@directus/api 35.1.0 → 36.0.0-rc.0

package/dist/ai/tools/system/index.js

@@ -1,13 +1,13 @@
 import { requireText } from "../../../utils/require-text.js";
 import { defineTool } from "../define-tool.js";
 import { fileURLToPath } from "node:url";
-import { z } from "zod";
+import { z as z$1 } from "zod";
 import { dirname, resolve } from "node:path";
 
 //#region src/ai/tools/system/index.ts
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const SystemPromptInputSchema = z.object({});
-const SystemPromptValidateSchema = z.object({ promptOverride: z.union([z.string(), z.null()]).optional() });
+const SystemPromptInputSchema = z$1.object({});
+const SystemPromptValidateSchema = z$1.object({ promptOverride: z$1.union([z$1.string(), z$1.null()]).optional() });
 const system = defineTool({
 	name: "system-prompt",
 	description: requireText(resolve(__dirname, "./prompt-description.md")),

package/dist/ai/tools/trigger-flow/index.js

@@ -1,11 +1,11 @@
 import { requireText } from "../../../utils/require-text.js";
 import { defineTool } from "../define-tool.js";
-import { TriggerFlowInputSchema, TriggerFlowValidateSchema } from "../schema.js";
-import { getFlowManager } from "../../../flows.js";
 import { FlowsService } from "../../../services/flows.js";
+import { getFlowManager } from "../../../flows.js";
+import { TriggerFlowInputSchema, TriggerFlowValidateSchema } from "../schema.js";
 import { InvalidPayloadError } from "@directus/errors";
 import { fileURLToPath } from "node:url";
-import { z } from "zod";
+import { z as z$1 } from "zod";
 import { dirname, resolve } from "node:path";
 
 //#region src/ai/tools/trigger-flow/index.ts

package/dist/app.js

@@ -4,13 +4,17 @@ import { initAIDevTools } from "./ai/devtools/index.js";
 import { initAITelemetry } from "./ai/telemetry/index.js";
 import { isInstalled, validateDatabaseConnection, validateDatabaseExtensions, validateMigrations } from "./database/index.js";
 import emitter_default from "./emitter.js";
+import schedule from "./schedules/license.js";
 import { Url } from "./utils/url.js";
+import { getEntitlementManager } from "./license/entitlements/manager.js";
+import { getFlowManager } from "./flows.js";
 import { getExtensionManager } from "./extensions/index.js";
 import { registerAuthProviders } from "./auth.js";
 import { ensureDeploymentWebhooks, registerDeploymentDrivers } from "./deployment.js";
 import rate_limiter_global_default from "./middleware/rate-limiter-global.js";
 import rate_limiter_ip_default from "./middleware/rate-limiter-ip.js";
-import { getFlowManager } from "./flows.js";
+import { getLicenseManager } from "./license/manager.js";
+import "./license/index.js";
 import { aiRouter } from "./ai/chat/router.js";
 import { aiFilesRouter } from "./ai/files/router.js";
 import access_default from "./controllers/access.js";
@@ -29,7 +33,10 @@ import flows_default from "./controllers/flows.js";
 import folders_default from "./controllers/folders.js";
 import graphql_default from "./controllers/graphql.js";
 import items_default from "./controllers/items.js";
-import mcp_default from "./controllers/mcp.js";
+import license_default from "./controllers/license.js";
+import mcp_default from "./controllers/mcp/index.js";
+import oauth_clients_default from "./controllers/mcp/oauth-clients.js";
+import { mcpOAuthProtectedRouter, mcpOAuthPublicRouter } from "./controllers/mcp/oauth.js";
 import metrics_default from "./controllers/metrics.js";
 import not_found_default from "./controllers/not-found.js";
 import notifications_default from "./controllers/notifications.js";
@@ -55,14 +62,16 @@ import cache_default from "./middleware/cache.js";
 import cors_default from "./middleware/cors.js";
 import { errorHandler } from "./middleware/error-handler.js";
 import extract_token_default from "./middleware/extract-token.js";
+import mcp_oauth_guard_default from "./middleware/mcp-oauth-guard.js";
 import request_counter_default from "./middleware/request-counter.js";
 import sanitize_query_default from "./middleware/sanitize-query.js";
 import schema_default$1 from "./middleware/schema.js";
-import schedule from "./schedules/metrics.js";
-import schedule$1 from "./schedules/project.js";
-import schedule$2 from "./schedules/retention.js";
-import schedule$3 from "./schedules/telemetry.js";
-import schedule$4 from "./schedules/tus.js";
+import schedule$1 from "./schedules/metrics.js";
+import scheduleOAuthCleanup from "./schedules/oauth-cleanup.js";
+import schedule$2 from "./schedules/project.js";
+import schedule$3 from "./schedules/retention.js";
+import schedule$4 from "./schedules/telemetry.js";
+import schedule$5 from "./schedules/tus.js";
 import { validateStorage } from "./utils/validate-storage.js";
 import { createRequire } from "node:module";
 import { readFile } from "node:fs/promises";
@@ -91,8 +100,16 @@ async function createApp() {
 	if (!env["SECRET"]) logger.warn(`"SECRET" env variable is missing. Using a random value instead. Tokens will not persist between restarts. This is not appropriate for production usage.`);
 	if (typeof env["SECRET"] === "string" && Buffer.byteLength(env["SECRET"]) < 32) logger.warn("\"SECRET\" env variable is shorter than 32 bytes which is insecure. This is not appropriate for production usage.");
 	if (!new Url(env["PUBLIC_URL"]).isAbsolute()) logger.warn("\"PUBLIC_URL\" should be a full URL");
+	if (env["MCP_OAUTH_ENABLED"] === true) {
+		if (toBoolean(env["MCP_ENABLED"]) !== true) {
+			logger.warn("MCP_OAUTH_ENABLED requires MCP_ENABLED=true. OAuth disabled.");
+			env["MCP_OAUTH_ENABLED"] = false;
+		}
+	}
 	await validateDatabaseExtensions();
 	await validateStorage();
+	await getLicenseManager().initialize();
+	getEntitlementManager().initialize();
 	await registerAuthProviders();
 	registerDeploymentDrivers();
 	await ensureDeploymentWebhooks();
@@ -199,7 +216,10 @@ async function createApp() {
 	if (env["RATE_LIMITER_ENABLED"] === true) app.use(rate_limiter_ip_default);
 	app.get("/server/ping", (_req, res) => res.send("pong"));
 	app.use("/deployments/webhooks", deployment_webhooks_default);
+	if (env["MCP_OAUTH_ENABLED"] === true) app.use(mcpOAuthPublicRouter);
 	app.use(authenticate_default);
+	app.use(mcp_oauth_guard_default);
+	if (env["MCP_OAUTH_ENABLED"] === true) app.use(mcpOAuthProtectedRouter);
 	app.use(schema_default$1);
 	app.use(sanitize_query_default);
 	app.use(request_counter_default);
@@ -222,6 +242,7 @@ async function createApp() {
 	app.use("/flows", flows_default);
 	app.use("/folders", folders_default);
 	app.use("/items", items_default);
+	app.use("/license", license_default);
 	if (toBoolean(env["MCP_ENABLED"]) === true) app.use("/mcp", mcp_default);
 	if (toBoolean(env["AI_ENABLED"]) === true) {
 		await initAIDevTools();
@@ -240,6 +261,7 @@ async function createApp() {
 	app.use("/relations", relations_default);
 	app.use("/revisions", revisions_default);
 	app.use("/roles", roles_default);
+	if (toBoolean(env["MCP_OAUTH_ENABLED"]) === true) app.use("/mcp-oauth/clients", oauth_clients_default);
 	app.use("/schema", schema_default);
 	app.use("/server", server_default);
 	app.use("/settings", settings_default);
@@ -253,11 +275,13 @@ async function createApp() {
 	app.use(not_found_default);
 	app.use(errorHandler);
 	await emitter_default.emitInit("routes.after", { app });
-	await schedule$2();
 	await schedule$3();
 	await schedule$4();
-	await schedule();
+	await schedule$5();
 	await schedule$1();
+	await schedule$2();
+	await schedule();
+	if (env["MCP_OAUTH_ENABLED"] === true) await scheduleOAuthCleanup();
 	await emitter_default.emitInit("app.after", { app });
 	return app;
 }

package/dist/auth/drivers/ldap.js

@@ -3,11 +3,12 @@ import { useLogger } from "../../logger/index.js";
 import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from "../../constants.js";
 import database_default from "../../database/index.js";
 import emitter_default from "../../emitter.js";
-import { getSchema } from "../../utils/get-schema.js";
 import { createDefaultAccountability } from "../../permissions/utils/create-default-accountability.js";
+import { getSchema } from "../../utils/get-schema.js";
 import { respond } from "../../middleware/respond.js";
 import { getIPFromReq } from "../../utils/get-ip-from-req.js";
 import { AuthDriver } from "../auth.js";
+import { checkSsoEnabled } from "../utils/check-sso-enabled.js";
 import { AuthenticationService } from "../../services/authentication.js";
 import { useEnv } from "@directus/env";
 import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProviderConfigError, InvalidProviderError, ServiceUnavailableError, UnexpectedResponseError, isDirectusError } from "@directus/errors";
@@ -247,6 +248,7 @@ function createLDAPAuthRouter(provider) {
 		mode: Joi.string().valid("cookie", "json", "session"),
 		otp: Joi.string()
 	}).unknown();
+	router.use(checkSsoEnabled);
 	router.post("/", async_handler_default(async (req, res, next) => {
 		const env = useEnv();
 		const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });

package/dist/auth/drivers/local.js

@@ -5,6 +5,7 @@ import { stall } from "../../utils/stall.js";
 import { respond } from "../../middleware/respond.js";
 import { getIPFromReq } from "../../utils/get-ip-from-req.js";
 import { AuthDriver } from "../auth.js";
+import { checkLocalAuthDisabled } from "../utils/check-local-disabled.js";
 import { AuthenticationService } from "../../services/authentication.js";
 import { useEnv } from "@directus/env";
 import { InvalidCredentialsError, InvalidPayloadError } from "@directus/errors";
@@ -31,6 +32,7 @@ var LocalAuthDriver = class extends AuthDriver {
 function createLocalAuthRouter(provider) {
 	const env = useEnv();
 	const router = Router();
+	router.use(checkLocalAuthDisabled);
 	const userLoginSchema = Joi.object({
 		email: Joi.string().email().required(),
 		password: Joi.string().required(),

package/dist/auth/drivers/oauth2.js

@@ -5,13 +5,14 @@ import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from "../../constants.
 import database_default from "../../database/index.js";
 import emitter_default from "../../emitter.js";
 import { getSecret } from "../../utils/get-secret.js";
-import { getSchema } from "../../utils/get-schema.js";
 import { Url } from "../../utils/url.js";
 import { createDefaultAccountability } from "../../permissions/utils/create-default-accountability.js";
 import { verifyJWT } from "../../utils/jwt.js";
+import { getSchema } from "../../utils/get-schema.js";
 import { respond } from "../../middleware/respond.js";
 import { getIPFromReq } from "../../utils/get-ip-from-req.js";
 import { LocalAuthDriver } from "./local.js";
+import { checkSsoEnabled } from "../utils/check-sso-enabled.js";
 import { generateCallbackUrl } from "../utils/generate-callback-url.js";
 import { resolveLoginRedirect } from "../utils/resolve-login-redirect.js";
 import { getAuthProvider } from "../../auth.js";
@@ -232,6 +233,7 @@ const handleError = (e) => {
 function createOAuth2AuthRouter(providerName) {
 	const router = Router();
 	const env = useEnv();
+	router.use(checkSsoEnabled);
 	router.get("/", (req, res) => {
 		const provider = getAuthProvider(providerName);
 		const codeVerifier = provider.generateCodeVerifier();

package/dist/auth/drivers/openid.js

@@ -5,13 +5,14 @@ import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from "../../constants.
 import database_default from "../../database/index.js";
 import emitter_default from "../../emitter.js";
 import { getSecret } from "../../utils/get-secret.js";
-import { getSchema } from "../../utils/get-schema.js";
 import { Url } from "../../utils/url.js";
 import { createDefaultAccountability } from "../../permissions/utils/create-default-accountability.js";
 import { verifyJWT } from "../../utils/jwt.js";
+import { getSchema } from "../../utils/get-schema.js";
 import { respond } from "../../middleware/respond.js";
 import { getIPFromReq } from "../../utils/get-ip-from-req.js";
 import { LocalAuthDriver } from "./local.js";
+import { checkSsoEnabled } from "../utils/check-sso-enabled.js";
 import { generateCallbackUrl } from "../utils/generate-callback-url.js";
 import { resolveLoginRedirect } from "../utils/resolve-login-redirect.js";
 import { getAuthProvider } from "../../auth.js";
@@ -275,6 +276,7 @@ const handleError = (e) => {
 function createOpenIDAuthRouter(providerName) {
 	const env = useEnv();
 	const router = Router();
+	router.use(checkSsoEnabled);
 	router.get("/", async_handler_default(async (req, res) => {
 		const provider = getAuthProvider(providerName);
 		const codeVerifier = provider.generateCodeVerifier();

package/dist/auth/drivers/saml.js

@@ -7,6 +7,7 @@ import emitter_default from "../../emitter.js";
 import { getSchema } from "../../utils/get-schema.js";
 import { respond } from "../../middleware/respond.js";
 import { LocalAuthDriver } from "./local.js";
+import { checkSsoEnabled } from "../utils/check-sso-enabled.js";
 import { resolveLoginRedirect } from "../utils/resolve-login-redirect.js";
 import { getAuthProvider } from "../../auth.js";
 import { AuthenticationService } from "../../services/authentication.js";
@@ -79,6 +80,7 @@ var SAMLAuthDriver = class extends LocalAuthDriver {
 function createSAMLAuthRouter(providerName) {
 	const router = Router();
 	const env = useEnv();
+	router.use(checkSsoEnabled);
 	router.get("/metadata", async_handler_default(async (_req, res) => {
 		const { sp } = getAuthProvider(providerName);
 		return res.header("Content-Type", "text/xml").send(sp.getMetadata());

package/dist/auth/utils/check-local-disabled.js

@@ -0,0 +1,16 @@
+import async_handler_default from "../../utils/async-handler.js";
+import { getEntitlementManager } from "../../license/entitlements/manager.js";
+import "../../license/index.js";
+import { useEnv } from "@directus/env";
+import { RouteNotFoundError } from "@directus/errors";
+import { toBoolean } from "@directus/utils";
+
+//#region src/auth/utils/check-local-disabled.ts
+const checkLocalAuthDisabled = async_handler_default(async (req, _res, next) => {
+	const env = useEnv();
+	if (getEntitlementManager().isEntitled("sso_enabled") && toBoolean(env["AUTH_DISABLE_DEFAULT"])) throw new RouteNotFoundError({ path: req.path });
+	return next();
+});
+
+//#endregion
+export { checkLocalAuthDisabled };

package/dist/auth/utils/check-sso-enabled.js

@@ -0,0 +1,14 @@
+import async_handler_default from "../../utils/async-handler.js";
+import { getEntitlementManager } from "../../license/entitlements/manager.js";
+import { isSSOBypassAllowed } from "../../license/utils/is-sso-bypass-allowed.js";
+import "../../license/index.js";
+import { RouteNotFoundError } from "@directus/errors";
+
+//#region src/auth/utils/check-sso-enabled.ts
+const checkSsoEnabled = async_handler_default(async (req, _res, next) => {
+	if (!(getEntitlementManager().isEntitled("sso_enabled") || await isSSOBypassAllowed())) throw new RouteNotFoundError({ path: req.path });
+	return next();
+});
+
+//#endregion
+export { checkSsoEnabled };

package/dist/auth.js

@@ -2,15 +2,17 @@ import { getConfigFromEnv } from "./utils/get-config-from-env.js";
 import { useLogger } from "./logger/index.js";
 import { DEFAULT_AUTH_PROVIDER } from "./constants.js";
 import database_default from "./database/index.js";
+import { getEntitlementManager } from "./license/entitlements/manager.js";
 import { LocalAuthDriver } from "./auth/drivers/local.js";
 import { OAuth2AuthDriver } from "./auth/drivers/oauth2.js";
 import { OpenIDAuthDriver } from "./auth/drivers/openid.js";
 import { LDAPAuthDriver } from "./auth/drivers/ldap.js";
 import { SAMLAuthDriver } from "./auth/drivers/saml.js";
 import "./auth/drivers/index.js";
+import "./license/index.js";
 import { useEnv } from "@directus/env";
 import { InvalidProviderConfigError } from "@directus/errors";
-import { toArray } from "@directus/utils";
+import { toArray, toBoolean } from "@directus/utils";
 
 //#region src/auth.ts
 const providers = /* @__PURE__ */ new Map();
@@ -27,10 +29,11 @@ async function registerAuthProviders() {
 	const logger = useLogger();
 	const options = { knex: database_default() };
 	const providerNames = toArray(env["AUTH_PROVIDERS"]);
-	if (!env["AUTH_DISABLE_DEFAULT"]) {
-		const defaultProvider = getProviderInstance("local", options);
-		providers.set(DEFAULT_AUTH_PROVIDER, defaultProvider);
-	}
+	const sso_allowed = getEntitlementManager().isEntitled("sso_enabled");
+	if (sso_allowed === false && env["AUTH_PROVIDERS"] && providerNames.length > 0) logger.warn("you have SSO providers configured these will be unavailable under the current license tier");
+	if (sso_allowed === false && toBoolean(env["AUTH_DISABLE_DEFAULT"])) logger.warn("you cannot disable the default auth provider under the current license tier");
+	const defaultProvider = getProviderInstance("local", options);
+	providers.set(DEFAULT_AUTH_PROVIDER, defaultProvider);
 	if (!env["AUTH_PROVIDERS"]) return;
 	providerNames.forEach((name) => {
 		name = name.trim();

package/dist/cli/commands/bootstrap/index.js

@@ -1,7 +1,9 @@
 import { useLogger } from "../../../logger/index.js";
 import database_default, { hasDatabaseConnection, isInstalled, validateDatabaseConnection } from "../../../database/index.js";
 import { getSchema } from "../../../utils/get-schema.js";
+import { getEntitlementManager } from "../../../license/entitlements/manager.js";
 import { SettingsService } from "../../../services/settings.js";
+import "../../../license/index.js";
 import { createAdmin } from "../../../utils/create-admin.js";
 import run from "../../../database/migrations/run.js";
 import runSeed from "../../../database/seeds/run.js";
@@ -21,6 +23,7 @@ async function bootstrap({ skipAdminInit }) {
 		logger.info("Running migrations...");
 		await run(database, "latest");
 		const schema = await getSchema();
+		getEntitlementManager();
 		if (skipAdminInit == null) await createAdmin(schema);
 		else logger.info("Skipping creation of default Admin user and role...");
 		const settingsService = new SettingsService({ schema });

package/dist/cli/commands/cache/clear.js

@@ -1,5 +1,7 @@
 import { useLogger } from "../../../logger/index.js";
 import { clearSystemCache, getCache } from "../../../cache.js";
+import { getEntitlementManager } from "../../../license/entitlements/manager.js";
+import "../../../license/index.js";
 import { useEnv } from "@directus/env";
 
 //#region src/cli/commands/cache/clear.ts
@@ -12,7 +14,10 @@ async function cacheClear({ system, data }) {
 	} else {
 		const clearAll = !system && !data;
 		try {
-			if (clearAll || system) await clearSystemCache({ forced: true });
+			if (clearAll || system) {
+				await clearSystemCache({ forced: true });
+				await getEntitlementManager().clearCache();
+			}
 			if (clearAll || data) {
 				const { cache } = getCache();
 				await cache?.clear();

package/dist/cli/commands/roles/create.js

@@ -1,10 +1,12 @@
 import { useLogger } from "../../../logger/index.js";
 import database_default from "../../../database/index.js";
-import { getSchema } from "../../../utils/get-schema.js";
 import { AccessService } from "../../../services/access.js";
+import { getSchema } from "../../../utils/get-schema.js";
 import { RolesService } from "../../../services/roles.js";
 import { PoliciesService } from "../../../services/policies.js";
 import "../../../services/index.js";
+import { getLicenseManager } from "../../../license/manager.js";
+import "../../../license/index.js";
 
 //#region src/cli/commands/roles/create.ts
 async function rolesCreate({ role: name, admin, app }) {
@@ -14,6 +16,7 @@ async function rolesCreate({ role: name, admin, app }) {
 		logger.error("Name is required");
 		process.exit(1);
 	}
+	await getLicenseManager().initialize();
 	try {
 		const schema = await getSchema();
 		const rolesService = new RolesService({

package/dist/cli/commands/users/create.js

@@ -2,6 +2,8 @@ import { useLogger } from "../../../logger/index.js";
 import database_default from "../../../database/index.js";
 import { getSchema } from "../../../utils/get-schema.js";
 import { UsersService } from "../../../services/users.js";
+import { getLicenseManager } from "../../../license/manager.js";
+import "../../../license/index.js";
 
 //#region src/cli/commands/users/create.ts
 async function usersCreate({ email, password, role }) {
@@ -11,6 +13,7 @@ async function usersCreate({ email, password, role }) {
 		logger.error("Email, password, role are required");
 		process.exit(1);
 	}
+	await getLicenseManager().initialize();
 	try {
 		const id = await new UsersService({
 			schema: await getSchema(),

package/dist/constants.js

@@ -140,6 +140,13 @@ const RESUMABLE_UPLOADS = {
 	SCHEDULE: String(env["TUS_CLEANUP_SCHEDULE"])
 };
 const ALLOWED_DB_DEFAULT_FUNCTIONS = ["gen_random_uuid()"];
+const CUSTOM_LLM_FIELDS = [
+	"ai_openai_compatible_api_key",
+	"ai_openai_compatible_base_url",
+	"ai_openai_compatible_name",
+	"ai_openai_compatible_models",
+	"ai_openai_compatible_headers"
+];
 
 //#endregion
-export { ALIAS_TYPES, ALLOWED_DB_DEFAULT_FUNCTIONS, ASSET_TRANSFORM_QUERY_KEYS, COLUMN_TRANSFORMS, DEFAULT_AUTH_PROVIDER, FILE_UPLOADS, FILTER_VARIABLES, OAS_REQUIRED_SCHEMAS, REFRESH_COOKIE_OPTIONS, RESUMABLE_UPLOADS, SESSION_COOKIE_OPTIONS, SUPPORTED_IMAGE_METADATA_FORMATS, SUPPORTED_IMAGE_TRANSFORM_FORMATS, SYSTEM_ASSET_ALLOW_LIST, UUID_REGEX };
+export { ALIAS_TYPES, ALLOWED_DB_DEFAULT_FUNCTIONS, ASSET_TRANSFORM_QUERY_KEYS, COLUMN_TRANSFORMS, CUSTOM_LLM_FIELDS, DEFAULT_AUTH_PROVIDER, FILE_UPLOADS, FILTER_VARIABLES, OAS_REQUIRED_SCHEMAS, REFRESH_COOKIE_OPTIONS, RESUMABLE_UPLOADS, SESSION_COOKIE_OPTIONS, SUPPORTED_IMAGE_METADATA_FORMATS, SUPPORTED_IMAGE_TRANSFORM_FORMATS, SYSTEM_ASSET_ALLOW_LIST, UUID_REGEX };

package/dist/controllers/access.js

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { AccessService } from "../services/access.js";
 import { respond } from "../middleware/respond.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";

package/dist/controllers/activity.js

@@ -22,7 +22,8 @@ const readHandler = async_handler_default(async (req, res, next) => {
 	if (req.singleton) result = await service.readSingleton(req.sanitizedQuery);
 	else if (req.body.keys) result = await service.readMany(req.body.keys, req.sanitizedQuery);
 	else result = await service.readByQuery(req.sanitizedQuery);
-	const meta = await metaService.getMetaForQuery("directus_activity", req.sanitizedQuery);
+	const historyQuery = service.getLimitedHistoryQuery(req.sanitizedQuery);
+	const meta = await metaService.getMetaForQuery("directus_activity", historyQuery);
 	res.locals["payload"] = {
 		data: result,
 		meta

package/dist/controllers/assets.js

@@ -6,10 +6,13 @@ import { getMilliseconds } from "../utils/get-milliseconds.js";
 import { ASSET_TRANSFORM_QUERY_KEYS, SYSTEM_ASSET_ALLOW_LIST } from "../constants.js";
 import { isValidUuid } from "../utils/is-valid-uuid.js";
 import database_default from "../database/index.js";
+import { validateAccess } from "../permissions/modules/validate-access/validate-access.js";
 import { PayloadService } from "../services/payload.js";
+import { FilesService } from "../services/files.js";
 import { AssetsService } from "../services/assets.js";
 import { getCacheControlHeader } from "../utils/get-cache-headers.js";
 import use_collection_default from "../middleware/use-collection.js";
+import is_locked_default from "../middleware/is-locked.js";
 import { useEnv } from "@directus/env";
 import { InvalidPayloadError, InvalidQueryError, RangeNotSatisfiableError } from "@directus/errors";
 import { getDateTimeFormatted, parseJSON } from "@directus/utils";
@@ -23,6 +26,7 @@ import contentDisposition from "content-disposition";
 const router = Router();
 const env = useEnv();
 router.use(use_collection_default("directus_files"));
+router.use(is_locked_default("assets"));
 router.post("/folder/:pk", async_handler_default(async (req, res) => {
 	const logger = useLogger();
 	const { archive, complete, metadata } = await new AssetsService({
@@ -170,6 +174,44 @@ router.get("/:pk/:filename?", async_handler_default(async (req, res, next) => {
 			}
 		}
 	}
+	const revalidate = env["ASSETS_CACHE_REVALIDATE"] === true;
+	if (revalidate) {
+		const ifNoneMatch = req.headers["if-none-match"];
+		const ifModifiedSince = req.headers["if-modified-since"];
+		if (ifNoneMatch || ifModifiedSince) {
+			if (req.accountability) await validateAccess({
+				accountability: req.accountability,
+				action: "read",
+				collection: "directus_files",
+				primaryKeys: [id]
+			}, {
+				knex: database_default(),
+				schema: req.schema
+			});
+			const fileRecord = await new FilesService({ schema: req.schema }).readOne(id, { fields: ["modified_on"] });
+			if (fileRecord?.modified_on) {
+				const modifiedOnTime = new Date(fileRecord.modified_on).getTime();
+				const etag = `"${Math.floor(modifiedOnTime / 1e3)}"`;
+				if (ifNoneMatch === etag) {
+					res.setHeader("Cache-Control", "max-age=0, must-revalidate");
+					res.setHeader("ETag", etag);
+					res.setHeader("Last-Modified", new Date(modifiedOnTime).toUTCString());
+					res.status(304);
+					return res.end();
+				}
+				if (ifModifiedSince) {
+					const ifModifiedSinceTime = new Date(ifModifiedSince).getTime();
+					if (Math.floor(modifiedOnTime / 1e3) <= Math.floor(ifModifiedSinceTime / 1e3)) {
+						res.setHeader("Cache-Control", "max-age=0, must-revalidate");
+						res.setHeader("ETag", etag);
+						res.setHeader("Last-Modified", new Date(modifiedOnTime).toUTCString());
+						res.status(304);
+						return res.end();
+					}
+				}
+			}
+		}
+	}
 	const { stream, file, stat } = await service.getAsset(id, {
 		transformationParams,
 		acceptFormat
@@ -178,12 +220,14 @@ router.get("/:pk/:filename?", async_handler_default(async (req, res, next) => {
 	res.attachment(filename);
 	res.setHeader("Content-Type", file.type);
 	res.setHeader("Accept-Ranges", "bytes");
-	res.setHeader("Cache-Control", getCacheControlHeader(req, getMilliseconds(env["ASSETS_CACHE_TTL"]), false, true));
+	if (revalidate) res.setHeader("Cache-Control", "max-age=0, must-revalidate");
+	else res.setHeader("Cache-Control", getCacheControlHeader(req, getMilliseconds(env["ASSETS_CACHE_TTL"]), false, true));
 	res.setHeader("Vary", vary.join(", "));
 	const unixTime = Date.parse(file.modified_on);
 	if (!Number.isNaN(unixTime)) {
 		const lastModifiedDate = new Date(unixTime);
 		res.setHeader("Last-Modified", lastModifiedDate.toUTCString());
+		res.setHeader("ETag", `"${Math.floor(unixTime / 1e3)}"`);
 	}
 	if (range) {
 		res.setHeader("Content-Range", `bytes ${range.start}-${range.end || stat.size - 1}/${stat.size}`);

package/dist/controllers/auth.js

@@ -2,13 +2,15 @@ import async_handler_default from "../utils/async-handler.js";
 import { useLogger } from "../logger/index.js";
 import { DEFAULT_AUTH_PROVIDER, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from "../constants.js";
 import { getSecret } from "../utils/get-secret.js";
-import { getAuthProviders } from "../utils/get-auth-providers.js";
 import { createDefaultAccountability } from "../permissions/utils/create-default-accountability.js";
 import { verifyAccessJWT } from "../utils/jwt.js";
+import { getAuthProviders } from "../utils/get-auth-providers.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { UsersService } from "../services/users.js";
 import { respond } from "../middleware/respond.js";
 import { getIPFromReq } from "../utils/get-ip-from-req.js";
 import { createLocalAuthRouter } from "../auth/drivers/local.js";
+import { isSSOBypassAllowed } from "../license/utils/is-sso-bypass-allowed.js";
 import { createOAuth2AuthRouter } from "../auth/drivers/oauth2.js";
 import { createOpenIDAuthRouter } from "../auth/drivers/openid.js";
 import { createLDAPAuthRouter } from "../auth/drivers/ldap.js";
@@ -16,8 +18,10 @@ import { createSAMLAuthRouter } from "../auth/drivers/saml.js";
 import "../auth/drivers/index.js";
 import { AuthenticationService } from "../services/authentication.js";
 import isDirectusJWT from "../utils/is-directus-jwt.js";
+import "../license/index.js";
 import { useEnv } from "@directus/env";
 import { ErrorCode, InvalidPayloadError, isDirectusError } from "@directus/errors";
+import { toBoolean } from "@directus/utils";
 import { Router } from "express";
 
 //#region src/controllers/auth.ts
@@ -50,7 +54,6 @@ for (const authProvider of authProviders) {
 	}
 	router.use(`/login/${authProvider.name}`, authRouter);
 }
-if (!env["AUTH_DISABLE_DEFAULT"]) router.use("/login", createLocalAuthRouter(DEFAULT_AUTH_PROVIDER));
 function getCurrentMode(req) {
 	if (req.body.mode) return req.body.mode;
 	if (req.body.refresh_token) return "json";
@@ -64,6 +67,7 @@ function getCurrentRefreshToken(req, mode) {
 		if (isDirectusJWT(token)) return verifyAccessJWT(token, getSecret()).session;
 	}
 }
+router.use("/login", createLocalAuthRouter(DEFAULT_AUTH_PROVIDER));
 router.post("/refresh", async_handler_default(async (req, res, next) => {
 	const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
 	const userAgent = req.get("user-agent")?.substring(0, 1024);
@@ -145,10 +149,14 @@ router.post("/password/reset", async_handler_default(async (req, _res, next) =>
 	return next();
 }), respond);
 router.get("/", async_handler_default(async (req, res, next) => {
-	const sessionOnly = "sessionOnly" in req.query && (req.query["sessionOnly"] === "" || Boolean(req.query["sessionOnly"]));
+	let providers = getAuthProviders({ sessionOnly: "sessionOnly" in req.query && (req.query["sessionOnly"] === "" || Boolean(req.query["sessionOnly"])) });
+	const isSSOEnabled = getEntitlementManager().isEntitled("sso_enabled");
+	if (providers.length > 0 && !isSSOEnabled) {
+		if (!await isSSOBypassAllowed()) providers = [];
+	}
 	res.locals["payload"] = {
-		data: getAuthProviders({ sessionOnly }),
-		disableDefault: env["AUTH_DISABLE_DEFAULT"]
+		data: providers,
+		disableDefault: isSSOEnabled ? toBoolean(env["AUTH_DISABLE_DEFAULT"]) : false
 	};
 	return next();
 }), respond);

package/dist/controllers/collections.js

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
-import { CollectionsService } from "../services/collections.js";
 import { respond } from "../middleware/respond.js";
 import { MetaService } from "../services/meta.js";
+import { CollectionsService } from "../services/collections.js";
 import { validateBatch } from "../middleware/validate-batch.js";
 import { ErrorCode, isDirectusError } from "@directus/errors";
 import { Router } from "express";

package/dist/controllers/comments.js

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
 import { CommentsService } from "../services/comments.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";

package/dist/controllers/dashboards.js

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
 import { DashboardsService } from "../services/dashboards.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";

package/dist/controllers/fields.js

@@ -1,7 +1,7 @@
 import async_handler_default from "../utils/async-handler.js";
 import { ALIAS_TYPES } from "../constants.js";
-import { FieldsService, systemFieldUpdateSchema } from "../services/fields.js";
 import { respond } from "../middleware/respond.js";
+import { FieldsService, systemFieldUpdateSchema } from "../services/fields.js";
 import use_collection_default from "../middleware/use-collection.js";
 import collection_exists_default from "../middleware/collection-exists.js";
 import { ErrorCode, ForbiddenError, InvalidPayloadError, isDirectusError } from "@directus/errors";