@directus/api 19.1.1 → 19.3.0

package/dist/controllers/users.js

@@ -358,6 +358,7 @@ router.post('/:pk/tfa/disable', asyncHandler(async (req, _res, next) => {
 const registerSchema = Joi.object({
     email: Joi.string().email().required(),
     password: Joi.string().required(),
+    verification_url: Joi.string().uri(),
     first_name: Joi.string(),
     last_name: Joi.string(),
 });

package/dist/controllers/utils.js

@@ -12,13 +12,15 @@ import asyncHandler from '../utils/async-handler.js';
 import { generateHash } from '../utils/generate-hash.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
 const router = Router();
+const randomStringSchema = Joi.object({
+    length: Joi.number().integer().min(1).max(500).default(32),
+});
 router.get('/random/string', asyncHandler(async (req, res) => {
     const { nanoid } = await import('nanoid');
-    if (req.query && req.query['length'] && Number(req.query['length']) > 500) {
-        throw new InvalidQueryError({ reason: `"length" can't be more than 500 characters` });
-    }
-    const string = nanoid(req.query?.['length'] ? Number(req.query['length']) : 32);
-    return res.json({ data: string });
+    const { error, value } = randomStringSchema.validate(req.query, { allowUnknown: true });
+    if (error)
+        throw new InvalidQueryError({ reason: error.message });
+    return res.json({ data: nanoid(value.length) });
 }));
 router.post('/hash/generate', asyncHandler(async (req, res) => {
     if (!req.body?.string) {

package/dist/database/helpers/index.d.ts

@@ -9,7 +9,7 @@ import * as numberHelpers from './number/index.js';
 export declare function getHelpers(database: Knex): {
     date: dateHelpers.postgres | dateHelpers.oracle | dateHelpers.mysql | dateHelpers.mssql | dateHelpers.sqlite;
     st: geometryHelpers.mysql | geometryHelpers.postgres | geometryHelpers.mssql | geometryHelpers.sqlite | geometryHelpers.oracle | geometryHelpers.redshift;
-    schema: schemaHelpers.mysql | schemaHelpers.cockroachdb | schemaHelpers.mssql | schemaHelpers.postgres | schemaHelpers.sqlite | schemaHelpers.oracle;
+    schema: schemaHelpers.mysql | schemaHelpers.cockroachdb | schemaHelpers.mssql | schemaHelpers.postgres | schemaHelpers.sqlite | schemaHelpers.oracle | schemaHelpers.redshift;
     sequence: sequenceHelpers.mysql | sequenceHelpers.postgres;
     number: numberHelpers.cockroachdb | numberHelpers.mssql | numberHelpers.postgres | numberHelpers.sqlite | numberHelpers.oracle;
 };

package/dist/database/helpers/schema/dialects/cockroachdb.d.ts

@@ -4,4 +4,5 @@ import { SchemaHelper } from '../types.js';
 export declare class SchemaHelperCockroachDb extends SchemaHelper {
     changeToType(table: string, column: string, type: (typeof KNEX_TYPES)[number], options?: Options): Promise<void>;
     constraintName(existingName: string): string;
+    getDatabaseSize(): Promise<number | null>;
 }

package/dist/database/helpers/schema/dialects/cockroachdb.js

@@ -1,4 +1,6 @@
 import { SchemaHelper } from '../types.js';
+import { useEnv } from '@directus/env';
+const env = useEnv();
 export class SchemaHelperCockroachDb extends SchemaHelper {
     async changeToType(table, column, type, options = {}) {
         await this.changeToTypeByCopy(table, column, type, options);
@@ -14,4 +16,15 @@ export class SchemaHelperCockroachDb extends SchemaHelper {
             return existingName + suffix;
         }
     }
+    async getDatabaseSize() {
+        try {
+            const result = await this.knex
+                .select(this.knex.raw('round(SUM(range_size_mb) * 1024 * 1024, 0) AS size'))
+                .from(this.knex.raw('[SHOW RANGES FROM database ??]', [env['DB_DATABASE']]));
+            return result[0]?.['size'] ? Number(result[0]?.['size']) : null;
+        }
+        catch {
+            return null;
+        }
+    }
 }

package/dist/database/helpers/schema/dialects/mssql.d.ts

@@ -4,4 +4,5 @@ export declare class SchemaHelperMSSQL extends SchemaHelper {
     applyLimit(rootQuery: Knex.QueryBuilder, limit: number): void;
     applyOffset(rootQuery: Knex.QueryBuilder, offset: number): void;
     formatUUID(uuid: string): string;
+    getDatabaseSize(): Promise<number | null>;
 }

package/dist/database/helpers/schema/dialects/mssql.js

@@ -17,4 +17,13 @@ export class SchemaHelperMSSQL extends SchemaHelper {
     formatUUID(uuid) {
         return uuid.toUpperCase();
     }
+    async getDatabaseSize() {
+        try {
+            const result = await this.knex.raw('SELECT SUM(size) * 8192 AS size FROM sys.database_files;');
+            return result[0]?.['size'] ? Number(result[0]?.['size']) : null;
+        }
+        catch {
+            return null;
+        }
+    }
 }

package/dist/database/helpers/schema/dialects/mysql.d.ts

@@ -2,4 +2,5 @@ import type { Knex } from 'knex';
 import { SchemaHelper } from '../types.js';
 export declare class SchemaHelperMySQL extends SchemaHelper {
     applyMultiRelationalSort(knex: Knex, dbQuery: Knex.QueryBuilder, table: string, primaryKey: string, orderByString: string, orderByFields: Knex.Raw[]): Knex.QueryBuilder;
+    getDatabaseSize(): Promise<number | null>;
 }

package/dist/database/helpers/schema/dialects/mysql.js

@@ -1,5 +1,7 @@
+import { useEnv } from '@directus/env';
 import { getDatabaseVersion } from '../../../index.js';
 import { SchemaHelper } from '../types.js';
+const env = useEnv();
 export class SchemaHelperMySQL extends SchemaHelper {
     applyMultiRelationalSort(knex, dbQuery, table, primaryKey, orderByString, orderByFields) {
         if (getDatabaseVersion()?.startsWith('5.7')) {
@@ -11,4 +13,19 @@ export class SchemaHelperMySQL extends SchemaHelper {
         }
         return super.applyMultiRelationalSort(knex, dbQuery, table, primaryKey, orderByString, orderByFields);
     }
+    async getDatabaseSize() {
+        try {
+            const result = (await this.knex
+                .sum('size AS size')
+                .from(this.knex
+                .select(this.knex.raw('data_length + index_length AS size'))
+                .from('information_schema.TABLES')
+                .where('table_schema', '=', String(env['DB_DATABASE']))
+                .as('size')));
+            return result[0]?.['size'] ? Number(result[0]?.['size']) : null;
+        }
+        catch {
+            return null;
+        }
+    }
 }

package/dist/database/helpers/schema/dialects/oracle.d.ts

@@ -7,4 +7,5 @@ export declare class SchemaHelperOracle extends SchemaHelper {
     castA2oPrimaryKey(): string;
     preRelationChange(relation: Partial<Relation>): void;
     processFieldType(field: Field): Type;
+    getDatabaseSize(): Promise<number | null>;
 }

package/dist/database/helpers/schema/dialects/oracle.js

@@ -29,4 +29,13 @@ export class SchemaHelperOracle extends SchemaHelper {
         }
         return field.type;
     }
+    async getDatabaseSize() {
+        try {
+            const result = await this.knex.raw('select SUM(bytes) from dba_segments');
+            return result[0]?.['SUM(BYTES)'] ? Number(result[0]?.['SUM(BYTES)']) : null;
+        }
+        catch {
+            return null;
+        }
+    }
 }

package/dist/database/helpers/schema/dialects/postgres.d.ts

@@ -0,0 +1,4 @@
+import { SchemaHelper } from '../types.js';
+export declare class SchemaHelperPostgres extends SchemaHelper {
+    getDatabaseSize(): Promise<number | null>;
+}

package/dist/database/helpers/schema/dialects/postgres.js

@@ -0,0 +1,14 @@
+import { useEnv } from '@directus/env';
+import { SchemaHelper } from '../types.js';
+const env = useEnv();
+export class SchemaHelperPostgres extends SchemaHelper {
+    async getDatabaseSize() {
+        try {
+            const result = await this.knex.select(this.knex.raw(`pg_database_size(?) as size;`, [env['DB_DATABASE']]));
+            return result[0]?.['size'] ? Number(result[0]?.['size']) : null;
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/database/helpers/schema/dialects/sqlite.d.ts

@@ -2,4 +2,5 @@ import { SchemaHelper } from '../types.js';
 export declare class SchemaHelperSQLite extends SchemaHelper {
     preColumnChange(): Promise<boolean>;
     postColumnChange(): Promise<void>;
+    getDatabaseSize(): Promise<number | null>;
 }

package/dist/database/helpers/schema/dialects/sqlite.js

@@ -10,4 +10,13 @@ export class SchemaHelperSQLite extends SchemaHelper {
     async postColumnChange() {
         await this.knex.raw('PRAGMA foreign_keys = ON');
     }
+    async getDatabaseSize() {
+        try {
+            const result = await this.knex.raw('SELECT page_count * page_size as "size" FROM pragma_page_count(), pragma_page_size();');
+            return result[0]?.['size'] ? Number(result[0]?.['size']) : null;
+        }
+        catch {
+            return null;
+        }
+    }
 }

package/dist/database/helpers/schema/index.d.ts

@@ -1,7 +1,7 @@
-export { SchemaHelperDefault as postgres } from './dialects/default.js';
 export { SchemaHelperCockroachDb as cockroachdb } from './dialects/cockroachdb.js';
 export { SchemaHelperDefault as redshift } from './dialects/default.js';
+export { SchemaHelperMSSQL as mssql } from './dialects/mssql.js';
+export { SchemaHelperMySQL as mysql } from './dialects/mysql.js';
 export { SchemaHelperOracle as oracle } from './dialects/oracle.js';
+export { SchemaHelperPostgres as postgres } from './dialects/postgres.js';
 export { SchemaHelperSQLite as sqlite } from './dialects/sqlite.js';
-export { SchemaHelperMySQL as mysql } from './dialects/mysql.js';
-export { SchemaHelperMSSQL as mssql } from './dialects/mssql.js';

package/dist/database/helpers/schema/index.js

@@ -1,7 +1,7 @@
-export { SchemaHelperDefault as postgres } from './dialects/default.js';
 export { SchemaHelperCockroachDb as cockroachdb } from './dialects/cockroachdb.js';
 export { SchemaHelperDefault as redshift } from './dialects/default.js';
+export { SchemaHelperMSSQL as mssql } from './dialects/mssql.js';
+export { SchemaHelperMySQL as mysql } from './dialects/mysql.js';
 export { SchemaHelperOracle as oracle } from './dialects/oracle.js';
+export { SchemaHelperPostgres as postgres } from './dialects/postgres.js';
 export { SchemaHelperSQLite as sqlite } from './dialects/sqlite.js';
-export { SchemaHelperMySQL as mysql } from './dialects/mysql.js';
-export { SchemaHelperMSSQL as mssql } from './dialects/mssql.js';

package/dist/database/helpers/schema/types.d.ts

@@ -23,4 +23,8 @@ export declare abstract class SchemaHelper extends DatabaseHelper {
     castA2oPrimaryKey(): string;
     applyMultiRelationalSort(knex: Knex, dbQuery: Knex.QueryBuilder, table: string, primaryKey: string, orderByString: string, orderByFields: Knex.Raw[]): Knex.QueryBuilder;
     formatUUID(uuid: string): string;
+    /**
+     * @returns Size of the database in bytes
+     */
+    getDatabaseSize(): Promise<number | null>;
 }

package/dist/database/helpers/schema/types.js

@@ -88,4 +88,10 @@ export class SchemaHelper extends DatabaseHelper {
     formatUUID(uuid) {
         return uuid; // no-op by default
     }
+    /**
+     * @returns Size of the database in bytes
+     */
+    async getDatabaseSize() {
+        return null;
+    }
 }

package/dist/middleware/graphql.js

@@ -3,6 +3,7 @@ import { getOperationAST, parse, Source } from 'graphql';
 import { InvalidPayloadError, InvalidQueryError, MethodNotAllowedError } from '@directus/errors';
 import { GraphQLValidationError } from '../services/graphql/errors/validation.js';
 import asyncHandler from '../utils/async-handler.js';
+import { useEnv } from '@directus/env';
 export const parseGraphQL = asyncHandler(async (req, res, next) => {
     if (req.method !== 'GET' && req.method !== 'POST') {
         throw new MethodNotAllowedError({ allowed: ['GET', 'POST'], current: req.method });
@@ -35,7 +36,10 @@ export const parseGraphQL = asyncHandler(async (req, res, next) => {
         throw new InvalidPayloadError({ reason: 'Must provide query string' });
     }
     try {
-        document = parse(new Source(query));
+        const env = useEnv();
+        document = parse(new Source(query), {
+            maxTokens: Number(env['GRAPHQL_QUERY_TOKEN_LIMIT']),
+        });
     }
     catch (err) {
         throw new GraphQLValidationError({

package/dist/services/extensions.js

@@ -52,7 +52,7 @@ export class ExtensionsService {
             const points = version.bundled.length ?? 1;
             const afterInstallCount = currentlyInstalledCount + points;
             if (afterInstallCount >= limit) {
-                throw new LimitExceededError();
+                throw new LimitExceededError({ category: 'Extensions' });
             }
         }
         return { extension, version };
@@ -188,16 +188,19 @@ export class ExtensionsService {
      *    - Entry status change resulted in all children being disabled then the parent bundle is disabled
      *    - Entry status change resulted in at least one child being enabled then the parent bundle is enabled
      */
-    async checkBundleAndSyncStatus(trx, bundleId, extension) {
+    async checkBundleAndSyncStatus(trx, extensionId, extension) {
         if (extension.bundle === null && extension.schema?.type === 'bundle') {
             // If extension is the parent bundle, set it and all nested extensions to enabled
             await trx('directus_extensions')
                 .update({ enabled: extension.meta.enabled })
-                .where({ bundle: bundleId })
-                .orWhere({ id: bundleId });
+                .where({ bundle: extensionId })
+                .orWhere({ id: extensionId });
             return;
         }
-        const parent = await this.readOne(bundleId);
+        const parentId = extension.bundle ?? extension.meta.bundle;
+        if (!parentId)
+            return;
+        const parent = await this.readOne(parentId);
         if (parent.schema?.type !== 'bundle') {
             return;
         }
@@ -207,14 +210,14 @@ export class ExtensionsService {
             });
         }
         const hasEnabledChildren = !!(await trx('directus_extensions')
-            .where({ bundle: bundleId })
+            .where({ bundle: parentId })
             .where({ enabled: true })
             .first());
         if (hasEnabledChildren) {
-            await trx('directus_extensions').update({ enabled: true }).where({ id: bundleId });
+            await trx('directus_extensions').update({ enabled: true }).where({ id: parentId });
         }
         else {
-            await trx('directus_extensions').update({ enabled: false }).where({ id: bundleId });
+            await trx('directus_extensions').update({ enabled: false }).where({ id: parentId });
         }
     }
 }

package/dist/services/graphql/index.js

@@ -47,6 +47,7 @@ import { GraphQLStringOrFloat } from './types/string-or-float.js';
 import { GraphQLVoid } from './types/void.js';
 import { addPathToValidationError } from './utils/add-path-to-validation-error.js';
 import processError from './utils/process-error.js';
+import { sanitizeGraphqlSchema } from './utils/sanitize-gql-schema.js';
 const env = useEnv();
 const validationRules = Array.from(specifiedRules);
 if (env['GRAPHQL_INTROSPECTION'] === false) {
@@ -115,19 +116,20 @@ export class GraphQLService {
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new SchemaComposer();
+        const sanitizedSchema = sanitizeGraphqlSchema(this.schema);
         const schema = {
             read: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['read']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['read']),
             create: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['create']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['create']),
             update: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['update']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['update']),
             delete: this.accountability?.admin === true
-                ? this.schema
-                : reduceSchema(this.schema, this.accountability?.permissions || null, ['delete']),
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['delete']),
         };
         const subscriptionEventType = schemaComposer.createEnumTC({
             name: 'EventEnum',
@@ -2074,10 +2076,10 @@ export class GraphQLService {
                 },
                 resolve: async (_, args) => {
                     const { nanoid } = await import('nanoid');
-                    if (args['length'] && Number(args['length']) > 500) {
-                        throw new InvalidPayloadError({ reason: `"length" can't be more than 500 characters` });
+                    if (args['length'] !== undefined && (args['length'] < 1 || args['length'] > 500)) {
+                        throw new InvalidPayloadError({ reason: `"length" must be between 1 and 500` });
                     }
-                    return nanoid(args['length'] ? Number(args['length']) : 32);
+                    return nanoid(args['length'] ? args['length'] : 32);
                 },
             },
             utils_hash_generate: {
@@ -2162,6 +2164,7 @@ export class GraphQLService {
                 args: {
                     email: new GraphQLNonNull(GraphQLString),
                     password: new GraphQLNonNull(GraphQLString),
+                    verification_url: GraphQLString,
                     first_name: GraphQLString,
                     last_name: GraphQLString,
                 },
@@ -2174,6 +2177,7 @@ export class GraphQLService {
                     await service.registerUser({
                         email: args.email,
                         password: args.password,
+                        verification_url: args.verification_url,
                         first_name: args.first_name,
                         last_name: args.last_name,
                     });

package/dist/services/graphql/utils/sanitize-gql-schema.d.ts

@@ -0,0 +1,8 @@
+import type { SchemaOverview } from '@directus/types';
+/**
+ * Filters out invalid collections to prevent graphql from errorring on schema generation
+ *
+ * @param schema
+ * @returns sanitized schema
+ */
+export declare function sanitizeGraphqlSchema(schema: SchemaOverview): SchemaOverview;

package/dist/services/graphql/utils/sanitize-gql-schema.js

@@ -0,0 +1,80 @@
+import { useLogger } from '../../../logger.js';
+/**
+ * Regex was taken from the spec
+ * https://spec.graphql.org/June2018/#sec-Names
+ */
+const GRAPHQL_NAME_REGEX = /^[_A-Za-z][_0-9A-Za-z]*$/;
+/**
+ * Manually curated list of GraphQL reserved names to cover the most likely naming footguns.
+ * This list is not exhaustive and does not cover generated type names.
+ */
+const GRAPHQL_RESERVED_NAMES = [
+    'Subscription',
+    'Query',
+    'Mutation',
+    'Int',
+    'Float',
+    'String',
+    'Boolean',
+    'DateTime',
+    'ID',
+    'uid',
+    'Point',
+    'PointList',
+    'Polygon',
+    'MultiPolygon',
+    'JSON',
+    'Hash',
+    'Date',
+    'Void',
+];
+/**
+ * Filters out invalid collections to prevent graphql from errorring on schema generation
+ *
+ * @param schema
+ * @returns sanitized schema
+ */
+export function sanitizeGraphqlSchema(schema) {
+    const logger = useLogger();
+    const collections = Object.entries(schema.collections).filter(([collectionName, _data]) => {
+        // double underscore __ is reserved for GraphQL introspection
+        if (collectionName.startsWith('__') || !collectionName.match(GRAPHQL_NAME_REGEX)) {
+            logger.warn(`GraphQL skipping collection "${collectionName}" because it is not a valid name matching /^[_A-Za-z][_0-9A-Za-z]*$/ or starts with __`);
+            return false;
+        }
+        if (GRAPHQL_RESERVED_NAMES.includes(collectionName)) {
+            logger.warn(`GraphQL skipping collection "${collectionName}" because it is a reserved keyword`);
+            return false;
+        }
+        return true;
+    });
+    schema.collections = Object.fromEntries(collections);
+    const collectionExists = (collection) => Boolean(schema.collections[collection]);
+    const skipRelation = (relation) => {
+        const relationName = relation.schema?.constraint_name ?? `${relation.collection}.${relation.field}`;
+        logger.warn(`GraphQL skipping relation "${relationName}" because it links to a non-existent or invalid collection.`);
+        return false;
+    };
+    schema.relations = schema.relations.filter((relation) => {
+        if (relation.collection && !collectionExists(relation.collection)) {
+            return skipRelation(relation);
+        }
+        if (relation.related_collection && !collectionExists(relation.related_collection)) {
+            return skipRelation(relation);
+        }
+        if (relation.meta) {
+            if (relation.meta.many_collection && !collectionExists(relation.meta.many_collection)) {
+                return skipRelation(relation);
+            }
+            if (relation.meta.one_collection && !collectionExists(relation.meta.one_collection)) {
+                return skipRelation(relation);
+            }
+            if (relation.meta.one_allowed_collections &&
+                relation.meta.one_allowed_collections.some((allowed_collection) => !collectionExists(allowed_collection))) {
+                return skipRelation(relation);
+            }
+        }
+        return true;
+    });
+    return schema;
+}

package/dist/services/roles.d.ts

@@ -7,6 +7,7 @@ export declare class RolesService extends ItemsService {
     private checkForOtherAdminUsers;
     private isIpAccessValid;
     private assertValidIpAccess;
+    private getRoleAccessType;
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     updateOne(key: PrimaryKey, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;