directus 9.22.4 → 9.23.3

package/dist/logger.js

@@ -27,13 +27,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.expressLogger = void 0;
+const utils_1 = require("@directus/shared/utils");
+const lodash_1 = require("lodash");
 const pino_1 = __importDefault(require("pino"));
 const pino_http_1 = __importStar(require("pino-http"));
-const get_config_from_env_1 = require("./utils/get-config-from-env");
 const url_1 = require("url");
 const env_1 = __importDefault(require("./env"));
-const utils_1 = require("@directus/shared/utils");
-const lodash_1 = require("lodash");
+const get_config_from_env_1 = require("./utils/get-config-from-env");
+const redact_header_cookies_1 = require("./utils/redact-header-cookies");
 const pinoOptions = {
     level: env_1.default.LOG_LEVEL || 'info',
     redact: {
@@ -104,8 +105,23 @@ exports.expressLogger = (0, pino_http_1.default)({
         req(request) {
             const output = pino_http_1.stdSerializers.req(request);
             output.url = redactQuery(output.url);
+            if (output.headers?.cookie) {
+                output.headers.cookie = (0, redact_header_cookies_1.redactHeaderCookie)(output.headers.cookie, [
+                    'access_token',
+                    `${env_1.default.REFRESH_TOKEN_COOKIE_NAME}`,
+                ]);
+            }
             return output;
         },
+        res(response) {
+            if (response.headers?.['set-cookie']) {
+                response.headers['set-cookie'] = (0, redact_header_cookies_1.redactHeaderCookie)(response.headers['set-cookie'], [
+                    'access_token',
+                    `${env_1.default.REFRESH_TOKEN_COOKIE_NAME}`,
+                ]);
+            }
+            return response;
+        },
     },
 });
 exports.default = logger;

package/dist/messenger.js

@@ -9,12 +9,12 @@ const ioredis_1 = __importDefault(require("ioredis"));
 const env_1 = __importDefault(require("./env"));
 const get_config_from_env_1 = require("./utils/get-config-from-env");
 class MessengerMemory {
+    handlers;
     constructor() {
         this.handlers = {};
     }
     publish(channel, payload) {
-        var _a, _b;
-        (_b = (_a = this.handlers)[channel]) === null || _b === void 0 ? void 0 : _b.call(_a, payload);
+        this.handlers[channel]?.(payload);
     }
     subscribe(channel, callback) {
         this.handlers[channel] = callback;
@@ -25,12 +25,14 @@ class MessengerMemory {
 }
 exports.MessengerMemory = MessengerMemory;
 class MessengerRedis {
+    namespace;
+    pub;
+    sub;
     constructor() {
-        var _a, _b, _c;
         const config = (0, get_config_from_env_1.getConfigFromEnv)('MESSENGER_REDIS');
-        this.pub = new ioredis_1.default((_a = env_1.default.MESSENGER_REDIS) !== null && _a !== void 0 ? _a : config);
-        this.sub = new ioredis_1.default((_b = env_1.default.MESSENGER_REDIS) !== null && _b !== void 0 ? _b : config);
-        this.namespace = (_c = env_1.default.MESSENGER_NAMESPACE) !== null && _c !== void 0 ? _c : 'directus';
+        this.pub = new ioredis_1.default(env_1.default.MESSENGER_REDIS ?? config);
+        this.sub = new ioredis_1.default(env_1.default.MESSENGER_REDIS ?? config);
+        this.namespace = env_1.default.MESSENGER_NAMESPACE ?? 'directus';
     }
     publish(channel, payload) {
         this.pub.publish(`${this.namespace}:${channel}`, JSON.stringify(payload));

package/dist/middleware/authenticate.d.ts

@@ -1,5 +1,5 @@
 /// <reference types="qs" />
-import { NextFunction, Request, Response } from 'express';
+import type { NextFunction, Request, Response } from 'express';
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */

package/dist/middleware/authenticate.js

@@ -23,9 +23,13 @@ const handler = async (req, res, next) => {
         admin: false,
         app: false,
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        defaultAccountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        defaultAccountability.origin = origin;
     const database = (0, database_1.default)();
     const customAccountability = await emitter_1.default.emitFilter('authenticate', defaultAccountability, {
         req,
@@ -42,12 +46,15 @@ const handler = async (req, res, next) => {
     if (req.token) {
         if ((0, is_directus_jwt_1.default)(req.token)) {
             const payload = (0, jwt_1.verifyAccessJWT)(req.token, env_1.default.SECRET);
-            req.accountability.share = payload.share;
-            req.accountability.share_scope = payload.share_scope;
-            req.accountability.user = payload.id;
             req.accountability.role = payload.role;
             req.accountability.admin = payload.admin_access === true || payload.admin_access == 1;
             req.accountability.app = payload.app_access === true || payload.app_access == 1;
+            if (payload.share)
+                req.accountability.share = payload.share;
+            if (payload.share_scope)
+                req.accountability.share_scope = payload.share_scope;
+            if (payload.id)
+                req.accountability.user = payload.id;
         }
         else {
             // Try finding the user with the provided token

package/dist/middleware/cache.d.ts

@@ -1,3 +1,3 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare const checkCacheMiddleware: RequestHandler;
 export default checkCacheMiddleware;

package/dist/middleware/cache.js

@@ -5,20 +5,20 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const cache_1 = require("../cache");
 const env_1 = __importDefault(require("../env"));
+const logger_1 = __importDefault(require("../logger"));
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const get_cache_headers_1 = require("../utils/get-cache-headers");
 const get_cache_key_1 = require("../utils/get-cache-key");
-const logger_1 = __importDefault(require("../logger"));
+const should_skip_cache_1 = require("../utils/should-skip-cache");
 const checkCacheMiddleware = (0, async_handler_1.default)(async (req, res, next) => {
-    var _a, _b, _c, _d;
     const { cache } = (0, cache_1.getCache)();
-    if (req.method.toLowerCase() !== 'get' && ((_a = req.originalUrl) === null || _a === void 0 ? void 0 : _a.startsWith('/graphql')) === false)
+    if (req.method.toLowerCase() !== 'get' && req.originalUrl?.startsWith('/graphql') === false)
         return next();
     if (env_1.default.CACHE_ENABLED !== true)
         return next();
     if (!cache)
         return next();
-    if (((_b = req.headers['cache-control']) === null || _b === void 0 ? void 0 : _b.includes('no-store')) || ((_c = req.headers['Cache-Control']) === null || _c === void 0 ? void 0 : _c.includes('no-store'))) {
+    if ((0, should_skip_cache_1.shouldSkipCache)(req)) {
         if (env_1.default.CACHE_STATUS_HEADER)
             res.setHeader(`${env_1.default.CACHE_STATUS_HEADER}`, 'MISS');
         return next();
@@ -37,7 +37,7 @@ const checkCacheMiddleware = (0, async_handler_1.default)(async (req, res, next)
     if (cachedData) {
         let cacheExpiryDate;
         try {
-            cacheExpiryDate = (_d = (await (0, cache_1.getCacheValue)(cache, `${key}__expires_at`))) === null || _d === void 0 ? void 0 : _d.exp;
+            cacheExpiryDate = (await (0, cache_1.getCacheValue)(cache, `${key}__expires_at`))?.exp;
         }
         catch (err) {
             logger_1.default.warn(err, `[cache] Couldn't read key ${`${key}__expires_at`}. ${err.message}`);
@@ -45,8 +45,8 @@ const checkCacheMiddleware = (0, async_handler_1.default)(async (req, res, next)
                 res.setHeader(`${env_1.default.CACHE_STATUS_HEADER}`, 'MISS');
             return next();
         }
-        const cacheTTL = cacheExpiryDate ? cacheExpiryDate - Date.now() : null;
-        res.setHeader('Cache-Control', (0, get_cache_headers_1.getCacheControlHeader)(req, cacheTTL));
+        const cacheTTL = cacheExpiryDate ? cacheExpiryDate - Date.now() : undefined;
+        res.setHeader('Cache-Control', (0, get_cache_headers_1.getCacheControlHeader)(req, cacheTTL, true, true));
         res.setHeader('Vary', 'Origin, Cache-Control');
         if (env_1.default.CACHE_STATUS_HEADER)
             res.setHeader(`${env_1.default.CACHE_STATUS_HEADER}`, 'HIT');

package/dist/middleware/check-ip.d.ts

@@ -1,2 +1,2 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 export declare const checkIP: RequestHandler;

package/dist/middleware/check-ip.js

@@ -17,7 +17,7 @@ exports.checkIP = (0, async_handler_1.default)(async (req, _res, next) => {
         query.whereNull('id');
     }
     const role = await query.first();
-    const ipAllowlist = ((role === null || role === void 0 ? void 0 : role.ip_access) || '').split(',').filter((ip) => ip);
+    const ipAllowlist = (role?.ip_access || '').split(',').filter((ip) => ip);
     if (ipAllowlist.length > 0 && ipAllowlist.includes(req.accountability.ip) === false)
         throw new exceptions_1.InvalidIPException();
     return next();

package/dist/middleware/collection-exists.d.ts

@@ -1,6 +1,6 @@
 /**
  * Check if requested collection exists, and save it to req.collection
  */
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare const collectionExists: RequestHandler;
 export default collectionExists;

package/dist/middleware/collection-exists.js

@@ -18,9 +18,9 @@ const collectionExists = (0, async_handler_1.default)(async (req, res, next) =>
     req.collection = req.params.collection;
     if (req.collection.startsWith('directus_')) {
         const systemRow = collections_1.systemCollectionRows.find((collection) => {
-            return (collection === null || collection === void 0 ? void 0 : collection.collection) === req.collection;
+            return collection?.collection === req.collection;
         });
-        req.singleton = !!(systemRow === null || systemRow === void 0 ? void 0 : systemRow.singleton);
+        req.singleton = !!systemRow?.singleton;
     }
     else {
         req.singleton = req.schema.collections[req.collection].singleton;

package/dist/middleware/cors.d.ts

@@ -1,3 +1,3 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare let corsMiddleware: RequestHandler;
 export default corsMiddleware;

package/dist/middleware/error-handler.d.ts

@@ -1,3 +1,3 @@
-import { ErrorRequestHandler } from 'express';
+import type { ErrorRequestHandler } from 'express';
 declare const errorHandler: ErrorRequestHandler;
 export default errorHandler;

package/dist/middleware/error-handler.js

@@ -3,22 +3,21 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const exceptions_1 = require("@directus/shared/exceptions");
+const utils_1 = require("@directus/shared/utils");
+const database_1 = __importDefault(require("../database"));
 const emitter_1 = __importDefault(require("../emitter"));
 const env_1 = __importDefault(require("../env"));
-const exceptions_1 = require("../exceptions");
-const exceptions_2 = require("@directus/shared/exceptions");
+const exceptions_2 = require("../exceptions");
 const logger_1 = __importDefault(require("../logger"));
-const utils_1 = require("@directus/shared/utils");
-const database_1 = __importDefault(require("../database"));
 // Note: keep all 4 parameters here. That's how Express recognizes it's the error handler, even if
 // we don't use next
 const errorHandler = (err, req, res, _next) => {
-    var _a, _b;
     let payload = {
         errors: [],
     };
     const errors = (0, utils_1.toArray)(err);
-    if (errors.some((err) => err instanceof exceptions_2.BaseException === false)) {
+    if (errors.some((err) => err instanceof exceptions_1.BaseException === false)) {
         res.status(500);
     }
     else {
@@ -39,7 +38,7 @@ const errorHandler = (err, req, res, _next) => {
                 stack: err.stack,
             };
         }
-        if (err instanceof exceptions_2.BaseException) {
+        if (err instanceof exceptions_1.BaseException) {
             logger_1.default.debug(err);
             res.status(err.status);
             payload.errors.push({
@@ -49,14 +48,14 @@ const errorHandler = (err, req, res, _next) => {
                     ...err.extensions,
                 },
             });
-            if (err instanceof exceptions_1.MethodNotAllowedException) {
+            if (err instanceof exceptions_2.MethodNotAllowedException) {
                 res.header('Allow', err.extensions.allow.join(', '));
             }
         }
         else {
             logger_1.default.error(err);
             res.status(500);
-            if (((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.admin) === true) {
+            if (req.accountability?.admin === true) {
                 payload = {
                     errors: [
                         {
@@ -87,7 +86,7 @@ const errorHandler = (err, req, res, _next) => {
         .emitFilter('request.error', payload.errors, {}, {
         database: (0, database_1.default)(),
         schema: req.schema,
-        accountability: (_b = req.accountability) !== null && _b !== void 0 ? _b : null,
+        accountability: req.accountability ?? null,
     })
         .then(() => {
         return res.json(payload);

package/dist/middleware/extract-token.d.ts

@@ -6,6 +6,6 @@
  *
  * and store in req.token
  */
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare const extractToken: RequestHandler;
 export default extractToken;

package/dist/middleware/get-permissions.d.ts

@@ -1,3 +1,3 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare const getPermissions: RequestHandler;
 export default getPermissions;

package/dist/middleware/graphql.d.ts

@@ -1,2 +1,2 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 export declare const parseGraphQL: RequestHandler;

package/dist/middleware/graphql.js

@@ -49,13 +49,13 @@ exports.parseGraphQL = (0, async_handler_1.default)(async (req, res, next) => {
     }
     const operationAST = (0, graphql_1.getOperationAST)(document, operationName);
     // You can only do `query` through GET
-    if (req.method === 'GET' && (operationAST === null || operationAST === void 0 ? void 0 : operationAST.operation) !== 'query') {
-        throw new exceptions_1.MethodNotAllowedException(`Can only perform a ${operationAST === null || operationAST === void 0 ? void 0 : operationAST.operation} from a POST request.`, {
+    if (req.method === 'GET' && operationAST?.operation !== 'query') {
+        throw new exceptions_1.MethodNotAllowedException(`Can only perform a ${operationAST?.operation} from a POST request.`, {
             allow: ['POST'],
         });
     }
     // Prevent caching responses when mutations are made
-    if ((operationAST === null || operationAST === void 0 ? void 0 : operationAST.operation) === 'mutation') {
+    if (operationAST?.operation === 'mutation') {
         res.locals.cache = false;
     }
     res.locals.graphqlParams = { document, query, variables, operationName, contextValue: { req, res } };

package/dist/middleware/rate-limiter-global.d.ts

@@ -0,0 +1,5 @@
+import type { RequestHandler } from 'express';
+import type { RateLimiterMemcache, RateLimiterMemory, RateLimiterRedis } from 'rate-limiter-flexible';
+declare let checkRateLimit: RequestHandler;
+export declare let rateLimiterGlobal: RateLimiterRedis | RateLimiterMemcache | RateLimiterMemory;
+export default checkRateLimit;

package/dist/middleware/rate-limiter-global.js

@@ -0,0 +1,48 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rateLimiterGlobal = void 0;
+const ms_1 = __importDefault(require("ms"));
+const env_1 = __importDefault(require("../env"));
+const index_1 = require("../exceptions/index");
+const logger_1 = __importDefault(require("../logger"));
+const rate_limiter_1 = require("../rate-limiter");
+const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const validate_env_1 = require("../utils/validate-env");
+const RATE_LIMITER_GLOBAL_KEY = 'global-rate-limit';
+let checkRateLimit = (_req, _res, next) => next();
+if (env_1.default.RATE_LIMITER_GLOBAL_ENABLED === true) {
+    (0, validate_env_1.validateEnv)(['RATE_LIMITER_GLOBAL_STORE', 'RATE_LIMITER_GLOBAL_DURATION', 'RATE_LIMITER_GLOBAL_POINTS']);
+    validateConfiguration();
+    exports.rateLimiterGlobal = (0, rate_limiter_1.createRateLimiter)('RATE_LIMITER_GLOBAL');
+    checkRateLimit = (0, async_handler_1.default)(async (_req, res, next) => {
+        try {
+            await exports.rateLimiterGlobal.consume(RATE_LIMITER_GLOBAL_KEY, 1);
+        }
+        catch (rateLimiterRes) {
+            if (rateLimiterRes instanceof Error)
+                throw rateLimiterRes;
+            res.set('Retry-After', String(Math.round(rateLimiterRes.msBeforeNext / 1000)));
+            throw new index_1.HitRateLimitException(`Too many requests, retry after ${(0, ms_1.default)(rateLimiterRes.msBeforeNext)}.`, {
+                limit: +env_1.default.RATE_LIMITER_GLOBAL_POINTS,
+                reset: new Date(Date.now() + rateLimiterRes.msBeforeNext),
+            });
+        }
+        next();
+    });
+}
+exports.default = checkRateLimit;
+function validateConfiguration() {
+    if (env_1.default.RATE_LIMITER_ENABLED !== true) {
+        logger_1.default.error(`The IP based rate limiter needs to be enabled when using the global rate limiter.`);
+        process.exit(1);
+    }
+    const globalPointsPerSec = Number(env_1.default.RATE_LIMITER_GLOBAL_POINTS) / Math.max(Number(env_1.default.RATE_LIMITER_GLOBAL_DURATION), 1);
+    const regularPointsPerSec = Number(env_1.default.RATE_LIMITER_POINTS) / Math.max(Number(env_1.default.RATE_LIMITER_DURATION), 1);
+    if (globalPointsPerSec <= regularPointsPerSec) {
+        logger_1.default.error(`The global rate limiter needs to allow more requests per second than the IP based rate limiter.`);
+        process.exit(1);
+    }
+}

package/dist/middleware/{rate-limiter.d.ts → rate-limiter-ip.d.ts}

@@ -1,5 +1,5 @@
-import { RequestHandler } from 'express';
-import { RateLimiterMemcache, RateLimiterMemory, RateLimiterRedis } from 'rate-limiter-flexible';
+import type { RequestHandler } from 'express';
+import type { RateLimiterMemcache, RateLimiterMemory, RateLimiterRedis } from 'rate-limiter-flexible';
 declare let checkRateLimit: RequestHandler;
 export declare let rateLimiter: RateLimiterRedis | RateLimiterMemcache | RateLimiterMemory;
 export default checkRateLimit;

package/dist/middleware/{rate-limiter.js → rate-limiter-ip.js}

@@ -11,10 +11,10 @@ const rate_limiter_1 = require("../rate-limiter");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const get_ip_from_req_1 = require("../utils/get-ip-from-req");
 const validate_env_1 = require("../utils/validate-env");
-let checkRateLimit = (req, res, next) => next();
+let checkRateLimit = (_req, _res, next) => next();
 if (env_1.default.RATE_LIMITER_ENABLED === true) {
     (0, validate_env_1.validateEnv)(['RATE_LIMITER_STORE', 'RATE_LIMITER_DURATION', 'RATE_LIMITER_POINTS']);
-    exports.rateLimiter = (0, rate_limiter_1.createRateLimiter)();
+    exports.rateLimiter = (0, rate_limiter_1.createRateLimiter)('RATE_LIMITER');
     checkRateLimit = (0, async_handler_1.default)(async (req, res, next) => {
         try {
             await exports.rateLimiter.consume((0, get_ip_from_req_1.getIPFromReq)(req), 1);
@@ -22,7 +22,7 @@ if (env_1.default.RATE_LIMITER_ENABLED === true) {
         catch (rateLimiterRes) {
             if (rateLimiterRes instanceof Error)
                 throw rateLimiterRes;
-            res.set('Retry-After', String(rateLimiterRes.msBeforeNext / 1000));
+            res.set('Retry-After', String(Math.round(rateLimiterRes.msBeforeNext / 1000)));
             throw new exceptions_1.HitRateLimitException(`Too many requests, retry after ${(0, ms_1.default)(rateLimiterRes.msBeforeNext)}.`, {
                 limit: +env_1.default.RATE_LIMITER_POINTS,
                 reset: new Date(Date.now() + rateLimiterRes.msBeforeNext),

package/dist/middleware/respond.d.ts

@@ -1,2 +1,2 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 export declare const respond: RequestHandler;

package/dist/middleware/respond.js

@@ -4,19 +4,18 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.respond = void 0;
-const ms_1 = __importDefault(require("ms"));
+const bytes_1 = require("bytes");
 const cache_1 = require("../cache");
 const env_1 = __importDefault(require("../env"));
-const async_handler_1 = __importDefault(require("../utils/async-handler"));
-const get_cache_key_1 = require("../utils/get-cache-key");
-const get_cache_headers_1 = require("../utils/get-cache-headers");
 const logger_1 = __importDefault(require("../logger"));
 const services_1 = require("../services");
+const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const get_cache_headers_1 = require("../utils/get-cache-headers");
+const get_cache_key_1 = require("../utils/get-cache-key");
 const get_date_formatted_1 = require("../utils/get-date-formatted");
+const get_milliseconds_1 = require("../utils/get-milliseconds");
 const get_string_byte_size_1 = require("../utils/get-string-byte-size");
-const bytes_1 = require("bytes");
 exports.respond = (0, async_handler_1.default)(async (req, res) => {
-    var _a, _b, _c, _d;
     const { cache } = (0, cache_1.getCache)();
     let exceedsMaxSize = false;
     if (env_1.default.CACHE_VALUE_MAX_SIZE !== false) {
@@ -24,7 +23,7 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         const maxSize = (0, bytes_1.parse)(env_1.default.CACHE_VALUE_MAX_SIZE);
         exceedsMaxSize = valueSize > maxSize;
     }
-    if ((req.method.toLowerCase() === 'get' || ((_a = req.originalUrl) === null || _a === void 0 ? void 0 : _a.startsWith('/graphql'))) &&
+    if ((req.method.toLowerCase() === 'get' || req.originalUrl?.startsWith('/graphql')) &&
         env_1.default.CACHE_ENABLED === true &&
         cache &&
         !req.sanitizedQuery.export &&
@@ -32,13 +31,13 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         exceedsMaxSize === false) {
         const key = (0, get_cache_key_1.getCacheKey)(req);
         try {
-            await (0, cache_1.setCacheValue)(cache, key, res.locals.payload, (0, ms_1.default)(env_1.default.CACHE_TTL));
-            await (0, cache_1.setCacheValue)(cache, `${key}__expires_at`, { exp: Date.now() + (0, ms_1.default)(env_1.default.CACHE_TTL) });
+            await (0, cache_1.setCacheValue)(cache, key, res.locals.payload, (0, get_milliseconds_1.getMilliseconds)(env_1.default.CACHE_TTL));
+            await (0, cache_1.setCacheValue)(cache, `${key}__expires_at`, { exp: Date.now() + (0, get_milliseconds_1.getMilliseconds)(env_1.default.CACHE_TTL, 0) });
         }
         catch (err) {
             logger_1.default.warn(err, `[cache] Couldn't set key ${key}. ${err}`);
         }
-        res.setHeader('Cache-Control', (0, get_cache_headers_1.getCacheControlHeader)(req, (0, ms_1.default)(env_1.default.CACHE_TTL)));
+        res.setHeader('Cache-Control', (0, get_cache_headers_1.getCacheControlHeader)(req, (0, get_milliseconds_1.getMilliseconds)(env_1.default.CACHE_TTL), true, true));
         res.setHeader('Vary', 'Origin, Cache-Control');
     }
     else {
@@ -47,7 +46,7 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         res.setHeader('Vary', 'Origin, Cache-Control');
     }
     if (req.sanitizedQuery.export) {
-        const exportService = new services_1.ExportService({ accountability: req.accountability, schema: req.schema });
+        const exportService = new services_1.ExportService({ accountability: req.accountability ?? null, schema: req.schema });
         let filename = '';
         if (req.collection) {
             filename += req.collection;
@@ -59,17 +58,22 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         if (req.sanitizedQuery.export === 'json') {
             res.attachment(`${filename}.json`);
             res.set('Content-Type', 'application/json');
-            return res.status(200).send(exportService.transform((_b = res.locals.payload) === null || _b === void 0 ? void 0 : _b.data, 'json'));
+            return res.status(200).send(exportService.transform(res.locals.payload?.data, 'json'));
         }
         if (req.sanitizedQuery.export === 'xml') {
             res.attachment(`${filename}.xml`);
             res.set('Content-Type', 'text/xml');
-            return res.status(200).send(exportService.transform((_c = res.locals.payload) === null || _c === void 0 ? void 0 : _c.data, 'xml'));
+            return res.status(200).send(exportService.transform(res.locals.payload?.data, 'xml'));
         }
         if (req.sanitizedQuery.export === 'csv') {
             res.attachment(`${filename}.csv`);
             res.set('Content-Type', 'text/csv');
-            return res.status(200).send(exportService.transform((_d = res.locals.payload) === null || _d === void 0 ? void 0 : _d.data, 'csv'));
+            return res.status(200).send(exportService.transform(res.locals.payload?.data, 'csv'));
+        }
+        if (req.sanitizedQuery.export === 'yaml') {
+            res.attachment(`${filename}.yaml`);
+            res.set('Content-Type', 'text/yaml');
+            return res.status(200).send(exportService.transform(res.locals.payload?.data, 'yaml'));
         }
     }
     if (Buffer.isBuffer(res.locals.payload)) {

package/dist/middleware/sanitize-query.d.ts

@@ -2,6 +2,6 @@
  * Sanitize query parameters.
  * This ensures that query params are formatted and ready to go for the services.
  */
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare const sanitizeQueryMiddleware: RequestHandler;
 export default sanitizeQueryMiddleware;

package/dist/middleware/schema.d.ts

@@ -1,3 +1,3 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare const schema: RequestHandler;
 export default schema;

package/dist/middleware/use-collection.d.ts

@@ -2,6 +2,6 @@
  * Set req.collection for use in other middleware. Used as an alternative on validate-collection for
  * system collections
  */
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 declare const useCollection: (collection: string) => RequestHandler;
 export default useCollection;

package/dist/operations/condition/index.d.ts

@@ -1,4 +1,4 @@
-import { Filter } from '@directus/shared/types';
+import type { Filter } from '@directus/shared/types';
 type Options = {
     filter: Filter;
 };

package/dist/operations/exec/index.js

@@ -2,21 +2,32 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const utils_1 = require("@directus/shared/utils");
 const vm2_1 = require("vm2");
+const node_module_1 = require("node:module");
 exports.default = (0, utils_1.defineOperationApi)({
     id: 'exec',
     handler: async ({ code }, { data, env }) => {
-        var _a;
         const allowedModules = env.FLOWS_EXEC_ALLOWED_MODULES ? (0, utils_1.toArray)(env.FLOWS_EXEC_ALLOWED_MODULES) : [];
-        const allowedEnv = (_a = data.$env) !== null && _a !== void 0 ? _a : {};
+        const allowedModulesBuiltIn = [];
+        const allowedModulesExternal = [];
+        const allowedEnv = data.$env ?? {};
         const opts = {
             eval: false,
             wasm: false,
             env: allowedEnv,
         };
+        for (const module of allowedModules) {
+            if ((0, node_module_1.isBuiltin)(module)) {
+                allowedModulesBuiltIn.push(module);
+            }
+            else {
+                allowedModulesExternal.push(module);
+            }
+        }
         if (allowedModules.length > 0) {
             opts.require = {
+                builtin: allowedModulesBuiltIn,
                 external: {
-                    modules: allowedModules,
+                    modules: allowedModulesExternal,
                     transitive: false,
                 },
             };

package/dist/operations/item-create/index.js

@@ -6,7 +6,6 @@ const get_accountability_for_role_1 = require("../../utils/get-accountability-fo
 exports.default = (0, utils_1.defineOperationApi)({
     id: 'item-create',
     handler: async ({ collection, payload, emitEvents, permissions }, { accountability, database, getSchema }) => {
-        var _a;
         const schema = await getSchema({ database });
         let customAccountability;
         if (!permissions || permissions === '$trigger') {
@@ -26,7 +25,7 @@ exports.default = (0, utils_1.defineOperationApi)({
             accountability: customAccountability,
             knex: database,
         });
-        const payloadObject = (_a = (0, utils_1.optionToObject)(payload)) !== null && _a !== void 0 ? _a : null;
+        const payloadObject = (0, utils_1.optionToObject)(payload) ?? null;
         let result;
         if (!payloadObject) {
             result = null;

package/dist/operations/item-delete/index.d.ts

@@ -1,4 +1,4 @@
-import { PrimaryKey } from '@directus/shared/types';
+import type { PrimaryKey } from '@directus/shared/types';
 type Options = {
     collection: string;
     key?: PrimaryKey | PrimaryKey[] | null;

package/dist/operations/item-read/index.d.ts

@@ -1,4 +1,4 @@
-import { PrimaryKey } from '@directus/shared/types';
+import type { PrimaryKey } from '@directus/shared/types';
 type Options = {
     collection: string;
     key?: PrimaryKey | PrimaryKey[] | null;

package/dist/operations/item-update/index.d.ts

@@ -1,4 +1,4 @@
-import { PrimaryKey } from '@directus/shared/types';
+import type { PrimaryKey } from '@directus/shared/types';
 type Options = {
     collection: string;
     key?: PrimaryKey | PrimaryKey[] | null;

package/dist/operations/item-update/index.js

@@ -7,7 +7,6 @@ const sanitize_query_1 = require("../../utils/sanitize-query");
 exports.default = (0, utils_1.defineOperationApi)({
     id: 'item-update',
     handler: async ({ collection, key, payload, query, emitEvents, permissions }, { accountability, database, getSchema }) => {
-        var _a;
         const schema = await getSchema({ database });
         let customAccountability;
         if (!permissions || permissions === '$trigger') {
@@ -27,7 +26,7 @@ exports.default = (0, utils_1.defineOperationApi)({
             accountability: customAccountability,
             knex: database,
         });
-        const payloadObject = (_a = (0, utils_1.optionToObject)(payload)) !== null && _a !== void 0 ? _a : null;
+        const payloadObject = (0, utils_1.optionToObject)(payload) ?? null;
         const queryObject = query ? (0, utils_1.optionToObject)(query) : {};
         const sanitizedQueryObject = (0, sanitize_query_1.sanitizeQuery)(queryObject, customAccountability);
         if (!payloadObject) {