directus-token-endpoint

v1.0.1

Directus extension endpoint to mint access and refresh tokens for authenticated users (desktop sessions)

directus-token-endpoint

Directus endpoint extension that mints access and refresh tokens for authenticated desktop sessions via a hardened /auth/mintsession route.

Overview

  • Introduces a dedicated endpoint that exchanges an authenticated Directus request for a fresh access/refresh token pair.
  • Persists refresh seeds in directus_sessions, mirroring core Directus semantics so existing administrative tooling continues to work.
  • Guards the flow with Directus accountability checks to ensure only logged-in users can mint desktop sessions.

Features

  • ✔️ Works with Directus v11+ endpoint interface.
  • ✔️ Generates cryptographically strong refresh seeds (48 random bytes, Base64URL encoded).
  • ✔️ Supports configurable refresh TTLs using native Directus duration strings (30m, 12h, 7d, etc.).
  • ✔️ Cleans up failed refresh attempts before surfacing errors to the caller.

Requirements

  • Directus ^11.0.0
  • Node.js 18+ (Directus 11 baseline).
  • Access to the Directus database so the endpoint can insert rows into directus_sessions.

Configuration

| Variable | Default | Description |
| --- | --- | --- |
| REFRESH_TOKEN_TTL | 30 days | Optional duration (e.g. 12h, 7d, 600000) that controls the lifetime of newly minted refresh tokens. Unsupported or missing values fall back to 30 days. |

The duration parser accepts raw millisecond numbers or suffixed strings using one of ms, s, m, h, d, w.
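The fallback rule means a mistyped REFRESH_TOKEN_TTL silently produces 30-day refresh tokens. The following is an added example, not the extension's own code: a re-implementation of the documented duration rules plus a configuration check that reports when the fallback applies. The function names, the case-sensitive suffix match, the rejection of zero, and the `maxMs` cap are assumptions.

```javascript
// Added example: hypothetical re-implementation of the documented TTL rules.
const DEFAULT_TTL_MS = 30 * 24 * 60 * 60 * 1000; // documented fallback: 30 days
const UNIT_MS = {
  ms: 1,
  s: 1000,
  m: 60 * 1000,
  h: 60 * 60 * 1000,
  d: 24 * 60 * 60 * 1000,
  w: 7 * 24 * 60 * 60 * 1000,
};

// Accepts a raw millisecond number ("600000") or a suffixed string ("30m", "7d").
// Returns { ms, fallback } so the caller can tell when the input was ignored.
function parseRefreshTtl(raw) {
  const text = raw === undefined || raw === null ? '' : String(raw).trim();
  const match = /^(\d+)(ms|s|m|h|d|w)?$/.exec(text);
  if (match) {
    const ms = Number(match[1]) * (match[2] ? UNIT_MS[match[2]] : 1);
    // Assumption: zero or overflowing lifetimes are treated as unsupported.
    if (ms > 0 && Number.isSafeInteger(ms)) return { ms, fallback: false };
  }
  return { ms: DEFAULT_TTL_MS, fallback: true };
}

// Startup check: report a value that was set but ignored, or one above a cap.
// maxMs is a hypothetical policy limit, not a setting of the extension.
function auditRefreshTtl(env, maxMs = DEFAULT_TTL_MS) {
  const raw = env.REFRESH_TOKEN_TTL;
  const { ms, fallback } = parseRefreshTtl(raw);
  const findings = [];
  if (fallback && raw !== undefined && String(raw).trim() !== '') {
    findings.push(`REFRESH_TOKEN_TTL=${JSON.stringify(raw)} is unsupported; 30-day default applies`);
  }
  if (ms > maxMs) {
    findings.push(`refresh lifetime ${ms} ms exceeds cap ${maxMs} ms`);
  }
  return { ms, findings };
}
```

Running `auditRefreshTtl(process.env)` at deploy time surfaces the "Custom TTL ignored" case before long-lived tokens are issued.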

Usage

Endpoint

  • Route: POST /auth/mintsession
  • Auth: Any valid Directus authentication method (cookie session, static token, personal access token).
  • Body: None required.

Example request:

curl -X POST https://your-directus.example.com/auth/mintsession \
  -H "Authorization: Bearer <existing_access_token>"

Example success response:

{
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIs...",
    "refreshToken": "g5H5...",
    "expiresIn": 3600,
    "issuedAt": "2025-01-01T12:00:00.000Z"
  }
}

Error responses

| HTTP | Code | When |
| --- | --- | --- |
| 403 | FORBIDDEN | Caller is anonymous or lacks req.accountability.user. |
| 500 | INTERNAL_SERVER_ERROR | Directus failed to mint access or refresh tokens after creating the session seed. |

Token flow

  1. Caller authenticates with any Directus-supported method.
  2. /auth/mintsession writes a session row with the computed TTL to directus_sessions.
  3. The Directus AuthenticationService runs refresh() with the new seed and emits access/refresh tokens plus expiry metadata.
  4. On failure, the inserted session record is deleted before propagating the error.
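The four steps above, sketched as an added example that is not the extension's shipped code. The `sessions` object is a constructed in-memory stand-in for directus_sessions and `auth` is a stand-in exposing only `refresh(seed)`; the function names and the row fields used here are assumptions.

```javascript
// Added example: hypothetical model of the mint flow with cleanup on failure.
const { randomBytes } = require('node:crypto');

// 48 random bytes, Base64URL encoded: 64 characters, no padding.
function newRefreshSeed() {
  return randomBytes(48).toString('base64url');
}

// Constructed in-memory stand-in for the directus_sessions table.
function memorySessions() {
  const rows = new Map();
  return {
    rows,
    insert: async (row) => { rows.set(row.token, row); },
    remove: async (token) => { rows.delete(token); },
  };
}

function httpError(status, code, message) {
  return Object.assign(new Error(message), { status, code });
}

// auth stands in for the Directus AuthenticationService; only refresh(seed) is called.
async function mintSession({ accountability, sessions, auth, ttlMs, now = new Date() }) {
  // Step 1: anonymous callers are rejected before anything is written.
  if (!accountability || !accountability.user) {
    throw httpError(403, 'FORBIDDEN', 'You must be authenticated');
  }
  // Step 2: persist the seed with the computed expiry.
  const seed = newRefreshSeed();
  await sessions.insert({
    token: seed,
    user: accountability.user,
    expires: new Date(now.getTime() + ttlMs),
  });
  try {
    // Step 3: exchange the seed for an access/refresh token pair.
    return await auth.refresh(seed);
  } catch (cause) {
    // Step 4: delete the seed first so a failed mint leaves no usable session row.
    await sessions.remove(seed);
    throw httpError(500, 'INTERNAL_SERVER_ERROR', 'Failed to mint desktop session tokens');
  }
}
```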

Development

  1. Clone the repo and run pnpm install.
  2. Modify the source (currently the shipped entrypoint lives in dist/index.js; feel free to author a src/ structure and transpile into dist/).
  3. Use pnpm pack or pnpm publish to ship updates, then bump the version in package.json.
  4. Test against a local Directus instance by linking the package (pnpm link --global -> pnpm link directus-token-endpoint inside Directus) or via the manual drop-in method above.

Troubleshooting

  • You must be authenticated: ensure your request includes a valid cookie or Authorization header. Personal access tokens must belong to users allowed to create sessions.
  • Failed to mint desktop session tokens: usually reflects database misconfiguration or revoked Directus secrets. Check that directus_sessions is writable and the Directus instance can sign JWTs.
  • Custom TTL ignored: confirm that REFRESH_TOKEN_TTL is set in the Directus runtime environment (not only in .env.example) and uses a supported suffix.

License

Released under the MIT License.