directus 9.15.0 → 9.16.1

package/dist/app.js

@@ -190,6 +190,7 @@ async function createApp() {
     if (env_1.default.RATE_LIMITER_ENABLED === true) {
         app.use(rate_limiter_1.default);
     }
+    app.get('/server/ping', (req, res) => res.send('pong'));
     app.use(authenticate_1.default);
     app.use(check_ip_1.checkIP);
     app.use(sanitize_query_1.default);

package/dist/cli/index.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cli/index.test.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+jest.mock('../../src/env', () => ({
+    ...jest.requireActual('../../src/env').default,
+    EXTENSIONS_PATH: '',
+    SERVE_APP: false,
+    DB_CLIENT: 'pg',
+    DB_HOST: 'localhost',
+    DB_PORT: 5432,
+    DB_DATABASE: 'directus',
+    DB_USER: 'postgres',
+    DB_PASSWORD: 'psql1234',
+}));
+jest.mock('@directus/shared/utils/node/get-extensions', () => ({
+    getPackageExtensions: jest.fn(() => Promise.resolve([])),
+    getLocalExtensions: jest.fn(() => Promise.resolve([customCliExtension])),
+}));
+jest.mock(`/hooks/custom-cli/index.js`, () => customCliHook, { virtual: true });
+const customCliExtension = {
+    path: `/hooks/custom-cli`,
+    name: 'custom-cli',
+    type: 'hook',
+    entrypoint: 'index.js',
+    local: true,
+};
+const beforeHook = jest.fn();
+const afterAction = jest.fn();
+const afterHook = jest.fn(({ program }) => {
+    program.command('custom').action(afterAction);
+});
+const customCliHook = ({ init }) => {
+    init('cli.before', beforeHook);
+    init('cli.after', afterHook);
+};
+const writeOut = jest.fn();
+const writeErr = jest.fn();
+const setup = async () => {
+    const program = await (0, index_1.createCli)();
+    program.exitOverride();
+    program.configureOutput({ writeOut, writeErr });
+    return program;
+};
+beforeEach(jest.clearAllMocks);
+describe('cli hooks', () => {
+    test('should call hooks before and after creating the cli', async () => {
+        const program = await setup();
+        expect(beforeHook).toHaveBeenCalledTimes(1);
+        expect(beforeHook).toHaveBeenCalledWith({ event: 'cli.before', program });
+        expect(afterHook).toHaveBeenCalledTimes(1);
+        expect(afterHook).toHaveBeenCalledWith({ event: 'cli.after', program });
+    });
+    test('should be able to add a custom cli command', async () => {
+        const program = await setup();
+        program.parseAsync(['custom'], { from: 'user' });
+        expect(afterAction).toHaveBeenCalledTimes(1);
+    });
+});

package/dist/cli/utils/create-env/env-stub.liquid

@@ -296,10 +296,10 @@ EMAIL_SENDMAIL_PATH="/usr/sbin/sendmail"
 ## Email (Sendmail Transport)
 
 # What new line style to use in sendmail ["unix"]
-EMAIL_SENDMAIL_NEW_LINE="unix"
+# EMAIL_SENDMAIL_NEW_LINE="unix"
 
 # Path to your sendmail executable ["/usr/sbin/sendmail"]
-EMAIL_SENDMAIL_PATH="/usr/sbin/sendmail"
+# EMAIL_SENDMAIL_PATH="/usr/sbin/sendmail"
 
 ## Email (SMTP Transport)
 # EMAIL_SMTP_HOST="localhost"

package/dist/controllers/assets.js

@@ -148,27 +148,31 @@ router.get('/:pk/:filename?',
         res.setHeader('Content-Length', stat.size);
         return res.end();
     }
-    stream.on('data', (chunk) => res.write(chunk));
+    let isDataSent = false;
+    stream.on('data', (chunk) => {
+        isDataSent = true;
+        res.write(chunk);
+    });
     stream.on('end', () => {
-        res.status(200).send();
+        res.end();
     });
     stream.on('error', (e) => {
         logger_1.default.error(e, `Couldn't stream file ${file.id} to the client`);
-        stream.unpipe(res);
-        res.removeHeader('Content-Disposition');
-        res.removeHeader('Content-Type');
-        res.removeHeader('Content-Disposition');
-        res.removeHeader('Cache-Control');
-        res.status(500).json({
-            errors: [
-                {
-                    message: 'An unexpected error occurred.',
-                    extensions: {
-                        code: 'INTERNAL_SERVER_ERROR',
+        if (!isDataSent) {
+            res.removeHeader('Content-Type');
+            res.removeHeader('Content-Disposition');
+            res.removeHeader('Cache-Control');
+            res.status(500).json({
+                errors: [
+                    {
+                        message: 'An unexpected error occurred.',
+                        extensions: {
+                            code: 'INTERNAL_SERVER_ERROR',
+                        },
                     },
-                },
-            ],
-        });
+                ],
+            });
+        }
     });
 }));
 exports.default = router;

package/dist/controllers/files.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/controllers/files.test.js

@@ -0,0 +1,49 @@
+"use strict";
+// @ts-nocheck
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+jest.mock('../../src/cache');
+jest.mock('../../src/database');
+jest.mock('../../src/utils/validate-env');
+const files_1 = require("./files");
+const invalid_payload_1 = require("../exceptions/invalid-payload");
+const stream_1 = require("stream");
+const form_data_1 = __importDefault(require("form-data"));
+describe('multipartHandler', () => {
+    it(`Errors out if request doesn't contain any files to upload`, () => {
+        const fakeForm = new form_data_1.default();
+        fakeForm.append('field', 'test');
+        const req = {
+            headers: fakeForm.getHeaders(),
+            is: jest.fn().mockReturnValue(true),
+            body: fakeForm.getBuffer(),
+            params: {},
+            pipe: (input) => stream.pipe(input),
+        };
+        const stream = new stream_1.PassThrough();
+        stream.push(fakeForm.getBuffer());
+        (0, files_1.multipartHandler)(req, {}, (err) => {
+            expect(err.message).toBe('No files where included in the body');
+            expect(err).toBeInstanceOf(invalid_payload_1.InvalidPayloadException);
+        });
+    });
+    it(`Errors out if uploaded file doesn't include the filename`, () => {
+        const fakeForm = new form_data_1.default();
+        fakeForm.append('file', Buffer.from('<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg width="100%" height="100%" viewBox="0 0 243 266" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.41421;"><g id="Calligraphy"><path d="M67.097,135.868c0,3.151 0.598,14.121 -11.586,14.121c-17.076,0 -15.95,-12.947 -15.95,-12.947c0,-2.521 4.597,-5.638 4.597,-7.318c0,-0.63 0.041,-3.519 -2.27,-3.519c-5.671,0 -5.671,10.083 -5.671,10.083c0,0 0.419,15.336 19.116,15.336c20.205,0 30.04,-23.712 30.04,-30.88c0,-18.197 -51.112,-27.701 -51.112,-57.949c0,1.575 -2.205,-13.864 14.18,-13.864c28.358,0 44.426,42.536 44.426,71.524c0,28.988 -16.699,55.455 -16.699,55.455c0,0 33.4,-25.837 33.4,-76.25c0,-70.264 -46.003,-69.634 -46.003,-69.634c-4.792,0 -7.602,-0.241 -28.398,20.555c-20.797,20.797 -17.646,29.83 -17.646,29.83c0,31.93 49.576,32.35 49.576,55.457Z" style="fill-rule:nonzero;"/><path d="M241.886,174.861c-1.602,-9.142 -15.448,-9.916 -22.675,-9.682c-0.7,-0.003 -1.172,0.02 -1.327,0.03c-8.804,0.01 -19.314,4.179 -33.072,13.115c-3.554,2.308 -7.19,4.847 -10.902,7.562c-6.979,-31.39 -13.852,-63.521 -28.033,-63.521c20.415,-20.119 22.19,-16.272 22.19,-39.054c0,-11.244 14.498,-21.35 14.498,-21.35l-0.296,-2.024c-19.193,5.304 -37.307,-8.577 -42.2,-12.755c5.375,-9.663 9.584,-12.565 9.584,-12.565c1.891,-20.377 15.965,-27.31 15.965,-27.31c1.681,-4.201 6.092,-7.142 6.092,-7.142c-70.162,22.267 -54.247,189.298 -54.247,189.298c-0.475,-55.91 5.238,-92.242 11.977,-115.55c9.094,8.248 24.425,11.765 24.425,11.765c-7.396,3.55 -5.324,12.13 -5.324,19.527c0,7.397 -3.848,10.651 -3.848,10.651l-21.893,22.782c17.043,0.294 23.638,31.657 30.689,63.056c-2.548,2.042 -5.125,4.12 -7.728,6.219c-16.396,13.223 -33.351,26.897 -50.266,37.354c-19.086,11.797 -35.151,17.533 -49.116,17.533c-25.25,0 -44.118,-24.368 -44.118,-46.154c0,-9.838 3.227,-17.831 5.935,-22.805c2.935,-5.39 5.911,-8.503 5.967,-8.561c0.001,0 0.001,0 0.001,-0.001l-0.013,-0.012c1.803,-1.885 4.841,-5.181 10.423,-5.181c20.715,0 27.475,40.776 55.603,40.776c24.857,0 31.834,-20.497 37.286,-31.399c0,0 -8.94,11.12 -21.587,11.12c-27.038,0 -35.323,-40.557 -55.166,-40.557c-13.41,0 -22.743,15.506 -31.029,27.281c0,0 0.018,-0.001 0.048,-0.003c-1.02,1.415 -2.214,3.233 -3.41,5.425c-2.847,5.21 -6.239,13.587 -6.239,23.917c0,22.816 19.801,48.334 46.299,48.334c14.381,0 30.822,-5.84 50.262,-17.858c17.033,-10.529 34.04,-24.246 50.489,-37.511c2.309,-1.862 4.607,-3.715 6.891,-5.549c6.952,30.814 14.606,60.912 33.278,60.912c14.794,0 26.923,-25.445 26.923,-25.445c-7.987,7.101 -13.313,5.621 -13.313,5.621c-13.139,0.379 -19.937,-27.594 -26.48,-56.931c16.455,-12.099 31.46,-20.829 43.488,-20.829l0.072,-0.003c0.082,-0.005 5.246,-0.305 9.957,1.471c-2.95,1.636 -4.947,4.782 -4.947,8.394c0,5.299 4.296,9.594 9.594,9.594c5.298,0 9.594,-4.295 9.594,-9.594c0,-0.826 -0.104,-1.627 -0.301,-2.391Z" style="fill-rule:nonzero;"/></g></svg>'));
+        const req = {
+            headers: fakeForm.getHeaders(),
+            is: jest.fn().mockReturnValue(true),
+            body: fakeForm.getBuffer(),
+            params: {},
+            pipe: (input) => stream.pipe(input),
+        };
+        const stream = new stream_1.PassThrough();
+        stream.push(fakeForm.getBuffer());
+        (0, files_1.multipartHandler)(req, {}, (err) => {
+            expect(err.message).toBe('File is missing filename');
+            expect(err).toBeInstanceOf(invalid_payload_1.InvalidPayloadException);
+        });
+    });
+});

package/dist/controllers/server.js

@@ -36,7 +36,6 @@ router.get('/specs/graphql/:scope?', (0, async_handler_1.default)(async (req, re
     res.attachment(filename);
     res.send(result);
 }));
-router.get('/ping', (req, res) => res.send('pong'));
 router.get('/info', (0, async_handler_1.default)(async (req, res, next) => {
     const service = new services_1.ServerService({
         accountability: req.accountability,

package/dist/database/migrations/run.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/database/migrations/run.test.js

@@ -0,0 +1,92 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const knex_1 = __importDefault(require("knex"));
+const knex_mock_client_1 = require("knex-mock-client");
+const run_1 = __importDefault(require("./run"));
+describe('run', () => {
+    let db;
+    let tracker;
+    beforeAll(() => {
+        db = (0, knex_1.default)({ client: knex_mock_client_1.MockClient });
+        tracker = (0, knex_mock_client_1.getTracker)();
+    });
+    afterEach(() => {
+        tracker.reset();
+    });
+    describe('when passed the argument up', () => {
+        it('returns "Nothing To Upgrade" if no directus_migrations', async () => {
+            tracker.on.select('directus_migrations').response(['Empty']);
+            await (0, run_1.default)(db, 'up').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe('Nothing to upgrade');
+            });
+        });
+        it('returns "Method implemented in the dialect driver" if no directus_migrations', async () => {
+            tracker.on.select('directus_migrations').response([]);
+            await (0, run_1.default)(db, 'up').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe('Method implemented in the dialect driver');
+            });
+        });
+        it('returns undefined if the migration is successful', async () => {
+            tracker.on.select('directus_migrations').response([
+                {
+                    version: '20201028A',
+                    name: 'Remove Collection Foreign Keys',
+                    timestamp: '2021-11-27 11:36:56.471595-05',
+                },
+            ]);
+            tracker.on.delete('directus_relations').response([]);
+            tracker.on.insert('directus_migrations').response(['Remove System Relations', '20201029A']);
+            expect(await (0, run_1.default)(db, 'up')).toBe(undefined);
+        });
+    });
+    describe('when passed the argument down', () => {
+        it('returns "Nothing To downgrade" if no valid directus_migrations', async () => {
+            tracker.on.select('directus_migrations').response(['Empty']);
+            await (0, run_1.default)(db, 'down').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe(`Couldn't find migration`);
+            });
+        });
+        it('returns "Method implemented in the dialect driver" if no directus_migrations', async () => {
+            tracker.on.select('directus_migrations').response([]);
+            await (0, run_1.default)(db, 'down').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe('Nothing to downgrade');
+            });
+        });
+        it(`returns "Couldn't find migration" if an invalid migration object is supplied`, async () => {
+            tracker.on.select('directus_migrations').response([
+                {
+                    version: '202018129A',
+                    name: 'Fake Migration',
+                    timestamp: '2020-00-32 11:36:56.471595-05',
+                },
+            ]);
+            await (0, run_1.default)(db, 'down').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe(`Couldn't find migration`);
+            });
+        });
+    });
+    describe('when passed the argument latest', () => {
+        it('returns "Nothing To downgrade" if no valid directus_migrations', async () => {
+            tracker.on.select('directus_migrations').response(['Empty']);
+            await (0, run_1.default)(db, 'latest').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe(`Method implemented in the dialect driver`);
+            });
+        });
+        it('returns "Method implemented in the dialect driver" if no directus_migrations', async () => {
+            tracker.on.select('directus_migrations').response([]);
+            await (0, run_1.default)(db, 'latest').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe('Method implemented in the dialect driver');
+            });
+        });
+    });
+});

package/dist/env.js

@@ -138,6 +138,13 @@ const allowedEnvironmentVars = [
     // extensions
     'EXTENSIONS_PATH',
     'EXTENSIONS_AUTO_RELOAD',
+    // messenger
+    'MESSENGER_STORE',
+    'MESSENGER_NAMESPACE',
+    'MESSENGER_REDIS',
+    'MESSENGER_REDIS_HOST',
+    'MESSENGER_REDIS_PORT',
+    'MESSENGER_REDIS_PASSWORD',
     // emails
     'EMAIL_FROM',
     'EMAIL_TRANSPORT',
@@ -226,6 +233,7 @@ const defaults = {
     EXPORT_BATCH_SIZE: 5000,
     FILE_METADATA_ALLOW_LIST: 'ifd0.Make,ifd0.Model,exif.FNumber,exif.ExposureTime,exif.FocalLength,exif.ISO',
     GRAPHQL_INTROSPECTION: true,
+    FLOWS_EXEC_ALLOWED_MODULES: false,
 };
 // Allows us to force certain environment variable into a type, instead of relying
 // on the auto-parsed type in processValues. ref #3705

package/dist/env.test.d.ts

@@ -0,0 +1,8 @@
+declare const testEnv: {
+    NUMBER: string;
+    NUMBER_CAST_AS_STRING: string;
+    REGEX: string;
+    CSV: string;
+    CSV_CAST_AS_STRING: string;
+    MULTIPLE: string;
+};

package/dist/env.test.js

@@ -0,0 +1,39 @@
+"use strict";
+const testEnv = {
+    NUMBER: '1234',
+    NUMBER_CAST_AS_STRING: 'string:1234',
+    REGEX: 'regex:\\.example\\.com$',
+    CSV: 'one,two,three,four',
+    CSV_CAST_AS_STRING: 'string:one,two,three,four',
+    MULTIPLE: 'array:string:https://example.com,regex:\\.example2\\.com$',
+};
+describe('env processed values', () => {
+    const originalEnv = process.env;
+    let env;
+    beforeEach(() => {
+        jest.resetModules();
+        process.env = { ...testEnv };
+        env = jest.requireActual('../src/env').default;
+    });
+    afterEach(() => {
+        process.env = originalEnv;
+    });
+    test('Number value should be a number', () => {
+        expect(env.NUMBER).toStrictEqual(1234);
+    });
+    test('Number value casted as string should be a string', () => {
+        expect(env.NUMBER_CAST_AS_STRING).toStrictEqual('1234');
+    });
+    test('Value casted as regex', () => {
+        expect(env.REGEX).toBeInstanceOf(RegExp);
+    });
+    test('CSV value should be an array', () => {
+        expect(env.CSV).toStrictEqual(['one', 'two', 'three', 'four']);
+    });
+    test('CSV value casted as string should be a string', () => {
+        expect(env.CSV_CAST_AS_STRING).toStrictEqual('one,two,three,four');
+    });
+    test('Multiple type cast', () => {
+        expect(env.MULTIPLE).toStrictEqual(['https://example.com', /\.example2\.com$/]);
+    });
+});

package/dist/flows.js

@@ -124,11 +124,12 @@ class FlowManager {
         const flows = await flowsService.readByQuery({
             filter: { status: { _eq: 'active' } },
             fields: ['*', 'operations.*'],
+            limit: -1,
         });
         const flowTrees = flows.map((flow) => (0, construct_flow_tree_1.constructFlowTree)(flow));
         for (const flow of flowTrees) {
             if (flow.trigger === 'event') {
-                const events = (_d = (_c = (_b = (_a = flow.options) === null || _a === void 0 ? void 0 : _a.scope) === null || _b === void 0 ? void 0 : _b.map((scope) => {
+                const events = (_d = (_c = (_b = (0, utils_1.toArray)((_a = flow.options) === null || _a === void 0 ? void 0 : _a.scope)) === null || _b === void 0 ? void 0 : _b.map((scope) => {
                     var _a, _b, _c;
                     if (['items.create', 'items.update', 'items.delete'].includes(scope)) {
                         return ((_c = (_b = (_a = flow.options) === null || _a === void 0 ? void 0 : _a.collections) === null || _b === void 0 ? void 0 : _b.map((collection) => {

package/dist/middleware/authenticate.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/authenticate.test.js

@@ -0,0 +1,174 @@
+"use strict";
+// @ts-nocheck
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const database_1 = __importDefault(require("../database"));
+const emitter_1 = __importDefault(require("../emitter"));
+const env_1 = __importDefault(require("../env"));
+const exceptions_1 = require("../exceptions");
+const authenticate_1 = require("./authenticate");
+require("../../src/types/express.d.ts");
+jest.mock('../../src/database');
+jest.mock('../../src/env', () => ({
+    SECRET: 'test',
+}));
+afterEach(() => {
+    jest.resetAllMocks();
+});
+test('Short-circuits when authenticate filter is used', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn(),
+    };
+    const res = {};
+    const next = jest.fn();
+    const customAccountability = { admin: true };
+    jest.spyOn(emitter_1.default, 'emitFilter').mockResolvedValue(customAccountability);
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(customAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Uses default public accountability when no token is given', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+    };
+    const res = {};
+    const next = jest.fn();
+    jest.spyOn(emitter_1.default, 'emitFilter').mockImplementation((_, payload) => payload);
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: null,
+        role: null,
+        admin: false,
+        app: false,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Sets accountability to payload contents if valid token is passed', async () => {
+    const userID = '3fac3c02-607f-4438-8d6e-6b8b25109b52';
+    const roleID = '38269fc6-6eb6-475a-93cb-479d97f73039';
+    const share = 'ca0ad005-f4ad-4bfe-b428-419ee8784790';
+    const shareScope = {
+        collection: 'articles',
+        item: 15,
+    };
+    const appAccess = true;
+    const adminAccess = false;
+    const token = jsonwebtoken_1.default.sign({
+        id: userID,
+        role: roleID,
+        app_access: appAccess,
+        admin_access: adminAccess,
+        share,
+        share_scope: shareScope,
+    }, env_1.default.SECRET, { issuer: 'directus' });
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+        token,
+    };
+    const res = {};
+    const next = jest.fn();
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: userID,
+        role: roleID,
+        app: appAccess,
+        admin: adminAccess,
+        share,
+        share_scope: shareScope,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test with 1/0 instead or true/false
+    next.mockClear();
+    req.token = jsonwebtoken_1.default.sign({
+        id: userID,
+        role: roleID,
+        app_access: 1,
+        admin_access: 0,
+        share,
+        share_scope: shareScope,
+    }, env_1.default.SECRET, { issuer: 'directus' });
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: userID,
+        role: roleID,
+        app: appAccess,
+        admin: adminAccess,
+        share,
+        share_scope: shareScope,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Throws InvalidCredentialsException when static token is used, but user does not exist', async () => {
+    jest.mocked(database_1.default).mockReturnValue({
+        select: jest.fn().mockReturnThis(),
+        from: jest.fn().mockReturnThis(),
+        leftJoin: jest.fn().mockReturnThis(),
+        where: jest.fn().mockReturnThis(),
+        first: jest.fn().mockResolvedValue(undefined),
+    });
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+        token: 'static-token',
+    };
+    const res = {};
+    const next = jest.fn();
+    expect((0, authenticate_1.handler)(req, res, next)).rejects.toEqual(new exceptions_1.InvalidCredentialsException());
+    expect(next).toHaveBeenCalledTimes(0);
+});
+test('Sets accountability to user information when static token is used', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => (string === 'user-agent' ? 'fake-user-agent' : null)),
+        token: 'static-token',
+    };
+    const res = {};
+    const next = jest.fn();
+    const testUser = { id: 'test-id', role: 'test-role', admin_access: true, app_access: false };
+    const expectedAccountability = {
+        user: testUser.id,
+        role: testUser.role,
+        app: testUser.app_access,
+        admin: testUser.admin_access,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+    };
+    jest.mocked(database_1.default).mockReturnValue({
+        select: jest.fn().mockReturnThis(),
+        from: jest.fn().mockReturnThis(),
+        leftJoin: jest.fn().mockReturnThis(),
+        where: jest.fn().mockReturnThis(),
+        first: jest.fn().mockResolvedValue(testUser),
+    });
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test for 0 / 1 instead of false / true
+    next.mockClear();
+    testUser.admin_access = 1;
+    testUser.app_access = 0;
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test for "1" / "0" instead of true / false
+    next.mockClear();
+    testUser.admin_access = '0';
+    testUser.app_access = '1';
+    expectedAccountability.admin = false;
+    expectedAccountability.app = true;
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+});

package/dist/middleware/extract-token.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/extract-token.test.js

@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const extract_token_1 = __importDefault(require("../../src/middleware/extract-token"));
+require("../../src/types/express.d.ts");
+let mockRequest;
+let mockResponse;
+const nextFunction = jest.fn();
+beforeEach(() => {
+    mockRequest = {};
+    mockResponse = {};
+    jest.clearAllMocks();
+});
+test('Token from query', () => {
+    mockRequest = {
+        query: {
+            access_token: 'test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Token from Authorization header (capitalized)', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'Bearer test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Token from Authorization header (lowercase)', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'bearer test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Ignore the token if authorization header is too many parts', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'bearer test what another one',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBeNull();
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Null if no token passed', () => {
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBeNull();
+    expect(nextFunction).toBeCalledTimes(1);
+});

package/dist/operations/exec/index.d.ts

@@ -0,0 +1,5 @@
+declare type Options = {
+    code: string;
+};
+declare const _default: import("@directus/shared/types").OperationApiConfig<Options>;
+export default _default;

package/dist/operations/exec/index.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const utils_1 = require("@directus/shared/utils");
+const vm2_1 = require("vm2");
+exports.default = (0, utils_1.defineOperationApi)({
+    id: 'exec',
+    handler: async ({ code }, { data, env }) => {
+        const allowedModules = env.FLOWS_EXEC_ALLOWED_MODULES ? (0, utils_1.toArray)(env.FLOWS_EXEC_ALLOWED_MODULES) : [];
+        const opts = {
+            eval: false,
+            wasm: false,
+        };
+        if (allowedModules.length > 0) {
+            opts.require = {
+                external: {
+                    modules: allowedModules,
+                    transitive: false,
+                },
+            };
+        }
+        const vm = new vm2_1.NodeVM(opts);
+        const script = new vm2_1.VMScript(code).compile();
+        const fn = await vm.run(script);
+        return await fn(data);
+    },
+});

package/dist/operations/exec/index.test.d.ts

@@ -0,0 +1 @@
+export {};