directus 9.0.0-rc.99 → 9.1.1

package/dist/app.js

@@ -40,6 +40,7 @@ const graphql_1 = __importDefault(require("./controllers/graphql"));
 const items_1 = __importDefault(require("./controllers/items"));
 const not_found_1 = __importDefault(require("./controllers/not-found"));
 const panels_1 = __importDefault(require("./controllers/panels"));
+const notifications_1 = __importDefault(require("./controllers/notifications"));
 const permissions_1 = __importDefault(require("./controllers/permissions"));
 const presets_1 = __importDefault(require("./controllers/presets"));
 const relations_1 = __importDefault(require("./controllers/relations"));
@@ -51,12 +52,13 @@ const users_1 = __importDefault(require("./controllers/users"));
 const utils_1 = __importDefault(require("./controllers/utils"));
 const webhooks_1 = __importDefault(require("./controllers/webhooks"));
 const database_1 = require("./database");
-const emitter_1 = require("./emitter");
+const emitter_1 = __importDefault(require("./emitter"));
 const env_1 = __importDefault(require("./env"));
 const exceptions_1 = require("./exceptions");
 const extensions_2 = require("./extensions");
 const logger_1 = __importStar(require("./logger"));
 const authenticate_1 = __importDefault(require("./middleware/authenticate"));
+const get_permissions_1 = __importDefault(require("./middleware/get-permissions"));
 const cache_1 = __importDefault(require("./middleware/cache"));
 const check_ip_1 = require("./middleware/check-ip");
 const cors_1 = __importDefault(require("./middleware/cors"));
@@ -95,8 +97,8 @@ async function createApp() {
     app.disable('x-powered-by');
     app.set('trust proxy', true);
     app.set('query parser', (str) => qs_1.default.parse(str, { depth: 10 }));
-    await (0, emitter_1.emitAsyncSafe)('init.before', { app });
-    await (0, emitter_1.emitAsyncSafe)('middlewares.init.before', { app });
+    await emitter_1.default.emitInit('app.before', { app });
+    await emitter_1.default.emitInit('middlewares.before', { app });
     app.use(logger_1.expressLogger);
     app.use((req, res, next) => {
         express_1.default.json({
@@ -126,16 +128,18 @@ async function createApp() {
         }
     });
     if (env_1.default.SERVE_APP) {
-        const adminPath = require.resolve('@directus/app/dist/index.html');
+        const adminPath = require.resolve('@directus/app');
         const adminUrl = new url_1.Url(env_1.default.PUBLIC_URL).addPath('admin');
         // Set the App's base path according to the APIs public URL
-        let html = fs_extra_1.default.readFileSync(adminPath, 'utf-8');
-        html = html.replace(/<meta charset="utf-8" \/>/, `<meta charset="utf-8" />\n\t\t<base href="${adminUrl.toString({ rootRelative: true })}/">`);
-        app.get('/admin', (req, res) => res.send(html));
+        const html = await fs_extra_1.default.readFile(adminPath, 'utf8');
+        const htmlWithBase = html.replace(/<base \/>/, `<base href="${adminUrl.toString({ rootRelative: true })}/" />`);
+        const noCacheIndexHtmlHandler = (req, res) => {
+            res.setHeader('Cache-Control', 'no-cache');
+            res.send(htmlWithBase);
+        };
+        app.get('/admin', noCacheIndexHtmlHandler);
         app.use('/admin', express_1.default.static(path_1.default.join(adminPath, '..')));
-        app.use('/admin/*', (req, res) => {
-            res.send(html);
-        });
+        app.use('/admin/*', noCacheIndexHtmlHandler);
     }
     // use the rate limiter - all routes for now
     if (env_1.default.RATE_LIMITER_ENABLED === true) {
@@ -144,10 +148,11 @@ async function createApp() {
     app.use(authenticate_1.default);
     app.use(check_ip_1.checkIP);
     app.use(sanitize_query_1.default);
-    await (0, emitter_1.emitAsyncSafe)('middlewares.init.after', { app });
-    await (0, emitter_1.emitAsyncSafe)('routes.init.before', { app });
     app.use(cache_1.default);
     app.use(schema_1.default);
+    app.use(get_permissions_1.default);
+    await emitter_1.default.emitInit('middlewares.after', { app });
+    await emitter_1.default.emitInit('routes.before', { app });
     app.use('/auth', auth_1.default);
     app.use('/graphql', graphql_1.default);
     app.use('/activity', activity_1.default);
@@ -159,6 +164,7 @@ async function createApp() {
     app.use('/files', files_1.default);
     app.use('/folders', folders_1.default);
     app.use('/items', items_1.default);
+    app.use('/notifications', notifications_1.default);
     app.use('/panels', panels_1.default);
     app.use('/permissions', permissions_1.default);
     app.use('/presets', presets_1.default);
@@ -170,16 +176,17 @@ async function createApp() {
     app.use('/users', users_1.default);
     app.use('/utils', utils_1.default);
     app.use('/webhooks', webhooks_1.default);
-    await (0, emitter_1.emitAsyncSafe)('routes.custom.init.before', { app });
+    // Register custom endpoints
+    await emitter_1.default.emitInit('routes.custom.before', { app });
     app.use(extensionManager.getEndpointRouter());
-    await (0, emitter_1.emitAsyncSafe)('routes.custom.init.after', { app });
+    await emitter_1.default.emitInit('routes.custom.after', { app });
     app.use(not_found_1.default);
     app.use(error_handler_1.default);
-    await (0, emitter_1.emitAsyncSafe)('routes.init.after', { app });
+    await emitter_1.default.emitInit('routes.after', { app });
     // Register all webhooks
     await (0, webhooks_2.register)();
     (0, track_1.track)('serverStarted');
-    (0, emitter_1.emitAsyncSafe)('init');
+    await emitter_1.default.emitInit('app.after', { app });
     return app;
 }
 exports.default = createApp;

package/dist/auth/drivers/index.d.ts

@@ -1,3 +1,4 @@
 export * from './local';
 export * from './oauth2';
 export * from './openid';
+export * from './ldap';

package/dist/auth/drivers/index.js

@@ -13,3 +13,4 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./local"), exports);
 __exportStar(require("./oauth2"), exports);
 __exportStar(require("./openid"), exports);
+__exportStar(require("./ldap"), exports);

package/dist/auth/drivers/ldap.d.ts

@@ -0,0 +1,21 @@
+import { Router } from 'express';
+import { Client } from 'ldapjs';
+import { AuthDriver } from '../auth';
+import { AuthDriverOptions, User, SessionData } from '../../types';
+import { UsersService } from '../../services';
+export declare class LDAPAuthDriver extends AuthDriver {
+    bindClient: Client;
+    usersService: UsersService;
+    config: Record<string, any>;
+    constructor(options: AuthDriverOptions, config: Record<string, any>);
+    private validateBindClient;
+    private fetchUserDn;
+    private fetchUserInfo;
+    private fetchUserGroups;
+    private fetchUserId;
+    getUserID(payload: Record<string, any>): Promise<string>;
+    verify(user: User, password?: string): Promise<void>;
+    login(user: User, payload: Record<string, any>): Promise<SessionData>;
+    refresh(user: User): Promise<SessionData>;
+}
+export declare function createLDAPAuthRouter(provider: string): Router;

package/dist/auth/drivers/ldap.js

@@ -0,0 +1,322 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createLDAPAuthRouter = exports.LDAPAuthDriver = void 0;
+const express_1 = require("express");
+const ldapjs_1 = __importStar(require("ldapjs"));
+const ms_1 = __importDefault(require("ms"));
+const joi_1 = __importDefault(require("joi"));
+const auth_1 = require("../auth");
+const exceptions_1 = require("../../exceptions");
+const services_1 = require("../../services");
+const async_handler_1 = __importDefault(require("../../utils/async-handler"));
+const env_1 = __importDefault(require("../../env"));
+const respond_1 = require("../../middleware/respond");
+const logger_1 = __importDefault(require("../../logger"));
+// 0x2: ACCOUNTDISABLE
+// 0x10: LOCKOUT
+// 0x800000: PASSWORD_EXPIRED
+const INVALID_ACCOUNT_FLAGS = 0x800012;
+class LDAPAuthDriver extends auth_1.AuthDriver {
+    constructor(options, config) {
+        var _a;
+        super(options, config);
+        const { bindDn, bindPassword, userDn, provider, clientUrl } = config;
+        if (!bindDn || !bindPassword || !userDn || !provider || (!clientUrl && !((_a = config.client) === null || _a === void 0 ? void 0 : _a.socketPath))) {
+            throw new exceptions_1.InvalidConfigException('Invalid provider config', { provider });
+        }
+        const clientConfig = typeof config.client === 'object' ? config.client : {};
+        this.bindClient = ldapjs_1.default.createClient({ url: clientUrl, reconnect: true, ...clientConfig });
+        this.bindClient.on('error', (err) => {
+            logger_1.default.warn(err);
+        });
+        this.usersService = new services_1.UsersService({ knex: this.knex, schema: this.schema });
+        this.config = config;
+    }
+    async validateBindClient() {
+        const { bindDn, bindPassword, provider } = this.config;
+        return new Promise((resolve, reject) => {
+            // Healthcheck bind user
+            this.bindClient.search(bindDn, {}, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', () => {
+                    resolve();
+                });
+                res.on('error', (err) => {
+                    if (!(err instanceof ldapjs_1.OperationsError)) {
+                        reject(handleError(err));
+                        return;
+                    }
+                    // Rebind on OperationsError
+                    this.bindClient.bind(bindDn, bindPassword, (err) => {
+                        if (err) {
+                            const error = handleError(err);
+                            if (error instanceof exceptions_1.InvalidCredentialsException) {
+                                reject(new exceptions_1.InvalidConfigException('Invalid bind user', { provider }));
+                            }
+                            else {
+                                reject(error);
+                            }
+                        }
+                        else {
+                            resolve();
+                        }
+                    });
+                });
+            });
+        });
+    }
+    async fetchUserDn(identifier) {
+        const { userDn, userAttribute, userScope } = this.config;
+        return new Promise((resolve, reject) => {
+            // Search for the user in LDAP by attribute
+            this.bindClient.search(userDn, { filter: `(${userAttribute !== null && userAttribute !== void 0 ? userAttribute : 'cn'}=${identifier})`, scope: userScope !== null && userScope !== void 0 ? userScope : 'one' }, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', ({ object }) => {
+                    resolve(object.dn.toLowerCase());
+                });
+                res.on('error', (err) => {
+                    reject(handleError(err));
+                });
+                res.on('end', () => {
+                    resolve(undefined);
+                });
+            });
+        });
+    }
+    async fetchUserInfo(userDn) {
+        const { mailAttribute } = this.config;
+        return new Promise((resolve, reject) => {
+            // Fetch user info in LDAP by domain component
+            this.bindClient.search(userDn, { attributes: ['givenName', 'sn', mailAttribute !== null && mailAttribute !== void 0 ? mailAttribute : 'mail', 'userAccountControl'] }, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', ({ object }) => {
+                    const email = object[mailAttribute !== null && mailAttribute !== void 0 ? mailAttribute : 'mail'];
+                    const user = {
+                        firstName: typeof object.givenName === 'object' ? object.givenName[0] : object.givenName,
+                        lastName: typeof object.sn === 'object' ? object.sn[0] : object.sn,
+                        email: typeof email === 'object' ? email[0] : email,
+                        userAccountControl: typeof object.userAccountControl === 'object'
+                            ? Number(object.userAccountControl[0])
+                            : Number(object.userAccountControl),
+                    };
+                    resolve(user);
+                });
+                res.on('error', (err) => {
+                    reject(handleError(err));
+                });
+                res.on('end', () => {
+                    resolve(undefined);
+                });
+            });
+        });
+    }
+    async fetchUserGroups(userDn) {
+        const { groupDn, groupAttribute, groupScope } = this.config;
+        if (!groupDn) {
+            return Promise.resolve([]);
+        }
+        return new Promise((resolve, reject) => {
+            let userGroups = [];
+            // Search for the user info in LDAP by group attribute
+            this.bindClient.search(groupDn, {
+                attributes: ['cn'],
+                filter: `(${groupAttribute !== null && groupAttribute !== void 0 ? groupAttribute : 'member'}=${userDn})`,
+                scope: groupScope !== null && groupScope !== void 0 ? groupScope : 'one',
+            }, (err, res) => {
+                if (err) {
+                    reject(handleError(err));
+                    return;
+                }
+                res.on('searchEntry', ({ object }) => {
+                    if (typeof object.cn === 'object') {
+                        userGroups = [...userGroups, ...object.cn];
+                    }
+                    else if (object.cn) {
+                        userGroups.push(object.cn);
+                    }
+                });
+                res.on('error', (err) => {
+                    reject(handleError(err));
+                });
+                res.on('end', () => {
+                    resolve(userGroups);
+                });
+            });
+        });
+    }
+    async fetchUserId(userDn) {
+        const user = await this.knex
+            .select('id')
+            .from('directus_users')
+            .orWhereRaw('LOWER(??) = ?', ['external_identifier', userDn.toLowerCase()])
+            .first();
+        return user === null || user === void 0 ? void 0 : user.id;
+    }
+    async getUserID(payload) {
+        var _a;
+        if (!payload.identifier) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        await this.validateBindClient();
+        const userDn = await this.fetchUserDn(payload.identifier);
+        if (!userDn) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        const userId = await this.fetchUserId(userDn);
+        const userGroups = await this.fetchUserGroups(userDn);
+        let userRole;
+        if (userGroups.length) {
+            userRole = await this.knex
+                .select('id')
+                .from('directus_roles')
+                .whereRaw(`LOWER(??) IN (${userGroups.map(() => '?')})`, [
+                'name',
+                ...userGroups.map((group) => group.toLowerCase()),
+            ])
+                .first();
+        }
+        if (userId) {
+            await this.usersService.updateOne(userId, { role: (_a = userRole === null || userRole === void 0 ? void 0 : userRole.id) !== null && _a !== void 0 ? _a : null });
+            return userId;
+        }
+        const userInfo = await this.fetchUserInfo(userDn);
+        if (!userInfo) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        await this.usersService.createOne({
+            provider: this.config.provider,
+            first_name: userInfo.firstName,
+            last_name: userInfo.lastName,
+            email: userInfo.email,
+            external_identifier: userDn,
+            role: userRole === null || userRole === void 0 ? void 0 : userRole.id,
+        });
+        return (await this.fetchUserId(userDn));
+    }
+    async verify(user, password) {
+        if (!user.external_identifier || !password) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        return new Promise((resolve, reject) => {
+            const clientConfig = typeof this.config.client === 'object' ? this.config.client : {};
+            const client = ldapjs_1.default.createClient({
+                url: this.config.clientUrl,
+                ...clientConfig,
+                reconnect: false,
+            });
+            client.on('error', (err) => {
+                reject(handleError(err));
+            });
+            client.bind(user.external_identifier, password, (err) => {
+                if (err) {
+                    reject(handleError(err));
+                }
+                else {
+                    resolve();
+                }
+                client.destroy();
+            });
+        });
+    }
+    async login(user, payload) {
+        await this.verify(user, payload.password);
+        return null;
+    }
+    async refresh(user) {
+        await this.validateBindClient();
+        const userInfo = await this.fetchUserInfo(user.external_identifier);
+        if ((userInfo === null || userInfo === void 0 ? void 0 : userInfo.userAccountControl) && userInfo.userAccountControl & INVALID_ACCOUNT_FLAGS) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        return null;
+    }
+}
+exports.LDAPAuthDriver = LDAPAuthDriver;
+const handleError = (e) => {
+    if (e instanceof ldapjs_1.InappropriateAuthenticationError ||
+        e instanceof ldapjs_1.InvalidCredentialsError ||
+        e instanceof ldapjs_1.InsufficientAccessRightsError) {
+        return new exceptions_1.InvalidCredentialsException();
+    }
+    return new exceptions_1.ServiceUnavailableException('Service returned unexpected error', {
+        service: 'ldap',
+        message: e.message,
+    });
+};
+function createLDAPAuthRouter(provider) {
+    const router = (0, express_1.Router)();
+    const loginSchema = joi_1.default.object({
+        identifier: joi_1.default.string().required(),
+        password: joi_1.default.string().required(),
+        mode: joi_1.default.string().valid('cookie', 'json'),
+        otp: joi_1.default.string(),
+    }).unknown();
+    router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
+        var _a, _b;
+        const accountability = {
+            ip: req.ip,
+            userAgent: req.get('user-agent'),
+            role: null,
+        };
+        const authenticationService = new services_1.AuthenticationService({
+            accountability: accountability,
+            schema: req.schema,
+        });
+        const { error } = loginSchema.validate(req.body);
+        if (error) {
+            throw new exceptions_1.InvalidPayloadException(error.message);
+        }
+        const mode = req.body.mode || 'json';
+        const { accessToken, refreshToken, expires } = await authenticationService.login(provider, req.body, (_a = req.body) === null || _a === void 0 ? void 0 : _a.otp);
+        const payload = {
+            data: { access_token: accessToken, expires },
+        };
+        if (mode === 'json') {
+            payload.data.refresh_token = refreshToken;
+        }
+        if (mode === 'cookie') {
+            res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, {
+                httpOnly: true,
+                domain: env_1.default.REFRESH_TOKEN_COOKIE_DOMAIN,
+                maxAge: (0, ms_1.default)(env_1.default.REFRESH_TOKEN_TTL),
+                secure: (_b = env_1.default.REFRESH_TOKEN_COOKIE_SECURE) !== null && _b !== void 0 ? _b : false,
+                sameSite: env_1.default.REFRESH_TOKEN_COOKIE_SAME_SITE || 'strict',
+            });
+        }
+        res.locals.payload = payload;
+        return next();
+    }), respond_1.respond);
+    return router;
+}
+exports.createLDAPAuthRouter = createLDAPAuthRouter;

package/dist/auth/drivers/local.d.ts

@@ -1,6 +1,6 @@
+import { Router } from 'express';
 import { AuthDriver } from '../auth';
 import { User, SessionData } from '../../types';
-import { Router } from 'express';
 export declare class LocalAuthDriver extends AuthDriver {
     getUserID(payload: Record<string, any>): Promise<string>;
     verify(user: User, password?: string): Promise<void>;

package/dist/auth/drivers/local.js

@@ -4,15 +4,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createLocalAuthRouter = exports.LocalAuthDriver = void 0;
+const express_1 = require("express");
 const argon2_1 = __importDefault(require("argon2"));
+const ms_1 = __importDefault(require("ms"));
+const joi_1 = __importDefault(require("joi"));
 const auth_1 = require("../auth");
 const exceptions_1 = require("../../exceptions");
 const services_1 = require("../../services");
-const express_1 = require("express");
-const joi_1 = __importDefault(require("joi"));
 const async_handler_1 = __importDefault(require("../../utils/async-handler"));
 const env_1 = __importDefault(require("../../env"));
-const ms_1 = __importDefault(require("ms"));
 const respond_1 = require("../../middleware/respond");
 class LocalAuthDriver extends auth_1.AuthDriver {
     async getUserID(payload) {

package/dist/auth/drivers/oauth2.d.ts

@@ -13,7 +13,7 @@ export declare class OAuth2AuthDriver extends LocalAuthDriver {
     generateAuthUrl(codeVerifier: string): string;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
-    login(user: User, sessionData: SessionData): Promise<SessionData>;
+    login(user: User): Promise<SessionData>;
     refresh(user: User, sessionData: SessionData): Promise<SessionData>;
 }
 export declare function createOAuth2AuthRouter(providerName: string): Router;

package/dist/auth/drivers/oauth2.js

@@ -21,7 +21,7 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
     constructor(options, config) {
         super(options, config);
         const { authorizeUrl, accessUrl, profileUrl, clientId, clientSecret, ...additionalConfig } = config;
-        if (!authorizeUrl || !accessUrl || !profileUrl || !clientId || !clientSecret || !additionalConfig.provider) {
+        if (!authorizeUrl || !accessUrl || !clientId || !clientSecret || !additionalConfig.provider) {
             throw new exceptions_1.InvalidConfigException('Invalid provider config', { provider: additionalConfig.provider });
         }
         const redirectUrl = new url_1.Url(env_1.default.PUBLIC_URL).addPath('auth', 'login', additionalConfig.provider, 'callback');
@@ -47,10 +47,13 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
     generateAuthUrl(codeVerifier) {
         var _a;
         try {
+            const codeChallenge = openid_client_1.generators.codeChallenge(codeVerifier);
             return this.client.authorizationUrl({
                 scope: (_a = this.config.scope) !== null && _a !== void 0 ? _a : 'email',
-                code_challenge: openid_client_1.generators.codeChallenge(codeVerifier),
+                code_challenge: codeChallenge,
                 code_challenge_method: 'S256',
+                // Some providers require state even with PKCE
+                state: codeChallenge,
                 access_type: 'offline',
             });
         }
@@ -62,8 +65,7 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
         const user = await this.knex
             .select('id')
             .from('directus_users')
-            .whereRaw('LOWER(??) = ?', ['email', identifier.toLowerCase()])
-            .orWhereRaw('LOWER(??) = ?', ['external_identifier', identifier.toLowerCase()])
+            .whereRaw('LOWER(??) = ?', ['external_identifier', identifier.toLowerCase()])
             .first();
         return user === null || user === void 0 ? void 0 : user.id;
     }
@@ -75,13 +77,17 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
         let tokenSet;
         let userInfo;
         try {
-            tokenSet = await this.client.grant({
-                grant_type: 'authorization_code',
-                code: payload.code,
-                redirect_uri: this.redirectUrl,
-                code_verifier: payload.codeVerifier,
-            });
-            userInfo = await this.client.userinfo(tokenSet);
+            tokenSet = await this.client.oauthCallback(this.redirectUrl, { code: payload.code, state: payload.state }, { code_verifier: payload.codeVerifier, state: openid_client_1.generators.codeChallenge(payload.codeVerifier) });
+            const issuer = this.client.issuer;
+            if (issuer.metadata.userinfo_endpoint) {
+                userInfo = await this.client.userinfo(tokenSet.access_token);
+            }
+            else if (tokenSet.id_token) {
+                userInfo = tokenSet.claims();
+            }
+            else {
+                throw new exceptions_1.InvalidConfigException('OAuth profile URL not defined', { provider: this.config.provider });
+            }
         }
         catch (e) {
             throw handleError(e);
@@ -108,19 +114,17 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
         if (!allowPublicRegistration) {
             throw new exceptions_1.InvalidCredentialsException();
         }
-        // If email matches identifier, don't set "external_identifier"
-        const emailIsIdentifier = (email === null || email === void 0 ? void 0 : email.toLowerCase()) === identifier.toLowerCase();
         await this.usersService.createOne({
             provider: this.config.provider,
             email: email,
-            external_identifier: !emailIsIdentifier ? identifier : undefined,
+            external_identifier: identifier,
             role: this.config.defaultRoleId,
             auth_data: tokenSet.refresh_token && JSON.stringify({ refreshToken: tokenSet.refresh_token }),
         });
         return (await this.fetchUserId(identifier));
     }
-    async login(user, sessionData) {
-        return this.refresh(user, sessionData);
+    async login(user) {
+        return this.refresh(user, null);
     }
     async refresh(user, sessionData) {
         let authData = user.auth_data;
@@ -180,11 +184,14 @@ function createOAuth2AuthRouter(providerName) {
     }, respond_1.respond);
     router.get('/callback', (0, async_handler_1.default)(async (req, res, next) => {
         var _a;
-        const token = req.cookies[`oauth2.${providerName}`];
-        if (!token) {
+        let tokenData;
+        try {
+            tokenData = jsonwebtoken_1.default.verify(req.cookies[`oauth2.${providerName}`], env_1.default.SECRET, { issuer: 'directus' });
+        }
+        catch (e) {
             throw new exceptions_1.InvalidCredentialsException();
         }
-        const { verifier, redirect } = jsonwebtoken_1.default.verify(token, env_1.default.SECRET, { issuer: 'directus' });
+        const { verifier, redirect } = tokenData;
         const authenticationService = new services_1.AuthenticationService({
             accountability: {
                 ip: req.ip,
@@ -196,13 +203,13 @@ function createOAuth2AuthRouter(providerName) {
         let authResponse;
         try {
             res.clearCookie(`oauth2.${providerName}`);
-            const { code } = req.query;
-            if (!code) {
-                logger_1.default.warn(`Couldn't extract oAuth2 code from query: ${JSON.stringify(req.query)}`);
+            if (!req.query.code || !req.query.state) {
+                logger_1.default.warn(`Couldn't extract OAuth2 code or state from query: ${JSON.stringify(req.query)}`);
             }
             authResponse = await authenticationService.login(providerName, {
                 code: req.query.code,
                 codeVerifier: verifier,
+                state: req.query.state,
             });
         }
         catch (error) {

package/dist/auth/drivers/openid.d.ts

@@ -13,7 +13,7 @@ export declare class OpenIDAuthDriver extends LocalAuthDriver {
     generateAuthUrl(codeVerifier: string): Promise<string>;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
-    login(user: User, sessionData: SessionData): Promise<SessionData>;
+    login(user: User): Promise<SessionData>;
     refresh(user: User, sessionData: SessionData): Promise<SessionData>;
 }
 export declare function createOpenIDAuthRouter(providerName: string): Router;