@directus/api 30.0.0 → 31.0.0

package/dist/app.js

@@ -1,6 +1,7 @@
 import { useEnv } from '@directus/env';
 import { InvalidPayloadError, ServiceUnavailableError } from '@directus/errors';
 import { handlePressure } from '@directus/pressure';
+import { toBoolean } from '@directus/utils';
 import cookieParser from 'cookie-parser';
 import express from 'express';
 import { merge } from 'lodash-es';
@@ -23,6 +24,7 @@ import flowsRouter from './controllers/flows.js';
 import foldersRouter from './controllers/folders.js';
 import graphqlRouter from './controllers/graphql.js';
 import itemsRouter from './controllers/items.js';
+import mcpRouter from './controllers/mcp.js';
 import metricsRouter from './controllers/metrics.js';
 import notFoundHandler from './controllers/not-found.js';
 import notificationsRouter from './controllers/notifications.js';
@@ -225,6 +227,9 @@ export default async function createApp() {
     app.use('/flows', flowsRouter);
     app.use('/folders', foldersRouter);
     app.use('/items', itemsRouter);
+    if (toBoolean(env['MCP_ENABLED']) === true) {
+        app.use('/mcp', mcpRouter);
+    }
     if (env['METRICS_ENABLED'] === true) {
         app.use('/metrics', metricsRouter);
     }

package/dist/auth/drivers/oauth2.js

@@ -273,10 +273,11 @@ export function createOAuth2AuthRouter(providerName) {
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
         const redirect = req.query['redirect'];
+        const otp = req.query['otp'];
         if (isLoginRedirectAllowed(redirect, providerName) === false) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt }, getSecret(), {
+        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -299,7 +300,8 @@ export function createOAuth2AuthRouter(providerName) {
             logger.warn(e, `[OAuth2] Couldn't verify OAuth2 cookie`);
             throw new InvalidCredentialsError();
         }
-        const { verifier, redirect, prompt } = tokenData;
+        const { verifier, prompt, otp } = tokenData;
+        let { redirect } = tokenData;
         const accountability = createDefaultAccountability({
             ip: getIPFromReq(req),
         });
@@ -321,7 +323,7 @@ export function createOAuth2AuthRouter(providerName) {
                 code: req.query['code'],
                 codeVerifier: verifier,
                 state: req.query['state'],
-            }, { session: authMode === 'session' });
+            }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {
             // Prompt user for a new refresh_token if invalidated
@@ -342,6 +344,18 @@ export function createOAuth2AuthRouter(providerName) {
             throw error;
         }
         const { accessToken, refreshToken, expires } = authResponse;
+        try {
+            const claims = verifyJWT(accessToken, getSecret());
+            if (claims?.enforce_tfa === true) {
+                const url = new Url(env['PUBLIC_URL']).addPath('admin', 'tfa-setup');
+                if (redirect)
+                    url.setQuery('redirect', redirect);
+                redirect = url.toString();
+            }
+        }
+        catch (e) {
+            logger.warn(e, `[OAuth2] Unexpected error during OAuth2 login`);
+        }
         if (redirect) {
             if (authMode === 'session') {
                 res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);

package/dist/auth/drivers/openid.js

@@ -325,10 +325,11 @@ export function createOpenIDAuthRouter(providerName) {
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
         const redirect = req.query['redirect'];
+        const otp = req.query['otp'];
         if (isLoginRedirectAllowed(redirect, providerName) === false) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt }, getSecret(), {
+        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
             expiresIn: (env[`AUTH_${providerName.toUpperCase()}_LOGIN_TIMEOUT`] ?? '5m'),
             issuer: 'directus',
         });
@@ -361,7 +362,8 @@ export function createOpenIDAuthRouter(providerName) {
             const url = new Url(env['PUBLIC_URL']).addPath('admin', 'login');
             return res.redirect(`${url.toString()}?reason=${ErrorCode.InvalidCredentials}`);
         }
-        const { verifier, redirect, prompt } = tokenData;
+        const { verifier, prompt, otp } = tokenData;
+        let { redirect } = tokenData;
         const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
@@ -382,7 +384,7 @@ export function createOpenIDAuthRouter(providerName) {
                 codeVerifier: verifier,
                 state: req.query['state'],
                 iss: req.query['iss'],
-            }, { session: authMode === 'session' });
+            }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {
             // Prompt user for a new refresh_token if invalidated
@@ -404,6 +406,18 @@ export function createOpenIDAuthRouter(providerName) {
             throw error;
         }
         const { accessToken, refreshToken, expires } = authResponse;
+        try {
+            const claims = verifyJWT(accessToken, getSecret());
+            if (claims?.enforce_tfa === true) {
+                const url = new Url(env['PUBLIC_URL']).addPath('admin', 'tfa-setup');
+                if (redirect)
+                    url.setQuery('redirect', redirect);
+                redirect = url.toString();
+            }
+        }
+        catch (e) {
+            logger.warn(e, `[OpenID] Unexpected error during OpenID login`);
+        }
         if (redirect) {
             if (authMode === 'session') {
                 res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);

package/dist/controllers/mcp.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/dist/controllers/mcp.js

@@ -0,0 +1,33 @@
+import { ForbiddenError } from '@directus/errors';
+import { Router } from 'express';
+import { DirectusMCP } from '../mcp/index.js';
+import { SettingsService } from '../services/settings.js';
+import asyncHandler from '../utils/async-handler.js';
+const router = Router();
+const mcpHandler = asyncHandler(async (req, res) => {
+    const settings = new SettingsService({
+        schema: req.schema,
+    });
+    const { mcp_enabled, mcp_allow_deletes, mcp_prompts_collection, mcp_system_prompt, mcp_system_prompt_enabled } = await settings.readSingleton({
+        fields: [
+            'mcp_enabled',
+            'mcp_allow_deletes',
+            'mcp_prompts_collection',
+            'mcp_system_prompt',
+            'mcp_system_prompt_enabled',
+        ],
+    });
+    if (!mcp_enabled) {
+        throw new ForbiddenError({ reason: 'MCP must be enabled' });
+    }
+    const mcp = new DirectusMCP({
+        promptsCollection: mcp_prompts_collection,
+        allowDeletes: mcp_allow_deletes,
+        systemPromptEnabled: mcp_system_prompt_enabled,
+        systemPrompt: mcp_system_prompt,
+    });
+    mcp.handleRequest(req, res);
+});
+router.get('/', mcpHandler);
+router.post('/', mcpHandler);
+export default router;

package/dist/controllers/users.js

@@ -11,6 +11,8 @@ import { TFAService } from '../services/tfa.js';
 import { UsersService } from '../services/users.js';
 import asyncHandler from '../utils/async-handler.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
+import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
+import { getDatabase } from '../database/index.js';
 const router = express.Router();
 router.use(useCollection('directus_users'));
 router.post('/', asyncHandler(async (req, res, next) => {
@@ -231,19 +233,27 @@ router.post('/me/tfa/generate/', asyncHandler(async (req, res, next) => {
     if (!req.accountability?.user) {
         throw new InvalidCredentialsError();
     }
-    if (!req.body.password) {
+    const currentUser = await getDatabase()
+        .select('provider')
+        .from('directus_users')
+        .where({ id: req.accountability.user })
+        .first();
+    const requiresPassword = currentUser?.['provider'] === DEFAULT_AUTH_PROVIDER;
+    if (requiresPassword && !req.body.password) {
         throw new InvalidPayloadError({ reason: `"password" is required` });
     }
     const service = new TFAService({
         accountability: req.accountability,
         schema: req.schema,
     });
-    const authService = new AuthenticationService({
-        accountability: req.accountability,
-        schema: req.schema,
-    });
-    await authService.verifyPassword(req.accountability.user, req.body.password);
-    const { url, secret } = await service.generateTFA(req.accountability.user);
+    if (requiresPassword) {
+        const authService = new AuthenticationService({
+            accountability: req.accountability,
+            schema: req.schema,
+        });
+        await authService.verifyPassword(req.accountability.user, req.body.password);
+    }
+    const { url, secret } = await service.generateTFA(req.accountability.user, requiresPassword);
     res.locals['payload'] = { data: { secret, otpauth_url: url } };
     return next();
 }), respond);

package/dist/controllers/versions.js

@@ -154,9 +154,10 @@ router.get('/:pk/compare', asyncHandler(async (req, res, next) => {
     });
     const version = await service.readOne(req.params['pk']);
     const { outdated, mainHash } = await service.verifyHash(version['collection'], version['item'], version['hash']);
-    const current = assign({}, version['delta']);
+    const delta = version.delta ?? {};
+    delta[req.schema.collections[version.collection].primary] = version.item;
     const main = await service.getMainItem(version['collection'], version['item']);
-    res.locals['payload'] = { data: { outdated, mainHash, current, main } };
+    res.locals['payload'] = { data: { outdated, mainHash, current: delta, main } };
     return next();
 }), respond);
 router.post('/:pk/save', asyncHandler(async (req, res, next) => {

package/dist/database/errors/dialects/mssql.d.ts

@@ -1,3 +1,3 @@
-import type { MSSQLError } from './types.js';
 import type { Item } from '@directus/types';
+import type { MSSQLError } from './types.js';
 export declare function extractError(error: MSSQLError, data: Partial<Item>): Promise<MSSQLError | Error>;

package/dist/database/errors/dialects/mssql.js

@@ -5,14 +5,15 @@ var MSSQLErrorCodes;
     MSSQLErrorCodes[MSSQLErrorCodes["FOREIGN_KEY_VIOLATION"] = 547] = "FOREIGN_KEY_VIOLATION";
     MSSQLErrorCodes[MSSQLErrorCodes["NOT_NULL_VIOLATION"] = 515] = "NOT_NULL_VIOLATION";
     MSSQLErrorCodes[MSSQLErrorCodes["NUMERIC_VALUE_OUT_OF_RANGE"] = 220] = "NUMERIC_VALUE_OUT_OF_RANGE";
-    MSSQLErrorCodes[MSSQLErrorCodes["UNIQUE_VIOLATION"] = 2601] = "UNIQUE_VIOLATION";
+    MSSQLErrorCodes[MSSQLErrorCodes["UNIQUE_VIOLATION_INDEX"] = 2601] = "UNIQUE_VIOLATION_INDEX";
+    MSSQLErrorCodes[MSSQLErrorCodes["UNIQUE_VIOLATION_CONSTRAINT"] = 2627] = "UNIQUE_VIOLATION_CONSTRAINT";
     MSSQLErrorCodes[MSSQLErrorCodes["VALUE_LIMIT_VIOLATION"] = 2628] = "VALUE_LIMIT_VIOLATION";
 })(MSSQLErrorCodes || (MSSQLErrorCodes = {}));
 export async function extractError(error, data) {
     switch (error.number) {
-        case MSSQLErrorCodes.UNIQUE_VIOLATION:
-        case 2627:
-            return await uniqueViolation();
+        case MSSQLErrorCodes.UNIQUE_VIOLATION_CONSTRAINT:
+        case MSSQLErrorCodes.UNIQUE_VIOLATION_INDEX:
+            return await uniqueViolation(error);
         case MSSQLErrorCodes.NUMERIC_VALUE_OUT_OF_RANGE:
             return numericValueOutOfRange();
         case MSSQLErrorCodes.VALUE_LIMIT_VIOLATION:
@@ -23,14 +24,20 @@ export async function extractError(error, data) {
             return foreignKeyViolation();
     }
     return error;
-    async function uniqueViolation() {
+    async function uniqueViolation(error) {
         /**
          * NOTE:
-         * SQL Server doesn't return the name of the offending column when a unique constraint is thrown:
+         * SQL Server doesn't return the name of the offending column when a unique error is thrown:
          *
+         * Constraint:
          * insert into [articles] ([unique]) values (@p0)
-         * - Violation of UNIQUE KEY constraint 'UQ__articles__5A062640242004EB'.
-         * Cannot insert duplicate key in object 'dbo.articles'. The duplicate key value is (rijk).
+         * - Violation of UNIQUE KEY constraint 'unique_contraint_name'. Cannot insert duplicate key in object 'dbo.article'.
+         * The duplicate key value is (rijk).
+         *
+         * Index:
+         * insert into [articles] ([unique]) values (@p0)
+         * - Cannot insert duplicate key row in object 'dbo.articles' with unique index 'unique_index_name'.
+         * The duplicate key value is (rijk).
          *
          * While it's not ideal, the best next thing we can do is extract the column name from
          * information_schema when this happens
@@ -41,8 +48,9 @@ export async function extractError(error, data) {
         const parenMatches = error.message.match(betweenParens);
         if (!quoteMatches || !parenMatches)
             return error;
-        const keyName = quoteMatches[1].slice(1, -1);
-        let collection = quoteMatches[0].slice(1, -1);
+        const [keyNameMatchIndex, collectionNameMatchIndex] = error.number === MSSQLErrorCodes.UNIQUE_VIOLATION_INDEX ? [1, 0] : [0, 1];
+        const keyName = quoteMatches[keyNameMatchIndex].slice(1, -1);
+        let collection = quoteMatches[collectionNameMatchIndex].slice(1, -1);
         let field = null;
         if (keyName) {
             const database = getDatabase();

package/dist/database/migrations/20250813A-add-mcp.d.ts

@@ -0,0 +1,3 @@
+import type { Knex } from 'knex';
+export declare function up(knex: Knex): Promise<void>;
+export declare function down(knex: Knex): Promise<void>;

package/dist/database/migrations/20250813A-add-mcp.js

@@ -0,0 +1,18 @@
+export async function up(knex) {
+    await knex.schema.alterTable('directus_settings', (table) => {
+        table.boolean('mcp_enabled').defaultTo(false).notNullable();
+        table.boolean('mcp_allow_deletes').defaultTo(false).notNullable();
+        table.string('mcp_prompts_collection').defaultTo(null).nullable();
+        table.boolean('mcp_system_prompt_enabled').defaultTo(true).notNullable();
+        table.text('mcp_system_prompt').defaultTo(null).nullable();
+    });
+}
+export async function down(knex) {
+    await knex.schema.alterTable('directus_settings', (table) => {
+        table.dropColumn('mcp_enabled');
+        table.dropColumn('mcp_allow_deletes');
+        table.dropColumn('mcp_prompts_collection');
+        table.dropColumn('mcp_system_prompt_enabled');
+        table.dropColumn('mcp_system_prompt');
+    });
+}

package/dist/database/run-ast/README.md

@@ -0,0 +1,46 @@
+# Internal RunAst Documentation
+
+As the `runAst()` function is a crucial and complex part of Directus, this document intends to get you started by
+providing a high level overview.
+
+## AST
+
+When a request is made through REST, GQL or WebSockets, we internally turn this request into an AST before this AST
+get's translated into one or more SQL requests which are then send to the database.
+
+On the root level of an AST is the root node which then references a list of child nodes. Each child node can be either
+a primitive field (FieldNode), a relational field (M2ONode, O2MNode, A2MNode) or a function field (FunctionFieldNode).
+Relational fields can also have additional children and nested queries.
+
+### FieldNode
+
+Describes a primitive field and is also a leaf node of the AST.
+
+### Relational Fields
+
+The M2ONode, O2MNode and A2MNode all will recursively call the `runAst()` function and the resulting data will then be
+injected into the data of the level above.
+
+### FunctionFieldNode
+
+The only case where a function field node get's inserted into the ast, is for the count(o2m_relation) case, all other
+functions are kept as FieldNode's with the name containing the function.
+
+## RunAst()
+
+The `runAst()` does translates the AST into an executable SQL request, requests the appropiate data from the database
+and then returns a single or a list of items as the result.
+
+### GetDBQuery()
+
+The RootNode and relational fields have each their own query parameters. These parameters need to be applied to the SQL
+query. This is done by the `getDBQuery()` function which internally uses `applyQuery()`.
+
+<!-- TODO: Describe in larger detail what the GetDBQuery exactly does, i.e. why and when does it need an inner query, why does it sometimes call applyQuery() multiple times in different places -->
+
+#### ApplyQuery()
+
+`applyQuery()` takes the query and modifies the SQL request so that filters, sorts and all the other variants of query
+parameters are applied.A special behaviour is filtering, sorting or other parameters on nested fields. To make this
+possible, the `addJoin()` joins the required tables and then registers itself into the aliasMap so that the next time
+the same collection should be joined, instead it will just reuse the already existing join.

package/dist/mcp/define.d.ts

@@ -0,0 +1,2 @@
+import type { ToolConfig } from './types.js';
+export declare function defineTool<Args>(tool: ToolConfig<Args>): ToolConfig<Args>;

package/dist/mcp/define.js

@@ -0,0 +1,3 @@
+export function defineTool(tool) {
+    return tool;
+}

package/dist/mcp/index.d.ts

@@ -0,0 +1 @@
+export * from './server.js';

package/dist/mcp/index.js

@@ -0,0 +1 @@
+export * from './server.js';