@directus/api 19.0.2 → 19.1.1

package/dist/services/users.js

@@ -1,6 +1,6 @@
 import { useEnv } from '@directus/env';
 import { ForbiddenError, InvalidPayloadError, RecordNotUniqueError, UnprocessableContentError } from '@directus/errors';
-import { getSimpleHash, toArray } from '@directus/utils';
+import { getSimpleHash, toArray, validatePayload } from '@directus/utils';
 import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '@directus/validation';
 import Joi from 'joi';
 import jwt from 'jsonwebtoken';
@@ -8,6 +8,7 @@ import { cloneDeep, isEmpty } from 'lodash-es';
 import { performance } from 'perf_hooks';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger.js';
+import { getSecret } from '../utils/get-secret.js';
 import isUrlAllowed from '../utils/is-url-allowed.js';
 import { verifyJWT } from '../utils/jwt.js';
 import { stall } from '../utils/stall.js';
@@ -129,7 +130,7 @@ export class UsersService extends ItemsService {
      */
     inviteUrl(email, url) {
         const payload = { email, scope: 'invite' };
-        const token = jwt.sign(payload, env['SECRET'], { expiresIn: '7d', issuer: 'directus' });
+        const token = jwt.sign(payload, getSecret(), { expiresIn: '7d', issuer: 'directus' });
         const inviteURL = url ? new Url(url) : new Url(env['PUBLIC_URL']).addPath('admin', 'accept-invite');
         inviteURL.setQuery('token', token);
         return inviteURL.toString();
@@ -357,7 +358,7 @@ export class UsersService extends ItemsService {
         }
     }
     async acceptInvite(token, password) {
-        const { email, scope } = verifyJWT(token, env['SECRET']);
+        const { email, scope } = verifyJWT(token, getSecret());
         if (scope !== 'invite')
             throw new ForbiddenError();
         const user = await this.getUserByEmail(email);
@@ -371,6 +372,92 @@ export class UsersService extends ItemsService {
         });
         await service.updateOne(user.id, { password, status: 'active' });
     }
+    async registerUser(input) {
+        const STALL_TIME = env['REGISTER_STALL_TIME'];
+        const timeStart = performance.now();
+        const serviceOptions = { accountability: this.accountability, schema: this.schema };
+        const settingsService = new SettingsService(serviceOptions);
+        const settings = await settingsService.readSingleton({
+            fields: [
+                'public_registration',
+                'public_registration_verify_email',
+                'public_registration_role',
+                'public_registration_email_filter',
+            ],
+        });
+        if (settings?.['public_registration'] == false) {
+            throw new ForbiddenError();
+        }
+        const publicRegistrationRole = settings?.['public_registration_role'] ?? null;
+        const hasEmailVerification = settings?.['public_registration_verify_email'];
+        const emailFilter = settings?.['public_registration_email_filter'];
+        const first_name = input.first_name ?? null;
+        const last_name = input.last_name ?? null;
+        const partialUser = {
+            // Required fields
+            email: input.email,
+            password: input.password,
+            role: publicRegistrationRole,
+            status: hasEmailVerification ? 'unverified' : 'active',
+            // Optional fields
+            first_name,
+            last_name,
+        };
+        if (emailFilter && validatePayload(emailFilter, { email: input.email }).length !== 0) {
+            await stall(STALL_TIME, timeStart);
+            throw new ForbiddenError();
+        }
+        const user = await this.getUserByEmail(input.email);
+        if (isEmpty(user)) {
+            await this.createOne(partialUser);
+        }
+        // We want to be able to re-send the verification email
+        else if (user.status !== ('unverified')) {
+            // To avoid giving attackers infos about registered emails we dont fail for violated unique constraints
+            await stall(STALL_TIME, timeStart);
+            return;
+        }
+        if (hasEmailVerification) {
+            const mailService = new MailService(serviceOptions);
+            const payload = { email: input.email, scope: 'pending-registration' };
+            const token = jwt.sign(payload, env['SECRET'], {
+                expiresIn: env['EMAIL_VERIFICATION_TOKEN_TTL'],
+                issuer: 'directus',
+            });
+            const verificationURL = new Url(env['PUBLIC_URL'])
+                .addPath('users', 'register', 'verify-email')
+                .setQuery('token', token);
+            mailService
+                .send({
+                to: input.email,
+                subject: 'Verify your email address', // TODO: translate after theres support for internationalized emails
+                template: {
+                    name: 'user-registration',
+                    data: {
+                        url: verificationURL.toString(),
+                        email: input.email,
+                        first_name,
+                        last_name,
+                    },
+                },
+            })
+                .catch((error) => {
+                logger.error(error, 'Could not send email verification mail');
+            });
+        }
+        await stall(STALL_TIME, timeStart);
+    }
+    async verifyRegistration(token) {
+        const { email, scope } = verifyJWT(token, env['SECRET']);
+        if (scope !== 'pending-registration')
+            throw new ForbiddenError();
+        const user = await this.getUserByEmail(email);
+        if (user?.status !== ('unverified')) {
+            throw new InvalidPayloadError({ reason: 'Invalid verification code' });
+        }
+        await this.updateOne(user.id, { status: 'active' });
+        return user.id;
+    }
     async requestPasswordReset(email, url, subject) {
         const STALL_TIME = 500;
         const timeStart = performance.now();
@@ -388,7 +475,7 @@ export class UsersService extends ItemsService {
             accountability: this.accountability,
         });
         const payload = { email: user.email, scope: 'password-reset', hash: getSimpleHash('' + user.password) };
-        const token = jwt.sign(payload, env['SECRET'], { expiresIn: '1d', issuer: 'directus' });
+        const token = jwt.sign(payload, getSecret(), { expiresIn: '1d', issuer: 'directus' });
         const acceptURL = url
             ? new Url(url).setQuery('token', token).toString()
             : new Url(env['PUBLIC_URL']).addPath('admin', 'reset-password').setQuery('token', token).toString();
@@ -411,7 +498,7 @@ export class UsersService extends ItemsService {
         await stall(STALL_TIME, timeStart);
     }
     async resetPassword(token, password) {
-        const { email, scope, hash } = jwt.verify(token, env['SECRET'], { issuer: 'directus' });
+        const { email, scope, hash } = jwt.verify(token, getSecret(), { issuer: 'directus' });
         if (scope !== 'password-reset' || !hash)
             throw new ForbiddenError();
         const opts = {};

package/dist/utils/apply-query.d.ts

@@ -37,5 +37,5 @@ export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuer
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;
 };
-export declare function applySearch(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
+export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
 export declare function applyAggregate(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, aggregate: Aggregate, collection: string, hasJoins: boolean): void;

package/dist/utils/apply-query.js

@@ -1,5 +1,6 @@
+import { NUMERIC_TYPES } from '@directus/constants';
 import { InvalidQueryError } from '@directus/errors';
-import { getFilterOperatorsForType, getOutputTypeForFunction } from '@directus/utils';
+import { getFilterOperatorsForType, getFunctionsForType, getOutputTypeForFunction, isIn } from '@directus/utils';
 import { clone, isPlainObject } from 'lodash-es';
 import { customAlphabet } from 'nanoid/non-secure';
 import { getHelpers } from '../database/helpers/index.js';
@@ -7,7 +8,8 @@ import { getColumnPath } from './get-column-path.js';
 import { getColumn } from './get-column.js';
 import { getRelationInfo } from './get-relation-info.js';
 import { isValidUuid } from './is-valid-uuid.js';
-import { stripFunction } from './strip-function.js';
+import { parseFilterKey } from './parse-filter-key.js';
+import { parseNumericString } from './parse-numeric-string.js';
 export const generateAlias = customAlphabet('abcdefghijklmnopqrstuvwxyz', 5);
 /**
  * Apply the Query to a given Knex query builder instance
@@ -30,7 +32,7 @@ export default function applyQuery(knex, collection, dbQuery, query, schema, opt
         }
     }
     if (query.search) {
-        applySearch(schema, dbQuery, query.search, collection);
+        applySearch(knex, schema, dbQuery, query.search, collection);
     }
     if (query.group) {
         dbQuery.groupBy(query.group.map((column) => getColumn(knex, collection, column, false, schema)));
@@ -84,7 +86,7 @@ function addJoin({ path, collection, aliasMap, rootQuery, schema, relations, kne
                 }
                 rootQuery.leftJoin({ [alias]: pathScope }, (joinClause) => {
                     joinClause
-                        .onVal(relation.meta.one_collection_field, '=', pathScope)
+                        .onVal(`${aliasedParentCollection}.${relation.meta.one_collection_field}`, '=', pathScope)
                         .andOn(`${aliasedParentCollection}.${relation.field}`, '=', knex.raw(getHelpers(knex).schema.castA2oPrimaryKey(), `${alias}.${schema.collections[pathScope].primary}`));
                 });
                 aliasMap[aliasKey].collection = pathScope;
@@ -93,7 +95,7 @@ function addJoin({ path, collection, aliasMap, rootQuery, schema, relations, kne
             else if (relationType === 'o2a') {
                 rootQuery.leftJoin({ [alias]: relation.collection }, (joinClause) => {
                     joinClause
-                        .onVal(relation.meta.one_collection_field, '=', parentCollection)
+                        .onVal(`${alias}.${relation.meta.one_collection_field}`, '=', parentCollection)
                         .andOn(`${alias}.${relation.field}`, '=', knex.raw(getHelpers(knex).schema.castA2oPrimaryKey(), `${aliasedParentCollection}.${schema.collections[parentCollection].primary}`));
                 });
                 aliasMap[aliasKey].collection = relation.collection;
@@ -288,7 +290,10 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
              */
             const pathRoot = filterPath[0].split(':')[0];
             const { relation, relationType } = getRelationInfo(relations, collection, pathRoot);
-            const { operator: filterOperator, value: filterValue } = getOperation(key, value);
+            const operation = getOperation(key, value);
+            if (!operation)
+                continue;
+            const { operator: filterOperator, value: filterValue } = operation;
             if (filterPath.length > 1 ||
                 (!(key.includes('(') && key.includes(')')) && schema.collections[collection]?.fields[key]?.type === 'alias')) {
                 if (!relation)
@@ -335,21 +340,33 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                 }
                 if (!columnPath)
                     continue;
-                const { type, special } = validateFilterField(schema.collections[targetCollection].fields, stripFunction(filterPath[filterPath.length - 1]), targetCollection);
+                const { type, special } = getFilterType(schema.collections[targetCollection].fields, filterPath.at(-1), targetCollection);
                 validateFilterOperator(type, filterOperator, special);
                 applyFilterToQuery(columnPath, filterOperator, filterValue, logical, targetCollection);
             }
             else {
-                const { type, special } = validateFilterField(schema.collections[collection].fields, stripFunction(filterPath[0]), collection);
+                const { type, special } = getFilterType(schema.collections[collection].fields, filterPath[0], collection);
                 validateFilterOperator(type, filterOperator, special);
-                applyFilterToQuery(`${collection}.${filterPath[0]}`, filterOperator, filterValue, logical);
+                const aliasedCollection = aliasMap['']?.alias || collection;
+                applyFilterToQuery(`${aliasedCollection}.${filterPath[0]}`, filterOperator, filterValue, logical, collection);
             }
         }
-        function validateFilterField(fields, key, collection = 'unknown') {
-            if (fields[key] === undefined) {
+        function getFilterType(fields, key, collection = 'unknown') {
+            const { fieldName, functionName } = parseFilterKey(key);
+            const field = fields[fieldName];
+            if (!field) {
                 throw new InvalidQueryError({ reason: `Invalid filter key "${key}" on "${collection}"` });
             }
-            return fields[key];
+            const { type } = field;
+            if (functionName) {
+                const availableFunctions = getFunctionsForType(type);
+                if (!availableFunctions.includes(functionName)) {
+                    throw new InvalidQueryError({ reason: `Invalid filter key "${key}" on "${collection}"` });
+                }
+                const functionType = getOutputTypeForFunction(functionName);
+                return { type: functionType };
+            }
+            return { type, special: field.special };
         }
         function validateFilterOperator(type, filterOperator, special) {
             if (filterOperator.startsWith('_')) {
@@ -360,7 +377,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                     reason: `"${type}" field type does not contain the "_${filterOperator}" filter operator`,
                 });
             }
-            if (special.includes('conceal') &&
+            if (special?.includes('conceal') &&
                 !getFilterOperatorsForType('hash').includes(filterOperator)) {
                 throw new InvalidQueryError({
                     reason: `Field with "conceal" special does not allow the "_${filterOperator}" filter operator`,
@@ -406,7 +423,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                 const functionName = column.split('(')[0];
                 const type = getOutputTypeForFunction(functionName);
                 if (['integer', 'float', 'decimal'].includes(type)) {
-                    compareValue = Number(compareValue);
+                    compareValue = Array.isArray(compareValue) ? compareValue.map(Number) : Number(compareValue);
                 }
             }
             // Cast filter value (compareValue) based on type of field being filtered against
@@ -504,19 +521,19 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                 dbQuery[logical].whereNotIn(selectionRaw, value);
             }
             if (operator === '_between') {
-                if (compareValue.length !== 2)
-                    return;
                 let value = compareValue;
                 if (typeof value === 'string')
                     value = value.split(',');
+                if (value.length !== 2)
+                    return;
                 dbQuery[logical].whereBetween(selectionRaw, value);
             }
             if (operator === '_nbetween') {
-                if (compareValue.length !== 2)
-                    return;
                 let value = compareValue;
                 if (typeof value === 'string')
                     value = value.split(',');
+                if (value.length !== 2)
+                    return;
                 dbQuery[logical].whereNotBetween(selectionRaw, value);
             }
             if (operator == '_intersects') {
@@ -534,33 +551,36 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
         }
     }
 }
-export async function applySearch(schema, dbQuery, searchQuery, collection) {
+export async function applySearch(knex, schema, dbQuery, searchQuery, collection) {
+    const { number: numberHelper } = getHelpers(knex);
     const fields = Object.entries(schema.collections[collection].fields);
     dbQuery.andWhere(function () {
+        let needsFallbackCondition = true;
         fields.forEach(([name, field]) => {
             if (['text', 'string'].includes(field.type)) {
                 this.orWhereRaw(`LOWER(??) LIKE ?`, [`${collection}.${name}`, `%${searchQuery.toLowerCase()}%`]);
+                needsFallbackCondition = false;
             }
-            else if (['bigInteger', 'integer', 'decimal', 'float'].includes(field.type)) {
-                const number = Number(searchQuery);
-                // only cast finite base10 numeric values
-                if (validateNumber(searchQuery, number)) {
-                    this.orWhere({ [`${collection}.${name}`]: number });
+            else if (isNumericField(field)) {
+                const number = parseNumericString(searchQuery);
+                if (number === null) {
+                    return; // unable to parse
+                }
+                if (numberHelper.isNumberValid(number, field)) {
+                    numberHelper.addSearchCondition(this, collection, name, number);
+                    needsFallbackCondition = false;
                 }
             }
             else if (field.type === 'uuid' && isValidUuid(searchQuery)) {
                 this.orWhere({ [`${collection}.${name}`]: searchQuery });
+                needsFallbackCondition = false;
             }
         });
+        if (needsFallbackCondition) {
+            this.orWhereRaw('1 = 0');
+        }
     });
 }
-function validateNumber(value, parsed) {
-    if (isNaN(parsed) || !Number.isFinite(parsed))
-        return false;
-    // casting parsed value back to string should be equal the original value
-    // (prevent unintended number parsing, e.g. String(7) !== "ob111")
-    return String(parsed) === value;
-}
 export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins) {
     for (const [operation, fields] of Object.entries(aggregate)) {
         if (!fields)
@@ -610,7 +630,7 @@ export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins)
 function getFilterPath(key, value) {
     const path = [key];
     const childKey = Object.keys(value)[0];
-    if (typeof childKey === 'string' && childKey.startsWith('_') === true && !['_none', '_some'].includes(childKey)) {
+    if (!childKey || (childKey.startsWith('_') === true && !['_none', '_some'].includes(childKey))) {
         return path;
     }
     if (isPlainObject(value)) {
@@ -622,8 +642,15 @@ function getOperation(key, value) {
     if (key.startsWith('_') && !['_and', '_or', '_none', '_some'].includes(key)) {
         return { operator: key, value };
     }
-    else if (isPlainObject(value) === false) {
+    else if (!isPlainObject(value)) {
         return { operator: '_eq', value };
     }
-    return getOperation(Object.keys(value)[0], Object.values(value)[0]);
+    const childKey = Object.keys(value)[0];
+    if (childKey) {
+        return getOperation(childKey, Object.values(value)[0]);
+    }
+    return null;
+}
+function isNumericField(field) {
+    return isIn(field.type, NUMERIC_TYPES);
 }

package/dist/utils/get-accountability-for-token.js

@@ -1,10 +1,10 @@
-import { useEnv } from '@directus/env';
 import { InvalidCredentialsError } from '@directus/errors';
 import getDatabase from '../database/index.js';
+import { getSecret } from './get-secret.js';
 import isDirectusJWT from './is-directus-jwt.js';
+import { verifySessionJWT } from './verify-session-jwt.js';
 import { verifyAccessJWT } from './jwt.js';
 export async function getAccountabilityForToken(token, accountability) {
-    const env = useEnv();
     if (!accountability) {
         accountability = {
             user: null,
@@ -15,7 +15,10 @@ export async function getAccountabilityForToken(token, accountability) {
     }
     if (token) {
         if (isDirectusJWT(token)) {
-            const payload = verifyAccessJWT(token, env['SECRET']);
+            const payload = verifyAccessJWT(token, getSecret());
+            if ('session' in payload) {
+                await verifySessionJWT(payload);
+            }
             accountability.role = payload.role;
             accountability.admin = payload.admin_access === true || payload.admin_access == 1;
             accountability.app = payload.app_access === true || payload.app_access == 1;

package/dist/utils/get-secret.d.ts

@@ -0,0 +1,4 @@
+export declare const _cache: {
+    secret: string | null;
+};
+export declare const getSecret: () => string;

package/dist/utils/get-secret.js

@@ -0,0 +1,14 @@
+import { useEnv } from '@directus/env';
+import { nanoid } from 'nanoid';
+export const _cache = { secret: null };
+export const getSecret = () => {
+    if (_cache.secret) {
+        return _cache.secret;
+    }
+    const env = useEnv();
+    if (env['SECRET']) {
+        return env['SECRET'];
+    }
+    _cache.secret = nanoid(32);
+    return _cache.secret;
+};

package/dist/utils/parse-filter-key.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Parses a filter key, returning its field name and function name (if defined) separately.
+ */
+export declare function parseFilterKey(key: string): {
+    fieldName: string;
+    functionName: string | undefined;
+};

package/dist/utils/parse-filter-key.js

@@ -0,0 +1,22 @@
+/**
+ * Result for keys with a function (e.g. `year(date_created)`):
+ * - Group 1: Function (`year`)
+ * - Group 3: Field (`date_created`)
+ *
+ * If group 3 is undefined, it is a key without a function.
+ */
+const FILTER_KEY_REGEX = /^([^()]+)(\(([^)]+)\))?/;
+/**
+ * Parses a filter key, returning its field name and function name (if defined) separately.
+ */
+export function parseFilterKey(key) {
+    const match = key.match(FILTER_KEY_REGEX);
+    const fieldNameWithFunction = match?.[3]?.trim();
+    const fieldName = fieldNameWithFunction || key.trim();
+    let functionName;
+    if (fieldNameWithFunction) {
+        functionName = match?.[1]?.trim();
+        return { fieldName, functionName };
+    }
+    return { fieldName, functionName };
+}

package/dist/utils/parse-numeric-string.d.ts

@@ -0,0 +1,2 @@
+import type { NumericValue } from '@directus/types';
+export declare function parseNumericString(stringValue: string): NumericValue | null;

package/dist/utils/parse-numeric-string.js

@@ -0,0 +1,21 @@
+export function parseNumericString(stringValue) {
+    let number = Number(stringValue);
+    if (isNaN(number) || !Number.isFinite(number)) {
+        return null; // invalid numbers
+    }
+    if (number > Number.MAX_SAFE_INTEGER || number < Number.MIN_SAFE_INTEGER) {
+        try {
+            number = BigInt(stringValue);
+        }
+        catch {
+            // BigInt parsing failed, e.g. it was a float larger than MAX_SAFE_INTEGER
+            return null;
+        }
+    }
+    // casting parsed value back to string should be equal the original value
+    // (prevent unintended number parsing, e.g. String(7) !== "ob111")
+    if (String(number) !== stringValue) {
+        return null;
+    }
+    return number;
+}

package/dist/utils/sanitize-query.js

@@ -1,4 +1,5 @@
 import { useEnv } from '@directus/env';
+import { InvalidQueryError } from '@directus/errors';
 import { parseFilter, parseJSON } from '@directus/utils';
 import { flatten, get, isPlainObject, merge, set } from 'lodash-es';
 import { useLogger } from '../logger.js';
@@ -106,17 +107,21 @@ function sanitizeAggregate(rawAggregate) {
     return aggregate;
 }
 function sanitizeFilter(rawFilter, accountability) {
-    const logger = useLogger();
     let filters = rawFilter;
-    if (typeof rawFilter === 'string') {
+    if (typeof filters === 'string') {
         try {
-            filters = parseJSON(rawFilter);
+            filters = parseJSON(filters);
         }
         catch {
-            logger.warn('Invalid value passed for filter query parameter.');
+            throw new InvalidQueryError({ reason: 'Invalid JSON for filter object' });
         }
     }
-    return parseFilter(filters, accountability);
+    try {
+        return parseFilter(filters, accountability);
+    }
+    catch {
+        throw new InvalidQueryError({ reason: 'Invalid filter object' });
+    }
 }
 function sanitizeLimit(rawLimit) {
     if (rawLimit === undefined || rawLimit === null)

package/dist/utils/transaction.d.ts

@@ -1,4 +1,4 @@
-import type { Knex } from 'knex';
+import { type Knex } from 'knex';
 /**
  * Execute the given handler within the current transaction or a newly created one
  * if the current knex state isn't a transaction yet.

package/dist/utils/transaction.js

@@ -1,3 +1,6 @@
+import {} from 'knex';
+import { getDatabaseClient } from '../database/index.js';
+import { useLogger } from '../logger.js';
 /**
  * Execute the given handler within the current transaction or a newly created one
  * if the current knex state isn't a transaction yet.
@@ -5,11 +8,45 @@
  * Can be used to ensure the handler is run within a transaction,
  * while preventing nested transactions.
  */
-export const transaction = (knex, handler) => {
+export const transaction = async (knex, handler) => {
     if (knex.isTransaction) {
         return handler(knex);
     }
     else {
-        return knex.transaction((trx) => handler(trx));
+        try {
+            return await knex.transaction((trx) => handler(trx));
+        }
+        catch (error) {
+            const client = getDatabaseClient(knex);
+            /**
+             * This error code indicates that the transaction failed due to another
+             * concurrent or recent transaction attempting to write to the same data.
+             * This can usually be solved by restarting the transaction on client-side
+             * after a short delay, so that it is executed against the latest state.
+             *
+             * @link https://www.cockroachlabs.com/docs/stable/transaction-retry-error-reference
+             */
+            const COCKROACH_RETRY_ERROR_CODE = '40001';
+            if (client !== 'cockroachdb' || error?.code !== COCKROACH_RETRY_ERROR_CODE)
+                throw error;
+            const MAX_ATTEMPTS = 3;
+            const BASE_DELAY = 100;
+            const logger = useLogger();
+            for (let attempt = 0; attempt < MAX_ATTEMPTS; ++attempt) {
+                const delay = 2 ** attempt * BASE_DELAY;
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                logger.trace(`Restarting failed transaction (attempt ${attempt + 1}/${MAX_ATTEMPTS})`);
+                try {
+                    return await knex.transaction((trx) => handler(trx));
+                }
+                catch (error) {
+                    if (error?.code !== COCKROACH_RETRY_ERROR_CODE)
+                        throw error;
+                }
+            }
+            /** Initial execution + additional attempts */
+            const attempts = 1 + MAX_ATTEMPTS;
+            throw new Error(`Transaction failed after ${attempts} attempts`, { cause: error });
+        }
     }
 };

package/dist/utils/validate-query.js

@@ -42,8 +42,6 @@ export function validateQuery(query) {
     return query;
 }
 function validateFilter(filter) {
-    if (!filter)
-        throw new InvalidQueryError({ reason: 'Invalid filter object' });
     for (const [key, nested] of Object.entries(filter)) {
         if (key === '_and' || key === '_or') {
             nested.forEach(validateFilter);

package/dist/utils/verify-session-jwt.d.ts

@@ -0,0 +1,7 @@
+import type { DirectusTokenPayload } from '../types/index.js';
+/**
+ * Verifies the associated session is still available and valid.
+ *
+ * @throws If session not found.
+ */
+export declare function verifySessionJWT(payload: DirectusTokenPayload): Promise<void>;

package/dist/utils/verify-session-jwt.js

@@ -0,0 +1,22 @@
+import getDatabase from '../database/index.js';
+import { InvalidCredentialsError } from '@directus/errors';
+/**
+ * Verifies the associated session is still available and valid.
+ *
+ * @throws If session not found.
+ */
+export async function verifySessionJWT(payload) {
+    const database = getDatabase();
+    const session = await database
+        .select(1)
+        .from('directus_sessions')
+        .where({
+        token: payload['session'],
+        user: payload['id'],
+    })
+        .andWhere('expires', '>=', new Date())
+        .first();
+    if (!session) {
+        throw new InvalidCredentialsError();
+    }
+}