@directus/api 35.2.0 → 36.0.0-rc.1

package/dist/controllers/users.js

@@ -1,11 +1,11 @@
 import async_handler_default from "../utils/async-handler.js";
 import { DEFAULT_AUTH_PROVIDER } from "../constants.js";
 import { getDatabase } from "../database/index.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { UsersService } from "../services/users.js";
 import { respond } from "../middleware/respond.js";
 import { TFAService } from "../services/tfa.js";
 import { AuthenticationService } from "../services/authentication.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import rate_limiter_registration_default from "../middleware/rate-limiter-registration.js";
 import { MetaService } from "../services/meta.js";
 import use_collection_default from "../middleware/use-collection.js";

package/dist/controllers/utils.js

@@ -3,11 +3,11 @@ import { useLogger } from "../logger/index.js";
 import { clearSystemCache } from "../cache.js";
 import { getDatabase } from "../database/index.js";
 import { generateHash } from "../utils/generate-hash.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
+import { RevisionsService } from "../services/revisions.js";
 import { ExportService, ImportService } from "../services/import-export.js";
 import { respond } from "../middleware/respond.js";
 import { resolveLoginRedirect } from "../auth/utils/resolve-login-redirect.js";
-import { RevisionsService } from "../services/revisions.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { UtilsService } from "../services/utils.js";
 import collection_exists_default from "../middleware/collection-exists.js";
 import { generateTranslations } from "../utils/generate-translations.js";

package/dist/controllers/versions.js

@@ -1,11 +1,11 @@
 import async_handler_default from "../utils/async-handler.js";
-import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { respond } from "../middleware/respond.js";
+import { sanitizeQuery } from "../utils/sanitize-query.js";
 import { MetaService } from "../services/meta.js";
 import { VersionsService } from "../services/versions.js";
 import use_collection_default from "../middleware/use-collection.js";
 import { validateBatch } from "../middleware/validate-batch.js";
-import { ErrorCode, InvalidPayloadError, isDirectusError } from "@directus/errors";
+import { ErrorCode, ForbiddenError, isDirectusError } from "@directus/errors";
 import express from "express";
 import { assign } from "lodash-es";
 
@@ -131,6 +131,7 @@ router.get("/:pk/compare", async_handler_default(async (req, res, next) => {
 		schema: req.schema
 	});
 	const version = await service.readOne(req.params["pk"]);
+	if (!version.item) throw new ForbiddenError({ reason: `Version with key ${req.params["pk"]} does not have an associated item` });
 	const { outdated, mainHash } = await service.verifyHash(version["collection"], version["item"], version["hash"]);
 	const delta = version.delta ?? {};
 	delta[req.schema.collections[version.collection].primary] = version.item;
@@ -149,16 +150,22 @@ router.post("/:pk/save", async_handler_default(async (req, res, next) => {
 		schema: req.schema
 	});
 	const version = await service.readOne(req.params["pk"]);
-	const result = assign(await service.getMainItem(version["collection"], version["item"]), await service.save(req.params["pk"], req.body));
+	let mainItem = {};
+	if (version.item) mainItem = await service.getMainItem(version["collection"], version["item"]);
+	const patchRevision = req.query["patchRevision"] !== void 0 && req.query["patchRevision"] !== "false";
+	const updatedVersion = await service.save(req.params["pk"], req.body, { patchRevision });
+	const result = assign(mainItem, updatedVersion);
 	res.locals["payload"] = { data: result || null };
 	return next();
 }), respond);
 router.post("/:pk/promote", async_handler_default(async (req, res, next) => {
-	if (typeof req.body.mainHash !== "string") throw new InvalidPayloadError({ reason: `"mainHash" field is required` });
 	const updatedItemKey = await new VersionsService({
 		accountability: req.accountability,
 		schema: req.schema
-	}).promote(req.params["pk"], req.body.mainHash, req.body?.["fields"]);
+	}).promote(req.params["pk"], {
+		mainHash: req.body?.mainHash,
+		fields: req.body?.["fields"]
+	});
 	res.locals["payload"] = { data: updatedItemKey || null };
 	return next();
 }), respond);

package/dist/database/get-ast-from-query/lib/convert-wildcards.js

@@ -1,3 +1,5 @@
+import { parseJsonFunction } from "../../helpers/fn/json/parse-function.js";
+import { extractFunctionName } from "../../../utils/extract-function-name.js";
 import { parseFilterKey } from "../../../utils/parse-filter-key.js";
 import { fetchAllowedFields } from "../../../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js";
 import { getRelation } from "@directus/utils";
@@ -23,7 +25,14 @@ async function convertWildcards(options, context) {
 			if (allowedFields.includes("*")) fields.splice(index, 1, ...fieldsInCollection, ...aliases);
 			else {
 				const allowedAliases = aliases.filter((fieldKey$1) => {
-					const { fieldName } = parseFilterKey(options.alias[fieldKey$1]);
+					const aliasValue = options.alias[fieldKey$1];
+					if (extractFunctionName(aliasValue) === "json") try {
+						const { field } = parseJsonFunction(aliasValue);
+						return allowedFields.includes(field);
+					} catch {
+						return false;
+					}
+					const { fieldName } = parseFilterKey(aliasValue);
 					return allowedFields.includes(fieldName);
 				});
 				fields.splice(index, 1, ...allowedFields, ...allowedAliases);

package/dist/database/get-ast-from-query/lib/parse-fields.js

@@ -1,3 +1,4 @@
+import { splitFieldPath } from "../../../utils/split-field-path.js";
 import { fetchPolicies } from "../../../permissions/lib/fetch-policies.js";
 import { fetchPermissions } from "../../../permissions/lib/fetch-permissions.js";
 import { getAllowedSort } from "../utils/get-allowed-sort.js";
@@ -68,7 +69,7 @@ async function parseFields(options, context) {
 		}
 		const isRelationalFunctionCall = isFunctionCall && name.includes(".") && name.indexOf(".") < name.indexOf("(");
 		if ((!isFunctionCall || isRelationalFunctionCall) && (name.includes(".") || !!context.schema.relations.find((relation) => relation.related_collection === options.parentCollection && relation.meta?.one_field === name))) {
-			const parts = (isFunctionCall ? name : fieldKey).split(".");
+			const parts = splitFieldPath(isFunctionCall ? name : fieldKey);
 			let rootField = parts[0];
 			let collectionScope = null;
 			if (rootField.includes(":")) {

package/dist/database/helpers/fn/dialects/mysql.js

@@ -1,6 +1,6 @@
 import { FnHelper } from "../types.js";
+import { convertToMySQLPath } from "../json/mysql-json-path.js";
 import { InvalidQueryError } from "@directus/errors";
-import { toPath } from "lodash-es";
 
 //#region src/database/helpers/fn/dialects/mysql.ts
 var FnHelperMySQL = class extends FnHelper {
@@ -40,6 +40,11 @@ var FnHelperMySQL = class extends FnHelper {
 		const fieldSchema = this.schema.collections?.[collectionName]?.fields?.[column];
 		if (!fieldSchema || fieldSchema.type !== "json" || !options?.jsonPath) throw new InvalidQueryError({ reason: `${collectionName}.${column} is not a JSON field` });
 		const jsonPath = convertToMySQLPath(options.jsonPath);
+		if (options?.jsonReturnType === "numeric") return this.knex.raw(`JSON_EXTRACT(??.??, ?)`, [
+			table,
+			column,
+			jsonPath
+		]);
 		return this.knex.raw(`JSON_UNQUOTE(JSON_EXTRACT(??.??, ?))`, [
 			table,
 			column,
@@ -47,16 +52,6 @@ var FnHelperMySQL = class extends FnHelper {
 		]);
 	}
 };
-function convertToMySQLPath(path) {
-	const parts = toPath(path.startsWith(".") ? path.slice(1) : path);
-	let result = "$";
-	for (const part of parts) {
-		const num = Number(part);
-		if (Number.isInteger(num) && num >= 0 && String(num) === part) result += `[${part}]`;
-		else result += `.${part}`;
-	}
-	return result;
-}
 
 //#endregion
-export { FnHelperMySQL, convertToMySQLPath };
+export { FnHelperMySQL };

package/dist/database/helpers/fn/dialects/oracle.js

@@ -43,13 +43,12 @@ var FnHelperOracle = class extends FnHelper {
 		const fieldSchema = this.schema.collections?.[collectionName]?.fields?.[column];
 		if (!fieldSchema || fieldSchema.type !== "json" || !options?.jsonPath) throw new InvalidQueryError({ reason: `${collectionName}.${column} is not a JSON field` });
 		const jsonPath = "$" + options.jsonPath;
-		return this.knex.raw(`COALESCE(JSON_QUERY(??.??, ?), JSON_VALUE(??.??, ?))`, [
+		if (options?.jsonReturnType === "numeric") return this.knex.raw(`JSON_VALUE(??.??, '${jsonPath}' RETURNING NUMBER)`, [table, column]);
+		return this.knex.raw(`COALESCE(JSON_QUERY(??.??, '${jsonPath}'), JSON_VALUE(??.??, '${jsonPath}'))`, [
 			table,
 			column,
-			jsonPath,
 			table,
-			column,
-			jsonPath
+			column
 		]);
 	}
 };

package/dist/database/helpers/fn/dialects/postgres.js

@@ -1,6 +1,6 @@
+import { buildPostgresJsonPath } from "../json/postgres-json-path.js";
 import { FnHelper } from "../types.js";
 import { InvalidQueryError } from "@directus/errors";
-import { toPath } from "lodash-es";
 
 //#region src/database/helpers/fn/dialects/postgres.ts
 const parseLocaltime = (columnType) => {
@@ -49,34 +49,12 @@ var FnHelperPostgres = class extends FnHelper {
 		const collectionName = options?.originalCollectionName || table;
 		const fieldSchema = this.schema.collections?.[collectionName]?.fields?.[column];
 		if (!fieldSchema || fieldSchema.type !== "json" || !options?.jsonPath) throw new InvalidQueryError({ reason: `${collectionName}.${column} is not a JSON field` });
-		const { template, bindings } = buildPostgresJsonPath(options.jsonPath);
+		const { template, bindings } = buildPostgresJsonPath(options.jsonPath, { asText: options.jsonReturnType !== void 0 });
 		const cast = fieldSchema.dbType === "jsonb" ? "jsonb" : "json";
+		if (options.jsonReturnType === "numeric") return this.knex.raw(`(??::${cast}${template})::numeric`, [table + "." + column, ...bindings]);
 		return this.knex.raw(`??::${cast}${template}`, [table + "." + column, ...bindings]);
 	}
 };
-/**
-* Build a parameterized PostgreSQL JSON path using -> operators.
-* Returns a template string containing only operators and ? placeholders,
-* plus a bindings array with the actual values.
-*
-* @example ".color" → { template: "->?", bindings: ["color"] }
-* @example ".items[0].name" → { template: "->?->?->?", bindings: ["items", 0, "name"] }
-*/
-function buildPostgresJsonPath(path) {
-	const parts = toPath(path.startsWith(".") ? path.slice(1) : path);
-	let template = "";
-	const bindings = [];
-	for (let i = 0; i < parts.length; i++) {
-		const num = Number(parts[i]);
-		template += "->?";
-		if (!isNaN(num) && num >= 0 && Number.isInteger(num)) bindings.push(num);
-		else bindings.push(parts[i]);
-	}
-	return {
-		template,
-		bindings
-	};
-}
 
 //#endregion
-export { FnHelperPostgres, buildPostgresJsonPath };
+export { FnHelperPostgres };

package/dist/database/helpers/fn/json/mysql-json-path.js

@@ -0,0 +1,22 @@
+import { toPath } from "lodash-es";
+
+//#region src/database/helpers/fn/json/mysql-json-path.ts
+/**
+* Build a MySQL/MariaDB JSON path string using dot notation.
+*
+* @example ".color" → "$.color"
+* @example ".items[0].name" → "$.items[0].name"
+*/
+function convertToMySQLPath(path) {
+	const parts = toPath(path.startsWith(".") ? path.slice(1) : path);
+	let result = "$";
+	for (const part of parts) {
+		const num = Number(part);
+		if (Number.isInteger(num) && num >= 0 && String(num) === part) result += `[${part}]`;
+		else result += `.${part}`;
+	}
+	return result;
+}
+
+//#endregion
+export { convertToMySQLPath };

package/dist/database/helpers/fn/json/parse-function.js

@@ -17,6 +17,18 @@ function calculateJsonPathDepth(path) {
 	return depth;
 }
 /**
+* Validates and normalizes a bare JSON path string (e.g. "color" or "settings.theme").
+* Adds a leading dot if absent. Throws on unsupported expressions or depth overflow.
+*/
+function parseJsonPath(path) {
+	const normalized = path.startsWith("[") ? path : `.${path}`;
+	if (/\[\]|\.\.|[*?@$]|\[-/.test(normalized)) throw new InvalidQueryError({ reason: "Invalid JSON path: unsupported path expression" });
+	if (!/^[\p{L}\p{N}\p{Extended_Pictographic}\w.[\]]+$/u.test(normalized)) throw new InvalidQueryError({ reason: "Invalid JSON path: unsupported path expression" });
+	const depth = calculateJsonPathDepth(normalized);
+	if (depth > MAX_JSON_QUERY_DEPTH) throw new InvalidQueryError({ reason: `JSON path depth (${depth}) exceeds allowed maximum of ${MAX_JSON_QUERY_DEPTH}` });
+	return normalized;
+}
+/**
 * Parses a json function selection into its field and path components.
 * Expects relational prefixes to have already been extracted by parseFilterFunctionPath,
 * so the field should always be a simple column name.
@@ -33,15 +45,11 @@ function parseJsonFunction(functionString) {
 	const field = content.substring(0, commaIndex).trim();
 	const pathContent = content.substring(commaIndex + 1).trim();
 	if (!pathContent) throw new InvalidQueryError({ reason: "Invalid json() syntax: missing path" });
-	if (pathContent.includes("[]") || /[*?@$]/.test(pathContent)) throw new InvalidQueryError({ reason: "Invalid json() syntax: unsupported path expression" });
-	const path = pathContent.startsWith("[") ? pathContent : "." + pathContent;
-	const depth = calculateJsonPathDepth(path);
-	if (depth > MAX_JSON_QUERY_DEPTH) throw new InvalidQueryError({ reason: `JSON path depth (${depth}) exceeds allowed maximum of ${MAX_JSON_QUERY_DEPTH}` });
 	return {
 		field,
-		path
+		path: parseJsonPath(pathContent)
 	};
 }
 
 //#endregion
-export { calculateJsonPathDepth, parseJsonFunction };
+export { calculateJsonPathDepth, parseJsonFunction, parseJsonPath };

package/dist/database/helpers/fn/json/postgres-json-path.js

@@ -0,0 +1,54 @@
+import { toPath } from "lodash-es";
+
+//#region src/database/helpers/fn/json/postgres-json-path.ts
+/**
+* Build a parameterized PostgreSQL JSON path using -> operators.
+* Returns a template string containing only operators and ? placeholders,
+* plus a bindings array with the actual values.
+*
+* When asText is true, the final step uses ->> to return text instead of json,
+* which is required for WHERE clause comparisons (LIKE, =, etc.) and ORDER BY.
+*
+* @example ".color" → { template: "->?", bindings: ["color"] }
+* @example ".color" (asText) → { template: "->>?", bindings: ["color"] }
+* @example ".items[0].name" → { template: "->?->?->?", bindings: ["items", 0, "name"] }
+* @example ".items[0].name" (asText) → { template: "->?->?->>?", bindings: ["items", 0, "name"] }
+*/
+function buildPostgresJsonPath(path, options) {
+	const parts = toPath(path.startsWith(".") ? path.slice(1) : path);
+	let template = "";
+	const bindings = [];
+	for (let i = 0; i < parts.length - 1; i++) {
+		const part$1 = parts[i];
+		if (isArrayIndex(part$1)) template += `->${part$1}`;
+		else {
+			template += "->?";
+			bindings.push(part$1);
+		}
+	}
+	const part = parts[parts.length - 1];
+	const operator = options?.asText ? "->>" : "->";
+	if (isArrayIndex(part)) template += operator + part;
+	else {
+		template += operator + "?";
+		bindings.push(part);
+	}
+	return {
+		template,
+		bindings
+	};
+}
+/**
+* Checks if a provided value is a valid positive number for array access
+*/
+function isArrayIndex(value) {
+	if (typeof value === "number") return value >= 0 && Number.isInteger(value);
+	if (typeof value === "string") {
+		const num = Number(value);
+		return String(num) === value && num >= 0 && Number.isInteger(num);
+	}
+	return false;
+}
+
+//#endregion
+export { buildPostgresJsonPath };

package/dist/database/migrations/20260110A-add-ai-provider-settings.js

@@ -1,10 +1,10 @@
 //#region src/database/migrations/20260110A-add-ai-provider-settings.ts
 const DEFAULT_OPENAI_MODELS = [
-	"gpt-5-nano",
-	"gpt-5-mini",
-	"gpt-5"
+	"gpt-5.4-nano",
+	"gpt-5.4-mini",
+	"gpt-5.4"
 ];
-const DEFAULT_ANTHROPIC_MODELS = ["claude-haiku-4-5", "claude-sonnet-4-5"];
+const DEFAULT_ANTHROPIC_MODELS = ["claude-haiku-4-5", "claude-sonnet-4-6"];
 const DEFAULT_GOOGLE_MODELS = [
 	"gemini-3-pro-preview",
 	"gemini-3-flash-preview",

package/dist/database/migrations/20260217A-null-item-versions.js

@@ -0,0 +1,14 @@
+//#region src/database/migrations/20260217A-null-item-versions.ts
+async function up(knex) {
+	await knex.schema.alterTable("directus_versions", (table) => {
+		table.string("item").nullable().alter();
+	});
+}
+async function down(knex) {
+	await knex.schema.alterTable("directus_versions", (table) => {
+		table.string("item").notNullable().alter();
+	});
+}
+
+//#endregion
+export { down, up };

package/dist/database/migrations/20260312A-add-ai-translation-settings.js

@@ -0,0 +1,18 @@
+//#region src/database/migrations/20260312A-add-ai-translation-settings.ts
+async function up(knex) {
+	await knex.schema.alterTable("directus_settings", (table) => {
+		table.text("ai_translation_default_model").nullable();
+		table.json("ai_translation_glossary").nullable();
+		table.text("ai_translation_style_guide").nullable();
+	});
+}
+async function down(knex) {
+	await knex.schema.alterTable("directus_settings", (table) => {
+		table.dropColumn("ai_translation_default_model");
+		table.dropColumn("ai_translation_glossary");
+		table.dropColumn("ai_translation_style_guide");
+	});
+}
+
+//#endregion
+export { down, up };

package/dist/database/migrations/20260507A-add-licensing.js

@@ -0,0 +1,22 @@
+//#region src/database/migrations/20260507A-add-licensing.ts
+async function up(knex) {
+	await knex.schema.alterTable("directus_settings", (table) => {
+		table.string("license_key").nullable().defaultTo(null);
+		table.text("license_token").nullable().defaultTo(null);
+	});
+	await knex.schema.alterTable("directus_collections", (table) => {
+		table.string("status").notNullable().defaultTo("active");
+	});
+}
+async function down(knex) {
+	await knex.schema.alterTable("directus_settings", (table) => {
+		table.dropColumn("license_key");
+		table.dropColumn("license_token");
+	});
+	await knex.schema.alterTable("directus_collections", (table) => {
+		table.dropColumn("status");
+	});
+}
+
+//#endregion
+export { down, up };

package/dist/database/migrations/20260512A-add-autosave-revision-interval.js

@@ -0,0 +1,14 @@
+//#region src/database/migrations/20260512A-add-autosave-revision-interval.ts
+async function up(knex) {
+	await knex.schema.alterTable("directus_collections", (table) => {
+		table.float("autosave_revision_interval").nullable();
+	});
+}
+async function down(knex) {
+	await knex.schema.alterTable("directus_collections", (table) => {
+		table.dropColumn("autosave_revision_interval");
+	});
+}
+
+//#endregion
+export { down, up };

package/dist/database/migrations/20260512B-add-mcp-oauth.js

@@ -0,0 +1,87 @@
+//#region src/database/migrations/20260512B-add-mcp-oauth.ts
+async function up(knex) {
+	await knex.schema.alterTable("directus_settings", (table) => {
+		table.boolean("mcp_oauth_enabled").defaultTo(false).notNullable();
+		table.boolean("mcp_oauth_dcr_enabled").defaultTo(false).notNullable();
+		table.boolean("mcp_oauth_cimd_enabled").defaultTo(false).notNullable();
+	});
+	await knex.schema.createTable("directus_oauth_clients", (table) => {
+		table.string("client_id", 255).primary().notNullable();
+		table.string("client_name", 200).notNullable();
+		table.json("redirect_uris").notNullable();
+		table.json("grant_types").notNullable();
+		table.string("token_endpoint_auth_method").notNullable().defaultTo("none");
+		table.string("client_secret_hash", 64).nullable();
+		table.string("registration_type", 10).notNullable().defaultTo("dcr");
+		table.text("client_uri").nullable();
+		table.text("logo_uri").nullable();
+		table.text("tos_uri").nullable();
+		table.text("policy_uri").nullable();
+		table.timestamp("metadata_fetched_at").nullable();
+		table.timestamp("metadata_expires_at").nullable();
+		table.string("metadata_etag", 255).nullable();
+		table.timestamp("date_created").notNullable().defaultTo(knex.fn.now()).index();
+	});
+	await knex.schema.createTable("directus_oauth_consents", (table) => {
+		table.uuid("id").primary().notNullable();
+		table.uuid("user").notNullable().references("id").inTable("directus_users").onDelete("CASCADE");
+		table.string("client", 255).notNullable().references("client_id").inTable("directus_oauth_clients").onDelete("CASCADE");
+		table.string("redirect_uri", 255).notNullable();
+		table.string("scope").nullable();
+		table.timestamp("date_created").notNullable();
+		table.timestamp("date_updated").notNullable();
+		table.unique([
+			"user",
+			"client",
+			"redirect_uri"
+		]);
+		table.index("client");
+	});
+	await knex.schema.createTable("directus_oauth_codes", (table) => {
+		table.uuid("id").primary().notNullable();
+		table.string("code_hash", 64).notNullable().unique();
+		table.string("client", 255).notNullable().references("client_id").inTable("directus_oauth_clients").onDelete("CASCADE");
+		table.uuid("user").notNullable().references("id").inTable("directus_users").onDelete("CASCADE");
+		table.string("redirect_uri", 255).notNullable();
+		table.string("resource").notNullable();
+		table.string("code_challenge", 128).notNullable();
+		table.string("code_challenge_method", 10).notNullable();
+		table.string("scope").nullable();
+		table.timestamp("expires_at").notNullable().index();
+		table.timestamp("used_at").nullable().index();
+	});
+	await knex.schema.createTable("directus_oauth_tokens", (table) => {
+		table.uuid("id").primary().notNullable();
+		table.string("client", 255).notNullable().references("client_id").inTable("directus_oauth_clients").onDelete("CASCADE");
+		table.uuid("user").notNullable().references("id").inTable("directus_users").onDelete("CASCADE");
+		table.string("session", 64).notNullable().index();
+		table.string("previous_session", 64).nullable().index();
+		table.string("resource").notNullable();
+		table.string("code_hash", 64).notNullable().index();
+		table.string("scope").nullable();
+		table.timestamp("expires_at").notNullable().index();
+		table.timestamp("date_created").notNullable();
+		table.unique(["client", "user"]);
+	});
+	await knex.schema.alterTable("directus_sessions", (table) => {
+		table.string("oauth_client", 255).nullable().references("client_id").inTable("directus_oauth_clients").onDelete("CASCADE").index();
+	});
+}
+async function down(knex) {
+	await knex.schema.alterTable("directus_sessions", (table) => {
+		table.dropForeign("oauth_client");
+		table.dropColumn("oauth_client");
+	});
+	await knex.schema.dropTable("directus_oauth_tokens");
+	await knex.schema.dropTable("directus_oauth_codes");
+	await knex.schema.dropTable("directus_oauth_consents");
+	await knex.schema.dropTable("directus_oauth_clients");
+	await knex.schema.alterTable("directus_settings", (table) => {
+		table.dropColumn("mcp_oauth_enabled");
+		table.dropColumn("mcp_oauth_dcr_enabled");
+		table.dropColumn("mcp_oauth_cimd_enabled");
+	});
+}
+
+//#endregion
+export { down, up };