import { InvalidCredentialsError } from '@directus/errors';
import type { Accountability } from '@directus/types';
import getDatabase from '../database/index.js';
import { getSecret } from './get-secret.js';
import isDirectusJWT from './is-directus-jwt.js';
import { verifySessionJWT } from './verify-session-jwt.js';
import { verifyAccessJWT } from './jwt.js';
export async function getAccountabilityForToken(
token?: string | null,
accountability?: Accountability,
): Promise<Accountability> {
if (!accountability) {
if (isDirectusJWT(token)) {
const payload = verifyAccessJWT(token, getSecret());
if ('session' in payload) {
await verifySessionJWT(payload);
accountability.role = payload.role;
accountability.admin = payload.admin_access === true || payload.admin_access == 1;
accountability.app = payload.app_access === true || payload.app_access == 1;
if (payload.share) accountability.share = payload.share;
if (payload.share_scope) accountability.share_scope = payload.share_scope;
if (payload.id) accountability.user = payload.id;
const database = getDatabase();
const user = await database
.select('directus_users.id', 'directus_users.role', 'directus_roles.admin_access', 'directus_roles.app_access')
.from('directus_users')
.leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
'directus_users.token': token,
throw new InvalidCredentialsError();
accountability.user = user.id;
accountability.role = user.role;
accountability.admin = user.admin_access === true || user.admin_access == 1;
accountability.app = user.app_access === true || user.app_access == 1;
return accountability;