@logto/schemas 1.0.0-rc.0 → 1.0.7

package/LICENSE

@@ -1,3 +1,9 @@
+Portions of this software are licensed as follows:
+
+* All content that resides under the "packages/cloud" directory of this repository, if that directory exists, is licensed under the license defined in "packages/cloud/LICENSE" (Elastic-2.0).
+* All third party components incorporated into this software are licensed under the original license provided by the owner of the applicable component.
+* Content outside of the above mentioned directories or restrictions above is available under the "MPL-2.0" license as defined below.
+
 Mozilla Public License Version 2.0
 ==================================
 

package/README.md

@@ -0,0 +1,24 @@
+# @logto/schemas
+
+The central packages for all database schemas and their TypeScript definitions and utilities.
+
+## Table init
+
+The Logto CLI will pick up all necessary SQL queries in `tables/` and `src/models/` and run them in the following order:
+
+1. Run `tables/_before_all.sql`
+2. Run `tables/*.sql` with the snippet `/* init_order = <number> */` in ascending order of `<number>`
+3. Run `tables/*.sql` without the `init_order` snippet in ascending order of filename (`tables/`) or table name (`src/models/`)
+4. Run `tables/_after_all.sql`
+
+Additional rules for step 2 and 3:
+
+- If no snippet `/* no_after_each */` found, run `tables/_after_each.sql` after each SQL file
+- Exclude lifecycle scripts `tables/_[lifecycle].sql` where `[lifecycle]` could be one of:
+  - `after_all`
+  - `after_each`
+  - `before_all`
+
+In the `after_each` lifecycle script, you can use `${name}` to represent the current filename (`tables/`) or table name (`src/models/`).
+
+In all lifecycle scripts, you can use `${database}` to represent the current database.

package/alterations/1.0.0-1677208902-update-admin-console-config.ts

@@ -0,0 +1,108 @@
+import type { DatabaseTransactionConnection } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminConsoleConfigKey = 'adminConsole';
+
+type DeprecatedAdminConsoleData = {
+  demoChecked: boolean;
+  applicationCreated: boolean;
+  signInExperienceCustomized: boolean;
+  passwordlessConfigured: boolean;
+  socialSignInConfigured: boolean;
+  furtherReadingsChecked: boolean;
+} & Record<string, unknown>;
+
+type DeprecatedLogtoAdminConsoleConfig = {
+  tenantId: string;
+  value: DeprecatedAdminConsoleData;
+};
+
+type AdminConsoleData = {
+  livePreviewChecked: boolean;
+  applicationCreated: boolean;
+  signInExperienceCustomized: boolean;
+  passwordlessConfigured: boolean;
+  selfHostingChecked: boolean;
+  communityChecked: boolean;
+  m2mApplicationCreated: boolean;
+} & Record<string, unknown>;
+
+type LogtoAdminConsoleConfig = {
+  tenantId: string;
+  value: AdminConsoleData;
+};
+
+const alterAdminConsoleData = async (
+  logtoConfig: DeprecatedLogtoAdminConsoleConfig,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: adminConsoleConfig } = logtoConfig;
+
+  const {
+    demoChecked,
+    socialSignInConfigured, // Extract to remove from config
+    furtherReadingsChecked, // Extract to remove from config
+    ...others
+  } = adminConsoleConfig;
+
+  const newAdminConsoleData: AdminConsoleData = {
+    ...others,
+    livePreviewChecked: demoChecked,
+    selfHostingChecked: false,
+    communityChecked: false,
+    m2mApplicationCreated: false,
+  };
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      newAdminConsoleData
+    )} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`
+  );
+};
+
+const rollbackAdminConsoleData = async (
+  logtoConfig: LogtoAdminConsoleConfig,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: adminConsoleConfig } = logtoConfig;
+
+  const {
+    livePreviewChecked,
+    selfHostingChecked, // Extract to remove from config
+    communityChecked, // Extract to remove from config
+    m2mApplicationCreated, // Extract to remove from config
+    ...others
+  } = adminConsoleConfig;
+
+  const originAdminConsoleData: DeprecatedAdminConsoleData = {
+    ...others,
+    demoChecked: livePreviewChecked,
+    socialSignInConfigured: false,
+    furtherReadingsChecked: false,
+  };
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      originAdminConsoleData
+    )} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`
+  );
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const rows = await pool.many<DeprecatedLogtoAdminConsoleConfig>(
+      sql`select * from logto_configs where key = ${adminConsoleConfigKey}`
+    );
+    await Promise.all(rows.map(async (row) => alterAdminConsoleData(row, pool)));
+  },
+  down: async (pool) => {
+    const rows = await pool.many<LogtoAdminConsoleConfig>(
+      sql`select * from logto_configs where key = ${adminConsoleConfigKey}`
+    );
+    await Promise.all(rows.map(async (row) => rollbackAdminConsoleData(row, pool)));
+  },
+};
+
+export default alteration;

package/alterations/1.0.0-1677765137-seed-for-admin-tenant.ts

@@ -0,0 +1,127 @@
+import { generateStandardId } from '@logto/core-kit';
+import type { CommonQueryMethods } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+const addApiData = async (pool: CommonQueryMethods) => {
+  const adminApi = {
+    resourceId: generateStandardId(),
+    scopeId: generateStandardId(),
+  };
+  const cloudApi = {
+    resourceId: generateStandardId(),
+    scopeId: generateStandardId(),
+  };
+  const adminRole = {
+    id: generateStandardId(),
+    name: 'admin:admin',
+    description: 'Admin role for Logto.',
+  };
+
+  await pool.query(sql`
+    insert into resources (tenant_id, id, indicator, name)
+      values (
+        ${adminTenantId},
+        ${adminApi.resourceId},
+        'https://admin.logto.app/api',
+        'Logto Management API for tenant admin'
+      ), (
+        ${adminTenantId},
+        ${cloudApi.resourceId},
+        'https://cloud.logto.io/api',
+        'Logto Cloud API'
+      );
+  `);
+  await pool.query(sql`
+    insert into scopes (tenant_id, id, name, description, resource_id)
+      values (
+        ${adminTenantId},
+        ${adminApi.scopeId},
+        'all',
+        'Default scope for Management API, allows all permissions.',
+        ${adminApi.resourceId}
+      ), (
+        ${adminTenantId},
+        ${cloudApi.scopeId},
+        'create:tenant',
+        'Allow creating new tenants.',
+        ${cloudApi.resourceId}
+      );
+  `);
+  await pool.query(sql`
+    insert into roles (tenant_id, id, name, description)
+      values (
+        ${adminTenantId},
+        ${adminRole.id},
+        ${adminRole.name},
+        ${adminRole.description}
+      );
+  `);
+
+  const { id: userRoleId } = await pool.one<{ id: string }>(sql`
+    select id from roles
+    where tenant_id = ${adminTenantId}
+    and name = 'user'
+  `);
+
+  await pool.query(sql`
+    insert into roles_scopes (tenant_id, id, role_id, scope_id)
+      values (
+        ${adminTenantId},
+        ${generateStandardId()},
+        ${userRoleId},
+        ${cloudApi.scopeId}
+      ), (
+        ${adminTenantId},
+        ${generateStandardId()},
+        ${adminRole.id},
+        ${adminApi.scopeId}
+      );
+  `);
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await addApiData(pool);
+    await pool.query(sql`
+      insert into logto_configs (tenant_id, key, value)
+      values (
+        ${adminTenantId},
+        'adminConsole',
+        ${sql.jsonb({
+          language: 'en',
+          appearanceMode: 'system',
+          livePreviewChecked: false,
+          applicationCreated: false,
+          signInExperienceCustomized: false,
+          passwordlessConfigured: false,
+          selfHostingChecked: false,
+          communityChecked: false,
+          m2mApplicationCreated: false,
+        })}
+      );
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      delete from resources
+        where tenant_id = ${adminTenantId}
+        and indicator in ('https://admin.logto.app/api', 'https://cloud.logto.io/api');
+    `);
+    await pool.query(sql`
+      delete from roles
+        where tenant_id = ${adminTenantId}
+        and name = 'admin:admin';
+    `);
+    await pool.query(sql`
+      delete from logto_configs
+        where tenant_id = ${adminTenantId}
+        and key = 'adminConsole';
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.0.0-1677907982-allow-admin-create-multiple-tenants.ts

@@ -0,0 +1,56 @@
+import { generateStandardId } from '@logto/core-kit';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const scopeId = generateStandardId();
+    const { id: resourceId } = await pool.one<{ id: string }>(sql`
+      select id from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = 'https://cloud.logto.io/api'
+    `);
+
+    await pool.query(sql`
+      insert into scopes (tenant_id, id, name, description, resource_id)
+        values (
+          ${adminTenantId},
+          ${scopeId},
+          'manage:tenant',
+          'Allow managing existing tenants, including create without limitation, update, and delete.',
+          ${resourceId}
+        );
+    `);
+
+    const { id: roleId } = await pool.one<{ id: string }>(sql`
+      select id from roles
+      where tenant_id = ${adminTenantId}
+      and name = 'admin:admin'
+    `);
+
+    await pool.query(sql`
+      insert into roles_scopes (tenant_id, id, role_id, scope_id)
+        values (
+          ${adminTenantId},
+          ${generateStandardId()},
+          ${roleId},
+          ${scopeId}
+        );
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      delete from scopes
+        using resources
+        where resources.id = scopes.resource_id
+        and scopes.tenant_id = ${adminTenantId}
+        and resources.indicator = 'https://cloud.logto.io/api'
+        and scopes.name='manage:tenant';
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.0.0-1678157950-privacy-policy-url.ts

@@ -0,0 +1,20 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column if not exists privacy_policy_url varchar(2048);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column privacy_policy_url;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.0.0-1678199795-add-verification-status-table.ts

@@ -0,0 +1,60 @@
+import type { CommonQueryMethods } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getId = (value: string) => sql.identifier([value]);
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    const baseRoleId = getId(`logto_tenant_${database}`);
+
+    await pool.query(sql`
+      create table verification_statuses (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        created_at timestamptz not null default(now()),
+        primary key (id)
+      );
+
+      create index verification_statuses__id
+        on verification_statuses (tenant_id, id);
+
+      create index verification_statuses__user_id
+        on verification_statuses (tenant_id, user_id);
+
+      create trigger set_tenant_id before insert on verification_statuses
+        for each row execute procedure set_tenant_id();
+
+      alter table verification_statuses enable row level security;
+
+      create policy verification_statuses_tenant_id on verification_statuses to ${baseRoleId}
+        using (tenant_id = (select id from tenants where db_user = current_user));
+
+      grant select, insert, update, delete on verification_statuses to ${baseRoleId};
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop policy verification_statuses_tenant_id on verification_statuses;
+
+      alter table verification_statuses disable row level security;
+
+      drop table verification_statuses;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.0.0-1678259693-remove-branding-style-config.ts

@@ -0,0 +1,112 @@
+import type { DatabaseTransactionConnection } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+enum DeprecatedBrandingStyle {
+  Logo = 'Logo',
+  Logo_Slogan = 'Logo_Slogan',
+}
+
+const deprecatedDefaultBrandingStyle = DeprecatedBrandingStyle.Logo_Slogan;
+const deprecatedDefaultSlogan = 'admin_console.welcome.title';
+
+type DeprecatedBranding = {
+  style?: DeprecatedBrandingStyle;
+  logoUrl?: string;
+  darkLogoUrl?: string;
+  favicon?: string;
+  slogan?: string;
+};
+
+type DeprecatedSignInExperience = {
+  id: string;
+  tenantId: string;
+  branding: DeprecatedBranding;
+};
+
+type Branding = {
+  logoUrl?: string;
+  darkLogoUrl?: string;
+  favicon?: string;
+};
+
+type SignInExperience = {
+  id: string;
+  tenantId: string;
+  branding: Branding;
+};
+
+const alterBranding = async (
+  signInExperience: DeprecatedSignInExperience,
+  pool: DatabaseTransactionConnection
+) => {
+  const { id, tenantId, branding: originBranding } = signInExperience;
+
+  const {
+    style, // Extract to remove from branding
+    slogan, // Extract to remove from branding
+    logoUrl,
+    darkLogoUrl,
+    favicon,
+  } = originBranding;
+
+  const branding: Branding = { logoUrl, darkLogoUrl, favicon };
+
+  await pool.query(
+    sql`update sign_in_experiences set branding = ${JSON.stringify(
+      branding
+    )} where id = ${id} and tenant_id = ${tenantId}`
+  );
+};
+
+const rollbackBranding = async (
+  signInExperience: SignInExperience,
+  pool: DatabaseTransactionConnection
+) => {
+  const {
+    id,
+    tenantId,
+    branding: { logoUrl, darkLogoUrl, favicon },
+  } = signInExperience;
+
+  const adminBranding: DeprecatedBranding = {
+    style: DeprecatedBrandingStyle.Logo_Slogan,
+    slogan: 'admin_console.welcome.title',
+    logoUrl,
+    darkLogoUrl,
+    favicon,
+  };
+
+  const defaultBranding: DeprecatedBranding = {
+    style: DeprecatedBrandingStyle.Logo,
+    logoUrl,
+    darkLogoUrl,
+    favicon,
+  };
+
+  const branding: DeprecatedBranding = tenantId === 'admin' ? adminBranding : defaultBranding;
+
+  await pool.query(
+    sql`update sign_in_experiences set branding = ${JSON.stringify(
+      branding
+    )} where id = ${id} and tenant_id = ${tenantId}`
+  );
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const rows = await pool.many<DeprecatedSignInExperience>(
+      sql`select * from sign_in_experiences`
+    );
+
+    await Promise.all(rows.map(async (row) => alterBranding(row, pool)));
+  },
+  down: async (pool) => {
+    const rows = await pool.many<SignInExperience>(sql`select * from sign_in_experiences`);
+
+    await Promise.all(rows.map(async (row) => rollbackBranding(row, pool)));
+  },
+};
+
+export default alteration;

package/alterations/1.0.0-1678269972-use-restrictive-policies.ts

@@ -0,0 +1,85 @@
+import type { CommonQueryMethods } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const tables = [
+  'applications_roles',
+  'applications',
+  'connectors',
+  'custom_phrases',
+  'logs',
+  'logto_configs',
+  'oidc_model_instances',
+  'passcodes',
+  'resources',
+  'roles_scopes',
+  'roles',
+  'scopes',
+  'sign_in_experiences',
+  'users_roles',
+  'users',
+  'verification_statuses',
+  'hooks',
+];
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await Promise.all(
+      tables.map(async (tableRaw) => {
+        const table = sql.identifier([tableRaw]);
+        const tenantIdPolicy = sql.identifier([`${tableRaw}_tenant_id`]);
+        const modificationPolicy = sql.identifier([`${tableRaw}_modification`]);
+
+        await pool.query(sql`
+          drop policy ${tenantIdPolicy} on ${table};
+          create policy ${tenantIdPolicy} on ${table}
+            as restrictive
+            using (tenant_id = (select id from tenants where db_user = current_user));
+          create policy ${modificationPolicy} on ${table}
+              using (true);
+        `);
+      })
+    );
+    await pool.query(sql`
+      drop policy tenants_tenant_id on tenants;
+      create policy tenants_tenant_id on tenants
+        using (db_user = current_user);
+    `);
+  },
+  down: async (pool) => {
+    const role = sql.identifier([`logto_tenant_${await getDatabaseName(pool)}`]);
+
+    await Promise.all(
+      tables.map(async (tableRaw) => {
+        const table = sql.identifier([tableRaw]);
+        const tenantIdPolicy = sql.identifier([`${tableRaw}_tenant_id`]);
+        const modificationPolicy = sql.identifier([`${tableRaw}_modification`]);
+
+        await pool.query(sql`
+          drop policy ${tenantIdPolicy} on ${table};
+          drop policy ${modificationPolicy} on ${table};
+          create policy ${tenantIdPolicy} on ${table}
+            to ${role}
+            using (tenant_id = (select id from tenants where db_user = current_user));
+        `);
+      })
+    );
+    await pool.query(sql`
+      drop policy tenants_tenant_id on tenants;
+      create policy tenants_tenant_id on tenants
+        to ${role}
+        using (db_user = current_user);
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.0.0-1678284778-restrict-internal-roles.ts

@@ -0,0 +1,62 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update roles
+      set name = '#internal:admin', description = 'Internal admin role for Logto tenant ' || tenant_id || '.'
+      where name = 'admin'
+      and tenant_id != 'admin';
+
+      update roles
+      set description = 'Admin tenant admin role for Logto tenant ' || substring(name from 0 for strpos(name, ':admin')) || '.'
+      where name like '%:admin'
+      and tenant_id = 'admin';
+
+      -- Restrict direct role modification
+      create policy roles_select on roles
+        for select using (true);
+
+      drop policy roles_modification on roles;
+      create policy roles_modification on roles
+        using (not starts_with(name, '#internal:'));
+
+      -- Restrict role - scope modification
+      create policy roles_scopes_select on roles_scopes
+        for select using (true);
+
+      drop policy roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes
+        using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update roles
+      set name = 'admin', description = 'Admin role for Logto.'
+      where name = '#internal:admin'
+      and tenant_id != 'admin';
+
+      update roles
+      set description = 'Admin role for Logto.'
+      where name like '%:admin'
+      and tenant_id = 'admin';
+
+      drop policy roles_select on roles;
+      drop policy roles_modification on roles;
+
+      create policy roles_modification on roles
+        using (true);
+
+      drop policy roles_scopes_select on roles_scopes;
+      drop policy roles_scopes_modification on roles_scopes;
+
+      create policy roles_scopes_modification on roles_scopes
+        using (true);
+    `);
+  },
+};
+
+export default alteration;