@logto/schemas 1.10.0 → 1.11.0

package/alterations/1.10.1-1695647183-update-private-key-type.ts

@@ -0,0 +1,108 @@
+import { generateStandardId } from '@logto/shared';
+import type { DatabaseTransactionConnection } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const targetConfigKeys = ['oidc.cookieKeys', 'oidc.privateKeys'];
+
+type OldPrivateKeyData = {
+  tenantId: string;
+  value: string[];
+};
+
+type PrivateKey = {
+  id: string;
+  value: string;
+  createdAt: number;
+};
+
+type NewPrivateKeyData = {
+  tenantId: string;
+  value: PrivateKey[];
+};
+
+/**
+ * Alternate string array private signing keys to JSON array
+ * "oidc.cookieKeys":  string[] -> PrivateKey[]
+ * "oidc.privateKeys": string[] -> PrivateKey[]
+ * @param configKey oidc.cookieKeys | oidc.privateKeys
+ * @param logtoConfig existing private key data for a specific tenant
+ * @param pool postgres database connection pool
+ */
+const alterPrivateKeysInLogtoConfig = async (
+  configKey: string,
+  logtoConfig: OldPrivateKeyData,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: oldPrivateKey } = logtoConfig;
+
+  // Use tenant creation time as `createdAt` timestamp for new private keys
+  const tenantData = await pool.maybeOne<{ createdAt: number }>(
+    sql`select * from tenants where id = ${tenantId}`
+  );
+  const newPrivateKeyData: PrivateKey[] = oldPrivateKey.map((key) => ({
+    id: generateStandardId(),
+    value: key,
+    createdAt: Math.floor((tenantData?.createdAt ?? Date.now()) / 1000),
+  }));
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      newPrivateKeyData
+    )} where tenant_id = ${tenantId} and key = ${configKey}`
+  );
+};
+
+/**
+ * Rollback JSON array private signing keys to string array
+ * "oidc.cookieKeys":  PrivateKey[] -> string[]
+ * "oidc.privateKeys": PrivateKey[] -> string[]
+ * @param configKey oidc.cookieKeys | oidc.privateKeys
+ * @param logtoConfig new private key data for a specific tenant
+ * @param pool postgres database connection pool
+ */
+const rollbackPrivateKeysInLogtoConfig = async (
+  configKey: string,
+  logtoConfig: NewPrivateKeyData,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: newPrivateKeyData } = logtoConfig;
+
+  const oldPrivateKeys = newPrivateKeyData.map(({ value }) => value);
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      oldPrivateKeys
+    )} where tenant_id = ${tenantId} and key = ${configKey}`
+  );
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await Promise.all(
+      targetConfigKeys.map(async (configKey) => {
+        const rows = await pool.many<OldPrivateKeyData>(
+          sql`select * from logto_configs where key = ${configKey}`
+        );
+        await Promise.all(
+          rows.map(async (row) => alterPrivateKeysInLogtoConfig(configKey, row, pool))
+        );
+      })
+    );
+  },
+  down: async (pool) => {
+    await Promise.all(
+      targetConfigKeys.map(async (configKey) => {
+        const rows = await pool.many<NewPrivateKeyData>(
+          sql`select * from logto_configs where key = ${configKey}`
+        );
+        await Promise.all(
+          rows.map(async (row) => rollbackPrivateKeysInLogtoConfig(configKey, row, pool))
+        );
+      })
+    );
+  },
+};
+
+export default alteration;

package/alterations/1.10.1-1696657546-organization-tables.ts

@@ -0,0 +1,150 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const enableRls = async (pool: CommonQueryMethods, database: string, table: string) => {
+  const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+
+  await pool.query(sql`
+    create trigger set_tenant_id before insert on ${sql.identifier([table])}
+      for each row execute procedure set_tenant_id();
+
+    alter table ${sql.identifier([table])} enable row level security;
+
+    create policy ${sql.identifier([`${table}_tenant_id`])} on ${sql.identifier([table])}
+      as restrictive
+      using (tenant_id = (select id from tenants where db_user = current_user));
+
+    create policy ${sql.identifier([`${table}_modification`])} on ${sql.identifier([table])}
+      using (true);
+
+    grant select, insert, update, delete on ${sql.identifier([table])} to ${baseRoleId};
+  `);
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+
+    await pool.query(sql`
+      create table organizations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the organization. */
+        id varchar(21) not null,
+        /** The organization's name for display. */
+        name varchar(128) not null,
+        /** A brief description of the organization. */
+        description varchar(256),
+        /** When the organization was created. */
+        created_at timestamptz not null default(now()),
+        primary key (id)
+      );
+
+      create index organizations__id
+        on organizations (tenant_id, id);
+    `);
+    await enableRls(pool, database, 'organizations');
+
+    await pool.query(sql`
+      create table organization_roles (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the organization role. */
+        id varchar(21) not null,
+        /** The organization role's name, unique within the organization template. */
+        name varchar(128) not null,
+        /** A brief description of the organization role. */
+        description varchar(256),
+        primary key (id),
+        constraint organization_roles__name
+          unique (tenant_id, name)
+      );
+
+      create index organization_roles__id
+        on organization_roles (tenant_id, id);
+    `);
+    await enableRls(pool, database, 'organization_roles');
+
+    await pool.query(sql`
+      create table organization_scopes (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the organization scope. */
+        id varchar(21) not null,
+        /** The organization scope's name, unique within the organization template. */
+        name varchar(128) not null,
+        /** A brief description of the organization scope. */
+        description varchar(256),
+        primary key (id),
+        constraint organization_scopes__name
+          unique (tenant_id, name)
+      );
+
+      create index organization_scopes__id
+        on organization_scopes (tenant_id, id);
+    `);
+    await enableRls(pool, database, 'organization_scopes');
+
+    await pool.query(sql`
+      create table organization_role_user_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, organization_role_id, user_id)
+      );
+    `);
+    await enableRls(pool, database, 'organization_role_user_relations');
+
+    await pool.query(sql`
+      create table organization_role_scope_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        organization_scope_id varchar(21) not null
+          references organization_scopes (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_role_id, organization_scope_id)
+      );
+    `);
+    await enableRls(pool, database, 'organization_role_scope_relations');
+
+    await pool.query(sql`
+      create table organization_user_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, user_id)
+      );
+    `);
+    await enableRls(pool, database, 'organization_user_relations');
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop table organization_role_scope_relations;
+      drop table organization_role_user_relations;
+      drop table organization_scopes;
+      drop table organization_roles;
+      drop table organization_user_relations;
+      drop table organizations;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.10.1-1697683802-add-sso-connectors-table.ts

@@ -0,0 +1,66 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getId = (value: string) => sql.identifier([value]);
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    const baseRoleId = getId(`logto_tenant_${database}`);
+
+    await pool.query(sql`
+      create table sso_connectors (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(128) not null,
+        provider_name varchar(128) not null,
+        connector_name varchar(128) not null,
+        config jsonb not null default '{}'::jsonb,
+        domains jsonb not null default '[]'::jsonb,
+        branding jsonb not null default '{}'::jsonb,
+        sync_profile boolean not null default FALSE,
+        sso_only boolean not null default FALSE,
+        created_at timestamptz not null default(now()),
+        primary key (id)
+      );
+
+      create index sso_connectors__id
+        on sso_connectors (tenant_id, id);
+
+      create index sso_connectors__id__provider_name
+        on sso_connectors (tenant_id, id, provider_name);
+
+      create trigger set_tenant_id before insert on sso_connectors
+        for each row execute procedure set_tenant_id();
+
+      alter table sso_connectors enable row level security;
+
+      create policy sso_connectors_tenant_id on sso_connectors
+        as restrictive
+        using (tenant_id = (select id from tenants where db_user = current_user));
+
+      create policy sso_connectors_modification on sso_connectors
+        using (true);
+
+      grant select, insert, update, delete on sso_connectors to ${baseRoleId};
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop policy sso_connectors_modification on sso_connectors;
+      drop policy sso_connectors_tenant_id on sso_connectors;
+      drop table sso_connectors;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.10.1-1698646271-add-organization-created-flag.ts

@@ -0,0 +1,75 @@
+import type { DatabaseTransactionConnection } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminConsoleConfigKey = 'adminConsole';
+
+type OldAdminConsoleData = {
+  signInExperienceCustomized: boolean;
+} & Record<string, unknown>;
+
+type OldLogtoAdminConsoleConfig = {
+  tenantId: string;
+  value: OldAdminConsoleData;
+};
+
+type NewAdminConsoleData = {
+  signInExperienceCustomized: boolean;
+  organizationCreated: boolean;
+} & Record<string, unknown>;
+
+type NewLogtoAdminConsoleConfig = {
+  tenantId: string;
+  value: NewAdminConsoleData;
+};
+
+const alterAdminConsoleData = async (
+  logtoConfig: OldLogtoAdminConsoleConfig,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: oldAdminConsoleConfig } = logtoConfig;
+
+  const newAdminConsoleData: NewAdminConsoleData = {
+    ...oldAdminConsoleConfig,
+    organizationCreated: false,
+  };
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      newAdminConsoleData
+    )} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`
+  );
+};
+
+const rollbackAdminConsoleData = async (
+  logtoConfig: NewLogtoAdminConsoleConfig,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: newAdminConsoleConfig } = logtoConfig;
+
+  const { organizationCreated, ...oldAdminConsoleData } = newAdminConsoleConfig;
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      oldAdminConsoleData
+    )} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`
+  );
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const rows = await pool.many<OldLogtoAdminConsoleConfig>(
+      sql`select * from logto_configs where key = ${adminConsoleConfigKey}`
+    );
+    await Promise.all(rows.map(async (row) => alterAdminConsoleData(row, pool)));
+  },
+  down: async (pool) => {
+    const rows = await pool.many<NewLogtoAdminConsoleConfig>(
+      sql`select * from logto_configs where key = ${adminConsoleConfigKey}`
+    );
+    await Promise.all(rows.map(async (row) => rollbackAdminConsoleData(row, pool)));
+  },
+};
+
+export default alteration;

package/alterations/1.10.1-1698820410-add-user-sso-identities-table.ts

@@ -0,0 +1,61 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getId = (value: string) => sql.identifier([value]);
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+/** The alteration script for adding `sso_identities` column to the users table. */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    const baseRoleId = getId(`logto_tenant_${database}`);
+
+    await pool.query(sql`
+      create table user_sso_identities (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        issuer varchar(256) not null,
+        identity_id varchar(128) not null,
+        detail jsonb not null default '{}'::jsonb,
+        created_at timestamp not null default(now()),
+        primary key (id),
+        constraint user_sso_identities__issuer__identity_id
+          unique (tenant_id, issuer, identity_id)
+      );
+
+      create trigger set_tenant_id before insert on user_sso_identities
+        for each row execute procedure set_tenant_id();
+
+      alter table user_sso_identities enable row level security;
+
+      create policy user_sso_identities_tenant_id on user_sso_identities
+        as restrictive
+        using (tenant_id = (select id from tenants where db_user = current_user));
+
+      create policy user_sso_identities_modification on user_sso_identities
+        using (true);
+
+      grant select, insert, update, delete on user_sso_identities to ${baseRoleId};
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop policy user_sso_identities_modification on user_sso_identities;
+      drop policy user_sso_identities_tenant_id on user_sso_identities;
+      drop table user_sso_identities;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.10.1-1698910485-user-logto-data.ts

@@ -0,0 +1,20 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table users
+        add column if not exists logto_config jsonb not null default '{}'::jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table users
+        drop column logto_config;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.11.0-1699422979-add-sso-connector-id-col-to-user-sso-identities-table.ts

@@ -0,0 +1,18 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table user_sso_identities add column sso_connector_id varchar(128) not null references sso_connectors (id) on update cascade on delete cascade;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table user_sso_identities drop column sso_connector_id;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.11.0-1699598903-remove-sso-only-column-in-sso-connectors-table.ts

@@ -0,0 +1,18 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors drop column sso_only;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors add column sso_only boolean not null default FALSE;
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.10.1-1695647183-update-private-key-type.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.10.1-1695647183-update-private-key-type.js

@@ -0,0 +1,50 @@
+import { generateStandardId } from '@logto/shared';
+import { sql } from 'slonik';
+const targetConfigKeys = ['oidc.cookieKeys', 'oidc.privateKeys'];
+/**
+ * Alternate string array private signing keys to JSON array
+ * "oidc.cookieKeys":  string[] -> PrivateKey[]
+ * "oidc.privateKeys": string[] -> PrivateKey[]
+ * @param configKey oidc.cookieKeys | oidc.privateKeys
+ * @param logtoConfig existing private key data for a specific tenant
+ * @param pool postgres database connection pool
+ */
+const alterPrivateKeysInLogtoConfig = async (configKey, logtoConfig, pool) => {
+    const { tenantId, value: oldPrivateKey } = logtoConfig;
+    // Use tenant creation time as `createdAt` timestamp for new private keys
+    const tenantData = await pool.maybeOne(sql `select * from tenants where id = ${tenantId}`);
+    const newPrivateKeyData = oldPrivateKey.map((key) => ({
+        id: generateStandardId(),
+        value: key,
+        createdAt: Math.floor((tenantData?.createdAt ?? Date.now()) / 1000),
+    }));
+    await pool.query(sql `update logto_configs set value = ${JSON.stringify(newPrivateKeyData)} where tenant_id = ${tenantId} and key = ${configKey}`);
+};
+/**
+ * Rollback JSON array private signing keys to string array
+ * "oidc.cookieKeys":  PrivateKey[] -> string[]
+ * "oidc.privateKeys": PrivateKey[] -> string[]
+ * @param configKey oidc.cookieKeys | oidc.privateKeys
+ * @param logtoConfig new private key data for a specific tenant
+ * @param pool postgres database connection pool
+ */
+const rollbackPrivateKeysInLogtoConfig = async (configKey, logtoConfig, pool) => {
+    const { tenantId, value: newPrivateKeyData } = logtoConfig;
+    const oldPrivateKeys = newPrivateKeyData.map(({ value }) => value);
+    await pool.query(sql `update logto_configs set value = ${JSON.stringify(oldPrivateKeys)} where tenant_id = ${tenantId} and key = ${configKey}`);
+};
+const alteration = {
+    up: async (pool) => {
+        await Promise.all(targetConfigKeys.map(async (configKey) => {
+            const rows = await pool.many(sql `select * from logto_configs where key = ${configKey}`);
+            await Promise.all(rows.map(async (row) => alterPrivateKeysInLogtoConfig(configKey, row, pool)));
+        }));
+    },
+    down: async (pool) => {
+        await Promise.all(targetConfigKeys.map(async (configKey) => {
+            const rows = await pool.many(sql `select * from logto_configs where key = ${configKey}`);
+            await Promise.all(rows.map(async (row) => rollbackPrivateKeysInLogtoConfig(configKey, row, pool)));
+        }));
+    },
+};
+export default alteration;

package/alterations-js/1.10.1-1696657546-organization-tables.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;