Universal API Token for local Directus "admin" user#160
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6a9a99d10d
| 'Content-Type': 'application/json', | ||
| 'Authorization': `Bearer ${tmpToken}`, | ||
| }, | ||
| body: JSON.stringify({ token: DIRECTUS_LOCAL_ADMIN_TOKEN }), |
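Review bot: the request that sends `body: JSON.stringify({ token: DIRECTUS_LOCAL_ADMIN_TOKEN })` has no guard on where it is going, so it should be preceded by a check that the configured DIRECTUS_URL resolves to a local host (localhost, 127.0.0.1, ::1) and abort otherwise; as the hunk stands, whatever instance issued `tmpToken` gets its admin user's static token overwritten with the checked-in value.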
Restrict admin token rotation to local instances only
This line unconditionally sets the admin user's API token to a repo-known constant, but DIRECTUS_URL is environment-configurable, so running setup-local.mjs against a shared/staging URL will silently rotate that environment to a predictable admin credential. That is a security regression introduced by this commit: a mispointed run can both break existing admin auth flows and expose full admin API access to anyone who knows the checked-in token value.
For local development, we use the setup script at
directus-cms/utils/setup-local.mjs. This script loads data from a remote system (or uses fake data, if unavailable) and saves it in your local database / Directus instance. For this the script needs to have admin access to your local Directus instance. This was previously handled via the use of an ephemeral API token (obtained during login via user credentials). Now, the local website also needs to have an API token that is usable with the local Directus instance.
Hence harmonization was suggested.
We now use a fixed API token for the local website. The setup script in turn ensures that this local API token is set up during the setup process. And then conveniently also uses this token instead of the expiring login token used beforehand.
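The flow described above (log in with credentials for a short-lived token, set the fixed static token on the admin user, then continue with that token) is shown below as an added example with the guard the review comment asks for. This is not the project's setup-local.mjs; it assumes the Directus endpoints `POST /auth/login` (returning `data.access_token`) and `PATCH /users/me` with a `token` field, the env names DIRECTUS_URL and DIRECTUS_LOCAL_ADMIN_TOKEN mentioned in the PR, and a constructed fake `fetch` so it runs without a server. The function names `isLocalDirectusUrl`, `planAdminTokenRotation` and `ensureLocalAdminToken` are hypothetical.

```javascript
// Added example, not the project's own code. Refuses to rotate the admin
// token unless DIRECTUS_URL points at a loopback/local host, so a mispointed
// run cannot install the checked-in token on a shared or staging instance.

const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True only when the URL parses as http(s) and its host is local.
// URL.hostname drops the port; an IPv6 literal keeps its brackets in Node.
function isLocalDirectusUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return LOCAL_HOSTS.has(host) || host.endsWith(".localhost");
}

// Pure planning step: decide the two requests before anything is sent, and
// throw on a non-local target or an empty token. Testable without a server.
function planAdminTokenRotation(directusUrl, staticToken) {
  if (!isLocalDirectusUrl(directusUrl)) {
    throw new Error(`refusing to rotate admin token: ${directusUrl} is not a local Directus instance`);
  }
  if (typeof staticToken !== "string" || staticToken.length === 0) {
    throw new Error("DIRECTUS_LOCAL_ADMIN_TOKEN must be a non-empty string");
  }
  const base = directusUrl.replace(/\/+$/, ""); // strip trailing slashes
  return {
    login: { method: "POST", url: `${base}/auth/login` },
    rotate: { method: "PATCH", url: `${base}/users/me`, body: { token: staticToken } },
  };
}

// 1. credentials -> short-lived access token (the pre-PR mechanism)
// 2. short-lived token -> set the static token on the admin user
// 3. return the static token for the rest of the setup run to use
async function ensureLocalAdminToken({ directusUrl, email, password, staticToken, fetchImpl = fetch }) {
  const plan = planAdminTokenRotation(directusUrl, staticToken);

  const loginRes = await fetchImpl(plan.login.url, {
    method: plan.login.method,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ email, password }),
  });
  if (!loginRes.ok) throw new Error(`login failed: HTTP ${loginRes.status}`);
  const tmpToken = (await loginRes.json()).data.access_token;

  const rotateRes = await fetchImpl(plan.rotate.url, {
    method: plan.rotate.method,
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${tmpToken}` },
    body: JSON.stringify(plan.rotate.body),
  });
  if (!rotateRes.ok) throw new Error(`token rotation failed: HTTP ${rotateRes.status}`);

  return staticToken;
}

// Constructed stand-in for fetch: records each request and answers like Directus would.
function makeFakeFetch(log) {
  return async (url, init) => {
    log.push(`${init.method} ${url}`);
    const body = url.endsWith("/auth/login")
      ? { data: { access_token: "tmp-token-constructed" } }
      : { data: {} };
    return { ok: true, status: 200, json: async () => body };
  };
}

// Stand-alone run against the fake server (values are constructed, not the project's).
const requestLog = [];
ensureLocalAdminToken({
  directusUrl: process.env.DIRECTUS_URL ?? "http://localhost:8055",
  email: "admin@example.com",
  password: "constructed-password",
  staticToken: process.env.DIRECTUS_LOCAL_ADMIN_TOKEN ?? "constructed-local-admin-token",
  fetchImpl: makeFakeFetch(requestLog),
}).then(
  (token) => console.log("static token ready:", token, requestLog),
  (err) => console.error(err.message),
);
```

Pointing DIRECTUS_URL at a non-local host makes `planAdminTokenRotation` throw before the login request is built, which is the point: the predictable token can only ever land on an instance the developer runs on their own machine.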