Merge branch 'main' into fix-21658-collection-sorting

api/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@directus/api",
-	"version": "19.0.2",
+	"version": "19.1.0",
 	"description": "Directus is a real-time API and App dashboard for managing SQL database content",
 	"keywords": [
 		"directus",
@@ -170,7 +170,7 @@
 		"snappy": "7.2.2",
 		"stream-json": "1.8.0",
 		"tar": "7.0.1",
-		"tsx": "4.9.0",
+		"tsx": "4.9.3",
 		"wellknown": "0.5.0",
 		"ws": "8.17.0",
 		"zod": "3.23.6",

api/src/app.test.ts

@@ -71,7 +71,6 @@ vi.mock('./utils/validate-env.js');
 
 beforeEach(() => {
 	vi.mocked(useEnv).mockReturnValue({
-		KEY: 'xxxxxxx-xxxxxx-xxxxxxxx-xxxxxxxxxx',
 		SECRET: 'abcdef',
 		SERVE_APP: 'true',
 		PUBLIC_URL: 'http://localhost:8055/directus',

api/src/app.ts

@@ -65,7 +65,6 @@ import schema from './middleware/schema.js';
 import { initTelemetry } from './telemetry/index.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { Url } from './utils/url.js';
-import { validateEnv } from './utils/validate-env.js';
 import { validateStorage } from './utils/validate-storage.js';
 
 const require = createRequire(import.meta.url);
@@ -75,16 +74,7 @@ export default async function createApp(): Promise<express.Application> {
 	const logger = useLogger();
 	const helmet = await import('helmet');
 
-	validateEnv(['KEY', 'SECRET']);
-
-	if (!new Url(env['PUBLIC_URL'] as string).isAbsolute()) {
-		logger.warn('PUBLIC_URL should be a full URL');
-	}
-
-	await validateStorage();
-
 	await validateDatabaseConnection();
-	await validateDatabaseExtensions();
 
 	if ((await isInstalled()) === false) {
 		logger.error(`Database doesn't have Directus tables installed.`);
@@ -95,6 +85,19 @@ export default async function createApp(): Promise<express.Application> {
 		logger.warn(`Database migrations have not all been run`);
 	}
 
+	if (!env['SECRET']) {
+		logger.warn(
+			`"SECRET" env variable is missing. Using a random value instead. Tokens will not persist between restarts. This is not appropriate for production usage.`,
+		);
+	}
+
+	if (!new Url(env['PUBLIC_URL'] as string).isAbsolute()) {
+		logger.warn('"PUBLIC_URL" should be a full URL');
+	}
+
+	await validateDatabaseExtensions();
+	await validateStorage();
+
 	await registerAuthProviders();
 
 	const extensionManager = getExtensionManager();

api/src/auth/drivers/oauth2.ts

@@ -31,6 +31,7 @@ import { getIPFromReq } from '../../utils/get-ip-from-req.js';
 import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { Url } from '../../utils/url.js';
 import { LocalAuthDriver } from './local.js';
+import { getSecret } from '../../utils/get-secret.js';
 
 export class OAuth2AuthDriver extends LocalAuthDriver {
 	client: Client;
@@ -306,7 +307,7 @@ export function createOAuth2AuthRouter(providerName: string): Router {
 				throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
 			}
 
-			const token = jwt.sign({ verifier: codeVerifier, redirect, prompt }, env['SECRET'] as string, {
+			const token = jwt.sign({ verifier: codeVerifier, redirect, prompt }, getSecret(), {
 				expiresIn: '5m',
 				issuer: 'directus',
 			});
@@ -338,7 +339,7 @@ export function createOAuth2AuthRouter(providerName: string): Router {
 			let tokenData;
 
 			try {
-				tokenData = jwt.verify(req.cookies[`oauth2.${providerName}`], env['SECRET'] as string, {
+				tokenData = jwt.verify(req.cookies[`oauth2.${providerName}`], getSecret(), {
 					issuer: 'directus',
 				}) as {
 					verifier: string;