@directus/api 14.0.1 → 14.0.2

package/dist/auth/drivers/oauth2.js

@@ -54,8 +54,9 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
         return generators.codeVerifier();
     }
     generateAuthUrl(codeVerifier, prompt = false) {
+        const { plainCodeChallenge } = this.config;
         try {
-            const codeChallenge = generators.codeChallenge(codeVerifier);
+            const codeChallenge = plainCodeChallenge ? codeVerifier : generators.codeChallenge(codeVerifier);
             const paramsConfig = typeof this.config['params'] === 'object' ? this.config['params'] : {};
             return this.client.authorizationUrl({
                 scope: this.config['scope'] ?? 'email',
@@ -63,7 +64,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
                 prompt: prompt ? 'consent' : undefined,
                 ...paramsConfig,
                 code_challenge: codeChallenge,
-                code_challenge_method: 'S256',
+                code_challenge_method: plainCodeChallenge ? 'plain' : 'S256',
                 // Some providers require state even with PKCE
                 state: codeChallenge,
             });
@@ -85,10 +86,14 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
             logger.warn('[OAuth2] No code, codeVerifier or state in payload');
             throw new InvalidCredentialsError();
         }
+        const { plainCodeChallenge } = this.config;
         let tokenSet;
         let userInfo;
         try {
-            tokenSet = await this.client.oauthCallback(this.redirectUrl, { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: generators.codeChallenge(payload['codeVerifier']) });
+            const codeChallenge = plainCodeChallenge
+                ? payload['codeVerifier']
+                : generators.codeChallenge(payload['codeVerifier']);
+            tokenSet = await this.client.oauthCallback(this.redirectUrl, { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge });
             userInfo = await this.client.userinfo(tokenSet.access_token);
         }
         catch (e) {

package/dist/auth/drivers/openid.js

@@ -64,9 +64,10 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         return generators.codeVerifier();
     }
     async generateAuthUrl(codeVerifier, prompt = false) {
+        const { plainCodeChallenge } = this.config;
         try {
             const client = await this.client;
-            const codeChallenge = generators.codeChallenge(codeVerifier);
+            const codeChallenge = plainCodeChallenge ? codeVerifier : generators.codeChallenge(codeVerifier);
             const paramsConfig = typeof this.config['params'] === 'object' ? this.config['params'] : {};
             return client.authorizationUrl({
                 scope: this.config['scope'] ?? 'openid profile email',
@@ -74,7 +75,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
                 prompt: prompt ? 'consent' : undefined,
                 ...paramsConfig,
                 code_challenge: codeChallenge,
-                code_challenge_method: 'S256',
+                code_challenge_method: plainCodeChallenge ? 'plain' : 'S256',
                 // Some providers require state even with PKCE
                 state: codeChallenge,
                 nonce: codeChallenge,
@@ -97,11 +98,14 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             logger.warn('[OpenID] No code, codeVerifier or state in payload');
             throw new InvalidCredentialsError();
         }
+        const { plainCodeChallenge } = this.config;
         let tokenSet;
         let userInfo;
         try {
             const client = await this.client;
-            const codeChallenge = generators.codeChallenge(payload['codeVerifier']);
+            const codeChallenge = plainCodeChallenge
+                ? payload['codeVerifier']
+                : generators.codeChallenge(payload['codeVerifier']);
             tokenSet = await client.callback(this.redirectUrl, { code: payload['code'], state: payload['state'], iss: payload['iss'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge, nonce: codeChallenge });
             userInfo = tokenSet.claims();
             if (client.issuer.metadata['userinfo_endpoint']) {

package/dist/database/system-data/app-access-permissions/app-access-permissions.yaml

@@ -107,3 +107,8 @@
     - tfa_secret
     - status
     - role
+
+    # This is a temporary allowed field to help people migrate from
+    # 10.6 to 10.7 and should be removed in 10.8
+    # @TODO remove
+    - theme

package/dist/extensions/manager.js

@@ -566,7 +566,8 @@ export class ExtensionManager {
      */
     registerEndpoint(config, name) {
         const endpointRegistrationCallback = typeof config === 'function' ? config : config.handler;
-        const routeName = typeof config === 'function' ? name : config.id;
+        const nameWithoutType = name.includes(':') ? name.split(':')[0] : name;
+        const routeName = typeof config === 'function' ? nameWithoutType : config.id;
         const scopedRouter = express.Router();
         this.endpointRouter.use(`/${routeName}`, scopedRouter);
         endpointRegistrationCallback(scopedRouter, {

package/dist/middleware/validate-batch.js

@@ -2,6 +2,7 @@ import Joi from 'joi';
 import { InvalidPayloadError } from '@directus/errors';
 import asyncHandler from '../utils/async-handler.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
+import { validateQuery } from '../utils/validate-query.js';
 export const validateBatch = (scope) => asyncHandler(async (req, _res, next) => {
     if (req.method.toLowerCase() === 'get') {
         req.body = {};
@@ -18,6 +19,7 @@ export const validateBatch = (scope) => asyncHandler(async (req, _res, next) =>
     // In reads, the query in the body should override the query params for searching
     if (scope === 'read' && req.body.query) {
         req.sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        validateQuery(req.sanitizedQuery);
     }
     // Every cRUD action has either keys or query
     let batchSchema = Joi.object().keys({

package/dist/services/files.js

@@ -29,23 +29,23 @@ export class FilesService extends ItemsService {
      */
     async uploadOne(stream, data, primaryKey, opts) {
         const storage = await getStorage();
-        let existingFile = {};
+        let existingFile = null;
         if (primaryKey !== undefined) {
             existingFile =
                 (await this.knex
                     .select('folder', 'filename_download')
                     .from('directus_files')
                     .where({ id: primaryKey })
-                    .first()) ?? {};
+                    .first()) ?? null;
         }
-        const payload = { ...existingFile, ...clone(data) };
+        const payload = { ...(existingFile ?? {}), ...clone(data) };
         if ('folder' in payload === false) {
             const settings = await this.knex.select('storage_default_folder').from('directus_settings').first();
             if (settings?.storage_default_folder) {
                 payload.folder = settings.storage_default_folder;
             }
         }
-        if (primaryKey !== undefined) {
+        if (existingFile !== null && primaryKey !== undefined) {
             await this.updateOne(primaryKey, payload, { emitEvents: false });
             // If the file you're uploading already exists, we'll consider this upload a replace. In that case, we'll
             // delete the previously saved file and thumbnails to ensure they're generated fresh

package/dist/utils/delete-from-require-cache.js

@@ -1,5 +1,12 @@
 import { createRequire } from 'node:module';
+import logger from '../logger.js';
 const require = createRequire(import.meta.url);
 export function deleteFromRequireCache(modulePath) {
-    delete require.cache[require.resolve(modulePath)];
+    try {
+        const moduleCachePath = require.resolve(modulePath);
+        delete require.cache[moduleCachePath];
+    }
+    catch (error) {
+        logger.trace(`Module cache not found for ${modulePath}, skipped cache delete.`);
+    }
 }

package/dist/utils/sanitize-query.js

@@ -81,6 +81,7 @@ function sanitizeSort(rawSort) {
         fields = rawSort.split(',');
     else if (Array.isArray(rawSort))
         fields = rawSort;
+    fields = fields.map((field) => field.trim());
     return fields;
 }
 function sanitizeAggregate(rawAggregate) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "14.0.1",
+  "version": "14.0.2",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -144,23 +144,23 @@
     "ws": "8.14.2",
     "zod": "3.22.4",
     "zod-validation-error": "1.0.1",
-    "@directus/app": "10.11.0",
+    "@directus/app": "10.12.0",
     "@directus/constants": "11.0.1",
-    "@directus/errors": "0.2.0",
     "@directus/extensions": "0.1.1",
+    "@directus/errors": "0.2.0",
     "@directus/extensions-sdk": "10.1.14",
     "@directus/pressure": "1.0.12",
     "@directus/schema": "11.0.0",
     "@directus/specs": "10.2.1",
     "@directus/storage": "10.0.7",
     "@directus/storage-driver-azure": "10.0.13",
-    "@directus/storage-driver-cloudinary": "10.0.13",
     "@directus/storage-driver-gcs": "10.0.13",
-    "@directus/storage-driver-local": "10.0.13",
+    "@directus/storage-driver-cloudinary": "10.0.13",
     "@directus/storage-driver-s3": "10.0.13",
+    "@directus/storage-driver-local": "10.0.13",
     "@directus/storage-driver-supabase": "1.0.5",
-    "@directus/utils": "11.0.1",
-    "@directus/validation": "0.0.8"
+    "@directus/validation": "0.0.8",
+    "@directus/utils": "11.0.1"
   },
   "devDependencies": {
     "@ngneat/falso": "6.4.0",