@directus/api 19.0.1 → 19.1.0

package/dist/utils/apply-query.js

@@ -1,5 +1,6 @@
+import { NUMERIC_TYPES } from '@directus/constants';
 import { InvalidQueryError } from '@directus/errors';
-import { getFilterOperatorsForType, getOutputTypeForFunction } from '@directus/utils';
+import { getFilterOperatorsForType, getFunctionsForType, getOutputTypeForFunction, isIn } from '@directus/utils';
 import { clone, isPlainObject } from 'lodash-es';
 import { customAlphabet } from 'nanoid/non-secure';
 import { getHelpers } from '../database/helpers/index.js';
@@ -7,7 +8,8 @@ import { getColumnPath } from './get-column-path.js';
 import { getColumn } from './get-column.js';
 import { getRelationInfo } from './get-relation-info.js';
 import { isValidUuid } from './is-valid-uuid.js';
-import { stripFunction } from './strip-function.js';
+import { parseFilterKey } from './parse-filter-key.js';
+import { parseNumericString } from './parse-numeric-string.js';
 export const generateAlias = customAlphabet('abcdefghijklmnopqrstuvwxyz', 5);
 /**
  * Apply the Query to a given Knex query builder instance
@@ -30,7 +32,7 @@ export default function applyQuery(knex, collection, dbQuery, query, schema, opt
         }
     }
     if (query.search) {
-        applySearch(schema, dbQuery, query.search, collection);
+        applySearch(knex, schema, dbQuery, query.search, collection);
     }
     if (query.group) {
         dbQuery.groupBy(query.group.map((column) => getColumn(knex, collection, column, false, schema)));
@@ -84,7 +86,7 @@ function addJoin({ path, collection, aliasMap, rootQuery, schema, relations, kne
                 }
                 rootQuery.leftJoin({ [alias]: pathScope }, (joinClause) => {
                     joinClause
-                        .onVal(relation.meta.one_collection_field, '=', pathScope)
+                        .onVal(`${aliasedParentCollection}.${relation.meta.one_collection_field}`, '=', pathScope)
                         .andOn(`${aliasedParentCollection}.${relation.field}`, '=', knex.raw(getHelpers(knex).schema.castA2oPrimaryKey(), `${alias}.${schema.collections[pathScope].primary}`));
                 });
                 aliasMap[aliasKey].collection = pathScope;
@@ -93,7 +95,7 @@ function addJoin({ path, collection, aliasMap, rootQuery, schema, relations, kne
             else if (relationType === 'o2a') {
                 rootQuery.leftJoin({ [alias]: relation.collection }, (joinClause) => {
                     joinClause
-                        .onVal(relation.meta.one_collection_field, '=', parentCollection)
+                        .onVal(`${alias}.${relation.meta.one_collection_field}`, '=', parentCollection)
                         .andOn(`${alias}.${relation.field}`, '=', knex.raw(getHelpers(knex).schema.castA2oPrimaryKey(), `${aliasedParentCollection}.${schema.collections[parentCollection].primary}`));
                 });
                 aliasMap[aliasKey].collection = relation.collection;
@@ -288,7 +290,10 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
              */
             const pathRoot = filterPath[0].split(':')[0];
             const { relation, relationType } = getRelationInfo(relations, collection, pathRoot);
-            const { operator: filterOperator, value: filterValue } = getOperation(key, value);
+            const operation = getOperation(key, value);
+            if (!operation)
+                continue;
+            const { operator: filterOperator, value: filterValue } = operation;
             if (filterPath.length > 1 ||
                 (!(key.includes('(') && key.includes(')')) && schema.collections[collection]?.fields[key]?.type === 'alias')) {
                 if (!relation)
@@ -335,21 +340,32 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                 }
                 if (!columnPath)
                     continue;
-                const { type, special } = validateFilterField(schema.collections[targetCollection].fields, stripFunction(filterPath[filterPath.length - 1]), targetCollection);
+                const { type, special } = getFilterType(schema.collections[targetCollection].fields, filterPath.at(-1), targetCollection);
                 validateFilterOperator(type, filterOperator, special);
                 applyFilterToQuery(columnPath, filterOperator, filterValue, logical, targetCollection);
             }
             else {
-                const { type, special } = validateFilterField(schema.collections[collection].fields, stripFunction(filterPath[0]), collection);
+                const { type, special } = getFilterType(schema.collections[collection].fields, filterPath[0], collection);
                 validateFilterOperator(type, filterOperator, special);
                 applyFilterToQuery(`${collection}.${filterPath[0]}`, filterOperator, filterValue, logical);
             }
         }
-        function validateFilterField(fields, key, collection = 'unknown') {
-            if (fields[key] === undefined) {
+        function getFilterType(fields, key, collection = 'unknown') {
+            const { fieldName, functionName } = parseFilterKey(key);
+            const field = fields[fieldName];
+            if (!field) {
                 throw new InvalidQueryError({ reason: `Invalid filter key "${key}" on "${collection}"` });
             }
-            return fields[key];
+            const { type } = field;
+            if (functionName) {
+                const availableFunctions = getFunctionsForType(type);
+                if (!availableFunctions.includes(functionName)) {
+                    throw new InvalidQueryError({ reason: `Invalid filter key "${key}" on "${collection}"` });
+                }
+                const functionType = getOutputTypeForFunction(functionName);
+                return { type: functionType };
+            }
+            return { type, special: field.special };
         }
         function validateFilterOperator(type, filterOperator, special) {
             if (filterOperator.startsWith('_')) {
@@ -360,7 +376,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                     reason: `"${type}" field type does not contain the "_${filterOperator}" filter operator`,
                 });
             }
-            if (special.includes('conceal') &&
+            if (special?.includes('conceal') &&
                 !getFilterOperatorsForType('hash').includes(filterOperator)) {
                 throw new InvalidQueryError({
                     reason: `Field with "conceal" special does not allow the "_${filterOperator}" filter operator`,
@@ -534,33 +550,36 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
         }
     }
 }
-export async function applySearch(schema, dbQuery, searchQuery, collection) {
+export async function applySearch(knex, schema, dbQuery, searchQuery, collection) {
+    const { number: numberHelper } = getHelpers(knex);
     const fields = Object.entries(schema.collections[collection].fields);
     dbQuery.andWhere(function () {
+        let needsFallbackCondition = true;
         fields.forEach(([name, field]) => {
             if (['text', 'string'].includes(field.type)) {
                 this.orWhereRaw(`LOWER(??) LIKE ?`, [`${collection}.${name}`, `%${searchQuery.toLowerCase()}%`]);
+                needsFallbackCondition = false;
             }
-            else if (['bigInteger', 'integer', 'decimal', 'float'].includes(field.type)) {
-                const number = Number(searchQuery);
-                // only cast finite base10 numeric values
-                if (validateNumber(searchQuery, number)) {
-                    this.orWhere({ [`${collection}.${name}`]: number });
+            else if (isNumericField(field)) {
+                const number = parseNumericString(searchQuery);
+                if (number === null) {
+                    return; // unable to parse
+                }
+                if (numberHelper.isNumberValid(number, field)) {
+                    numberHelper.addSearchCondition(this, collection, name, number);
+                    needsFallbackCondition = false;
                 }
             }
             else if (field.type === 'uuid' && isValidUuid(searchQuery)) {
                 this.orWhere({ [`${collection}.${name}`]: searchQuery });
+                needsFallbackCondition = false;
             }
         });
+        if (needsFallbackCondition) {
+            this.orWhereRaw('1 = 0');
+        }
     });
 }
-function validateNumber(value, parsed) {
-    if (isNaN(parsed) || !Number.isFinite(parsed))
-        return false;
-    // casting parsed value back to string should be equal the original value
-    // (prevent unintended number parsing, e.g. String(7) !== "ob111")
-    return String(parsed) === value;
-}
 export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins) {
     for (const [operation, fields] of Object.entries(aggregate)) {
         if (!fields)
@@ -610,7 +629,7 @@ export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins)
 function getFilterPath(key, value) {
     const path = [key];
     const childKey = Object.keys(value)[0];
-    if (typeof childKey === 'string' && childKey.startsWith('_') === true && !['_none', '_some'].includes(childKey)) {
+    if (!childKey || (childKey.startsWith('_') === true && !['_none', '_some'].includes(childKey))) {
         return path;
     }
     if (isPlainObject(value)) {
@@ -622,8 +641,15 @@ function getOperation(key, value) {
     if (key.startsWith('_') && !['_and', '_or', '_none', '_some'].includes(key)) {
         return { operator: key, value };
     }
-    else if (isPlainObject(value) === false) {
+    else if (!isPlainObject(value)) {
         return { operator: '_eq', value };
     }
-    return getOperation(Object.keys(value)[0], Object.values(value)[0]);
+    const childKey = Object.keys(value)[0];
+    if (childKey) {
+        return getOperation(childKey, Object.values(value)[0]);
+    }
+    return null;
+}
+function isNumericField(field) {
+    return isIn(field.type, NUMERIC_TYPES);
 }

package/dist/utils/get-accountability-for-token.js

@@ -1,10 +1,10 @@
-import { useEnv } from '@directus/env';
 import { InvalidCredentialsError } from '@directus/errors';
 import getDatabase from '../database/index.js';
+import { getSecret } from './get-secret.js';
 import isDirectusJWT from './is-directus-jwt.js';
+import { verifySessionJWT } from './verify-session-jwt.js';
 import { verifyAccessJWT } from './jwt.js';
 export async function getAccountabilityForToken(token, accountability) {
-    const env = useEnv();
     if (!accountability) {
         accountability = {
             user: null,
@@ -15,7 +15,10 @@ export async function getAccountabilityForToken(token, accountability) {
     }
     if (token) {
         if (isDirectusJWT(token)) {
-            const payload = verifyAccessJWT(token, env['SECRET']);
+            const payload = verifyAccessJWT(token, getSecret());
+            if ('session' in payload) {
+                await verifySessionJWT(payload);
+            }
             accountability.role = payload.role;
             accountability.admin = payload.admin_access === true || payload.admin_access == 1;
             accountability.app = payload.app_access === true || payload.app_access == 1;

package/dist/utils/get-cache-headers.js

@@ -16,6 +16,9 @@ export function getCacheControlHeader(req, ttl, globalCacheSettings, personalize
     // When the resource / current request shouldn't be cached
     if (ttl === undefined || ttl < 0)
         return 'no-cache';
+    // When the API cache can invalidate at any moment
+    if (globalCacheSettings && env['CACHE_AUTO_PURGE'] === true)
+        return 'no-cache';
     const headerValues = [];
     // When caching depends on the authentication status of the users
     if (personalized) {

package/dist/utils/get-schema.js

@@ -34,24 +34,33 @@ export async function getSchema(options, attempt = 0) {
     const lockKey = 'schemaCache--preparing';
     const messageKey = 'schemaCache--done';
     const processId = await lock.increment(lockKey);
+    if (processId >= env['CACHE_SCHEMA_MAX_ITERATIONS']) {
+        await lock.delete(lockKey);
+    }
     const currentProcessShouldHandleOperation = processId === 1;
     if (currentProcessShouldHandleOperation === false) {
         logger.trace('Schema cache is prepared in another process, waiting for result.');
-        return new Promise((resolve) => {
+        return new Promise((resolve, reject) => {
             const TIMEOUT = 10000;
-            let timeout;
-            const callback = async () => {
-                if (timeout)
-                    clearTimeout(timeout);
-                const schema = await getSchema(options, attempt + 1);
-                resolve(schema);
-                bus.unsubscribe(messageKey, callback);
-            };
-            bus.subscribe(messageKey, callback);
-            timeout = setTimeout(async () => {
+            const timeout = setTimeout(() => {
                 logger.trace('Did not receive schema callback message in time. Pulling schema...');
-                callback();
+                callback().catch(reject);
             }, TIMEOUT);
+            bus.subscribe(messageKey, callback);
+            async function callback() {
+                try {
+                    if (timeout)
+                        clearTimeout(timeout);
+                    const schema = await getSchema(options, attempt + 1);
+                    resolve(schema);
+                }
+                catch (error) {
+                    reject(error);
+                }
+                finally {
+                    bus.unsubscribe(messageKey, callback);
+                }
+            }
         });
     }
     try {

package/dist/utils/get-secret.d.ts

@@ -0,0 +1,4 @@
+export declare const _cache: {
+    secret: string | null;
+};
+export declare const getSecret: () => string;

package/dist/utils/get-secret.js

@@ -0,0 +1,14 @@
+import { useEnv } from '@directus/env';
+import { nanoid } from 'nanoid';
+export const _cache = { secret: null };
+export const getSecret = () => {
+    if (_cache.secret) {
+        return _cache.secret;
+    }
+    const env = useEnv();
+    if (env['SECRET']) {
+        return env['SECRET'];
+    }
+    _cache.secret = nanoid(32);
+    return _cache.secret;
+};

package/dist/utils/parse-filter-key.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Parses a filter key, returning its field name and function name (if defined) separately.
+ */
+export declare function parseFilterKey(key: string): {
+    fieldName: string;
+    functionName: string | undefined;
+};

package/dist/utils/parse-filter-key.js

@@ -0,0 +1,22 @@
+/**
+ * Result for keys with a function (e.g. `year(date_created)`):
+ * - Group 1: Function (`year`)
+ * - Group 3: Field (`date_created`)
+ *
+ * If group 3 is undefined, it is a key without a function.
+ */
+const FILTER_KEY_REGEX = /^([^()]+)(\(([^)]+)\))?/;
+/**
+ * Parses a filter key, returning its field name and function name (if defined) separately.
+ */
+export function parseFilterKey(key) {
+    const match = key.match(FILTER_KEY_REGEX);
+    const fieldNameWithFunction = match?.[3]?.trim();
+    const fieldName = fieldNameWithFunction || key.trim();
+    let functionName;
+    if (fieldNameWithFunction) {
+        functionName = match?.[1]?.trim();
+        return { fieldName, functionName };
+    }
+    return { fieldName, functionName };
+}

package/dist/utils/parse-numeric-string.d.ts

@@ -0,0 +1,2 @@
+import type { NumericValue } from '@directus/types';
+export declare function parseNumericString(stringValue: string): NumericValue | null;

package/dist/utils/parse-numeric-string.js

@@ -0,0 +1,21 @@
+export function parseNumericString(stringValue) {
+    let number = Number(stringValue);
+    if (isNaN(number) || !Number.isFinite(number)) {
+        return null; // invalid numbers
+    }
+    if (number > Number.MAX_SAFE_INTEGER || number < Number.MIN_SAFE_INTEGER) {
+        try {
+            number = BigInt(stringValue);
+        }
+        catch {
+            // BigInt parsing failed, e.g. it was a float larger than MAX_SAFE_INTEGER
+            return null;
+        }
+    }
+    // casting parsed value back to string should be equal the original value
+    // (prevent unintended number parsing, e.g. String(7) !== "ob111")
+    if (String(number) !== stringValue) {
+        return null;
+    }
+    return number;
+}

package/dist/utils/sanitize-query.js

@@ -1,4 +1,5 @@
 import { useEnv } from '@directus/env';
+import { InvalidQueryError } from '@directus/errors';
 import { parseFilter, parseJSON } from '@directus/utils';
 import { flatten, get, isPlainObject, merge, set } from 'lodash-es';
 import { useLogger } from '../logger.js';
@@ -106,17 +107,21 @@ function sanitizeAggregate(rawAggregate) {
     return aggregate;
 }
 function sanitizeFilter(rawFilter, accountability) {
-    const logger = useLogger();
     let filters = rawFilter;
-    if (typeof rawFilter === 'string') {
+    if (typeof filters === 'string') {
         try {
-            filters = parseJSON(rawFilter);
+            filters = parseJSON(filters);
         }
         catch {
-            logger.warn('Invalid value passed for filter query parameter.');
+            throw new InvalidQueryError({ reason: 'Invalid JSON for filter object' });
         }
     }
-    return parseFilter(filters, accountability);
+    try {
+        return parseFilter(filters, accountability);
+    }
+    catch {
+        throw new InvalidQueryError({ reason: 'Invalid filter object' });
+    }
 }
 function sanitizeLimit(rawLimit) {
     if (rawLimit === undefined || rawLimit === null)

package/dist/utils/transaction.d.ts

@@ -1,4 +1,4 @@
-import type { Knex } from 'knex';
+import { type Knex } from 'knex';
 /**
  * Execute the given handler within the current transaction or a newly created one
  * if the current knex state isn't a transaction yet.

package/dist/utils/transaction.js

@@ -1,3 +1,6 @@
+import {} from 'knex';
+import { getDatabaseClient } from '../database/index.js';
+import { useLogger } from '../logger.js';
 /**
  * Execute the given handler within the current transaction or a newly created one
  * if the current knex state isn't a transaction yet.
@@ -5,11 +8,45 @@
  * Can be used to ensure the handler is run within a transaction,
  * while preventing nested transactions.
  */
-export const transaction = (knex, handler) => {
+export const transaction = async (knex, handler) => {
     if (knex.isTransaction) {
         return handler(knex);
     }
     else {
-        return knex.transaction((trx) => handler(trx));
+        try {
+            return await knex.transaction((trx) => handler(trx));
+        }
+        catch (error) {
+            const client = getDatabaseClient(knex);
+            /**
+             * This error code indicates that the transaction failed due to another
+             * concurrent or recent transaction attempting to write to the same data.
+             * This can usually be solved by restarting the transaction on client-side
+             * after a short delay, so that it is executed against the latest state.
+             *
+             * @link https://www.cockroachlabs.com/docs/stable/transaction-retry-error-reference
+             */
+            const COCKROACH_RETRY_ERROR_CODE = '40001';
+            if (client !== 'cockroachdb' || error?.code !== COCKROACH_RETRY_ERROR_CODE)
+                throw error;
+            const MAX_ATTEMPTS = 3;
+            const BASE_DELAY = 100;
+            const logger = useLogger();
+            for (let attempt = 0; attempt < MAX_ATTEMPTS; ++attempt) {
+                const delay = 2 ** attempt * BASE_DELAY;
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                logger.trace(`Restarting failed transaction (attempt ${attempt + 1}/${MAX_ATTEMPTS})`);
+                try {
+                    return await knex.transaction((trx) => handler(trx));
+                }
+                catch (error) {
+                    if (error?.code !== COCKROACH_RETRY_ERROR_CODE)
+                        throw error;
+                }
+            }
+            /** Initial execution + additional attempts */
+            const attempts = 1 + MAX_ATTEMPTS;
+            throw new Error(`Transaction failed after ${attempts} attempts`, { cause: error });
+        }
     }
 };

package/dist/utils/validate-query.js

@@ -42,8 +42,6 @@ export function validateQuery(query) {
     return query;
 }
 function validateFilter(filter) {
-    if (!filter)
-        throw new InvalidQueryError({ reason: 'Invalid filter object' });
     for (const [key, nested] of Object.entries(filter)) {
         if (key === '_and' || key === '_or') {
             nested.forEach(validateFilter);

package/dist/utils/verify-session-jwt.d.ts

@@ -0,0 +1,7 @@
+import type { DirectusTokenPayload } from '../types/index.js';
+/**
+ * Verifies the associated session is still available and valid.
+ *
+ * @throws If session not found.
+ */
+export declare function verifySessionJWT(payload: DirectusTokenPayload): Promise<void>;

package/dist/utils/verify-session-jwt.js

@@ -0,0 +1,22 @@
+import getDatabase from '../database/index.js';
+import { InvalidTokenError } from '@directus/errors';
+/**
+ * Verifies the associated session is still available and valid.
+ *
+ * @throws If session not found.
+ */
+export async function verifySessionJWT(payload) {
+    const database = getDatabase();
+    const session = await database
+        .select(1)
+        .from('directus_sessions')
+        .where({
+        token: payload['session'],
+        user: payload['id'],
+    })
+        .andWhere('expires', '>=', new Date())
+        .first();
+    if (!session) {
+        throw new InvalidTokenError();
+    }
+}