@directus/api 35.2.0 → 36.0.0-rc.0

package/dist/utils/sanitize-query.js

@@ -61,7 +61,7 @@ function sanitizeFields(rawFields) {
 }
 function sanitizeSort(rawSort) {
 	let fields = [];
-	if (typeof rawSort === "string") fields = rawSort.split(",");
+	if (typeof rawSort === "string") fields = splitFields(rawSort);
 	else if (Array.isArray(rawSort)) fields = rawSort;
 	fields = fields.map((field) => field.trim());
 	return fields;

package/dist/utils/split-field-path.js

@@ -0,0 +1,29 @@
+//#region src/utils/split-field-path.ts
+/**
+* Splits a field path on dots that are outside parentheses.
+*
+* A plain `.split('.')` breaks when a path segment contains a function call
+* whose arguments include dots (e.g. `category_id.json(metadata, settings.theme)`).
+* This helper only splits on dots at paren-depth 0.
+*
+* @example
+* splitFieldPath('a.b.c')                              // ['a', 'b', 'c']
+* splitFieldPath('category_id.json(metadata, color)')  // ['category_id', 'json(metadata, color)']
+* splitFieldPath('a.json(meta, x.y.z)')                // ['a', 'json(meta, x.y.z)']
+*/
+function splitFieldPath(path) {
+	const parts = [];
+	let depth = 0;
+	let start = 0;
+	for (let i = 0; i < path.length; i++) if (path[i] === "(") depth++;
+	else if (path[i] === ")") depth--;
+	else if (path[i] === "." && depth === 0) {
+		parts.push(path.slice(start, i));
+		start = i + 1;
+	}
+	parts.push(path.slice(start));
+	return parts;
+}
+
+//#endregion
+export { splitFieldPath };

package/dist/utils/transaction.js

@@ -11,8 +11,8 @@ import "knex";
 * Can be used to ensure the handler is run within a transaction,
 * while preventing nested transactions.
 */
-const transaction = async (knex$1, handler) => {
-	if (knex$1.isTransaction) return handler(knex$1);
+const transaction = async (knex$1, handler, forceNewTransaction = false) => {
+	if (knex$1.isTransaction && forceNewTransaction === false) return handler(knex$1);
 	else try {
 		return await knex$1.transaction((trx) => handler(trx));
 	} catch (error) {

package/dist/utils/translations-validation.js

@@ -1,9 +1,9 @@
-import { z } from "zod";
+import { z as z$1 } from "zod";
 import { REGEX_DB_SAFE_IDENTIFIER } from "@directus/constants";
 
 //#region src/utils/translations-validation.ts
 const DB_SAFE_IDENTIFIER_MESSAGE = "must be a db-safe identifier (letters, numbers, underscores; cannot start with a number)";
-const dbSafeIdentifierSchema = z.string().trim().min(1).max(63).regex(REGEX_DB_SAFE_IDENTIFIER, DB_SAFE_IDENTIFIER_MESSAGE);
+const dbSafeIdentifierSchema = z$1.string().trim().min(1).max(63).regex(REGEX_DB_SAFE_IDENTIFIER, DB_SAFE_IDENTIFIER_MESSAGE);
 
 //#endregion
 export { dbSafeIdentifierSchema };

package/dist/utils/validate-query.js

@@ -1,3 +1,5 @@
+import { parseJsonFunction, parseJsonPath } from "../database/helpers/fn/json/parse-function.js";
+import { extractFunctionName } from "./extract-function-name.js";
 import { calculateFieldDepth } from "./calculate-field-depth.js";
 import { getFieldRelationalDepth } from "./get-field-relational-depth.js";
 import { useEnv } from "@directus/env";
@@ -30,6 +32,7 @@ function validateQuery(query) {
 	const { error } = querySchema.validate(query);
 	if (query.filter && Object.keys(query.filter).length > 0) validateFilter(query.filter);
 	if (query.alias) validateAlias(query.alias);
+	if (query.sort) validateSort(query.sort);
 	validateRelationalDepth(query);
 	if (error) throw new InvalidQueryError({ reason: error.message });
 	return query;
@@ -57,6 +60,9 @@ function validateFilter(filter) {
 			case "_nintersects_bbox":
 				validateGeometry(value, key);
 				break;
+			case "_json":
+				validateJsonFilter(value);
+				break;
 			case "_none":
 			case "_some":
 				validateFilter(nested);
@@ -110,12 +116,36 @@ function validateGeometry(value, key) {
 	}
 	return true;
 }
+function validateJsonFilter(value) {
+	if (!isPlainObject(value)) throw new InvalidQueryError({ reason: `"_json" filter value must be an object` });
+	for (const [path, innerFilter] of Object.entries(value)) {
+		if (path.length === 0) throw new InvalidQueryError({ reason: `"_json" path key must be a non-empty string` });
+		if (path === "_or" || path === "_and") {
+			if (!Array.isArray(innerFilter)) throw new InvalidQueryError({ reason: `"_json" logical operator "${path}" must be an array` });
+			for (const subFilter of innerFilter) validateJsonFilter(subFilter);
+			continue;
+		}
+		parseJsonPath(path);
+		if (!isPlainObject(innerFilter)) throw new InvalidQueryError({ reason: `"_json" inner filter for path "${path}" must be an object` });
+		const nestedPathKey = Object.keys(innerFilter).find((k) => !k.startsWith("_"));
+		if (nestedPathKey) throw new InvalidQueryError({ reason: `"_json" path "${path}" cannot contain a nested path "${nestedPathKey}"; use a single flat path like "${path}.${nestedPathKey}"` });
+		validateFilter(innerFilter);
+	}
+}
 function validateAlias(alias) {
 	if (isPlainObject(alias) === false) throw new InvalidQueryError({ reason: `"alias" has to be an object` });
 	for (const [key, value] of Object.entries(alias)) {
 		if (typeof key !== "string") throw new InvalidQueryError({ reason: `"alias" key has to be a string. "${typeof key}" given` });
 		if (typeof value !== "string") throw new InvalidQueryError({ reason: `"alias" value has to be a string. "${typeof key}" given` });
-		if (key.includes(".") || value.includes(".")) throw new InvalidQueryError({ reason: `"alias" key/value can't contain a period character \`.\`` });
+		if (key.includes(".")) throw new InvalidQueryError({ reason: `"alias" key can't contain a period character \`.\`` });
+		if (extractFunctionName(value) === "json") parseJsonFunction(value);
+		else if (value.includes(".")) throw new InvalidQueryError({ reason: `"alias" value can't contain a period character \`.\`` });
+	}
+}
+function validateSort(sort) {
+	for (const sortField of sort) {
+		const field = sortField.startsWith("-") ? sortField.slice(1) : sortField;
+		if (extractFunctionName(field) === "json") parseJsonFunction(field);
 	}
 }
 function validateRelationalDepth(query) {
@@ -133,12 +163,13 @@ function validateRelationalDepth(query) {
 	*/
 	if (query.group) fields = query.group;
 	fields = uniq(fields);
-	for (const field of fields) if (getFieldRelationalDepth(field) > maxRelationalDepth) throw new InvalidQueryError({ reason: "Max relational depth exceeded" });
+	for (const field of fields) if (getFieldRelationalDepth(query.alias?.[field] ?? field) > maxRelationalDepth) throw new InvalidQueryError({ reason: "Max relational depth exceeded" });
 	if (query.filter) {
 		if (calculateFieldDepth(query.filter) > maxRelationalDepth) throw new InvalidQueryError({ reason: "Max relational depth exceeded" });
 	}
-	if (query.sort) {
-		for (const sort of query.sort) if (sort.split(".").length > maxRelationalDepth) throw new InvalidQueryError({ reason: "Max relational depth exceeded" });
+	if (query.sort) for (const sort of query.sort) {
+		const field = sort.startsWith("-") ? sort.slice(1) : sort;
+		if (getFieldRelationalDepth(query.alias?.[field] ?? field) > maxRelationalDepth) throw new InvalidQueryError({ reason: "Max relational depth exceeded" });
 	}
 	if (query.deep) {
 		if (calculateFieldDepth(query.deep, ["_sort"]) > maxRelationalDepth) throw new InvalidQueryError({ reason: "Max relational depth exceeded" });

package/dist/utils/validate-user-count-integrity.js

@@ -3,21 +3,44 @@ import { validateRemainingAdminCount } from "../permissions/modules/validate-rem
 import { fetchUserCount } from "./fetch-user-count/fetch-user-count.js";
 import { checkUserLimits } from "../telemetry/utils/check-user-limits.js";
 import { shouldCheckUserLimits } from "../telemetry/utils/should-check-user-limits.js";
+import { LimitExceededError } from "@directus/errors";
 
 //#region src/utils/validate-user-count-integrity.ts
 async function validateUserCountIntegrity(options) {
 	const validateUserLimits = (options.flags & UserIntegrityCheckFlag.UserLimits) !== 0;
 	const validateRemainingAdminUsers = (options.flags & UserIntegrityCheckFlag.RemainingAdmins) !== 0;
-	const limitCheck = validateUserLimits && shouldCheckUserLimits();
-	if (!validateRemainingAdminUsers && !limitCheck) return;
-	const adminOnly = validateRemainingAdminUsers && !limitCheck;
+	const envLimitCheck = validateUserLimits && shouldCheckUserLimits();
+	if (!validateRemainingAdminUsers && !validateUserLimits) return;
+	const adminOnly = validateRemainingAdminUsers && !validateUserLimits;
 	const userCounts = await fetchUserCount({
 		...options,
 		adminOnly
 	});
-	if (limitCheck) await checkUserLimits(userCounts);
+	if (validateUserLimits) await checkSeatsCount(userCounts, options.previousSeatCount);
+	if (envLimitCheck) await checkUserLimits(userCounts);
 	if (validateRemainingAdminUsers) validateRemainingAdminCount(userCounts.admin);
+	if (validateUserLimits && options.previousSeatCount !== userCounts.admin + userCounts.app) {
+		const { getEntitlementManager } = await import("../license/entitlements/manager.js");
+		await getEntitlementManager().clearCache("seats", "sso_enabled");
+	}
+}
+async function checkSeatsCount(userCounts, previousSeatCount) {
+	const { getEntitlementManager } = await import("../license/entitlements/manager.js");
+	const seatLimit = getEntitlementManager().getEntitlementLimit("seats");
+	const newCount = userCounts.admin + userCounts.app;
+	if (seatLimit === -1 || newCount <= seatLimit) return;
+	if (previousSeatCount === void 0 || newCount > previousSeatCount) throw new LimitExceededError({ category: "seats" });
+}
+/**
+* Must be called at the top of a mutation transaction, before any writes, using
+* the transactional `knex` — that's the only way to read pre-state correctly on
+* every database.
+*/
+async function captureSeatCount(knex, flags = UserIntegrityCheckFlag.None) {
+	if ((flags & UserIntegrityCheckFlag.UserLimits) === 0) return void 0;
+	const { countActiveSeats } = await import("../license/entitlements/lib/seats.js");
+	return await countActiveSeats({ knex });
 }
 
 //#endregion
-export { validateUserCountIntegrity };
+export { captureSeatCount, validateUserCountIntegrity };

package/dist/utils/verify-session-jwt.js

@@ -5,14 +5,17 @@ import { InvalidCredentialsError } from "@directus/errors";
 /**
 * Verifies the associated session is still available and valid.
 *
+* @returns The oauth_client for the session, or null for regular sessions.
 * @throws If session not found.
 */
 async function verifySessionJWT(payload) {
-	if (!await database_default().select(1).from("directus_sessions").where({
+	const session = await database_default().select("oauth_client").from("directus_sessions").where({
 		token: payload["session"],
 		user: payload["id"] || null,
 		share: payload["share"] || null
-	}).andWhere("expires", ">=", /* @__PURE__ */ new Date()).first()) throw new InvalidCredentialsError();
+	}).andWhere("expires", ">=", /* @__PURE__ */ new Date()).first();
+	if (!session) throw new InvalidCredentialsError();
+	return { oauth_client: session.oauth_client ?? null };
 }
 
 //#endregion

package/dist/utils/versioning/handle-version.js

@@ -1,77 +1,159 @@
 import { transaction } from "../transaction.js";
+import { removeCircular } from "./remove-circular.js";
 import { splitRecursive } from "./split-recursive.js";
+import { useEnv } from "@directus/env";
 import { ForbiddenError } from "@directus/errors";
-import { deepMapWithSchema } from "@directus/utils";
+import { deepMapWithSchema, getRelationInfo } from "@directus/utils";
+import { cloneDeep, intersection, pick, uniq } from "lodash-es";
+import { getNodeEnv } from "@directus/utils/node";
 
 //#region src/utils/versioning/handle-version.ts
-async function handleVersion(self, key, queryWithKey, opts) {
+async function handleVersion(self, key, query, opts) {
 	const { VersionsService } = await import("../../services/versions.js");
 	const { ItemsService } = await import("../../services/items.js");
-	if (queryWithKey.versionRaw) {
-		const originalData = await self.readByQuery(queryWithKey, opts);
+	if (key && query.versionRaw) {
+		const version = query.version;
+		delete query.version;
+		delete query.versionRaw;
+		const originalData = await self.readByQuery(query, opts);
 		if (originalData.length === 0) throw new ForbiddenError();
-		const version$1 = await new VersionsService({
+		const versions$1 = await new VersionsService({
 			schema: self.schema,
 			accountability: self.accountability,
 			knex: self.knex
-		}).getVersionSave(queryWithKey.version, self.collection, key);
-		return Object.assign(originalData[0], version$1?.delta);
+		}).getVersionSaves(version, self.collection, key);
+		return [Object.assign(originalData[0], versions$1?.[0]?.delta)];
 	}
-	let result;
-	const versionsService = new VersionsService({
+	const versions = await new VersionsService({
 		schema: self.schema,
 		accountability: self.accountability,
 		knex: self.knex
-	});
+	}).getVersionSaves(query.version, self.collection, key, false);
+	if (key && versions.length === 0) throw new ForbiddenError();
+	if (versions.length === 0) return [];
+	let results = [];
 	const createdIDs = {};
-	const version = await versionsService.getVersionSave(queryWithKey.version, self.collection, key, false);
-	if (!version) throw new ForbiddenError();
-	const { delta } = version;
+	const itemlessErrors = [];
+	const itemMeta = {};
+	const primaryKeyField = self.schema.collections[self.collection].primary;
+	const hasPrimaryKeyInQuery = query.fields?.includes(primaryKeyField) || query.fields?.includes("*") || query.fields?.length === 0;
 	await transaction(self.knex, async (trx) => {
-		const itemsServiceAdmin = new ItemsService(self.collection, {
-			schema: self.schema,
-			accountability: { admin: true },
-			knex: trx
-		});
-		if (delta) {
+		for (const version of versions) {
+			const { id, item } = version;
+			let delta = version.delta;
+			if (!delta && item) {
+				itemMeta[item] = {
+					version_id: id,
+					delta: {}
+				};
+				continue;
+			}
+			delta = delta ?? {};
 			const { rawDelta, defaultOverwrites } = splitRecursive(delta);
-			await itemsServiceAdmin.updateOne(key, rawDelta, {
-				emitEvents: false,
-				autoPurgeCache: false,
-				skipTracking: true,
-				overwriteDefaults: defaultOverwrites,
-				onItemCreate: (collection, pk) => {
-					if (collection in createdIDs === false) createdIDs[collection] = [];
-					createdIDs[collection].push(pk);
-				}
-			});
+			try {
+				await transaction(trx, async (trxInner) => {
+					const sudoItemsService = new ItemsService(self.collection, {
+						schema: self.schema,
+						knex: trxInner
+					});
+					if (!item) {
+						const item$1 = await sudoItemsService.createOne(rawDelta, {
+							emitEvents: false,
+							autoPurgeCache: false,
+							skipTracking: true,
+							overwriteDefaults: defaultOverwrites,
+							onItemCreate: (collection, pk) => {
+								if (collection in createdIDs === false) createdIDs[collection] = [];
+								createdIDs[collection].push(pk);
+							}
+						});
+						itemMeta[item$1] = { version_id: id };
+					} else {
+						await sudoItemsService.updateOne(item, rawDelta, {
+							emitEvents: false,
+							autoPurgeCache: false,
+							skipTracking: true,
+							overwriteDefaults: defaultOverwrites,
+							onItemCreate: (collection, pk) => {
+								if (collection in createdIDs === false) createdIDs[collection] = [];
+								createdIDs[collection].push(pk);
+							}
+						});
+						itemMeta[item] = { version_id: id };
+					}
+				}, true);
+			} catch (error) {
+				if (key) throw error;
+				sanitizeError(error);
+				if (!item) itemlessErrors.push({
+					error,
+					version_id: id,
+					delta
+				});
+				else itemMeta[item] = {
+					error,
+					version_id: id,
+					delta
+				};
+			}
 		}
-		result = (await new ItemsService(self.collection, {
+		const itemsServiceUser = new ItemsService(self.collection, {
 			schema: self.schema,
 			accountability: self.accountability,
 			knex: trx
-		}).readByQuery(queryWithKey, opts))[0];
+		});
+		query = cloneDeep(query);
+		delete query.version;
+		const ids = uniq([...createdIDs[self.collection] ?? [], ...versions.map((version) => version.item).filter(Boolean)]);
+		query.filter = { _and: [...query.filter ? [query.filter] : [], { [primaryKeyField]: { _in: ids } }] };
+		if (!hasPrimaryKeyInQuery) query.fields = [primaryKeyField, ...query.fields ?? []];
+		results = await itemsServiceUser.readByQuery(query, { ...opts });
 		await trx.rollback();
 	});
-	if (!result) throw new ForbiddenError();
-	return deepMapWithSchema(result, ([key$1, value], context) => {
-		if (context.relationType === "m2o" || context.relationType === "a2o") {
-			if (createdIDs[context.relation.related_collection]?.find((id) => String(id) === String(value))) return [key$1, null];
-		} else if (context.relationType === "o2m" && Array.isArray(value)) {
-			const ids = createdIDs[context.relation.collection];
-			return [key$1, value.map((val) => {
-				if (ids?.find((id) => String(id) === String(val))) return null;
-				return val;
-			})];
-		}
-		if (context.field.field === context.collection.primary) {
-			if (createdIDs[context.collection.collection]?.find((id) => String(id) === String(value))) return [key$1, null];
+	let requestedFields = Object.values(self.schema.collections[self.collection].fields).filter((field) => {
+		return getRelationInfo(self.schema.relations, self.collection, field.field).relationType === null;
+	}).map((field) => field.field);
+	const queryFields = query.fields?.map((field) => field.split(".")[0]) ?? [];
+	if (!queryFields?.includes("*")) requestedFields = intersection(requestedFields, queryFields);
+	const defaultItem = Object.fromEntries(requestedFields.map((field) => [field, null]));
+	results = results.map((result) => {
+		const meta = itemMeta[result[primaryKeyField]];
+		if (!hasPrimaryKeyInQuery) delete result[primaryKeyField];
+		result = deepMapWithSchema(result, ([key$1, value], context) => {
+			if (context.relationType === "m2o" || context.relationType === "a2o") {
+				if (createdIDs[context.relation.related_collection]?.find((id) => String(id) === String(value))) return [key$1, null];
+			} else if (context.relationType === "o2m" && Array.isArray(value)) {
+				const ids = createdIDs[context.relation.collection];
+				return [key$1, value.map((val) => {
+					if (ids?.find((id) => String(id) === String(val))) return null;
+					return val;
+				})];
+			}
+			if (context.field.field === context.collection.primary) {
+				if (createdIDs[context.collection.collection]?.find((id) => String(id) === String(value))) return [key$1, null];
+			}
+			return [key$1, value];
+		}, {
+			collection: self.collection,
+			schema: self.schema
+		});
+		if (meta) {
+			result["$meta"] = meta;
+			if (meta.error) result = Object.assign({}, defaultItem, result, pick(meta.delta, requestedFields));
 		}
-		return [key$1, value];
-	}, {
-		collection: self.collection,
-		schema: self.schema
+		return result;
 	});
+	const env = useEnv();
+	if (results.length < (query.limit ?? Number(env["QUERY_LIMIT_DEFAULT"]))) results.push(...itemlessErrors.map((errorMeta) => {
+		let item = { $meta: errorMeta };
+		if (errorMeta.error) item = Object.assign({}, defaultItem, item, pick(errorMeta.delta, requestedFields));
+		return item;
+	}));
+	return results;
+}
+function sanitizeError(error) {
+	if (getNodeEnv() !== "development") delete error.stack;
+	removeCircular(error);
 }
 
 //#endregion

package/dist/utils/versioning/remove-circular.js

@@ -0,0 +1,17 @@
+//#region src/utils/versioning/remove-circular.ts
+function removeCircular(obj, seen = /* @__PURE__ */ new WeakSet()) {
+	if (assertIsRecord(obj)) {
+		if (seen.has(obj)) return null;
+		seen.add(obj);
+		for (const key in obj) if (typeof obj[key] === "object") {
+			if (removeCircular(obj[key], seen) === null) delete obj[key];
+		}
+	}
+	return obj;
+}
+function assertIsRecord(val) {
+	return typeof val === "object" && val !== null;
+}
+
+//#endregion
+export { removeCircular };

package/dist/websocket/authenticate.js

@@ -1,8 +1,8 @@
 import { DEFAULT_AUTH_PROVIDER } from "../constants.js";
 import database_default from "../database/index.js";
 import emitter_default from "../emitter.js";
-import { getSchema } from "../utils/get-schema.js";
 import { createDefaultAccountability } from "../permissions/utils/create-default-accountability.js";
+import { getSchema } from "../utils/get-schema.js";
 import { AuthenticationService } from "../services/authentication.js";
 import { getAccountabilityForToken } from "../utils/get-accountability-for-token.js";
 import { WebSocketError } from "./errors.js";
@@ -39,6 +39,7 @@ async function authenticateConnection(message, accountabilityOverrides) {
 		});
 		if (customAccountability && isEqual(customAccountability, defaultAccountability) === false) authenticationState.accountability = customAccountability;
 		else authenticationState.accountability = await getAccountabilityForToken(access_token, defaultAccountability);
+		if (authenticationState.accountability.oauth) throw new Error("OAuth sessions are not allowed on WebSocket connections");
 		return authenticationState;
 	} catch {
 		throw new WebSocketError("auth", "AUTH_FAILED", "Authentication failed.", message["uid"]);

package/dist/websocket/collab/collab.js

@@ -3,8 +3,8 @@ import { ClientMessage, TYPE } from "../../packages/types/dist/index.js";
 import database_default from "../../database/index.js";
 import { validateItemAccess } from "../../permissions/modules/validate-access/lib/validate-item-access.js";
 import emitter_default from "../../emitter.js";
-import { getSchema } from "../../utils/get-schema.js";
 import { scheduleSynchronizedJob } from "../../utils/schedule.js";
+import { getSchema } from "../../utils/get-schema.js";
 import { SettingsService } from "../../services/settings.js";
 import { getMessageType } from "../utils/message.js";
 import { isFieldAllowed } from "../../utils/is-field-allowed.js";

package/dist/websocket/collab/room.js

@@ -1,8 +1,8 @@
 import { useLogger } from "../../logger/index.js";
 import { ACTION, COLORS, TYPE } from "../../packages/types/dist/index.js";
 import database_default from "../../database/index.js";
-import { getSchema } from "../../utils/get-schema.js";
 import { getService } from "../../utils/get-service.js";
+import { getSchema } from "../../utils/get-schema.js";
 import { isFieldAllowed } from "../../utils/is-field-allowed.js";
 import { useStore } from "./store.js";
 import { Messenger } from "./messenger.js";

package/dist/websocket/controllers/base.js

@@ -9,6 +9,7 @@ import { authenticateConnection, authenticationSuccess } from "../authenticate.j
 import { AuthMode, WebSocketAuthMessage } from "../messages.js";
 import { getMessageType } from "../utils/message.js";
 import { waitForAnyMessage, waitForMessageType } from "../utils/wait-for-message.js";
+import { getLicenseManager } from "../../license/manager.js";
 import { useEnv } from "@directus/env";
 import { InvalidProviderConfigError, TokenExpiredError } from "@directus/errors";
 import { parseJSON, toBoolean } from "@directus/utils";
@@ -81,6 +82,12 @@ var SocketController = class {
 	async handleUpgrade(request, socket, head) {
 		const { pathname, query } = parse(request.url, true);
 		if (pathname !== this.endpoint) return;
+		if (await getLicenseManager().isLocked()) {
+			logger.debug("WebSocket upgrade denied - License is in a locked state and must be resolved");
+			socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
+			socket.destroy();
+			return;
+		}
 		if (this.clients.size >= this.maxConnections) {
 			logger.debug("WebSocket upgrade denied - max connections reached");
 			socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
@@ -186,6 +193,11 @@ var SocketController = class {
 				logger.debug(`WebSocket#${client.uid} is rate limited`);
 				return;
 			}
+			if (await getLicenseManager().isLocked()) {
+				handleWebSocketError(client, new WebSocketError("license", "SERVICE_UNAVAILABLE", `License is in a locked state and must be resolved`), "server");
+				logger.debug(`WebSocket#${client.uid} closed due to license in locked state`);
+				return;
+			}
 			let message;
 			try {
 				message = this.parseMessage(data.toString());

package/dist/websocket/controllers/graphql.js

@@ -1,6 +1,6 @@
 import { useLogger } from "../../logger/index.js";
-import { getSchema } from "../../utils/get-schema.js";
 import { createDefaultAccountability } from "../../permissions/utils/create-default-accountability.js";
+import { getSchema } from "../../utils/get-schema.js";
 import { getAddress } from "../../utils/get-address.js";
 import { bindPubSub } from "../../services/graphql/subscription.js";
 import { handleWebSocketError } from "../errors.js";

package/dist/websocket/handlers/subscribe.js

@@ -2,8 +2,8 @@ import { useBus } from "../../bus/lib/use-bus.js";
 import "../../bus/index.js";
 import emitter_default from "../../emitter.js";
 import { getSchema } from "../../utils/get-schema.js";
-import { sanitizeQuery } from "../../utils/sanitize-query.js";
 import { getPayload } from "../utils/items.js";
+import { sanitizeQuery } from "../../utils/sanitize-query.js";
 import { WebSocketError, handleWebSocketError } from "../errors.js";
 import { WebSocketSubscribeMessage } from "../messages.js";
 import { fmtMessage, getMessageType } from "../utils/message.js";