@directus/api 33.3.1 → 34.0.1

package/dist/test-utils/README.md

@@ -17,6 +17,7 @@ This directory contains mock implementations for commonly used modules in servic
 - **[files-service.ts](#files-servicets)** - FilesService mocks
 - **[folders-service.ts](#folders-servicets)** - FoldersService mocks
 - **[test-helpers.ts](#test-helpersts)** - Test data factory functions
+- **[controllers.ts](#controllersts)** - Controller/router testing helpers
 
 ## Quick Start
 
@@ -521,6 +522,116 @@ const buildTreeSpy = vi.spyOn(FoldersService.prototype, 'buildTree').mockResolve
 
 ---
 
+### controllers.ts
+
+Provides helpers for extracting route handlers from Express routers and creating mock Express request/response objects
+for controller tests.
+
+#### `getRouteHandler(router, method, path)`
+
+Extracts the middleware/handler stack for a specific route from an Express router.
+
+**Parameters:**
+
+- `router`: The Express `Router` instance
+- `method`: HTTP method (`'GET'`, `'POST'`, `'PATCH'`, `'DELETE'`, etc.)
+- `path`: Route path (e.g. `'/'`, `'/:id'`)
+
+**Returns:** Array of `{ handle: (...args) => any }` layers for the matched route
+
+**Throws:** If no matching route is found
+
+**Example:**
+
+```typescript
+import { default as router } from './tus.js';
+import { getRouteHandler } from '../test-utils/controllers.js';
+
+const [checkAccess, handler] = getRouteHandler(router, 'POST', '/');
+await checkAccess?.handle(req, res, next);
+```
+
+#### `createMockRequest(overrides?)`
+
+Creates a mock Express Request pre-populated with common Directus properties (`accountability`, `schema`,
+`sanitizedQuery`, etc.).
+
+**Parameters:**
+
+- `overrides` (optional): Properties to merge into the mock request
+
+**Returns:** Mock `Request` object
+
+**Example:**
+
+```typescript
+import { createMockRequest } from '../test-utils/controllers.js';
+
+// Minimal request
+const req = createMockRequest({ schema });
+
+// With accountability and custom header
+const req = createMockRequest({
+	method: 'POST',
+	accountability,
+	schema,
+	header: vi.fn().mockReturnValue('some-value'),
+});
+```
+
+#### `createMockResponse(overrides?)`
+
+Creates a mock Express Response with chainable methods (`status`, `json`, `send`, `set`, `end`).
+
+**Parameters:**
+
+- `overrides` (optional): Properties to merge into the mock response
+
+**Returns:** Mock `Response` object
+
+**Example:**
+
+```typescript
+import { createMockResponse } from '../test-utils/controllers.js';
+
+const res = createMockResponse();
+```
+
+#### Full Controller Test Example
+
+```typescript
+import { SchemaBuilder } from '@directus/schema-builder';
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+import { createMockRequest, createMockResponse, getRouteHandler } from '../test-utils/controllers.js';
+import { default as router } from './controller.js';
+
+const schema = new SchemaBuilder()
+	.collection('collection', (c) => {
+		c.field('id').integer().primary();
+		c.field('title').string();
+	})
+	.build();
+
+describe('controller', () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	test('validates access on POST', async () => {
+		const req = createMockRequest({ method: 'POST', accountability, schema });
+		const res = createMockResponse();
+		const next = vi.fn();
+
+		const [firstHandler] = getRouteHandler(router, 'POST', '/');
+		await firstHandler?.handle(req, res, next);
+
+		expect(next).toHaveBeenCalled();
+	});
+});
+```
+
+---
+
 ## Common Patterns
 
 ### Full Service Test Setup
@@ -737,6 +848,7 @@ See these files for complete examples:
 
 - [collections.test.ts](../services/collections.test.ts) - Full service test with schema operations
 - [fields.test.ts](../services/fields.test.ts) - Complex service test with field management
+- [tus.test.ts](../controllers/tus.test.ts) - Controller test with route handler extraction and access validation
 
 ---
 

package/dist/test-utils/controllers.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Controller testing utilities
+ * Provides helpers for extracting route handlers and creating mock Express request/response objects
+ */
+import type { Request, Response, Router } from 'express';
+/**
+ * Get a route handler stack from an Express router
+ *
+ * @param router The Express router instance to search
+ * @param method HTTP method (GET, POST, PATCH, DELETE, etc.)
+ * @param path Route path (e.g. '/', '/:id')
+ * @returns Array of middleware/handler layers for the matched route
+ *
+ * @example
+ * ```typescript
+ * import { default as router } from './controller.js';
+
+ * const [firstHandler, secondHandler] = getRouteHandler(router, 'POST', '/');
+ * await firstHandler?.handle(req, res, next);
+ * ```
+ */
+export declare function getRouteHandler(router: Router, method: string, path: string): Array<{
+    handle: (...args: any[]) => any;
+}>;
+/**
+ * Creates a mock Express Request with common Directus properties.
+ *
+ * @param overrides Properties to merge into the mock request
+ * @returns Mock Express Request object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const req = createMockRequest({ method: 'POST', accountability });
+ *
+ * // With custom schema
+ * const req = createMockRequest({
+ *   method: 'PATCH',
+ *   params: { id: 'file-1' },
+ *   schema: mySchema,
+ * });
+ *
+ * // With custom header mock
+ * const req = createMockRequest({
+ *   header: vi.fn().mockReturnValue('some-header-value'),
+ * });
+ * ```
+ */
+export declare function createMockRequest(overrides?: Partial<Request>): Request;
+/**
+ * Creates a mock Express Response with chainable methods.
+ *
+ * @param overrides Properties to merge into the mock response
+ * @returns Mock Express Response object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const res = createMockResponse();
+ *
+ * // With custom locals
+ * const res = createMockResponse({ locals: { payload: { data: [] } } });
+ * ```
+ */
+export declare function createMockResponse(overrides?: Partial<Response>): Response;

package/dist/test-utils/controllers.js

@@ -0,0 +1,100 @@
+/**
+ * Controller testing utilities
+ * Provides helpers for extracting route handlers and creating mock Express request/response objects
+ */
+import { vi } from 'vitest';
+/**
+ * Get a route handler stack from an Express router
+ *
+ * @param router The Express router instance to search
+ * @param method HTTP method (GET, POST, PATCH, DELETE, etc.)
+ * @param path Route path (e.g. '/', '/:id')
+ * @returns Array of middleware/handler layers for the matched route
+ *
+ * @example
+ * ```typescript
+ * import { default as router } from './controller.js';
+
+ * const [firstHandler, secondHandler] = getRouteHandler(router, 'POST', '/');
+ * await firstHandler?.handle(req, res, next);
+ * ```
+ */
+export function getRouteHandler(router, method, path) {
+    const stack = router.stack;
+    const layer = stack.find((l) => l.route?.path === path && l.route?.methods[method.toLowerCase()]);
+    if (!layer)
+        throw new Error(`No route found for ${method} ${path}`);
+    return layer.route.stack;
+}
+/**
+ * Creates a mock Express Request with common Directus properties.
+ *
+ * @param overrides Properties to merge into the mock request
+ * @returns Mock Express Request object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const req = createMockRequest({ method: 'POST', accountability });
+ *
+ * // With custom schema
+ * const req = createMockRequest({
+ *   method: 'PATCH',
+ *   params: { id: 'file-1' },
+ *   schema: mySchema,
+ * });
+ *
+ * // With custom header mock
+ * const req = createMockRequest({
+ *   header: vi.fn().mockReturnValue('some-header-value'),
+ * });
+ * ```
+ */
+export function createMockRequest(overrides = {}) {
+    const headerFn = vi.fn().mockReturnValue(undefined);
+    return {
+        method: 'GET',
+        headers: {},
+        params: {},
+        body: {},
+        header: headerFn,
+        get: headerFn,
+        is: vi.fn().mockReturnValue(false),
+        token: null,
+        collection: '',
+        singleton: false,
+        accountability: undefined,
+        sanitizedQuery: {},
+        schema: {
+            collections: {},
+            relations: [],
+        },
+        ...overrides,
+    };
+}
+/**
+ * Creates a mock Express Response with chainable methods.
+ *
+ * @param overrides Properties to merge into the mock response
+ * @returns Mock Express Response object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const res = createMockResponse();
+ *
+ * // With custom locals
+ * const res = createMockResponse({ locals: { payload: { data: [] } } });
+ * ```
+ */
+export function createMockResponse(overrides = {}) {
+    return {
+        locals: {},
+        status: vi.fn().mockReturnThis(),
+        json: vi.fn().mockReturnThis(),
+        send: vi.fn().mockReturnThis(),
+        set: vi.fn().mockReturnThis(),
+        end: vi.fn().mockReturnThis(),
+        ...overrides,
+    };
+}

package/dist/test-utils/database.d.ts

@@ -24,7 +24,7 @@ import type { DatabaseClient } from '@directus/types';
  * ```
  */
 export declare function mockDatabase(client?: DatabaseClient): {
-    default: import("vitest").Mock<(...args: any[]) => any>;
+    default: import("vitest").Mock<() => import("vitest").MockedFunction<import("knex").Knex<any, unknown[]>>>;
     getDatabaseClient: import("vitest").Mock<(...args: any[]) => any>;
     getSchemaInspector: import("vitest").Mock<(...args: any[]) => any>;
 };

package/dist/test-utils/database.js

@@ -3,6 +3,7 @@
  * Provides simplified mocks for src/database/index module used in service testing
  */
 import { vi } from 'vitest';
+import { createMockKnex } from './knex.js';
 /**
  * Creates a standard database mock for service tests
  * This matches the pattern used across all service test files
@@ -24,8 +25,9 @@ import { vi } from 'vitest';
  * ```
  */
 export function mockDatabase(client = 'postgres') {
+    const { db } = createMockKnex();
     return {
-        default: vi.fn(),
+        default: vi.fn(() => db),
         getDatabaseClient: vi.fn().mockReturnValue(client),
         getSchemaInspector: vi.fn(),
     };

package/dist/utils/get-field-relational-depth.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Counts the number of relational segments in a field path. Handles function syntax
+ * (e.g. json(), year()) by counting relational segments in the prefix and in the first argument
+ * separately, while ignoring subsequent arguments (e.g. json paths).
+ *
+ * @example
+ * getFieldRelationalDepth('a.b.c')                              // 3
+ * getFieldRelationalDepth('year(user.date_created)')            // 2
+ * getFieldRelationalDepth('category_id.json(metadata, a.b.c)') // 2
+ * getFieldRelationalDepth('json(a.b.field, some.path)')         // 3
+ * getFieldRelationalDepth('json(metadata, path.to.value)')      // 1
+ */
+export declare function getFieldRelationalDepth(field: string): number;

package/dist/utils/get-field-relational-depth.js

@@ -0,0 +1,22 @@
+/**
+ * Counts the number of relational segments in a field path. Handles function syntax
+ * (e.g. json(), year()) by counting relational segments in the prefix and in the first argument
+ * separately, while ignoring subsequent arguments (e.g. json paths).
+ *
+ * @example
+ * getFieldRelationalDepth('a.b.c')                              // 3
+ * getFieldRelationalDepth('year(user.date_created)')            // 2
+ * getFieldRelationalDepth('category_id.json(metadata, a.b.c)') // 2
+ * getFieldRelationalDepth('json(a.b.field, some.path)')         // 3
+ * getFieldRelationalDepth('json(metadata, path.to.value)')      // 1
+ */
+export function getFieldRelationalDepth(field) {
+    const openParenIndex = field.indexOf('(');
+    if (openParenIndex === -1) {
+        return field.split('.').length;
+    }
+    const functionDepth = field.slice(0, openParenIndex).split('.').length - 1;
+    const commaIndex = field.indexOf(',', openParenIndex);
+    const fieldDepth = field.slice(openParenIndex, commaIndex).split('.').length;
+    return functionDepth + fieldDepth;
+}

package/dist/utils/parse-value.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Parse a value that might be a JSON string, returning a typed result or fallback.
+ */
+export declare function parseValue<T>(value: unknown, fallback: T): T;

package/dist/utils/parse-value.js

@@ -0,0 +1,11 @@
+import { parseJSON } from '@directus/utils';
+/**
+ * Parse a value that might be a JSON string, returning a typed result or fallback.
+ */
+export function parseValue(value, fallback) {
+    if (!value)
+        return fallback;
+    if (typeof value === 'string')
+        return parseJSON(value);
+    return value;
+}

package/dist/utils/sanitize-query.js

@@ -9,6 +9,7 @@ import { contextHasDynamicVariables } from '../permissions/modules/process-ast/u
 import { extractRequiredDynamicVariableContext } from '../permissions/utils/extract-required-dynamic-variable-context.js';
 import { fetchDynamicVariableData } from '../permissions/utils/fetch-dynamic-variable-data.js';
 import { Meta } from '../types/index.js';
+import { splitFields } from './split-fields.js';
 /**
  * Sanitize the query parameters and parse them where necessary.
  */
@@ -81,7 +82,7 @@ function sanitizeFields(rawFields) {
         return null;
     let fields = [];
     if (typeof rawFields === 'string') {
-        fields = rawFields.split(',');
+        fields = splitFields(rawFields);
     }
     else if (Array.isArray(rawFields)) {
         fields = rawFields;
@@ -90,7 +91,7 @@ function sanitizeFields(rawFields) {
         throw new InvalidQueryError({ reason: '"fields" must be a string or array' });
     }
     // Case where array item includes CSV (fe fields[]=id,name):
-    fields = flatten(fields.map((field) => (field.includes(',') ? field.split(',') : field)));
+    fields = flatten(fields.map((field) => (field.includes(',') ? splitFields(field) : field)));
     fields = fields.map((field) => field.trim());
     return fields;
 }

package/dist/utils/split-fields.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Parenthesis aware splitting of fields allowing for `json(a, b)` field functions
+ */
+export declare function splitFields(input: string): string[];

package/dist/utils/split-fields.js

@@ -0,0 +1,32 @@
+import { InvalidQueryError } from '@directus/errors';
+/**
+ * Parenthesis aware splitting of fields allowing for `json(a, b)` field functions
+ */
+export function splitFields(input) {
+    const fields = [];
+    let current = '';
+    let depth = 0;
+    for (const char of input) {
+        if (char === '(') {
+            depth++;
+            if (depth > 1) {
+                throw new InvalidQueryError({ reason: 'Nested functions are not supported in "fields"' });
+            }
+        }
+        else if (char === ')') {
+            depth--;
+        }
+        if (char === ',' && depth === 0) {
+            fields.push(current);
+            current = '';
+        }
+        else {
+            current += char;
+        }
+    }
+    if (depth !== 0) {
+        throw new InvalidQueryError({ reason: 'Missing closing parenthesis in "fields"' });
+    }
+    fields.push(current);
+    return fields;
+}

package/dist/utils/validate-query.js

@@ -4,6 +4,7 @@ import Joi from 'joi';
 import { isPlainObject, uniq } from 'lodash-es';
 import { stringify } from 'wellknown';
 import { calculateFieldDepth } from './calculate-field-depth.js';
+import { getFieldRelationalDepth } from './get-field-relational-depth.js';
 const env = useEnv();
 const querySchema = Joi.object({
     fields: Joi.array().items(Joi.string()),
@@ -186,7 +187,7 @@ function validateRelationalDepth(query) {
     }
     fields = uniq(fields);
     for (const field of fields) {
-        if (field.split('.').length > maxRelationalDepth) {
+        if (getFieldRelationalDepth(field) > maxRelationalDepth) {
             throw new InvalidQueryError({ reason: 'Max relational depth exceeded' });
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "33.3.1",
+  "version": "34.0.1",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -58,10 +58,10 @@
     "dist"
   ],
   "dependencies": {
-    "@ai-sdk/anthropic": "3.0.9",
-    "@ai-sdk/google": "3.0.6",
-    "@ai-sdk/openai": "3.0.7",
-    "@ai-sdk/openai-compatible": "2.0.4",
+    "@ai-sdk/anthropic": "3.0.58",
+    "@ai-sdk/google": "3.0.43",
+    "@ai-sdk/openai": "3.0.41",
+    "@ai-sdk/openai-compatible": "2.0.35",
     "@authenio/samlify-node-xmllint": "2.0.0",
     "@aws-sdk/client-sesv2": "3.928.0",
     "@godaddy/terminus": "4.12.1",
@@ -72,12 +72,12 @@
     "@rollup/plugin-virtual": "3.0.2",
     "@tus/server": "2.3.0",
     "@tus/utils": "0.6.0",
-    "ai": "6.0.25",
+    "ai": "6.0.116",
     "archiver": "7.0.1",
     "argon2": "0.44.0",
     "async": "3.2.6",
     "async-mutex": "0.5.0",
-    "axios": "1.12.2",
+    "axios": "1.13.5",
     "busboy": "1.6.0",
     "bytes": "3.1.2",
     "camelcase": "8.0.0",
@@ -118,12 +118,12 @@
     "keyv": "5.5.3",
     "knex": "3.1.0",
     "ldapts": "8.1.3",
-    "liquidjs": "10.24.0",
-    "lodash-es": "4.17.21",
+    "liquidjs": "10.25.0",
+    "lodash-es": "4.17.23",
     "marked": "16.4.1",
     "micromustache": "8.0.3",
     "mime-types": "3.0.1",
-    "minimatch": "10.1.1",
+    "minimatch": "10.2.3",
     "mnemonist": "0.40.3",
     "ms": "2.1.3",
     "nanoid": "5.1.6",
@@ -144,48 +144,48 @@
     "pm2": "6.0.14",
     "prom-client": "15.1.3",
     "proxy-addr": "2.0.7",
-    "qs": "6.14.1",
+    "qs": "6.14.2",
     "rate-limiter-flexible": "7.2.0",
     "rolldown": "1.0.0-beta.31",
-    "rollup": "4.52.5",
+    "rollup": "4.59.0",
     "samlify": "2.10.2",
     "sanitize-filename": "1.6.3",
     "sanitize-html": "2.17.0",
     "sharp": "0.34.5",
     "snappy": "7.3.3",
     "stream-json": "1.9.1",
-    "tar": "7.5.4",
+    "tar": "7.5.8",
     "tsx": "4.20.6",
     "uuid": "11.1.0",
     "wellknown": "0.5.0",
     "ws": "8.18.3",
     "zod": "4.1.12",
     "zod-validation-error": "4.0.2",
-    "@directus/ai": "1.1.0",
-    "@directus/app": "15.4.0",
-    "@directus/constants": "14.1.0",
-    "@directus/env": "5.5.3",
+    "@directus/ai": "1.3.0",
+    "@directus/constants": "14.2.0",
+    "@directus/app": "15.5.1",
+    "@directus/env": "5.6.1",
     "@directus/errors": "2.2.0",
-    "@directus/extensions": "3.0.19",
-    "@directus/extensions-registry": "3.0.19",
-    "@directus/extensions-sdk": "17.0.9",
-    "@directus/memory": "3.1.2",
-    "@directus/schema": "13.0.5",
+    "@directus/extensions": "3.0.21",
+    "@directus/extensions-registry": "3.0.21",
     "@directus/format-title": "12.1.1",
-    "@directus/schema-builder": "0.0.14",
-    "@directus/specs": "12.0.0",
-    "@directus/pressure": "3.0.17",
+    "@directus/memory": "3.1.4",
+    "@directus/pressure": "3.0.19",
+    "@directus/schema": "13.0.5",
+    "@directus/schema-builder": "0.0.16",
+    "@directus/extensions-sdk": "17.0.11",
+    "@directus/specs": "12.0.1",
     "@directus/storage": "12.0.3",
-    "@directus/storage-driver-azure": "12.0.17",
-    "@directus/storage-driver-cloudinary": "12.0.17",
-    "@directus/storage-driver-s3": "12.1.3",
+    "@directus/storage-driver-gcs": "12.0.19",
+    "@directus/storage-driver-cloudinary": "12.0.19",
+    "@directus/storage-driver-s3": "12.1.5",
     "@directus/storage-driver-local": "12.0.3",
-    "@directus/storage-driver-supabase": "3.0.17",
-    "@directus/system-data": "4.1.0",
-    "@directus/storage-driver-gcs": "12.0.17",
-    "@directus/utils": "13.2.2",
-    "directus": "11.15.4",
-    "@directus/validation": "2.0.17"
+    "@directus/system-data": "4.3.0",
+    "@directus/storage-driver-supabase": "3.0.19",
+    "@directus/validation": "2.0.19",
+    "@directus/utils": "13.3.1",
+    "directus": "11.16.1",
+    "@directus/storage-driver-azure": "12.0.19"
   },
   "devDependencies": {
     "@directus/tsconfig": "3.0.0",
@@ -228,8 +228,8 @@
     "knex-mock-client": "3.0.2",
     "typescript": "5.9.3",
     "vitest": "3.2.4",
-    "@directus/schema-builder": "0.0.14",
-    "@directus/types": "14.2.1"
+    "@directus/schema-builder": "0.0.16",
+    "@directus/types": "14.3.1"
   },
   "optionalDependencies": {
     "@keyv/redis": "3.0.1",

package/dist/auth/utils/is-login-redirect-allowed.d.ts

@@ -1,7 +0,0 @@
-/**
- * Checks if the defined redirect after successful SSO login is in the allow list
- * @param provider SSO provider name
- * @param redirect URL to redirect to after login
- * @returns True if the redirect is allowed, false otherwise
- */
-export declare function isLoginRedirectAllowed(provider: string, redirect: unknown): boolean;

package/dist/auth/utils/is-login-redirect-allowed.js

@@ -1,39 +0,0 @@
-import { useEnv } from '@directus/env';
-import { toArray } from '@directus/utils';
-import { useLogger } from '../../logger/index.js';
-import isUrlAllowed from '../../utils/is-url-allowed.js';
-/**
- * Checks if the defined redirect after successful SSO login is in the allow list
- * @param provider SSO provider name
- * @param redirect URL to redirect to after login
- * @returns True if the redirect is allowed, false otherwise
- */
-export function isLoginRedirectAllowed(provider, redirect) {
-    if (!redirect)
-        return true; // empty redirect
-    if (typeof redirect !== 'string')
-        return false; // invalid type
-    const env = useEnv();
-    const publicUrl = env['PUBLIC_URL'];
-    if (!URL.canParse(redirect)) {
-        if (!redirect.startsWith('//')) {
-            // should be a relative path like `/admin/test`
-            return true;
-        }
-        // domain without protocol `//example.com/test`
-        return false;
-    }
-    const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
-    if (envKey in env) {
-        if (isUrlAllowed(redirect, [...toArray(env[envKey]), publicUrl]))
-            return true;
-    }
-    if (URL.canParse(publicUrl) === false) {
-        useLogger().error('Invalid PUBLIC_URL for login redirect');
-        return false;
-    }
-    const { protocol: redirectProtocol, host: redirectHost } = new URL(redirect);
-    const { protocol: publicProtocol, host: publicHost } = new URL(publicUrl);
-    // allow redirects to the defined PUBLIC_URL (protocol + host including port)
-    return `${redirectProtocol}//${redirectHost}` === `${publicProtocol}//${publicHost}`;
-}