@directus/api 25.0.0 → 26.0.0

package/dist/app.js

@@ -94,7 +94,7 @@ export default async function createApp() {
     const app = express();
     app.disable('x-powered-by');
     app.set('trust proxy', env['IP_TRUST_PROXY']);
-    app.set('query parser', (str) => qs.parse(str, { depth: 10 }));
+    app.set('query parser', (str) => qs.parse(str, { depth: Number(env['QUERYSTRING_MAX_PARSE_DEPTH']) }));
     if (env['PRESSURE_LIMITER_ENABLED']) {
         const sampleInterval = Number(env['PRESSURE_LIMITER_SAMPLE_INTERVAL']);
         if (Number.isNaN(sampleInterval) === true || Number.isFinite(sampleInterval) === false) {
@@ -134,7 +134,7 @@ export default async function createApp() {
         },
     }, getConfigFromEnv('CONTENT_SECURITY_POLICY_'))));
     if (env['HSTS_ENABLED']) {
-        app.use(helmet.hsts(getConfigFromEnv('HSTS_', ['HSTS_ENABLED'])));
+        app.use(helmet.hsts(getConfigFromEnv('HSTS_', { omitPrefix: 'HSTS_ENABLED' })));
     }
     await emitter.emitInit('app.before', { app });
     await emitter.emitInit('middlewares.before', { app });
@@ -203,9 +203,9 @@ export default async function createApp() {
     }
     app.get('/server/ping', (_req, res) => res.send('pong'));
     app.use(authenticate);
+    app.use(schema);
     app.use(sanitizeQuery);
     app.use(cache);
-    app.use(schema);
     await emitter.emitInit('middlewares.after', { app });
     await emitter.emitInit('routes.before', { app });
     app.use('/auth', authRouter);

package/dist/auth/drivers/oauth2.d.ts

@@ -2,12 +2,14 @@ import { Router } from 'express';
 import type { Client } from 'openid-client';
 import { UsersService } from '../../services/users.js';
 import type { AuthDriverOptions, User } from '../../types/index.js';
+import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OAuth2AuthDriver extends LocalAuthDriver {
     client: Client;
     redirectUrl: string;
     usersService: UsersService;
     config: Record<string, any>;
+    roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     generateCodeVerifier(): string;
     generateAuthUrl(codeVerifier: string, prompt?: boolean): string;

package/dist/auth/drivers/oauth2.js

@@ -27,6 +27,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
     redirectUrl;
     usersService;
     config;
+    roleMap;
     constructor(options, config) {
         super(options, config);
         const env = useEnv();
@@ -40,13 +41,31 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
         this.redirectUrl = redirectUrl.toString();
         this.usersService = new UsersService({ knex: this.knex, schema: this.schema });
         this.config = additionalConfig;
+        this.roleMap = {};
+        const roleMapping = this.config['roleMapping'];
+        if (roleMapping) {
+            this.roleMap = roleMapping;
+        }
+        // role mapping will fail on login if AUTH_<provider>_ROLE_MAPPING is an array instead of an object.
+        // This happens if the 'json:' prefix is missing from the variable declaration. To save the user from exhaustive debugging, we'll try to fail early here.
+        if (roleMapping instanceof Array) {
+            logger.error("[OAuth2] Expected a JSON-Object as role mapping, got an Array instead. Make sure you declare the variable with 'json:' prefix.");
+            throw new InvalidProviderError();
+        }
         const issuer = new Issuer({
             authorization_endpoint: authorizeUrl,
             token_endpoint: accessUrl,
             userinfo_endpoint: profileUrl,
             issuer: additionalConfig['provider'],
         });
-        const clientOptionsOverrides = getConfigFromEnv(`AUTH_${config['provider'].toUpperCase()}_CLIENT_`, [`AUTH_${config['provider'].toUpperCase()}_CLIENT_ID`, `AUTH_${config['provider'].toUpperCase()}_CLIENT_SECRET`], 'underscore');
+        // extract client overrides/options excluding CLIENT_ID and CLIENT_SECRET as they are passed directly
+        const clientOptionsOverrides = getConfigFromEnv(`AUTH_${config['provider'].toUpperCase()}_CLIENT_`, {
+            omitKey: [
+                `AUTH_${config['provider'].toUpperCase()}_CLIENT_ID`,
+                `AUTH_${config['provider'].toUpperCase()}_CLIENT_SECRET`,
+            ],
+            type: 'underscore',
+        });
         this.client = new issuer.Client({
             client_id: clientId,
             client_secret: clientSecret,
@@ -105,6 +124,21 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
         catch (e) {
             throw handleError(e);
         }
+        let role = this.config['defaultRoleId'];
+        const groupClaimName = this.config['groupClaimName'] ?? 'groups';
+        const groups = userInfo[groupClaimName];
+        if (Array.isArray(groups)) {
+            for (const key in this.roleMap) {
+                if (groups.includes(key)) {
+                    // Overwrite default role if user is member of a group specified in roleMap
+                    role = this.roleMap[key];
+                    break;
+                }
+            }
+        }
+        else {
+            logger.debug(`[OAuth2] Configured group claim with name "${groupClaimName}" does not exist or is empty.`);
+        }
         // Flatten response to support dot indexes
         userInfo = flatten(userInfo);
         const { provider, emailKey, identifierKey, allowPublicRegistration, syncUserInfo } = this.config;
@@ -121,7 +155,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
             last_name: userInfo[this.config['lastNameKey']],
             email: email,
             external_identifier: identifier,
-            role: this.config['defaultRoleId'],
+            role: role,
             auth_data: tokenSet.refresh_token && JSON.stringify({ refreshToken: tokenSet.refresh_token }),
         };
         const userId = await this.fetchUserId(identifier);
@@ -131,6 +165,10 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
             let emitPayload = {
                 auth_data: userPayload.auth_data,
             };
+            // Make sure a user's role gets updated if their oauth group or role mapping changes
+            if (this.config['roleMapping']) {
+                emitPayload['role'] = role;
+            }
             if (syncUserInfo) {
                 emitPayload = {
                     ...emitPayload,

package/dist/auth/drivers/openid.js

@@ -38,7 +38,14 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             throw new InvalidProviderConfigError({ provider: additionalConfig['provider'] });
         }
         const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', additionalConfig['provider'], 'callback');
-        const clientOptionsOverrides = getConfigFromEnv(`AUTH_${config['provider'].toUpperCase()}_CLIENT_`, [`AUTH_${config['provider'].toUpperCase()}_CLIENT_ID`, `AUTH_${config['provider'].toUpperCase()}_CLIENT_SECRET`], 'underscore');
+        // extract client overrides/options excluding CLIENT_ID and CLIENT_SECRET as they are passed directly
+        const clientOptionsOverrides = getConfigFromEnv(`AUTH_${config['provider'].toUpperCase()}_CLIENT_`, {
+            omitKey: [
+                `AUTH_${config['provider'].toUpperCase()}_CLIENT_ID`,
+                `AUTH_${config['provider'].toUpperCase()}_CLIENT_SECRET`,
+            ],
+            type: 'underscore',
+        });
         this.redirectUrl = redirectUrl.toString();
         this.usersService = new UsersService({ knex: this.knex, schema: this.schema });
         this.config = additionalConfig;

package/dist/controllers/access.js

@@ -87,7 +87,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -132,7 +132,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/comments.js

@@ -85,7 +85,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -130,7 +130,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/dashboards.js

@@ -79,7 +79,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -124,7 +124,7 @@ router.delete('/', asyncHandler(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/files.js

@@ -220,7 +220,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -265,7 +265,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/flows.js

@@ -101,7 +101,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -146,7 +146,7 @@ router.delete('/', asyncHandler(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/folders.js

@@ -88,7 +88,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -133,7 +133,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/items.js

@@ -111,7 +111,7 @@ router.patch('/:collection', collectionExists, validateBatch('update'), asyncHan
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -163,7 +163,7 @@ router.delete('/:collection', collectionExists, validateBatch('delete'), asyncHa
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/notifications.js

@@ -88,7 +88,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -133,7 +133,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/operations.js

@@ -79,7 +79,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -124,7 +124,7 @@ router.delete('/', asyncHandler(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/panels.js

@@ -79,7 +79,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -124,7 +124,7 @@ router.delete('/', asyncHandler(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/permissions.js

@@ -105,7 +105,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -150,7 +150,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/policies.js

@@ -108,7 +108,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -153,7 +153,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/presets.js

@@ -88,7 +88,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -133,7 +133,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/roles.js

@@ -100,7 +100,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -145,7 +145,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/shares.js

@@ -168,7 +168,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -213,7 +213,7 @@ router.delete('/', asyncHandler(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/translations.js

@@ -88,7 +88,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -133,7 +133,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/users.js

@@ -138,7 +138,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -183,7 +183,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/utils.js

@@ -36,8 +36,13 @@ router.post('/hash/verify', asyncHandler(async (req, res) => {
     if (!req.body?.hash) {
         throw new InvalidPayloadError({ reason: `"hash" is required` });
     }
-    const result = await argon2.verify(req.body.hash, req.body.string);
-    return res.json({ data: result });
+    try {
+        const result = await argon2.verify(req.body.hash, req.body.string);
+        return res.json({ data: result });
+    }
+    catch {
+        throw new InvalidPayloadError({ reason: `Invalid "hash" or "string"` });
+    }
 }));
 const SortSchema = Joi.object({
     item: Joi.alternatives(Joi.string(), Joi.number()).required(),
@@ -104,7 +109,7 @@ router.post('/export/:collection', collectionExists, asyncHandler(async (req, _r
         accountability: req.accountability,
         schema: req.schema,
     });
-    const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability ?? null);
+    const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability ?? null);
     // We're not awaiting this, as it's supposed to run async in the background
     service.exportToFile(req.params['collection'], sanitizedQuery, req.body.format, {
         file: req.body.file,

package/dist/controllers/versions.js

@@ -89,7 +89,7 @@ router.patch('/', validateBatch('update'), asyncHandler(async (req, res, next) =
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
@@ -134,7 +134,7 @@ router.delete('/', validateBatch('delete'), asyncHandler(async (req, _res, next)
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/controllers/webhooks.js

@@ -58,7 +58,7 @@ router.delete('/', asyncHandler(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        const sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         await service.deleteByQuery(sanitizedQuery);
     }
     return next();

package/dist/database/helpers/capabilities/dialects/default.d.ts

@@ -0,0 +1,3 @@
+import { CapabilitiesHelper } from '../types.js';
+export declare class CapabilitiesHelperDefault extends CapabilitiesHelper {
+}

package/dist/database/helpers/capabilities/dialects/default.js

@@ -0,0 +1,3 @@
+import { CapabilitiesHelper } from '../types.js';
+export class CapabilitiesHelperDefault extends CapabilitiesHelper {
+}

package/dist/database/helpers/capabilities/dialects/mysql.d.ts

@@ -0,0 +1,4 @@
+import { CapabilitiesHelper } from '../types.js';
+export declare class CapabilitiesHelperMySQL extends CapabilitiesHelper {
+    supportsColumnPositionInGroupBy(): boolean;
+}

package/dist/database/helpers/capabilities/dialects/mysql.js

@@ -0,0 +1,9 @@
+import { CapabilitiesHelper } from '../types.js';
+export class CapabilitiesHelperMySQL extends CapabilitiesHelper {
+    supportsColumnPositionInGroupBy() {
+        // Supported in MySQL https://dev.mysql.com/doc/refman/8.4/en/select.html#id756773
+        // > Columns selected for output can be referred to in ORDER BY and GROUP BY clauses using column names,
+        //   column aliases, or column positions. Column positions are integers and begin with 1:
+        return true;
+    }
+}

package/dist/database/helpers/capabilities/dialects/postgres.d.ts

@@ -0,0 +1,5 @@
+import { CapabilitiesHelper } from '../types.js';
+export declare class CapabilitiesHelperPostgres extends CapabilitiesHelper {
+    supportsColumnPositionInGroupBy(): boolean;
+    supportsDeduplicationOfParameters(): boolean;
+}

package/dist/database/helpers/capabilities/dialects/postgres.js

@@ -0,0 +1,14 @@
+import { CapabilitiesHelper } from '../types.js';
+export class CapabilitiesHelperPostgres extends CapabilitiesHelper {
+    supportsColumnPositionInGroupBy() {
+        // Supported in Postgres https://www.postgresql.org/docs/8.3/sql-select.html#SQL-GROUPBY
+        // Supported in CockroachDB (tested manually)
+        return true;
+    }
+    supportsDeduplicationOfParameters() {
+        // Postgres infers the type from the context in which the parameter is first referenced.
+        // This causes issues when the same parameter is used in different contexts with different types.
+        // See https://www.postgresql.org/docs/current/sql-prepare.html
+        return false;
+    }
+}

package/dist/database/helpers/capabilities/index.d.ts

@@ -0,0 +1,7 @@
+export { CapabilitiesHelperPostgres as postgres } from './dialects/postgres.js';
+export { CapabilitiesHelperPostgres as redshift } from './dialects/postgres.js';
+export { CapabilitiesHelperPostgres as cockroachdb } from './dialects/postgres.js';
+export { CapabilitiesHelperDefault as oracle } from './dialects/default.js';
+export { CapabilitiesHelperMySQL as mysql } from './dialects/mysql.js';
+export { CapabilitiesHelperDefault as mssql } from './dialects/default.js';
+export { CapabilitiesHelperDefault as sqlite } from './dialects/default.js';

package/dist/database/helpers/capabilities/index.js

@@ -0,0 +1,7 @@
+export { CapabilitiesHelperPostgres as postgres } from './dialects/postgres.js';
+export { CapabilitiesHelperPostgres as redshift } from './dialects/postgres.js';
+export { CapabilitiesHelperPostgres as cockroachdb } from './dialects/postgres.js';
+export { CapabilitiesHelperDefault as oracle } from './dialects/default.js';
+export { CapabilitiesHelperMySQL as mysql } from './dialects/mysql.js';
+export { CapabilitiesHelperDefault as mssql } from './dialects/default.js';
+export { CapabilitiesHelperDefault as sqlite } from './dialects/default.js';

package/dist/database/helpers/capabilities/types.d.ts

@@ -0,0 +1,11 @@
+import { DatabaseHelper } from '../types.js';
+export declare class CapabilitiesHelper extends DatabaseHelper {
+    supportsColumnPositionInGroupBy(): boolean;
+    /**
+     * Indicates if the values within the list of parameters can be safely deduplicated.
+     * This is useful for databases that do not automatically cast the value for cases when a parameter is referenced multiple times in the query,
+     * but the targeting type is different. For example when referencing a parameter which a UUID, postgres cannot use the same parameter reference
+     * to compare it against column of type UUID and at the same time against a column of type a string.
+     */
+    supportsDeduplicationOfParameters(): boolean;
+}

package/dist/database/helpers/capabilities/types.js

@@ -0,0 +1,15 @@
+import { DatabaseHelper } from '../types.js';
+export class CapabilitiesHelper extends DatabaseHelper {
+    supportsColumnPositionInGroupBy() {
+        return false;
+    }
+    /**
+     * Indicates if the values within the list of parameters can be safely deduplicated.
+     * This is useful for databases that do not automatically cast the value for cases when a parameter is referenced multiple times in the query,
+     * but the targeting type is different. For example when referencing a parameter which a UUID, postgres cannot use the same parameter reference
+     * to compare it against column of type UUID and at the same time against a column of type a string.
+     */
+    supportsDeduplicationOfParameters() {
+        return true;
+    }
+}

package/dist/database/helpers/index.d.ts

@@ -1,5 +1,6 @@
 import type { SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
+import * as capabilitiesHelpers from './capabilities/index.js';
 import * as dateHelpers from './date/index.js';
 import * as fnHelpers from './fn/index.js';
 import * as geometryHelpers from './geometry/index.js';
@@ -12,6 +13,7 @@ export declare function getHelpers(database: Knex): {
     schema: schemaHelpers.cockroachdb | schemaHelpers.mssql | schemaHelpers.mysql | schemaHelpers.postgres | schemaHelpers.sqlite | schemaHelpers.oracle | schemaHelpers.redshift;
     sequence: sequenceHelpers.mysql | sequenceHelpers.postgres;
     number: numberHelpers.cockroachdb | numberHelpers.mssql | numberHelpers.postgres | numberHelpers.sqlite | numberHelpers.oracle;
+    capabilities: capabilitiesHelpers.postgres | capabilitiesHelpers.oracle | capabilitiesHelpers.mysql;
 };
 export declare function getFunctions(database: Knex, schema: SchemaOverview): fnHelpers.postgres | fnHelpers.mssql | fnHelpers.mysql | fnHelpers.sqlite | fnHelpers.oracle;
 export type Helpers = ReturnType<typeof getHelpers>;