@directus/api 17.1.0 → 18.0.0

package/dist/utils/filter-items.d.ts

@@ -1,2 +1,2 @@
-import type { Query } from '@directus/types';
-export declare function filterItems(items: Record<string, any>[], filter: Query['filter']): Record<string, any>[];
+import type { Item, Query } from '@directus/types';
+export declare function filterItems<T extends Item[]>(items: T, filter: Query['filter']): T;

package/dist/utils/filter-items.js

@@ -6,9 +6,7 @@ import { generateJoi } from '@directus/utils';
 export function filterItems(items, filter) {
     if (!filter)
         return items;
-    return items.filter((item) => {
-        return passesFilter(item, filter);
-    });
+    return items.filter((item) => passesFilter(item, filter));
     function passesFilter(item, filter) {
         if (!filter || Object.keys(filter).length === 0)
             return true;

package/dist/utils/get-cache-headers.d.ts

@@ -1,3 +1,4 @@
+/// <reference types="cookie-parser" />
 import type { Request } from 'express';
 /**
  * Returns the Cache-Control header for the current request

package/dist/utils/get-cache-key.d.ts

@@ -1,2 +1,3 @@
+/// <reference types="cookie-parser" />
 import type { Request } from 'express';
 export declare function getCacheKey(req: Request): string;

package/dist/utils/get-graphql-query-and-variables.d.ts

@@ -1,2 +1,3 @@
+/// <reference types="cookie-parser" />
 import type { Request } from 'express';
 export declare function getGraphqlQueryAndVariables(req: Request): Pick<any, "query" | "variables">;

package/dist/utils/get-ip-from-req.d.ts

@@ -1,2 +1,3 @@
+/// <reference types="cookie-parser" />
 import type { Request } from 'express';
 export declare function getIPFromReq(req: Request): string | null;

package/dist/utils/get-milliseconds.d.ts

@@ -1,4 +1,4 @@
 /**
  * Safely parse human readable time format into milliseconds
  */
-export declare function getMilliseconds<T>(value: unknown, fallback?: T): number | T;
+export declare function getMilliseconds<T = undefined>(value: unknown, fallback?: T): number | T;

package/dist/utils/get-milliseconds.js

@@ -1,5 +1,8 @@
 import ms from 'ms';
-export function getMilliseconds(value, fallback = undefined) {
+/**
+ * Safely parse human readable time format into milliseconds
+ */
+export function getMilliseconds(value, fallback) {
     if ((typeof value !== 'string' && typeof value !== 'number') || value === '') {
         return fallback;
     }

package/dist/utils/is-login-redirect-allowed.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Checks if the defined redirect after successful SSO login is in the allow list
+ */
+export declare function isLoginRedirectAllowed(redirect: unknown, provider: string): boolean;

package/dist/utils/is-login-redirect-allowed.js

@@ -0,0 +1,34 @@
+import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
+import isUrlAllowed from './is-url-allowed.js';
+/**
+ * Checks if the defined redirect after successful SSO login is in the allow list
+ */
+export function isLoginRedirectAllowed(redirect, provider) {
+    if (!redirect)
+        return true; // empty redirect
+    if (typeof redirect !== 'string')
+        return false; // invalid type
+    const env = useEnv();
+    const publicUrl = env['PUBLIC_URL'];
+    if (URL.canParse(redirect) === false) {
+        if (redirect.startsWith('//') === false) {
+            // should be a relative path like `/admin/test`
+            return true;
+        }
+        // domain without protocol `//example.com/test`
+        return false;
+    }
+    const { protocol: redirectProtocol, hostname: redirectDomain } = new URL(redirect);
+    const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
+    if (envKey in env) {
+        if (isUrlAllowed(redirect, [...toArray(env[envKey]), publicUrl]))
+            return true;
+    }
+    if (URL.canParse(publicUrl) === false) {
+        return false;
+    }
+    // allow redirects to the defined PUBLIC_URL
+    const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);
+    return `${redirectProtocol}//${redirectDomain}` === `${publicProtocol}//${publicDomain}`;
+}

package/dist/utils/is-url-allowed.d.ts

@@ -1,4 +1,4 @@
 /**
- * Check if url matches allow list either exactly or by domain+path
+ * Check if URL matches allow list either exactly or by origin (protocol+domain+port) + pathname
  */
 export default function isUrlAllowed(url: string, allowList: string | string[]): boolean;

package/dist/utils/is-url-allowed.js

@@ -2,7 +2,7 @@ import { toArray } from '@directus/utils';
 import { URL } from 'url';
 import { useLogger } from '../logger.js';
 /**
- * Check if url matches allow list either exactly or by domain+path
+ * Check if URL matches allow list either exactly or by origin (protocol+domain+port) + pathname
  */
 export default function isUrlAllowed(url, allowList) {
     const logger = useLogger();
@@ -12,8 +12,8 @@ export default function isUrlAllowed(url, allowList) {
     const parsedWhitelist = urlAllowList
         .map((allowedURL) => {
         try {
-            const { hostname, pathname } = new URL(allowedURL);
-            return hostname + pathname;
+            const { origin, pathname } = new URL(allowedURL);
+            return origin + pathname;
         }
         catch {
             logger.warn(`Invalid URL used "${url}"`);
@@ -22,8 +22,8 @@ export default function isUrlAllowed(url, allowList) {
     })
         .filter((f) => f);
     try {
-        const { hostname, pathname } = new URL(url);
-        return parsedWhitelist.includes(hostname + pathname);
+        const { origin, pathname } = new URL(url);
+        return parsedWhitelist.includes(origin + pathname);
     }
     catch {
         return false;

package/dist/utils/is-valid-uuid.d.ts

@@ -0,0 +1,3 @@
+type UUID = `${string}-${string}-${string}-${string}-${string}`;
+export declare function isValidUuid(value: string): value is UUID;
+export {};

package/dist/utils/is-valid-uuid.js

@@ -0,0 +1,21 @@
+/**
+ * Based on the patterns found in the 'uuid' and 'uuid-validate' npm packages, both of which are MIT licensed.
+ *
+ * The primary difference between this pattern and the patterns found in the referenced packages is that
+ * no validation over the version component (the 14th character) is performed, while the
+ * packages fail if the version is not a known one (only versions 1 through 5 are accepted).
+ *
+ * This specification complies with all major database vendors.
+ *
+ * e22f209d-9e85-4ef5-b1fe-7dc09d2b67cf
+ *               ^ version
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc4122
+ * @see https://github.com/uuidjs/uuid/blob/bc46e198ab06311a9d82d3c9c6222062dd27f760/src/regex.js
+ * @see https://github.com/microsoft/uuid-validate/blob/06554db1b093aa6bb429156fa8964e1cde2b750c/index.js
+ * @see https://github.com/directus/directus/issues/21573
+ */
+const regex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+export function isValidUuid(value) {
+    return regex.test(value);
+}

package/dist/utils/jwt.d.ts

@@ -1,3 +1,3 @@
 import type { DirectusTokenPayload } from '../types/index.js';
-export declare function verifyJWT(token: string, secret: string): Record<string, any>;
+export declare function verifyJWT(token: string, secret: string): Record<string, unknown>;
 export declare function verifyAccessJWT(token: string, secret: string): DirectusTokenPayload;

package/dist/utils/jwt.js

@@ -21,9 +21,9 @@ export function verifyJWT(token, secret) {
     return payload;
 }
 export function verifyAccessJWT(token, secret) {
-    const { id, role, app_access, admin_access, share, share_scope } = verifyJWT(token, secret);
-    if (role === undefined || app_access === undefined || admin_access === undefined) {
+    const payload = verifyJWT(token, secret);
+    if (payload.role === undefined || payload.app_access === undefined || payload.admin_access === undefined) {
         throw new InvalidTokenError();
     }
-    return { id, role, app_access, admin_access, share, share_scope };
+    return payload;
 }

package/dist/utils/merge-version-data.d.ts

@@ -0,0 +1,3 @@
+import type { Item, SchemaOverview } from '@directus/types';
+export declare function mergeVersionsRaw(item: Item, versionData: Partial<Item>[]): Item;
+export declare function mergeVersionsRecursive(item: Item, versionData: Item[], collection: string, schema: SchemaOverview): Item;

package/dist/utils/merge-version-data.js

@@ -0,0 +1,134 @@
+import Joi from 'joi';
+import { isObject } from '@directus/utils';
+import { cloneDeep } from 'lodash-es';
+const alterationSchema = Joi.object({
+    create: Joi.array().items(Joi.object().unknown()),
+    update: Joi.array().items(Joi.object().unknown()),
+    delete: Joi.array().items(Joi.string(), Joi.number()),
+});
+export function mergeVersionsRaw(item, versionData) {
+    const result = cloneDeep(item);
+    for (const versionRecord of versionData) {
+        for (const key of Object.keys(versionRecord)) {
+            result[key] = versionRecord[key];
+        }
+    }
+    return result;
+}
+export function mergeVersionsRecursive(item, versionData, collection, schema) {
+    if (versionData.length === 0)
+        return item;
+    return recursiveMerging(item, versionData, collection, schema);
+}
+function recursiveMerging(data, versionData, collection, schema) {
+    const result = cloneDeep(data);
+    const relations = getRelations(collection, schema);
+    for (const versionRecord of versionData) {
+        if (!isObject(versionRecord)) {
+            continue;
+        }
+        for (const key of Object.keys(data)) {
+            if (key in versionRecord === false) {
+                continue;
+            }
+            const currentValue = data[key];
+            const newValue = versionRecord[key];
+            if (typeof newValue !== 'object' || newValue === null) {
+                // primitive type substitution, json and non relational array values are handled in the next check
+                result[key] = newValue;
+                continue;
+            }
+            if (key in relations === false) {
+                // check for m2a exception
+                if (isManyToAnyCollection(collection, schema) && key === 'item') {
+                    const item = addMissingKeys(isObject(currentValue) ? currentValue : {}, newValue);
+                    result[key] = recursiveMerging(item, [newValue], data['collection'], schema);
+                }
+                else {
+                    // item is not a relation
+                    result[key] = newValue;
+                }
+                continue;
+            }
+            const { error } = alterationSchema.validate(newValue);
+            if (error) {
+                if (typeof newValue === 'object' && key in relations) {
+                    const newItem = !currentValue || typeof currentValue !== 'object' ? newValue : currentValue;
+                    result[key] = recursiveMerging(newItem, [newValue], relations[key], schema);
+                }
+                continue;
+            }
+            const alterations = newValue;
+            const currentPrimaryKeyField = schema.collections[collection].primary;
+            const relatedPrimaryKeyField = schema.collections[relations[key]].primary;
+            const mergedRelation = [];
+            if (Array.isArray(currentValue)) {
+                if (alterations.delete.length > 0) {
+                    for (const currentItem of currentValue) {
+                        const currentId = typeof currentItem === 'object' ? currentItem[currentPrimaryKeyField] : currentItem;
+                        if (alterations.delete.includes(currentId) === false) {
+                            mergedRelation.push(currentItem);
+                        }
+                    }
+                }
+                else {
+                    mergedRelation.push(...currentValue);
+                }
+                if (alterations.update.length > 0) {
+                    for (const updatedItem of alterations.update) {
+                        // find existing item to update
+                        const itemIndex = mergedRelation.findIndex((currentItem) => currentItem[relatedPrimaryKeyField] === updatedItem[currentPrimaryKeyField]);
+                        if (itemIndex === -1) {
+                            // check for raw primary keys
+                            const pkIndex = mergedRelation.findIndex((currentItem) => currentItem === updatedItem[currentPrimaryKeyField]);
+                            if (pkIndex === -1) {
+                                // nothing to update so add the item as is
+                                mergedRelation.push(updatedItem);
+                            }
+                            else {
+                                mergedRelation[pkIndex] = updatedItem;
+                            }
+                            continue;
+                        }
+                        const item = addMissingKeys(mergedRelation[itemIndex], updatedItem);
+                        mergedRelation[itemIndex] = recursiveMerging(item, [updatedItem], relations[key], schema);
+                    }
+                }
+            }
+            if (alterations.create.length > 0) {
+                for (const createdItem of alterations.create) {
+                    const item = addMissingKeys({}, createdItem);
+                    mergedRelation.push(recursiveMerging(item, [createdItem], relations[key], schema));
+                }
+            }
+            result[key] = mergedRelation;
+        }
+    }
+    return result;
+}
+function addMissingKeys(item, edits) {
+    const result = { ...item };
+    for (const key of Object.keys(edits)) {
+        if (key in item === false) {
+            result[key] = null;
+        }
+    }
+    return result;
+}
+function isManyToAnyCollection(collection, schema) {
+    const relation = schema.relations.find((relation) => relation.collection === collection && relation.meta?.many_collection === collection);
+    if (!relation || !relation.meta?.one_field || !relation.related_collection)
+        return false;
+    return Boolean(schema.collections[relation.related_collection]?.fields[relation.meta.one_field]?.special.includes('m2a'));
+}
+function getRelations(collection, schema) {
+    return schema.relations.reduce((result, relation) => {
+        if (relation.related_collection === collection && relation.meta?.one_field) {
+            result[relation.meta.one_field] = relation.collection;
+        }
+        if (relation.collection === collection && relation.related_collection) {
+            result[relation.field] = relation.related_collection;
+        }
+        return result;
+    }, {});
+}

package/dist/utils/sanitize-query.js

@@ -48,6 +48,8 @@ export function sanitizeQuery(rawQuery, accountability) {
     }
     if (rawQuery['version']) {
         query.version = rawQuery['version'];
+        // whether or not to merge the relational results
+        query.versionRaw = Boolean('versionRaw' in rawQuery && (rawQuery['versionRaw'] === '' || rawQuery['versionRaw'] === 'true'));
     }
     if (rawQuery['export']) {
         query.export = rawQuery['export'];

package/dist/utils/should-skip-cache.d.ts

@@ -1,3 +1,4 @@
+/// <reference types="cookie-parser" />
 import type { Request } from 'express';
 /**
  * Whether to skip caching for the current request

package/dist/utils/validate-keys.js

@@ -1,5 +1,5 @@
 import { ForbiddenError } from '@directus/errors';
-import validateUUID from 'uuid-validate';
+import { isValidUuid } from './is-valid-uuid.js';
 /**
  * Validate keys based on its type
  */
@@ -11,7 +11,7 @@ export function validateKeys(schema, collection, keyField, keys) {
     }
     else {
         const primaryKeyFieldType = schema.collections[collection]?.fields[keyField]?.type;
-        if (primaryKeyFieldType === 'uuid' && !validateUUID(String(keys))) {
+        if (primaryKeyFieldType === 'uuid' && !isValidUuid(String(keys))) {
             throw new ForbiddenError();
         }
         else if (primaryKeyFieldType === 'integer' && !Number.isInteger(Number(keys))) {

package/dist/utils/validate-query.js

@@ -22,6 +22,7 @@ const querySchema = Joi.object({
     search: Joi.string(),
     export: Joi.string().valid('csv', 'json', 'xml', 'yaml'),
     version: Joi.string(),
+    versionRaw: Joi.boolean(),
     aggregate: Joi.object(),
     deep: Joi.object(),
     alias: Joi.object(),

package/dist/websocket/controllers/base.js

@@ -1,8 +1,8 @@
 import { useEnv } from '@directus/env';
 import { InvalidProviderConfigError, TokenExpiredError } from '@directus/errors';
 import { parseJSON, toBoolean } from '@directus/utils';
+import { randomUUID } from 'node:crypto';
 import { parse } from 'url';
-import { v4 as uuid } from 'uuid';
 import WebSocket, { WebSocketServer } from 'ws';
 import { fromZodError } from 'zod-validation-error';
 import emitter from '../../emitter.js';
@@ -157,7 +157,7 @@ export default class SocketController {
         const client = ws;
         client.accountability = accountability;
         client.expires_at = expires_at;
-        client.uid = uuid();
+        client.uid = randomUUID();
         client.auth_timer = null;
         ws.on('message', async (data) => {
             if (this.rateLimiter !== null) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "17.1.0",
+  "version": "18.0.0",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -59,13 +59,13 @@
   ],
   "dependencies": {
     "@authenio/samlify-node-xmllint": "2.0.0",
-    "@aws-sdk/client-ses": "3.513.0",
+    "@aws-sdk/client-ses": "3.525.0",
     "@directus/format-title": "10.1.0",
     "@godaddy/terminus": "4.12.1",
     "@rollup/plugin-alias": "5.1.0",
     "@rollup/plugin-node-resolve": "15.2.3",
     "@rollup/plugin-virtual": "3.0.2",
-    "argon2": "0.31.2",
+    "argon2": "0.40.1",
     "async": "3.2.5",
     "axios": "1.6.7",
     "busboy": "1.6.0",
@@ -81,12 +81,12 @@
     "date-fns": "3.3.1",
     "deep-diff": "1.0.2",
     "destroy": "1.2.0",
-    "dotenv": "16.4.4",
+    "dotenv": "16.4.5",
     "encodeurl": "1.0.2",
     "eventemitter2": "6.4.9",
     "execa": "8.0.1",
     "exif-reader": "2.0.1",
-    "express": "4.18.2",
+    "express": "4.18.3",
     "flat": "6.0.1",
     "fs-extra": "11.2.0",
     "glob-to-regexp": "0.4.1",
@@ -99,7 +99,7 @@
     "ioredis": "5.3.2",
     "ip-matching": "2.1.2",
     "isolated-vm": "4.7.2",
-    "joi": "17.12.1",
+    "joi": "17.12.2",
     "js-yaml": "4.1.0",
     "js2xmlparser": "5.0.0",
     "json2csv": "5.0.7",
@@ -117,9 +117,9 @@
     "nanoid": "5.0.6",
     "node-machine-id": "1.1.12",
     "node-schedule": "2.1.1",
-    "nodemailer": "6.9.9",
+    "nodemailer": "6.9.11",
     "object-hash": "3.0.0",
-    "openapi3-ts": "4.2.1",
+    "openapi3-ts": "4.2.2",
     "openid-client": "5.6.4",
     "ora": "8.0.1",
     "otplib": "12.0.1",
@@ -131,41 +131,41 @@
     "pino-http-print": "3.1.0",
     "pino-pretty": "10.3.1",
     "qs": "6.11.2",
-    "rate-limiter-flexible": "4.0.1",
-    "rollup": "4.10.0",
-    "samlify": "2.8.10",
-    "sanitize-html": "2.12.0",
+    "rate-limiter-flexible": "5.0.0",
+    "rollup": "4.12.0",
+    "samlify": "2.8.11",
+    "sanitize-html": "2.12.1",
     "sharp": "0.33.2",
     "snappy": "7.2.2",
     "stream-json": "1.8.0",
+    "tar": "6.2.0",
     "tsx": "4.7.1",
-    "uuid": "9.0.1",
-    "uuid-validate": "0.0.3",
     "wellknown": "0.5.0",
     "ws": "8.16.0",
     "zod": "3.22.4",
-    "zod-validation-error": "3.0.2",
-    "@directus/app": "10.15.2",
+    "zod-validation-error": "3.0.3",
+    "@directus/app": "11.0.0",
     "@directus/constants": "11.0.3",
-    "@directus/errors": "0.2.3",
-    "@directus/env": "1.0.2",
-    "@directus/extensions": "0.3.3",
-    "@directus/extensions-sdk": "10.3.4",
-    "@directus/memory": "1.0.3",
+    "@directus/env": "1.0.3",
+    "@directus/errors": "0.2.4",
+    "@directus/extensions-registry": "1.0.0",
+    "@directus/extensions": "1.0.0",
+    "@directus/extensions-sdk": "11.0.0",
+    "@directus/memory": "1.0.4",
+    "@directus/pressure": "1.0.17",
     "@directus/schema": "11.0.1",
-    "@directus/specs": "10.2.6",
-    "@directus/pressure": "1.0.16",
-    "@directus/storage-driver-azure": "10.0.17",
-    "@directus/storage": "10.0.10",
-    "@directus/storage-driver-cloudinary": "10.0.17",
-    "@directus/storage-driver-gcs": "10.0.17",
-    "@directus/storage-driver-s3": "10.0.18",
-    "@directus/storage-driver-local": "10.0.17",
-    "@directus/storage-driver-supabase": "1.0.9",
-    "@directus/system-data": "1.0.0",
-    "@directus/utils": "11.0.5",
-    "directus": "10.9.3",
-    "@directus/validation": "0.0.12"
+    "@directus/specs": "10.2.7",
+    "@directus/storage": "10.0.11",
+    "@directus/storage-driver-azure": "10.0.18",
+    "@directus/storage-driver-cloudinary": "10.0.18",
+    "@directus/storage-driver-gcs": "10.0.18",
+    "@directus/storage-driver-s3": "10.0.19",
+    "@directus/storage-driver-local": "10.0.18",
+    "@directus/storage-driver-supabase": "1.0.10",
+    "@directus/system-data": "1.0.1",
+    "@directus/utils": "11.0.6",
+    "directus": "10.10.0",
+    "@directus/validation": "0.0.13"
   },
   "devDependencies": {
     "@ngneat/falso": "7.2.0",
@@ -173,7 +173,7 @@
     "@types/busboy": "1.5.3",
     "@types/bytes": "3.1.4",
     "@types/content-disposition": "0.5.8",
-    "@types/cookie-parser": "1.4.6",
+    "@types/cookie-parser": "1.4.7",
     "@types/cors": "2.8.17",
     "@types/deep-diff": "1.0.5",
     "@types/destroy": "1.0.3",
@@ -185,21 +185,20 @@
     "@types/inquirer": "9.0.7",
     "@types/js-yaml": "4.0.9",
     "@types/json2csv": "5.0.7",
-    "@types/jsonwebtoken": "9.0.5",
+    "@types/jsonwebtoken": "9.0.6",
     "@types/ldapjs": "2.2.5",
     "@types/lodash-es": "4.17.12",
     "@types/mime-types": "2.1.4",
     "@types/ms": "0.7.34",
-    "@types/node": "18.19.17",
+    "@types/node": "18.19.21",
     "@types/node-schedule": "2.1.6",
     "@types/nodemailer": "6.4.14",
     "@types/object-hash": "3.0.6",
     "@types/papaparse": "5.3.14",
-    "@types/qs": "6.9.11",
+    "@types/qs": "6.9.12",
     "@types/sanitize-html": "2.11.0",
     "@types/stream-json": "1.7.7",
-    "@types/uuid": "9.0.8",
-    "@types/uuid-validate": "0.0.3",
+    "@types/tar": "6.1.11",
     "@types/wellknown": "0.5.8",
     "@types/ws": "8.5.10",
     "@vitest/coverage-v8": "1.3.1",
@@ -207,10 +206,10 @@
     "form-data": "4.0.0",
     "knex-mock-client": "2.0.1",
     "typescript": "5.3.3",
-    "vitest": "1.3.0",
+    "vitest": "1.3.1",
+    "@directus/random": "0.2.7",
     "@directus/tsconfig": "1.0.1",
-    "@directus/random": "0.2.6",
-    "@directus/types": "11.0.6"
+    "@directus/types": "11.0.7"
   },
   "optionalDependencies": {
     "@keyv/redis": "2.8.4",
@@ -220,7 +219,7 @@
     "oracledb": "6.3.0",
     "pg": "8.11.3",
     "sqlite3": "5.1.7",
-    "tedious": "16.7.1"
+    "tedious": "17.0.0"
   },
   "engines": {
     "node": ">=18.17.0"
@@ -228,7 +227,7 @@
   "scripts": {
     "build": "tsc --project tsconfig.prod.json && copyfiles \"src/**/*.{yaml,liquid}\" -u 1 dist",
     "cli": "NODE_ENV=development SERVE_APP=false tsx src/cli/run.ts",
-    "dev": "NODE_ENV=development SERVE_APP=false tsx watch --clear-screen=false src/start.ts",
+    "dev": "NODE_ENV=development SERVE_APP=true tsx watch --clear-screen=false src/start.ts",
     "test": "vitest --watch=false"
   }
 }