@directus/api 17.0.1 → 18.0.0

package/dist/middleware/extract-token.js

@@ -1,12 +1,16 @@
+import { InvalidPayloadError } from '@directus/errors';
+import { useEnv } from '@directus/env';
 /**
- * Extract access token from:
+ * Extract access token from
  *
- * Authorization: Bearer
- * access_token query parameter
+ * - 'access_token' query parameter
+ * - 'Authorization' header
+ * - Session cookie
  *
- * and store in req.token
+ * and store it under req.token
  */
 const extractToken = (req, _res, next) => {
+    const env = useEnv();
     let token = null;
     if (req.query && req.query['access_token']) {
         token = req.query['access_token'];
@@ -14,16 +18,28 @@ const extractToken = (req, _res, next) => {
     if (req.headers && req.headers.authorization) {
         const parts = req.headers.authorization.split(' ');
         if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
+            if (token !== null) {
+                /*
+                 * RFC6750 compliance (https://datatracker.ietf.org/doc/html/rfc6750#section-2)
+                 * > Clients MUST NOT use more than one method to transmit the token in each request.
+                 */
+                throw new InvalidPayloadError({
+                    reason: 'The request uses more than one method for including an access token',
+                });
+            }
             token = parts[1];
         }
     }
-    /**
-     * @TODO
-     * Look into RFC6750 compliance:
-     * In order to be fully compliant with RFC6750, we have to throw a 400 error when you have the
-     * token in more than 1 place afaik. We also might have to support "access_token" as a post body
-     * key
-     */
+    if (req.cookies && req.cookies[env['SESSION_COOKIE_NAME']]) {
+        /*
+         * Exclude session cookie from "RFC6750 multi auth method" rule, e.g.
+         * - allow using a different token to perform requests from within the Data Studio (static token in WYSIWYG interface / Extensions)
+         * - to not break external apps running under the same domain as the Data Studio while using a different method
+         */
+        if (token === null) {
+            token = req.cookies[env['SESSION_COOKIE_NAME']];
+        }
+    }
     req.token = token;
     next();
 };

package/dist/middleware/merge-content-versions.d.ts

@@ -0,0 +1,2 @@
+import type { RequestHandler } from 'express';
+export declare const mergeContentVersions: RequestHandler;

package/dist/middleware/merge-content-versions.js

@@ -0,0 +1,26 @@
+import { isObject } from '@directus/utils';
+import { VersionsService } from '../services/versions.js';
+import asyncHandler from '../utils/async-handler.js';
+import { mergeVersionsRaw, mergeVersionsRecursive } from '../utils/merge-version-data.js';
+export const mergeContentVersions = asyncHandler(async (req, res, next) => {
+    if (req.sanitizedQuery.version &&
+        req.collection &&
+        (req.singleton || req.params['pk']) &&
+        'data' in res.locals['payload']) {
+        const originalData = res.locals['payload'].data;
+        // only act on single item requests
+        if (!isObject(originalData))
+            return next();
+        const versionsService = new VersionsService({ accountability: req.accountability ?? null, schema: req.schema });
+        const versionData = await versionsService.getVersionSaves(req.sanitizedQuery.version, req.collection, req.params['pk']);
+        if (!versionData || versionData.length === 0)
+            return next();
+        if (req.sanitizedQuery.versionRaw) {
+            res.locals['payload'].data = mergeVersionsRaw(originalData, versionData);
+        }
+        else {
+            res.locals['payload'].data = mergeVersionsRecursive(originalData, versionData, req.collection, req.schema);
+        }
+    }
+    return next();
+});

package/dist/middleware/respond.js

@@ -1,10 +1,8 @@
 import { useEnv } from '@directus/env';
 import { parse as parseBytesConfiguration } from 'bytes';
-import { assign } from 'lodash-es';
 import { getCache, setCacheValue } from '../cache.js';
 import { useLogger } from '../logger.js';
 import { ExportService } from '../services/import-export.js';
-import { VersionsService } from '../services/versions.js';
 import asyncHandler from '../utils/async-handler.js';
 import { getCacheControlHeader } from '../utils/get-cache-headers.js';
 import { getCacheKey } from '../utils/get-cache-key.js';
@@ -21,16 +19,6 @@ export const respond = asyncHandler(async (req, res) => {
         const maxSize = parseBytesConfiguration(env['CACHE_VALUE_MAX_SIZE']);
         exceedsMaxSize = valueSize > maxSize;
     }
-    if (req.sanitizedQuery.version &&
-        req.collection &&
-        (req.singleton || req.params['pk']) &&
-        'data' in res.locals['payload']) {
-        const versionsService = new VersionsService({ accountability: req.accountability ?? null, schema: req.schema });
-        const saves = await versionsService.getVersionSaves(req.sanitizedQuery.version, req.collection, req.params['pk']);
-        if (saves) {
-            assign(res.locals['payload'].data, ...saves);
-        }
-    }
     if ((req.method.toLowerCase() === 'get' || req.originalUrl?.startsWith('/graphql')) &&
         env['CACHE_ENABLED'] === true &&
         cache &&

package/dist/middleware/validate-batch.d.ts

@@ -1,3 +1,4 @@
 /// <reference types="qs" />
 /// <reference types="express" />
+/// <reference types="cookie-parser" />
 export declare const validateBatch: (scope: 'read' | 'update' | 'delete') => (req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>, res: import("express").Response<any, Record<string, any>>, next: import("express").NextFunction) => Promise<void>;

package/dist/operations/item-update/index.js

@@ -32,7 +32,10 @@ export default defineOperationApi({
             return null;
         }
         let result;
-        if (!key || (Array.isArray(key) && key.length === 0)) {
+        if (Array.isArray(payloadObject)) {
+            result = await itemsService.updateBatch(payloadObject, { emitEvents: !!emitEvents });
+        }
+        else if (!key || (Array.isArray(key) && key.length === 0)) {
             result = await itemsService.updateByQuery(sanitizedQueryObject, payloadObject, { emitEvents: !!emitEvents });
         }
         else {

package/dist/request/agent-with-ip-validation.d.ts

@@ -5,7 +5,7 @@ import type { Agent, ClientRequestArgs } from 'node:http';
  * https://github.com/nodejs/node/blob/8a41d9b636be86350cd32847c3f89d327c4f6ff7/lib/_http_agent.js#L215
  */
 export type _Agent = Agent & {
-    createConnection: NonNullable<ClientRequestArgs['createConnection']>;
+    createConnection: ClientRequestArgs['createConnection'];
 };
 /** Extends a HTTP agent with IP validation */
 export declare const agentWithIpValidation: (agent: Agent) => Agent;

package/dist/request/agent-with-ip-validation.js

@@ -21,7 +21,11 @@ export const agentWithIpValidation = (agent) => {
          */
         if (isIP(host) !== 0 && isDeniedIp(host))
             throw deniedError(host);
-        const socket = createConnection.call(this, options, oncreate);
+        const socket = createConnection?.call(this, options, oncreate);
+        // Unexpected, but in that case the request is denied to be on the safe side
+        if (!socket) {
+            throw new Error('Request cannot be verified due to lost socket');
+        }
         // Emitted after resolving the host name but before connecting.
         socket.on('lookup', (error, address) => {
             if (error || !isDeniedIp(address))

package/dist/services/activity.js

@@ -2,9 +2,9 @@ import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { ErrorCode, isDirectusError } from '@directus/errors';
 import { uniq } from 'lodash-es';
-import validateUUID from 'uuid-validate';
 import { useLogger } from '../logger.js';
 import { getPermissions } from '../utils/get-permissions.js';
+import { isValidUuid } from '../utils/is-valid-uuid.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
 import { AuthorizationService } from './authorization.js';
@@ -55,8 +55,8 @@ export class ActivityService extends ItemsService {
                     let comment = data['comment'];
                     for (const mention of mentions) {
                         const uuid = mention.substring(1);
-                        // We only match on UUIDs in the first place. This is just an extra sanity check
-                        if (validateUUID(uuid) === false)
+                        // We only match on UUIDs in the first place. This is just an extra sanity check.
+                        if (isValidUuid(uuid) === false)
                             continue;
                         comment = comment.replace(new RegExp(mention, 'gm'), userPreviews[uuid] ?? '@Unknown User');
                     }

package/dist/services/assets.js

@@ -5,12 +5,12 @@ import { contentType } from 'mime-types';
 import hash from 'object-hash';
 import path from 'path';
 import sharp from 'sharp';
-import validateUUID from 'uuid-validate';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
+import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
 import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
@@ -39,8 +39,7 @@ export class AssetsService {
          * with a wrong type. In case of directus_files where id is a uuid, we'll have to verify the
          * validity of the uuid ahead of time.
          */
-        const isValidUUID = validateUUID(id, 4);
-        if (isValidUUID === false)
+        if (!isValidUuid(id))
             throw new ForbiddenError();
         if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
             await this.authorizationService.checkAccess('read', 'directus_files', id);

package/dist/services/authentication.d.ts

@@ -14,8 +14,13 @@ export declare class AuthenticationService {
      * Password is optional to allow usage of this function within the SSO flow and extensions. Make sure
      * to handle password existence checks elsewhere
      */
-    login(providerName: string | undefined, payload: Record<string, any>, otp?: string): Promise<LoginResult>;
-    refresh(refreshToken: string): Promise<Record<string, any>>;
+    login(providerName: string | undefined, payload: Record<string, any>, options?: Partial<{
+        otp: string;
+        session: boolean;
+    }>): Promise<LoginResult>;
+    refresh(refreshToken: string, options?: Partial<{
+        session: boolean;
+    }>): Promise<LoginResult>;
     logout(refreshToken: string): Promise<void>;
     verifyPassword(userID: string, password: string): Promise<void>;
 }

package/dist/services/authentication.js

@@ -33,7 +33,7 @@ export class AuthenticationService {
      * Password is optional to allow usage of this function within the SSO flow and extensions. Make sure
      * to handle password existence checks elsewhere
      */
-    async login(providerName = DEFAULT_AUTH_PROVIDER, payload, otp) {
+    async login(providerName = DEFAULT_AUTH_PROVIDER, payload, options) {
         const { nanoid } = await import('nanoid');
         const STALL_TIME = env['LOGIN_STALL_TIME'];
         const timeStart = performance.now();
@@ -123,14 +123,14 @@ export class AuthenticationService {
             await stall(STALL_TIME, timeStart);
             throw e;
         }
-        if (user.tfa_secret && !otp) {
+        if (user.tfa_secret && !options?.otp) {
             emitStatus('fail');
             await stall(STALL_TIME, timeStart);
             throw new InvalidOtpError();
         }
-        if (user.tfa_secret && otp) {
+        if (user.tfa_secret && options?.otp) {
             const tfaService = new TFAService({ knex: this.knex, schema: this.schema });
-            const otpValid = await tfaService.verifyOTP(user.id, otp);
+            const otpValid = await tfaService.verifyOTP(user.id, options?.otp);
             if (otpValid === false) {
                 emitStatus('fail');
                 await stall(STALL_TIME, timeStart);
@@ -143,6 +143,11 @@ export class AuthenticationService {
             app_access: user.app_access,
             admin_access: user.admin_access,
         };
+        const refreshToken = nanoid(64);
+        const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
+        if (options?.session) {
+            tokenPayload.session = refreshToken;
+        }
         const customClaims = await emitter.emitFilter('auth.jwt', tokenPayload, {
             status: 'pending',
             user: user?.id,
@@ -153,12 +158,11 @@ export class AuthenticationService {
             schema: this.schema,
             accountability: this.accountability,
         });
+        const TTL = env[options?.session ? 'SESSION_COOKIE_TTL' : 'ACCESS_TOKEN_TTL'];
         const accessToken = jwt.sign(customClaims, env['SECRET'], {
-            expiresIn: env['ACCESS_TOKEN_TTL'],
+            expiresIn: TTL,
             issuer: 'directus',
         });
-        const refreshToken = nanoid(64);
-        const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
         await this.knex('directus_sessions').insert({
             token: refreshToken,
             user: user.id,
@@ -188,11 +192,11 @@ export class AuthenticationService {
         return {
             accessToken,
             refreshToken,
-            expires: getMilliseconds(env['ACCESS_TOKEN_TTL']),
+            expires: getMilliseconds(TTL),
             id: user.id,
         };
     }
-    async refresh(refreshToken) {
+    async refresh(refreshToken, options) {
         const { nanoid } = await import('nanoid');
         const STALL_TIME = env['LOGIN_STALL_TIME'];
         const timeStart = performance.now();
@@ -269,12 +273,17 @@ export class AuthenticationService {
                 admin_access: record.role_admin_access,
             });
         }
+        const newRefreshToken = nanoid(64);
+        const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
         const tokenPayload = {
             id: record.user_id,
             role: record.role_id,
             app_access: record.role_app_access,
             admin_access: record.role_admin_access,
         };
+        if (options?.session) {
+            tokenPayload.session = newRefreshToken;
+        }
         if (record.share_id) {
             tokenPayload.share = record.share_id;
             tokenPayload.role = record.share_role;
@@ -296,12 +305,11 @@ export class AuthenticationService {
             schema: this.schema,
             accountability: this.accountability,
         });
+        const TTL = env[options?.session ? 'SESSION_COOKIE_TTL' : 'ACCESS_TOKEN_TTL'];
         const accessToken = jwt.sign(customClaims, env['SECRET'], {
-            expiresIn: env['ACCESS_TOKEN_TTL'],
+            expiresIn: TTL,
             issuer: 'directus',
         });
-        const newRefreshToken = nanoid(64);
-        const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
         await this.knex('directus_sessions')
             .update({
             token: newRefreshToken,
@@ -314,7 +322,7 @@ export class AuthenticationService {
         return {
             accessToken,
             refreshToken: newRefreshToken,
-            expires: getMilliseconds(env['ACCESS_TOKEN_TTL']),
+            expires: getMilliseconds(TTL),
             id: record.user_id,
         };
     }

package/dist/services/extensions.d.ts

@@ -15,10 +15,11 @@ export declare class ExtensionsService {
     extensionsItemService: ItemsService<ExtensionSettings>;
     extensionsManager: ExtensionManager;
     constructor(options: AbstractServiceOptions);
+    install(extensionId: string, versionId: string): Promise<void>;
     readAll(): Promise<ApiOutput[]>;
-    readOne(bundle: string | null, name: string): Promise<ApiOutput>;
-    updateOne(bundle: string | null, name: string, data: DeepPartial<ApiOutput>): Promise<ApiOutput>;
-    private getKey;
+    readOne(id: string): Promise<ApiOutput>;
+    updateOne(id: string, data: DeepPartial<ApiOutput>): Promise<ApiOutput>;
+    deleteOne(id: string): Promise<void>;
     /**
      * Sync a bundles enabled status
      *  - If the extension or extensions parent is not a bundle changes are skipped
@@ -29,9 +30,4 @@ export declare class ExtensionsService {
      *    - Entry status change resulted in at least one child being enabled then the parent bundle is enabled
      */
     private checkBundleAndSyncStatus;
-    /**
-     * Combine the settings stored in the database with the information available from the installed
-     * extensions into the standardized extensions api output
-     */
-    private stitch;
 }

package/dist/services/extensions.js

@@ -1,6 +1,7 @@
-import { ForbiddenError, InvalidPayloadError, UnprocessableContentError } from '@directus/errors';
+import { useEnv } from '@directus/env';
+import { ForbiddenError, InvalidPayloadError, LimitExceededError, UnprocessableContentError } from '@directus/errors';
+import { describe } from '@directus/extensions-registry';
 import { isObject } from '@directus/utils';
-import { omit, pick } from 'lodash-es';
 import getDatabase from '../database/index.js';
 import { getExtensionManager } from '../extensions/index.js';
 import { ItemsService } from './items.js';
@@ -28,21 +29,88 @@ export class ExtensionsService {
             accountability: this.accountability,
         });
     }
+    async install(extensionId, versionId) {
+        const env = useEnv();
+        const describeOptions = {};
+        if (typeof env['MARKETPLACE_REGISTRY'] === 'string') {
+            describeOptions.registry = env['MARKETPLACE_REGISTRY'];
+        }
+        const extension = await describe(extensionId, describeOptions);
+        const version = extension.data.versions.find((version) => version.id === versionId);
+        if (!version) {
+            throw new ForbiddenError();
+        }
+        const limit = env['EXTENSIONS_LIMIT'] ? Number(env['EXTENSIONS_LIMIT']) : null;
+        if (limit !== null) {
+            const currentlyInstalledCount = this.extensionsManager.extensions.length;
+            /**
+             * Bundle extensions should be counted as the number of nested entries rather than a single
+             * extension to avoid a vulnerability where you can get around the technical limit by bundling
+             * all extensions you want
+             */
+            const points = version.bundled.length ?? 1;
+            const afterInstallCount = currentlyInstalledCount + points;
+            if (afterInstallCount >= limit) {
+                throw new LimitExceededError();
+            }
+        }
+        await this.extensionsItemService.createOne({
+            id: extensionId,
+            enabled: true,
+            folder: versionId,
+            source: 'registry',
+            bundle: null,
+        });
+        if (extension.data.type === 'bundle' && version.bundled.length > 0) {
+            await this.extensionsItemService.createMany(version.bundled.map((entry) => ({
+                enabled: true,
+                folder: entry.name,
+                source: 'registry',
+                bundle: extensionId,
+            })));
+        }
+        await this.extensionsManager.install(versionId);
+    }
     async readAll() {
-        const installedExtensions = this.extensionsManager.getExtensions();
-        const configuredExtensions = await this.extensionsItemService.readByQuery({ limit: -1 });
-        return this.stitch(installedExtensions, configuredExtensions);
+        const settings = await this.extensionsItemService.readByQuery({ limit: -1 });
+        const regular = settings.filter(({ bundle }) => bundle === null);
+        const bundled = settings.filter(({ bundle }) => bundle !== null);
+        const output = [];
+        for (const meta of regular) {
+            output.push({
+                id: meta.id,
+                bundle: meta.bundle,
+                meta: meta,
+                schema: this.extensionsManager.getExtension(meta.source, meta.folder) ?? null,
+            });
+        }
+        for (const meta of bundled) {
+            const parentBundle = output.find((ext) => ext.id === meta.bundle);
+            if (!parentBundle)
+                continue;
+            const schema = parentBundle.schema?.entries.find((entry) => entry.name === meta.folder);
+            if (!schema)
+                continue;
+            output.push({
+                id: meta.id,
+                bundle: meta.bundle,
+                meta: meta,
+                schema: schema,
+            });
+        }
+        return output;
     }
-    async readOne(bundle, name) {
-        const key = this.getKey(bundle, name);
-        const schema = this.extensionsManager.getExtensions().find((extension) => extension.name === (bundle ?? name));
-        const meta = await this.extensionsItemService.readOne(key);
-        const stitched = this.stitch(schema ? [schema] : [], [meta])[0];
-        if (stitched)
-            return stitched;
-        throw new ForbiddenError();
+    async readOne(id) {
+        const meta = await this.extensionsItemService.readOne(id);
+        const schema = this.extensionsManager.getExtension(meta.source, meta.folder) ?? null;
+        return {
+            id: meta.id,
+            bundle: meta.bundle,
+            schema,
+            meta,
+        };
     }
-    async updateOne(bundle, name, data) {
+    async updateOne(id, data) {
         const result = await this.knex.transaction(async (trx) => {
             if (!isObject(data.meta)) {
                 throw new InvalidPayloadError({ reason: `"meta" is required` });
@@ -52,25 +120,32 @@ export class ExtensionsService {
                 accountability: this.accountability,
                 schema: this.schema,
             });
-            const key = this.getKey(bundle, name);
-            await service.extensionsItemService.updateOne(key, data.meta);
+            await service.extensionsItemService.updateOne(id, data.meta);
             let extension;
             try {
-                extension = await service.readOne(bundle, name);
+                extension = await service.readOne(id);
             }
             catch (error) {
                 throw new ExtensionReadError(error);
             }
             if ('enabled' in data.meta) {
-                await service.checkBundleAndSyncStatus(trx, extension);
+                await service.checkBundleAndSyncStatus(trx, id, extension);
             }
             return extension;
         });
         this.extensionsManager.reload();
         return result;
     }
-    getKey(bundle, name) {
-        return bundle ? `${bundle}/${name}` : name;
+    async deleteOne(id) {
+        const settings = await this.extensionsItemService.readOne(id);
+        if (settings.source !== 'registry') {
+            throw new InvalidPayloadError({
+                reason: 'Cannot uninstall extensions that were not installed from the marketplace registry',
+            });
+        }
+        await this.extensionsItemService.deleteOne(id);
+        await this.extensionsItemService.deleteByQuery({ filter: { bundle: { _eq: id } } });
+        await this.extensionsManager.uninstall(settings.folder);
     }
     /**
      * Sync a bundles enabled status
@@ -81,16 +156,16 @@ export class ExtensionsService {
      *    - Entry status change resulted in all children being disabled then the parent bundle is disabled
      *    - Entry status change resulted in at least one child being enabled then the parent bundle is enabled
      */
-    async checkBundleAndSyncStatus(trx, extension) {
-        if (extension.bundle === null) {
-            if (extension.schema?.type === 'bundle') {
-                await trx('directus_extensions')
-                    .update({ enabled: extension.meta.enabled })
-                    .where('name', 'LIKE', this.getKey(extension.name, '%'));
-            }
+    async checkBundleAndSyncStatus(trx, bundleId, extension) {
+        if (extension.bundle === null && extension.schema?.type === 'bundle') {
+            // If extension is the parent bundle, set it and all nested extensions to enabled
+            await trx('directus_extensions')
+                .update({ enabled: extension.meta.enabled })
+                .where({ bundle: bundleId })
+                .orWhere({ id: bundleId });
             return;
         }
-        const parent = await this.readOne(null, extension.bundle);
+        const parent = await this.readOne(bundleId);
         if (parent.schema?.type !== 'bundle') {
             return;
         }
@@ -99,73 +174,15 @@ export class ExtensionsService {
                 reason: 'Unable to toggle status of an entry for a bundle marked as non partial',
             });
         }
-        const child = await trx('directus_extensions')
-            .where('name', 'LIKE', this.getKey(extension.bundle, '%'))
+        const hasEnabledChildren = !!(await trx('directus_extensions')
+            .where({ bundle: bundleId })
             .where({ enabled: true })
-            .first();
-        if (!child && parent.meta.enabled) {
-            await trx('directus_extensions').update({ enabled: false }).where({ name: parent.name });
+            .first());
+        if (hasEnabledChildren) {
+            await trx('directus_extensions').update({ enabled: true }).where({ id: bundleId });
         }
-        else if (child && !parent.meta.enabled) {
-            await trx('directus_extensions').update({ enabled: true }).where({ name: parent.name });
+        else {
+            await trx('directus_extensions').update({ enabled: false }).where({ id: bundleId });
         }
     }
-    /**
-     * Combine the settings stored in the database with the information available from the installed
-     * extensions into the standardized extensions api output
-     */
-    stitch(installed, configured) {
-        /**
-         * On startup, the extensions manager will automatically create the rows for installed
-         * extensions that don't have configured settings yet, so there should always be equal or more
-         * settings rows than installed extensions.
-         */
-        return configured.map((meta) => {
-            let bundleName = null;
-            let name = meta.name;
-            if (name.includes('/')) {
-                const parts = name.split('/');
-                // NPM packages can have an optional organization scope in the format
-                // `@<org>/<package>`. This is limited to a single `/`.
-                //
-                // `foo` -> extension
-                // `foo/bar` -> bundle
-                // `@rijk/foo` -> extension
-                // `@rijk/foo/bar -> bundle
-                const hasOrg = parts.at(0).startsWith('@');
-                if (hasOrg && parts.length > 2) {
-                    name = parts.pop();
-                    bundleName = parts.join('/');
-                }
-                else if (hasOrg === false) {
-                    [bundleName, name] = parts;
-                }
-            }
-            let schema;
-            if (bundleName) {
-                const bundle = installed.find((extension) => extension.name === bundleName);
-                if (bundle && 'entries' in bundle) {
-                    const entry = bundle.entries.find((entry) => entry.name === name) ?? null;
-                    if (entry) {
-                        schema = {
-                            type: entry.type,
-                            local: bundle.local,
-                        };
-                    }
-                }
-                else {
-                    schema = null;
-                }
-            }
-            else {
-                schema = installed.find((extension) => extension.name === name) ?? null;
-            }
-            return {
-                name,
-                bundle: bundleName,
-                schema: schema ? pick(schema, 'type', 'local', 'version', 'partial') : null,
-                meta: omit(meta, 'name'),
-            };
-        });
-    }
 }