#✅ Extensions <-> Authentification

I have created an endpoint extension that basically just creates a new item entry when the URL is hit. However, after creating the entry, I apparently cannot read it because You don't have permission to access this. I was under the assumption that everything I am doing server side in my extension would not need special authentication/authorization, as it is running as part of the system. But apparently that was a false assumption.

How can I best address this ? How should my extension even be authenticated ? It does not have any credentials ? (Not do I really think it should have/need any ...)

Thanks for posting! This is a community powered server, so you may or may not get an answer based on available help and expertise. To increase your chances of somebody being able to help you, please help us help you making sure you:

• Adding an explanation of exactly what you're trying to achieve.
• Adding any and all related code or previous attempts.
• Describing the exact issue or error you are facing.
• Posting any screenshots if applicable.
• Reading through https://stackoverflow.com/help/how-to-ask.

When you're done with this thread, please close it. Thanks! ✨

(If you have a support agreement and need help, please contact the core team via email.)

inside the backend extensions, you will have to use accountability

if you want to not use the user permissions, you can just not pass in the accountability object into the ItemsService (or whatever service you are using)

Thanks, but I don't quite understand what you are referring to. So far I simply use:
const monitorService = new ItemsService('Monitors', { schema: req.schema });

Where is the accountability configured in that?

const monitorService = new ItemsService('Monitors', { schema: req.schema, accountability: req.accountability });

And what exactly does it do? Inpersonate a user?

in this example it uses the accountability from the request, so the permissions for the authentication provided when calling the endpoint

But the endpoint is being called unauthorized

That's the whole point. It is a public webhook that needs to trigger internal stuff

Then the service will use public permissions

You can elevate the permissions but beware that that can open up security issues when people can call an endpoint unauthentication which then takes admin actions

In this case that could be okay. How can I elevate ?

accountability: { ...req.accountability, admin: true }

            const monitorService = new ItemsService('Monitors', {
                schema: req.schema,
                accountability: { ...req.accountability, admin: true },
            });

Like so ?

Still no access

then you're likely accessing either an unknown collection or ID 🤔 what action is throwing the forbidden error?

It's not the collection. Because the creation part works. It only fails when reading. Let me confirm ...

const monitorId = await monitorService.createOne({
title: title,
});

        console.log(monitorId);

        const monitor = await monitorService.readOne({
            id: monitorId,
        });

Yeah so the creation works

I get the correct ID back from createOne

But the query fails

So just as before 🙂

ah wai

t

const monitor = await monitorService.readOne(monitorId);

https://github.com/br41nslug/directus-extension-reference/blob/main/reference/classes/ItemsService.md#readone

the query is messed up right? It just needs the IT

*id

yaa

ahh my bad

Sorry

Of course if could not access that weird object-as-id 😄

No worries 🙂 docs need some love on this subject

Thanks! Will mark this as resolved

✅ Extensions <-> Authentification

This post is now closed. If you want or need to continue this topic, just send another message and it will be unarchived.

Hi and thanks for those explanations. Can we authenticate with a special user using a static token ? I 'd rather give this public endoint limited authorizations and not give it admin access

You can provide any custom accountability you need 🙂 (but you need to provide permissions manually if its a non-existent role) https://github.com/directus/directus/blob/e38767de2/packages/types/src/accountability.ts#L8

Thanks @pallid stag ! I did not realise I could just fill the accountability fields myself. If I already know the role id maybe I can start sending just this, or even the user id if I need to go a bit further.

yeah the role is the only required field as thats directly linked to permissions

Amazing thanks!

Maybe I did not understand correctly, but here is what I did :

const courses: Course[] = await coursesService.readByQuery({ filter: { my_field: "my_value" } });```

And I got this error : Error [DirectusError]: You don't have permission to access this. webservice-directus-1 | at AuthorizationService.processAST (file:///directus/node_modules/.pnpm/file+api/node_modules/@directus/api/dist/services/authorization.js:34:19) webservice-directus-1 | at ItemsService.readByQuery (file:///directus/node_modules/.pnpm/file+api/node_modules/@directus/api/dist/services/items.js:299:46)

does the role have access 🤷‍♂️ if you dont set admin then you need to make sure the role has the perms you require

Yes it does (I forgot to post the screenshots of the permissions table). Here it is, I gave it the full read access. (the collection name is courses (with a translation as "Orientation")

If I add the admin: true, then it works flawlessly. But I would like to avoid that. Should I create a user for this role and paste the user id too ?

hmmm perhaps i was wrong and looks like when directly calling the ItemsService from an extension you need to provide permissions (which admin would bypass)\

would be perfect if you could import https://github.com/directus/directus/blob/main/api/src/utils/get-permissions.ts#L15C23-L15C37

but perhaps the services should just fetch permissions if not provided 🤔