline',
+            });
+        }
+        catch (e) {
+            throw handleError(e);
+        }
+    }
+    async fetchUserId(identifier) {
+        const user = await this.knex
+            .select('id')
+            .from('directus_users')
+            .whereRaw('LOWER(??) = ?', ['external_identifier', identifier.toLowerCase()])
+            .first();
+        return user === null || user === void 0 ? void 0 : user.id;
+    }
+    async getUserID(payload) {
+        var _a;
+        if (!payload.code || !payload.codeVerifier) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        let tokenSet;
+        let userInfo;
+        try {
+            const client = await this.client;
+            tokenSet = await client.callback(this.redirectUrl, { code: payload.code, state: payload.state }, { code_verifier: payload.codeVerifier, state: openid_client_1.generators.codeChallenge(payload.codeVerifier) });
+            const issuer = client.issuer;
+            if (issuer.metadata.userinfo_endpoint) {
+                userInfo = await client.userinfo(tokenSet.access_token);
+            }
+            else {
+                userInfo = tokenSet.claims();
+            }
+        }
+        catch (e) {
+            throw handleError(e);
+        }
+        const { identifierKey, allowPublicRegistration, requireVerifiedEmail } = this.config;
+        const email = userInfo.email;
+        // Fallback to email if explicit identifier not found
+        const identifier = (_a = userInfo[identifierKey !== null && identifierKey !== void 0 ? identifierKey : 'sub']) !== null && _a !== void 0 ? _a : email;
+        if (!identifier) {
+            logger_1.default.warn(`Failed to find user identifier for provider "${this.config.provider}"`);
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        const userId = await this.fetchUserId(identifier);
+        if (userId) {
+            // Update user refreshToken if provided
+            if (tokenSet.refresh_token) {
+                await this.usersService.updateOne(userId, {
+                    auth_data: JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+                });
+            }
+            return userId;
+        }
+        const isEmailVerified = !requireVerifiedEmail || userInfo.email_verified;
+        // Is public registration allowed?
+        if (!allowPublicRegistration || !isEmailVerified) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        await this.usersService.createOne({
+            provider: this.config.provider,
+            first_name: userInfo.given_name,
+            last_name: userInfo.family_name,
+            email: email,
+            external_identifier: identifier,
+            role: this.config.defaultRoleId,
+            auth_data: tokenSet.refresh_token && JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+        });
+        return (await this.fetchUserId(identifier));
+    }
+    async login(user) {
+        return this.refresh(user, null);
+    }
+    async refresh(user, sessionData) {
+        let authData = user.auth_data;
+        if (typeof authData === 'string') {
+            try {
+                authData = JSON.parse(authData);
+            }
+            catch {
+                logger_1.default.warn(`Session data isn't valid JSON: ${authData}`);
+            }
+        }
+        if (!(authData === null || authData === void 0 ? void 0 : authData.refreshToken)) {
+            return sessionData;
+        }
+        try {
+            const client = await this.client;
+            const tokenSet = await client.refresh(authData.refreshToken);
+            return { accessToken: tokenSet.access_token };
+        }
+        catch (e) {
+            throw handleError(e);
+        }
+    }
+}
+exports.OpenIDAuthDriver = OpenIDAuthDriver;
+const handleError = (e) => {
+    if (e instanceof openid_client_1.errors.OPError) {
+        if (e.error === 'invalid_grant') {
+            // Invalid token
+            return new exceptions_1.InvalidCredentialsException();
+        }
+        // Server response error
+        return new exceptions_1.ServiceUnavailableException('Service returned unexpected response', {
+            service: 'openid',
+            message: e.error_description,
+        });
+    }
+    else if (e instanceof openid_client_1.errors.RPError) {
+        // Internal client error
+        return new exceptions_1.InvalidCredentialsException();
+    }
+    return e;
+};
+function createOpenIDAuthRouter(providerName) {
+    const router = (0, express_1.Router)();
+    router.get('/', (0, async_handler_1.default)(async (req, res) => {
+        const provider = (0, auth_1.getAuthProvider)(providerName);
+        const codeVerifier = provider.generateCodeVerifier();
+        const token = jsonwebtoken_1.default.sign({ verifier: codeVerifier, redirect: req.query.redirect }, env_1.default.SECRET, {
+            expiresIn: '5m',
+            issuer: 'directus',
+        });
+        res.cookie(`openid.${providerName}`, token, {
+            httpOnly: true,
+            sameSite: 'lax',
+        });
+        return res.redirect(await provider.generateAuthUrl(codeVerifier));
+    }), respond_1.respond);
+    router.get('/callback', (0, async_handler_1.default)(async (req, res, next) => {
+        var _a;
+        let tokenData;
+        try {
+            tokenData = jsonwebtoken_1.default.verify(req.cookies[`openid.${providerName}`], env_1.default.SECRET, { issuer: 'directus' });
+        }
+        catch (e) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        const { verifier, redirect } = tokenData;
+        const authenticationService = new services_1.AuthenticationService({
+            accountability: {
+                ip: req.ip,
+                userAgent: req.get('user-agent'),
+                role: null,
+            },
+            schema: req.schema,
+        });
+        let authResponse;
+        try {
+            res.clearCookie(`openid.${providerName}`);
+            if (!req.query.code || !req.query.state) {
+                logger_1.default.warn(`Couldn't extract OpenID code or state from query: ${JSON.stringify(req.query)}`);
+            }
+            authResponse = await authenticationService.login(providerName, {
+                code: req.query.code,
+                codeVerifier: verifier,
+                state: req.query.state,
+            });
+        }
+        catch (error) {
+            logger_1.default.warn(error);
+            if (redirect) {
+                let reason = 'UNKNOWN_EXCEPTION';
+                if (error instanceof exceptions_1.ServiceUnavailableException) {
+                    reason = 'SERVICE_UNAVAILABLE';
+                }
+                else if (error instanceof exceptions_1.InvalidCredentialsException) {
+                    reason = 'INVALID_USER';
+                }
+                return res.redirect(`${redirect.split('?')[0]}?reason=${reason}`);
+            }
+            throw error;
+        }
+        const { accessToken, refreshToken, expires } = authResponse;
+        if (redirect) {
+            res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, {
+                httpOnly: true,
+                domain: env_1.default.REFRESH_TOKEN_COOKIE_DOMAIN,
+                maxAge: (0, ms_1.default)(env_1.default.REFRESH_TOKEN_TTL),
+                secure: (_a = env_1.default.REFRESH_TOKEN_COOKIE_SECURE) !== null && _a !== void 0 ? _a : false,
+                sameSite: env_1.default.REFRESH_TOKEN_COOKIE_SAME_SITE || 'strict',
+            });
+            return res.redirect(redirect);
+        }
+        res.locals.payload = {
+            data: { access_token: accessToken, refresh_token: refreshToken, expires },
+        };
+        next();
+    }), respond_1.respond);
+    return router;
+}
+exports.createOpenIDAuthRouter = createOpenIDAuthRouter;

package/dist/auth.d.ts CHANGED Viewed

@@ -1,2 +1,3 @@
 import { AuthDriver } from './auth/auth';
 export declare function getAuthProvider(provider: string): AuthDriver;
+export declare function registerAuthProviders(): Promise<void>;

package/dist/auth.js CHANGED Viewed

@@ -3,37 +3,30 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getAuthProvider = void 0;
+exports.registerAuthProviders = exports.getAuthProvider = void 0;
 const database_1 = __importDefault(require("./database"));
 const env_1 = __importDefault(require("./env"));
 const logger_1 = __importDefault(require("./logger"));
-const drivers_1 = require("./auth/drivers/");
+const drivers_1 = require("./auth/drivers");
 const constants_1 = require("./constants");
 const exceptions_1 = require("./exceptions");
 const get_config_from_env_1 = require("./utils/get-config-from-env");
+const get_schema_1 = require("./utils/get-schema");
 const utils_1 = require("@directus/shared/utils");
 const providerNames = (0, utils_1.toArray)(env_1.default.AUTH_PROVIDERS);
 const providers = new Map();
 function getAuthProvider(provider) {
-    // When providers haven't been registered yet
-    if (providerNames.length !== providers.size) {
-        registerProviders();
-    }
     if (!providers.has(provider)) {
         throw new exceptions_1.InvalidConfigException('Auth provider not configured', { provider });
     }
     return providers.get(provider);
 }
 exports.getAuthProvider = getAuthProvider;
-function getProviderInstance(driver, config) {
-    switch (driver) {
-        case 'local':
-            return new drivers_1.LocalAuthDriver((0, database_1.default)(), config);
-    }
-}
-function registerProviders() {
+async function registerAuthProviders() {
+    const options = { knex: (0, database_1.default)(), schema: await (0, get_schema_1.getSchema)() };
+    const defaultProvider = getProviderInstance('local', options);
     // Register default provider
-    providers.set(constants_1.DEFAULT_AUTH_PROVIDER, getProviderInstance('local', {}));
+    providers.set(constants_1.DEFAULT_AUTH_PROVIDER, defaultProvider);
     if (!env_1.default.AUTH_PROVIDERS) {
         return;
     }
@@ -49,7 +42,7 @@ function registerProviders() {
             logger_1.default.warn(`Missing driver definition for "${name}" auth provider.`);
             return;
         }
-        const provider = getProviderInstance(driver, { provider: name, ...config });
+        const provider = getProviderInstance(driver, options, { provider: name, ...config });
         if (!provider) {
             logger_1.default.warn(`Invalid "${driver}" auth driver.`);
             return;
@@ -57,3 +50,16 @@ function registerProviders() {
         providers.set(name, provider);
     });
 }
+exports.registerAuthProviders = registerAuthProviders;
+function getProviderInstance(driver, options, config = {}) {
+    switch (driver) {
+        case 'local':
+            return new drivers_1.LocalAuthDriver(options, config);
+        case 'oauth2':
+            return new drivers_1.OAuth2AuthDriver(options, config);
+        case 'openid':
+            return new drivers_1.OpenIDAuthDriver(options, config);
+        case 'ldap':
+            return new drivers_1.LDAPAuthDriver(options, config);
+    }
+}

package/dist/cache.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import Keyv from 'keyv';
 export declare function getCache(): {
     cache: Keyv | null;
-    schemaCache: Keyv | null;
+    systemCache: Keyv;
 };
 export declare function flushCaches(): Promise<void>;

package/dist/cache.js CHANGED Viewed

@@ -11,23 +11,23 @@ const logger_1 = __importDefault(require("./logger"));
 const get_config_from_env_1 = require("./utils/get-config-from-env");
 const validate_env_1 = require("./utils/validate-env");
 let cache = null;
-let schemaCache = null;
+let systemCache = null;
 function getCache() {
     if (env_1.default.CACHE_ENABLED === true && cache === null) {
         (0, validate_env_1.validateEnv)(['CACHE_NAMESPACE', 'CACHE_TTL', 'CACHE_STORE']);
         cache = getKeyvInstance((0, ms_1.default)(env_1.default.CACHE_TTL));
         cache.on('error', (err) => logger_1.default.warn(err, `[cache] ${err}`));
     }
-    if (env_1.default.CACHE_SCHEMA !== false && schemaCache === null) {
-        schemaCache = getKeyvInstance(typeof env_1.default.CACHE_SCHEMA === 'string' ? (0, ms_1.default)(env_1.default.CACHE_SCHEMA) : undefined, '_schema');
-        schemaCache.on('error', (err) => logger_1.default.warn(err, `[cache] ${err}`));
+    if (systemCache === null) {
+        systemCache = getKeyvInstance(undefined, '_system');
+        systemCache.on('error', (err) => logger_1.default.warn(err, `[cache] ${err}`));
     }
-    return { cache, schemaCache };
+    return { cache, systemCache };
 }
 exports.getCache = getCache;
 async function flushCaches() {
-    const { schemaCache, cache } = getCache();
-    await (schemaCache === null || schemaCache === void 0 ? void 0 : schemaCache.clear());
+    const { systemCache, cache } = getCache();
+    await (systemCache === null || systemCache === void 0 ? void 0 : systemCache.clear());
     await (cache === null || cache === void 0 ? void 0 : cache.clear());
 }
 exports.flushCaches = flushCaches;

package/dist/cli/commands/init/index.js CHANGED Viewed

@@ -36,7 +36,7 @@ async function init() {
         const db = (0, create_db_connection_1.default)(dbClient, credentials);
         try {
             await (0, run_2.default)(db);
-            await (0, run_1.default)(db, 'latest');
+            await (0, run_1.default)(db, 'latest', false);
         }
         catch (err) {
             process.stdout.write('\nSomething went wrong while seeding the database:\n');

package/dist/cli/index.js CHANGED Viewed

@@ -6,7 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createCli = void 0;
 const commander_1 = require("commander");
 const server_1 = require("../server");
-const emitter_1 = require("../emitter");
+const emitter_1 = __importDefault(require("../emitter"));
 const extensions_1 = require("../extensions");
 const bootstrap_1 = __importDefault(require("./commands/bootstrap"));
 const count_1 = __importDefault(require("./commands/count"));
@@ -23,7 +23,7 @@ async function createCli() {
     const program = new commander_1.Command();
     const extensionManager = (0, extensions_1.getExtensionManager)();
     await extensionManager.initialize({ schedule: false });
-    await (0, emitter_1.emitAsyncSafe)('cli.init.before', { program });
+    await emitter_1.default.emitInit('cli.before', { program });
     program.name('directus').usage('[command] [options]');
     program.version(pkg.version, '-v, --version');
     program.command('start').description('Start the Directus API').action(server_1.startServer);
@@ -83,7 +83,7 @@ async function createCli() {
         .option('-y, --yes', `Assume "yes" as answer to all prompts and run non-interactively`)
         .argument('<path>', 'Path to snapshot file')
         .action(apply_1.apply);
-    await (0, emitter_1.emitAsyncSafe)('cli.init.after', { program });
+    await emitter_1.default.emitInit('cli.after', { program });
     return program;
 }
 exports.createCli = createCli;