@directus/api 32.2.0 → 33.1.0

package/dist/auth/drivers/saml.js

@@ -13,7 +13,7 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
+import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
 // Register the samlify schema validator
 samlify.setSchemaValidator(validator);
@@ -95,7 +95,7 @@ export function createSAMLAuthRouter(providerName) {
         const parsedUrl = new URL(url);
         if (req.query['redirect']) {
             const redirect = req.query['redirect'];
-            if (isLoginRedirectAllowed(redirect, providerName) === false) {
+            if (!isLoginRedirectAllowed(providerName, redirect)) {
                 throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
             }
             parsedUrl.searchParams.append('RelayState', redirect);
@@ -117,7 +117,7 @@ export function createSAMLAuthRouter(providerName) {
         const logger = useLogger();
         const relayState = req.body?.RelayState;
         const authMode = (env[`AUTH_${providerName.toUpperCase()}_MODE`] ?? 'session');
-        if (relayState && isLoginRedirectAllowed(relayState, providerName) === false) {
+        if (relayState && isLoginRedirectAllowed(providerName, relayState) === false) {
             throw new InvalidPayloadError({ reason: `URL "${relayState}" can't be used to redirect after login` });
         }
         try {

package/dist/auth/utils/generate-callback-url.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Dynamically generate the callback URL for OAuth2/OpenID SSO providers
+ *
+ * Uses AUTH_ALLOWED_PUBLIC_URLS to find an alternate PUBLIC_URL based on the origins protocol and host.
+ * Defaults to the PUBLIC_URL if no match is found.
+ *
+ * @param providerName SSO provider name
+ * @param requestOrigin Origin of the request (protocol + host)
+ * @returns Callback URL
+ */
+export declare function generateCallbackUrl(providerName: string, requestOrigin: string): string;

package/dist/auth/utils/generate-callback-url.js

@@ -0,0 +1,40 @@
+import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
+import { Url } from '../../utils/url.js';
+/**
+ * Find a matching public URL based on the request origins protocol and host
+ *
+ * @param requestOrigin - The origin of the request
+ * @param allowedPublicUrls - The allowed public URLs from AUTH_ALLOWED_PUBLIC_URLS
+ * @returns The matching public URL
+ */
+function findMatchingPublicUrl(requestOrigin, allowedPublicUrls) {
+    for (const allowedUrl of allowedPublicUrls) {
+        if (!URL.canParse(allowedUrl))
+            continue;
+        const { protocol, host } = new URL(allowedUrl);
+        const allowedUrlOrigin = `${protocol}//${host}`;
+        if (requestOrigin === allowedUrlOrigin) {
+            return allowedUrl;
+        }
+    }
+    return null;
+}
+/**
+ * Dynamically generate the callback URL for OAuth2/OpenID SSO providers
+ *
+ * Uses AUTH_ALLOWED_PUBLIC_URLS to find an alternate PUBLIC_URL based on the origins protocol and host.
+ * Defaults to the PUBLIC_URL if no match is found.
+ *
+ * @param providerName SSO provider name
+ * @param requestOrigin Origin of the request (protocol + host)
+ * @returns Callback URL
+ */
+export function generateCallbackUrl(providerName, requestOrigin) {
+    const env = useEnv();
+    const publicUrl = env['PUBLIC_URL'];
+    const allowedPublicUrls = env['AUTH_ALLOWED_PUBLIC_URLS'] ? toArray(env['AUTH_ALLOWED_PUBLIC_URLS']) : [];
+    const matchedUrl = findMatchingPublicUrl(requestOrigin, allowedPublicUrls);
+    // Use matched public URL or fallback to PUBLIC_URL for backward compatibility
+    return new Url(matchedUrl || publicUrl).addPath('auth', 'login', providerName, 'callback').toString();
+}

package/dist/auth/utils/is-login-redirect-allowed.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Checks if the defined redirect after successful SSO login is in the allow list
+ * @param provider SSO provider name
+ * @param redirect URL to redirect to after login
+ * @returns True if the redirect is allowed, false otherwise
+ */
+export declare function isLoginRedirectAllowed(provider: string, redirect: unknown): boolean;

package/dist/{utils → auth/utils}/is-login-redirect-allowed.js

@@ -1,26 +1,28 @@
 import { useEnv } from '@directus/env';
 import { toArray } from '@directus/utils';
-import { useLogger } from '../logger/index.js';
-import isUrlAllowed from './is-url-allowed.js';
+import { useLogger } from '../../logger/index.js';
+import isUrlAllowed from '../../utils/is-url-allowed.js';
 /**
  * Checks if the defined redirect after successful SSO login is in the allow list
+ * @param provider SSO provider name
+ * @param redirect URL to redirect to after login
+ * @returns True if the redirect is allowed, false otherwise
  */
-export function isLoginRedirectAllowed(redirect, provider) {
+export function isLoginRedirectAllowed(provider, redirect) {
     if (!redirect)
         return true; // empty redirect
     if (typeof redirect !== 'string')
         return false; // invalid type
     const env = useEnv();
     const publicUrl = env['PUBLIC_URL'];
-    if (URL.canParse(redirect) === false) {
-        if (redirect.startsWith('//') === false) {
+    if (!URL.canParse(redirect)) {
+        if (!redirect.startsWith('//')) {
             // should be a relative path like `/admin/test`
             return true;
         }
         // domain without protocol `//example.com/test`
         return false;
     }
-    const { protocol: redirectProtocol, hostname: redirectDomain } = new URL(redirect);
     const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
     if (envKey in env) {
         if (isUrlAllowed(redirect, [...toArray(env[envKey]), publicUrl]))
@@ -30,7 +32,8 @@ export function isLoginRedirectAllowed(redirect, provider) {
         useLogger().error('Invalid PUBLIC_URL for login redirect');
         return false;
     }
-    // allow redirects to the defined PUBLIC_URL
-    const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);
-    return `${redirectProtocol}//${redirectDomain}` === `${publicProtocol}//${publicDomain}`;
+    const { protocol: redirectProtocol, host: redirectHost } = new URL(redirect);
+    const { protocol: publicProtocol, host: publicHost } = new URL(publicUrl);
+    // allow redirects to the defined PUBLIC_URL (protocol + host including port)
+    return `${redirectProtocol}//${redirectHost}` === `${publicProtocol}//${publicHost}`;
 }

package/dist/cache.d.ts

@@ -3,6 +3,7 @@ import Keyv from 'keyv';
 export declare function getCache(): {
     cache: Keyv | null;
     systemCache: Keyv;
+    deploymentCache: Keyv;
     localSchemaCache: Keyv;
     lockCache: Keyv;
 };
@@ -17,3 +18,14 @@ export declare function setMemorySchemaCache(schema: SchemaOverview): void;
 export declare function getMemorySchemaCache(): Readonly<SchemaOverview> | undefined;
 export declare function setCacheValue(cache: Keyv, key: string, value: Record<string, any> | Record<string, any>[], ttl?: number): Promise<void>;
 export declare function getCacheValue(cache: Keyv, key: string): Promise<any>;
+/**
+ * Store a value in cache with its expiration timestamp for TTL tracking
+ */
+export declare function setCacheValueWithExpiry(cache: Keyv, key: string, value: Record<string, any> | Record<string, any>[], ttl: number): Promise<void>;
+/**
+ * Get a cached value along with its remaining TTL
+ */
+export declare function getCacheValueWithTTL(cache: Keyv, key: string): Promise<{
+    data: any;
+    remainingTTL: number;
+} | undefined>;

package/dist/cache.js

@@ -1,3 +1,4 @@
+import { createRequire } from 'node:module';
 import { useEnv } from '@directus/env';
 import Keyv, {} from 'keyv';
 import { useBus } from './bus/index.js';
@@ -5,16 +6,16 @@ import { useLogger } from './logger/index.js';
 import { clearCache as clearPermissionCache } from './permissions/cache.js';
 import { redisConfigAvailable } from './redis/index.js';
 import { compress, decompress } from './utils/compress.js';
+import { freezeSchema, unfreezeSchema } from './utils/freeze-schema.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getMilliseconds } from './utils/get-milliseconds.js';
 import { validateEnv } from './utils/validate-env.js';
-import { createRequire } from 'node:module';
-import { freezeSchema, unfreezeSchema } from './utils/freeze-schema.js';
 const logger = useLogger();
 const env = useEnv();
 const require = createRequire(import.meta.url);
 let cache = null;
 let systemCache = null;
+let deploymentCache = null;
 let lockCache = null;
 let messengerSubscribed = false;
 let localSchemaCache = null;
@@ -40,6 +41,11 @@ export function getCache() {
         systemCache = getKeyvInstance(env['CACHE_STORE'], getMilliseconds(env['CACHE_SYSTEM_TTL']), '_system');
         systemCache.on('error', (err) => logger.warn(err, `[system-cache] ${err}`));
     }
+    if (deploymentCache === null) {
+        const ttl = getMilliseconds(env['CACHE_DEPLOYMENT_TTL']) || 5000; // Default 5s
+        deploymentCache = getKeyvInstance(env['CACHE_STORE'], ttl, '_deployment');
+        deploymentCache.on('error', (err) => logger.warn(err, `[deployment-cache] ${err}`));
+    }
     if (localSchemaCache === null) {
         localSchemaCache = getKeyvInstance('memory', getMilliseconds(env['CACHE_SYSTEM_TTL']), '_schema');
         localSchemaCache.on('error', (err) => logger.warn(err, `[schema-cache] ${err}`));
@@ -48,7 +54,7 @@ export function getCache() {
         lockCache = getKeyvInstance(env['CACHE_STORE'], undefined, '_lock');
         lockCache.on('error', (err) => logger.warn(err, `[lock-cache] ${err}`));
     }
-    return { cache, systemCache, localSchemaCache, lockCache };
+    return { cache, systemCache, deploymentCache, localSchemaCache, lockCache };
 }
 export async function flushCaches(forced) {
     const { cache } = getCache();
@@ -107,6 +113,24 @@ export async function getCacheValue(cache, key) {
     const decompressed = await decompress(value);
     return decompressed;
 }
+/**
+ * Store a value in cache with its expiration timestamp for TTL tracking
+ */
+export async function setCacheValueWithExpiry(cache, key, value, ttl) {
+    await setCacheValue(cache, key, value, ttl);
+    await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + ttl }, ttl);
+}
+/**
+ * Get a cached value along with its remaining TTL
+ */
+export async function getCacheValueWithTTL(cache, key) {
+    const value = await getCacheValue(cache, key);
+    if (!value)
+        return undefined;
+    const expiryData = await getCacheValue(cache, `${key}__expires_at`);
+    const remainingTTL = expiryData?.exp ? Math.max(0, expiryData.exp - Date.now()) : 0;
+    return { data: value, remainingTTL };
+}
 function getKeyvInstance(store, ttl, namespaceSuffix) {
     switch (store) {
         case 'redis':

package/dist/cli/commands/bootstrap/index.js

@@ -1,12 +1,12 @@
 import { useEnv } from '@directus/env';
+import { email } from 'zod';
 import getDatabase, { hasDatabaseConnection, isInstalled, validateDatabaseConnection, } from '../../../database/index.js';
 import runMigrations from '../../../database/migrations/run.js';
 import installDatabase from '../../../database/seeds/run.js';
 import { useLogger } from '../../../logger/index.js';
 import { SettingsService } from '../../../services/settings.js';
-import { getSchema } from '../../../utils/get-schema.js';
 import { createAdmin } from '../../../utils/create-admin.js';
-import { email } from 'zod';
+import { getSchema } from '../../../utils/get-schema.js';
 export default async function bootstrap({ skipAdminInit }) {
     const logger = useLogger();
     logger.info('Initializing bootstrap...');

package/dist/cli/commands/database/install.js

@@ -1,5 +1,5 @@
-import installSeeds from '../../../database/seeds/run.js';
 import getDatabase from '../../../database/index.js';
+import installSeeds from '../../../database/seeds/run.js';
 import { useLogger } from '../../../logger/index.js';
 export default async function start() {
     const database = getDatabase();

package/dist/cli/commands/database/migrate.js

@@ -1,5 +1,5 @@
-import run from '../../../database/migrations/run.js';
 import getDatabase from '../../../database/index.js';
+import run from '../../../database/migrations/run.js';
 import { useLogger } from '../../../logger/index.js';
 export default async function migrate(direction) {
     const database = getDatabase();

package/dist/cli/commands/init/index.js

@@ -1,15 +1,15 @@
+import { randomUUID } from 'node:crypto';
 import chalk from 'chalk';
 import { execa } from 'execa';
 import inquirer from 'inquirer';
 import Joi from 'joi';
-import { randomUUID } from 'node:crypto';
 import ora from 'ora';
 import runMigrations from '../../../database/migrations/run.js';
 import runSeed from '../../../database/seeds/run.js';
+import { defaultAdminPolicy, defaultAdminRole, defaultAdminUser } from '../../../utils/create-admin.js';
 import { generateHash } from '../../../utils/generate-hash.js';
 import createDBConnection from '../../utils/create-db-connection.js';
 import createEnv from '../../utils/create-env/index.js';
-import { defaultAdminPolicy, defaultAdminRole, defaultAdminUser } from '../../../utils/create-admin.js';
 import { drivers, getDriverForClient } from '../../utils/drivers.js';
 import { databaseQuestions } from './questions.js';
 export default async function init() {

package/dist/cli/commands/roles/create.js

@@ -1,9 +1,9 @@
-import { getSchema } from '../../../utils/get-schema.js';
-import { RolesService } from '../../../services/roles.js';
-import { PoliciesService } from '../../../services/index.js';
-import { AccessService } from '../../../services/index.js';
 import getDatabase from '../../../database/index.js';
 import { useLogger } from '../../../logger/index.js';
+import { PoliciesService } from '../../../services/index.js';
+import { AccessService } from '../../../services/index.js';
+import { RolesService } from '../../../services/roles.js';
+import { getSchema } from '../../../utils/get-schema.js';
 export default async function rolesCreate({ role: name, admin, app, }) {
     const database = getDatabase();
     const logger = useLogger();

package/dist/cli/commands/schema/apply.js

@@ -1,10 +1,10 @@
-import { parseJSON } from '@directus/utils';
+import { promises as fs } from 'fs';
+import path from 'path';
 import { DiffKind } from '@directus/types';
+import { parseJSON } from '@directus/utils';
 import chalk from 'chalk';
-import { promises as fs } from 'fs';
 import inquirer from 'inquirer';
 import { load as loadYaml } from 'js-yaml';
-import path from 'path';
 import getDatabase, { isInstalled, validateDatabaseConnection } from '../../../database/index.js';
 import { useLogger } from '../../../logger/index.js';
 import { isNestedMetaUpdate } from '../../../utils/apply-diff.js';

package/dist/cli/commands/schema/snapshot.js

@@ -1,7 +1,7 @@
 import { promises as fs, constants as fsConstants } from 'fs';
+import path from 'path';
 import inquirer from 'inquirer';
 import { dump as toYaml } from 'js-yaml';
-import path from 'path';
 import getDatabase from '../../../database/index.js';
 import { useLogger } from '../../../logger/index.js';
 import { getSnapshot } from '../../../utils/get-snapshot.js';

package/dist/cli/utils/create-db-connection.d.ts

@@ -1,5 +1,5 @@
-import type { Knex } from 'knex';
 import type { Driver } from '@directus/types';
+import type { Knex } from 'knex';
 export type Credentials = {
     filename?: string;
     host?: string;

package/dist/cli/utils/create-db-connection.js

@@ -1,7 +1,7 @@
-import knex from 'knex';
 import { dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import path from 'path';
+import knex from 'knex';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 export default function createDBConnection(client, credentials) {
     let connection = {};

package/dist/cli/utils/create-env/env-stub.liquid

@@ -148,6 +148,9 @@ CACHE_ENABLED=false
 # How long the cache is persisted ["5m"]
 # CACHE_TTL="30m"
 
+# How long deployment provider data is cached ["5s"]
+# CACHE_DEPLOYMENT_TTL="5s"
+
 # How to scope the cache data ["system-cache"]
 # CACHE_NAMESPACE="system-cache"
 

package/dist/cli/utils/create-env/index.js

@@ -1,9 +1,9 @@
 import fs from 'fs';
-import { Liquid } from 'liquidjs';
 import { dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import path from 'path';
 import { promisify } from 'util';
+import { Liquid } from 'liquidjs';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const readFile = promisify(fs.readFile);
 const writeFile = promisify(fs.writeFile);

package/dist/constants.d.ts

@@ -1,5 +1,5 @@
-import type { CookieOptions } from 'express';
 import type { TransformationParams } from '@directus/types';
+import type { CookieOptions } from 'express';
 export declare const SYSTEM_ASSET_ALLOW_LIST: TransformationParams[];
 export declare const ASSET_TRANSFORM_QUERY_KEYS: readonly ["key", "transforms", "width", "height", "format", "fit", "quality", "withoutEnlargement", "focal_point_x", "focal_point_y"];
 export declare const FILTER_VARIABLES: string[];
@@ -15,11 +15,15 @@ export declare const OAS_REQUIRED_SCHEMAS: string[];
 export declare const SUPPORTED_IMAGE_TRANSFORM_FORMATS: string[];
 /** Formats where metadata extraction is supported */
 export declare const SUPPORTED_IMAGE_METADATA_FORMATS: string[];
-/** Resumable uploads */
+/** File uploads */
+export declare const FILE_UPLOADS: {
+    MAX_SIZE: number | null;
+    MAX_CONCURRENCY: number;
+};
+/** Resumable uploads (TUS) */
 export declare const RESUMABLE_UPLOADS: {
     ENABLED: boolean;
     CHUNK_SIZE: number | null;
-    MAX_SIZE: number | null;
     EXPIRATION_TIME: number;
     SCHEDULE: string;
 };

package/dist/constants.js

@@ -1,7 +1,7 @@
-import { getMilliseconds } from './utils/get-milliseconds.js';
 import { useEnv } from '@directus/env';
 import { toBoolean } from '@directus/utils';
 import bytes from 'bytes';
+import { getMilliseconds } from './utils/get-milliseconds.js';
 const env = useEnv();
 export const SYSTEM_ASSET_ALLOW_LIST = [
     {
@@ -87,11 +87,15 @@ export const SUPPORTED_IMAGE_METADATA_FORMATS = [
     'image/tiff',
     'image/avif',
 ];
-/** Resumable uploads */
+/** File uploads */
+export const FILE_UPLOADS = {
+    MAX_SIZE: bytes.parse(env['FILES_MAX_UPLOAD_SIZE']),
+    MAX_CONCURRENCY: Number(env['FILES_MAX_UPLOAD_CONCURRENCY']),
+};
+/** Resumable uploads (TUS) */
 export const RESUMABLE_UPLOADS = {
     ENABLED: toBoolean(env['TUS_ENABLED']),
     CHUNK_SIZE: bytes.parse(env['TUS_CHUNK_SIZE']),
-    MAX_SIZE: bytes.parse(env['FILES_MAX_UPLOAD_SIZE']),
     EXPIRATION_TIME: getMilliseconds(env['TUS_UPLOAD_EXPIRATION'], 600_000 /* 10min */),
     SCHEDULE: String(env['TUS_CLEANUP_SCHEDULE']),
 };

package/dist/controllers/access.js

@@ -3,8 +3,8 @@ import express from 'express';
 import { respond } from '../middleware/respond.js';
 import useCollection from '../middleware/use-collection.js';
 import { validateBatch } from '../middleware/validate-batch.js';
-import { MetaService } from '../services/meta.js';
 import { AccessService } from '../services/access.js';
+import { MetaService } from '../services/meta.js';
 import asyncHandler from '../utils/async-handler.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
 const router = express.Router();

package/dist/controllers/assets.js

@@ -189,7 +189,7 @@ asyncHandler(async (req, res) => {
         }
     }
     const { stream, file, stat } = await service.getAsset(id, { transformationParams, acceptFormat }, range, true);
-    const filename = req.params['filename'] ?? file.filename_download;
+    const filename = req.params['filename'] ?? file.filename_download ?? file.id;
     res.attachment(filename);
     res.setHeader('Content-Type', file.type);
     res.setHeader('Accept-Ranges', 'bytes');