@directus/api 34.0.0 → 34.0.1

package/dist/ai/tools/fields/index.d.ts

@@ -29,7 +29,7 @@ export declare const FieldsValidateSchema: z.ZodDiscriminatedUnion<[z.ZodObject<
     action: z.ZodLiteral<"update">;
     data: z.ZodArray<z.ZodObject<{
         field: z.ZodString;
-        type: z.ZodString;
+        type: z.ZodOptional<z.ZodString>;
         name: z.ZodOptional<z.ZodString>;
         children: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodAny>>, z.ZodNull]>>;
         collection: z.ZodOptional<z.ZodString>;
@@ -51,7 +51,7 @@ export declare const FieldsInputSchema: z.ZodObject<{
     collection: z.ZodOptional<z.ZodString>;
     field: z.ZodOptional<z.ZodString>;
     data: z.ZodOptional<z.ZodArray<z.ZodObject<{
-        field: z.ZodOptional<z.ZodString>;
+        field: z.ZodNonOptional<z.ZodOptional<z.ZodString>>;
         type: z.ZodOptional<z.ZodNullable<z.ZodString>>;
         name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
         collection: z.ZodOptional<z.ZodOptional<z.ZodString>>;
@@ -87,7 +87,7 @@ export declare const fields: import("../types.js").ToolConfig<{
     action: "update";
     data: {
         field: string;
-        type: string;
+        type?: string | undefined;
         name?: string | undefined;
         children?: Record<string, any>[] | null | undefined;
         collection?: string | undefined;

package/dist/ai/tools/fields/index.js

@@ -28,7 +28,7 @@ export const FieldsValidateSchema = z.discriminatedUnion('action', [
     }),
     FieldsBaseValidateSchema.extend({
         action: z.literal('update'),
-        data: z.array(RawFieldItemValidateSchema),
+        data: z.array(RawFieldItemValidateSchema.partial({ type: true })),
     }),
     FieldsBaseValidateSchema.extend({
         action: z.literal('delete'),
@@ -38,11 +38,17 @@ export const FieldsValidateSchema = z.discriminatedUnion('action', [
 export const FieldsInputSchema = z.object({
     action: z.enum(['read', 'create', 'update', 'delete']).describe('The operation to perform'),
     collection: z.string().describe('The name of the collection').optional(),
-    field: z.string().optional(),
+    field: z
+        .string()
+        .describe('The name of the field. Required for delete. Optional for read (omit to read all fields). Do not use for create or update.')
+        .optional(),
     data: z
         .array(FieldItemInputSchema.extend({
         children: RawFieldItemInputSchema.shape.children,
-    }).partial())
+    })
+        .partial()
+        .required({ field: true }))
+        .describe('Array of field objects for create/update actions. Each object must include "field" (the field name).')
         .optional(),
 });
 export const fields = defineTool({

package/dist/auth/drivers/oauth2.js

@@ -21,7 +21,7 @@ import { getSecret } from '../../utils/get-secret.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
 import { generateCallbackUrl } from '../utils/generate-callback-url.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
+import { resolveLoginRedirect } from '../utils/resolve-login-redirect.js';
 import { LocalAuthDriver } from './local.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
     client;
@@ -273,8 +273,12 @@ export function createOAuth2AuthRouter(providerName) {
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
         const otp = req.query['otp'];
-        const redirect = req.query['redirect'];
-        if (!isLoginRedirectAllowed(providerName, redirect)) {
+        let redirect = req.query['redirect'];
+        try {
+            redirect = resolveLoginRedirect(redirect, { provider: providerName });
+        }
+        catch (e) {
+            useLogger().error(e);
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
         const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
@@ -356,8 +360,10 @@ export function createOAuth2AuthRouter(providerName) {
             const claims = verifyJWT(accessToken, getSecret());
             if (claims?.enforce_tfa === true) {
                 const url = new Url(env['PUBLIC_URL']).addPath('admin', 'tfa-setup');
-                if (redirect)
+                if (redirect) {
                     url.setQuery('redirect', redirect);
+                    url.setQuery('provider', providerName);
+                }
                 redirect = url.toString();
             }
         }

package/dist/auth/drivers/openid.js

@@ -21,7 +21,7 @@ import { getSecret } from '../../utils/get-secret.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
 import { generateCallbackUrl } from '../utils/generate-callback-url.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
+import { resolveLoginRedirect } from '../utils/resolve-login-redirect.js';
 import { LocalAuthDriver } from './local.js';
 export class OpenIDAuthDriver extends LocalAuthDriver {
     client;
@@ -324,9 +324,13 @@ export function createOpenIDAuthRouter(providerName) {
         const provider = getAuthProvider(providerName);
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
-        const redirect = req.query['redirect'];
+        let redirect = req.query['redirect'];
         const otp = req.query['otp'];
-        if (!isLoginRedirectAllowed(providerName, redirect)) {
+        try {
+            redirect = resolveLoginRedirect(redirect, { provider: providerName });
+        }
+        catch (e) {
+            useLogger().error(e);
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
         const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
@@ -418,8 +422,10 @@ export function createOpenIDAuthRouter(providerName) {
             const claims = verifyJWT(accessToken, getSecret());
             if (claims?.enforce_tfa === true) {
                 const url = new Url(env['PUBLIC_URL']).addPath('admin', 'tfa-setup');
-                if (redirect)
+                if (redirect) {
                     url.setQuery('redirect', redirect);
+                    url.setQuery('provider', providerName);
+                }
                 redirect = url.toString();
             }
         }

package/dist/auth/drivers/saml.js

@@ -13,7 +13,7 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
+import { resolveLoginRedirect } from '../utils/resolve-login-redirect.js';
 import { LocalAuthDriver } from './local.js';
 // Register the samlify schema validator
 samlify.setSchemaValidator(validator);
@@ -94,8 +94,12 @@ export function createSAMLAuthRouter(providerName) {
         const { context: url } = sp.createLoginRequest(idp, 'redirect');
         const parsedUrl = new URL(url);
         if (req.query['redirect']) {
-            const redirect = req.query['redirect'];
-            if (!isLoginRedirectAllowed(providerName, redirect)) {
+            let redirect = req.query['redirect'];
+            try {
+                redirect = resolveLoginRedirect(redirect, { provider: providerName });
+            }
+            catch (e) {
+                useLogger().error(e);
                 throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
             }
             parsedUrl.searchParams.append('RelayState', redirect);
@@ -115,10 +119,16 @@ export function createSAMLAuthRouter(providerName) {
     }));
     router.post('/acs', express.urlencoded({ extended: false }), asyncHandler(async (req, res, next) => {
         const logger = useLogger();
-        const relayState = req.body?.RelayState;
+        let redirect = req.body?.RelayState;
         const authMode = (env[`AUTH_${providerName.toUpperCase()}_MODE`] ?? 'session');
-        if (relayState && isLoginRedirectAllowed(providerName, relayState) === false) {
-            throw new InvalidPayloadError({ reason: `URL "${relayState}" can't be used to redirect after login` });
+        if (redirect) {
+            try {
+                redirect = resolveLoginRedirect(redirect, { provider: providerName });
+            }
+            catch (e) {
+                useLogger().error(e);
+                throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
+            }
         }
         try {
             const { sp, idp } = getAuthProvider(providerName);
@@ -134,19 +144,19 @@ export function createSAMLAuthRouter(providerName) {
                     expires,
                 },
             };
-            if (relayState) {
+            if (redirect) {
                 if (authMode === 'session') {
                     res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
                 }
                 else {
                     res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
                 }
-                return res.redirect(relayState);
+                return res.redirect(redirect);
             }
             return next();
         }
         catch (error) {
-            if (relayState) {
+            if (redirect) {
                 let reason = 'UNKNOWN_EXCEPTION';
                 if (isDirectusError(error)) {
                     reason = error.code;
@@ -154,7 +164,7 @@ export function createSAMLAuthRouter(providerName) {
                 else {
                     logger.warn(error, `[SAML] Unexpected error during SAML login`);
                 }
-                return res.redirect(`${relayState.split('?')[0]}?reason=${reason}`);
+                return res.redirect(`${redirect.split('?')[0]}?reason=${reason}`);
             }
             logger.warn(error, `[SAML] Unexpected error during SAML login`);
             throw error;

package/dist/auth/utils/resolve-login-redirect.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Resolves and validates the redirect URL after a successful SSO login.
+ * Returns a safe redirect path or URL, or throws if the redirect is invalid or not allowed.
+ * @param redirect URL or relative path to redirect to after login
+ * @param opts.provider SSO provider name, used to check provider-specific allow lists
+ * @returns Resolved redirect path or URL string
+ * @throws If the redirect is not a string, PUBLIC_URL is not defined, or the redirect is not allowed
+ */
+export declare function resolveLoginRedirect(redirect: unknown, opts?: {
+    provider?: string | undefined;
+}): string;

package/dist/auth/utils/resolve-login-redirect.js

@@ -0,0 +1,62 @@
+import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
+import isUrlAllowed from '../../utils/is-url-allowed.js';
+/**
+ * Resolves and validates the redirect URL after a successful SSO login.
+ * Returns a safe redirect path or URL, or throws if the redirect is invalid or not allowed.
+ * @param redirect URL or relative path to redirect to after login
+ * @param opts.provider SSO provider name, used to check provider-specific allow lists
+ * @returns Resolved redirect path or URL string
+ * @throws If the redirect is not a string, PUBLIC_URL is not defined, or the redirect is not allowed
+ */
+export function resolveLoginRedirect(redirect, opts = {}) {
+    const env = useEnv();
+    const publicURL = env['PUBLIC_URL'];
+    // Default empty redirect to root
+    if (!redirect)
+        return '/';
+    if (typeof redirect !== 'string')
+        throw new Error('"redirect" must be a string');
+    if (!publicURL)
+        throw new Error('"PUBLIC_URL" must be defined');
+    // Relative URL
+    if (URL.canParse(redirect) === false) {
+        try {
+            const dummyDomain = 'http://dummy.local';
+            const { protocol: dummyProtocol, host: dummyHost } = new URL(dummyDomain);
+            const parsedRelativeURL = new URL(redirect, dummyDomain);
+            if (dummyProtocol !== parsedRelativeURL.protocol || dummyHost !== parsedRelativeURL.host) {
+                throw new Error('Relative URL mismatch');
+            }
+            // If the protocol & host match then it is a safe relative path
+            return parsedRelativeURL.toString().replace(dummyDomain, '');
+        }
+        catch {
+            // Unparsable URL
+            throw new Error('Invalid relative URL');
+        }
+    }
+    // Absolute redirect
+    const parsedAbsoluteURL = new URL(redirect);
+    if (!['http:', 'https:'].includes(parsedAbsoluteURL.protocol)) {
+        throw new Error('Only http/https redirect protocols are allowed');
+    }
+    if (opts.provider) {
+        const envKey = `AUTH_${opts.provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
+        if (envKey in env) {
+            const allowedList = toArray(String(env[envKey]));
+            allowedList.push(publicURL);
+            if (isUrlAllowed(redirect, allowedList)) {
+                return parsedAbsoluteURL.toString();
+            }
+        }
+    }
+    if (URL.canParse(publicURL) === false)
+        throw new Error('PUBLIC_URL must be a valid URL');
+    const { protocol: publicProtocol, host: publicHost } = new URL(publicURL);
+    // Reject "app" redirects not matching PUBLIC_URL
+    if (publicProtocol !== parsedAbsoluteURL.protocol || publicHost !== parsedAbsoluteURL.host) {
+        throw new Error('App "redirect" must match PUBLIC_URL');
+    }
+    return parsedAbsoluteURL.toString();
+}

package/dist/controllers/server.js

@@ -1,3 +1,4 @@
+import { useEnv } from '@directus/env';
 import { ErrorCode, ForbiddenError, isDirectusError, RouteNotFoundError } from '@directus/errors';
 import { format } from 'date-fns';
 import { Router } from 'express';
@@ -8,32 +9,37 @@ import { SpecificationService } from '../services/specifications.js';
 import asyncHandler from '../utils/async-handler.js';
 import { createAdmin } from '../utils/create-admin.js';
 const router = Router();
-router.get('/specs/oas', asyncHandler(async (req, res, next) => {
-    const service = new SpecificationService({
-        accountability: req.accountability,
-        schema: req.schema,
-    });
-    res.locals['payload'] = await service.oas.generate(req.headers.host);
-    return next();
-}), respond);
-router.get('/specs/graphql/:scope?', asyncHandler(async (req, res) => {
-    const service = new SpecificationService({
-        accountability: req.accountability,
-        schema: req.schema,
-    });
-    const serverService = new ServerService({
-        accountability: req.accountability,
-        schema: req.schema,
-    });
-    const scope = req.params['scope'] || 'items';
-    if (['items', 'system'].includes(scope) === false)
-        throw new RouteNotFoundError({ path: req.path });
-    const info = await serverService.serverInfo();
-    const result = await service.graphql.generate(scope);
-    const filename = info['project'].project_name + '_' + format(new Date(), 'yyyy-MM-dd') + '.graphql';
-    res.attachment(filename);
-    res.send(result);
-}));
+const env = useEnv();
+if (env['OPENAPI_ENABLED'] !== false) {
+    router.get('/specs/oas', asyncHandler(async (req, res, next) => {
+        const service = new SpecificationService({
+            accountability: req.accountability,
+            schema: req.schema,
+        });
+        res.locals['payload'] = await service.oas.generate(req.headers.host);
+        return next();
+    }), respond);
+}
+if (env['GRAPHQL_INTROSPECTION'] !== false) {
+    router.get('/specs/graphql/:scope?', asyncHandler(async (req, res) => {
+        const service = new SpecificationService({
+            accountability: req.accountability,
+            schema: req.schema,
+        });
+        const serverService = new ServerService({
+            accountability: req.accountability,
+            schema: req.schema,
+        });
+        const scope = req.params['scope'] || 'items';
+        if (['items', 'system'].includes(scope) === false)
+            throw new RouteNotFoundError({ path: req.path });
+        const info = await serverService.serverInfo();
+        const result = await service.graphql.generate(scope);
+        const filename = info['project'].project_name + '_' + format(new Date(), 'yyyy-MM-dd') + '.graphql';
+        res.attachment(filename);
+        res.send(result);
+    }));
+}
 router.get('/info', asyncHandler(async (req, res, next) => {
     const service = new ServerService({
         accountability: req.accountability,

package/dist/controllers/tus.js

@@ -1,3 +1,5 @@
+import { createError } from '@directus/errors';
+import { ERRORS, Metadata } from '@tus/utils';
 import { Router } from 'express';
 import getDatabase from '../database/index.js';
 import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
@@ -18,11 +20,40 @@ const mapAction = (method) => {
 const checkFileAccess = asyncHandler(async (req, _res, next) => {
     if (req.accountability) {
         const action = mapAction(req.method);
-        await validateAccess({
+        const validateAccessOptions = {
             action,
             collection: 'directus_files',
             accountability: req.accountability,
-        }, {
+        };
+        if (req.method === 'POST' && req.header('upload-metadata')) {
+            let metadata;
+            try {
+                metadata = Metadata.parse(req.header('upload-metadata'));
+            }
+            catch {
+                throw new (createError('INVALID_METADATA', ERRORS.INVALID_METADATA.body, ERRORS.INVALID_METADATA.status_code))();
+            }
+            // On replacement ensure update for that record
+            if (metadata['id']) {
+                validateAccessOptions.action = 'update';
+                validateAccessOptions.primaryKeys = [metadata['id']];
+            }
+            // Validate permissions for any payload fields
+            const fields = [];
+            for (const field of Object.keys(req.schema.collections['directus_files'].fields)) {
+                // PK is not mutable, access to record is already checked via `primaryKeys` for updates
+                if (field === 'id') {
+                    continue;
+                }
+                if (field in metadata) {
+                    fields.push(field);
+                }
+            }
+            if (fields.length > 0) {
+                validateAccessOptions.fields = fields;
+            }
+        }
+        await validateAccess(validateAccessOptions, {
             schema: req.schema,
             knex: getDatabase(),
         });

package/dist/controllers/utils.js

@@ -3,6 +3,7 @@ import argon2 from 'argon2';
 import Busboy from 'busboy';
 import { Router } from 'express';
 import Joi from 'joi';
+import { resolveLoginRedirect } from '../auth/utils/resolve-login-redirect.js';
 import collectionExists from '../middleware/collection-exists.js';
 import { respond } from '../middleware/respond.js';
 import { ExportService, ImportService } from '../services/import-export.js';
@@ -125,4 +126,21 @@ router.post('/cache/clear', asyncHandler(async (req, res) => {
     await service.clearCache({ system: clearSystemCache });
     res.status(200).end();
 }));
+router.post('/resolve-redirect', asyncHandler(async (req, res) => {
+    if (!req.body?.redirect) {
+        throw new InvalidPayloadError({ reason: `"redirect" is required` });
+    }
+    if (req.body?.provider && typeof req.body.provider !== 'string') {
+        throw new InvalidPayloadError({ reason: `"provider" must be a string` });
+    }
+    try {
+        const resolved = resolveLoginRedirect(req.body.redirect, {
+            provider: req.body.provider,
+        });
+        return res.json({ data: resolved });
+    }
+    catch {
+        throw new InvalidPayloadError({ reason: `Invalid "redirect" provided` });
+    }
+}));
 export default router;

package/dist/database/run-ast/lib/apply-query/aggregate.js

@@ -2,11 +2,11 @@ export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins)
     for (const [operation, fields] of Object.entries(aggregate)) {
         if (!fields)
             continue;
+        if (operation === 'countAll') {
+            dbQuery.count('*', { as: 'countAll' });
+            continue;
+        }
         for (const field of fields) {
-            if (operation === 'countAll') {
-                dbQuery.count('*', { as: 'countAll' });
-                continue;
-            }
             if (operation === 'count' && field === '*') {
                 dbQuery.count('*', { as: 'count' });
                 continue;

package/dist/database/run-ast/lib/apply-query/filter/get-filter-type.d.ts

@@ -1,8 +1,8 @@
 import type { FieldOverview } from '@directus/types';
 export declare function getFilterType(fields: Record<string, FieldOverview>, key: string, collection?: string): {
-    type: "string" | "boolean" | "binary" | "time" | "integer" | "unknown" | "date" | "text" | "json" | "float" | "alias" | "uuid" | "dateTime" | "timestamp" | "bigInteger" | "decimal" | "hash" | "csv" | "geometry" | "geometry.Point" | "geometry.LineString" | "geometry.Polygon" | "geometry.MultiPoint" | "geometry.MultiLineString" | "geometry.MultiPolygon";
+    type: "string" | "boolean" | "binary" | "time" | "integer" | "unknown" | "date" | "text" | "float" | "alias" | "uuid" | "json" | "dateTime" | "timestamp" | "bigInteger" | "decimal" | "hash" | "csv" | "geometry" | "geometry.Point" | "geometry.LineString" | "geometry.Polygon" | "geometry.MultiPoint" | "geometry.MultiLineString" | "geometry.MultiPolygon";
     special?: never;
 } | {
-    type: "string" | "boolean" | "binary" | "time" | "integer" | "unknown" | "date" | "text" | "json" | "float" | "alias" | "uuid" | "dateTime" | "timestamp" | "bigInteger" | "decimal" | "hash" | "csv" | "geometry" | "geometry.Point" | "geometry.LineString" | "geometry.Polygon" | "geometry.MultiPoint" | "geometry.MultiLineString" | "geometry.MultiPolygon";
+    type: "string" | "boolean" | "binary" | "time" | "integer" | "unknown" | "date" | "text" | "float" | "alias" | "uuid" | "json" | "dateTime" | "timestamp" | "bigInteger" | "decimal" | "hash" | "csv" | "geometry" | "geometry.Point" | "geometry.LineString" | "geometry.Polygon" | "geometry.MultiPoint" | "geometry.MultiLineString" | "geometry.MultiPolygon";
     special: string[];
 };

package/dist/permissions/modules/validate-access/lib/validate-item-access.js

@@ -15,7 +15,7 @@ export async function validateItemAccess(options, context) {
     const hasPrimaryKeys = options.primaryKeys && options.primaryKeys.length > 0;
     // For non-singletons, we must have PKs to validate against
     if (!isSingleton && !hasPrimaryKeys) {
-        throw new Error(`Primary keys are required for non-singleton collection "${options.collection}"`);
+        return { accessAllowed: false };
     }
     // When we're looking up access to specific items, we have to read them from the database to
     // make sure you are allowed to access them.

package/dist/services/graphql/resolvers/system.js

@@ -135,35 +135,43 @@ export function injectSystemResolvers(gql, schemaComposer, { CreateCollectionTyp
             },
         });
     }
-    /** Globally available query */
-    schemaComposer.Query.addFields({
-        server_specs_oas: {
-            type: GraphQLJSON,
-            resolve: async () => {
-                const service = new SpecificationService({ schema: gql.schema, accountability: gql.accountability });
-                return await service.oas.generate();
-            },
-        },
-        server_specs_graphql: {
-            type: GraphQLString,
-            args: {
-                scope: new GraphQLEnumType({
-                    name: 'graphql_sdl_scope',
-                    values: {
-                        items: { value: 'items' },
-                        system: { value: 'system' },
-                    },
-                }),
+    if (env['OPENAPI_ENABLED'] !== false) {
+        schemaComposer.Query.addFields({
+            server_specs_oas: {
+                type: GraphQLJSON,
+                resolve: async () => {
+                    const service = new SpecificationService({ schema: gql.schema, accountability: gql.accountability });
+                    return await service.oas.generate();
+                },
             },
-            resolve: async (_, args) => {
-                const service = new GraphQLService({
-                    schema: gql.schema,
-                    accountability: gql.accountability,
-                    scope: args['scope'] ?? 'items',
-                });
-                return await generateSchema(service, 'sdl');
+        });
+    }
+    /** Globally available query */
+    if (env['GRAPHQL_INTROSPECTION'] !== false) {
+        schemaComposer.Query.addFields({
+            server_specs_graphql: {
+                type: GraphQLString,
+                args: {
+                    scope: new GraphQLEnumType({
+                        name: 'graphql_sdl_scope',
+                        values: {
+                            items: { value: 'items' },
+                            system: { value: 'system' },
+                        },
+                    }),
+                },
+                resolve: async (_, args) => {
+                    const service = new GraphQLService({
+                        schema: gql.schema,
+                        accountability: gql.accountability,
+                        scope: args['scope'] ?? 'items',
+                    });
+                    return await generateSchema(service, 'sdl');
+                },
             },
-        },
+        });
+    }
+    schemaComposer.Query.addFields({
         server_ping: {
             type: GraphQLString,
             resolve: () => 'pong',

package/dist/test-utils/README.md

@@ -17,6 +17,7 @@ This directory contains mock implementations for commonly used modules in servic
 - **[files-service.ts](#files-servicets)** - FilesService mocks
 - **[folders-service.ts](#folders-servicets)** - FoldersService mocks
 - **[test-helpers.ts](#test-helpersts)** - Test data factory functions
+- **[controllers.ts](#controllersts)** - Controller/router testing helpers
 
 ## Quick Start
 
@@ -521,6 +522,116 @@ const buildTreeSpy = vi.spyOn(FoldersService.prototype, 'buildTree').mockResolve
 
 ---
 
+### controllers.ts
+
+Provides helpers for extracting route handlers from Express routers and creating mock Express request/response objects
+for controller tests.
+
+#### `getRouteHandler(router, method, path)`
+
+Extracts the middleware/handler stack for a specific route from an Express router.
+
+**Parameters:**
+
+- `router`: The Express `Router` instance
+- `method`: HTTP method (`'GET'`, `'POST'`, `'PATCH'`, `'DELETE'`, etc.)
+- `path`: Route path (e.g. `'/'`, `'/:id'`)
+
+**Returns:** Array of `{ handle: (...args) => any }` layers for the matched route
+
+**Throws:** If no matching route is found
+
+**Example:**
+
+```typescript
+import { default as router } from './tus.js';
+import { getRouteHandler } from '../test-utils/controllers.js';
+
+const [checkAccess, handler] = getRouteHandler(router, 'POST', '/');
+await checkAccess?.handle(req, res, next);
+```
+
+#### `createMockRequest(overrides?)`
+
+Creates a mock Express Request pre-populated with common Directus properties (`accountability`, `schema`,
+`sanitizedQuery`, etc.).
+
+**Parameters:**
+
+- `overrides` (optional): Properties to merge into the mock request
+
+**Returns:** Mock `Request` object
+
+**Example:**
+
+```typescript
+import { createMockRequest } from '../test-utils/controllers.js';
+
+// Minimal request
+const req = createMockRequest({ schema });
+
+// With accountability and custom header
+const req = createMockRequest({
+	method: 'POST',
+	accountability,
+	schema,
+	header: vi.fn().mockReturnValue('some-value'),
+});
+```
+
+#### `createMockResponse(overrides?)`
+
+Creates a mock Express Response with chainable methods (`status`, `json`, `send`, `set`, `end`).
+
+**Parameters:**
+
+- `overrides` (optional): Properties to merge into the mock response
+
+**Returns:** Mock `Response` object
+
+**Example:**
+
+```typescript
+import { createMockResponse } from '../test-utils/controllers.js';
+
+const res = createMockResponse();
+```
+
+#### Full Controller Test Example
+
+```typescript
+import { SchemaBuilder } from '@directus/schema-builder';
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+import { createMockRequest, createMockResponse, getRouteHandler } from '../test-utils/controllers.js';
+import { default as router } from './controller.js';
+
+const schema = new SchemaBuilder()
+	.collection('collection', (c) => {
+		c.field('id').integer().primary();
+		c.field('title').string();
+	})
+	.build();
+
+describe('controller', () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	test('validates access on POST', async () => {
+		const req = createMockRequest({ method: 'POST', accountability, schema });
+		const res = createMockResponse();
+		const next = vi.fn();
+
+		const [firstHandler] = getRouteHandler(router, 'POST', '/');
+		await firstHandler?.handle(req, res, next);
+
+		expect(next).toHaveBeenCalled();
+	});
+});
+```
+
+---
+
 ## Common Patterns
 
 ### Full Service Test Setup
@@ -737,6 +848,7 @@ See these files for complete examples:
 
 - [collections.test.ts](../services/collections.test.ts) - Full service test with schema operations
 - [fields.test.ts](../services/fields.test.ts) - Complex service test with field management
+- [tus.test.ts](../controllers/tus.test.ts) - Controller test with route handler extraction and access validation
 
 ---
 

package/dist/test-utils/controllers.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Controller testing utilities
+ * Provides helpers for extracting route handlers and creating mock Express request/response objects
+ */
+import type { Request, Response, Router } from 'express';
+/**
+ * Get a route handler stack from an Express router
+ *
+ * @param router The Express router instance to search
+ * @param method HTTP method (GET, POST, PATCH, DELETE, etc.)
+ * @param path Route path (e.g. '/', '/:id')
+ * @returns Array of middleware/handler layers for the matched route
+ *
+ * @example
+ * ```typescript
+ * import { default as router } from './controller.js';
+
+ * const [firstHandler, secondHandler] = getRouteHandler(router, 'POST', '/');
+ * await firstHandler?.handle(req, res, next);
+ * ```
+ */
+export declare function getRouteHandler(router: Router, method: string, path: string): Array<{
+    handle: (...args: any[]) => any;
+}>;
+/**
+ * Creates a mock Express Request with common Directus properties.
+ *
+ * @param overrides Properties to merge into the mock request
+ * @returns Mock Express Request object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const req = createMockRequest({ method: 'POST', accountability });
+ *
+ * // With custom schema
+ * const req = createMockRequest({
+ *   method: 'PATCH',
+ *   params: { id: 'file-1' },
+ *   schema: mySchema,
+ * });
+ *
+ * // With custom header mock
+ * const req = createMockRequest({
+ *   header: vi.fn().mockReturnValue('some-header-value'),
+ * });
+ * ```
+ */
+export declare function createMockRequest(overrides?: Partial<Request>): Request;
+/**
+ * Creates a mock Express Response with chainable methods.
+ *
+ * @param overrides Properties to merge into the mock response
+ * @returns Mock Express Response object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const res = createMockResponse();
+ *
+ * // With custom locals
+ * const res = createMockResponse({ locals: { payload: { data: [] } } });
+ * ```
+ */
+export declare function createMockResponse(overrides?: Partial<Response>): Response;

package/dist/test-utils/controllers.js

@@ -0,0 +1,100 @@
+/**
+ * Controller testing utilities
+ * Provides helpers for extracting route handlers and creating mock Express request/response objects
+ */
+import { vi } from 'vitest';
+/**
+ * Get a route handler stack from an Express router
+ *
+ * @param router The Express router instance to search
+ * @param method HTTP method (GET, POST, PATCH, DELETE, etc.)
+ * @param path Route path (e.g. '/', '/:id')
+ * @returns Array of middleware/handler layers for the matched route
+ *
+ * @example
+ * ```typescript
+ * import { default as router } from './controller.js';
+
+ * const [firstHandler, secondHandler] = getRouteHandler(router, 'POST', '/');
+ * await firstHandler?.handle(req, res, next);
+ * ```
+ */
+export function getRouteHandler(router, method, path) {
+    const stack = router.stack;
+    const layer = stack.find((l) => l.route?.path === path && l.route?.methods[method.toLowerCase()]);
+    if (!layer)
+        throw new Error(`No route found for ${method} ${path}`);
+    return layer.route.stack;
+}
+/**
+ * Creates a mock Express Request with common Directus properties.
+ *
+ * @param overrides Properties to merge into the mock request
+ * @returns Mock Express Request object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const req = createMockRequest({ method: 'POST', accountability });
+ *
+ * // With custom schema
+ * const req = createMockRequest({
+ *   method: 'PATCH',
+ *   params: { id: 'file-1' },
+ *   schema: mySchema,
+ * });
+ *
+ * // With custom header mock
+ * const req = createMockRequest({
+ *   header: vi.fn().mockReturnValue('some-header-value'),
+ * });
+ * ```
+ */
+export function createMockRequest(overrides = {}) {
+    const headerFn = vi.fn().mockReturnValue(undefined);
+    return {
+        method: 'GET',
+        headers: {},
+        params: {},
+        body: {},
+        header: headerFn,
+        get: headerFn,
+        is: vi.fn().mockReturnValue(false),
+        token: null,
+        collection: '',
+        singleton: false,
+        accountability: undefined,
+        sanitizedQuery: {},
+        schema: {
+            collections: {},
+            relations: [],
+        },
+        ...overrides,
+    };
+}
+/**
+ * Creates a mock Express Response with chainable methods.
+ *
+ * @param overrides Properties to merge into the mock response
+ * @returns Mock Express Response object
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const res = createMockResponse();
+ *
+ * // With custom locals
+ * const res = createMockResponse({ locals: { payload: { data: [] } } });
+ * ```
+ */
+export function createMockResponse(overrides = {}) {
+    return {
+        locals: {},
+        status: vi.fn().mockReturnThis(),
+        json: vi.fn().mockReturnThis(),
+        send: vi.fn().mockReturnThis(),
+        set: vi.fn().mockReturnThis(),
+        end: vi.fn().mockReturnThis(),
+        ...overrides,
+    };
+}

package/dist/test-utils/database.d.ts

@@ -24,7 +24,7 @@ import type { DatabaseClient } from '@directus/types';
  * ```
  */
 export declare function mockDatabase(client?: DatabaseClient): {
-    default: import("vitest").Mock<(...args: any[]) => any>;
+    default: import("vitest").Mock<() => import("vitest").MockedFunction<import("knex").Knex<any, unknown[]>>>;
     getDatabaseClient: import("vitest").Mock<(...args: any[]) => any>;
     getSchemaInspector: import("vitest").Mock<(...args: any[]) => any>;
 };

package/dist/test-utils/database.js

@@ -3,6 +3,7 @@
  * Provides simplified mocks for src/database/index module used in service testing
  */
 import { vi } from 'vitest';
+import { createMockKnex } from './knex.js';
 /**
  * Creates a standard database mock for service tests
  * This matches the pattern used across all service test files
@@ -24,8 +25,9 @@ import { vi } from 'vitest';
  * ```
  */
 export function mockDatabase(client = 'postgres') {
+    const { db } = createMockKnex();
     return {
-        default: vi.fn(),
+        default: vi.fn(() => db),
         getDatabaseClient: vi.fn().mockReturnValue(client),
         getSchemaInspector: vi.fn(),
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "34.0.0",
+  "version": "34.0.1",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -58,10 +58,10 @@
     "dist"
   ],
   "dependencies": {
-    "@ai-sdk/anthropic": "3.0.9",
-    "@ai-sdk/google": "3.0.6",
-    "@ai-sdk/openai": "3.0.7",
-    "@ai-sdk/openai-compatible": "2.0.4",
+    "@ai-sdk/anthropic": "3.0.58",
+    "@ai-sdk/google": "3.0.43",
+    "@ai-sdk/openai": "3.0.41",
+    "@ai-sdk/openai-compatible": "2.0.35",
     "@authenio/samlify-node-xmllint": "2.0.0",
     "@aws-sdk/client-sesv2": "3.928.0",
     "@godaddy/terminus": "4.12.1",
@@ -72,7 +72,7 @@
     "@rollup/plugin-virtual": "3.0.2",
     "@tus/server": "2.3.0",
     "@tus/utils": "0.6.0",
-    "ai": "6.0.25",
+    "ai": "6.0.116",
     "archiver": "7.0.1",
     "argon2": "0.44.0",
     "async": "3.2.6",
@@ -118,8 +118,8 @@
     "keyv": "5.5.3",
     "knex": "3.1.0",
     "ldapts": "8.1.3",
-    "liquidjs": "10.24.0",
-    "lodash-es": "4.17.21",
+    "liquidjs": "10.25.0",
+    "lodash-es": "4.17.23",
     "marked": "16.4.1",
     "micromustache": "8.0.3",
     "mime-types": "3.0.1",
@@ -161,31 +161,31 @@
     "ws": "8.18.3",
     "zod": "4.1.12",
     "zod-validation-error": "4.0.2",
-    "@directus/ai": "1.2.0",
-    "@directus/env": "5.6.0",
-    "@directus/errors": "2.2.0",
+    "@directus/ai": "1.3.0",
     "@directus/constants": "14.2.0",
-    "@directus/extensions": "3.0.20",
-    "@directus/extensions-sdk": "17.0.10",
-    "@directus/extensions-registry": "3.0.20",
-    "@directus/app": "15.5.0",
+    "@directus/app": "15.5.1",
+    "@directus/env": "5.6.1",
+    "@directus/errors": "2.2.0",
+    "@directus/extensions": "3.0.21",
+    "@directus/extensions-registry": "3.0.21",
     "@directus/format-title": "12.1.1",
+    "@directus/memory": "3.1.4",
+    "@directus/pressure": "3.0.19",
     "@directus/schema": "13.0.5",
-    "@directus/pressure": "3.0.18",
-    "@directus/schema-builder": "0.0.15",
+    "@directus/schema-builder": "0.0.16",
+    "@directus/extensions-sdk": "17.0.11",
     "@directus/specs": "12.0.1",
-    "@directus/storage-driver-azure": "12.0.18",
     "@directus/storage": "12.0.3",
-    "@directus/storage-driver-gcs": "12.0.18",
+    "@directus/storage-driver-gcs": "12.0.19",
+    "@directus/storage-driver-cloudinary": "12.0.19",
+    "@directus/storage-driver-s3": "12.1.5",
     "@directus/storage-driver-local": "12.0.3",
-    "@directus/storage-driver-cloudinary": "12.0.18",
-    "@directus/storage-driver-s3": "12.1.4",
-    "@directus/storage-driver-supabase": "3.0.18",
-    "@directus/system-data": "4.2.0",
-    "@directus/utils": "13.3.0",
-    "@directus/validation": "2.0.18",
-    "@directus/memory": "3.1.3",
-    "directus": "11.16.0"
+    "@directus/system-data": "4.3.0",
+    "@directus/storage-driver-supabase": "3.0.19",
+    "@directus/validation": "2.0.19",
+    "@directus/utils": "13.3.1",
+    "directus": "11.16.1",
+    "@directus/storage-driver-azure": "12.0.19"
   },
   "devDependencies": {
     "@directus/tsconfig": "3.0.0",
@@ -228,8 +228,8 @@
     "knex-mock-client": "3.0.2",
     "typescript": "5.9.3",
     "vitest": "3.2.4",
-    "@directus/types": "14.3.0",
-    "@directus/schema-builder": "0.0.15"
+    "@directus/schema-builder": "0.0.16",
+    "@directus/types": "14.3.1"
   },
   "optionalDependencies": {
     "@keyv/redis": "3.0.1",

package/dist/auth/utils/is-login-redirect-allowed.d.ts

@@ -1,7 +0,0 @@
-/**
- * Checks if the defined redirect after successful SSO login is in the allow list
- * @param provider SSO provider name
- * @param redirect URL to redirect to after login
- * @returns True if the redirect is allowed, false otherwise
- */
-export declare function isLoginRedirectAllowed(provider: string, redirect: unknown): boolean;

package/dist/auth/utils/is-login-redirect-allowed.js

@@ -1,39 +0,0 @@
-import { useEnv } from '@directus/env';
-import { toArray } from '@directus/utils';
-import { useLogger } from '../../logger/index.js';
-import isUrlAllowed from '../../utils/is-url-allowed.js';
-/**
- * Checks if the defined redirect after successful SSO login is in the allow list
- * @param provider SSO provider name
- * @param redirect URL to redirect to after login
- * @returns True if the redirect is allowed, false otherwise
- */
-export function isLoginRedirectAllowed(provider, redirect) {
-    if (!redirect)
-        return true; // empty redirect
-    if (typeof redirect !== 'string')
-        return false; // invalid type
-    const env = useEnv();
-    const publicUrl = env['PUBLIC_URL'];
-    if (!URL.canParse(redirect)) {
-        if (!redirect.startsWith('//')) {
-            // should be a relative path like `/admin/test`
-            return true;
-        }
-        // domain without protocol `//example.com/test`
-        return false;
-    }
-    const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
-    if (envKey in env) {
-        if (isUrlAllowed(redirect, [...toArray(env[envKey]), publicUrl]))
-            return true;
-    }
-    if (URL.canParse(publicUrl) === false) {
-        useLogger().error('Invalid PUBLIC_URL for login redirect');
-        return false;
-    }
-    const { protocol: redirectProtocol, host: redirectHost } = new URL(redirect);
-    const { protocol: publicProtocol, host: publicHost } = new URL(publicUrl);
-    // allow redirects to the defined PUBLIC_URL (protocol + host including port)
-    return `${redirectProtocol}//${redirectHost}` === `${publicProtocol}//${publicHost}`;
-}