@directus/api 35.2.0 → 36.0.0-rc.1

package/dist/services/server.js

@@ -1,17 +1,25 @@
+import { useRedis } from "../redis/lib/use-redis.js";
+import { redisConfigAvailable } from "../redis/utils/redis-config-available.js";
+import "../redis/index.js";
 import { useLogger } from "../logger/index.js";
+import { getMilliseconds } from "../utils/get-milliseconds.js";
 import { FILE_UPLOADS, RESUMABLE_UPLOADS } from "../constants.js";
-import { getCache } from "../cache.js";
 import { getStorage } from "../storage/index.js";
 import database_default, { hasDatabaseConnection } from "../database/index.js";
+import { useStore } from "../utils/store.js";
 import getMailer from "../mailer.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { SettingsService } from "./settings.js";
-import { rateLimiterGlobal } from "../middleware/rate-limiter-global.js";
-import { rateLimiter } from "../middleware/rate-limiter-ip.js";
 import { getAllowedLogLevels } from "../utils/get-allowed-log-levels.js";
 import { SERVER_ONLINE } from "../server.js";
+import { isUnauthenticated } from "../utils/is-unauthenticated.js";
+import { getLicenseManager } from "../license/manager.js";
+import "../license/index.js";
 import { useEnv } from "@directus/env";
+import { ForbiddenError } from "@directus/errors";
 import { toArray, toBoolean } from "@directus/utils";
 import { merge } from "lodash-es";
+import { createKv } from "@directus/memory";
 import { performance } from "perf_hooks";
 import { Readable } from "node:stream";
 import { version } from "directus/version";
@@ -19,6 +27,8 @@ import { version } from "directus/version";
 //#region src/services/server.ts
 const env = useEnv();
 const logger = useLogger();
+const HEALTHCHECK_CACHE_TTL = getMilliseconds(env["HEALTHCHECK_CACHE_TTL"], 3e5);
+const store = useStore(env["HEALTHCHECK_NAMESPACE"] ?? "directus:healthcheck", { ttl: HEALTHCHECK_CACHE_TTL });
 var ServerService = class {
 	knex;
 	accountability;
@@ -38,9 +48,11 @@ var ServerService = class {
 	}
 	async serverInfo() {
 		const info = {};
-		const setupComplete = await this.isSetupCompleted();
-		info["project"] = await this.settingsService.readSingleton({ fields: [
+		const licenseManager = getLicenseManager();
+		const isSetupCompleted = await this.isSetupCompleted();
+		const { project_owner,...projectInfo } = await this.settingsService.readSingleton({ fields: [
 			"project_name",
+			"project_owner",
 			"project_descriptor",
 			"project_logo",
 			"project_color",
@@ -59,10 +71,18 @@ var ServerService = class {
 			"public_registration",
 			"public_registration_verify_email"
 		] });
-		info["setupCompleted"] = setupComplete;
+		info["project"] = projectInfo;
+		if (!isSetupCompleted) info["setup"] = {
+			license_complete: licenseManager.getSource() !== null,
+			owner_complete: Boolean(project_owner)
+		};
 		if (this.accountability?.user) {
 			info["mcp_enabled"] = toBoolean(env["MCP_ENABLED"] ?? true);
 			info["ai_enabled"] = toBoolean(env["AI_ENABLED"] ?? true);
+			info["mcp_oauth_enabled"] = toBoolean(env["MCP_OAUTH_ENABLED"] ?? false);
+			info["mcp_oauth_dcr_enabled"] = toBoolean(env["MCP_OAUTH_DCR_ENABLED"] ?? false);
+			info["mcp_oauth_cimd_enabled"] = toBoolean(env["MCP_OAUTH_CIMD_ENABLED"] ?? false);
+			info["autoSave"] = { revisionInterval: Number(env["AUTOSAVE_REVISION_INTERVAL"]) };
 			info["files"] = { mimeTypeAllowList: toArray(env["FILES_MIME_TYPE_ALLOW_LIST"]) };
 			if (env["RATE_LIMITER_ENABLED"]) info["rateLimit"] = {
 				points: env["RATE_LIMITER_POINTS"],
@@ -100,21 +120,33 @@ var ServerService = class {
 				chunkSize: RESUMABLE_UPLOADS.CHUNK_SIZE
 			};
 		}
-		if (this.accountability?.user || !setupComplete) info["version"] = version;
+		if (this.accountability?.user || !isSetupCompleted) info["version"] = version;
+		info["license"] = {
+			source: licenseManager.getSource(),
+			entitlements: getEntitlementManager().getAppEntitlements()
+		};
 		return info;
 	}
 	async health() {
+		if (isUnauthenticated(this.accountability)) throw new ForbiddenError();
+		const healthResult = await store(async (store$1) => {
+			try {
+				return await store$1.get("health");
+			} catch (err) {
+				logger.warn(err, "Failed to read health check cache");
+			}
+		});
+		if (healthResult) return this.accountability?.admin === true ? healthResult : { status: healthResult["status"] };
 		const { nanoid } = await import("nanoid");
 		const checkID = nanoid(5);
+		const enabledServices = toArray(env["HEALTHCHECK_SERVICES"]);
 		const data = {
 			status: "ok",
 			releaseId: version,
 			serviceId: env["PUBLIC_URL"],
 			checks: merge(...await Promise.all([
 				testDatabase(),
-				testCache(),
-				testRateLimiter(),
-				testRateLimiterGlobal(),
+				testRedis(),
 				testStorage(),
 				testEmail()
 			]))
@@ -135,9 +167,14 @@ var ServerService = class {
 			}
 			if (data.status === "error") break;
 		}
-		if (this.accountability?.admin !== true) return { status: data.status };
-		else return data;
+		await store(async (store$1) => {
+			await store$1.set("health", data).catch((err) => {
+				logger.warn(err, "Failed to write health check cache");
+			});
+		});
+		return this.accountability?.admin === true ? data : { status: data.status };
 		async function testDatabase() {
+			if (enabledServices.includes("database") === false) return {};
 			const database = database_default();
 			const client = env["DB_CLIENT"];
 			const checks = {};
@@ -169,10 +206,15 @@ var ServerService = class {
 			}];
 			return checks;
 		}
-		async function testCache() {
-			if (env["CACHE_ENABLED"] !== true) return {};
-			const { cache } = getCache();
-			const checks = { "cache:responseTime": [{
+		async function testRedis() {
+			if (enabledServices.includes("redis") === false || redisConfigAvailable() !== true) return {};
+			const redis = createKv({
+				type: "redis",
+				redis: useRedis(),
+				namespace: env["HEALTHCHECK_NAMESPACE"] ?? "directus:healthcheck",
+				ttl: HEALTHCHECK_CACHE_TTL
+			});
+			const checks = { "redis:responseTime": [{
 				status: "ok",
 				componentType: "cache",
 				observedValue: 0,
@@ -181,65 +223,20 @@ var ServerService = class {
 			}] };
 			const startTime = performance.now();
 			try {
-				await cache.set(`directus-health-${checkID}`, true, 5);
-				await cache.delete(`directus-health-${checkID}`);
-			} catch (err) {
-				checks["cache:responseTime"][0].status = "error";
-				checks["cache:responseTime"][0].output = err;
-			} finally {
-				const endTime = performance.now();
-				checks["cache:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
-				if (checks["cache:responseTime"][0].observedValue > checks["cache:responseTime"][0].threshold && checks["cache:responseTime"][0].status !== "error") checks["cache:responseTime"][0].status = "warn";
-			}
-			return checks;
-		}
-		async function testRateLimiter() {
-			if (env["RATE_LIMITER_ENABLED"] !== true) return {};
-			const checks = { "rateLimiter:responseTime": [{
-				status: "ok",
-				componentType: "ratelimiter",
-				observedValue: 0,
-				observedUnit: "ms",
-				threshold: env["RATE_LIMITER_HEALTHCHECK_THRESHOLD"] ? +env["RATE_LIMITER_HEALTHCHECK_THRESHOLD"] : 150
-			}] };
-			const startTime = performance.now();
-			try {
-				await rateLimiter.consume(`directus-health-${checkID}`, 1);
-				await rateLimiter.delete(`directus-health-${checkID}`);
-			} catch (err) {
-				checks["rateLimiter:responseTime"][0].status = "error";
-				checks["rateLimiter:responseTime"][0].output = err;
-			} finally {
-				const endTime = performance.now();
-				checks["rateLimiter:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
-				if (checks["rateLimiter:responseTime"][0].observedValue > checks["rateLimiter:responseTime"][0].threshold && checks["rateLimiter:responseTime"][0].status !== "error") checks["rateLimiter:responseTime"][0].status = "warn";
-			}
-			return checks;
-		}
-		async function testRateLimiterGlobal() {
-			if (env["RATE_LIMITER_GLOBAL_ENABLED"] !== true) return {};
-			const checks = { "rateLimiterGlobal:responseTime": [{
-				status: "ok",
-				componentType: "ratelimiter",
-				observedValue: 0,
-				observedUnit: "ms",
-				threshold: env["RATE_LIMITER_GLOBAL_HEALTHCHECK_THRESHOLD"] ? +env["RATE_LIMITER_GLOBAL_HEALTHCHECK_THRESHOLD"] : 150
-			}] };
-			const startTime = performance.now();
-			try {
-				await rateLimiterGlobal.consume(`directus-health-${checkID}`, 1);
-				await rateLimiterGlobal.delete(`directus-health-${checkID}`);
+				await redis.set(`directus-health-${checkID}`, 1);
+				await redis.delete(`directus-health-${checkID}`);
 			} catch (err) {
-				checks["rateLimiterGlobal:responseTime"][0].status = "error";
-				checks["rateLimiterGlobal:responseTime"][0].output = err;
+				checks["redis:responseTime"][0].status = "error";
+				checks["redis:responseTime"][0].output = err;
 			} finally {
 				const endTime = performance.now();
-				checks["rateLimiterGlobal:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
-				if (checks["rateLimiterGlobal:responseTime"][0].observedValue > checks["rateLimiterGlobal:responseTime"][0].threshold && checks["rateLimiterGlobal:responseTime"][0].status !== "error") checks["rateLimiterGlobal:responseTime"][0].status = "warn";
+				checks["redis:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
+				if (checks["redis:responseTime"][0].observedValue > checks["redis:responseTime"][0].threshold && checks["redis:responseTime"][0].status !== "error") checks["redis:responseTime"][0].status = "warn";
 			}
 			return checks;
 		}
 		async function testStorage() {
+			if (enabledServices.includes("storage") === false) return {};
 			const storage = await getStorage();
 			const checks = {};
 			for (const location of toArray(env["STORAGE_LOCATIONS"])) {
@@ -267,6 +264,7 @@ var ServerService = class {
 			return checks;
 		}
 		async function testEmail() {
+			if (enabledServices.includes("email") === false || toBoolean(env["EMAIL_VERIFY_SETUP"]) === false) return {};
 			const checks = { "email:connection": [{
 				status: "ok",
 				componentType: "email"

package/dist/services/settings.js

@@ -1,6 +1,10 @@
+import { CUSTOM_LLM_FIELDS } from "../constants.js";
 import { ItemsService } from "./items.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { sendReport } from "../telemetry/lib/send-report.js";
 import "../telemetry/index.js";
+import "../license/index.js";
+import { InvalidPayloadError, ResourceRestrictedError } from "@directus/errors";
 import { version } from "directus/version";
 
 //#region src/services/settings.ts
@@ -8,6 +12,37 @@ var SettingsService = class extends ItemsService {
 	constructor(options) {
 		super("directus_settings", options);
 	}
+	async createOne(data, opts) {
+		if (this.accountability !== null) {
+			if ("license_key" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_key" value manually` });
+			if ("license_token" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_token" value manually` });
+		}
+		const entitlementManager = getEntitlementManager();
+		const changesLLM = CUSTOM_LLM_FIELDS.some((field) => field in data && data[field] !== null);
+		if (!entitlementManager.isEntitled("custom_llms_enabled") && changesLLM) throw new ResourceRestrictedError({ category: "custom_llms_enabled" });
+		const result = await super.createOne(data, opts);
+		if (changesLLM) await getEntitlementManager().clearCache("custom_llms_enabled");
+		return result;
+	}
+	async updateMany(keys, data, opts) {
+		if (this.accountability !== null) {
+			if ("license_key" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_key" value manually` });
+			if ("license_token" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_token" value manually` });
+		}
+		const entitlementManager = getEntitlementManager();
+		const changesLLM = CUSTOM_LLM_FIELDS.some((field) => field in data && data[field] !== null);
+		if (!entitlementManager.isEntitled("custom_llms_enabled") && changesLLM) throw new ResourceRestrictedError({ category: "custom_llms_enabled" });
+		const result = await super.updateMany(keys, data, opts);
+		if (changesLLM) await entitlementManager.clearCache("custom_llms_enabled");
+		return result;
+	}
+	async readByQuery(query, opts) {
+		const data = await super.readByQuery(query, opts);
+		if (!getEntitlementManager().isEntitled("custom_llms_enabled") && this.accountability !== null) {
+			for (const record of data) for (const field of CUSTOM_LLM_FIELDS) if (record[field]) record[field] = null;
+		}
+		return data;
+	}
 	async setOwner(data) {
 		const { project_id } = await this.knex.select("project_id").from("directus_settings").first();
 		sendReport({
@@ -19,10 +54,9 @@ var SettingsService = class extends ItemsService {
 		});
 		return await this.upsertSingleton({
 			project_owner: data.project_owner,
-			project_usage: data.project_usage,
-			org_name: data.org_name,
 			product_updates: data.product_updates,
-			project_status: null
+			project_usage: data.project_usage,
+			org_name: data.org_name
 		});
 	}
 };

package/dist/services/users.js

@@ -12,11 +12,14 @@ import { createDefaultAccountability } from "../permissions/utils/create-default
 import isUrlAllowed from "../utils/is-url-allowed.js";
 import { verifyJWT } from "../utils/jwt.js";
 import { stall } from "../utils/stall.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { SettingsService } from "./settings.js";
+import "../license/index.js";
 import { useEnv } from "@directus/env";
 import { ForbiddenError, InvalidInviteError, InvalidPayloadError, RecordNotUniqueError } from "@directus/errors";
 import { getSimpleHash, toArray, validatePayload } from "@directus/utils";
 import { isEmpty } from "lodash-es";
+import { USER_INACTIVE_LICENSE_STATUS } from "@directus/constants";
 import { performance } from "perf_hooks";
 import Joi from "joi";
 import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from "@directus/validation";
@@ -114,6 +117,12 @@ var UsersService = class UsersService extends ItemsService {
 		}
 	}
 	/**
+	* Block setting a non-default auth provider when the current license isn't entitled to SSO
+	*/
+	checkProviderEntitlement(input) {
+		if ((Array.isArray(input) ? input : [input]).some((provider) => provider && provider !== DEFAULT_AUTH_PROVIDER) && !getEntitlementManager().isEntitled("sso_enabled")) throw new InvalidPayloadError({ reason: `Setting a custom "provider" isn't included in the current license` });
+	}
+	/**
 	* Create a new user
 	*/
 	async createOne(data, opts = {}) {
@@ -123,6 +132,7 @@ var UsersService = class UsersService extends ItemsService {
 				await this.checkUniqueEmails([data["email"]]);
 			}
 			if ("password" in data) await this.checkPasswordPolicy([data["password"]]);
+			if ("provider" in data) this.checkProviderEntitlement(data["provider"]);
 		} catch (err) {
 			opts.preMutationError = err;
 		}
@@ -138,6 +148,7 @@ var UsersService = class UsersService extends ItemsService {
 	async createMany(data, opts = {}) {
 		const emails = data.map((payload) => payload["email"]).filter((email) => email);
 		const passwords = data.map((payload) => payload["password"]).filter((password) => password);
+		const providers = data.map((payload) => payload["provider"]).filter((provider) => provider);
 		const someActive = data.some((payload) => !("status" in payload) || payload["status"] === "active");
 		try {
 			if (emails.length) {
@@ -145,6 +156,7 @@ var UsersService = class UsersService extends ItemsService {
 				await this.checkUniqueEmails(emails);
 			}
 			if (passwords.length) await this.checkPasswordPolicy(passwords);
+			if (providers.length) this.checkProviderEntitlement(providers);
 		} catch (err) {
 			opts.preMutationError = err;
 		}
@@ -176,6 +188,7 @@ var UsersService = class UsersService extends ItemsService {
 			if (data["tfa_secret"] !== void 0) throw new InvalidPayloadError({ reason: `You can't change the "tfa_secret" value manually` });
 			if (data["provider"] !== void 0) {
 				if (this.accountability && this.accountability.admin !== true) throw new InvalidPayloadError({ reason: `You can't change the "provider" value manually` });
+				this.checkProviderEntitlement(data["provider"]);
 				data["auth_data"] = null;
 			}
 			if (data["external_identifier"] !== void 0) {
@@ -187,7 +200,7 @@ var UsersService = class UsersService extends ItemsService {
 		}
 		if ("role" in data) opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
 		if ("status" in data) if (data["status"] === "active") opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
-		else opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+		else opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.RemainingAdmins;
 		if (opts.userIntegrityCheckFlags) opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
 		const result = await super.updateMany(keys, data, opts);
 		if (data["status"] !== void 0 && data["status"] !== "active") await this.clearUserSessions(keys);
@@ -213,6 +226,7 @@ var UsersService = class UsersService extends ItemsService {
 		await this.knex("directus_versions").update({ user_updated: null }).whereIn("user_updated", keys);
 		await super.deleteMany(keys, opts);
 		await this.clearUserSessions(keys);
+		await getEntitlementManager().clearCache("seats", "sso_enabled");
 		return keys;
 	}
 	async inviteUser(email, role, url, subject) {
@@ -258,12 +272,15 @@ var UsersService = class UsersService extends ItemsService {
 		if (scope !== "invite") throw new ForbiddenError();
 		const user = await this.getUserByEmail(email);
 		if (user?.status !== "invited") throw new InvalidInviteError();
-		await new UsersService({
+		const service = new UsersService({
 			knex: this.knex,
 			schema: this.schema
-		}).updateOne(user.id, {
+		});
+		const { allowed: isWithinLicenseLimits } = await getEntitlementManager().check("seats");
+		const status = isWithinLicenseLimits ? "active" : USER_INACTIVE_LICENSE_STATUS;
+		await service.updateOne(user.id, {
 			password,
-			status: "active"
+			status
 		});
 	}
 	async registerUser(input) {
@@ -310,7 +327,7 @@ var UsersService = class UsersService extends ItemsService {
 				email: input.email,
 				scope: "pending-registration"
 			};
-			const token = jwt.sign(payload, env["SECRET"], {
+			const token = jwt.sign(payload, getSecret(), {
 				expiresIn: env["EMAIL_VERIFICATION_TOKEN_TTL"],
 				issuer: "directus"
 			});
@@ -334,7 +351,7 @@ var UsersService = class UsersService extends ItemsService {
 		await stall(STALL_TIME, timeStart);
 	}
 	async verifyRegistration(token) {
-		const { email, scope } = verifyJWT(token, env["SECRET"]);
+		const { email, scope } = verifyJWT(token, getSecret());
 		if (scope !== "pending-registration") throw new ForbiddenError();
 		const user = await this.getUserByEmail(email);
 		if (user?.status !== "unverified") throw new InvalidPayloadError({ reason: "Invalid verification code" });

package/dist/services/utils.js

@@ -4,6 +4,8 @@ import { fetchAllowedFields } from "../permissions/modules/fetch-allowed-fields/
 import emitter_default from "../emitter.js";
 import { validateAccess } from "../permissions/modules/validate-access/validate-access.js";
 import { shouldClearCache } from "../utils/should-clear-cache.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
+import "../license/index.js";
 import { ForbiddenError, InvalidPayloadError } from "@directus/errors";
 import { systemCollectionRows } from "@directus/system-data";
 
@@ -74,7 +76,10 @@ var UtilsService = class {
 	async clearCache({ system }) {
 		if (this.accountability?.admin !== true) throw new ForbiddenError();
 		const { cache } = getCache();
-		if (system) await clearSystemCache({ forced: true });
+		if (system) {
+			await clearSystemCache({ forced: true });
+			await getEntitlementManager().clearCache();
+		}
 		return cache?.clear();
 	}
 };