directus 9.15.1 → 9.17.0

package/dist/extensions.js

@@ -78,19 +78,27 @@ class ExtensionManager {
         this.reloadQueue = new job_queue_1.JobQueue();
     }
     async initialize(options = {}) {
+        const prevOptions = this.options;
         this.options = {
             ...defaultOptions,
             ...options,
         };
-        this.initializeWatcher();
+        if (!prevOptions.watch && this.options.watch) {
+            this.initializeWatcher();
+        }
+        else if (prevOptions.watch && !this.options.watch) {
+            await this.closeWatcher();
+        }
         if (!this.isLoaded) {
             await this.load();
-            this.updateWatchedExtensions(this.extensions);
             const loadedExtensions = this.getExtensionsList();
             if (loadedExtensions.length > 0) {
                 logger_1.default.info(`Loaded extensions: ${loadedExtensions.join(', ')}`);
             }
         }
+        if (!prevOptions.watch && this.options.watch) {
+            this.updateWatchedExtensions(this.extensions);
+        }
     }
     reload() {
         this.reloadQueue.enqueue(async () => {
@@ -158,7 +166,7 @@ class ExtensionManager {
         this.isLoaded = false;
     }
     initializeWatcher() {
-        if (this.options.watch && !this.watcher) {
+        if (!this.watcher) {
             logger_1.default.info('Watching extensions for changes...');
             const localExtensionPaths = (env_1.default.SERVE_APP ? constants_1.EXTENSION_TYPES : constants_1.API_OR_HYBRID_EXTENSION_TYPES).flatMap((type) => {
                 const typeDir = path_1.default.posix.join(path_1.default.relative('.', env_1.default.EXTENSIONS_PATH).split(path_1.default.sep).join(path_1.default.posix.sep), (0, utils_1.pluralize)(type));
@@ -175,6 +183,11 @@ class ExtensionManager {
                 .on('unlink', () => this.reload());
         }
     }
+    async closeWatcher() {
+        if (this.watcher) {
+            await this.watcher.close();
+        }
+    }
     updateWatchedExtensions(added, removed = []) {
         if (this.watcher) {
             const toPackageExtensionPaths = (extensions) => extensions

package/dist/flows.js

@@ -119,28 +119,33 @@ class FlowManager {
         return handler(data, context);
     }
     async load() {
-        var _a, _b, _c, _d, _e, _f, _g;
+        var _a, _b, _c, _d;
         const flowsService = new services_1.FlowsService({ knex: (0, database_1.default)(), schema: await (0, get_schema_1.getSchema)() });
         const flows = await flowsService.readByQuery({
             filter: { status: { _eq: 'active' } },
             fields: ['*', 'operations.*'],
+            limit: -1,
         });
         const flowTrees = flows.map((flow) => (0, construct_flow_tree_1.constructFlowTree)(flow));
         for (const flow of flowTrees) {
             if (flow.trigger === 'event') {
-                const events = (_d = (_c = (_b = (_a = flow.options) === null || _a === void 0 ? void 0 : _a.scope) === null || _b === void 0 ? void 0 : _b.map((scope) => {
-                    var _a, _b, _c;
-                    if (['items.create', 'items.update', 'items.delete'].includes(scope)) {
-                        return ((_c = (_b = (_a = flow.options) === null || _a === void 0 ? void 0 : _a.collections) === null || _b === void 0 ? void 0 : _b.map((collection) => {
-                            if (collection.startsWith('directus_')) {
-                                const action = scope.split('.')[1];
-                                return collection.substring(9) + '.' + action;
-                            }
-                            return `${collection}.${scope}`;
-                        })) !== null && _c !== void 0 ? _c : []);
-                    }
-                    return scope;
-                })) === null || _c === void 0 ? void 0 : _c.flat()) !== null && _d !== void 0 ? _d : [];
+                const events = ((_a = flow.options) === null || _a === void 0 ? void 0 : _a.scope)
+                    ? (0, utils_1.toArray)(flow.options.scope)
+                        .map((scope) => {
+                        var _a, _b, _c;
+                        if (['items.create', 'items.update', 'items.delete'].includes(scope)) {
+                            return ((_c = (_b = (_a = flow.options) === null || _a === void 0 ? void 0 : _a.collections) === null || _b === void 0 ? void 0 : _b.map((collection) => {
+                                if (collection.startsWith('directus_')) {
+                                    const action = scope.split('.')[1];
+                                    return collection.substring(9) + '.' + action;
+                                }
+                                return `${collection}.${scope}`;
+                            })) !== null && _c !== void 0 ? _c : []);
+                        }
+                        return scope;
+                    })
+                        .flat()
+                    : [];
                 if (flow.options.type === 'filter') {
                     const handler = (payload, meta, context) => this.executeFlow(flow, { payload, ...meta }, {
                         accountability: context.accountability,
@@ -195,9 +200,9 @@ class FlowManager {
                         return this.executeFlow(flow, data, context);
                     }
                 };
-                const method = (_f = (_e = flow.options) === null || _e === void 0 ? void 0 : _e.method) !== null && _f !== void 0 ? _f : 'GET';
+                const method = (_c = (_b = flow.options) === null || _b === void 0 ? void 0 : _b.method) !== null && _c !== void 0 ? _c : 'GET';
                 // Default return to $last for webhooks
-                flow.options.return = (_g = flow.options.return) !== null && _g !== void 0 ? _g : '$last';
+                flow.options.return = (_d = flow.options.return) !== null && _d !== void 0 ? _d : '$last';
                 this.webhookFlowHandlers[`${method}-${flow.id}`] = handler;
             }
             else if (flow.trigger === 'manual') {
@@ -253,7 +258,7 @@ class FlowManager {
         this.isLoaded = false;
     }
     async executeFlow(flow, data = null, context = {}) {
-        var _a, _b, _c, _d, _e, _f;
+        var _a, _b, _c, _d, _e, _f, _g;
         const database = (_a = context.database) !== null && _a !== void 0 ? _a : (0, database_1.default)();
         const schema = (_b = context.schema) !== null && _b !== void 0 ? _b : (await (0, get_schema_1.getSchema)({ database }));
         const keyedData = {
@@ -262,11 +267,13 @@ class FlowManager {
             [ACCOUNTABILITY_KEY]: (_c = context === null || context === void 0 ? void 0 : context.accountability) !== null && _c !== void 0 ? _c : null,
         };
         let nextOperation = flow.operation;
+        let lastOperationStatus = 'unknown';
         const steps = [];
         while (nextOperation !== null) {
             const { successor, data, status, options } = await this.executeOperation(nextOperation, keyedData, context);
             keyedData[nextOperation.key] = data;
             keyedData[LAST_KEY] = data;
+            lastOperationStatus = status;
             steps.push({ operation: nextOperation.id, key: nextOperation.key, status, options });
             nextOperation = successor;
         }
@@ -282,6 +289,7 @@ class FlowManager {
                 collection: 'directus_flows',
                 ip: (_e = accountability === null || accountability === void 0 ? void 0 : accountability.ip) !== null && _e !== void 0 ? _e : null,
                 user_agent: (_f = accountability === null || accountability === void 0 ? void 0 : accountability.userAgent) !== null && _f !== void 0 ? _f : null,
+                origin: (_g = accountability === null || accountability === void 0 ? void 0 : accountability.origin) !== null && _g !== void 0 ? _g : null,
                 item: flow.id,
             });
             if (flow.accountability === 'all') {
@@ -300,6 +308,9 @@ class FlowManager {
                 });
             }
         }
+        if (flow.trigger === 'event' && flow.options.type === 'filter' && lastOperationStatus === 'reject') {
+            throw keyedData[LAST_KEY];
+        }
         if (flow.options.return === '$all') {
             return keyedData;
         }

package/dist/mailer.js

@@ -37,6 +37,7 @@ function getMailer() {
         }
         const tls = (0, get_config_from_env_1.getConfigFromEnv)('EMAIL_SMTP_TLS_');
         transporter = nodemailer_1.default.createTransport({
+            name: env_1.default.EMAIL_SMTP_NAME,
             pool: env_1.default.EMAIL_SMTP_POOL,
             host: env_1.default.EMAIL_SMTP_HOST,
             port: env_1.default.EMAIL_SMTP_PORT,

package/dist/middleware/authenticate.d.ts

@@ -3,5 +3,5 @@ import { NextFunction, Request, Response } from 'express';
  * Verify the passed JWT and assign the user ID and role to `req`
  */
 export declare const handler: (req: Request, res: Response, next: NextFunction) => Promise<void>;
-declare const _default: import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
+declare const _default: (req: Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>, res: Response<any, Record<string, any>>, next: NextFunction) => Promise<void>;
 export default _default;

package/dist/middleware/authenticate.js

@@ -24,6 +24,7 @@ const handler = async (req, res, next) => {
         app: false,
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
         userAgent: req.get('user-agent'),
+        origin: req.get('origin'),
     };
     const database = (0, database_1.default)();
     const customAccountability = await emitter_1.default.emitFilter('authenticate', defaultAccountability, {

package/dist/middleware/authenticate.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/authenticate.test.js

@@ -0,0 +1,214 @@
+"use strict";
+// @ts-nocheck
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const database_1 = __importDefault(require("../database"));
+const emitter_1 = __importDefault(require("../emitter"));
+const env_1 = __importDefault(require("../env"));
+const exceptions_1 = require("../exceptions");
+const authenticate_1 = require("./authenticate");
+require("../../src/types/express.d.ts");
+jest.mock('../../src/database');
+jest.mock('../../src/env', () => ({
+    SECRET: 'test',
+}));
+afterEach(() => {
+    jest.resetAllMocks();
+});
+test('Short-circuits when authenticate filter is used', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn(),
+    };
+    const res = {};
+    const next = jest.fn();
+    const customAccountability = { admin: true };
+    jest.spyOn(emitter_1.default, 'emitFilter').mockResolvedValue(customAccountability);
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(customAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Uses default public accountability when no token is given', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => {
+            switch (string) {
+                case 'user-agent':
+                    return 'fake-user-agent';
+                case 'origin':
+                    return 'fake-origin';
+                default:
+                    return null;
+            }
+        }),
+    };
+    const res = {};
+    const next = jest.fn();
+    jest.spyOn(emitter_1.default, 'emitFilter').mockImplementation((_, payload) => payload);
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: null,
+        role: null,
+        admin: false,
+        app: false,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+        origin: 'fake-origin',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Sets accountability to payload contents if valid token is passed', async () => {
+    const userID = '3fac3c02-607f-4438-8d6e-6b8b25109b52';
+    const roleID = '38269fc6-6eb6-475a-93cb-479d97f73039';
+    const share = 'ca0ad005-f4ad-4bfe-b428-419ee8784790';
+    const shareScope = {
+        collection: 'articles',
+        item: 15,
+    };
+    const appAccess = true;
+    const adminAccess = false;
+    const token = jsonwebtoken_1.default.sign({
+        id: userID,
+        role: roleID,
+        app_access: appAccess,
+        admin_access: adminAccess,
+        share,
+        share_scope: shareScope,
+    }, env_1.default.SECRET, { issuer: 'directus' });
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => {
+            switch (string) {
+                case 'user-agent':
+                    return 'fake-user-agent';
+                case 'origin':
+                    return 'fake-origin';
+                default:
+                    return null;
+            }
+        }),
+        token,
+    };
+    const res = {};
+    const next = jest.fn();
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: userID,
+        role: roleID,
+        app: appAccess,
+        admin: adminAccess,
+        share,
+        share_scope: shareScope,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+        origin: 'fake-origin',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test with 1/0 instead or true/false
+    next.mockClear();
+    req.token = jsonwebtoken_1.default.sign({
+        id: userID,
+        role: roleID,
+        app_access: 1,
+        admin_access: 0,
+        share,
+        share_scope: shareScope,
+    }, env_1.default.SECRET, { issuer: 'directus' });
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual({
+        user: userID,
+        role: roleID,
+        app: appAccess,
+        admin: adminAccess,
+        share,
+        share_scope: shareScope,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+        origin: 'fake-origin',
+    });
+    expect(next).toHaveBeenCalledTimes(1);
+});
+test('Throws InvalidCredentialsException when static token is used, but user does not exist', async () => {
+    jest.mocked(database_1.default).mockReturnValue({
+        select: jest.fn().mockReturnThis(),
+        from: jest.fn().mockReturnThis(),
+        leftJoin: jest.fn().mockReturnThis(),
+        where: jest.fn().mockReturnThis(),
+        first: jest.fn().mockResolvedValue(undefined),
+    });
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => {
+            switch (string) {
+                case 'user-agent':
+                    return 'fake-user-agent';
+                case 'origin':
+                    return 'fake-origin';
+                default:
+                    return null;
+            }
+        }),
+        token: 'static-token',
+    };
+    const res = {};
+    const next = jest.fn();
+    expect((0, authenticate_1.handler)(req, res, next)).rejects.toEqual(new exceptions_1.InvalidCredentialsException());
+    expect(next).toHaveBeenCalledTimes(0);
+});
+test('Sets accountability to user information when static token is used', async () => {
+    const req = {
+        ip: '127.0.0.1',
+        get: jest.fn((string) => {
+            switch (string) {
+                case 'user-agent':
+                    return 'fake-user-agent';
+                case 'origin':
+                    return 'fake-origin';
+                default:
+                    return null;
+            }
+        }),
+        token: 'static-token',
+    };
+    const res = {};
+    const next = jest.fn();
+    const testUser = { id: 'test-id', role: 'test-role', admin_access: true, app_access: false };
+    const expectedAccountability = {
+        user: testUser.id,
+        role: testUser.role,
+        app: testUser.app_access,
+        admin: testUser.admin_access,
+        ip: '127.0.0.1',
+        userAgent: 'fake-user-agent',
+        origin: 'fake-origin',
+    };
+    jest.mocked(database_1.default).mockReturnValue({
+        select: jest.fn().mockReturnThis(),
+        from: jest.fn().mockReturnThis(),
+        leftJoin: jest.fn().mockReturnThis(),
+        where: jest.fn().mockReturnThis(),
+        first: jest.fn().mockResolvedValue(testUser),
+    });
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test for 0 / 1 instead of false / true
+    next.mockClear();
+    testUser.admin_access = 1;
+    testUser.app_access = 0;
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+    // Test for "1" / "0" instead of true / false
+    next.mockClear();
+    testUser.admin_access = '0';
+    testUser.app_access = '1';
+    expectedAccountability.admin = false;
+    expectedAccountability.app = true;
+    await (0, authenticate_1.handler)(req, res, next);
+    expect(req.accountability).toEqual(expectedAccountability);
+    expect(next).toHaveBeenCalledTimes(1);
+});

package/dist/middleware/extract-token.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/extract-token.test.js

@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const extract_token_1 = __importDefault(require("../../src/middleware/extract-token"));
+require("../../src/types/express.d.ts");
+let mockRequest;
+let mockResponse;
+const nextFunction = jest.fn();
+beforeEach(() => {
+    mockRequest = {};
+    mockResponse = {};
+    jest.clearAllMocks();
+});
+test('Token from query', () => {
+    mockRequest = {
+        query: {
+            access_token: 'test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Token from Authorization header (capitalized)', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'Bearer test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Token from Authorization header (lowercase)', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'bearer test',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBe('test');
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Ignore the token if authorization header is too many parts', () => {
+    mockRequest = {
+        headers: {
+            authorization: 'bearer test what another one',
+        },
+    };
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBeNull();
+    expect(nextFunction).toBeCalledTimes(1);
+});
+test('Null if no token passed', () => {
+    (0, extract_token_1.default)(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.token).toBeNull();
+    expect(nextFunction).toBeCalledTimes(1);
+});

package/dist/middleware/validate-batch.d.ts

@@ -1,2 +1 @@
-import { RequestHandler } from 'express';
-export declare const validateBatch: (scope: 'read' | 'update' | 'delete') => RequestHandler;
+export declare const validateBatch: (scope: 'read' | 'update' | 'delete') => (req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>, res: import("express").Response<any, Record<string, any>>, next: import("express").NextFunction) => Promise<void>;

package/dist/middleware/validate-batch.js

@@ -14,39 +14,36 @@ const validateBatch = (scope) => (0, async_handler_1.default)(async (req, res, n
         req.body = {};
         return next();
     }
+    if (req.method.toLowerCase() !== 'search' && scope !== 'read' && req.singleton) {
+        return next();
+    }
     if (!req.body)
         throw new exceptions_1.InvalidPayloadException('Payload in body is required');
-    if (req.singleton)
+    if (['update', 'delete'].includes(scope) && Array.isArray(req.body)) {
         return next();
+    }
+    // In reads, the query in the body should override the query params for searching
+    if (scope === 'read' && req.body.query) {
+        req.sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+    }
     // Every cRUD action has either keys or query
     let batchSchema = joi_1.default.object().keys({
         keys: joi_1.default.array().items(joi_1.default.alternatives(joi_1.default.string(), joi_1.default.number())),
         query: joi_1.default.object().unknown(),
     });
-    // In reads, you can't combine the two, and 1 of the two at  least is required
-    if (scope !== 'read') {
+    if (['update', 'delete'].includes(scope)) {
         batchSchema = batchSchema.xor('query', 'keys');
     }
     // In updates, we add a required `data` that holds the update payload if an array isn't used
     if (scope === 'update') {
-        if (Array.isArray(req.body))
-            return next();
         batchSchema = batchSchema.keys({
             data: joi_1.default.object().unknown().required(),
         });
     }
-    // In deletes, we want to keep supporting an array of just primary keys
-    if (scope === 'delete' && Array.isArray(req.body)) {
-        return next();
-    }
     const { error } = batchSchema.validate(req.body);
     if (error) {
         throw new exceptions_2.FailedValidationException(error.details[0]);
     }
-    // In reads, the query in the body should override the query params for searching
-    if (scope === 'read' && req.body.query) {
-        req.sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
-    }
     return next();
 });
 exports.validateBatch = validateBatch;

package/dist/middleware/validate-batch.test.d.ts

@@ -0,0 +1 @@
+import '../../src/types/express.d.ts';

package/dist/middleware/validate-batch.test.js

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const validate_batch_1 = require("./validate-batch");
+require("../../src/types/express.d.ts");
+const exceptions_1 = require("../exceptions");
+const exceptions_2 = require("@directus/shared/exceptions");
+let mockRequest;
+let mockResponse;
+const nextFunction = jest.fn();
+beforeEach(() => {
+    mockRequest = {};
+    mockResponse = {};
+    jest.clearAllMocks();
+});
+test('Sets body to empty, calls next on GET requests', async () => {
+    mockRequest.method = 'GET';
+    await (0, validate_batch_1.validateBatch)('read')(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.body).toEqual({});
+    expect(nextFunction).toHaveBeenCalledTimes(1);
+});
+test(`Short circuits on singletons that aren't queried through SEARCH`, async () => {
+    mockRequest.method = 'PATCH';
+    mockRequest.singleton = true;
+    mockRequest.body = { title: 'test' };
+    await (0, validate_batch_1.validateBatch)('update')(mockRequest, mockResponse, nextFunction);
+    expect(nextFunction).toHaveBeenCalledTimes(1);
+});
+test('Throws InvalidPayloadException on missing body', async () => {
+    mockRequest.method = 'SEARCH';
+    await (0, validate_batch_1.validateBatch)('read')(mockRequest, mockResponse, nextFunction);
+    expect(nextFunction).toHaveBeenCalledTimes(1);
+    expect(jest.mocked(nextFunction).mock.calls[0][0]).toBeInstanceOf(exceptions_1.InvalidPayloadException);
+});
+test(`Short circuits on Array body in update/delete use`, async () => {
+    mockRequest.method = 'PATCH';
+    mockRequest.body = [1, 2, 3];
+    await (0, validate_batch_1.validateBatch)('update')(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.sanitizedQuery).toBe(undefined);
+    expect(nextFunction).toHaveBeenCalled();
+});
+test(`Sets sanitizedQuery based on body.query in read operations`, async () => {
+    mockRequest.method = 'SEARCH';
+    mockRequest.body = {
+        query: {
+            sort: 'id',
+        },
+    };
+    await (0, validate_batch_1.validateBatch)('read')(mockRequest, mockResponse, nextFunction);
+    expect(mockRequest.sanitizedQuery).toEqual({
+        sort: ['id'],
+    });
+});
+test(`Doesn't allow both query and keys in a batch delete`, async () => {
+    mockRequest.method = 'DELETE';
+    mockRequest.body = {
+        keys: [1, 2, 3],
+        query: { filter: {} },
+    };
+    await (0, validate_batch_1.validateBatch)('delete')(mockRequest, mockResponse, nextFunction);
+    expect(nextFunction).toHaveBeenCalledTimes(1);
+    expect(jest.mocked(nextFunction).mock.calls[0][0]).toBeInstanceOf(exceptions_2.FailedValidationException);
+});
+test(`Requires 'data' on batch update`, async () => {
+    mockRequest.method = 'PATCH';
+    mockRequest.body = {
+        keys: [1, 2, 3],
+        query: { filter: {} },
+    };
+    await (0, validate_batch_1.validateBatch)('update')(mockRequest, mockResponse, nextFunction);
+    expect(nextFunction).toHaveBeenCalledTimes(1);
+    expect(jest.mocked(nextFunction).mock.calls[0][0]).toBeInstanceOf(exceptions_2.FailedValidationException);
+});
+test(`Calls next when all is well`, async () => {
+    mockRequest.method = 'PATCH';
+    mockRequest.body = {
+        query: { filter: {} },
+        data: {},
+    };
+    await (0, validate_batch_1.validateBatch)('update')(mockRequest, mockResponse, nextFunction);
+    expect(nextFunction).toHaveBeenCalledTimes(1);
+    expect(jest.mocked(nextFunction).mock.calls[0][0]).toBeUndefined();
+});

package/dist/operations/exec/index.d.ts

@@ -0,0 +1,5 @@
+declare type Options = {
+    code: string;
+};
+declare const _default: import("@directus/shared/types").OperationApiConfig<Options>;
+export default _default;

package/dist/operations/exec/index.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const utils_1 = require("@directus/shared/utils");
+const vm2_1 = require("vm2");
+exports.default = (0, utils_1.defineOperationApi)({
+    id: 'exec',
+    handler: async ({ code }, { data, env }) => {
+        const allowedModules = env.FLOWS_EXEC_ALLOWED_MODULES ? (0, utils_1.toArray)(env.FLOWS_EXEC_ALLOWED_MODULES) : [];
+        const opts = {
+            eval: false,
+            wasm: false,
+        };
+        if (allowedModules.length > 0) {
+            opts.require = {
+                external: {
+                    modules: allowedModules,
+                    transitive: false,
+                },
+            };
+        }
+        const vm = new vm2_1.NodeVM(opts);
+        const script = new vm2_1.VMScript(code).compile();
+        const fn = await vm.run(script);
+        return await fn(data);
+    },
+});

package/dist/operations/exec/index.test.d.ts

@@ -0,0 +1 @@
+export {};