directus 9.2.0 → 9.4.0

package/dist/app.js

@@ -51,6 +51,7 @@ const settings_1 = __importDefault(require("./controllers/settings"));
 const users_1 = __importDefault(require("./controllers/users"));
 const utils_1 = __importDefault(require("./controllers/utils"));
 const webhooks_1 = __importDefault(require("./controllers/webhooks"));
+const shares_1 = __importDefault(require("./controllers/shares"));
 const database_1 = require("./database");
 const emitter_1 = __importDefault(require("./emitter"));
 const env_1 = __importDefault(require("./env"));
@@ -112,14 +113,14 @@ async function createApp() {
     });
     app.use((0, cookie_parser_1.default)());
     app.use(extract_token_1.default);
-    app.use((req, res, next) => {
+    app.use((_req, res, next) => {
         res.setHeader('X-Powered-By', 'Directus');
         next();
     });
     if (env_1.default.CORS_ENABLED === true) {
         app.use(cors_1.default);
     }
-    app.get('/', (req, res, next) => {
+    app.get('/', (_req, res, next) => {
         if (env_1.default.ROOT_REDIRECT) {
             res.redirect(env_1.default.ROOT_REDIRECT);
         }
@@ -133,7 +134,7 @@ async function createApp() {
         // Set the App's base path according to the APIs public URL
         const html = await fs_extra_1.default.readFile(adminPath, 'utf8');
         const htmlWithBase = html.replace(/<base \/>/, `<base href="${adminUrl.toString({ rootRelative: true })}/" />`);
-        const noCacheIndexHtmlHandler = (req, res) => {
+        const noCacheIndexHtmlHandler = (_req, res) => {
             res.setHeader('Cache-Control', 'no-cache');
             res.send(htmlWithBase);
         };
@@ -173,6 +174,7 @@ async function createApp() {
     app.use('/roles', roles_1.default);
     app.use('/server', server_1.default);
     app.use('/settings', settings_1.default);
+    app.use('/shares', shares_1.default);
     app.use('/users', users_1.default);
     app.use('/utils', utils_1.default);
     app.use('/webhooks', webhooks_1.default);

package/dist/auth/auth.d.ts

@@ -1,5 +1,5 @@
 import { Knex } from 'knex';
-import { AuthDriverOptions, SchemaOverview, User, SessionData } from '../types';
+import { AuthDriverOptions, SchemaOverview, User } from '../types';
 export declare abstract class AuthDriver {
     knex: Knex;
     schema: SchemaOverview;
@@ -28,20 +28,18 @@ export declare abstract class AuthDriver {
      * @throws InvalidCredentialsException
      * @returns Data to be stored with the session
      */
-    login(_user: User, _payload: Record<string, any>): Promise<SessionData>;
+    login(_user: User, _payload: Record<string, any>): Promise<void>;
     /**
      * Handle user session refresh
      *
      * @param _user User information
-     * @param _sessionData Session data
      * @throws InvalidCredentialsException
      */
-    refresh(_user: User, sessionData: SessionData): Promise<SessionData>;
+    refresh(_user: User): Promise<void>;
     /**
      * Handle user session termination
      *
      * @param _user User information
-     * @param _sessionData Session data
      */
-    logout(_user: User, _sessionData: SessionData): Promise<void>;
+    logout(_user: User): Promise<void>;
 }

package/dist/auth/auth.js

@@ -15,28 +15,24 @@ class AuthDriver {
      * @returns Data to be stored with the session
      */
     async login(_user, _payload) {
-        /* Optional, though should probably be set */
-        return null;
+        return;
     }
     /**
      * Handle user session refresh
      *
      * @param _user User information
-     * @param _sessionData Session data
      * @throws InvalidCredentialsException
      */
-    async refresh(_user, sessionData) {
-        /* Optional */
-        return sessionData;
+    async refresh(_user) {
+        return;
     }
     /**
      * Handle user session termination
      *
      * @param _user User information
-     * @param _sessionData Session data
      */
-    async logout(_user, _sessionData) {
-        /* Optional */
+    async logout(_user) {
+        return;
     }
 }
 exports.AuthDriver = AuthDriver;

package/dist/auth/drivers/ldap.d.ts

@@ -1,7 +1,7 @@
 import { Router } from 'express';
 import { Client } from 'ldapjs';
 import { AuthDriver } from '../auth';
-import { AuthDriverOptions, User, SessionData } from '../../types';
+import { AuthDriverOptions, User } from '../../types';
 import { UsersService } from '../../services';
 export declare class LDAPAuthDriver extends AuthDriver {
     bindClient: Client;
@@ -15,7 +15,7 @@ export declare class LDAPAuthDriver extends AuthDriver {
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
     verify(user: User, password?: string): Promise<void>;
-    login(user: User, payload: Record<string, any>): Promise<SessionData>;
-    refresh(user: User): Promise<SessionData>;
+    login(user: User, payload: Record<string, any>): Promise<void>;
+    refresh(user: User): Promise<void>;
 }
 export declare function createLDAPAuthRouter(provider: string): Router;

package/dist/auth/drivers/ldap.js

@@ -87,6 +87,12 @@ class LDAPAuthDriver extends auth_1.AuthDriver {
                         }
                     });
                 });
+                res.on('end', (result) => {
+                    if ((result === null || result === void 0 ? void 0 : result.status) === 0) {
+                        // Handle edge case with IBM systems where authenticated bind user could not fetch their DN
+                        reject(new exceptions_1.UnexpectedResponseException('Failed to find bind user record'));
+                    }
+                });
             });
         });
     }
@@ -94,7 +100,10 @@ class LDAPAuthDriver extends auth_1.AuthDriver {
         const { userDn, userAttribute, userScope } = this.config;
         return new Promise((resolve, reject) => {
             // Search for the user in LDAP by attribute
-            this.bindClient.search(userDn, { filter: `(${userAttribute !== null && userAttribute !== void 0 ? userAttribute : 'cn'}=${identifier})`, scope: userScope !== null && userScope !== void 0 ? userScope : 'one' }, (err, res) => {
+            this.bindClient.search(userDn, {
+                filter: new ldapjs_1.EqualityFilter({ attribute: userAttribute !== null && userAttribute !== void 0 ? userAttribute : 'cn', value: identifier }),
+                scope: userScope !== null && userScope !== void 0 ? userScope : 'one',
+            }, (err, res) => {
                 if (err) {
                     reject(handleError(err));
                     return;
@@ -151,7 +160,7 @@ class LDAPAuthDriver extends auth_1.AuthDriver {
             // Search for the user info in LDAP by group attribute
             this.bindClient.search(groupDn, {
                 attributes: ['cn'],
-                filter: `(${groupAttribute !== null && groupAttribute !== void 0 ? groupAttribute : 'member'}=${userDn})`,
+                filter: new ldapjs_1.EqualityFilter({ attribute: groupAttribute !== null && groupAttribute !== void 0 ? groupAttribute : 'member', value: userDn }),
                 scope: groupScope !== null && groupScope !== void 0 ? groupScope : 'one',
             }, (err, res) => {
                 if (err) {
@@ -251,7 +260,6 @@ class LDAPAuthDriver extends auth_1.AuthDriver {
     }
     async login(user, payload) {
         await this.verify(user, payload.password);
-        return null;
     }
     async refresh(user) {
         await this.validateBindClient();
@@ -259,7 +267,6 @@ class LDAPAuthDriver extends auth_1.AuthDriver {
         if ((userInfo === null || userInfo === void 0 ? void 0 : userInfo.userAccountControl) && userInfo.userAccountControl & INVALID_ACCOUNT_FLAGS) {
             throw new exceptions_1.InvalidCredentialsException();
         }
-        return null;
     }
 }
 exports.LDAPAuthDriver = LDAPAuthDriver;

package/dist/auth/drivers/local.d.ts

@@ -1,9 +1,9 @@
 import { Router } from 'express';
 import { AuthDriver } from '../auth';
-import { User, SessionData } from '../../types';
+import { User } from '../../types';
 export declare class LocalAuthDriver extends AuthDriver {
     getUserID(payload: Record<string, any>): Promise<string>;
     verify(user: User, password?: string): Promise<void>;
-    login(user: User, payload: Record<string, any>): Promise<SessionData>;
+    login(user: User, payload: Record<string, any>): Promise<void>;
 }
 export declare function createLocalAuthRouter(provider: string): Router;

package/dist/auth/drivers/local.js

@@ -6,7 +6,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createLocalAuthRouter = exports.LocalAuthDriver = void 0;
 const express_1 = require("express");
 const argon2_1 = __importDefault(require("argon2"));
-const ms_1 = __importDefault(require("ms"));
 const joi_1 = __importDefault(require("joi"));
 const auth_1 = require("../auth");
 const exceptions_1 = require("../../exceptions");
@@ -14,6 +13,7 @@ const services_1 = require("../../services");
 const async_handler_1 = __importDefault(require("../../utils/async-handler"));
 const env_1 = __importDefault(require("../../env"));
 const respond_1 = require("../../middleware/respond");
+const constants_1 = require("../../constants");
 class LocalAuthDriver extends auth_1.AuthDriver {
     async getUserID(payload) {
         if (!payload.email) {
@@ -36,20 +36,19 @@ class LocalAuthDriver extends auth_1.AuthDriver {
     }
     async login(user, payload) {
         await this.verify(user, payload.password);
-        return null;
     }
 }
 exports.LocalAuthDriver = LocalAuthDriver;
 function createLocalAuthRouter(provider) {
     const router = (0, express_1.Router)();
-    const loginSchema = joi_1.default.object({
+    const userLoginSchema = joi_1.default.object({
         email: joi_1.default.string().email().required(),
         password: joi_1.default.string().required(),
         mode: joi_1.default.string().valid('cookie', 'json'),
         otp: joi_1.default.string(),
     }).unknown();
     router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
-        var _a, _b;
+        var _a;
         const accountability = {
             ip: req.ip,
             userAgent: req.get('user-agent'),
@@ -59,7 +58,7 @@ function createLocalAuthRouter(provider) {
             accountability: accountability,
             schema: req.schema,
         });
-        const { error } = loginSchema.validate(req.body);
+        const { error } = userLoginSchema.validate(req.body);
         if (error) {
             throw new exceptions_1.InvalidPayloadException(error.message);
         }
@@ -72,13 +71,7 @@ function createLocalAuthRouter(provider) {
             payload.data.refresh_token = refreshToken;
         }
         if (mode === 'cookie') {
-            res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, {
-                httpOnly: true,
-                domain: env_1.default.REFRESH_TOKEN_COOKIE_DOMAIN,
-                maxAge: (0, ms_1.default)(env_1.default.REFRESH_TOKEN_TTL),
-                secure: (_b = env_1.default.REFRESH_TOKEN_COOKIE_SECURE) !== null && _b !== void 0 ? _b : false,
-                sameSite: env_1.default.REFRESH_TOKEN_COOKIE_SAME_SITE || 'strict',
-            });
+            res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, constants_1.COOKIE_OPTIONS);
         }
         res.locals.payload = payload;
         return next();

package/dist/auth/drivers/oauth2.d.ts

@@ -2,7 +2,7 @@ import { Router } from 'express';
 import { Client } from 'openid-client';
 import { LocalAuthDriver } from './local';
 import { UsersService } from '../../services';
-import { AuthDriverOptions, User, SessionData } from '../../types';
+import { AuthDriverOptions, User } from '../../types';
 export declare class OAuth2AuthDriver extends LocalAuthDriver {
     client: Client;
     redirectUrl: string;
@@ -10,10 +10,10 @@ export declare class OAuth2AuthDriver extends LocalAuthDriver {
     config: Record<string, any>;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string): string;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean): string;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
-    login(user: User): Promise<SessionData>;
-    refresh(user: User, sessionData: SessionData): Promise<SessionData>;
+    login(user: User): Promise<void>;
+    refresh(user: User): Promise<void>;
 }
 export declare function createOAuth2AuthRouter(providerName: string): Router;

package/dist/auth/drivers/oauth2.js

@@ -32,7 +32,8 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
             authorization_endpoint: authorizeUrl,
             token_endpoint: accessUrl,
             userinfo_endpoint: profileUrl,
-            issuer: additionalConfig.provider,
+            // Required for openid providers (openid flow should be preferred!)
+            issuer: additionalConfig.issuerUrl,
         });
         this.client = new issuer.Client({
             client_id: clientId,
@@ -44,17 +45,20 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
     generateCodeVerifier() {
         return openid_client_1.generators.codeVerifier();
     }
-    generateAuthUrl(codeVerifier) {
+    generateAuthUrl(codeVerifier, prompt = false) {
         var _a;
         try {
             const codeChallenge = openid_client_1.generators.codeChallenge(codeVerifier);
+            const paramsConfig = typeof this.config.params === 'object' ? this.config.params : {};
             return this.client.authorizationUrl({
                 scope: (_a = this.config.scope) !== null && _a !== void 0 ? _a : 'email',
+                access_type: 'offline',
+                prompt: prompt ? 'consent' : undefined,
+                ...paramsConfig,
                 code_challenge: codeChallenge,
                 code_challenge_method: 'S256',
                 // Some providers require state even with PKCE
                 state: codeChallenge,
-                access_type: 'offline',
             });
         }
         catch (e) {
@@ -72,6 +76,7 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
     async getUserID(payload) {
         var _a;
         if (!payload.code || !payload.codeVerifier) {
+            logger_1.default.trace('[OAuth2] No code or codeVerifier in payload');
             throw new exceptions_1.InvalidCredentialsException();
         }
         let tokenSet;
@@ -112,6 +117,7 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
         }
         // Is public registration allowed?
         if (!allowPublicRegistration) {
+            logger_1.default.trace(`[OAuth2] User doesn't exist, and public registration not allowed for provider "${this.config.provider}"`);
             throw new exceptions_1.InvalidCredentialsException();
         }
         await this.usersService.createOne({
@@ -124,9 +130,9 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
         return (await this.fetchUserId(identifier));
     }
     async login(user) {
-        return this.refresh(user, null);
+        return this.refresh(user);
     }
-    async refresh(user, sessionData) {
+    async refresh(user) {
         let authData = user.auth_data;
         if (typeof authData === 'string') {
             try {
@@ -136,15 +142,19 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
                 logger_1.default.warn(`Session data isn't valid JSON: ${authData}`);
             }
         }
-        if (!(authData === null || authData === void 0 ? void 0 : authData.refreshToken)) {
-            return sessionData;
-        }
-        try {
-            const tokenSet = await this.client.refresh(authData.refreshToken);
-            return { accessToken: tokenSet.access_token };
-        }
-        catch (e) {
-            throw handleError(e);
+        if (authData === null || authData === void 0 ? void 0 : authData.refreshToken) {
+            try {
+                const tokenSet = await this.client.refresh(authData.refreshToken);
+                // Update user refreshToken if provided
+                if (tokenSet.refresh_token) {
+                    await this.usersService.updateOne(user.id, {
+                        auth_data: JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+                    });
+                }
+            }
+            catch (e) {
+                throw handleError(e);
+            }
         }
     }
 }
@@ -152,19 +162,23 @@ exports.OAuth2AuthDriver = OAuth2AuthDriver;
 const handleError = (e) => {
     if (e instanceof openid_client_1.errors.OPError) {
         if (e.error === 'invalid_grant') {
+            logger_1.default.trace(e, `[OAuth2] Invalid grant.`);
             // Invalid token
-            return new exceptions_1.InvalidCredentialsException();
+            return new exceptions_1.InvalidTokenException();
         }
+        logger_1.default.trace(e, `[OAuth2] Unknown OP error.`);
         // Server response error
         return new exceptions_1.ServiceUnavailableException('Service returned unexpected response', {
-            service: 'openid',
+            service: 'oauth2',
             message: e.error_description,
         });
     }
     else if (e instanceof openid_client_1.errors.RPError) {
         // Internal client error
+        logger_1.default.trace(e, `[OAuth2] Unknown RP error.`);
         return new exceptions_1.InvalidCredentialsException();
     }
+    logger_1.default.trace(e, `[OAuth2] Unknown error.`);
     return e;
 };
 function createOAuth2AuthRouter(providerName) {
@@ -172,7 +186,8 @@ function createOAuth2AuthRouter(providerName) {
     router.get('/', (req, res) => {
         const provider = (0, auth_1.getAuthProvider)(providerName);
         const codeVerifier = provider.generateCodeVerifier();
-        const token = jsonwebtoken_1.default.sign({ verifier: codeVerifier, redirect: req.query.redirect }, env_1.default.SECRET, {
+        const prompt = !!req.query.prompt;
+        const token = jsonwebtoken_1.default.sign({ verifier: codeVerifier, redirect: req.query.redirect, prompt }, env_1.default.SECRET, {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -180,7 +195,7 @@ function createOAuth2AuthRouter(providerName) {
             httpOnly: true,
             sameSite: 'lax',
         });
-        return res.redirect(provider.generateAuthUrl(codeVerifier));
+        return res.redirect(provider.generateAuthUrl(codeVerifier, prompt));
     }, respond_1.respond);
     router.get('/callback', (0, async_handler_1.default)(async (req, res, next) => {
         var _a;
@@ -189,9 +204,10 @@ function createOAuth2AuthRouter(providerName) {
             tokenData = jsonwebtoken_1.default.verify(req.cookies[`oauth2.${providerName}`], env_1.default.SECRET, { issuer: 'directus' });
         }
         catch (e) {
+            logger_1.default.warn(e, `[OAuth2] Couldn't verify OAuth2 cookie`);
             throw new exceptions_1.InvalidCredentialsException();
         }
-        const { verifier, redirect } = tokenData;
+        const { verifier, redirect, prompt } = tokenData;
         const authenticationService = new services_1.AuthenticationService({
             accountability: {
                 ip: req.ip,
@@ -204,7 +220,7 @@ function createOAuth2AuthRouter(providerName) {
         try {
             res.clearCookie(`oauth2.${providerName}`);
             if (!req.query.code || !req.query.state) {
-                logger_1.default.warn(`Couldn't extract OAuth2 code or state from query: ${JSON.stringify(req.query)}`);
+                logger_1.default.warn(`[OAuth2]Couldn't extract OAuth2 code or state from query: ${JSON.stringify(req.query)}`);
             }
             authResponse = await authenticationService.login(providerName, {
                 code: req.query.code,
@@ -213,7 +229,10 @@ function createOAuth2AuthRouter(providerName) {
             });
         }
         catch (error) {
-            logger_1.default.warn(error);
+            // Prompt user for a new refresh_token if invalidated
+            if (error instanceof exceptions_1.InvalidTokenException && !prompt) {
+                return res.redirect(`./?${redirect ? `redirect=${redirect}&` : ''}prompt=true`);
+            }
             if (redirect) {
                 let reason = 'UNKNOWN_EXCEPTION';
                 if (error instanceof exceptions_1.ServiceUnavailableException) {
@@ -222,8 +241,15 @@ function createOAuth2AuthRouter(providerName) {
                 else if (error instanceof exceptions_1.InvalidCredentialsException) {
                     reason = 'INVALID_USER';
                 }
+                else if (error instanceof exceptions_1.InvalidTokenException) {
+                    reason = 'INVALID_TOKEN';
+                }
+                else {
+                    logger_1.default.warn(error, `[OAuth2] Unexpected error during OAuth2 login`);
+                }
                 return res.redirect(`${redirect.split('?')[0]}?reason=${reason}`);
             }
+            logger_1.default.warn(error, `[OAuth2] Unexpected error during OAuth2 login`);
             throw error;
         }
         const { accessToken, refreshToken, expires } = authResponse;

package/dist/auth/drivers/openid.d.ts

@@ -2,7 +2,7 @@ import { Router } from 'express';
 import { Client } from 'openid-client';
 import { LocalAuthDriver } from './local';
 import { UsersService } from '../../services';
-import { AuthDriverOptions, User, SessionData } from '../../types';
+import { AuthDriverOptions, User } from '../../types';
 export declare class OpenIDAuthDriver extends LocalAuthDriver {
     client: Promise<Client>;
     redirectUrl: string;
@@ -10,10 +10,10 @@ export declare class OpenIDAuthDriver extends LocalAuthDriver {
     config: Record<string, any>;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string): Promise<string>;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean): Promise<string>;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
-    login(user: User): Promise<SessionData>;
-    refresh(user: User, sessionData: SessionData): Promise<SessionData>;
+    login(user: User): Promise<void>;
+    refresh(user: User): Promise<void>;
 }
 export declare function createOpenIDAuthRouter(providerName: string): Router;

package/dist/auth/drivers/openid.js

@@ -50,18 +50,21 @@ class OpenIDAuthDriver extends local_1.LocalAuthDriver {
     generateCodeVerifier() {
         return openid_client_1.generators.codeVerifier();
     }
-    async generateAuthUrl(codeVerifier) {
+    async generateAuthUrl(codeVerifier, prompt = false) {
         var _a;
         try {
             const client = await this.client;
             const codeChallenge = openid_client_1.generators.codeChallenge(codeVerifier);
+            const paramsConfig = typeof this.config.params === 'object' ? this.config.params : {};
             return client.authorizationUrl({
                 scope: (_a = this.config.scope) !== null && _a !== void 0 ? _a : 'openid profile email',
+                access_type: 'offline',
+                prompt: prompt ? 'consent' : undefined,
+                ...paramsConfig,
                 code_challenge: codeChallenge,
                 code_challenge_method: 'S256',
                 // Some providers require state even with PKCE
                 state: codeChallenge,
-                access_type: 'offline',
             });
         }
         catch (e) {
@@ -132,9 +135,9 @@ class OpenIDAuthDriver extends local_1.LocalAuthDriver {
         return (await this.fetchUserId(identifier));
     }
     async login(user) {
-        return this.refresh(user, null);
+        return this.refresh(user);
     }
-    async refresh(user, sessionData) {
+    async refresh(user) {
         let authData = user.auth_data;
         if (typeof authData === 'string') {
             try {
@@ -144,16 +147,20 @@ class OpenIDAuthDriver extends local_1.LocalAuthDriver {
                 logger_1.default.warn(`Session data isn't valid JSON: ${authData}`);
             }
         }
-        if (!(authData === null || authData === void 0 ? void 0 : authData.refreshToken)) {
-            return sessionData;
-        }
-        try {
-            const client = await this.client;
-            const tokenSet = await client.refresh(authData.refreshToken);
-            return { accessToken: tokenSet.access_token };
-        }
-        catch (e) {
-            throw handleError(e);
+        if (authData === null || authData === void 0 ? void 0 : authData.refreshToken) {
+            try {
+                const client = await this.client;
+                const tokenSet = await client.refresh(authData.refreshToken);
+                // Update user refreshToken if provided
+                if (tokenSet.refresh_token) {
+                    await this.usersService.updateOne(user.id, {
+                        auth_data: JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+                    });
+                }
+            }
+            catch (e) {
+                throw handleError(e);
+            }
         }
     }
 }
@@ -162,7 +169,7 @@ const handleError = (e) => {
     if (e instanceof openid_client_1.errors.OPError) {
         if (e.error === 'invalid_grant') {
             // Invalid token
-            return new exceptions_1.InvalidCredentialsException();
+            return new exceptions_1.InvalidTokenException();
         }
         // Server response error
         return new exceptions_1.ServiceUnavailableException('Service returned unexpected response', {
@@ -181,7 +188,8 @@ function createOpenIDAuthRouter(providerName) {
     router.get('/', (0, async_handler_1.default)(async (req, res) => {
         const provider = (0, auth_1.getAuthProvider)(providerName);
         const codeVerifier = provider.generateCodeVerifier();
-        const token = jsonwebtoken_1.default.sign({ verifier: codeVerifier, redirect: req.query.redirect }, env_1.default.SECRET, {
+        const prompt = !!req.query.prompt;
+        const token = jsonwebtoken_1.default.sign({ verifier: codeVerifier, redirect: req.query.redirect, prompt }, env_1.default.SECRET, {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -189,7 +197,7 @@ function createOpenIDAuthRouter(providerName) {
             httpOnly: true,
             sameSite: 'lax',
         });
-        return res.redirect(await provider.generateAuthUrl(codeVerifier));
+        return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt));
     }), respond_1.respond);
     router.get('/callback', (0, async_handler_1.default)(async (req, res, next) => {
         var _a;
@@ -198,9 +206,10 @@ function createOpenIDAuthRouter(providerName) {
             tokenData = jsonwebtoken_1.default.verify(req.cookies[`openid.${providerName}`], env_1.default.SECRET, { issuer: 'directus' });
         }
         catch (e) {
+            logger_1.default.warn(e, `[OpenID] Couldn't verify OpenID cookie`);
             throw new exceptions_1.InvalidCredentialsException();
         }
-        const { verifier, redirect } = tokenData;
+        const { verifier, redirect, prompt } = tokenData;
         const authenticationService = new services_1.AuthenticationService({
             accountability: {
                 ip: req.ip,
@@ -213,7 +222,7 @@ function createOpenIDAuthRouter(providerName) {
         try {
             res.clearCookie(`openid.${providerName}`);
             if (!req.query.code || !req.query.state) {
-                logger_1.default.warn(`Couldn't extract OpenID code or state from query: ${JSON.stringify(req.query)}`);
+                logger_1.default.warn(`[OpenID] Couldn't extract OpenID code or state from query: ${JSON.stringify(req.query)}`);
             }
             authResponse = await authenticationService.login(providerName, {
                 code: req.query.code,
@@ -222,6 +231,10 @@ function createOpenIDAuthRouter(providerName) {
             });
         }
         catch (error) {
+            // Prompt user for a new refresh_token if invalidated
+            if (error instanceof exceptions_1.InvalidTokenException && !prompt) {
+                return res.redirect(`./?${redirect ? `redirect=${redirect}&` : ''}prompt=true`);
+            }
             logger_1.default.warn(error);
             if (redirect) {
                 let reason = 'UNKNOWN_EXCEPTION';
@@ -231,6 +244,9 @@ function createOpenIDAuthRouter(providerName) {
                 else if (error instanceof exceptions_1.InvalidCredentialsException) {
                     reason = 'INVALID_USER';
                 }
+                else if (error instanceof exceptions_1.InvalidTokenException) {
+                    reason = 'INVALID_TOKEN';
+                }
                 return res.redirect(`${redirect.split('?')[0]}?reason=${reason}`);
             }
             throw error;

package/dist/cli/commands/bootstrap/index.js

@@ -30,6 +30,7 @@ const logger_1 = __importDefault(require("../../../logger"));
 const get_schema_1 = require("../../../utils/get-schema");
 const services_1 = require("../../../services");
 const database_1 = __importStar(require("../../../database"));
+const defaults_1 = require("../../utils/defaults");
 async function bootstrap({ skipAdminInit }) {
     logger_1.default.info('Initializing bootstrap...');
     const database = (0, database_1.default)();
@@ -75,7 +76,7 @@ async function waitForDatabase(database) {
 async function createDefaultAdmin(schema) {
     logger_1.default.info('Setting up first admin role...');
     const rolesService = new services_1.RolesService({ schema });
-    const role = await rolesService.createOne({ name: 'Admin', admin_access: true });
+    const role = await rolesService.createOne(defaults_1.defaultAdminRole);
     logger_1.default.info('Adding first admin user...');
     const usersService = new services_1.UsersService({ schema });
     let adminEmail = env_1.default.ADMIN_EMAIL;
@@ -88,5 +89,5 @@ async function createDefaultAdmin(schema) {
         adminPassword = (0, nanoid_1.nanoid)(12);
         logger_1.default.info(`No admin password provided. Defaulting to "${adminPassword}"`);
     }
-    await usersService.createOne({ email: adminEmail, password: adminPassword, role });
+    await usersService.createOne({ email: adminEmail, password: adminPassword, role, ...defaults_1.defaultAdminUser });
 }