@directus/api 11.0.1 → 11.1.0

package/dist/services/websocket.js

@@ -0,0 +1,26 @@
+import { getWebSocketController } from '../websocket/controllers/index.js';
+import emitter from '../emitter.js';
+export class WebSocketService {
+    controller;
+    constructor() {
+        this.controller = getWebSocketController();
+    }
+    on(event, callback) {
+        emitter.onAction('websocket.' + event, callback);
+    }
+    off(event, callback) {
+        emitter.offAction('websocket.' + event, callback);
+    }
+    broadcast(message, filter) {
+        this.controller.clients.forEach((client) => {
+            if (filter && filter.user && filter.user !== client.accountability?.user)
+                return;
+            if (filter && filter.role && filter.role !== client.accountability?.role)
+                return;
+            client.send(typeof message === 'string' ? message : JSON.stringify(message));
+        });
+    }
+    clients() {
+        return this.controller.clients;
+    }
+}

package/dist/utils/apply-diff.js

@@ -121,7 +121,12 @@ export async function applyDiff(currentSnapshot, snapshotDiff, options) {
         // then continue with nested collections recursively
         await createCollections(snapshotDiff.collections.filter(filterCollectionsForCreation));
         // delete top level collections (no group) first, then continue with nested collections recursively
-        await deleteCollections(snapshotDiff.collections.filter(({ diff }) => diff[0]?.kind === DiffKind.DELETE && diff[0].lhs.meta?.group === null));
+        await deleteCollections(snapshotDiff.collections.filter(({ diff }) => {
+            if (diff.length === 0 || diff[0] === undefined)
+                return false;
+            const collectionDiff = diff[0];
+            return collectionDiff.kind === DiffKind.DELETE && collectionDiff.lhs?.meta?.group === null;
+        }));
         for (const { collection, diff } of snapshotDiff.collections) {
             if (diff?.[0]?.kind === DiffKind.EDIT || diff?.[0]?.kind === DiffKind.ARRAY) {
                 const currentCollection = currentSnapshot.collections.find((field) => {
@@ -198,7 +203,11 @@ export async function applyDiff(currentSnapshot, snapshotDiff, options) {
             }
             if (diff?.[0]?.kind === DiffKind.NEW) {
                 try {
-                    await relationsService.createOne(diff[0].rhs, mutationOptions);
+                    await relationsService.createOne({
+                        ...diff[0].rhs,
+                        collection,
+                        field,
+                    }, mutationOptions);
                 }
                 catch (err) {
                     logger.error(`Failed to create relation "${collection}.${field}"`);

package/dist/utils/apply-query.js

@@ -1,5 +1,6 @@
 import { getFilterOperatorsForType, getOutputTypeForFunction } from '@directus/utils';
 import { clone, isPlainObject } from 'lodash-es';
+import { customAlphabet } from 'nanoid/non-secure';
 import validate from 'uuid-validate';
 import { getHelpers } from '../database/helpers/index.js';
 import { InvalidQueryException } from '../exceptions/invalid-query.js';
@@ -7,8 +8,6 @@ import { getColumnPath } from './get-column-path.js';
 import { getColumn } from './get-column.js';
 import { getRelationInfo } from './get-relation-info.js';
 import { stripFunction } from './strip-function.js';
-// @ts-ignore
-import { customAlphabet } from 'nanoid/non-secure';
 export const generateAlias = customAlphabet('abcdefghijklmnopqrstuvwxyz', 5);
 /**
  * Apply the Query to a given Knex query builder instance
@@ -337,18 +336,18 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
             // Knex supports "raw" in the columnName parameter, but isn't typed as such. Too bad..
             // See https://github.com/knex/knex/issues/4518 @TODO remove as any once knex is updated
             // These operators don't rely on a value, and can thus be used without one (eg `?filter[field][_null]`)
-            if (operator === '_null' || (operator === '_nnull' && compareValue === false)) {
+            if ((operator === '_null' && compareValue !== false) || (operator === '_nnull' && compareValue === false)) {
                 dbQuery[logical].whereNull(selectionRaw);
             }
-            if (operator === '_nnull' || (operator === '_null' && compareValue === false)) {
+            if ((operator === '_nnull' && compareValue !== false) || (operator === '_null' && compareValue === false)) {
                 dbQuery[logical].whereNotNull(selectionRaw);
             }
-            if (operator === '_empty' || (operator === '_nempty' && compareValue === false)) {
+            if ((operator === '_empty' && compareValue !== false) || (operator === '_nempty' && compareValue === false)) {
                 dbQuery[logical].andWhere((query) => {
                     query.whereNull(key).orWhere(key, '=', '');
                 });
             }
-            if (operator === '_nempty' || (operator === '_empty' && compareValue === false)) {
+            if ((operator === '_nempty' && compareValue !== false) || (operator === '_empty' && compareValue === false)) {
                 dbQuery[logical].andWhere((query) => {
                     query.whereNotNull(key).andWhere(key, '!=', '');
                 });

package/dist/utils/get-accountability-for-token.d.ts

@@ -0,0 +1,2 @@
+import type { Accountability } from '@directus/types';
+export declare function getAccountabilityForToken(token?: string | null, accountability?: Accountability): Promise<Accountability>;

package/dist/utils/get-accountability-for-token.js

@@ -0,0 +1,50 @@
+import getDatabase from '../database/index.js';
+import isDirectusJWT from './is-directus-jwt.js';
+import { InvalidCredentialsException } from '../index.js';
+import env from '../env.js';
+import { verifyAccessJWT } from './jwt.js';
+export async function getAccountabilityForToken(token, accountability) {
+    if (!accountability) {
+        accountability = {
+            user: null,
+            role: null,
+            admin: false,
+            app: false,
+        };
+    }
+    if (token) {
+        if (isDirectusJWT(token)) {
+            const payload = verifyAccessJWT(token, env['SECRET']);
+            accountability.role = payload.role;
+            accountability.admin = payload.admin_access === true || payload.admin_access == 1;
+            accountability.app = payload.app_access === true || payload.app_access == 1;
+            if (payload.share)
+                accountability.share = payload.share;
+            if (payload.share_scope)
+                accountability.share_scope = payload.share_scope;
+            if (payload.id)
+                accountability.user = payload.id;
+        }
+        else {
+            // Try finding the user with the provided token
+            const database = getDatabase();
+            const user = await database
+                .select('directus_users.id', 'directus_users.role', 'directus_roles.admin_access', 'directus_roles.app_access')
+                .from('directus_users')
+                .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
+                .where({
+                'directus_users.token': token,
+                status: 'active',
+            })
+                .first();
+            if (!user) {
+                throw new InvalidCredentialsException();
+            }
+            accountability.user = user.id;
+            accountability.role = user.role;
+            accountability.admin = user.admin_access === true || user.admin_access == 1;
+            accountability.app = user.app_access === true || user.app_access == 1;
+        }
+    }
+    return accountability;
+}

package/dist/utils/get-service.d.ts

@@ -0,0 +1,7 @@
+import { ItemsService } from '../index.js';
+import type { AbstractServiceOptions } from '../types/services.js';
+/**
+ * Select the correct service for the given collection. This allows the individual services to run
+ * their custom checks (f.e. it allows UsersService to prevent updating TFA secret from outside)
+ */
+export declare function getService(collection: string, opts: AbstractServiceOptions): ItemsService;

package/dist/utils/get-service.js

@@ -0,0 +1,49 @@
+import { ActivityService, DashboardsService, FilesService, FlowsService, FoldersService, ItemsService, NotificationsService, OperationsService, PanelsService, PermissionsService, PresetsService, RevisionsService, RolesService, SettingsService, SharesService, UsersService, WebhooksService, } from '../index.js';
+/**
+ * Select the correct service for the given collection. This allows the individual services to run
+ * their custom checks (f.e. it allows UsersService to prevent updating TFA secret from outside)
+ */
+export function getService(collection, opts) {
+    switch (collection) {
+        case 'directus_activity':
+            return new ActivityService(opts);
+        // case 'directus_collections':
+        // 	return new CollectionsService(opts);
+        case 'directus_dashboards':
+            return new DashboardsService(opts);
+        // case 'directus_fields':
+        // 	return new FieldsService(opts);
+        case 'directus_files':
+            return new FilesService(opts);
+        case 'directus_flows':
+            return new FlowsService(opts);
+        case 'directus_folders':
+            return new FoldersService(opts);
+        case 'directus_notifications':
+            return new NotificationsService(opts);
+        case 'directus_operations':
+            return new OperationsService(opts);
+        case 'directus_panels':
+            return new PanelsService(opts);
+        case 'directus_permissions':
+            return new PermissionsService(opts);
+        case 'directus_presets':
+            return new PresetsService(opts);
+        // case 'directus_relations':
+        // 	return new RelationsService(opts);
+        case 'directus_revisions':
+            return new RevisionsService(opts);
+        case 'directus_roles':
+            return new RolesService(opts);
+        case 'directus_settings':
+            return new SettingsService(opts);
+        case 'directus_shares':
+            return new SharesService(opts);
+        case 'directus_users':
+            return new UsersService(opts);
+        case 'directus_webhooks':
+            return new WebhooksService(opts);
+        default:
+            return new ItemsService(collection, opts);
+    }
+}

package/dist/utils/redact.d.ts

@@ -8,4 +8,8 @@ type Paths = string[][];
  * @returns Redacted object.
  */
 export declare function redact(input: UnknownObject, paths: Paths, replacement: string): UnknownObject;
+/**
+ * Extract values from Error objects for use with JSON.stringify()
+ */
+export declare function errorReplacer(_key: string, value: unknown): unknown;
 export {};

package/dist/utils/redact.js

@@ -8,7 +8,7 @@ import { isObject } from '@directus/utils';
  */
 export function redact(input, paths, replacement) {
     const wildcardChars = ['*', '**'];
-    const clone = structuredClone(input);
+    const clone = JSON.parse(JSON.stringify(input, errorReplacer));
     const visited = new WeakSet();
     traverse(clone, paths);
     return clone;
@@ -73,3 +73,17 @@ export function redact(input, paths, replacement) {
         }
     }
 }
+/**
+ * Extract values from Error objects for use with JSON.stringify()
+ */
+export function errorReplacer(_key, value) {
+    if (value instanceof Error) {
+        return {
+            name: value.name,
+            message: value.message,
+            stack: value.stack,
+            cause: value.cause,
+        };
+    }
+    return value;
+}

package/dist/utils/to-boolean.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Convert environment variable to Boolean
+ */
+export declare function toBoolean(value: any): boolean;

package/dist/utils/to-boolean.js

@@ -0,0 +1,6 @@
+/**
+ * Convert environment variable to Boolean
+ */
+export function toBoolean(value) {
+    return value === 'true' || value === true || value === '1' || value === 1;
+}

package/dist/websocket/authenticate.d.ts

@@ -0,0 +1,6 @@
+import type { Accountability } from '@directus/types';
+import type { BasicAuthMessage } from './messages.js';
+import type { AuthenticationState } from './types.js';
+export declare function authenticateConnection(message: BasicAuthMessage & Record<string, any>): Promise<AuthenticationState>;
+export declare function refreshAccountability(accountability: Accountability | null | undefined): Promise<Accountability>;
+export declare function authenticationSuccess(uid?: string | number, refresh_token?: string): string;

package/dist/websocket/authenticate.js

@@ -0,0 +1,62 @@
+import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
+import getDatabase from '../database/index.js';
+import { InvalidCredentialsException } from '../exceptions/index.js';
+import { AuthenticationService } from '../services/index.js';
+import { getAccountabilityForRole } from '../utils/get-accountability-for-role.js';
+import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
+import { getSchema } from '../utils/get-schema.js';
+import { WebSocketException } from './exceptions.js';
+import { getExpiresAtForToken } from './utils/get-expires-at-for-token.js';
+export async function authenticateConnection(message) {
+    let access_token, refresh_token;
+    try {
+        if ('email' in message && 'password' in message) {
+            const authenticationService = new AuthenticationService({ schema: await getSchema() });
+            const { accessToken, refreshToken } = await authenticationService.login(DEFAULT_AUTH_PROVIDER, message);
+            access_token = accessToken;
+            refresh_token = refreshToken;
+        }
+        if ('refresh_token' in message) {
+            const authenticationService = new AuthenticationService({ schema: await getSchema() });
+            const { accessToken, refreshToken } = await authenticationService.refresh(message.refresh_token);
+            access_token = accessToken;
+            refresh_token = refreshToken;
+        }
+        if ('access_token' in message) {
+            access_token = message.access_token;
+        }
+        if (!access_token)
+            throw new Error();
+        const accountability = await getAccountabilityForToken(access_token);
+        const expires_at = getExpiresAtForToken(access_token);
+        return { accountability, expires_at, refresh_token };
+    }
+    catch (error) {
+        if (error instanceof InvalidCredentialsException && error.message === 'Token expired.') {
+            throw new WebSocketException('auth', 'TOKEN_EXPIRED', 'Token expired.', message['uid']);
+        }
+        throw new WebSocketException('auth', 'AUTH_FAILED', 'Authentication failed.', message['uid']);
+    }
+}
+export async function refreshAccountability(accountability) {
+    const result = await getAccountabilityForRole(accountability?.role || null, {
+        accountability: accountability || null,
+        schema: await getSchema(),
+        database: getDatabase(),
+    });
+    result.user = accountability?.user || null;
+    return result;
+}
+export function authenticationSuccess(uid, refresh_token) {
+    const message = {
+        type: 'auth',
+        status: 'ok',
+    };
+    if (uid !== undefined) {
+        message.uid = uid;
+    }
+    if (refresh_token !== undefined) {
+        message['refresh_token'] = refresh_token;
+    }
+    return JSON.stringify(message);
+}

package/dist/websocket/controllers/base.d.ts

@@ -0,0 +1,42 @@
+/// <reference types="node" resolution-mode="require"/>
+/// <reference types="node" resolution-mode="require"/>
+/// <reference types="node" resolution-mode="require"/>
+/// <reference types="node" resolution-mode="require"/>
+import type { IncomingMessage, Server as httpServer } from 'http';
+import type { ParsedUrlQuery } from 'querystring';
+import type { RateLimiterAbstract } from 'rate-limiter-flexible';
+import type internal from 'stream';
+import WebSocket from 'ws';
+import { AuthMode, WebSocketAuthMessage, WebSocketMessage } from '../messages.js';
+import type { AuthenticationState, UpgradeContext, WebSocketClient } from '../types.js';
+export default abstract class SocketController {
+    server: WebSocket.Server;
+    clients: Set<WebSocketClient>;
+    authentication: {
+        mode: AuthMode;
+        timeout: number;
+    };
+    endpoint: string;
+    maxConnections: number;
+    private rateLimiter;
+    private authInterval;
+    constructor(httpServer: httpServer, configPrefix: string);
+    protected getEnvironmentConfig(configPrefix: string): {
+        endpoint: string;
+        authentication: {
+            mode: AuthMode;
+            timeout: number;
+        };
+        maxConnections: number;
+    };
+    protected getRateLimiter(): RateLimiterAbstract | null;
+    protected handleUpgrade(request: IncomingMessage, socket: internal.Duplex, head: Buffer): Promise<void>;
+    protected handleStrictUpgrade({ request, socket, head }: UpgradeContext, query: ParsedUrlQuery): Promise<void>;
+    protected handleHandshakeUpgrade({ request, socket, head }: UpgradeContext): Promise<void>;
+    createClient(ws: WebSocket, { accountability, expires_at }: AuthenticationState): WebSocketClient;
+    protected parseMessage(data: string): WebSocketMessage;
+    protected handleAuthRequest(client: WebSocketClient, message: WebSocketAuthMessage): Promise<void>;
+    setTokenExpireTimer(client: WebSocketClient): void;
+    checkClientTokens(): void;
+    terminate(): void;
+}

package/dist/websocket/controllers/base.js

@@ -0,0 +1,276 @@
+import { parseJSON } from '@directus/utils';
+import { parse } from 'url';
+import { v4 as uuid } from 'uuid';
+import WebSocket, { WebSocketServer } from 'ws';
+import { fromZodError } from 'zod-validation-error';
+import emitter from '../../emitter.js';
+import env from '../../env.js';
+import { InvalidConfigException, TokenExpiredException } from '../../exceptions/index.js';
+import logger from '../../logger.js';
+import { createRateLimiter } from '../../rate-limiter.js';
+import { getAccountabilityForToken } from '../../utils/get-accountability-for-token.js';
+import { toBoolean } from '../../utils/to-boolean.js';
+import { authenticateConnection, authenticationSuccess } from '../authenticate.js';
+import { WebSocketException, handleWebSocketException } from '../exceptions.js';
+import { AuthMode, WebSocketAuthMessage, WebSocketMessage } from '../messages.js';
+import { getExpiresAtForToken } from '../utils/get-expires-at-for-token.js';
+import { getMessageType } from '../utils/message.js';
+import { waitForAnyMessage, waitForMessageType } from '../utils/wait-for-message.js';
+import { registerWebSocketEvents } from './hooks.js';
+const TOKEN_CHECK_INTERVAL = 15 * 60 * 1000; // 15 minutes
+export default class SocketController {
+    server;
+    clients;
+    authentication;
+    endpoint;
+    maxConnections;
+    rateLimiter;
+    authInterval;
+    constructor(httpServer, configPrefix) {
+        this.server = new WebSocketServer({ noServer: true });
+        this.clients = new Set();
+        this.authInterval = null;
+        const { endpoint, authentication, maxConnections } = this.getEnvironmentConfig(configPrefix);
+        this.endpoint = endpoint;
+        this.authentication = authentication;
+        this.maxConnections = maxConnections;
+        this.rateLimiter = this.getRateLimiter();
+        httpServer.on('upgrade', this.handleUpgrade.bind(this));
+        this.checkClientTokens();
+        registerWebSocketEvents();
+    }
+    getEnvironmentConfig(configPrefix) {
+        const endpoint = String(env[`${configPrefix}_PATH`]);
+        const authMode = AuthMode.safeParse(String(env[`${configPrefix}_AUTH`]).toLowerCase());
+        const authTimeout = Number(env[`${configPrefix}_AUTH_TIMEOUT`]) * 1000;
+        const maxConnections = `${configPrefix}_CONN_LIMIT` in env ? Number(env[`${configPrefix}_CONN_LIMIT`]) : Number.POSITIVE_INFINITY;
+        if (!authMode.success) {
+            throw new InvalidConfigException(fromZodError(authMode.error, { prefix: `${configPrefix}_AUTH` }).message);
+        }
+        return {
+            endpoint,
+            maxConnections,
+            authentication: {
+                mode: authMode.data,
+                timeout: authTimeout,
+            },
+        };
+    }
+    getRateLimiter() {
+        if (toBoolean(env['RATE_LIMITER_ENABLED']) === true) {
+            return createRateLimiter('RATE_LIMITER', {
+                keyPrefix: 'websocket',
+            });
+        }
+        return null;
+    }
+    async handleUpgrade(request, socket, head) {
+        const { pathname, query } = parse(request.url, true);
+        if (pathname !== this.endpoint)
+            return;
+        if (this.clients.size >= this.maxConnections) {
+            logger.debug('WebSocket upgrade denied - max connections reached');
+            socket.write('HTTP/1.1 403 Forbidden\r\n\r\n');
+            socket.destroy();
+            return;
+        }
+        const context = { request, socket, head };
+        if (this.authentication.mode === 'strict') {
+            await this.handleStrictUpgrade(context, query);
+            return;
+        }
+        if (this.authentication.mode === 'handshake') {
+            await this.handleHandshakeUpgrade(context);
+            return;
+        }
+        this.server.handleUpgrade(request, socket, head, async (ws) => {
+            const state = { accountability: null, expires_at: null };
+            this.server.emit('connection', ws, state);
+        });
+    }
+    async handleStrictUpgrade({ request, socket, head }, query) {
+        let accountability, expires_at;
+        try {
+            const token = query['access_token'];
+            accountability = await getAccountabilityForToken(token);
+            expires_at = getExpiresAtForToken(token);
+        }
+        catch {
+            accountability = null;
+            expires_at = null;
+        }
+        if (!accountability || !accountability.user) {
+            logger.debug('WebSocket upgrade denied - ' + JSON.stringify(accountability || 'invalid'));
+            socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+            socket.destroy();
+            return;
+        }
+        this.server.handleUpgrade(request, socket, head, async (ws) => {
+            const state = { accountability, expires_at };
+            this.server.emit('connection', ws, state);
+        });
+    }
+    async handleHandshakeUpgrade({ request, socket, head }) {
+        this.server.handleUpgrade(request, socket, head, async (ws) => {
+            try {
+                const payload = await waitForAnyMessage(ws, this.authentication.timeout);
+                if (getMessageType(payload) !== 'auth')
+                    throw new Error();
+                const state = await authenticateConnection(WebSocketAuthMessage.parse(payload));
+                ws.send(authenticationSuccess(payload['uid'], state.refresh_token));
+                this.server.emit('connection', ws, state);
+            }
+            catch {
+                logger.debug('WebSocket authentication handshake failed');
+                const error = new WebSocketException('auth', 'AUTH_FAILED', 'Authentication handshake failed.');
+                handleWebSocketException(ws, error, 'auth');
+                ws.close();
+            }
+        });
+    }
+    createClient(ws, { accountability, expires_at }) {
+        const client = ws;
+        client.accountability = accountability;
+        client.expires_at = expires_at;
+        client.uid = uuid();
+        client.auth_timer = null;
+        ws.on('message', async (data) => {
+            if (this.rateLimiter !== null) {
+                try {
+                    await this.rateLimiter.consume(client.uid);
+                }
+                catch (limit) {
+                    const timeout = limit?.msBeforeNext ?? this.rateLimiter.msDuration;
+                    const error = new WebSocketException('server', 'REQUESTS_EXCEEDED', `Too many messages, retry after ${timeout}ms.`);
+                    handleWebSocketException(client, error, 'server');
+                    logger.debug(`WebSocket#${client.uid} is rate limited`);
+                    return;
+                }
+            }
+            let message;
+            try {
+                message = this.parseMessage(data.toString());
+            }
+            catch (err) {
+                handleWebSocketException(client, err, 'server');
+                return;
+            }
+            if (getMessageType(message) === 'auth') {
+                try {
+                    await this.handleAuthRequest(client, WebSocketAuthMessage.parse(message));
+                }
+                catch {
+                    // ignore errors
+                }
+                return;
+            }
+            // this log cannot be higher in the function or it will leak credentials
+            logger.trace(`WebSocket#${client.uid} - ${JSON.stringify(message)}`);
+            ws.emit('parsed-message', message);
+        });
+        ws.on('error', () => {
+            logger.debug(`WebSocket#${client.uid} connection errored`);
+            if (client.auth_timer) {
+                clearTimeout(client.auth_timer);
+                client.auth_timer = null;
+            }
+            this.clients.delete(client);
+        });
+        ws.on('close', () => {
+            logger.debug(`WebSocket#${client.uid} connection closed`);
+            if (client.auth_timer) {
+                clearTimeout(client.auth_timer);
+                client.auth_timer = null;
+            }
+            this.clients.delete(client);
+        });
+        logger.debug(`WebSocket#${client.uid} connected`);
+        if (accountability) {
+            logger.trace(`WebSocket#${client.uid} authenticated as ${JSON.stringify(accountability)}`);
+        }
+        this.setTokenExpireTimer(client);
+        this.clients.add(client);
+        return client;
+    }
+    parseMessage(data) {
+        let message;
+        try {
+            message = WebSocketMessage.parse(parseJSON(data));
+        }
+        catch (err) {
+            throw new WebSocketException('server', 'INVALID_PAYLOAD', 'Unable to parse the incoming message.');
+        }
+        return message;
+    }
+    async handleAuthRequest(client, message) {
+        try {
+            const { accountability, expires_at, refresh_token } = await authenticateConnection(message);
+            client.accountability = accountability;
+            client.expires_at = expires_at;
+            this.setTokenExpireTimer(client);
+            emitter.emitAction('websocket.auth.success', { client });
+            client.send(authenticationSuccess(message.uid, refresh_token));
+            logger.trace(`WebSocket#${client.uid} authenticated as ${JSON.stringify(client.accountability)}`);
+        }
+        catch (error) {
+            logger.trace(`WebSocket#${client.uid} failed authentication`);
+            emitter.emitAction('websocket.auth.failure', { client });
+            client.accountability = null;
+            client.expires_at = null;
+            const _error = error instanceof WebSocketException
+                ? error
+                : new WebSocketException('auth', 'AUTH_FAILED', 'Authentication failed.', message.uid);
+            handleWebSocketException(client, _error, 'auth');
+            if (this.authentication.mode !== 'public') {
+                client.close();
+            }
+        }
+    }
+    setTokenExpireTimer(client) {
+        if (client.auth_timer !== null) {
+            // clear up old timeouts if needed
+            clearTimeout(client.auth_timer);
+            client.auth_timer = null;
+        }
+        if (!client.expires_at)
+            return;
+        const expiresIn = client.expires_at * 1000 - Date.now();
+        if (expiresIn > TOKEN_CHECK_INTERVAL)
+            return;
+        client.auth_timer = setTimeout(() => {
+            client.accountability = null;
+            client.expires_at = null;
+            handleWebSocketException(client, new TokenExpiredException(), 'auth');
+            waitForMessageType(client, 'auth', this.authentication.timeout).catch((msg) => {
+                const error = new WebSocketException('auth', 'AUTH_TIMEOUT', 'Authentication timed out.', msg?.uid);
+                handleWebSocketException(client, error, 'auth');
+                if (this.authentication.mode !== 'public') {
+                    client.close();
+                }
+            });
+        }, expiresIn);
+    }
+    checkClientTokens() {
+        this.authInterval = setInterval(() => {
+            if (this.clients.size === 0)
+                return;
+            // check the clients and set shorter timeouts if needed
+            for (const client of this.clients) {
+                if (client.expires_at === null || client.auth_timer !== null)
+                    continue;
+                this.setTokenExpireTimer(client);
+            }
+        }, TOKEN_CHECK_INTERVAL);
+    }
+    terminate() {
+        if (this.authInterval)
+            clearInterval(this.authInterval);
+        this.clients.forEach((client) => {
+            if (client.auth_timer)
+                clearTimeout(client.auth_timer);
+        });
+        this.server.clients.forEach((ws) => {
+            ws.terminate();
+        });
+    }
+}

package/dist/websocket/controllers/graphql.d.ts

@@ -0,0 +1,12 @@
+/// <reference types="node" resolution-mode="require"/>
+import type { Server } from 'graphql-ws';
+import type { Server as httpServer } from 'http';
+import type { GraphQLSocket, UpgradeContext, WebSocketClient } from '../types.js';
+import SocketController from './base.js';
+export declare class GraphQLSubscriptionController extends SocketController {
+    gql: Server<GraphQLSocket>;
+    constructor(httpServer: httpServer);
+    private bindEvents;
+    setTokenExpireTimer(client: WebSocketClient): void;
+    protected handleHandshakeUpgrade({ request, socket, head }: UpgradeContext): Promise<void>;
+}