@de-otio/trellis 0.6.1 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +5 -3
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
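--- a/package/dist/lib/user-deprovisioning.js
+++ b/package/dist/lib/user-deprovisioning.js
@@ -12,6 +12,7 @@ const database_connection_manager_1 = require("./database-connection-manager");
 const db_query_helper_1 = require("./db-query-helper");
 const security_monitor_1 = require("./security-monitor");
 const logger_1 = require("./logger");
+const claims_cache_1 = require("./auth/claims-cache");
 /**
  * User Deprovisioning Handler
  */
@@ -29,6 +30,11 @@ class UserDeprovisioning {
     async suspendUser(userId, reason, env) {
         const db = (0, db_1.createPrisma)(env);
         try {
+            // Fetch cognitoSub before update so we can invalidate the claim cache.
+            const userRow = await db.user.findUnique({
+                where: { id: userId },
+                select: { cognitoSub: true },
+            });
             // Update user to suspended
             await db.user.update({
                 where: { id: userId },
@@ -38,6 +44,18 @@ class UserDeprovisioning {
                     suspendedReason: `${reason.type}: ${reason.description}`,
                 },
             });
+            // Invalidate DDB claim cache so the next token refresh reflects the suspension.
+            // Mitigation for G2 H3: suspended users that still have a cached token would
+            // bypass the suspension check for up to CACHE_TTL seconds without this call.
+            if (userRow?.cognitoSub) {
+                try {
+                    const cache = (0, claims_cache_1.createClaimsCacheFromEnv)();
+                    await cache.invalidate(userRow.cognitoSub);
+                }
+                catch {
+                    // Best-effort — don't block suspension if DDB is unavailable.
+                }
+            }
             // Log security event
             await this.securityMonitor.logSecurityEvent({
                 type: "suspicious_activity",
@@ -59,7 +77,17 @@ class UserDeprovisioning {
         }
     }
     /**
-     * Check if user is suspended
+     * Check if user is suspended.
+     *
+     * Fail-open is intentional and required: this is a best-effort hint used by
+     * non-critical paths (e.g. surfacing a banner to operators). The
+     * authoritative gate is the pre-token-generation Lambda, which already
+     * blocks token issuance for suspended users on the next refresh
+     * (see lambda/pre-token-generation.ts — the cache TTL bounds the
+     * window). Failing closed here would convert a transient RDS hiccup
+     * into a denial-of-service against legitimate users; the security
+     * properties hold via the pre-token path. Do not change to fail-closed
+     * without first moving the authoritative check off the RDS critical path.
      */
     async isUserSuspended(userId, env, region = "US") {
         try {
@@ -82,7 +110,8 @@ class UserDeprovisioning {
         }
         catch (error) {
             this.logger.error("[UserDeprovisioning] Failed to check suspension status:", error);
-
+            // Fail open — see method-level docstring above for rationale.
+            return false;
         }
     }
     /**
@@ -91,6 +120,11 @@ class UserDeprovisioning {
     async restoreUser(userId, reason, initiatedBy, env) {
         const db = (0, db_1.createPrisma)(env);
         try {
+            // Fetch cognitoSub before update so we can invalidate the claim cache.
+            const userRow = await db.user.findUnique({
+                where: { id: userId },
+                select: { cognitoSub: true },
+            });
             await db.user.update({
                 where: { id: userId },
                 data: {
@@ -99,6 +133,16 @@ class UserDeprovisioning {
                     suspendedReason: null,
                 },
             });
+            // Invalidate DDB claim cache so the next token refresh can succeed with restored status.
+            if (userRow?.cognitoSub) {
+                try {
+                    const cache = (0, claims_cache_1.createClaimsCacheFromEnv)();
+                    await cache.invalidate(userRow.cognitoSub);
+                }
+                catch {
+                    // Best-effort.
+                }
+            }
             // Log security event
             await this.securityMonitor.logSecurityEvent({
                 type: "suspicious_activity",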
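Review bot: The bare `catch { }` around the claims-cache invalidation in suspendUser (new lines 55-57, hunk `@@ -38,6 +44,18 @@`) swallows the failure silently, so a DynamoDB outage leaves the suspended user's cached claims valid for up to CACHE_TTL with no log line telling operators that the suspension has not propagated. Since this call exists specifically to close that window (per the G2 H3 comment), the failure should at least be logged with the userId via the logger this class already uses, e.g. `catch (err) { this.logger.warn("[UserDeprovisioning] Claims cache invalidation failed; suspension takes effect after CACHE_TTL", err); }`, so the residual window is observable and alertable rather than invisible. The same silent catch recurs in the restoreUser hunk (`@@ -99,6 +133,16 @@`), where it is less severe but still hides a real failure. The enclosing suspendUser method continues outside the hunk.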
@@ -1 +1 @@
1
-
{"version":3,"file":"user-deprovisioning.js","sourceRoot":"","sources":["../../src/lib/user-deprovisioning.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,8BAAqC;AACrC,+EAAgF;AAChF,uDAG2B;AAC3B,yDAAqD;AACrD,qCAAkD;
1
+
{"version":3,"file":"user-deprovisioning.js","sourceRoot":"","sources":["../../src/lib/user-deprovisioning.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,8BAAqC;AACrC,+EAAgF;AAChF,uDAG2B;AAC3B,yDAAqD;AACrD,qCAAkD;AAClD,sDAA+D;AAa/D;;GAEG;AACH,MAAa,kBAAkB;IACrB,eAAe,CAAkB;IACjC,MAAM,CAAS;IAEvB,YAAY,GAAe;QACzB,IAAI,CAAC,eAAe,GAAG,IAAI,kCAAe,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,GAAG,eAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CACf,MAAc,EACd,MAAyB,EACzB,GAAQ;QAER,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,uEAAuE;YACvE,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;gBACvC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;gBACrB,MAAM,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aAC7B,CAAC,CAAC;YAEH,2BAA2B;YAC3B,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;gBACnB,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;gBACrB,IAAI,EAAE;oBACJ,SAAS,EAAE,IAAI;oBACf,WAAW,EAAE,IAAI,IAAI,EAAE;oBACvB,eAAe,EAAE,GAAG,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,WAAW,EAAE;iBACzD;aACF,CAAC,CAAC;YAEH,gFAAgF;YAChF,6EAA6E;YAC7E,6EAA6E;YAC7E,IAAI,OAAO,EAAE,UAAU,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAA,uCAAwB,GAAE,CAAC;oBACzC,MAAM,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAC7C,CAAC;gBAAC,MAAM,CAAC;oBACP,8DAA8D;gBAChE,CAAC;YACH,CAAC;YAED,qBAAqB;YACrB,MAAM,IAAI,CAAC,eAAe,CAAC,gBAAgB,CACzC;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,QAAQ,EAAE,MAAM;gBAChB,MAAM;gBACN,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE;oBACR,MAAM,EAAE,gBAAgB;oBACxB,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;iBAChC;aACF,EACD,GAAG,CACJ,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,6BAA6B,MAAM,eAAe,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,WAAW,EAAE,CACxF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8CAA8C,EAAE,KAAK,CAAC,CAAC;YACzE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,GAAQ,EACR,SAAiB,IAAI;QAErB,IAAI,CAAC;YACH,qCAAqC;YACrC,MAAM,SAAS,GAAG,6DAA+B,CAAC;YAElD,MAAM,IAAI,GAAG,MAAM,IAAA,0CAAwB,EAGzC,SAAS,EACT,MAAM,EACN,GAAG,EACH,KAAK,EAAE,MAAM,EAA
E,EAAE;gBACf,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;oBAC5B,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;oBACrB,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE;iBAC5B,CAAC,CAAC;YACL,CAAC,EACD;gBACE,GAAG,qCAAmB,CAAC,QAAQ,EAAE,6CAA6C;gBAC9E,YAAY,EAAE,IAAI,EAAE,8DAA8D;gBAClF,OAAO,EAAE;oBACP,SAAS,EAAE,iBAAiB;oBAC5B,MAAM;iBACP;aACF,CACF,CAAC;YAEF,OAAO,IAAI,IAAI,WAAW,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;QAC9D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,yDAAyD,EACzD,KAAK,CACN,CAAC;YACF,8DAA8D;YAC9D,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CACf,MAAc,EACd,MAAc,EACd,WAAmB,EACnB,GAAQ;QAER,MAAM,EAAE,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,uEAAuE;YACvE,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;gBACvC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;gBACrB,MAAM,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aAC7B,CAAC,CAAC;YAEH,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;gBACnB,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;gBACrB,IAAI,EAAE;oBACJ,SAAS,EAAE,KAAK;oBAChB,WAAW,EAAE,IAAI;oBACjB,eAAe,EAAE,IAAI;iBACtB;aACF,CAAC,CAAC;YAEH,yFAAyF;YACzF,IAAI,OAAO,EAAE,UAAU,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAA,uCAAwB,GAAE,CAAC;oBACzC,MAAM,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAC7C,CAAC;gBAAC,MAAM,CAAC;oBACP,eAAe;gBACjB,CAAC;YACH,CAAC;YAED,qBAAqB;YACrB,MAAM,IAAI,CAAC,eAAe,CAAC,gBAAgB,CACzC;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,QAAQ,EAAE,QAAQ;gBAClB,MAAM;gBACN,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE;oBACR,MAAM,EAAE,eAAe;oBACvB,MAAM;oBACN,WAAW;iBACZ;aACF,EACD,GAAG,CACJ,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,6BAA6B,MAAM,gBAAgB,WAAW,KAAK,MAAM,EAAE,CAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8CAA8C,EAAE,KAAK,CAAC,CAAC;YACzE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CACxB,MAAc,EACd,QAAgB,EAChB,GAAQ;QAER,+DAA+D;QAC/D,8DAA8D;QAC9D,sDAAsD;QAEtD,sEAAsE;QACtE,oCAAoC;QACpC,kDAAkD;QAClD,8DAA8D;QAC9D,4DAA4D;QAE5D,OAAO,IAAI,CAAC,CAAC,6BAA6B;IAC5C,CAAC;CACF;AArND,gDAqNC"}
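--- a/package/dist/lib/validation/feature-toggle-schemas.d.ts
+++ b/package/dist/lib/validation/feature-toggle-schemas.d.ts
@@ -110,7 +110,7 @@ export declare const FeatureToggleStateConfigSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     region: "US" | "EU" | "CN";
     enabled: boolean;
-    state: "
+    state: "DISABLED" | "ENABLED" | "GRADUAL";
     percentage: number;
     targeting?: {
         value: string;
@@ -120,7 +120,7 @@ export declare const FeatureToggleStateConfigSchema: z.ZodObject<{
 }, {
     region: "US" | "EU" | "CN";
     enabled: boolean;
-    state: "
+    state: "DISABLED" | "ENABLED" | "GRADUAL";
     percentage: number;
     targeting?: {
         value: string;
@@ -166,7 +166,7 @@ export declare const CreateToggleSchema: z.ZodEffects<z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     region: "US" | "EU" | "CN";
     enabled: boolean;
-    state: "
+    state: "DISABLED" | "ENABLED" | "GRADUAL";
     percentage: number;
     targeting?: {
         value: string;
@@ -176,7 +176,7 @@ export declare const CreateToggleSchema: z.ZodEffects<z.ZodObject<{
 }, {
     region: "US" | "EU" | "CN";
     enabled: boolean;
-    state: "
+    state: "DISABLED" | "ENABLED" | "GRADUAL";
     percentage: number;
     targeting?: {
         value: string;
@@ -193,7 +193,7 @@ export declare const CreateToggleSchema: z.ZodEffects<z.ZodObject<{
     initialStates?: {
         region: "US" | "EU" | "CN";
         enabled: boolean;
-        state: "
+        state: "DISABLED" | "ENABLED" | "GRADUAL";
         percentage: number;
         targeting?: {
             value: string;
@@ -210,7 +210,7 @@ export declare const CreateToggleSchema: z.ZodEffects<z.ZodObject<{
     initialStates?: {
         region: "US" | "EU" | "CN";
         enabled: boolean;
-        state: "
+        state: "DISABLED" | "ENABLED" | "GRADUAL";
         percentage: number;
         targeting?: {
             value: string;
@@ -227,7 +227,7 @@ export declare const CreateToggleSchema: z.ZodEffects<z.ZodObject<{
     initialStates?: {
         region: "US" | "EU" | "CN";
         enabled: boolean;
-        state: "
+        state: "DISABLED" | "ENABLED" | "GRADUAL";
         percentage: number;
         targeting?: {
             value: string;
@@ -244,7 +244,7 @@ export declare const CreateToggleSchema: z.ZodEffects<z.ZodObject<{
     initialStates?: {
         region: "US" | "EU" | "CN";
         enabled: boolean;
-        state: "
+        state: "DISABLED" | "ENABLED" | "GRADUAL";
         percentage: number;
         targeting?: {
             value: string;
@@ -317,7 +317,7 @@ export declare const UpdateToggleStateSchema: z.ZodObject<{
     region: "US" | "EU" | "CN";
     reason?: string | undefined;
     enabled?: boolean | undefined;
-    state?: "
+    state?: "DISABLED" | "ENABLED" | "GRADUAL" | undefined;
     percentage?: number | undefined;
     targeting?: {
         value: string;
@@ -328,7 +328,7 @@ export declare const UpdateToggleStateSchema: z.ZodObject<{
     region: "US" | "EU" | "CN";
     reason?: string | undefined;
     enabled?: boolean | undefined;
-    state?: "
+    state?: "DISABLED" | "ENABLED" | "GRADUAL" | undefined;
     percentage?: number | undefined;
     targeting?: {
         value: string;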
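--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@de-otio/trellis",
-  "version": "0.
+  "version": "0.7.0",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "files": [
@@ -20,6 +20,7 @@
     "test:coverage": "vitest run --coverage",
     "test:integration": "vitest run --config vitest.integration.config.ts",
     "test:graph": "vitest run --config vitest.graph.config.ts",
+    "test:schema": "vitest run --config vitest.schema.config.ts",
     "test:e2e": "vitest run --config vitest.e2e.config.ts",
     "test:e2e:smoke": "E2E_SHARD=smoke vitest run --config vitest.e2e.smoke.config.ts",
     "test:e2e:crud": "E2E_SHARD=crud E2E_USER_COUNT=2 vitest run --config vitest.e2e.crud.config.ts",
@@ -48,11 +49,11 @@
     "@aws-sdk/client-ssm": "^3.0.0",
     "@aws-sdk/s3-request-presigner": "^3.0.0",
     "@aws-sdk/util-dynamodb": "^3.0.0",
+    "@de-otio/trellis-extension-api": "^0.2.0",
     "@fedify/fedify": "^1.0.0",
     "@prisma/adapter-pg": "^6.0.0",
     "@prisma/client": "^6.0.0",
     "@prisma/extension-accelerate": "^1.0.0",
-    "@de-otio/trellis-extension-api": "^0.2.0",
     "aws-jwt-verify": "^4.0.0",
     "exifr": "^7.1.3",
     "isomorphic-dompurify": "^2.18.0",
@@ -66,6 +67,7 @@
     "schema": "../../prisma/schema.prisma"
   },
   "devDependencies": {
+    "@aws-lambda-powertools/parameters": "^2.32.0",
     "@aws-sdk/client-bedrock-agent-runtime": "^3.0.0",
     "@aws-sdk/client-cloudwatch-logs": "^3.0.0",
     "@aws-sdk/client-cognito-identity-provider": "^3.1009.0",
@@ -79,7 +81,7 @@
     "@types/sharp": "^0.31.0",
     "@vitest/coverage-v8": "^4.0.0",
     "@vitest/ui": "^4.0.0",
-    "
+    "aws-sdk-client-mock": "^4.1.0",
     "esbuild": "^0.27.0",
     "form-data": "^4.0.1",
     "mailparser": "^3.9.4",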
@@ -0,0 +1,334 @@
|
|
|
1
|
+
-- CreateEnum
|
|
2
|
+
CREATE TYPE "TenantType" AS ENUM ('PERSONAL', 'ORGANIZATION');
|
|
3
|
+
|
|
4
|
+
-- CreateEnum
|
|
5
|
+
CREATE TYPE "TenantStatus" AS ENUM ('ACTIVE', 'SUSPENDED', 'DELETING');
|
|
6
|
+
|
|
7
|
+
-- CreateEnum
|
|
8
|
+
CREATE TYPE "TenantRole" AS ENUM ('OWNER', 'ADMIN', 'MEMBER', 'GUEST');
|
|
9
|
+
|
|
10
|
+
-- CreateEnum
|
|
11
|
+
CREATE TYPE "TenantMemberStatus" AS ENUM ('INVITED', 'ACTIVE', 'SUSPENDED', 'REMOVED');
|
|
12
|
+
|
|
13
|
+
-- CreateEnum
|
|
14
|
+
CREATE TYPE "IdpKind" AS ENUM ('SAML', 'OIDC');
|
|
15
|
+
|
|
16
|
+
-- CreateEnum
|
|
17
|
+
CREATE TYPE "IdpStatus" AS ENUM ('PENDING', 'ACTIVE', 'DISABLED', 'ERROR');
|
|
18
|
+
|
|
19
|
+
-- DropForeignKey
|
|
20
|
+
ALTER TABLE "security_events" DROP CONSTRAINT "security_events_partnerId_fkey";
|
|
21
|
+
|
|
22
|
+
-- DropForeignKey
|
|
23
|
+
ALTER TABLE "users" DROP CONSTRAINT "users_partnerId_fkey";
|
|
24
|
+
|
|
25
|
+
-- DropIndex
|
|
26
|
+
DROP INDEX "security_events_partnerId_idx";
|
|
27
|
+
|
|
28
|
+
-- DropIndex
|
|
29
|
+
DROP INDEX "users_partnerId_idx";
|
|
30
|
+
|
|
31
|
+
-- AlterTable
|
|
32
|
+
ALTER TABLE "connection_code_redemptions" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
33
|
+
|
|
34
|
+
-- AlterTable
|
|
35
|
+
ALTER TABLE "connection_codes" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
36
|
+
|
|
37
|
+
-- AlterTable
|
|
38
|
+
ALTER TABLE "entities" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
39
|
+
|
|
40
|
+
-- AlterTable
|
|
41
|
+
ALTER TABLE "entity_ownerships" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
42
|
+
|
|
43
|
+
-- AlterTable
|
|
44
|
+
ALTER TABLE "group_members" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
45
|
+
|
|
46
|
+
-- AlterTable
|
|
47
|
+
ALTER TABLE "groups" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
48
|
+
|
|
49
|
+
-- AlterTable
|
|
50
|
+
ALTER TABLE "notifications" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
51
|
+
|
|
52
|
+
-- AlterTable
|
|
53
|
+
ALTER TABLE "post_comments" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
54
|
+
|
|
55
|
+
-- AlterTable
|
|
56
|
+
ALTER TABLE "posts" ADD COLUMN "tenant_id" TEXT NOT NULL;
|
|
57
|
+
|
|
58
|
+
-- AlterTable
|
|
59
|
+
ALTER TABLE "security_events" DROP COLUMN "partnerId",
|
|
60
|
+
ADD COLUMN "tenant_id" TEXT;
|
|
61
|
+
|
|
62
|
+
-- AlterTable
|
|
63
|
+
ALTER TABLE "users" DROP COLUMN "partnerId",
|
|
64
|
+
ADD COLUMN "personal_tenant_id" TEXT;
|
|
65
|
+
|
|
66
|
+
-- DropTable
|
|
67
|
+
DROP TABLE "partners";
|
|
68
|
+
|
|
69
|
+
-- CreateTable
|
|
70
|
+
CREATE TABLE "tenants" (
|
|
71
|
+
"id" TEXT NOT NULL,
|
|
72
|
+
"slug" TEXT NOT NULL,
|
|
73
|
+
"display_name" TEXT NOT NULL,
|
|
74
|
+
"type" "TenantType" NOT NULL,
|
|
75
|
+
"status" "TenantStatus" NOT NULL DEFAULT 'ACTIVE',
|
|
76
|
+
"personal_owner_user_id" TEXT,
|
|
77
|
+
"created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
78
|
+
"updated_at" TIMESTAMP(3) NOT NULL,
|
|
79
|
+
"suspended_at" TIMESTAMP(3),
|
|
80
|
+
"suspend_reason" TEXT,
|
|
81
|
+
|
|
82
|
+
CONSTRAINT "tenants_pkey" PRIMARY KEY ("id")
|
|
83
|
+
);
|
|
84
|
+
|
|
85
|
+
-- CreateTable
|
|
86
|
+
CREATE TABLE "tenant_members" (
|
|
87
|
+
"id" TEXT NOT NULL,
|
|
88
|
+
"tenant_id" TEXT NOT NULL,
|
|
89
|
+
"user_id" TEXT NOT NULL,
|
|
90
|
+
"role" "TenantRole" NOT NULL,
|
|
91
|
+
"status" "TenantMemberStatus" NOT NULL DEFAULT 'ACTIVE',
|
|
92
|
+
"is_jit_provisioned" BOOLEAN NOT NULL DEFAULT false,
|
|
93
|
+
"invited_by_user_id" TEXT,
|
|
94
|
+
"invited_at" TIMESTAMP(3),
|
|
95
|
+
"joined_at" TIMESTAMP(3),
|
|
96
|
+
"removed_at" TIMESTAMP(3),
|
|
97
|
+
"last_active_at" TIMESTAMP(3),
|
|
98
|
+
|
|
99
|
+
CONSTRAINT "tenant_members_pkey" PRIMARY KEY ("id")
|
|
100
|
+
);
|
|
101
|
+
|
|
102
|
+
-- CreateTable
|
|
103
|
+
CREATE TABLE "tenant_domains" (
|
|
104
|
+
"id" TEXT NOT NULL,
|
|
105
|
+
"tenant_id" TEXT NOT NULL,
|
|
106
|
+
"domain" TEXT NOT NULL,
|
|
107
|
+
"verification_token" TEXT NOT NULL,
|
|
108
|
+
"token_expires_at" TIMESTAMP(3) NOT NULL,
|
|
109
|
+
"verified_at" TIMESTAMP(3),
|
|
110
|
+
"verify_attempted_at" TIMESTAMP(3),
|
|
111
|
+
"verify_attempts" INTEGER NOT NULL DEFAULT 0,
|
|
112
|
+
"created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
113
|
+
|
|
114
|
+
CONSTRAINT "tenant_domains_pkey" PRIMARY KEY ("id")
|
|
115
|
+
);
|
|
116
|
+
|
|
117
|
+
-- CreateTable
|
|
118
|
+
CREATE TABLE "tenant_identity_providers" (
|
|
119
|
+
"id" TEXT NOT NULL,
|
|
120
|
+
"tenant_id" TEXT NOT NULL,
|
|
121
|
+
"kind" "IdpKind" NOT NULL,
|
|
122
|
+
"cognito_idp_name" TEXT NOT NULL,
|
|
123
|
+
"metadata_url" TEXT,
|
|
124
|
+
"metadata_xml" TEXT,
|
|
125
|
+
"issuer_url" TEXT,
|
|
126
|
+
"client_id" TEXT,
|
|
127
|
+
"client_secret_arn" TEXT,
|
|
128
|
+
"scopes" TEXT NOT NULL DEFAULT 'openid email profile groups',
|
|
129
|
+
"attribute_mapping" JSONB NOT NULL DEFAULT '{}',
|
|
130
|
+
"default_role" "TenantRole",
|
|
131
|
+
"status" "IdpStatus" NOT NULL DEFAULT 'PENDING',
|
|
132
|
+
"enabled_at" TIMESTAMP(3),
|
|
133
|
+
"last_error" TEXT,
|
|
134
|
+
"last_error_at" TIMESTAMP(3),
|
|
135
|
+
"created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
136
|
+
"updated_at" TIMESTAMP(3) NOT NULL,
|
|
137
|
+
|
|
138
|
+
CONSTRAINT "tenant_identity_providers_pkey" PRIMARY KEY ("id")
|
|
139
|
+
);
|
|
140
|
+
|
|
141
|
+
-- CreateTable
|
|
142
|
+
CREATE TABLE "tenant_role_mappings" (
|
|
143
|
+
"id" TEXT NOT NULL,
|
|
144
|
+
"tenant_id" TEXT NOT NULL,
|
|
145
|
+
"idp_group_name" TEXT NOT NULL,
|
|
146
|
+
"tenant_role" "TenantRole" NOT NULL,
|
|
147
|
+
"priority" INTEGER NOT NULL DEFAULT 100,
|
|
148
|
+
"created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
149
|
+
"updated_at" TIMESTAMP(3) NOT NULL,
|
|
150
|
+
|
|
151
|
+
CONSTRAINT "tenant_role_mappings_pkey" PRIMARY KEY ("id")
|
|
152
|
+
);
|
|
153
|
+
|
|
154
|
+
-- CreateTable
|
|
155
|
+
CREATE TABLE "tenant_invitations" (
|
|
156
|
+
"id" TEXT NOT NULL,
|
|
157
|
+
"tenant_id" TEXT NOT NULL,
|
|
158
|
+
"email" TEXT NOT NULL,
|
|
159
|
+
"role" "TenantRole" NOT NULL,
|
|
160
|
+
"token" TEXT NOT NULL,
|
|
161
|
+
"expires_at" TIMESTAMP(3) NOT NULL,
|
|
162
|
+
"accepted_at" TIMESTAMP(3),
|
|
163
|
+
"accepted_by_user_id" TEXT,
|
|
164
|
+
"invited_by_user_id" TEXT NOT NULL,
|
|
165
|
+
"created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
166
|
+
|
|
167
|
+
CONSTRAINT "tenant_invitations_pkey" PRIMARY KEY ("id")
|
|
168
|
+
);
|
|
169
|
+
|
|
170
|
+
-- CreateIndex
|
|
171
|
+
CREATE UNIQUE INDEX "tenants_slug_key" ON "tenants"("slug");
|
|
172
|
+
|
|
173
|
+
-- CreateIndex
|
|
174
|
+
CREATE UNIQUE INDEX "tenants_personal_owner_user_id_key" ON "tenants"("personal_owner_user_id");
|
|
175
|
+
|
|
176
|
+
-- CreateIndex
|
|
177
|
+
CREATE INDEX "tenants_slug_idx" ON "tenants"("slug");
|
|
178
|
+
|
|
179
|
+
-- CreateIndex
|
|
180
|
+
CREATE INDEX "tenants_type_status_idx" ON "tenants"("type", "status");
|
|
181
|
+
|
|
182
|
+
-- CreateIndex
|
|
183
|
+
CREATE INDEX "tenant_members_user_id_idx" ON "tenant_members"("user_id");
|
|
184
|
+
|
|
185
|
+
-- CreateIndex
|
|
186
|
+
CREATE INDEX "tenant_members_tenant_id_status_idx" ON "tenant_members"("tenant_id", "status");
|
|
187
|
+
|
|
188
|
+
-- CreateIndex
|
|
189
|
+
CREATE INDEX "tenant_members_tenant_id_role_idx" ON "tenant_members"("tenant_id", "role");
|
|
190
|
+
|
|
191
|
+
-- CreateIndex
|
|
192
|
+
CREATE UNIQUE INDEX "tenant_members_tenant_id_user_id_key" ON "tenant_members"("tenant_id", "user_id");
|
|
193
|
+
|
|
194
|
+
-- CreateIndex
|
|
195
|
+
CREATE UNIQUE INDEX "tenant_domains_domain_key" ON "tenant_domains"("domain");
|
|
196
|
+
|
|
197
|
+
-- CreateIndex
|
|
198
|
+
CREATE INDEX "tenant_domains_tenant_id_idx" ON "tenant_domains"("tenant_id");
|
|
199
|
+
|
|
200
|
+
-- CreateIndex
|
|
201
|
+
CREATE INDEX "tenant_domains_verified_at_idx" ON "tenant_domains"("verified_at");
|
|
202
|
+
|
|
203
|
+
-- CreateIndex
|
|
204
|
+
CREATE INDEX "tenant_domains_token_expires_at_idx" ON "tenant_domains"("token_expires_at");
|
|
205
|
+
|
|
206
|
+
-- CreateIndex
|
|
207
|
+
CREATE UNIQUE INDEX "tenant_identity_providers_tenant_id_key" ON "tenant_identity_providers"("tenant_id");
|
|
208
|
+
|
|
209
|
+
-- CreateIndex
|
|
210
|
+
CREATE UNIQUE INDEX "tenant_identity_providers_cognito_idp_name_key" ON "tenant_identity_providers"("cognito_idp_name");
|
|
211
|
+
|
|
212
|
+
-- CreateIndex
|
|
213
|
+
CREATE INDEX "tenant_identity_providers_cognito_idp_name_idx" ON "tenant_identity_providers"("cognito_idp_name");
|
|
214
|
+
|
|
215
|
+
-- CreateIndex
|
|
216
|
+
CREATE INDEX "tenant_identity_providers_status_idx" ON "tenant_identity_providers"("status");
|
|
217
|
+
|
|
218
|
+
-- CreateIndex
|
|
219
|
+
CREATE INDEX "tenant_role_mappings_tenant_id_priority_idx" ON "tenant_role_mappings"("tenant_id", "priority");
|
|
220
|
+
|
|
221
|
+
-- CreateIndex
|
|
222
|
+
CREATE UNIQUE INDEX "tenant_role_mappings_tenant_id_idp_group_name_key" ON "tenant_role_mappings"("tenant_id", "idp_group_name");
|
|
223
|
+
|
|
224
|
+
-- CreateIndex
|
|
225
|
+
CREATE UNIQUE INDEX "tenant_invitations_token_key" ON "tenant_invitations"("token");
|
|
226
|
+
|
|
227
|
+
-- CreateIndex
|
|
228
|
+
CREATE INDEX "tenant_invitations_token_idx" ON "tenant_invitations"("token");
|
|
229
|
+
|
|
230
|
+
-- CreateIndex
|
|
231
|
+
CREATE INDEX "tenant_invitations_email_idx" ON "tenant_invitations"("email");
|
|
232
|
+
|
|
233
|
+
-- CreateIndex
|
|
234
|
+
CREATE INDEX "tenant_invitations_expires_at_idx" ON "tenant_invitations"("expires_at");
|
|
235
|
+
|
|
236
|
+
-- CreateIndex
|
|
237
|
+
CREATE UNIQUE INDEX "tenant_invitations_tenant_id_email_key" ON "tenant_invitations"("tenant_id", "email");
|
|
238
|
+
|
|
239
|
+
-- CreateIndex
|
|
240
|
+
CREATE INDEX "connection_code_redemptions_tenant_id_idx" ON "connection_code_redemptions"("tenant_id");
|
|
241
|
+
|
|
242
|
+
-- CreateIndex
|
|
243
|
+
CREATE INDEX "connection_codes_tenant_id_idx" ON "connection_codes"("tenant_id");
|
|
244
|
+
|
|
245
|
+
-- CreateIndex
|
|
246
|
+
CREATE INDEX "entities_tenant_id_idx" ON "entities"("tenant_id");
|
|
247
|
+
|
|
248
|
+
-- CreateIndex
|
|
249
|
+
CREATE INDEX "entities_tenant_id_entity_type_status_idx" ON "entities"("tenant_id", "entity_type", "status");
|
|
250
|
+
|
|
251
|
+
-- CreateIndex
|
|
252
|
+
CREATE INDEX "entity_ownerships_tenant_id_idx" ON "entity_ownerships"("tenant_id");
|
|
253
|
+
|
|
254
|
+
-- CreateIndex
|
|
255
|
+
CREATE INDEX "group_members_tenant_id_idx" ON "group_members"("tenant_id");
|
|
256
|
+
|
|
257
|
+
-- CreateIndex
|
|
258
|
+
CREATE INDEX "groups_tenant_id_idx" ON "groups"("tenant_id");
|
|
259
|
+
|
|
260
|
+
-- CreateIndex
|
|
261
|
+
CREATE INDEX "notifications_tenant_id_user_id_read_created_at_idx" ON "notifications"("tenant_id", "user_id", "read", "created_at");
|
|
262
|
+
|
|
263
|
+
-- CreateIndex
|
|
264
|
+
CREATE INDEX "post_comments_tenant_id_idx" ON "post_comments"("tenant_id");
|
|
265
|
+
|
|
266
|
+
-- CreateIndex
|
|
267
|
+
CREATE INDEX "posts_tenant_id_created_at_idx" ON "posts"("tenant_id", "created_at");
|
|
268
|
+
|
|
269
|
+
-- CreateIndex
|
|
270
|
+
CREATE INDEX "security_events_tenant_id_idx" ON "security_events"("tenant_id");
|
|
271
|
+
|
|
272
|
+
-- CreateIndex
|
|
273
|
+
CREATE UNIQUE INDEX "users_personal_tenant_id_key" ON "users"("personal_tenant_id");
|
|
274
|
+
|
|
275
|
+
-- CreateIndex
|
|
276
|
+
CREATE INDEX "users_personal_tenant_id_idx" ON "users"("personal_tenant_id");
|
|
277
|
+
|
|
278
|
+
-- AddForeignKey
|
|
279
|
+
ALTER TABLE "entities" ADD CONSTRAINT "entities_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
280
|
+
|
|
281
|
+
-- AddForeignKey
|
|
282
|
+
ALTER TABLE "posts" ADD CONSTRAINT "posts_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
283
|
+
|
|
284
|
+
-- AddForeignKey
|
|
285
|
+
ALTER TABLE "post_comments" ADD CONSTRAINT "post_comments_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
286
|
+
|
|
287
|
+
-- AddForeignKey
|
|
288
|
+
ALTER TABLE "entity_ownerships" ADD CONSTRAINT "entity_ownerships_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
289
|
+
|
|
290
|
+
-- AddForeignKey
|
|
291
|
+
ALTER TABLE "groups" ADD CONSTRAINT "groups_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
292
|
+
|
|
293
|
+
-- AddForeignKey
|
|
294
|
+
ALTER TABLE "group_members" ADD CONSTRAINT "group_members_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
295
|
+
|
|
296
|
+
-- AddForeignKey
|
|
297
|
+
ALTER TABLE "notifications" ADD CONSTRAINT "notifications_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
298
|
+
|
|
299
|
+
-- AddForeignKey
|
|
300
|
+
ALTER TABLE "connection_codes" ADD CONSTRAINT "connection_codes_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
301
|
+
|
|
302
|
+
-- AddForeignKey
|
|
303
|
+
ALTER TABLE "connection_code_redemptions" ADD CONSTRAINT "connection_code_redemptions_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
304
|
+
|
|
305
|
+
-- AddForeignKey
|
|
306
|
+
ALTER TABLE "tenants" ADD CONSTRAINT "tenants_personal_owner_user_id_fkey" FOREIGN KEY ("personal_owner_user_id") REFERENCES "users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
|
|
307
|
+
|
|
308
|
+
-- AddForeignKey
|
|
309
|
+
ALTER TABLE "tenant_members" ADD CONSTRAINT "tenant_members_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
310
|
+
|
|
311
|
+
-- AddForeignKey
|
|
312
|
+
ALTER TABLE "tenant_members" ADD CONSTRAINT "tenant_members_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
313
|
+
|
|
314
|
+
-- AddForeignKey
|
|
315
|
+
ALTER TABLE "tenant_members" ADD CONSTRAINT "tenant_members_invited_by_user_id_fkey" FOREIGN KEY ("invited_by_user_id") REFERENCES "users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
|
|
316
|
+
|
|
317
|
+
-- AddForeignKey
|
|
318
|
+
ALTER TABLE "tenant_domains" ADD CONSTRAINT "tenant_domains_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
319
|
+
|
|
320
|
+
-- AddForeignKey
|
|
321
|
+
ALTER TABLE "tenant_identity_providers" ADD CONSTRAINT "tenant_identity_providers_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
322
|
+
|
|
323
|
+
-- AddForeignKey
|
|
324
|
+
ALTER TABLE "tenant_role_mappings" ADD CONSTRAINT "tenant_role_mappings_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
325
|
+
|
|
326
|
+
-- AddForeignKey
|
|
327
|
+
ALTER TABLE "tenant_invitations" ADD CONSTRAINT "tenant_invitations_tenant_id_fkey" FOREIGN KEY ("tenant_id") REFERENCES "tenants"("id") ON DELETE CASCADE ON UPDATE CASCADE;
|
|
328
|
+
|
|
329
|
+
-- AddForeignKey
|
|
330
|
+
ALTER TABLE "tenant_invitations" ADD CONSTRAINT "tenant_invitations_invited_by_user_id_fkey" FOREIGN KEY ("invited_by_user_id") REFERENCES "users"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
|
|
331
|
+
|
|
332
|
+
-- AddForeignKey
|
|
333
|
+
ALTER TABLE "tenant_invitations" ADD CONSTRAINT "tenant_invitations_accepted_by_user_id_fkey" FOREIGN KEY ("accepted_by_user_id") REFERENCES "users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
|
|
334
|
+
|
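Review bot: `tenant_invitations.token` (line 160) is a bearer credential — whoever presents it is granted `role` in `tenant_id` — yet the schema indexes it directly (`tenant_invitations_token_key`, `tenant_invitations_token_idx`), so if the application writes the raw token here, any read access to this table (backup, dump, an injection, a reporting role) lets an attacker accept every pending invitation; store only a digest, look up by hashing the presented value, and say so on the column, e.g. `"token" TEXT NOT NULL, -- SHA-256 hex of the invitation token; the raw token is only ever sent to the invitee`, applying the same reasoning to `tenant_domains.verification_token` unless it is meant to be published in DNS. Second, `tenant_domains_domain_key` (line 195) is a case-sensitive unique index on `TEXT`, so `Example.com` and `example.com` are two distinct rows and the one-tenant-per-domain guarantee depends on the application lowercasing first; either enforce that in code or define it as `CREATE UNIQUE INDEX "tenant_domains_domain_key" ON "tenant_domains"(lower("domain"));` (the same applies to `tenant_invitations_tenant_id_email_key` on `email`). That unique index also covers unverified claims, so a tenant can block another tenant from ever verifying a domain it actually owns by inserting a pending row; a partial unique index `WHERE "verified_at" IS NOT NULL`, with per-tenant uniqueness for pending rows and expiry of unverified claims via `token_expires_at`, avoids that. Finally, the nine `ADD COLUMN "tenant_id" TEXT NOT NULL` statements (lines 32–56) carry no default and `DROP TABLE "partners"` / `DROP COLUMN "partnerId"` discard data with no backfill, so this migration will fail on any database where those tables already hold rows — presumably it targets empty deployments, which is worth stating in a header comment.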