@directus/api 9.25.0

package/dist/middleware/authenticate.js

@@ -0,0 +1,75 @@
+import { isEqual } from 'lodash-es';
+import getDatabase from '../database/index.js';
+import emitter from '../emitter.js';
+import env from '../env.js';
+import { InvalidCredentialsException } from '../exceptions/index.js';
+import asyncHandler from '../utils/async-handler.js';
+import { getIPFromReq } from '../utils/get-ip-from-req.js';
+import isDirectusJWT from '../utils/is-directus-jwt.js';
+import { verifyAccessJWT } from '../utils/jwt.js';
+/**
+ * Verify the passed JWT and assign the user ID and role to `req`
+ */
+export const handler = async (req, _res, next) => {
+    const defaultAccountability = {
+        user: null,
+        role: null,
+        admin: false,
+        app: false,
+        ip: getIPFromReq(req),
+    };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        defaultAccountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        defaultAccountability.origin = origin;
+    const database = getDatabase();
+    const customAccountability = await emitter.emitFilter('authenticate', defaultAccountability, {
+        req,
+    }, {
+        database,
+        schema: null,
+        accountability: null,
+    });
+    if (customAccountability && isEqual(customAccountability, defaultAccountability) === false) {
+        req.accountability = customAccountability;
+        return next();
+    }
+    req.accountability = defaultAccountability;
+    if (req.token) {
+        if (isDirectusJWT(req.token)) {
+            const payload = verifyAccessJWT(req.token, env['SECRET']);
+            req.accountability.role = payload.role;
+            req.accountability.admin = payload.admin_access === true || payload.admin_access == 1;
+            req.accountability.app = payload.app_access === true || payload.app_access == 1;
+            if (payload.share)
+                req.accountability.share = payload.share;
+            if (payload.share_scope)
+                req.accountability.share_scope = payload.share_scope;
+            if (payload.id)
+                req.accountability.user = payload.id;
+        }
+        else {
+            // Try finding the user with the provided token
+            const user = await database
+                .select('directus_users.id', 'directus_users.role', 'directus_roles.admin_access', 'directus_roles.app_access')
+                .from('directus_users')
+                .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
+                .where({
+                'directus_users.token': req.token,
+                status: 'active',
+            })
+                .first();
+            if (!user) {
+                throw new InvalidCredentialsException();
+            }
+            req.accountability.user = user.id;
+            req.accountability.role = user.role;
+            req.accountability.admin = user.admin_access === true || user.admin_access == 1;
+            req.accountability.app = user.app_access === true || user.app_access == 1;
+        }
+    }
+    return next();
+};
+export default asyncHandler(handler);

package/dist/middleware/authenticate.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/cache.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+declare const checkCacheMiddleware: RequestHandler;
+export default checkCacheMiddleware;

package/dist/middleware/cache.js

@@ -0,0 +1,56 @@
+import { getCache, getCacheValue } from '../cache.js';
+import env from '../env.js';
+import logger from '../logger.js';
+import asyncHandler from '../utils/async-handler.js';
+import { getCacheControlHeader } from '../utils/get-cache-headers.js';
+import { getCacheKey } from '../utils/get-cache-key.js';
+import { shouldSkipCache } from '../utils/should-skip-cache.js';
+const checkCacheMiddleware = asyncHandler(async (req, res, next) => {
+    const { cache } = getCache();
+    if (req.method.toLowerCase() !== 'get' && req.originalUrl?.startsWith('/graphql') === false)
+        return next();
+    if (env['CACHE_ENABLED'] !== true)
+        return next();
+    if (!cache)
+        return next();
+    if (shouldSkipCache(req)) {
+        if (env['CACHE_STATUS_HEADER'])
+            res.setHeader(`${env['CACHE_STATUS_HEADER']}`, 'MISS');
+        return next();
+    }
+    const key = getCacheKey(req);
+    let cachedData;
+    try {
+        cachedData = await getCacheValue(cache, key);
+    }
+    catch (err) {
+        logger.warn(err, `[cache] Couldn't read key ${key}. ${err.message}`);
+        if (env['CACHE_STATUS_HEADER'])
+            res.setHeader(`${env['CACHE_STATUS_HEADER']}`, 'MISS');
+        return next();
+    }
+    if (cachedData) {
+        let cacheExpiryDate;
+        try {
+            cacheExpiryDate = (await getCacheValue(cache, `${key}__expires_at`))?.exp;
+        }
+        catch (err) {
+            logger.warn(err, `[cache] Couldn't read key ${`${key}__expires_at`}. ${err.message}`);
+            if (env['CACHE_STATUS_HEADER'])
+                res.setHeader(`${env['CACHE_STATUS_HEADER']}`, 'MISS');
+            return next();
+        }
+        const cacheTTL = cacheExpiryDate ? cacheExpiryDate - Date.now() : undefined;
+        res.setHeader('Cache-Control', getCacheControlHeader(req, cacheTTL, true, true));
+        res.setHeader('Vary', 'Origin, Cache-Control');
+        if (env['CACHE_STATUS_HEADER'])
+            res.setHeader(`${env['CACHE_STATUS_HEADER']}`, 'HIT');
+        return res.json(cachedData);
+    }
+    else {
+        if (env['CACHE_STATUS_HEADER'])
+            res.setHeader(`${env['CACHE_STATUS_HEADER']}`, 'MISS');
+        return next();
+    }
+});
+export default checkCacheMiddleware;

package/dist/middleware/check-ip.d.ts

@@ -0,0 +1,2 @@
+import type { RequestHandler } from 'express';
+export declare const checkIP: RequestHandler;

package/dist/middleware/check-ip.js

@@ -0,0 +1,18 @@
+import getDatabase from '../database/index.js';
+import { InvalidIPException } from '../exceptions/index.js';
+import asyncHandler from '../utils/async-handler.js';
+export const checkIP = asyncHandler(async (req, _res, next) => {
+    const database = getDatabase();
+    const query = database.select('ip_access').from('directus_roles');
+    if (req.accountability.role) {
+        query.where({ id: req.accountability.role });
+    }
+    else {
+        query.whereNull('id');
+    }
+    const role = await query.first();
+    const ipAllowlist = (role?.ip_access || '').split(',').filter((ip) => ip);
+    if (ipAllowlist.length > 0 && ipAllowlist.includes(req.accountability.ip) === false)
+        throw new InvalidIPException();
+    return next();
+});

package/dist/middleware/collection-exists.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Check if requested collection exists, and save it to req.collection
+ */
+import type { RequestHandler } from 'express';
+declare const collectionExists: RequestHandler;
+export default collectionExists;

package/dist/middleware/collection-exists.js

@@ -0,0 +1,25 @@
+/**
+ * Check if requested collection exists, and save it to req.collection
+ */
+import { systemCollectionRows } from '../database/system-data/collections/index.js';
+import { ForbiddenException } from '../exceptions/index.js';
+import asyncHandler from '../utils/async-handler.js';
+const collectionExists = asyncHandler(async (req, _res, next) => {
+    if (!req.params['collection'])
+        return next();
+    if (req.params['collection'] in req.schema.collections === false) {
+        throw new ForbiddenException();
+    }
+    req.collection = req.params['collection'];
+    if (req.collection.startsWith('directus_')) {
+        const systemRow = systemCollectionRows.find((collection) => {
+            return collection?.collection === req.collection;
+        });
+        req.singleton = !!systemRow?.singleton;
+    }
+    else {
+        req.singleton = req.schema.collections[req.collection]?.singleton ?? false;
+    }
+    return next();
+});
+export default collectionExists;

package/dist/middleware/cors.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+declare let corsMiddleware: RequestHandler;
+export default corsMiddleware;

package/dist/middleware/cors.js

@@ -0,0 +1,14 @@
+import cors from 'cors';
+import env from '../env.js';
+let corsMiddleware = (_req, _res, next) => next();
+if (env['CORS_ENABLED'] === true) {
+    corsMiddleware = cors({
+        origin: env['CORS_ORIGIN'] || true,
+        methods: env['CORS_METHODS'] || 'GET,POST,PATCH,DELETE',
+        allowedHeaders: env['CORS_ALLOWED_HEADERS'],
+        exposedHeaders: env['CORS_EXPOSED_HEADERS'],
+        credentials: env['CORS_CREDENTIALS'] || undefined,
+        maxAge: env['CORS_MAX_AGE'] || undefined,
+    });
+}
+export default corsMiddleware;

package/dist/middleware/error-handler.d.ts

@@ -0,0 +1,3 @@
+import type { ErrorRequestHandler } from 'express';
+declare const errorHandler: ErrorRequestHandler;
+export default errorHandler;

package/dist/middleware/error-handler.js

@@ -0,0 +1,90 @@
+import { BaseException } from '@directus/exceptions';
+import { toArray } from '@directus/utils';
+import getDatabase from '../database/index.js';
+import emitter from '../emitter.js';
+import env from '../env.js';
+import { MethodNotAllowedException } from '../exceptions/index.js';
+import logger from '../logger.js';
+// Note: keep all 4 parameters here. That's how Express recognizes it's the error handler, even if
+// we don't use next
+const errorHandler = (err, req, res, _next) => {
+    let payload = {
+        errors: [],
+    };
+    const errors = toArray(err);
+    if (errors.some((err) => err instanceof BaseException === false)) {
+        res.status(500);
+    }
+    else {
+        let status = errors[0].status;
+        for (const err of errors) {
+            if (status !== err.status) {
+                // If there's multiple different status codes in the errors, use 500
+                status = 500;
+                break;
+            }
+        }
+        res.status(status);
+    }
+    for (const err of errors) {
+        if (env['NODE_ENV'] === 'development') {
+            err.extensions = {
+                ...(err.extensions || {}),
+                stack: err.stack,
+            };
+        }
+        if (err instanceof BaseException) {
+            logger.debug(err);
+            res.status(err.status);
+            payload.errors.push({
+                message: err.message,
+                extensions: {
+                    code: err.code,
+                    ...err.extensions,
+                },
+            });
+            if (err instanceof MethodNotAllowedException) {
+                res.header('Allow', err.extensions['allow'].join(', '));
+            }
+        }
+        else {
+            logger.error(err);
+            res.status(500);
+            if (req.accountability?.admin === true) {
+                payload = {
+                    errors: [
+                        {
+                            message: err.message,
+                            extensions: {
+                                code: 'INTERNAL_SERVER_ERROR',
+                                ...err.extensions,
+                            },
+                        },
+                    ],
+                };
+            }
+            else {
+                payload = {
+                    errors: [
+                        {
+                            message: 'An unexpected error occurred.',
+                            extensions: {
+                                code: 'INTERNAL_SERVER_ERROR',
+                            },
+                        },
+                    ],
+                };
+            }
+        }
+    }
+    emitter
+        .emitFilter('request.error', payload.errors, {}, {
+        database: getDatabase(),
+        schema: req.schema,
+        accountability: req.accountability ?? null,
+    })
+        .then((updatedErrors) => {
+        return res.json({ ...payload, errors: updatedErrors });
+    });
+};
+export default errorHandler;

package/dist/middleware/extract-token.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Extract access token from:
+ *
+ * Authorization: Bearer
+ * access_token query parameter
+ *
+ * and store in req.token
+ */
+import type { RequestHandler } from 'express';
+declare const extractToken: RequestHandler;
+export default extractToken;

package/dist/middleware/extract-token.js

@@ -0,0 +1,30 @@
+/**
+ * Extract access token from:
+ *
+ * Authorization: Bearer
+ * access_token query parameter
+ *
+ * and store in req.token
+ */
+const extractToken = (req, _res, next) => {
+    let token = null;
+    if (req.query && req.query['access_token']) {
+        token = req.query['access_token'];
+    }
+    if (req.headers && req.headers.authorization) {
+        const parts = req.headers.authorization.split(' ');
+        if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
+            token = parts[1];
+        }
+    }
+    /**
+     * @TODO
+     * Look into RFC6750 compliance:
+     * In order to be fully compliant with RFC6750, we have to throw a 400 error when you have the
+     * token in more than 1 place afaik. We also might have to support "access_token" as a post body
+     * key
+     */
+    req.token = token;
+    next();
+};
+export default extractToken;

package/dist/middleware/extract-token.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/get-permissions.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+declare const getPermissions: RequestHandler;
+export default getPermissions;

package/dist/middleware/get-permissions.js

@@ -0,0 +1,10 @@
+import asyncHandler from '../utils/async-handler.js';
+import { getPermissions as getPermissionsUtil } from '../utils/get-permissions.js';
+const getPermissions = asyncHandler(async (req, _res, next) => {
+    if (!req.accountability) {
+        throw new Error('getPermissions middleware needs to be called after authenticate');
+    }
+    req.accountability.permissions = await getPermissionsUtil(req.accountability, req.schema);
+    return next();
+});
+export default getPermissions;

package/dist/middleware/graphql.d.ts

@@ -0,0 +1,2 @@
+import type { RequestHandler } from 'express';
+export declare const parseGraphQL: RequestHandler;

package/dist/middleware/graphql.js

@@ -0,0 +1,63 @@
+import { parseJSON } from '@directus/utils';
+import { getOperationAST, parse, Source } from 'graphql';
+import { InvalidPayloadException, InvalidQueryException, MethodNotAllowedException } from '../exceptions/index.js';
+import asyncHandler from '../utils/async-handler.js';
+export const parseGraphQL = asyncHandler(async (req, res, next) => {
+    if (req.method !== 'GET' && req.method !== 'POST') {
+        throw new MethodNotAllowedException('GraphQL only supports GET and POST requests.', { allow: ['GET', 'POST'] });
+    }
+    let query = null;
+    let variables = null;
+    let operationName = null;
+    let document;
+    if (req.method === 'GET') {
+        query = req.query['query'] || null;
+        if (req.query['variables']) {
+            try {
+                variables = parseJSON(req.query['variables']);
+            }
+            catch {
+                throw new InvalidQueryException(`Variables are invalid JSON.`);
+            }
+        }
+        else {
+            variables = {};
+        }
+        operationName = req.query['operationName'] || null;
+    }
+    else {
+        query = req.body.query || null;
+        variables = req.body.variables || null;
+        operationName = req.body.operationName || null;
+    }
+    if (query === null) {
+        throw new InvalidPayloadException('Must provide query string.');
+    }
+    try {
+        document = parse(new Source(query));
+    }
+    catch (err) {
+        throw new InvalidPayloadException(`GraphQL schema validation error.`, {
+            graphqlErrors: [err],
+        });
+    }
+    const operationAST = getOperationAST(document, operationName);
+    // You can only do `query` through GET
+    if (req.method === 'GET' && operationAST?.operation !== 'query') {
+        throw new MethodNotAllowedException(`Can only perform a ${operationAST?.operation} from a POST request.`, {
+            allow: ['POST'],
+        });
+    }
+    // Prevent caching responses when mutations are made
+    if (operationAST?.operation === 'mutation') {
+        res.locals['cache'] = false;
+    }
+    res.locals['graphqlParams'] = {
+        document,
+        query,
+        variables,
+        operationName,
+        contextValue: { req, res },
+    };
+    return next();
+});

package/dist/middleware/rate-limiter-global.d.ts

@@ -0,0 +1,5 @@
+import type { RequestHandler } from 'express';
+import type { RateLimiterMemcache, RateLimiterMemory, RateLimiterRedis } from 'rate-limiter-flexible';
+declare let checkRateLimit: RequestHandler;
+export declare let rateLimiterGlobal: RateLimiterRedis | RateLimiterMemcache | RateLimiterMemory;
+export default checkRateLimit;

package/dist/middleware/rate-limiter-global.js

@@ -0,0 +1,43 @@
+import ms from 'ms';
+import env from '../env.js';
+import { HitRateLimitException } from '../exceptions/index.js';
+import logger from '../logger.js';
+import { createRateLimiter } from '../rate-limiter.js';
+import asyncHandler from '../utils/async-handler.js';
+import { validateEnv } from '../utils/validate-env.js';
+const RATE_LIMITER_GLOBAL_KEY = 'global-rate-limit';
+let checkRateLimit = (_req, _res, next) => next();
+export let rateLimiterGlobal;
+if (env['RATE_LIMITER_GLOBAL_ENABLED'] === true) {
+    validateEnv(['RATE_LIMITER_GLOBAL_STORE', 'RATE_LIMITER_GLOBAL_DURATION', 'RATE_LIMITER_GLOBAL_POINTS']);
+    validateConfiguration();
+    rateLimiterGlobal = createRateLimiter('RATE_LIMITER_GLOBAL');
+    checkRateLimit = asyncHandler(async (_req, res, next) => {
+        try {
+            await rateLimiterGlobal.consume(RATE_LIMITER_GLOBAL_KEY, 1);
+        }
+        catch (rateLimiterRes) {
+            if (rateLimiterRes instanceof Error)
+                throw rateLimiterRes;
+            res.set('Retry-After', String(Math.round(rateLimiterRes.msBeforeNext / 1000)));
+            throw new HitRateLimitException(`Too many requests, retry after ${ms(rateLimiterRes.msBeforeNext)}.`, {
+                limit: +env['RATE_LIMITER_GLOBAL_POINTS'],
+                reset: new Date(Date.now() + rateLimiterRes.msBeforeNext),
+            });
+        }
+        next();
+    });
+}
+export default checkRateLimit;
+function validateConfiguration() {
+    if (env['RATE_LIMITER_ENABLED'] !== true) {
+        logger.error(`The IP based rate limiter needs to be enabled when using the global rate limiter.`);
+        process.exit(1);
+    }
+    const globalPointsPerSec = Number(env['RATE_LIMITER_GLOBAL_POINTS']) / Math.max(Number(env['RATE_LIMITER_GLOBAL_DURATION']), 1);
+    const regularPointsPerSec = Number(env['RATE_LIMITER_POINTS']) / Math.max(Number(env['RATE_LIMITER_DURATION']), 1);
+    if (globalPointsPerSec <= regularPointsPerSec) {
+        logger.error(`The global rate limiter needs to allow more requests per second than the IP based rate limiter.`);
+        process.exit(1);
+    }
+}

package/dist/middleware/rate-limiter-ip.d.ts

@@ -0,0 +1,5 @@
+import type { RequestHandler } from 'express';
+import type { RateLimiterMemcache, RateLimiterMemory, RateLimiterRedis } from 'rate-limiter-flexible';
+declare let checkRateLimit: RequestHandler;
+export declare let rateLimiter: RateLimiterRedis | RateLimiterMemcache | RateLimiterMemory;
+export default checkRateLimit;

package/dist/middleware/rate-limiter-ip.js

@@ -0,0 +1,29 @@
+import ms from 'ms';
+import env from '../env.js';
+import { HitRateLimitException } from '../exceptions/index.js';
+import { createRateLimiter } from '../rate-limiter.js';
+import asyncHandler from '../utils/async-handler.js';
+import { getIPFromReq } from '../utils/get-ip-from-req.js';
+import { validateEnv } from '../utils/validate-env.js';
+let checkRateLimit = (_req, _res, next) => next();
+export let rateLimiter;
+if (env['RATE_LIMITER_ENABLED'] === true) {
+    validateEnv(['RATE_LIMITER_STORE', 'RATE_LIMITER_DURATION', 'RATE_LIMITER_POINTS']);
+    rateLimiter = createRateLimiter('RATE_LIMITER');
+    checkRateLimit = asyncHandler(async (req, res, next) => {
+        try {
+            await rateLimiter.consume(getIPFromReq(req), 1);
+        }
+        catch (rateLimiterRes) {
+            if (rateLimiterRes instanceof Error)
+                throw rateLimiterRes;
+            res.set('Retry-After', String(Math.round(rateLimiterRes.msBeforeNext / 1000)));
+            throw new HitRateLimitException(`Too many requests, retry after ${ms(rateLimiterRes.msBeforeNext)}.`, {
+                limit: +env['RATE_LIMITER_POINTS'],
+                reset: new Date(Date.now() + rateLimiterRes.msBeforeNext),
+            });
+        }
+        next();
+    });
+}
+export default checkRateLimit;

package/dist/middleware/respond.d.ts

@@ -0,0 +1,2 @@
+import type { RequestHandler } from 'express';
+export declare const respond: RequestHandler;

package/dist/middleware/respond.js

@@ -0,0 +1,82 @@
+import { parse as parseBytesConfiguration } from 'bytes';
+import { getCache, setCacheValue } from '../cache.js';
+import env from '../env.js';
+import logger from '../logger.js';
+import { ExportService } from '../services/import-export.js';
+import asyncHandler from '../utils/async-handler.js';
+import { getCacheControlHeader } from '../utils/get-cache-headers.js';
+import { getCacheKey } from '../utils/get-cache-key.js';
+import { getDateFormatted } from '../utils/get-date-formatted.js';
+import { getMilliseconds } from '../utils/get-milliseconds.js';
+import { stringByteSize } from '../utils/get-string-byte-size.js';
+export const respond = asyncHandler(async (req, res) => {
+    const { cache } = getCache();
+    let exceedsMaxSize = false;
+    if (env['CACHE_VALUE_MAX_SIZE'] !== false) {
+        const valueSize = res.locals['payload'] ? stringByteSize(JSON.stringify(res.locals['payload'])) : 0;
+        const maxSize = parseBytesConfiguration(env['CACHE_VALUE_MAX_SIZE']);
+        exceedsMaxSize = valueSize > maxSize;
+    }
+    if ((req.method.toLowerCase() === 'get' || req.originalUrl?.startsWith('/graphql')) &&
+        env['CACHE_ENABLED'] === true &&
+        cache &&
+        !req.sanitizedQuery.export &&
+        res.locals['cache'] !== false &&
+        exceedsMaxSize === false) {
+        const key = getCacheKey(req);
+        try {
+            await setCacheValue(cache, key, res.locals['payload'], getMilliseconds(env['CACHE_TTL']));
+            await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + getMilliseconds(env['CACHE_TTL'], 0) });
+        }
+        catch (err) {
+            logger.warn(err, `[cache] Couldn't set key ${key}. ${err}`);
+        }
+        res.setHeader('Cache-Control', getCacheControlHeader(req, getMilliseconds(env['CACHE_TTL']), true, true));
+        res.setHeader('Vary', 'Origin, Cache-Control');
+    }
+    else {
+        // Don't cache anything by default
+        res.setHeader('Cache-Control', 'no-cache');
+        res.setHeader('Vary', 'Origin, Cache-Control');
+    }
+    if (req.sanitizedQuery.export) {
+        const exportService = new ExportService({ accountability: req.accountability ?? null, schema: req.schema });
+        let filename = '';
+        if (req.collection) {
+            filename += req.collection;
+        }
+        else {
+            filename += 'Export';
+        }
+        filename += ' ' + getDateFormatted();
+        if (req.sanitizedQuery.export === 'json') {
+            res.attachment(`${filename}.json`);
+            res.set('Content-Type', 'application/json');
+            return res.status(200).send(exportService.transform(res.locals['payload']?.data, 'json'));
+        }
+        if (req.sanitizedQuery.export === 'xml') {
+            res.attachment(`${filename}.xml`);
+            res.set('Content-Type', 'text/xml');
+            return res.status(200).send(exportService.transform(res.locals['payload']?.data, 'xml'));
+        }
+        if (req.sanitizedQuery.export === 'csv') {
+            res.attachment(`${filename}.csv`);
+            res.set('Content-Type', 'text/csv');
+            return res.status(200).send(exportService.transform(res.locals['payload']?.data, 'csv'));
+        }
+        if (req.sanitizedQuery.export === 'yaml') {
+            res.attachment(`${filename}.yaml`);
+            res.set('Content-Type', 'text/yaml');
+            return res.status(200).send(exportService.transform(res.locals['payload']?.data, 'yaml'));
+        }
+    }
+    if (Buffer.isBuffer(res.locals['payload'])) {
+        return res.end(res.locals['payload']);
+    }
+    else if (res.locals['payload']) {
+        return res.json(res.locals['payload']);
+    }
+    else {
+        return res.status(204).end();
+    }
+});

package/dist/middleware/sanitize-query.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Sanitize query parameters.
+ * This ensures that query params are formatted and ready to go for the services.
+ */
+import type { RequestHandler } from 'express';
+declare const sanitizeQueryMiddleware: RequestHandler;
+export default sanitizeQueryMiddleware;

package/dist/middleware/sanitize-query.js

@@ -0,0 +1,19 @@
+/**
+ * Sanitize query parameters.
+ * This ensures that query params are formatted and ready to go for the services.
+ */
+import { sanitizeQuery } from '../utils/sanitize-query.js';
+import { validateQuery } from '../utils/validate-query.js';
+const sanitizeQueryMiddleware = (req, _res, next) => {
+    req.sanitizedQuery = {};
+    if (!req.query)
+        return;
+    req.sanitizedQuery = sanitizeQuery({
+        fields: req.query['fields'] || '*',
+        ...req.query,
+    }, req.accountability || null);
+    Object.freeze(req.sanitizedQuery);
+    validateQuery(req.sanitizedQuery);
+    return next();
+};
+export default sanitizeQueryMiddleware;

package/dist/middleware/schema.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+declare const schema: RequestHandler;
+export default schema;