@logto/schemas 1.10.0 → 1.10.1

package/lib/db-entries/user.d.ts

@@ -1,5 +1,10 @@
 import { Identities, JsonObject, MfaVerifications, GeneratedSchema } from './../foundations/index.js';
 import { UsersPasswordEncryptionMethod } from './custom-types.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link User} for the original type.
+ */
 export type CreateUser = {
     tenantId?: string;
     id: string;
@@ -13,6 +18,7 @@ export type CreateUser = {
     applicationId?: string | null;
     identities?: Identities;
     customData?: JsonObject;
+    logtoConfig?: JsonObject;
     mfaVerifications?: MfaVerifications;
     isSuspended?: boolean;
     lastSignInAt?: number | null;
@@ -31,9 +37,11 @@ export type User = {
     applicationId: string | null;
     identities: Identities;
     customData: JsonObject;
+    logtoConfig: JsonObject;
     mfaVerifications: MfaVerifications;
     isSuspended: boolean;
     lastSignInAt: number | null;
     createdAt: number;
 };
-export declare const Users: GeneratedSchema<CreateUser, User>;
+export type UserKeys = 'tenantId' | 'id' | 'username' | 'primaryEmail' | 'primaryPhone' | 'passwordEncrypted' | 'passwordEncryptionMethod' | 'name' | 'avatar' | 'applicationId' | 'identities' | 'customData' | 'logtoConfig' | 'mfaVerifications' | 'isSuspended' | 'lastSignInAt' | 'createdAt';
+export declare const Users: GeneratedSchema<UserKeys, CreateUser, User, 'users', 'user'>;

package/lib/db-entries/user.js

@@ -15,6 +15,7 @@ const createGuard = z.object({
     applicationId: z.string().max(21).nullable().optional(),
     identities: identitiesGuard.optional(),
     customData: jsonObjectGuard.optional(),
+    logtoConfig: jsonObjectGuard.optional(),
     mfaVerifications: mfaVerificationsGuard.optional(),
     isSuspended: z.boolean().optional(),
     lastSignInAt: z.number().nullable().optional(),
@@ -33,6 +34,7 @@ const guard = z.object({
     applicationId: z.string().max(21).nullable(),
     identities: identitiesGuard,
     customData: jsonObjectGuard,
+    logtoConfig: jsonObjectGuard,
     mfaVerifications: mfaVerificationsGuard,
     isSuspended: z.boolean(),
     lastSignInAt: z.number().nullable(),
@@ -54,6 +56,7 @@ export const Users = Object.freeze({
         applicationId: 'application_id',
         identities: 'identities',
         customData: 'custom_data',
+        logtoConfig: 'logto_config',
         mfaVerifications: 'mfa_verifications',
         isSuspended: 'is_suspended',
         lastSignInAt: 'last_sign_in_at',
@@ -72,6 +75,7 @@ export const Users = Object.freeze({
         'applicationId',
         'identities',
         'customData',
+        'logtoConfig',
         'mfaVerifications',
         'isSuspended',
         'lastSignInAt',
@@ -79,4 +83,5 @@ export const Users = Object.freeze({
     ],
     createGuard,
     guard,
+    updateGuard: guard.partial(),
 });

package/lib/db-entries/users-role.d.ts

@@ -1,4 +1,9 @@
 import { GeneratedSchema } from './../foundations/index.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link UsersRole} for the original type.
+ */
 export type CreateUsersRole = {
     tenantId?: string;
     id: string;
@@ -11,4 +16,5 @@ export type UsersRole = {
     userId: string;
     roleId: string;
 };
-export declare const UsersRoles: GeneratedSchema<CreateUsersRole, UsersRole>;
+export type UsersRoleKeys = 'tenantId' | 'id' | 'userId' | 'roleId';
+export declare const UsersRoles: GeneratedSchema<UsersRoleKeys, CreateUsersRole, UsersRole, 'users_roles', 'users_role'>;

package/lib/db-entries/users-role.js

@@ -29,4 +29,5 @@ export const UsersRoles = Object.freeze({
     ],
     createGuard,
     guard,
+    updateGuard: guard.partial(),
 });

package/lib/db-entries/verification-status.d.ts

@@ -1,4 +1,9 @@
 import { GeneratedSchema } from './../foundations/index.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link VerificationStatus} for the original type.
+ */
 export type CreateVerificationStatus = {
     tenantId?: string;
     id: string;
@@ -11,4 +16,5 @@ export type VerificationStatus = {
     userId: string;
     createdAt: number;
 };
-export declare const VerificationStatuses: GeneratedSchema<CreateVerificationStatus, VerificationStatus>;
+export type VerificationStatusKeys = 'tenantId' | 'id' | 'userId' | 'createdAt';
+export declare const VerificationStatuses: GeneratedSchema<VerificationStatusKeys, CreateVerificationStatus, VerificationStatus, 'verification_statuses', 'verification_status'>;

package/lib/db-entries/verification-status.js

@@ -29,4 +29,5 @@ export const VerificationStatuses = Object.freeze({
     ],
     createGuard,
     guard,
+    updateGuard: guard.partial(),
 });

package/lib/foundations/index.d.ts

@@ -1,2 +1,2 @@
 export * from './schemas.js';
-export * from './jsonb-types.js';
+export * from './jsonb-types/index.js';

package/lib/foundations/index.js

@@ -1,2 +1,2 @@
 export * from './schemas.js';
-export * from './jsonb-types.js';
+export * from './jsonb-types/index.js';

package/lib/foundations/jsonb-types/custom-domain.d.ts

@@ -0,0 +1,134 @@
+import { z } from 'zod';
+export declare const domainDnsRecordGuard: z.ZodObject<{
+    name: z.ZodString;
+    type: z.ZodString;
+    value: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: string;
+    value: string;
+    name: string;
+}, {
+    type: string;
+    value: string;
+    name: string;
+}>;
+export type DomainDnsRecord = z.infer<typeof domainDnsRecordGuard>;
+export declare const domainDnsRecordsGuard: z.ZodArray<z.ZodObject<{
+    name: z.ZodString;
+    type: z.ZodString;
+    value: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: string;
+    value: string;
+    name: string;
+}, {
+    type: string;
+    value: string;
+    name: string;
+}>, "many">;
+export type DomainDnsRecords = z.infer<typeof domainDnsRecordsGuard>;
+export declare const cloudflareDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    status: z.ZodString;
+    ssl: z.ZodObject<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, z.ZodUnknown, "strip">>;
+    verification_errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodUnknown, z.objectOutputType<{
+    id: z.ZodString;
+    status: z.ZodString;
+    ssl: z.ZodObject<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, z.ZodUnknown, "strip">>;
+    verification_errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodUnknown, "strip">, z.objectInputType<{
+    id: z.ZodString;
+    status: z.ZodString;
+    ssl: z.ZodObject<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        status: z.ZodString;
+        validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            message: z.ZodString;
+        }, "strip", z.ZodUnknown, z.objectOutputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">, z.objectInputType<{
+            message: z.ZodString;
+        }, z.ZodUnknown, "strip">>, "many">>;
+    }, z.ZodUnknown, "strip">>;
+    verification_errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodUnknown, "strip">>;
+export type CloudflareData = z.infer<typeof cloudflareDataGuard>;
+export declare enum DomainStatus {
+    PendingVerification = "PendingVerification",
+    PendingSsl = "PendingSsl",
+    Active = "Active",
+    Error = "Error"
+}
+export declare const domainStatusGuard: z.ZodNativeEnum<typeof DomainStatus>;

package/lib/foundations/jsonb-types/custom-domain.js

@@ -0,0 +1,36 @@
+import { z } from 'zod';
+export const domainDnsRecordGuard = z.object({
+    name: z.string(),
+    type: z.string(),
+    value: z.string(),
+});
+export const domainDnsRecordsGuard = domainDnsRecordGuard.array();
+// https://developers.cloudflare.com/api/operations/custom-hostname-for-a-zone-list-custom-hostnames#Responses
+// Predefine the "useful" fields
+export const cloudflareDataGuard = z
+    .object({
+    id: z.string(),
+    status: z.string(),
+    ssl: z
+        .object({
+        status: z.string(),
+        validation_errors: z
+            .object({
+            message: z.string(),
+        })
+            .catchall(z.unknown())
+            .array()
+            .optional(),
+    })
+        .catchall(z.unknown()),
+    verification_errors: z.string().array().optional(),
+})
+    .catchall(z.unknown());
+export var DomainStatus;
+(function (DomainStatus) {
+    DomainStatus["PendingVerification"] = "PendingVerification";
+    DomainStatus["PendingSsl"] = "PendingSsl";
+    DomainStatus["Active"] = "Active";
+    DomainStatus["Error"] = "Error";
+})(DomainStatus || (DomainStatus = {}));
+export const domainStatusGuard = z.nativeEnum(DomainStatus);

package/lib/foundations/jsonb-types/hooks.d.ts

@@ -0,0 +1,32 @@
+import { z } from 'zod';
+export declare enum HookEvent {
+    PostRegister = "PostRegister",
+    PostSignIn = "PostSignIn",
+    PostResetPassword = "PostResetPassword"
+}
+export declare const hookEventGuard: z.ZodType<HookEvent>;
+export declare const hookEventsGuard: z.ZodArray<z.ZodType<HookEvent, z.ZodTypeDef, HookEvent>, "many">;
+export type HookEvents = z.infer<typeof hookEventsGuard>;
+export declare const hookConfigGuard: z.ZodObject<{
+    /** We don't need `type` since v1 only has web hook */
+    /** Method fixed to `POST` */
+    url: z.ZodString;
+    /** Additional headers that attach to the request */
+    headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /**
+     * @deprecated
+     * Retry times when hook response status >= 500.
+     * Now the retry times is fixed to 3.
+     * Keep for backward compatibility.
+     */
+    retries: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    url: string;
+    headers?: Record<string, string> | undefined;
+    retries?: number | undefined;
+}, {
+    url: string;
+    headers?: Record<string, string> | undefined;
+    retries?: number | undefined;
+}>;
+export type HookConfig = z.infer<typeof hookConfigGuard>;

package/lib/foundations/jsonb-types/hooks.js

@@ -0,0 +1,24 @@
+import { z } from 'zod';
+export var HookEvent;
+(function (HookEvent) {
+    HookEvent["PostRegister"] = "PostRegister";
+    HookEvent["PostSignIn"] = "PostSignIn";
+    HookEvent["PostResetPassword"] = "PostResetPassword";
+})(HookEvent || (HookEvent = {}));
+export const hookEventGuard = z.nativeEnum(HookEvent);
+export const hookEventsGuard = hookEventGuard.array();
+export const hookConfigGuard = z.object({
+    /** We don't need `type` since v1 only has web hook */
+    // type: 'web';
+    /** Method fixed to `POST` */
+    url: z.string(),
+    /** Additional headers that attach to the request */
+    headers: z.record(z.string()).optional(),
+    /**
+     * @deprecated
+     * Retry times when hook response status >= 500.
+     * Now the retry times is fixed to 3.
+     * Keep for backward compatibility.
+     */
+    retries: z.number().gte(0).lte(3).optional(),
+});

package/lib/foundations/jsonb-types/index.d.ts

@@ -0,0 +1,15 @@
+import type { Json } from '@withtyped/server';
+import { z } from 'zod';
+export * from './custom-domain.js';
+export * from './hooks.js';
+export * from './logs.js';
+export * from './oidc-module.js';
+export * from './phrases.js';
+export * from './sign-in-experience.js';
+export * from './sentinel.js';
+export * from './users.js';
+export * from './sso-connector.js';
+export { configurableConnectorMetadataGuard, type ConfigurableConnectorMetadata, } from '@logto/connector-kit';
+export type { Json, JsonObject } from '@withtyped/server';
+export declare const jsonGuard: z.ZodType<Json>;
+export declare const jsonObjectGuard: z.ZodRecord<z.ZodString, z.ZodType<Json, z.ZodTypeDef, Json>>;

package/lib/foundations/jsonb-types/index.js

@@ -0,0 +1,16 @@
+import { z } from 'zod';
+export * from './custom-domain.js';
+export * from './hooks.js';
+export * from './logs.js';
+export * from './oidc-module.js';
+export * from './phrases.js';
+export * from './sign-in-experience.js';
+export * from './sentinel.js';
+export * from './users.js';
+export * from './sso-connector.js';
+export { configurableConnectorMetadataGuard, } from '@logto/connector-kit';
+/* === Commonly Used === */
+// Copied from https://github.com/colinhacks/zod#json-type
+const literalSchema = z.union([z.string(), z.number(), z.boolean(), z.null()]);
+export const jsonGuard = z.lazy(() => z.union([literalSchema, z.array(jsonGuard), z.record(jsonGuard)]));
+export const jsonObjectGuard = z.record(jsonGuard);

package/lib/foundations/jsonb-types/logs.d.ts

@@ -0,0 +1,106 @@
+import { type PasswordPolicy } from '@logto/core-kit';
+import { type DeepPartial } from '@silverhand/essentials';
+import { z } from 'zod';
+export declare enum LogResult {
+    Success = "Success",
+    Error = "Error"
+}
+export declare const logContextPayloadGuard: z.ZodObject<{
+    key: z.ZodString;
+    result: z.ZodNativeEnum<typeof LogResult>;
+    error: z.ZodOptional<z.ZodUnion<[z.ZodRecord<z.ZodString, z.ZodUnknown>, z.ZodString]>>;
+    ip: z.ZodOptional<z.ZodString>;
+    userAgent: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
+    applicationId: z.ZodOptional<z.ZodString>;
+    sessionId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodUnknown, z.objectOutputType<{
+    key: z.ZodString;
+    result: z.ZodNativeEnum<typeof LogResult>;
+    error: z.ZodOptional<z.ZodUnion<[z.ZodRecord<z.ZodString, z.ZodUnknown>, z.ZodString]>>;
+    ip: z.ZodOptional<z.ZodString>;
+    userAgent: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
+    applicationId: z.ZodOptional<z.ZodString>;
+    sessionId: z.ZodOptional<z.ZodString>;
+}, z.ZodUnknown, "strip">, z.objectInputType<{
+    key: z.ZodString;
+    result: z.ZodNativeEnum<typeof LogResult>;
+    error: z.ZodOptional<z.ZodUnion<[z.ZodRecord<z.ZodString, z.ZodUnknown>, z.ZodString]>>;
+    ip: z.ZodOptional<z.ZodString>;
+    userAgent: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
+    applicationId: z.ZodOptional<z.ZodString>;
+    sessionId: z.ZodOptional<z.ZodString>;
+}, z.ZodUnknown, "strip">>;
+export type PartialPasswordPolicy = DeepPartial<PasswordPolicy>;
+export declare const partialPasswordPolicyGuard: z.ZodObject<{
+    length: z.ZodOptional<z.ZodDefault<z.ZodObject<{
+        min: z.ZodDefault<z.ZodNumber>;
+        max: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        min: number;
+        max: number;
+    }, {
+        min?: number | undefined;
+        max?: number | undefined;
+    }>>>;
+    characterTypes: z.ZodOptional<z.ZodDefault<z.ZodObject<{
+        min: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    }, "strip", z.ZodTypeAny, {
+        min: number;
+    }, {
+        min?: number | undefined;
+    }>>>;
+    rejects: z.ZodOptional<z.ZodDefault<z.ZodObject<{
+        pwned: z.ZodDefault<z.ZodBoolean>;
+        repetitionAndSequence: z.ZodDefault<z.ZodBoolean>;
+        userInfo: z.ZodDefault<z.ZodBoolean>;
+        words: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        pwned: boolean;
+        repetitionAndSequence: boolean;
+        userInfo: boolean;
+        words: string[];
+    }, {
+        pwned?: boolean | undefined;
+        repetitionAndSequence?: boolean | undefined;
+        userInfo?: boolean | undefined;
+        words?: string[] | undefined;
+    }>>>;
+}, "strip", z.ZodTypeAny, {
+    length?: {
+        min: number;
+        max: number;
+    } | undefined;
+    characterTypes?: {
+        min: number;
+    } | undefined;
+    rejects?: {
+        pwned: boolean;
+        repetitionAndSequence: boolean;
+        userInfo: boolean;
+        words: string[];
+    } | undefined;
+}, {
+    length?: {
+        min?: number | undefined;
+        max?: number | undefined;
+    } | undefined;
+    characterTypes?: {
+        min?: number | undefined;
+    } | undefined;
+    rejects?: {
+        pwned?: boolean | undefined;
+        repetitionAndSequence?: boolean | undefined;
+        userInfo?: boolean | undefined;
+        words?: string[] | undefined;
+    } | undefined;
+}>;
+/**
+ * The basic log context type. It's more about a type hint instead of forcing the log shape.
+ *
+ * Note when setting up a log function, the type of log key in function arguments should be `LogKey`.
+ * Here we use `string` to make it compatible with the Zod guard.
+ **/
+export type LogContextPayload = z.infer<typeof logContextPayloadGuard>;

package/lib/foundations/jsonb-types/logs.js

@@ -0,0 +1,20 @@
+import { passwordPolicyGuard } from '@logto/core-kit';
+import { z } from 'zod';
+export var LogResult;
+(function (LogResult) {
+    LogResult["Success"] = "Success";
+    LogResult["Error"] = "Error";
+})(LogResult || (LogResult = {}));
+export const logContextPayloadGuard = z
+    .object({
+    key: z.string(),
+    result: z.nativeEnum(LogResult),
+    error: z.record(z.string(), z.unknown()).or(z.string()).optional(),
+    ip: z.string().optional(),
+    userAgent: z.string().optional(),
+    userId: z.string().optional(),
+    applicationId: z.string().optional(),
+    sessionId: z.string().optional(),
+})
+    .catchall(z.unknown());
+export const partialPasswordPolicyGuard = passwordPolicyGuard.deepPartial();

package/lib/foundations/jsonb-types/oidc-module.d.ts

@@ -0,0 +1,80 @@
+import { z } from 'zod';
+export declare const oidcModelInstancePayloadGuard: z.ZodObject<{
+    userCode: z.ZodOptional<z.ZodString>;
+    uid: z.ZodOptional<z.ZodString>;
+    grantId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodUnknown, z.objectOutputType<{
+    userCode: z.ZodOptional<z.ZodString>;
+    uid: z.ZodOptional<z.ZodString>;
+    grantId: z.ZodOptional<z.ZodString>;
+}, z.ZodUnknown, "strip">, z.objectInputType<{
+    userCode: z.ZodOptional<z.ZodString>;
+    uid: z.ZodOptional<z.ZodString>;
+    grantId: z.ZodOptional<z.ZodString>;
+}, z.ZodUnknown, "strip">>;
+export type OidcModelInstancePayload = z.infer<typeof oidcModelInstancePayloadGuard>;
+export declare const oidcClientMetadataGuard: z.ZodObject<{
+    redirectUris: z.ZodArray<z.ZodUnion<[z.ZodEffects<z.ZodString, string, string>, z.ZodEffects<z.ZodString, string, string>]>, "many">;
+    postLogoutRedirectUris: z.ZodArray<z.ZodString, "many">;
+    logoUri: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    redirectUris: string[];
+    postLogoutRedirectUris: string[];
+    logoUri?: string | undefined;
+}, {
+    redirectUris: string[];
+    postLogoutRedirectUris: string[];
+    logoUri?: string | undefined;
+}>;
+export type OidcClientMetadata = z.infer<typeof oidcClientMetadataGuard>;
+export declare enum CustomClientMetadataKey {
+    CorsAllowedOrigins = "corsAllowedOrigins",
+    IdTokenTtl = "idTokenTtl",
+    /** @deprecated Use {@link RefreshTokenTtlInDays} instead. */
+    RefreshTokenTtl = "refreshTokenTtl",
+    RefreshTokenTtlInDays = "refreshTokenTtlInDays",
+    TenantId = "tenantId",
+    /**
+     * Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request.
+     *
+     * It only works for web applications when the client allowed grant types includes `refresh_token`.
+     *
+     * This config is for the third-party integrations that do not strictly follow OpenID Connect standards due to some reasons (e.g. they only know OAuth, but requires a Refresh Token to be returned anyway).
+     */
+    AlwaysIssueRefreshToken = "alwaysIssueRefreshToken",
+    /**
+     * When enabled (default), Logto will issue a new Refresh Token for token requests when 70% of the original Time to Live (TTL) has passed.
+     *
+     * It can be turned off for only traditional web apps for enhanced security.
+     */
+    RotateRefreshToken = "rotateRefreshToken"
+}
+export declare const customClientMetadataGuard: z.ZodObject<{
+    corsAllowedOrigins: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    idTokenTtl: z.ZodOptional<z.ZodNumber>;
+    refreshTokenTtl: z.ZodOptional<z.ZodNumber>;
+    refreshTokenTtlInDays: z.ZodOptional<z.ZodNumber>;
+    tenantId: z.ZodOptional<z.ZodString>;
+    alwaysIssueRefreshToken: z.ZodOptional<z.ZodBoolean>;
+    rotateRefreshToken: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    corsAllowedOrigins?: string[] | undefined;
+    idTokenTtl?: number | undefined;
+    refreshTokenTtl?: number | undefined;
+    refreshTokenTtlInDays?: number | undefined;
+    tenantId?: string | undefined;
+    alwaysIssueRefreshToken?: boolean | undefined;
+    rotateRefreshToken?: boolean | undefined;
+}, {
+    corsAllowedOrigins?: string[] | undefined;
+    idTokenTtl?: number | undefined;
+    refreshTokenTtl?: number | undefined;
+    refreshTokenTtlInDays?: number | undefined;
+    tenantId?: string | undefined;
+    alwaysIssueRefreshToken?: boolean | undefined;
+    rotateRefreshToken?: boolean | undefined;
+}>;
+/**
+ * @see {@link CustomClientMetadataKey} for key descriptions.
+ */
+export type CustomClientMetadata = z.infer<typeof customClientMetadataGuard>;

package/lib/foundations/jsonb-types/oidc-module.js

@@ -0,0 +1,54 @@
+import { validateRedirectUrl } from '@logto/core-kit';
+import { z } from 'zod';
+export const oidcModelInstancePayloadGuard = z
+    .object({
+    userCode: z.string().optional(),
+    uid: z.string().optional(),
+    grantId: z.string().optional(),
+})
+    /**
+     * Try to use `.passthrough()` if type has been fixed.
+     * https://github.com/colinhacks/zod/issues/452
+     */
+    .catchall(z.unknown());
+export const oidcClientMetadataGuard = z.object({
+    redirectUris: z
+        .string()
+        .refine((url) => validateRedirectUrl(url, 'web'))
+        .or(z.string().refine((url) => validateRedirectUrl(url, 'mobile')))
+        .array(),
+    postLogoutRedirectUris: z.string().url().array(),
+    logoUri: z.string().optional(),
+});
+export var CustomClientMetadataKey;
+(function (CustomClientMetadataKey) {
+    CustomClientMetadataKey["CorsAllowedOrigins"] = "corsAllowedOrigins";
+    CustomClientMetadataKey["IdTokenTtl"] = "idTokenTtl";
+    /** @deprecated Use {@link RefreshTokenTtlInDays} instead. */
+    CustomClientMetadataKey["RefreshTokenTtl"] = "refreshTokenTtl";
+    CustomClientMetadataKey["RefreshTokenTtlInDays"] = "refreshTokenTtlInDays";
+    CustomClientMetadataKey["TenantId"] = "tenantId";
+    /**
+     * Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request.
+     *
+     * It only works for web applications when the client allowed grant types includes `refresh_token`.
+     *
+     * This config is for the third-party integrations that do not strictly follow OpenID Connect standards due to some reasons (e.g. they only know OAuth, but requires a Refresh Token to be returned anyway).
+     */
+    CustomClientMetadataKey["AlwaysIssueRefreshToken"] = "alwaysIssueRefreshToken";
+    /**
+     * When enabled (default), Logto will issue a new Refresh Token for token requests when 70% of the original Time to Live (TTL) has passed.
+     *
+     * It can be turned off for only traditional web apps for enhanced security.
+     */
+    CustomClientMetadataKey["RotateRefreshToken"] = "rotateRefreshToken";
+})(CustomClientMetadataKey || (CustomClientMetadataKey = {}));
+export const customClientMetadataGuard = z.object({
+    [CustomClientMetadataKey.CorsAllowedOrigins]: z.string().min(1).array().optional(),
+    [CustomClientMetadataKey.IdTokenTtl]: z.number().optional(),
+    [CustomClientMetadataKey.RefreshTokenTtl]: z.number().optional(),
+    [CustomClientMetadataKey.RefreshTokenTtlInDays]: z.number().int().min(1).max(90).optional(),
+    [CustomClientMetadataKey.TenantId]: z.string().optional(),
+    [CustomClientMetadataKey.AlwaysIssueRefreshToken]: z.boolean().optional(),
+    [CustomClientMetadataKey.RotateRefreshToken]: z.boolean().optional(),
+});

package/lib/foundations/jsonb-types/phrases.d.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+export type Translation = {
+    [key: string]: string | Translation;
+};
+export declare const translationGuard: z.ZodType<Translation>;

package/lib/foundations/jsonb-types/phrases.js

@@ -0,0 +1,2 @@
+import { z } from 'zod';
+export const translationGuard = z.lazy(() => z.record(z.string().or(translationGuard)));