Authentication in Custom Endpoints

[PieturP]

Hi!

I've looked at the docs and the Q&A from @keesvanbemmel regarding this topic, but I'm unable to figure out how this should work.

While trying to make a custom endpoint available only for users currently logged in with Directus, I'm unable to receive user data / role data, as the req.accountability object contains nothing pointing to the currently logged in user...

// endpoints/my-endpoint/index.js

module.exports = (router) => {
    router.get('/', (req, res) => {
        res.json(req.accountability);
    });
};

Resulting JSON when calling the endpoint at http://localhost:8055/my-endpoint/ in the browser:

{
  "user": null,
  "role": null,
  "admin": false,
  "app": false,
  "ip": "172.23.0.1",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:95.0) Gecko/20100101 Firefox/95.0",
  "permissions": [
    {
      "id": 89,
      "role": null,
      "collection": "directus_files",
      "action": "create"
  ~
    },
    {
      "id": 90,
      "role": null,
      "collection": "directus_files",
      "action": "update",
  ~
    },
    {
      "id": 91,
      "role": null,
      "collection": "directus_files",
      "action": "read",
  ~
    },
    {
      "id": 92,
      "role": null,
      "collection": "directus_files",
      "action": "delete",
  ~
    }
  ]
}

Should I maybe do something (call some service) before registering the route? Or is there some configuration option I looked over?

Any help is much appreciated! 🙂

[rijkvanzanten]

Heya! When you're opening that URL in the browser, without any authentication header or query params, you're not authenticated as any user, which is reflected in the accountability object you've shared 🙂 Note how it says user: null / role: null, which means you're not authenticated in any way. The shown permissions are the permissions for the public role 👍🏻

[PieturP]

Thanks! I was under the false impression the directus_refresh_cookie would authenticate the user here, but I see it doesn't work this way.

Ideally, I'd like my users to be able to log into Directus admin, and let them then be able to also simply browse to my custom endpoint URL, without entering credentials anymore.

Would that be possible (without using a query parameter or auth headers)?

[rijkvanzanten]

What do you mean exactly by browse to your custom endpoint? Do you want them to open it in the browser, or are you looking to make a request from something like a custom module?

[PieturP]

(edited)

Indeed I meant by opening the URL in their browser manually, not from a custom module.

[rijkvanzanten]

Ah gotcha. There's no way to set authorization headers when opening a browser page, so the next best thing you can do is to navigate your users to the endpoint, and add a ?access_token=abc query parameter 🤔

[rijkvanzanten]

To give you an answer that's more applicable to your prompt:

trying to make a custom endpoint available only for users currently logged in with Directus

You can simply add a

if (!req.accountability.user) {
  throw new ForbiddenException();
}

🙂

[keesvanbemmel]

Or get the directus cookies from the request and build a valid session from those

[PieturP]

Hmmm. That sounds like an interesting idea! I'll give that a try. Thanks both! 🙂

[PieturP]

I've created a simple helper function that refreshes the directus_refresh_token, which I'm now using in a couple of endpoints that I want to be only accessible for logged-in CMS users:

require('dotenv').config();
const fetch = require('node-fetch');

module.exports = async(req, res) => {

    try {
        const resp = await fetch(`${process.env.PUBLIC_URL}auth/refresh`, {
            method: 'post',
            body: JSON.stringify({
                refresh_token: req.cookies.directus_refresh_token
            }),
            headers: { 'Content-Type': 'application/json' }
        });
        const json = await resp.json();

        if (json && json.data && json.data.refresh_token) {
            res.cookie('directus_refresh_token', json.data.refresh_token, {
                maxAge: json.data.expires,
                httpOnly: true
            });
            return true;
        }
    } catch (e) {
        console.log('Error while refreshing token: ', e);
    }
    return false;
}

I'm sure there's other (and much better) ways, but when this function returns true, the user is simply logged in—which is what I was after :)
The function also sets a new token cookie, otherwise it would of-course log the current user out.

The thing that is probably most inefficient is it now uses the API via an external network route. I'm pretty sure it could also use internal code for this as well, but I didn't want to lookup much in Directus source code for this...

Thanks again @keesvanbemmel and @rijkvanzanten ! 🎉

[LucidCarson]

Just wanted to share this version using the SDK for anyone else who ends up here:

export default defineEndpoint({
  handler: (router, context) => {
    router.get('/endpoint', (req, res) => {
      Promise.resolve().then(async () => {
        try {
          const client = createDirectus(context.env.PUBLIC_URL).with(authentication()).with(rest());
          if (!req.cookies.directus_refresh_token) {
            res.send({ status: 403, code: 'Must be logged in.' });
            return;
          }

          const result = await client.request(refresh('json', req.cookies.directus_refresh_token));

          if (!result.refresh_token) {
            res.send({ status: 403, code: 'Must be logged in' });
            return;
          }

          // your endpoint logic here

        } catch (error) {
          res.send({ status: 500, code: 'Endpoint failed.', data: error.message });
        }
      });
    });
  },
});

[NilsBaumgartner1994]

Sadly i dont get "directus_refresh_token" any more but instead: "directus_session_token" which is not the same?