granular authorization based on access policy

sacconazzo · sacconazzo · commit 9bf69b8c564b · 2025-11-04T15:28:14.000+01:00
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ Options:
 -   `publishedTags` _optional_ if specified, will be published definitions only for specified tags
 -   `paths` _optional_ openapi custom paths (will be merged with all standard and all customs paths)
 -   `components` _optional_ openapi custom components (will be merged with all standard and all customs tags)
--   `useAuthentication` _optional_ require Directus authentication to access the docs interface (default false). When enabled, users must be authenticated via Directus admin cookie, static token, or Bearer JWT token to access `/api-docs` and `/api-docs/oas` endpoints
+-   `useAuthentication` _optional_ (default false). When enabled, access to `/api-docs` and `/api-docs/oas` requires a Directus admin cookie, static token, or Bearer JWT. Authorization is applied per endpoint based on Directus Access Policies, ensuring users only see endpoints they are allowed to access.
 
 Example below:
 
diff --git a/src/index.ts b/src/index.ts
@@ -3,7 +3,7 @@ import { defineEndpoint } from '@directus/extensions-sdk';
 // import { SchemaOverview } from '@directus/shared/types';
 import { SchemaOverview } from '@directus/types';
 import { Router, Request, Response, NextFunction } from 'express';
-import { getConfig, getOas, getPackage, merge, filterPaths } from './utils';
+import { getConfig, getOas, getOasAll, getPackage, merge, filterPaths } from './utils';
 
 const swaggerUi = require('swagger-ui-express');
 const OpenApiValidator = require('express-openapi-validator');
@@ -12,23 +12,9 @@ const config = getConfig();
 
 const id = config.docsPath;
 
-async function checkIfApiDocsPublic(req: Request, res: Response, next: NextFunction): Promise<void | Response> {
-    if (config.useAuthentication) {
-        try {
-            const accountability = (req as any).accountability;
-            if (!accountability?.user) {
-                return res.status(401).json({ message: 'Unauthorized' });
-            }
-        } catch (error) {
-            return res.status(403).json({ message: 'Forbidden' });
-        }
-    }
-    return next();
-}
-
 async function validate(router: Router, services: any, schema: SchemaOverview, paths: Array<string>): Promise<Router> {
     if (config?.paths) {
-        const oas = await getOas(services, schema);
+        const oas = await getOasAll(services, schema);
 
         // replace with custom endpoints
         if (paths) {
@@ -76,15 +62,16 @@ export default {
             },
         };
 
-        router.use(checkIfApiDocsPublic);
-
         router.use('/', swaggerUi.serve);
         router.get('/', swaggerUi.setup({}, options));
 
-        router.get('/oas', async (_req: Request, res: Response, next: NextFunction) => {
+        router.get('/oas', async (req: Request, res: Response, next: NextFunction) => {
             try {
                 const schema = await getSchema();
-                const swagger = await getOas(services, schema);
+
+                const accountability = config.useAuthentication ? (req as any).accountability : { admin: true };
+
+                const swagger = await getOas(services, schema, accountability);
 
                 const pkg = await getPackage();
 
diff --git a/src/utils.ts b/src/utils.ts
@@ -113,12 +113,12 @@ export function getConfig(): oasConfig {
     }
 }
 
-export async function getOas(services: any, schema: SchemaOverview): Promise<oas> {
+export async function getOasAll(services: any, schema: SchemaOverview): Promise<oas> {
     if (oasBuffer) return JSON.parse(oasBuffer);
 
     const { SpecificationService } = services;
     const service = new SpecificationService({
-        accountability: { admin: true }, // null or accountability.admin = true needed
+        accountability: { admin: true },
         schema,
     });
 
@@ -127,6 +127,18 @@ export async function getOas(services: any, schema: SchemaOverview): Promise<oas
     return JSON.parse(oasBuffer);
 }
 
+export async function getOas(services: any, schema: SchemaOverview, accountability: any): Promise<oas> {
+    const { SpecificationService } = services;
+    const service = new SpecificationService({
+        accountability,
+        schema,
+    });
+
+    const oas = JSON.stringify(await service.oas.generate());
+
+    return JSON.parse(oas);
+}
+
 export async function getPackage() {
     try {
         const workspaceDir = await findWorkspaceDir('.');
