@directus/api 19.1.0 → 19.2.0

package/dist/controllers/users.js

@@ -358,6 +358,7 @@ router.post('/:pk/tfa/disable', asyncHandler(async (req, _res, next) => {
 const registerSchema = Joi.object({
     email: Joi.string().email().required(),
     password: Joi.string().required(),
+    verification_url: Joi.string().uri(),
     first_name: Joi.string(),
     last_name: Joi.string(),
 });

package/dist/controllers/utils.js

@@ -12,13 +12,15 @@ import asyncHandler from '../utils/async-handler.js';
 import { generateHash } from '../utils/generate-hash.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
 const router = Router();
+const randomStringSchema = Joi.object({
+    length: Joi.number().integer().min(1).max(500).default(32),
+});
 router.get('/random/string', asyncHandler(async (req, res) => {
     const { nanoid } = await import('nanoid');
-    if (req.query && req.query['length'] && Number(req.query['length']) > 500) {
-        throw new InvalidQueryError({ reason: `"length" can't be more than 500 characters` });
-    }
-    const string = nanoid(req.query?.['length'] ? Number(req.query['length']) : 32);
-    return res.json({ data: string });
+    const { error, value } = randomStringSchema.validate(req.query, { allowUnknown: true });
+    if (error)
+        throw new InvalidQueryError({ reason: error.message });
+    return res.json({ data: nanoid(value.length) });
 }));
 router.post('/hash/generate', asyncHandler(async (req, res) => {
     if (!req.body?.string) {

package/dist/database/helpers/fn/types.js

@@ -14,13 +14,21 @@ export class FnHelper extends DatabaseHelper {
         if (!relation) {
             throw new Error(`Field ${collectionName}.${column} isn't a nested relational collection`);
         }
+        // generate a unique alias for the relation collection, to prevent collisions in self referencing relations
         const alias = generateAlias();
         let countQuery = this.knex
             .count('*')
             .from({ [alias]: relation.collection })
             .where(this.knex.raw(`??.??`, [alias, relation.field]), '=', this.knex.raw(`??.??`, [table, currentPrimary]));
         if (options?.query?.filter) {
-            countQuery = applyFilter(this.knex, this.schema, countQuery, options.query.filter, relation.collection, {}).query;
+            // set the newly aliased collection in the alias map as the default parent collection, indicated by '', for any nested filters
+            const aliasMap = {
+                '': {
+                    alias,
+                    collection: relation.collection,
+                },
+            };
+            countQuery = applyFilter(this.knex, this.schema, countQuery, options.query.filter, relation.collection, aliasMap).query;
         }
         return this.knex.raw('(' + countQuery.toQuery() + ')');
     }

package/dist/database/migrations/20240515A-add-session-window.d.ts

@@ -0,0 +1,3 @@
+import type { Knex } from 'knex';
+export declare function up(knex: Knex): Promise<void>;
+export declare function down(knex: Knex): Promise<void>;

package/dist/database/migrations/20240515A-add-session-window.js

@@ -0,0 +1,10 @@
+export async function up(knex) {
+    await knex.schema.alterTable('directus_sessions', (table) => {
+        table.string('next_token', 64).nullable();
+    });
+}
+export async function down(knex) {
+    await knex.schema.alterTable('directus_sessions', (table) => {
+        table.dropColumn('next_token');
+    });
+}

package/dist/middleware/authenticate.d.ts

@@ -4,6 +4,6 @@ import type { NextFunction, Request, Response } from 'express';
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */
-export declare const handler: (req: Request, _res: Response, next: NextFunction) => Promise<void>;
+export declare const handler: (req: Request, res: Response, next: NextFunction) => Promise<void>;
 declare const _default: (req: Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>, res: Response<any, Record<string, any>>, next: NextFunction) => Promise<void>;
 export default _default;

package/dist/middleware/authenticate.js

@@ -4,10 +4,14 @@ import emitter from '../emitter.js';
 import asyncHandler from '../utils/async-handler.js';
 import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
 import { getIPFromReq } from '../utils/get-ip-from-req.js';
+import { ErrorCode, isDirectusError } from '@directus/errors';
+import { useEnv } from '@directus/env';
+import { SESSION_COOKIE_OPTIONS } from '../constants.js';
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */
-export const handler = async (req, _res, next) => {
+export const handler = async (req, res, next) => {
+    const env = useEnv();
     const defaultAccountability = {
         user: null,
         role: null,
@@ -33,7 +37,18 @@ export const handler = async (req, _res, next) => {
         req.accountability = customAccountability;
         return next();
     }
-    req.accountability = await getAccountabilityForToken(req.token, defaultAccountability);
+    try {
+        req.accountability = await getAccountabilityForToken(req.token, defaultAccountability);
+    }
+    catch (err) {
+        if (isDirectusError(err, ErrorCode.InvalidCredentials) || isDirectusError(err, ErrorCode.InvalidToken)) {
+            if (req.cookies[env['SESSION_COOKIE_NAME']] === req.token) {
+                // clear the session token if ended up in an invalid state
+                res.clearCookie(env['SESSION_COOKIE_NAME'], SESSION_COOKIE_OPTIONS);
+            }
+        }
+        throw err;
+    }
     return next();
 };
 export default asyncHandler(handler);

package/dist/services/authentication.d.ts

@@ -21,6 +21,7 @@ export declare class AuthenticationService {
     refresh(refreshToken: string, options?: Partial<{
         session: boolean;
     }>): Promise<LoginResult>;
+    private updateStatefulSession;
     logout(refreshToken: string): Promise<void>;
     verifyPassword(userID: string, password: string): Promise<void>;
 }

package/dist/services/authentication.js

@@ -207,6 +207,7 @@ export class AuthenticationService {
         const record = await this.knex
             .select({
             session_expires: 's.expires',
+            session_next_token: 's.next_token',
             user_id: 'u.id',
             user_first_name: 'u.first_name',
             user_last_name: 'u.last_name',
@@ -274,8 +275,9 @@ export class AuthenticationService {
                 admin_access: record.role_admin_access,
             });
         }
-        const newRefreshToken = nanoid(64);
-        const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
+        let newRefreshToken = record.session_next_token ?? nanoid(64);
+        const sessionDuration = env[options?.session ? 'SESSION_COOKIE_TTL' : 'REFRESH_TOKEN_TTL'];
+        const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
             role: record.role_id,
@@ -283,8 +285,18 @@ export class AuthenticationService {
             admin_access: record.role_admin_access,
         };
         if (options?.session) {
+            newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);
             tokenPayload.session = newRefreshToken;
         }
+        else {
+            // Original stateless token behavior
+            await this.knex('directus_sessions')
+                .update({
+                token: newRefreshToken,
+                expires: refreshTokenExpiration,
+            })
+                .where({ token: refreshToken });
+        }
         if (record.share_id) {
             tokenPayload.share = record.share_id;
             tokenPayload.role = record.share_role;
@@ -311,15 +323,14 @@ export class AuthenticationService {
             expiresIn: TTL,
             issuer: 'directus',
         });
-        await this.knex('directus_sessions')
-            .update({
-            token: newRefreshToken,
-            expires: refreshTokenExpiration,
-        })
-            .where({ token: refreshToken });
         if (record.user_id) {
             await this.knex('directus_users').update({ last_access: new Date() }).where({ id: record.user_id });
         }
+        // Clear expired sessions for the current user
+        await this.knex('directus_sessions')
+            .delete()
+            .where('user', '=', record.user_id)
+            .andWhere('expires', '<', new Date());
         return {
             accessToken,
             refreshToken: newRefreshToken,
@@ -327,6 +338,47 @@ export class AuthenticationService {
             id: record.user_id,
         };
     }
+    async updateStatefulSession(sessionRecord, oldSessionToken, newSessionToken, sessionExpiration) {
+        if (sessionRecord['session_next_token']) {
+            // The current session token was already refreshed and has a reference
+            // to the new session, update the new session timeout for the new refresh
+            await this.knex('directus_sessions')
+                .update({
+                expires: sessionExpiration,
+            })
+                .where({ token: newSessionToken });
+            return newSessionToken;
+        }
+        // Keep the old session active for a short period of time
+        const GRACE_PERIOD = getMilliseconds(env['SESSION_REFRESH_GRACE_PERIOD'], 10_000);
+        // Update the existing session record to have a short safety timeout
+        // before expiring, and add the reference to the new session token
+        const updatedSession = await this.knex('directus_sessions')
+            .update({
+            next_token: newSessionToken,
+            expires: new Date(Date.now() + GRACE_PERIOD),
+        }, ['next_token'])
+            .where({ token: oldSessionToken, next_token: null });
+        if (updatedSession.length === 0) {
+            // Don't create a new session record, we already have a "next_token" reference
+            const { next_token } = await this.knex('directus_sessions')
+                .select('next_token')
+                .where({ token: oldSessionToken })
+                .first();
+            return next_token;
+        }
+        // Instead of updating the current session record with a new token,
+        // create a new copy with the new token
+        await this.knex('directus_sessions').insert({
+            token: newSessionToken,
+            user: sessionRecord['user_id'],
+            expires: sessionExpiration,
+            ip: this.accountability?.ip,
+            user_agent: this.accountability?.userAgent,
+            origin: this.accountability?.origin,
+        });
+        return newSessionToken;
+    }
     async logout(refreshToken) {
         const record = await this.knex
             .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'u.provider', 'u.external_identifier', 'u.auth_data')

package/dist/services/extensions.js

@@ -188,16 +188,19 @@ export class ExtensionsService {
      *    - Entry status change resulted in all children being disabled then the parent bundle is disabled
      *    - Entry status change resulted in at least one child being enabled then the parent bundle is enabled
      */
-    async checkBundleAndSyncStatus(trx, bundleId, extension) {
+    async checkBundleAndSyncStatus(trx, extensionId, extension) {
         if (extension.bundle === null && extension.schema?.type === 'bundle') {
             // If extension is the parent bundle, set it and all nested extensions to enabled
             await trx('directus_extensions')
                 .update({ enabled: extension.meta.enabled })
-                .where({ bundle: bundleId })
-                .orWhere({ id: bundleId });
+                .where({ bundle: extensionId })
+                .orWhere({ id: extensionId });
             return;
         }
-        const parent = await this.readOne(bundleId);
+        const parentId = extension.bundle ?? extension.meta.bundle;
+        if (!parentId)
+            return;
+        const parent = await this.readOne(parentId);
         if (parent.schema?.type !== 'bundle') {
             return;
         }
@@ -207,14 +210,14 @@ export class ExtensionsService {
             });
         }
         const hasEnabledChildren = !!(await trx('directus_extensions')
-            .where({ bundle: bundleId })
+            .where({ bundle: parentId })
             .where({ enabled: true })
             .first());
         if (hasEnabledChildren) {
-            await trx('directus_extensions').update({ enabled: true }).where({ id: bundleId });
+            await trx('directus_extensions').update({ enabled: true }).where({ id: parentId });
         }
         else {
-            await trx('directus_extensions').update({ enabled: false }).where({ id: bundleId });
+            await trx('directus_extensions').update({ enabled: false }).where({ id: parentId });
         }
     }
 }

package/dist/services/graphql/index.js

@@ -47,6 +47,7 @@ import { GraphQLStringOrFloat } from './types/string-or-float.js';
 import { GraphQLVoid } from './types/void.js';
 import { addPathToValidationError } from './utils/add-path-to-validation-error.js';
 import processError from './utils/process-error.js';
+import { sanitizeGraphqlSchema } from './utils/sanitize-gql-schema.js';
 const env = useEnv();
 const validationRules = Array.from(specifiedRules);
 if (env['GRAPHQL_INTROSPECTION'] === false) {
@@ -115,19 +116,20 @@ export class GraphQLService {
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new SchemaComposer();
+        const sanitizedSchema = sanitizeGraphqlSchema(this.schema);
         const schema = {
             read: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['read']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['read']),
             create: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['create']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['create']),
             update: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['update']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['update']),
             delete: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['delete']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['delete']),
         };
         const subscriptionEventType = schemaComposer.createEnumTC({
             name: 'EventEnum',
@@ -2074,10 +2076,10 @@ export class GraphQLService {
                 },
                 resolve: async (_, args) => {
                     const { nanoid } = await import('nanoid');
-                    if (args['length'] && Number(args['length']) > 500) {
-                        throw new InvalidPayloadError({ reason: `"length" can't be more than 500 characters` });
+                    if (args['length'] !== undefined && (args['length'] < 1 || args['length'] > 500)) {
+                        throw new InvalidPayloadError({ reason: `"length" must be between 1 and 500` });
                     }
-                    return nanoid(args['length'] ? Number(args['length']) : 32);
+                    return nanoid(args['length'] ? args['length'] : 32);
                 },
             },
             utils_hash_generate: {
@@ -2162,6 +2164,7 @@ export class GraphQLService {
                 args: {
                     email: new GraphQLNonNull(GraphQLString),
                     password: new GraphQLNonNull(GraphQLString),
+                    verification_url: GraphQLString,
                     first_name: GraphQLString,
                     last_name: GraphQLString,
                 },
@@ -2174,6 +2177,7 @@ export class GraphQLService {
                     await service.registerUser({
                         email: args.email,
                         password: args.password,
+                        verification_url: args.verification_url,
                         first_name: args.first_name,
                         last_name: args.last_name,
                     });

package/dist/services/graphql/utils/sanitize-gql-schema.d.ts

@@ -0,0 +1,8 @@
+import type { SchemaOverview } from '@directus/types';
+/**
+ * Filters out invalid collections to prevent graphql from errorring on schema generation
+ *
+ * @param schema
+ * @returns sanitized schema
+ */
+export declare function sanitizeGraphqlSchema(schema: SchemaOverview): SchemaOverview;

package/dist/services/graphql/utils/sanitize-gql-schema.js

@@ -0,0 +1,80 @@
+import { useLogger } from '../../../logger.js';
+/**
+ * Regex was taken from the spec
+ * https://spec.graphql.org/June2018/#sec-Names
+ */
+const GRAPHQL_NAME_REGEX = /^[_A-Za-z][_0-9A-Za-z]*$/;
+/**
+ * Manually curated list of GraphQL reserved names to cover the most likely naming footguns.
+ * This list is not exhaustive and does not cover generated type names.
+ */
+const GRAPHQL_RESERVED_NAMES = [
+    'Subscription',
+    'Query',
+    'Mutation',
+    'Int',
+    'Float',
+    'String',
+    'Boolean',
+    'DateTime',
+    'ID',
+    'uid',
+    'Point',
+    'PointList',
+    'Polygon',
+    'MultiPolygon',
+    'JSON',
+    'Hash',
+    'Date',
+    'Void',
+];
+/**
+ * Filters out invalid collections to prevent graphql from errorring on schema generation
+ *
+ * @param schema
+ * @returns sanitized schema
+ */
+export function sanitizeGraphqlSchema(schema) {
+    const logger = useLogger();
+    const collections = Object.entries(schema.collections).filter(([collectionName, _data]) => {
+        // double underscore __ is reserved for GraphQL introspection
+        if (collectionName.startsWith('__') || !collectionName.match(GRAPHQL_NAME_REGEX)) {
+            logger.warn(`GraphQL skipping collection "${collectionName}" because it is not a valid name matching /^[_A-Za-z][_0-9A-Za-z]*$/ or starts with __`);
+            return false;
+        }
+        if (GRAPHQL_RESERVED_NAMES.includes(collectionName)) {
+            logger.warn(`GraphQL skipping collection "${collectionName}" because it is a reserved keyword`);
+            return false;
+        }
+        return true;
+    });
+    schema.collections = Object.fromEntries(collections);
+    const collectionExists = (collection) => Boolean(schema.collections[collection]);
+    const skipRelation = (relation) => {
+        const relationName = relation.schema?.constraint_name ?? `${relation.collection}.${relation.field}`;
+        logger.warn(`GraphQL skipping relation "${relationName}" because it links to a non-existent or invalid collection.`);
+        return false;
+    };
+    schema.relations = schema.relations.filter((relation) => {
+        if (relation.collection && !collectionExists(relation.collection)) {
+            return skipRelation(relation);
+        }
+        if (relation.related_collection && !collectionExists(relation.related_collection)) {
+            return skipRelation(relation);
+        }
+        if (relation.meta) {
+            if (relation.meta.many_collection && !collectionExists(relation.meta.many_collection)) {
+                return skipRelation(relation);
+            }
+            if (relation.meta.one_collection && !collectionExists(relation.meta.one_collection)) {
+                return skipRelation(relation);
+            }
+            if (relation.meta.one_allowed_collections &&
+                relation.meta.one_allowed_collections.some((allowed_collection) => !collectionExists(allowed_collection))) {
+                return skipRelation(relation);
+            }
+        }
+        return true;
+    });
+    return schema;
+}

package/dist/services/users.d.ts

@@ -23,7 +23,7 @@ export declare class UsersService extends ItemsService {
      */
     private getUserByEmail;
     /**
-     * Create url for inviting users
+     * Create URL for inviting users
      */
     private inviteUrl;
     /**

package/dist/services/users.js

@@ -126,14 +126,14 @@ export class UsersService extends ItemsService {
             .first();
     }
     /**
-     * Create url for inviting users
+     * Create URL for inviting users
      */
     inviteUrl(email, url) {
         const payload = { email, scope: 'invite' };
         const token = jwt.sign(payload, getSecret(), { expiresIn: '7d', issuer: 'directus' });
-        const inviteURL = url ? new Url(url) : new Url(env['PUBLIC_URL']).addPath('admin', 'accept-invite');
-        inviteURL.setQuery('token', token);
-        return inviteURL.toString();
+        return (url ? new Url(url) : new Url(env['PUBLIC_URL']).addPath('admin', 'accept-invite'))
+            .setQuery('token', token)
+            .toString();
     }
     /**
      * Validate array of emails. Intended to be used with create/update users
@@ -314,7 +314,7 @@ export class UsersService extends ItemsService {
         const opts = {};
         try {
             if (url && isUrlAllowed(url, env['USER_INVITE_URL_ALLOW_LIST']) === false) {
-                throw new InvalidPayloadError({ reason: `Url "${url}" can't be used to invite users` });
+                throw new InvalidPayloadError({ reason: `URL "${url}" can't be used to invite users` });
             }
         }
         catch (err) {
@@ -373,6 +373,12 @@ export class UsersService extends ItemsService {
         await service.updateOne(user.id, { password, status: 'active' });
     }
     async registerUser(input) {
+        if (input.verification_url &&
+            isUrlAllowed(input.verification_url, env['USER_REGISTER_URL_ALLOW_LIST']) === false) {
+            throw new InvalidPayloadError({
+                reason: `URL "${input.verification_url}" can't be used to verify registered users`,
+            });
+        }
         const STALL_TIME = env['REGISTER_STALL_TIME'];
         const timeStart = performance.now();
         const serviceOptions = { accountability: this.accountability, schema: this.schema };
@@ -424,9 +430,11 @@ export class UsersService extends ItemsService {
                 expiresIn: env['EMAIL_VERIFICATION_TOKEN_TTL'],
                 issuer: 'directus',
             });
-            const verificationURL = new Url(env['PUBLIC_URL'])
-                .addPath('users', 'register', 'verify-email')
-                .setQuery('token', token);
+            const verificationUrl = (input.verification_url
+                ? new Url(input.verification_url)
+                : new Url(env['PUBLIC_URL']).addPath('users', 'register', 'verify-email'))
+                .setQuery('token', token)
+                .toString();
             mailService
                 .send({
                 to: input.email,
@@ -434,7 +442,7 @@ export class UsersService extends ItemsService {
                 template: {
                     name: 'user-registration',
                     data: {
-                        url: verificationURL.toString(),
+                        url: verificationUrl,
                         email: input.email,
                         first_name,
                         last_name,
@@ -467,7 +475,7 @@ export class UsersService extends ItemsService {
             throw new ForbiddenError();
         }
         if (url && isUrlAllowed(url, env['PASSWORD_RESET_URL_ALLOW_LIST']) === false) {
-            throw new InvalidPayloadError({ reason: `Url "${url}" can't be used to reset passwords` });
+            throw new InvalidPayloadError({ reason: `URL "${url}" can't be used to reset passwords` });
         }
         const mailService = new MailService({
             schema: this.schema,
@@ -476,9 +484,9 @@ export class UsersService extends ItemsService {
         });
         const payload = { email: user.email, scope: 'password-reset', hash: getSimpleHash('' + user.password) };
         const token = jwt.sign(payload, getSecret(), { expiresIn: '1d', issuer: 'directus' });
-        const acceptURL = url
-            ? new Url(url).setQuery('token', token).toString()
-            : new Url(env['PUBLIC_URL']).addPath('admin', 'reset-password').setQuery('token', token).toString();
+        const acceptUrl = (url ? new Url(url) : new Url(env['PUBLIC_URL']).addPath('admin', 'reset-password'))
+            .setQuery('token', token)
+            .toString();
         const subjectLine = subject ? subject : 'Password Reset Request';
         mailService
             .send({
@@ -487,7 +495,7 @@ export class UsersService extends ItemsService {
             template: {
                 name: 'password-reset',
                 data: {
-                    url: acceptURL,
+                    url: acceptUrl,
                     email: user.email,
                 },
             },

package/dist/utils/apply-query.js

@@ -347,7 +347,8 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
             else {
                 const { type, special } = getFilterType(schema.collections[collection].fields, filterPath[0], collection);
                 validateFilterOperator(type, filterOperator, special);
-                applyFilterToQuery(`${collection}.${filterPath[0]}`, filterOperator, filterValue, logical);
+                const aliasedCollection = aliasMap['']?.alias || collection;
+                applyFilterToQuery(`${aliasedCollection}.${filterPath[0]}`, filterOperator, filterValue, logical, collection);
             }
         }
         function getFilterType(fields, key, collection = 'unknown') {
@@ -422,7 +423,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                 const functionName = column.split('(')[0];
                 const type = getOutputTypeForFunction(functionName);
                 if (['integer', 'float', 'decimal'].includes(type)) {
-                    compareValue = Number(compareValue);
+                    compareValue = Array.isArray(compareValue) ? compareValue.map(Number) : Number(compareValue);
                 }
             }
             // Cast filter value (compareValue) based on type of field being filtered against
@@ -520,19 +521,19 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                 dbQuery[logical].whereNotIn(selectionRaw, value);
             }
             if (operator === '_between') {
-                if (compareValue.length !== 2)
-                    return;
                 let value = compareValue;
                 if (typeof value === 'string')
                     value = value.split(',');
+                if (value.length !== 2)
+                    return;
                 dbQuery[logical].whereBetween(selectionRaw, value);
             }
             if (operator === '_nbetween') {
-                if (compareValue.length !== 2)
-                    return;
                 let value = compareValue;
                 if (typeof value === 'string')
                     value = value.split(',');
+                if (value.length !== 2)
+                    return;
                 dbQuery[logical].whereNotBetween(selectionRaw, value);
             }
             if (operator == '_intersects') {

package/dist/utils/verify-session-jwt.js

@@ -1,5 +1,5 @@
 import getDatabase from '../database/index.js';
-import { InvalidTokenError } from '@directus/errors';
+import { InvalidCredentialsError } from '@directus/errors';
 /**
  * Verifies the associated session is still available and valid.
  *
@@ -17,6 +17,6 @@ export async function verifySessionJWT(payload) {
         .andWhere('expires', '>=', new Date())
         .first();
     if (!session) {
-        throw new InvalidTokenError();
+        throw new InvalidCredentialsError();
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "19.1.0",
+  "version": "19.2.0",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -67,7 +67,7 @@
     "@types/cookie": "0.6.0",
     "argon2": "0.40.1",
     "async": "3.2.5",
-    "axios": "1.6.8",
+    "axios": "1.7.2",
     "busboy": "1.6.0",
     "bytes": "3.1.2",
     "camelcase": "8.0.0",
@@ -92,11 +92,11 @@
     "fs-extra": "11.2.0",
     "glob-to-regexp": "0.4.1",
     "graphql": "16.8.1",
-    "graphql-compose": "9.0.10",
+    "graphql-compose": "9.0.11",
     "graphql-ws": "5.16.0",
     "helmet": "7.1.0",
     "icc": "3.0.0",
-    "inquirer": "9.2.20",
+    "inquirer": "9.2.22",
     "ioredis": "5.4.1",
     "ip-matching": "2.1.2",
     "isolated-vm": "4.7.2",
@@ -140,35 +140,35 @@
     "sharp": "0.33.3",
     "snappy": "7.2.2",
     "stream-json": "1.8.0",
-    "tar": "7.0.1",
+    "tar": "7.1.0",
     "tsx": "4.9.3",
     "wellknown": "0.5.0",
     "ws": "8.17.0",
-    "zod": "3.23.6",
+    "zod": "3.23.8",
     "zod-validation-error": "3.2.0",
-    "@directus/app": "12.1.0",
-    "@directus/env": "1.1.3",
-    "@directus/errors": "0.3.0",
-    "@directus/extensions": "1.0.4",
+    "@directus/app": "12.1.2",
     "@directus/constants": "11.0.4",
-    "@directus/extensions-registry": "1.0.4",
-    "@directus/extensions-sdk": "11.0.4",
-    "@directus/format-title": "10.1.2",
-    "@directus/memory": "1.0.7",
+    "@directus/env": "1.1.5",
+    "@directus/errors": "0.3.1",
+    "@directus/extensions": "1.0.6",
+    "@directus/extensions-registry": "1.0.6",
+    "@directus/extensions-sdk": "11.0.6",
+    "@directus/memory": "1.0.8",
     "@directus/pressure": "1.0.19",
-    "@directus/specs": "10.2.9",
     "@directus/schema": "11.0.2",
-    "@directus/storage": "10.0.12",
-    "@directus/storage-driver-azure": "10.0.20",
-    "@directus/storage-driver-cloudinary": "10.0.20",
-    "@directus/storage-driver-gcs": "10.0.20",
-    "@directus/storage-driver-local": "10.0.19",
-    "@directus/storage-driver-supabase": "1.0.12",
-    "@directus/storage-driver-s3": "10.0.21",
+    "@directus/specs": "10.2.9",
+    "@directus/format-title": "10.1.2",
+    "@directus/storage": "10.0.13",
+    "@directus/storage-driver-cloudinary": "10.0.21",
+    "@directus/storage-driver-azure": "10.0.21",
+    "@directus/storage-driver-gcs": "10.0.22",
+    "@directus/storage-driver-local": "10.0.20",
+    "@directus/storage-driver-supabase": "1.0.13",
     "@directus/system-data": "1.0.3",
+    "@directus/storage-driver-s3": "10.0.22",
     "@directus/utils": "11.0.8",
-    "@directus/validation": "0.0.15",
-    "directus": "10.11.0"
+    "directus": "10.11.2",
+    "@directus/validation": "0.0.16"
   },
   "devDependencies": {
     "@ngneat/falso": "7.2.0",
@@ -193,7 +193,7 @@
     "@types/lodash-es": "4.17.12",
     "@types/mime-types": "2.1.4",
     "@types/ms": "0.7.34",
-    "@types/node": "18.19.31",
+    "@types/node": "18.19.33",
     "@types/node-schedule": "2.1.7",
     "@types/nodemailer": "6.4.15",
     "@types/object-hash": "3.0.6",
@@ -210,8 +210,8 @@
     "typescript": "5.4.5",
     "vitest": "1.5.3",
     "@directus/random": "0.2.8",
-    "@directus/tsconfig": "1.0.1",
-    "@directus/types": "11.1.1"
+    "@directus/types": "11.1.2",
+    "@directus/tsconfig": "1.0.1"
   },
   "optionalDependencies": {
     "@keyv/redis": "2.8.4",