directus 9.14.5 → 9.16.0

package/dist/middleware/authenticate.test.js

@@ -0,0 +1,174 @@
+"use strict";
+// @ts-nocheck
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const database_1 = __importDefault(require("../database"));
+const emitter_1 = __importDefault(require("../emitter"));
+const env_1 = __importDefault(require("../env"));
+const exceptions_1 = require("../exceptions");
+const authenticate_1 = require("./authenticate");
+require("../../src/types/express.d.ts");
+jest.mock('../../src/database');
+jest.mock('../../src/env', () => ({
+    SECRET: 'test',
+}));
+afterEach(() => {
+    jest.resetAllMocks();
+});
+test('Short-circuits when authenticate filter is used', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn(),
+    };
+    const res = {};
+    const next = jest.fn();
+    const customAccountability = { admin: true };
+    jest.spyOn(emitter_1.default, 'emitFilter').mockResolvedValue(customAccountability);
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(customAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Uses default public accountability when no token is given', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+    };
+    const res = {};
+    const next = jest.fn();
+    jest.spyOn(emitter_1.default, 'emitFilter').mockImplementation((_, payload) => payload);
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: null,
+        role: null,
+        admin: false,
+        app: false,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Sets accountability to payload contents if valid token is passed', async () => {
+    const userID = '3fac3c02-607f-4438-8d6e-6b8b25109b52';
+    const roleID = '38269fc6-6eb6-475a-93cb-479d97f73039';
+    const share = 'ca0ad005-f4ad-4bfe-b428-419ee8784790';
+    const shareScope = {
+        collection: 'articles',
+        item: 15,
+    };
+    const appAccess = true;
+    const adminAccess = false;
+    const token = jsonwebtoken_1.default.sign({
+        id: userID,
+        role: roleID,
+        app_access: appAccess,
+        admin_access: adminAccess,
+        share,
+        share_scope: shareScope,
+    }, env_1.default.SECRET, { issuer: 'directus' });
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+        token,
+    };
+    const res = {};
+    const next = jest.fn();
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: userID,
+        role: roleID,
+        app: appAccess,
+        admin: adminAccess,
+        share,
+        share_scope: shareScope,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test with 1/0 instead or true/false
+    next.mockClear();
+    req.token = jsonwebtoken_1.default.sign({
+        id: userID,
+        role: roleID,
+        app_access: 1,
+        admin_access: 0,
+        share,
+        share_scope: shareScope,
+    }, env_1.default.SECRET, { issuer: 'directus' });
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: userID,
+        role: roleID,
+        app: appAccess,
+        admin: adminAccess,
+        share,
+        share_scope: shareScope,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Throws InvalidCredentialsException when static token is used, but user does not exist', async () => {
+    jest.mocked(database_1.default).mockReturnValue({
+        select: jest.fn().mockReturnThis(),
+        from: jest.fn().mockReturnThis(),
+        leftJoin: jest.fn().mockReturnThis(),
+        where: jest.fn().mockReturnThis(),
+        first: jest.fn().mockResolvedValue(undefined),
+    });
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+        token: 'static-token',
+    };
+    const res = {};
+    const next = jest.fn();
+    expect((0, authenticate_1.handler)(req, res, next)).rejects.toEqual(new exceptions_1.InvalidCredentialsException());
+    expect(next).toHaveBeenCalledTimes(0);
+});
+test('Sets accountability to user information when static token is used', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+        token: 'static-token',
+    };
+    const res = {};
+    const next = jest.fn();
+    const testUser = { id: 'test-id', role: 'test-role', admin_access: true, app_access: false };
+    const expectedAccountability = {
+        user: testUser.id,
+        role: testUser.role,
+        app: testUser.app_access,
+        admin: testUser.admin_access,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    };
+    jest.mocked(database_1.default).mockReturnValue({
+        select: jest.fn().mockReturnThis(),
+        from: jest.fn().mockReturnThis(),
+        leftJoin: jest.fn().mockReturnThis(),
+        where: jest.fn().mockReturnThis(),
+        first: jest.fn().mockResolvedValue(testUser),
+    });
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test for 0 / 1 instead of false / true
+    next.mockClear();
+    testUser.admin_access = 1;
+    testUser.app_access = 0;
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test for "1" / "0" instead of true / false
+    next.mockClear();
+    testUser.admin_access = '0';
+    testUser.app_access = '1';
+    expectedAccountability.admin = false;
+    expectedAccountability.app = true;
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+});

package/dist/middleware/cache.js

@@ -10,7 +10,7 @@ const get_cache_headers_1 = require("../utils/get-cache-headers");
 const get_cache_key_1 = require("../utils/get-cache-key");
 const logger_1 = __importDefault(require("../logger"));
 const checkCacheMiddleware = (0, async_handler_1.default)(async (req, res, next) => {
-    var _a, _b, _c;
+    var _a, _b, _c, _d;
     const { cache } = (0, cache_1.getCache)();
     if (req.method.toLowerCase() !== 'get' && ((_a = req.path) === null || _a === void 0 ? void 0 : _a.startsWith('/graphql')) === false)
         return next();
@@ -26,7 +26,7 @@ const checkCacheMiddleware = (0, async_handler_1.default)(async (req, res, next)
     const key = (0, get_cache_key_1.getCacheKey)(req);
     let cachedData;
     try {
-        cachedData = await cache.get(key);
+        cachedData = await (0, cache_1.getCacheValue)(cache, key);
     }
     catch (err) {
         logger_1.default.warn(err, `[cache] Couldn't read key ${key}. ${err.message}`);
@@ -37,7 +37,7 @@ const checkCacheMiddleware = (0, async_handler_1.default)(async (req, res, next)
     if (cachedData) {
         let cacheExpiryDate;
         try {
-            cacheExpiryDate = (await cache.get(`${key}__expires_at`));
+            cacheExpiryDate = (_d = (await (0, cache_1.getCacheValue)(cache, `${key}__expires_at`))) === null || _d === void 0 ? void 0 : _d.exp;
         }
         catch (err) {
             logger_1.default.warn(err, `[cache] Couldn't read key ${`${key}__expires_at`}. ${err.message}`);

package/dist/middleware/extract-token.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/extract-token.test.js

@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const extract_token_1 = __importDefault(require("../../src/middleware/extract-token"));
+require("../../src/types/express.d.ts");
+let mockRequest;
+let mockResponse;
+const nextFunction = jest.fn();
+beforeEach(() => {
+    mockRequest = {};
+    mockResponse = {};
+    jest.clearAllMocks();
+});
+test('Token from query', () => {
+    mockRequest = {
+        query: {
+            access_token: 'test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Token from Authorization header (capitalized)', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'Bearer test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Token from Authorization header (lowercase)', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'bearer test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Ignore the token if authorization header is too many parts', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'bearer test what another one',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBeNull();
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Null if no token passed', () => {
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBeNull();
+    expect(nextFunction).toBeCalledTimes(1);
+});

package/dist/middleware/respond.js

@@ -32,8 +32,8 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         exceedsMaxSize === false) {
         const key = (0, get_cache_key_1.getCacheKey)(req);
         try {
-            await cache.set(key, res.locals.payload, (0, ms_1.default)(env_1.default.CACHE_TTL));
-            await cache.set(`${key}__expires_at`, Date.now() + (0, ms_1.default)(env_1.default.CACHE_TTL));
+            await (0, cache_1.setCacheValue)(cache, key, res.locals.payload, (0, ms_1.default)(env_1.default.CACHE_TTL));
+            await (0, cache_1.setCacheValue)(cache, `${key}__expires_at`, { exp: Date.now() + (0, ms_1.default)(env_1.default.CACHE_TTL) });
         }
         catch (err) {
             logger_1.default.warn(err, `[cache] Couldn't set key ${key}. ${err}`);

package/dist/operations/exec/index.d.ts

@@ -0,0 +1,5 @@
+declare type Options = {
+    code: string;
+};
+declare const _default: import("@directus/shared/types").OperationApiConfig<Options>;
+export default _default;

package/dist/operations/exec/index.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const utils_1 = require("@directus/shared/utils");
+const vm2_1 = require("vm2");
+exports.default = (0, utils_1.defineOperationApi)({
+    id: 'exec',
+    handler: async ({ code }, { data, env }) => {
+        const allowedModules = env.FLOWS_EXEC_ALLOWED_MODULES ? (0, utils_1.toArray)(env.FLOWS_EXEC_ALLOWED_MODULES) : [];
+        const opts = {
+            eval: false,
+            wasm: false,
+        };
+        if (allowedModules.length > 0) {
+            opts.require = {
+                external: {
+                    modules: allowedModules,
+                    transitive: false,
+                },
+            };
+        }
+        const vm = new vm2_1.NodeVM(opts);
+        const script = new vm2_1.VMScript(code).compile();
+        const fn = await vm.run(script);
+        return await fn(data);
+    },
+});

package/dist/operations/exec/index.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/operations/exec/index.test.js

@@ -0,0 +1,95 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vm2_1 = require("vm2");
+const index_1 = __importDefault(require("./index"));
+test('Rejects when modules are used without modules being allowed', async () => {
+    const testCode = `
+		const test = require('test');
+	`;
+    await expect(index_1.default.handler({ code: testCode }, {
+        data: {},
+        env: {
+            FLOWS_EXEC_ALLOWED_MODULES: '',
+        },
+    })).rejects.toEqual(new vm2_1.VMError("Cannot find module 'test'"));
+});
+test('Rejects when code contains syntax errors', async () => {
+    const testCode = `
+		~~
+	`;
+    await expect(index_1.default.handler({ code: testCode }, {
+        data: {},
+        env: {
+            FLOWS_EXEC_ALLOWED_MODULES: '',
+        },
+    })).rejects.toEqual(new Error("Couldn't compile code: Unexpected end of input"));
+});
+test('Rejects when returned function does something illegal', async () => {
+    const testCode = `
+		module.exports = function() {
+			return a + b;
+		};
+	`;
+    await expect(index_1.default.handler({ code: testCode }, {
+        data: {},
+        env: {
+            FLOWS_EXEC_ALLOWED_MODULES: '',
+        },
+    })).rejects.toEqual(new ReferenceError('a is not defined'));
+});
+test("Rejects when code doesn't return valid function", async () => {
+    const testCode = `
+		module.exports = false;
+	`;
+    await expect(index_1.default.handler({ code: testCode }, {
+        data: {},
+        env: {
+            FLOWS_EXEC_ALLOWED_MODULES: '',
+        },
+    })).rejects.toEqual(new TypeError('fn is not a function'));
+});
+test('Rejects returned function throws errors', async () => {
+    const testCode = `
+		module.exports = function () {
+			throw new Error('test');
+		};
+	`;
+    await expect(index_1.default.handler({ code: testCode }, {
+        data: {},
+        env: {
+            FLOWS_EXEC_ALLOWED_MODULES: '',
+        },
+    })).rejects.toEqual(new Error('test'));
+});
+test('Executes function when valid', () => {
+    const testCode = `
+		module.exports = function (data) {
+			return { result: data.input + ' test' };
+		};
+	`;
+    expect(index_1.default.handler({ code: testCode }, {
+        data: {
+            input: 'start',
+        },
+        env: {
+            FLOWS_EXEC_ALLOWED_MODULES: '',
+        },
+    })).resolves.toEqual({ result: 'start test' });
+});
+test('Allows modules that are whitelisted', () => {
+    const testCode = `
+		const bytes = require('bytes');
+
+		module.exports = function (data) {
+			return { result: bytes(1000) };
+		};
+	`;
+    expect(index_1.default.handler({ code: testCode }, {
+        env: {
+            FLOWS_EXEC_ALLOWED_MODULES: 'bytes',
+        },
+    })).resolves.toEqual({ result: '1000B' });
+});

package/dist/operations/item-create/index.js

@@ -32,7 +32,7 @@ exports.default = (0, utils_1.defineOperationApi)({
             result = null;
         }
         else {
-            result = await itemsService.createMany((0, utils_1.toArray)(payloadObject), { emitEvents });
+            result = await itemsService.createMany((0, utils_1.toArray)(payloadObject), { emitEvents: !!emitEvents });
         }
         return result;
     },

package/dist/operations/item-delete/index.js

@@ -35,10 +35,10 @@ exports.default = (0, utils_1.defineOperationApi)({
         else {
             const keys = (0, utils_1.toArray)(key);
             if (keys.length === 1) {
-                result = await itemsService.deleteOne(keys[0], { emitEvents });
+                result = await itemsService.deleteOne(keys[0], { emitEvents: !!emitEvents });
             }
             else {
-                result = await itemsService.deleteMany(keys, { emitEvents });
+                result = await itemsService.deleteMany(keys, { emitEvents: !!emitEvents });
             }
         }
         return result;

package/dist/operations/item-read/index.js

@@ -35,10 +35,10 @@ exports.default = (0, utils_1.defineOperationApi)({
         else {
             const keys = (0, utils_1.toArray)(key);
             if (keys.length === 1) {
-                result = await itemsService.readOne(keys[0], sanitizedQueryObject, { emitEvents });
+                result = await itemsService.readOne(keys[0], sanitizedQueryObject, { emitEvents: !!emitEvents });
             }
             else {
-                result = await itemsService.readMany(keys, sanitizedQueryObject, { emitEvents });
+                result = await itemsService.readMany(keys, sanitizedQueryObject, { emitEvents: !!emitEvents });
             }
         }
         return result;

package/dist/operations/item-update/index.js

@@ -35,15 +35,15 @@ exports.default = (0, utils_1.defineOperationApi)({
         }
         let result;
         if (!key || (Array.isArray(key) && key.length === 0)) {
-            result = await itemsService.updateByQuery(sanitizedQueryObject, payloadObject, { emitEvents });
+            result = await itemsService.updateByQuery(sanitizedQueryObject, payloadObject, { emitEvents: !!emitEvents });
         }
         else {
             const keys = (0, utils_1.toArray)(key);
             if (keys.length === 1) {
-                result = await itemsService.updateOne(keys[0], payloadObject, { emitEvents });
+                result = await itemsService.updateOne(keys[0], payloadObject, { emitEvents: !!emitEvents });
             }
             else {
-                result = await itemsService.updateMany(keys, payloadObject, { emitEvents });
+                result = await itemsService.updateMany(keys, payloadObject, { emitEvents: !!emitEvents });
             }
         }
         return result;

package/dist/operations/notification/index.js

@@ -6,7 +6,6 @@ const get_accountability_for_role_1 = require("../../utils/get-accountability-fo
 exports.default = (0, utils_1.defineOperationApi)({
     id: 'notification',
     handler: async ({ recipient, subject, message, permissions }, { accountability, database, getSchema }) => {
-        var _a;
         const schema = await getSchema({ database });
         let customAccountability;
         if (!permissions || permissions === '$trigger') {
@@ -27,12 +26,16 @@ exports.default = (0, utils_1.defineOperationApi)({
             knex: database,
         });
         const messageString = message ? (0, utils_1.optionToString)(message) : null;
-        const result = await notificationsService.createOne({
-            recipient,
-            sender: (_a = customAccountability === null || customAccountability === void 0 ? void 0 : customAccountability.user) !== null && _a !== void 0 ? _a : null,
-            subject,
-            message: messageString,
+        const payload = (0, utils_1.toArray)(recipient).map((userId) => {
+            var _a;
+            return {
+                recipient: userId,
+                sender: (_a = customAccountability === null || customAccountability === void 0 ? void 0 : customAccountability.user) !== null && _a !== void 0 ? _a : null,
+                subject,
+                message: messageString,
+            };
         });
+        const result = await notificationsService.createMany(payload);
         return result;
     },
 });

package/dist/operations/request/index.js

@@ -8,11 +8,30 @@ const axios_1 = __importDefault(require("axios"));
 exports.default = (0, utils_1.defineOperationApi)({
     id: 'request',
     handler: async ({ url, method, body, headers }) => {
-        const customHeaders = headers === null || headers === void 0 ? void 0 : headers.reduce((acc, { header, value }) => {
+        var _a;
+        const customHeaders = (_a = headers === null || headers === void 0 ? void 0 : headers.reduce((acc, { header, value }) => {
             acc[header] = value;
             return acc;
-        }, {});
-        const result = await (0, axios_1.default)({ url: encodeURI(url), method, data: body, headers: customHeaders });
+        }, {})) !== null && _a !== void 0 ? _a : {};
+        if (!customHeaders['Content-Type'] && isValidJSON(body)) {
+            customHeaders['Content-Type'] = 'application/json';
+        }
+        const shouldEncode = decodeURI(url) === url;
+        const result = await (0, axios_1.default)({
+            url: shouldEncode ? encodeURI(url) : url,
+            method,
+            data: body,
+            headers: customHeaders,
+        });
         return { status: result.status, statusText: result.statusText, headers: result.headers, data: result.data };
+        function isValidJSON(value) {
+            try {
+                (0, utils_1.parseJSON)(value);
+                return true;
+            }
+            catch {
+                return false;
+            }
+        }
     },
 });

package/dist/services/assets.d.ts

@@ -1,8 +1,8 @@
 /// <reference types="node" />
 import { Range, StatResponse } from '@directus/drive';
+import { Accountability } from '@directus/shared/types';
 import { Knex } from 'knex';
 import { AbstractServiceOptions, TransformationParams, TransformationPreset } from '../types';
-import { Accountability } from '@directus/shared/types';
 import { AuthorizationService } from './authorization';
 export declare class AssetsService {
     knex: Knex;

package/dist/services/assets.js

@@ -32,13 +32,14 @@ const mime_types_1 = require("mime-types");
 const object_hash_1 = __importDefault(require("object-hash"));
 const path_1 = __importDefault(require("path"));
 const sharp_1 = __importDefault(require("sharp"));
+const uuid_validate_1 = __importDefault(require("uuid-validate"));
 const database_1 = __importDefault(require("../database"));
 const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
+const logger_1 = __importDefault(require("../logger"));
 const storage_1 = __importDefault(require("../storage"));
-const authorization_1 = require("./authorization");
 const TransformationUtils = __importStar(require("../utils/transformations"));
-const uuid_validate_1 = __importDefault(require("uuid-validate"));
+const authorization_1 = require("./authorization");
 sharp_1.default.concurrency(1);
 // Note: don't put this in the service. The service can be initialized in multiple places, but they
 // should all share the same semaphore instance.
@@ -140,6 +141,10 @@ class AssetsService {
                     sequentialRead: true,
                 }).rotate();
                 transforms.forEach(([method, ...args]) => transformer[method].apply(transformer, args));
+                readStream.on('error', (e) => {
+                    logger_1.default.error(e, `Couldn't transform file ${file.id}`);
+                    readStream.unpipe(transformer);
+                });
                 await storage_1.default.disk(file.storage).put(assetFilename, readStream.pipe(transformer), type);
                 return {
                     stream: storage_1.default.disk(file.storage).getStream(assetFilename, range),

package/dist/services/authorization.js

@@ -13,6 +13,7 @@ const strip_function_1 = require("../utils/strip-function");
 const items_1 = require("./items");
 const payload_1 = require("./payload");
 const get_relation_info_1 = require("../utils/get-relation-info");
+const constants_1 = require("../constants");
 class AuthorizationService {
     constructor(options) {
         this.knex = options.knex || (0, database_1.default)();
@@ -379,7 +380,7 @@ class AuthorizationService {
         const requiredColumns = [];
         for (const field of Object.values(this.schema.collections[collection].fields)) {
             const specials = (_g = field === null || field === void 0 ? void 0 : field.special) !== null && _g !== void 0 ? _g : [];
-            const hasGenerateSpecial = ['uuid', 'date-created', 'role-created', 'user-created'].some((name) => specials.includes(name));
+            const hasGenerateSpecial = constants_1.GENERATE_SPECIAL.some((name) => specials.includes(name));
             const nullable = field.nullable || hasGenerateSpecial || field.generated;
             if (!nullable) {
                 requiredColumns.push(field);

package/dist/services/files.js

@@ -229,7 +229,8 @@ class FilesService extends items_1.ItemsService {
         }
         let fileResponse;
         try {
-            fileResponse = await axios_1.default.get(importURL, {
+            const shouldEncode = decodeURI(importURL) === importURL;
+            fileResponse = await axios_1.default.get(shouldEncode ? encodeURI(importURL) : importURL, {
                 responseType: 'stream',
             });
         }
@@ -240,7 +241,7 @@ class FilesService extends items_1.ItemsService {
             });
         }
         const parsedURL = url_1.default.parse(fileResponse.request.res.responseUrl);
-        const filename = path_1.default.basename(parsedURL.pathname);
+        const filename = decodeURI(path_1.default.basename(parsedURL.pathname));
         const payload = {
             filename_download: filename,
             storage: (0, utils_1.toArray)(env_1.default.STORAGE_LOCATIONS)[0],

package/dist/services/files.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/services/files.test.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const exifr_1 = __importDefault(require("exifr"));
+const knex_1 = __importDefault(require("knex"));
+const knex_mock_client_1 = require("knex-mock-client");
+const _1 = require(".");
+jest.mock('exifr');
+jest.mock('../../src/database/index', () => {
+    return { getDatabaseClient: jest.fn().mockReturnValue('postgres') };
+});
+jest.requireMock('../../src/database/index');
+describe('Integration Tests', () => {
+    let db;
+    let tracker;
+    beforeAll(async () => {
+        db = (0, knex_1.default)({ client: knex_mock_client_1.MockClient });
+        tracker = (0, knex_mock_client_1.getTracker)();
+    });
+    afterEach(() => {
+        tracker.reset();
+    });
+    describe('Services / Files', () => {
+        describe('getMetadata', () => {
+            let service;
+            let exifrParseSpy;
+            const sampleMetadata = {
+                CustomTagA: 'value a',
+                CustomTagB: 'value b',
+                CustomTagC: 'value c',
+            };
+            beforeEach(() => {
+                exifrParseSpy = jest.spyOn(exifr_1.default, 'parse');
+                service = new _1.FilesService({
+                    knex: db,
+                    schema: { collections: {}, relations: [] },
+                });
+            });
+            it('accepts allowlist metadata tags', async () => {
+                exifrParseSpy.mockReturnValue(Promise.resolve({ ...sampleMetadata }));
+                const bufferContent = 'file buffer content';
+                const allowList = ['CustomTagB', 'CustomTagA'];
+                const metadata = await service.getMetadata(bufferContent, allowList);
+                expect(exifrParseSpy).toHaveBeenCalled();
+                expect(metadata.metadata.CustomTagA).toStrictEqual(sampleMetadata.CustomTagA);
+                expect(metadata.metadata.CustomTagB).toStrictEqual(sampleMetadata.CustomTagB);
+                expect(metadata.metadata.CustomTagC).toBeUndefined();
+            });
+        });
+    });
+});