@directus/api 19.0.2 → 19.1.0

package/dist/extensions/lib/get-extensions-settings.js

@@ -15,9 +15,33 @@ export const getExtensionsSettings = async ({ local, module, registry, }) => {
     });
     const existingSettings = await service.extensionsItemService.readByQuery({ limit: -1 });
     const newSettings = [];
+    const removedSettingIds = [];
     const localSettings = existingSettings.filter(({ source }) => source === 'local');
     const registrySettings = existingSettings.filter(({ source }) => source === 'registry');
     const moduleSettings = existingSettings.filter(({ source }) => source === 'module');
+    const updateBundleEntriesSettings = (bundle, bundleSettings, allSettings) => {
+        const bundleEntriesSettings = allSettings.filter(({ bundle }) => bundle === bundleSettings.id);
+        // Remove settings of removed bundle entries from the DB
+        for (const entry of bundleEntriesSettings) {
+            const entryInBundle = bundle.entries.some(({ name }) => name === entry.folder);
+            if (entryInBundle)
+                continue;
+            removedSettingIds.push(entry.id);
+        }
+        // Add new bundle entries to the settings
+        for (const entry of bundle.entries) {
+            const settingsExist = bundleEntriesSettings.some(({ folder }) => folder === entry.name);
+            if (settingsExist)
+                continue;
+            newSettings.push({
+                id: randomUUID(),
+                enabled: bundleSettings.enabled,
+                source: bundleSettings.source,
+                bundle: bundleSettings.id,
+                folder: entry.name,
+            });
+        }
+    };
     const generateSettingsEntry = (folder, extension, source) => {
         if (extension.type === 'bundle') {
             const bundleId = randomUUID();
@@ -49,9 +73,13 @@ export const getExtensionsSettings = async ({ local, module, registry, }) => {
         }
     };
     for (const [folder, extension] of local.entries()) {
-        const settingsExist = localSettings.some((settings) => settings.folder === folder);
-        if (settingsExist)
+        const existingSettings = localSettings.find((settings) => settings.folder === folder);
+        if (existingSettings) {
+            if (extension.type === 'bundle') {
+                updateBundleEntriesSettings(extension, existingSettings, localSettings);
+            }
             continue;
+        }
         const settingsForName = localSettings.find((settings) => settings.folder === extension.name);
         /*
          * TODO: Consider removing this in follow-up versions after v10.10.0
@@ -66,22 +94,31 @@ export const getExtensionsSettings = async ({ local, module, registry, }) => {
             await service.extensionsItemService.updateOne(settingsForName.id, { folder });
             continue;
         }
-        if (!settingsExist)
-            generateSettingsEntry(folder, extension, 'local');
+        generateSettingsEntry(folder, extension, 'local');
     }
     for (const [folder, extension] of module.entries()) {
-        const settingsExist = moduleSettings.some((settings) => settings.folder === folder);
-        if (!settingsExist)
+        const existingSettings = moduleSettings.find((settings) => settings.folder === folder);
+        if (!existingSettings) {
             generateSettingsEntry(folder, extension, 'module');
+        }
+        else if (extension.type === 'bundle') {
+            updateBundleEntriesSettings(extension, existingSettings, moduleSettings);
+        }
     }
     for (const [folder, extension] of registry.entries()) {
-        const settingsExist = registrySettings.some((settings) => settings.folder === folder);
-        if (!settingsExist)
+        const existingSettings = registrySettings.find((settings) => settings.folder === folder);
+        if (!existingSettings) {
             generateSettingsEntry(folder, extension, 'registry');
+        }
+        else if (extension.type === 'bundle') {
+            updateBundleEntriesSettings(extension, existingSettings, registrySettings);
+        }
+    }
+    if (removedSettingIds.length > 0) {
+        await service.extensionsItemService.deleteMany(removedSettingIds);
     }
     if (newSettings.length > 0) {
-        await database.insert(newSettings).into('directus_extensions');
+        await service.extensionsItemService.createMany(newSettings);
     }
-    const settings = [...existingSettings, ...newSettings];
-    return settings;
+    return [...existingSettings.filter(({ id }) => !removedSettingIds.includes(id)), ...newSettings];
 };

package/dist/extensions/lib/installation/manager.js

@@ -8,7 +8,7 @@ import { mkdir, readFile, rm } from 'node:fs/promises';
 import { Readable } from 'node:stream';
 import Queue from 'p-queue';
 import { join } from 'path';
-import tar from 'tar';
+import { extract } from 'tar';
 import { useLogger } from '../../../logger.js';
 import { getStorage } from '../../../storage/index.js';
 import { getExtensionsPath } from '../get-extensions-path.js';
@@ -36,7 +36,7 @@ export class InstallationManager {
              * NPM modules that are packed are always tarballed in a folder called "package"
              */
             const extractedPath = 'package';
-            await tar.extract({
+            await extract({
                 file: tarPath,
                 cwd: tempDir,
             });

package/dist/middleware/rate-limiter-global.js

@@ -10,7 +10,7 @@ const logger = useLogger();
 let checkRateLimit = (_req, _res, next) => next();
 export let rateLimiterGlobal;
 if (env['RATE_LIMITER_GLOBAL_ENABLED'] === true) {
-    validateEnv(['RATE_LIMITER_GLOBAL_STORE', 'RATE_LIMITER_GLOBAL_DURATION', 'RATE_LIMITER_GLOBAL_POINTS']);
+    validateEnv(['RATE_LIMITER_GLOBAL_DURATION', 'RATE_LIMITER_GLOBAL_POINTS']);
     validateConfiguration();
     rateLimiterGlobal = createRateLimiter('RATE_LIMITER_GLOBAL');
     checkRateLimit = asyncHandler(async (_req, res, next) => {

package/dist/middleware/rate-limiter-registration.d.ts

@@ -0,0 +1,5 @@
+import type { RequestHandler } from 'express';
+import type { RateLimiterMemory, RateLimiterRedis } from 'rate-limiter-flexible';
+declare let checkRateLimit: RequestHandler;
+export declare let rateLimiter: RateLimiterRedis | RateLimiterMemory;
+export default checkRateLimit;

package/dist/middleware/rate-limiter-registration.js

@@ -0,0 +1,32 @@
+import { useEnv } from '@directus/env';
+import { HitRateLimitError } from '@directus/errors';
+import { createRateLimiter } from '../rate-limiter.js';
+import asyncHandler from '../utils/async-handler.js';
+import { getIPFromReq } from '../utils/get-ip-from-req.js';
+import { validateEnv } from '../utils/validate-env.js';
+let checkRateLimit = (_req, _res, next) => next();
+export let rateLimiter;
+const env = useEnv();
+if (env['RATE_LIMITER_REGISTRATION_ENABLED'] === true) {
+    validateEnv(['RATE_LIMITER_REGISTRATION_DURATION', 'RATE_LIMITER_REGISTRATION_POINTS']);
+    rateLimiter = createRateLimiter('RATE_LIMITER_REGISTRATION');
+    checkRateLimit = asyncHandler(async (req, res, next) => {
+        const ip = getIPFromReq(req);
+        if (ip) {
+            try {
+                await rateLimiter.consume(ip, 1);
+            }
+            catch (rateLimiterRes) {
+                if (rateLimiterRes instanceof Error)
+                    throw rateLimiterRes;
+                res.set('Retry-After', String(Math.round(rateLimiterRes.msBeforeNext / 1000)));
+                throw new HitRateLimitError({
+                    limit: +env['RATE_LIMITER_REGISTRATION_POINTS'],
+                    reset: new Date(Date.now() + rateLimiterRes.msBeforeNext),
+                });
+            }
+        }
+        next();
+    });
+}
+export default checkRateLimit;

package/dist/services/authentication.js

@@ -10,6 +10,7 @@ import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { RateLimiterRes, createRateLimiter } from '../rate-limiter.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
+import { getSecret } from '../utils/get-secret.js';
 import { stall } from '../utils/stall.js';
 import { ActivityService } from './activity.js';
 import { SettingsService } from './settings.js';
@@ -159,7 +160,7 @@ export class AuthenticationService {
             accountability: this.accountability,
         });
         const TTL = env[options?.session ? 'SESSION_COOKIE_TTL' : 'ACCESS_TOKEN_TTL'];
-        const accessToken = jwt.sign(customClaims, env['SECRET'], {
+        const accessToken = jwt.sign(customClaims, getSecret(), {
             expiresIn: TTL,
             issuer: 'directus',
         });
@@ -306,7 +307,7 @@ export class AuthenticationService {
             accountability: this.accountability,
         });
         const TTL = env[options?.session ? 'SESSION_COOKIE_TTL' : 'ACCESS_TOKEN_TTL'];
-        const accessToken = jwt.sign(customClaims, env['SECRET'], {
+        const accessToken = jwt.sign(customClaims, getSecret(), {
             expiresIn: TTL,
             issuer: 'directus',
         });

package/dist/services/authorization.js

@@ -5,7 +5,7 @@ import { cloneDeep, flatten, isArray, isNil, merge, reduce, uniq, uniqWith } fro
 import { GENERATE_SPECIAL } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { getRelationInfo } from '../utils/get-relation-info.js';
-import { stripFunction } from '../utils/strip-function.js';
+import { parseFilterKey } from '../utils/parse-filter-key.js';
 import { ItemsService } from './items.js';
 import { PayloadService } from './payload.js';
 export class AuthorizationService {
@@ -105,8 +105,8 @@ export class AuthorizationService {
                     }
                     if (allowedFields.includes('*'))
                         continue;
-                    const fieldKey = stripFunction(childNode.name);
-                    if (allowedFields.includes(fieldKey) === false) {
+                    const { fieldName } = parseFilterKey(childNode.name);
+                    if (allowedFields.includes(fieldName) === false) {
                         throw new ForbiddenError();
                     }
                 }
@@ -282,7 +282,7 @@ export class AuthorizationService {
                     for (const field of requiredPermissions[collection]) {
                         if (field.startsWith('$FOLLOW'))
                             continue;
-                        const fieldName = stripFunction(field);
+                        const { fieldName } = parseFilterKey(field);
                         let originalFieldName = fieldName;
                         if (collection === rootCollection && aliasMap?.[fieldName]) {
                             originalFieldName = aliasMap[fieldName];

package/dist/services/fields.js

@@ -1,4 +1,4 @@
-import { KNEX_TYPES, REGEX_BETWEEN_PARENS } from '@directus/constants';
+import { KNEX_TYPES, REGEX_BETWEEN_PARENS, DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, } from '@directus/constants';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { createInspector } from '@directus/schema';
 import { addFieldFlag, toArray } from '@directus/utils';
@@ -586,7 +586,7 @@ export class FieldsService {
         }
         else if (['float', 'decimal'].includes(field.type)) {
             const type = field.type;
-            column = table[type](field.field, field.schema?.numeric_precision ?? 10, field.schema?.numeric_scale ?? 5);
+            column = table[type](field.field, field.schema?.numeric_precision ?? DEFAULT_NUMERIC_PRECISION, field.schema?.numeric_scale ?? DEFAULT_NUMERIC_SCALE);
         }
         else if (field.type === 'csv') {
             column = table.text(field.field);

package/dist/services/graphql/index.js

@@ -10,8 +10,11 @@ import { flatten, get, mapKeys, merge, omit, pick, set, transform, uniq } from '
 import { clearSystemCache, getCache } from '../../cache.js';
 import { DEFAULT_AUTH_PROVIDER, GENERATE_SPECIAL, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS, } from '../../constants.js';
 import getDatabase from '../../database/index.js';
+import { rateLimiter } from '../../middleware/rate-limiter-registration.js';
 import { generateHash } from '../../utils/generate-hash.js';
 import { getGraphQLType } from '../../utils/get-graphql-type.js';
+import { getIPFromReq } from '../../utils/get-ip-from-req.js';
+import { getSecret } from '../../utils/get-secret.js';
 import { getService } from '../../utils/get-service.js';
 import isDirectusJWT from '../../utils/is-directus-jwt.js';
 import { verifyAccessJWT } from '../../utils/jwt.js';
@@ -1637,6 +1640,8 @@ export class GraphQLService {
                             public_background: { type: GraphQLString },
                             public_note: { type: GraphQLString },
                             custom_css: { type: GraphQLString },
+                            public_registration: { type: GraphQLBoolean },
+                            public_registration_verify_email: { type: GraphQLBoolean },
                         },
                     }),
                 },
@@ -1872,7 +1877,7 @@ export class GraphQLService {
                     else if (mode === 'session') {
                         const token = req?.cookies[env['SESSION_COOKIE_NAME']];
                         if (isDirectusJWT(token)) {
-                            const payload = verifyAccessJWT(token, env['SECRET']);
+                            const payload = verifyAccessJWT(token, getSecret());
                             currentRefreshToken = payload.session;
                         }
                     }
@@ -1930,7 +1935,7 @@ export class GraphQLService {
                     else if (mode === 'session') {
                         const token = req?.cookies[env['SESSION_COOKIE_NAME']];
                         if (isDirectusJWT(token)) {
-                            const payload = verifyAccessJWT(token, env['SECRET']);
+                            const payload = verifyAccessJWT(token, getSecret());
                             currentRefreshToken = payload.session;
                         }
                     }
@@ -2152,6 +2157,40 @@ export class GraphQLService {
                     return true;
                 },
             },
+            users_register: {
+                type: GraphQLBoolean,
+                args: {
+                    email: new GraphQLNonNull(GraphQLString),
+                    password: new GraphQLNonNull(GraphQLString),
+                    first_name: GraphQLString,
+                    last_name: GraphQLString,
+                },
+                resolve: async (_, args, { req }) => {
+                    const service = new UsersService({ accountability: null, schema: this.schema });
+                    const ip = req ? getIPFromReq(req) : null;
+                    if (ip) {
+                        await rateLimiter.consume(ip);
+                    }
+                    await service.registerUser({
+                        email: args.email,
+                        password: args.password,
+                        first_name: args.first_name,
+                        last_name: args.last_name,
+                    });
+                    return true;
+                },
+            },
+            users_register_verify: {
+                type: GraphQLBoolean,
+                args: {
+                    token: new GraphQLNonNull(GraphQLString),
+                },
+                resolve: async (_, args) => {
+                    const service = new UsersService({ accountability: null, schema: this.schema });
+                    await service.verifyRegistration(args.token);
+                    return true;
+                },
+            },
         });
         if ('directus_collections' in schema.read.collections) {
             Collection.addFields({

package/dist/services/mail/templates/user-registration.liquid

@@ -0,0 +1,37 @@
+{% layout 'base' %} {% block content %}
+
+<h1>Verify your email address</h1>
+
+<p style='padding-bottom: 30px'>
+  Thanks for registering at <i>{{ projectName }}</i>.
+  To complete your registration you need to verify your email address by opening the following verification-link.
+  Please feel free to ignore this email if you have not personally initiated the registration.
+</p>
+
+<a
+  class='button'
+  rel='noopener'
+  target='_blank'
+  href='{{url}}'
+  style='
+    font-size: 16px;
+    font-weight: 600;
+    color: #ffffff;
+    text-decoration: none;
+    display: inline-block;
+    padding: 11px 24px;
+    border-radius: 8px;
+    background: #171717;
+    border: 1px solid #ffffff;
+  '
+>
+  <!--[if mso]>
+    <i style="letter-spacing: 25px; mso-font-width: -100%; mso-text-raise: 30pt"
+      >&nbsp;</i
+    >
+  <![endif]-->
+  <span style='mso-text-raise: 15pt'>Verify email</span>
+  <!--[if mso]> <i style="letter-spacing: 25px; mso-font-width: -100%">&nbsp;</i> <![endif]-->
+</a>
+
+{% endblock %}

package/dist/services/meta.js

@@ -63,7 +63,7 @@ export class MetaService {
             ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}));
         }
         if (query.search) {
-            applySearch(this.schema, dbQuery, query.search, collection);
+            applySearch(this.knex, this.schema, dbQuery, query.search, collection);
         }
         if (hasJoins) {
             const primaryKeyName = this.schema.collections[collection].primary;

package/dist/services/payload.d.ts

@@ -27,6 +27,8 @@ export declare class PayloadService {
     transformers: Transformers;
     processValues(action: Action, payloads: Partial<Item>[]): Promise<Partial<Item>[]>;
     processValues(action: Action, payload: Partial<Item>): Promise<Partial<Item>>;
+    processValues(action: Action, payloads: Partial<Item>[], aliasMap: Record<string, string>): Promise<Partial<Item>[]>;
+    processValues(action: Action, payload: Partial<Item>, aliasMap: Record<string, string>): Promise<Partial<Item>>;
     processAggregates(payload: Partial<Item>[]): void;
     processField(field: SchemaOverview['collections'][string]['fields'][string], payload: Partial<Item>, action: Action, accountability: Accountability | null): Promise<any>;
     /**

package/dist/services/payload.js

@@ -121,19 +121,31 @@ export class PayloadService {
             return value;
         },
     };
-    async processValues(action, payload) {
+    async processValues(action, payload, aliasMap = {}) {
         const processedPayload = toArray(payload);
         if (processedPayload.length === 0)
             return [];
         const fieldsInPayload = Object.keys(processedPayload[0]);
-        let specialFieldsInCollection = Object.entries(this.schema.collections[this.collection].fields).filter(([_name, field]) => field.special && field.special.length > 0);
+        const fieldEntries = Object.entries(this.schema.collections[this.collection].fields);
+        const aliasEntries = Object.entries(aliasMap);
+        let specialFields = [];
+        for (const [name, field] of fieldEntries) {
+            if (field.special && field.special.length > 0) {
+                specialFields.push([name, field]);
+                for (const [aliasName, fieldName] of aliasEntries) {
+                    if (fieldName === name) {
+                        specialFields.push([aliasName, { ...field, field: aliasName }]);
+                    }
+                }
+            }
+        }
         if (action === 'read') {
-            specialFieldsInCollection = specialFieldsInCollection.filter(([name]) => {
+            specialFields = specialFields.filter(([name]) => {
                 return fieldsInPayload.includes(name);
             });
         }
         await Promise.all(processedPayload.map(async (record) => {
-            await Promise.all(specialFieldsInCollection.map(async ([name, field]) => {
+            await Promise.all(specialFields.map(async ([name, field]) => {
                 const newValue = await this.processField(field, record, action, this.accountability);
                 if (newValue !== undefined)
                     record[name] = newValue;

package/dist/services/server.js

@@ -46,6 +46,8 @@ export class ServerService {
                 'public_favicon',
                 'public_note',
                 'custom_css',
+                'public_registration',
+                'public_registration_verify_email',
             ],
         });
         info['project'] = projectInfo;
@@ -106,7 +108,7 @@ export class ServerService {
         const data = {
             status: 'ok',
             releaseId: version,
-            serviceId: env['KEY'],
+            serviceId: env['PUBLIC_URL'],
             checks: merge(...(await Promise.all([
                 testDatabase(),
                 testCache(),

package/dist/services/shares.js

@@ -4,6 +4,7 @@ import argon2 from 'argon2';
 import jwt from 'jsonwebtoken';
 import { useLogger } from '../logger.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
+import { getSecret } from '../utils/get-secret.js';
 import { md } from '../utils/md.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
@@ -78,7 +79,7 @@ export class SharesService extends ItemsService {
             tokenPayload.session = refreshToken;
         }
         const TTL = env[options?.session ? 'SESSION_COOKIE_TTL' : 'ACCESS_TOKEN_TTL'];
-        const accessToken = jwt.sign(tokenPayload, env['SECRET'], {
+        const accessToken = jwt.sign(tokenPayload, getSecret(), {
             expiresIn: TTL,
             issuer: 'directus',
         });

package/dist/services/users.d.ts

@@ -1,4 +1,4 @@
-import type { Item, PrimaryKey, Query } from '@directus/types';
+import type { Item, PrimaryKey, Query, RegisterUserInput } from '@directus/types';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
 import { ItemsService } from './items.js';
 export declare class UsersService extends ItemsService {
@@ -62,6 +62,8 @@ export declare class UsersService extends ItemsService {
     deleteByQuery(query: Query, opts?: MutationOptions): Promise<PrimaryKey[]>;
     inviteUser(email: string | string[], role: string, url: string | null, subject?: string | null): Promise<void>;
     acceptInvite(token: string, password: string): Promise<void>;
+    registerUser(input: RegisterUserInput): Promise<void>;
+    verifyRegistration(token: string): Promise<string>;
     requestPasswordReset(email: string, url: string | null, subject?: string | null): Promise<void>;
     resetPassword(token: string, password: string): Promise<void>;
 }

package/dist/services/users.js

@@ -1,6 +1,6 @@
 import { useEnv } from '@directus/env';
 import { ForbiddenError, InvalidPayloadError, RecordNotUniqueError, UnprocessableContentError } from '@directus/errors';
-import { getSimpleHash, toArray } from '@directus/utils';
+import { getSimpleHash, toArray, validatePayload } from '@directus/utils';
 import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '@directus/validation';
 import Joi from 'joi';
 import jwt from 'jsonwebtoken';
@@ -8,6 +8,7 @@ import { cloneDeep, isEmpty } from 'lodash-es';
 import { performance } from 'perf_hooks';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger.js';
+import { getSecret } from '../utils/get-secret.js';
 import isUrlAllowed from '../utils/is-url-allowed.js';
 import { verifyJWT } from '../utils/jwt.js';
 import { stall } from '../utils/stall.js';
@@ -129,7 +130,7 @@ export class UsersService extends ItemsService {
      */
     inviteUrl(email, url) {
         const payload = { email, scope: 'invite' };
-        const token = jwt.sign(payload, env['SECRET'], { expiresIn: '7d', issuer: 'directus' });
+        const token = jwt.sign(payload, getSecret(), { expiresIn: '7d', issuer: 'directus' });
         const inviteURL = url ? new Url(url) : new Url(env['PUBLIC_URL']).addPath('admin', 'accept-invite');
         inviteURL.setQuery('token', token);
         return inviteURL.toString();
@@ -357,7 +358,7 @@ export class UsersService extends ItemsService {
         }
     }
     async acceptInvite(token, password) {
-        const { email, scope } = verifyJWT(token, env['SECRET']);
+        const { email, scope } = verifyJWT(token, getSecret());
         if (scope !== 'invite')
             throw new ForbiddenError();
         const user = await this.getUserByEmail(email);
@@ -371,6 +372,92 @@ export class UsersService extends ItemsService {
         });
         await service.updateOne(user.id, { password, status: 'active' });
     }
+    async registerUser(input) {
+        const STALL_TIME = env['REGISTER_STALL_TIME'];
+        const timeStart = performance.now();
+        const serviceOptions = { accountability: this.accountability, schema: this.schema };
+        const settingsService = new SettingsService(serviceOptions);
+        const settings = await settingsService.readSingleton({
+            fields: [
+                'public_registration',
+                'public_registration_verify_email',
+                'public_registration_role',
+                'public_registration_email_filter',
+            ],
+        });
+        if (settings?.['public_registration'] == false) {
+            throw new ForbiddenError();
+        }
+        const publicRegistrationRole = settings?.['public_registration_role'] ?? null;
+        const hasEmailVerification = settings?.['public_registration_verify_email'];
+        const emailFilter = settings?.['public_registration_email_filter'];
+        const first_name = input.first_name ?? null;
+        const last_name = input.last_name ?? null;
+        const partialUser = {
+            // Required fields
+            email: input.email,
+            password: input.password,
+            role: publicRegistrationRole,
+            status: hasEmailVerification ? 'unverified' : 'active',
+            // Optional fields
+            first_name,
+            last_name,
+        };
+        if (emailFilter && validatePayload(emailFilter, { email: input.email }).length !== 0) {
+            await stall(STALL_TIME, timeStart);
+            throw new ForbiddenError();
+        }
+        const user = await this.getUserByEmail(input.email);
+        if (isEmpty(user)) {
+            await this.createOne(partialUser);
+        }
+        // We want to be able to re-send the verification email
+        else if (user.status !== ('unverified')) {
+            // To avoid giving attackers infos about registered emails we dont fail for violated unique constraints
+            await stall(STALL_TIME, timeStart);
+            return;
+        }
+        if (hasEmailVerification) {
+            const mailService = new MailService(serviceOptions);
+            const payload = { email: input.email, scope: 'pending-registration' };
+            const token = jwt.sign(payload, env['SECRET'], {
+                expiresIn: env['EMAIL_VERIFICATION_TOKEN_TTL'],
+                issuer: 'directus',
+            });
+            const verificationURL = new Url(env['PUBLIC_URL'])
+                .addPath('users', 'register', 'verify-email')
+                .setQuery('token', token);
+            mailService
+                .send({
+                to: input.email,
+                subject: 'Verify your email address', // TODO: translate after theres support for internationalized emails
+                template: {
+                    name: 'user-registration',
+                    data: {
+                        url: verificationURL.toString(),
+                        email: input.email,
+                        first_name,
+                        last_name,
+                    },
+                },
+            })
+                .catch((error) => {
+                logger.error(error, 'Could not send email verification mail');
+            });
+        }
+        await stall(STALL_TIME, timeStart);
+    }
+    async verifyRegistration(token) {
+        const { email, scope } = verifyJWT(token, env['SECRET']);
+        if (scope !== 'pending-registration')
+            throw new ForbiddenError();
+        const user = await this.getUserByEmail(email);
+        if (user?.status !== ('unverified')) {
+            throw new InvalidPayloadError({ reason: 'Invalid verification code' });
+        }
+        await this.updateOne(user.id, { status: 'active' });
+        return user.id;
+    }
     async requestPasswordReset(email, url, subject) {
         const STALL_TIME = 500;
         const timeStart = performance.now();
@@ -388,7 +475,7 @@ export class UsersService extends ItemsService {
             accountability: this.accountability,
         });
         const payload = { email: user.email, scope: 'password-reset', hash: getSimpleHash('' + user.password) };
-        const token = jwt.sign(payload, env['SECRET'], { expiresIn: '1d', issuer: 'directus' });
+        const token = jwt.sign(payload, getSecret(), { expiresIn: '1d', issuer: 'directus' });
         const acceptURL = url
             ? new Url(url).setQuery('token', token).toString()
             : new Url(env['PUBLIC_URL']).addPath('admin', 'reset-password').setQuery('token', token).toString();
@@ -411,7 +498,7 @@ export class UsersService extends ItemsService {
         await stall(STALL_TIME, timeStart);
     }
     async resetPassword(token, password) {
-        const { email, scope, hash } = jwt.verify(token, env['SECRET'], { issuer: 'directus' });
+        const { email, scope, hash } = jwt.verify(token, getSecret(), { issuer: 'directus' });
         if (scope !== 'password-reset' || !hash)
             throw new ForbiddenError();
         const opts = {};

package/dist/utils/apply-query.d.ts

@@ -37,5 +37,5 @@ export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuer
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;
 };
-export declare function applySearch(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
+export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
 export declare function applyAggregate(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, aggregate: Aggregate, collection: string, hasJoins: boolean): void;