1
import { useEnv } from '@directus/env';
2
import { InvalidPayloadError, ServiceUnavailableError } from '@directus/errors';
3
import { handlePressure } from '@directus/pressure';
4
import cookieParser from 'cookie-parser';
5
import type { Request, RequestHandler, Response } from 'express';
6
import express from 'express';
7
import type { ServerResponse } from 'http';
8
import { merge } from 'lodash-es';
9
import { readFile } from 'node:fs/promises';
10
import { createRequire } from 'node:module';
11
import path from 'path';
13
import { registerAuthProviders } from './auth.js';
14
import activityRouter from './controllers/activity.js';
15
import assetsRouter from './controllers/assets.js';
16
import authRouter from './controllers/auth.js';
17
import collectionsRouter from './controllers/collections.js';
18
import dashboardsRouter from './controllers/dashboards.js';
19
import extensionsRouter from './controllers/extensions.js';
20
import fieldsRouter from './controllers/fields.js';
21
import filesRouter from './controllers/files.js';
22
import flowsRouter from './controllers/flows.js';
23
import foldersRouter from './controllers/folders.js';
24
import graphqlRouter from './controllers/graphql.js';
25
import itemsRouter from './controllers/items.js';
26
import notFoundHandler from './controllers/not-found.js';
27
import notificationsRouter from './controllers/notifications.js';
28
import operationsRouter from './controllers/operations.js';
29
import panelsRouter from './controllers/panels.js';
30
import permissionsRouter from './controllers/permissions.js';
31
import presetsRouter from './controllers/presets.js';
32
import relationsRouter from './controllers/relations.js';
33
import revisionsRouter from './controllers/revisions.js';
34
import rolesRouter from './controllers/roles.js';
35
import schemaRouter from './controllers/schema.js';
36
import serverRouter from './controllers/server.js';
37
import settingsRouter from './controllers/settings.js';
38
import sharesRouter from './controllers/shares.js';
39
import translationsRouter from './controllers/translations.js';
40
import usersRouter from './controllers/users.js';
41
import utilsRouter from './controllers/utils.js';
42
import versionsRouter from './controllers/versions.js';
43
import webhooksRouter from './controllers/webhooks.js';
46
validateDatabaseConnection,
47
validateDatabaseExtensions,
49
} from './database/index.js';
50
import emitter from './emitter.js';
51
import { getExtensionManager } from './extensions/index.js';
52
import { getFlowManager } from './flows.js';
53
import { createExpressLogger, useLogger } from './logger.js';
54
import authenticate from './middleware/authenticate.js';
55
import cache from './middleware/cache.js';
56
import { checkIP } from './middleware/check-ip.js';
57
import cors from './middleware/cors.js';
58
import errorHandler from './middleware/error-handler.js';
59
import extractToken from './middleware/extract-token.js';
60
import getPermissions from './middleware/get-permissions.js';
61
import rateLimiterGlobal from './middleware/rate-limiter-global.js';
62
import rateLimiter from './middleware/rate-limiter-ip.js';
63
import sanitizeQuery from './middleware/sanitize-query.js';
64
import schema from './middleware/schema.js';
65
import { initTelemetry } from './telemetry/index.js';
66
import { getConfigFromEnv } from './utils/get-config-from-env.js';
67
import { Url } from './utils/url.js';
68
import { validateStorage } from './utils/validate-storage.js';
70
const require = createRequire(import.meta.url);
72
export default async function createApp(): Promise<express.Application> {
74
const logger = useLogger();
75
const helmet = await import('helmet');
77
await validateDatabaseConnection();
79
if ((await isInstalled()) === false) {
80
logger.error(`Database doesn't have Directus tables installed.`);
84
if ((await validateMigrations()) === false) {
85
logger.warn(`Database migrations have not all been run`);
90
`"SECRET" env variable is missing. Using a random value instead. Tokens will not persist between restarts. This is not appropriate for production usage.`,
94
if (!new Url(env['PUBLIC_URL'] as string).isAbsolute()) {
95
logger.warn('"PUBLIC_URL" should be a full URL');
98
await validateDatabaseExtensions();
99
await validateStorage();
101
await registerAuthProviders();
103
const extensionManager = getExtensionManager();
104
const flowManager = getFlowManager();
106
await extensionManager.initialize();
107
await flowManager.initialize();
109
const app = express();
111
app.disable('x-powered-by');
112
app.set('trust proxy', env['IP_TRUST_PROXY']);
113
app.set('query parser', (str: string) => qs.parse(str, { depth: 10 }));
115
if (env['PRESSURE_LIMITER_ENABLED']) {
116
const sampleInterval = Number(env['PRESSURE_LIMITER_SAMPLE_INTERVAL']);
118
if (Number.isNaN(sampleInterval) === true || Number.isFinite(sampleInterval) === false) {
119
throw new Error(`Invalid value for PRESSURE_LIMITER_SAMPLE_INTERVAL environment variable`);
125
maxEventLoopUtilization: env['PRESSURE_LIMITER_MAX_EVENT_LOOP_UTILIZATION'] as number,
126
maxEventLoopDelay: env['PRESSURE_LIMITER_MAX_EVENT_LOOP_DELAY'] as number,
127
maxMemoryRss: env['PRESSURE_LIMITER_MAX_MEMORY_RSS'] as number,
128
maxMemoryHeapUsed: env['PRESSURE_LIMITER_MAX_MEMORY_HEAP_USED'] as number,
129
error: new ServiceUnavailableError({ service: 'api', reason: 'Under pressure' }),
130
retryAfter: env['PRESSURE_LIMITER_RETRY_AFTER'] as string,
136
helmet.contentSecurityPolicy(
142
scriptSrc: ["'self'", "'unsafe-eval'"],
147
upgradeInsecureRequests: null,
150
workerSrc: ["'self'", 'blob:'],
151
childSrc: ["'self'", 'blob:'],
156
'https://raw.githubusercontent.com',
157
'https://avatars.githubusercontent.com',
159
mediaSrc: ["'self'"],
160
connectSrc: ["'self'", 'https://*'],
163
getConfigFromEnv('CONTENT_SECURITY_POLICY_'),
168
if (env['HSTS_ENABLED']) {
169
app.use(helmet.hsts(getConfigFromEnv('HSTS_', ['HSTS_ENABLED'])));
172
await emitter.emitInit('app.before', { app });
174
await emitter.emitInit('middlewares.before', { app });
176
app.use(createExpressLogger());
178
app.use((_req, res, next) => {
179
res.setHeader('X-Powered-By', 'Directus');
183
if (env['CORS_ENABLED'] === true) {
187
app.use((req, res, next) => {
190
limit: env['MAX_PAYLOAD_SIZE'] as string,
192
)(req, res, (err: any) => {
194
return next(new InvalidPayloadError({ reason: err.message }));
201
app.use(cookieParser());
203
app.use(extractToken);
205
app.get('/', (_req, res, next) => {
206
if (env['ROOT_REDIRECT']) {
207
res.redirect(env['ROOT_REDIRECT'] as string);
213
app.get('/robots.txt', (_, res) => {
214
res.set('Content-Type', 'text/plain');
216
res.send(env['ROBOTS_TXT']);
219
if (env['SERVE_APP']) {
220
const adminPath = require.resolve('@directus/app');
221
const adminUrl = new Url(env['PUBLIC_URL'] as string).addPath('admin');
223
const embeds = extensionManager.getEmbeds();
226
const html = await readFile(adminPath, 'utf8');
228
const htmlWithVars = html
229
.replace(/<base \/>/, `<base href="${adminUrl.toString({ rootRelative: true })}/" />`)
230
.replace('<!-- directus-embed-head -->', embeds.head)
231
.replace('<!-- directus-embed-body -->', embeds.body);
233
const sendHtml = (_req: Request, res: Response) => {
234
res.setHeader('Cache-Control', 'no-cache');
235
res.setHeader('Vary', 'Origin, Cache-Control');
236
res.send(htmlWithVars);
239
const setStaticHeaders = (res: ServerResponse) => {
240
res.setHeader('Cache-Control', 'max-age=31536000, immutable');
241
res.setHeader('Vary', 'Origin, Cache-Control');
244
app.get('/admin', sendHtml);
245
app.use('/admin', express.static(path.join(adminPath, '..'), { setHeaders: setStaticHeaders }));
246
app.use('/admin/*', sendHtml);
250
if (env['RATE_LIMITER_GLOBAL_ENABLED'] === true) {
251
app.use(rateLimiterGlobal);
254
if (env['RATE_LIMITER_ENABLED'] === true) {
255
app.use(rateLimiter);
258
app.get('/server/ping', (_req, res) => res.send('pong'));
260
app.use(authenticate);
264
app.use(sanitizeQuery);
270
app.use(getPermissions);
272
await emitter.emitInit('middlewares.after', { app });
274
await emitter.emitInit('routes.before', { app });
276
app.use('/auth', authRouter);
278
app.use('/graphql', graphqlRouter);
280
app.use('/activity', activityRouter);
281
app.use('/assets', assetsRouter);
282
app.use('/collections', collectionsRouter);
283
app.use('/dashboards', dashboardsRouter);
284
app.use('/extensions', extensionsRouter);
285
app.use('/fields', fieldsRouter);
286
app.use('/files', filesRouter);
287
app.use('/flows', flowsRouter);
288
app.use('/folders', foldersRouter);
289
app.use('/items', itemsRouter);
290
app.use('/notifications', notificationsRouter);
291
app.use('/operations', operationsRouter);
292
app.use('/panels', panelsRouter);
293
app.use('/permissions', permissionsRouter);
294
app.use('/presets', presetsRouter);
295
app.use('/translations', translationsRouter);
296
app.use('/relations', relationsRouter);
297
app.use('/revisions', revisionsRouter);
298
app.use('/roles', rolesRouter);
299
app.use('/schema', schemaRouter);
300
app.use('/server', serverRouter);
301
app.use('/settings', settingsRouter);
302
app.use('/shares', sharesRouter);
303
app.use('/users', usersRouter);
304
app.use('/utils', utilsRouter);
305
app.use('/versions', versionsRouter);
306
app.use('/webhooks', webhooksRouter);
309
await emitter.emitInit('routes.custom.before', { app });
310
app.use(extensionManager.getEndpointRouter());
311
await emitter.emitInit('routes.custom.after', { app });
313
app.use(notFoundHandler);
314
app.use(errorHandler);
316
await emitter.emitInit('routes.after', { app });
320
await emitter.emitInit('app.after', { app });