@logto/schemas 1.11.0 → 1.12.0

package/alterations/1.12.0-1700031616-update-org-role-foreign-keys.ts

@@ -0,0 +1,35 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organization_role_user_relations
+        drop constraint organization_role_user_relations_organization_id_fkey;
+      alter table organization_role_user_relations
+        drop constraint organization_role_user_relations_user_id_fkey;
+      alter table organization_role_user_relations
+        add foreign key (tenant_id, organization_id, user_id)
+        references organization_user_relations (tenant_id, organization_id, user_id)
+        on update cascade on delete cascade;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table organization_role_user_relations
+        -- The constraint name is strange because it's generated by Postgres and it has a 63 character limit
+        drop constraint organization_role_user_relati_tenant_id_organization_id_us_fkey;
+      alter table organization_role_user_relations
+        add foreign key (organization_id)
+        references organizations (id)
+        on update cascade on delete cascade;
+      alter table organization_role_user_relations
+        add foreign key (user_id)
+        references users (id)
+        on update cascade on delete cascade;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.ts

@@ -0,0 +1,21 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors
+        add constraint sso_connectors__connector_name__unique 
+          unique (tenant_id, connector_name);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors
+        drop constraint sso_connectors__connector_name__unique;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.ts

@@ -0,0 +1,20 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column single_sign_on_enabled boolean not null default false;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column single_sign_on_enabled;
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.12.0-1700031616-update-org-role-foreign-keys.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.12.0-1700031616-update-org-role-foreign-keys.js

@@ -0,0 +1,31 @@
+import { sql } from 'slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table organization_role_user_relations
+        drop constraint organization_role_user_relations_organization_id_fkey;
+      alter table organization_role_user_relations
+        drop constraint organization_role_user_relations_user_id_fkey;
+      alter table organization_role_user_relations
+        add foreign key (tenant_id, organization_id, user_id)
+        references organization_user_relations (tenant_id, organization_id, user_id)
+        on update cascade on delete cascade;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table organization_role_user_relations
+        -- The constraint name is strange because it's generated by Postgres and it has a 63 character limit
+        drop constraint organization_role_user_relati_tenant_id_organization_id_us_fkey;
+      alter table organization_role_user_relations
+        add foreign key (organization_id)
+        references organizations (id)
+        on update cascade on delete cascade;
+      alter table organization_role_user_relations
+        add foreign key (user_id)
+        references users (id)
+        on update cascade on delete cascade;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.js

@@ -0,0 +1,17 @@
+import { sql } from 'slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connectors
+        add constraint sso_connectors__connector_name__unique 
+          unique (tenant_id, connector_name);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connectors
+        drop constraint sso_connectors__connector_name__unique;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.js

@@ -0,0 +1,16 @@
+import { sql } from 'slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column single_sign_on_enabled boolean not null default false;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        drop column single_sign_on_enabled;
+    `);
+    },
+};
+export default alteration;

package/lib/consts/index.d.ts

@@ -3,3 +3,4 @@ export * from './system.js';
 export * from './oidc.js';
 export * from './date.js';
 export * from './tenant.js';
+export * from './subscriptions.js';

package/lib/consts/index.js

@@ -3,3 +3,4 @@ export * from './system.js';
 export * from './oidc.js';
 export * from './date.js';
 export * from './tenant.js';
+export * from './subscriptions.js';

package/lib/consts/subscriptions.d.ts

@@ -0,0 +1,6 @@
+export declare enum ReservedPlanId {
+    Free = "free",
+    Hobby = "hobby",
+    Pro = "pro",
+    Development = "dev"
+}

package/lib/consts/subscriptions.js

@@ -0,0 +1,7 @@
+export var ReservedPlanId;
+(function (ReservedPlanId) {
+    ReservedPlanId["Free"] = "free";
+    ReservedPlanId["Hobby"] = "hobby";
+    ReservedPlanId["Pro"] = "pro";
+    ReservedPlanId["Development"] = "dev";
+})(ReservedPlanId || (ReservedPlanId = {}));

package/lib/db-entries/sign-in-experience.d.ts

@@ -21,6 +21,7 @@ export type CreateSignInExperience = {
     customContent?: CustomContent;
     passwordPolicy?: PartialPasswordPolicy;
     mfa?: Mfa;
+    singleSignOnEnabled?: boolean;
 };
 export type SignInExperience = {
     tenantId: string;
@@ -38,6 +39,7 @@ export type SignInExperience = {
     customContent: CustomContent;
     passwordPolicy: PartialPasswordPolicy;
     mfa: Mfa;
+    singleSignOnEnabled: boolean;
 };
-export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'signIn' | 'signUp' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'passwordPolicy' | 'mfa';
+export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'signIn' | 'signUp' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'passwordPolicy' | 'mfa' | 'singleSignOnEnabled';
 export declare const SignInExperiences: GeneratedSchema<SignInExperienceKeys, CreateSignInExperience, SignInExperience, 'sign_in_experiences', 'sign_in_experience'>;

package/lib/db-entries/sign-in-experience.js

@@ -18,6 +18,7 @@ const createGuard = z.object({
     customContent: customContentGuard.optional(),
     passwordPolicy: partialPasswordPolicyGuard.optional(),
     mfa: mfaGuard.optional(),
+    singleSignOnEnabled: z.boolean().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -35,6 +36,7 @@ const guard = z.object({
     customContent: customContentGuard,
     passwordPolicy: partialPasswordPolicyGuard,
     mfa: mfaGuard,
+    singleSignOnEnabled: z.boolean(),
 });
 export const SignInExperiences = Object.freeze({
     table: 'sign_in_experiences',
@@ -55,6 +57,7 @@ export const SignInExperiences = Object.freeze({
         customContent: 'custom_content',
         passwordPolicy: 'password_policy',
         mfa: 'mfa',
+        singleSignOnEnabled: 'single_sign_on_enabled',
     },
     fieldKeys: [
         'tenantId',
@@ -72,6 +75,7 @@ export const SignInExperiences = Object.freeze({
         'customContent',
         'passwordPolicy',
         'mfa',
+        'singleSignOnEnabled',
     ],
     createGuard,
     guard,

package/lib/db-entries/sso-connector.d.ts

@@ -8,7 +8,7 @@ export type CreateSsoConnector = {
     tenantId?: string;
     /** The globally unique identifier of the SSO connector. */
     id: string;
-    /** The connector factory name of the SSO provider. */
+    /** The identifier of connector's SSO provider */
     providerName: string;
     /** The name of the SSO provider for display. */
     connectorName: string;
@@ -27,7 +27,7 @@ export type SsoConnector = {
     tenantId: string;
     /** The globally unique identifier of the SSO connector. */
     id: string;
-    /** The connector factory name of the SSO provider. */
+    /** The identifier of connector's SSO provider */
     providerName: string;
     /** The name of the SSO provider for display. */
     connectorName: string;

package/lib/foundations/jsonb-types/sso-connector.d.ts

@@ -2,12 +2,15 @@ import { z } from 'zod';
 export declare const ssoDomainsGuard: z.ZodArray<z.ZodString, "many">;
 export type SsoDomains = z.infer<typeof ssoDomainsGuard>;
 export declare const ssoBrandingGuard: z.ZodObject<{
+    displayName: z.ZodOptional<z.ZodString>;
     logo: z.ZodOptional<z.ZodString>;
     darkLogo: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
+    displayName?: string | undefined;
     logo?: string | undefined;
     darkLogo?: string | undefined;
 }, {
+    displayName?: string | undefined;
     logo?: string | undefined;
     darkLogo?: string | undefined;
 }>;

package/lib/foundations/jsonb-types/sso-connector.js

@@ -1,6 +1,7 @@
 import { z } from 'zod';
 export const ssoDomainsGuard = z.array(z.string());
 export const ssoBrandingGuard = z.object({
+    displayName: z.string().optional(),
     logo: z.string().optional(),
     darkLogo: z.string().optional(),
 });

package/lib/types/hook.d.ts

@@ -9,6 +9,7 @@ export type HookEventPayload = {
     sessionId?: string;
     userAgent?: string;
     userId?: string;
+    userIp?: string;
     user?: Pick<User, (typeof userInfoSelectFields)[number]>;
     application?: Pick<Application, 'id' | 'type' | 'name' | 'description'>;
 } & Record<string, unknown>;

package/lib/types/sso-connector.d.ts

@@ -1,4 +1,5 @@
 import { z } from 'zod';
+import { type SsoConnector } from '../db-entries/sso-connector.js';
 /**
  * SSO Connector data type that are returned to the experience client for sign-in use.
  */
@@ -19,71 +20,57 @@ export declare const ssoConnectorMetadataGuard: z.ZodObject<{
     darkLogo?: string | undefined;
 }>;
 export type SsoConnectorMetadata = z.infer<typeof ssoConnectorMetadataGuard>;
-declare const ssoConnectorFactoryDetailGuard: z.ZodObject<{
-    providerName: z.ZodString;
+export declare enum SsoProviderName {
+    OIDC = "OIDC",
+    SAML = "SAML",
+    AZURE_AD = "AzureAD",
+    GOOGLE_WORKSPACE = "GoogleWorkspace",
+    OKTA = "Okta"
+}
+export declare const singleSignOnDomainBlackList: readonly string[];
+export type SupportedSsoConnector = Omit<SsoConnector, 'providerName'> & {
+    providerName: SsoProviderName;
+};
+declare const ssoConnectorProviderDetailGuard: z.ZodObject<{
+    providerName: z.ZodNativeEnum<typeof SsoProviderName>;
     logo: z.ZodString;
+    logoDark: z.ZodString;
     description: z.ZodString;
+    name: z.ZodString;
 }, "strip", z.ZodTypeAny, {
+    name: string;
     logo: string;
     description: string;
-    providerName: string;
+    logoDark: string;
+    providerName: SsoProviderName;
 }, {
+    name: string;
     logo: string;
     description: string;
-    providerName: string;
+    logoDark: string;
+    providerName: SsoProviderName;
 }>;
-export type SsoConnectorFactoryDetail = z.infer<typeof ssoConnectorFactoryDetailGuard>;
-export declare const ssoConnectorFactoriesResponseGuard: z.ZodObject<{
-    standardConnectors: z.ZodArray<z.ZodObject<{
-        providerName: z.ZodString;
-        logo: z.ZodString;
-        description: z.ZodString;
-    }, "strip", z.ZodTypeAny, {
-        logo: string;
-        description: string;
-        providerName: string;
-    }, {
-        logo: string;
-        description: string;
-        providerName: string;
-    }>, "many">;
-    providerConnectors: z.ZodArray<z.ZodObject<{
-        providerName: z.ZodString;
-        logo: z.ZodString;
-        description: z.ZodString;
-    }, "strip", z.ZodTypeAny, {
-        logo: string;
-        description: string;
-        providerName: string;
-    }, {
-        logo: string;
-        description: string;
-        providerName: string;
-    }>, "many">;
+export type SsoConnectorProviderDetail = z.infer<typeof ssoConnectorProviderDetailGuard>;
+export declare const ssoConnectorProvidersResponseGuard: z.ZodArray<z.ZodObject<{
+    providerName: z.ZodNativeEnum<typeof SsoProviderName>;
+    logo: z.ZodString;
+    logoDark: z.ZodString;
+    description: z.ZodString;
+    name: z.ZodString;
 }, "strip", z.ZodTypeAny, {
-    standardConnectors: {
-        logo: string;
-        description: string;
-        providerName: string;
-    }[];
-    providerConnectors: {
-        logo: string;
-        description: string;
-        providerName: string;
-    }[];
+    name: string;
+    logo: string;
+    description: string;
+    logoDark: string;
+    providerName: SsoProviderName;
 }, {
-    standardConnectors: {
-        logo: string;
-        description: string;
-        providerName: string;
-    }[];
-    providerConnectors: {
-        logo: string;
-        description: string;
-        providerName: string;
-    }[];
-}>;
-export type SsoConnectorFactoriesResponse = z.infer<typeof ssoConnectorFactoriesResponseGuard>;
+    name: string;
+    logo: string;
+    description: string;
+    logoDark: string;
+    providerName: SsoProviderName;
+}>, "many">;
+export type SsoConnectorProvidersResponse = z.infer<typeof ssoConnectorProvidersResponseGuard>;
 export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
     id: z.ZodType<string, z.ZodTypeDef, string>;
     tenantId: z.ZodType<string, z.ZodTypeDef, string>;
@@ -92,17 +79,22 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
     config: z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>;
     domains: z.ZodType<string[], z.ZodTypeDef, string[]>;
     branding: z.ZodType<{
+        displayName?: string | undefined;
         logo?: string | undefined;
         darkLogo?: string | undefined;
     }, z.ZodTypeDef, {
+        displayName?: string | undefined;
         logo?: string | undefined;
         darkLogo?: string | undefined;
     }>;
-    providerName: z.ZodType<string, z.ZodTypeDef, string>;
     connectorName: z.ZodType<string, z.ZodTypeDef, string>;
+    name: z.ZodString;
+    providerName: z.ZodNativeEnum<typeof SsoProviderName>;
     providerLogo: z.ZodString;
+    providerLogoDark: z.ZodString;
     providerConfig: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, "strip", z.ZodTypeAny, {
+    name: string;
     id: string;
     tenantId: string;
     createdAt: number;
@@ -110,14 +102,17 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
     config: import("@withtyped/server").JsonObject;
     domains: string[];
     branding: {
+        displayName?: string | undefined;
         logo?: string | undefined;
         darkLogo?: string | undefined;
     };
-    providerName: string;
+    providerName: SsoProviderName;
     connectorName: string;
     providerLogo: string;
+    providerLogoDark: string;
     providerConfig?: Record<string, unknown> | undefined;
 }, {
+    name: string;
     id: string;
     tenantId: string;
     createdAt: number;
@@ -125,12 +120,14 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
     config: import("@withtyped/server").JsonObject;
     domains: string[];
     branding: {
+        displayName?: string | undefined;
         logo?: string | undefined;
         darkLogo?: string | undefined;
     };
-    providerName: string;
+    providerName: SsoProviderName;
     connectorName: string;
     providerLogo: string;
+    providerLogoDark: string;
     providerConfig?: Record<string, unknown> | undefined;
 }>;
 export type SsoConnectorWithProviderConfig = z.infer<typeof ssoConnectorWithProviderConfigGuard>;

package/lib/types/sso-connector.js

@@ -9,16 +9,50 @@ export const ssoConnectorMetadataGuard = z.object({
     logo: z.string(),
     darkLogo: z.string().optional(),
 });
-const ssoConnectorFactoryDetailGuard = z.object({
-    providerName: z.string(),
+export var SsoProviderName;
+(function (SsoProviderName) {
+    SsoProviderName["OIDC"] = "OIDC";
+    SsoProviderName["SAML"] = "SAML";
+    SsoProviderName["AZURE_AD"] = "AzureAD";
+    SsoProviderName["GOOGLE_WORKSPACE"] = "GoogleWorkspace";
+    SsoProviderName["OKTA"] = "Okta";
+})(SsoProviderName || (SsoProviderName = {}));
+export const singleSignOnDomainBlackList = Object.freeze([
+    'gmail.com',
+    'yahoo.com',
+    'hotmail.com',
+    'outlook.com',
+    'live.com',
+    'icloud.com',
+    'aol.com',
+    'yandex.com',
+    'mail.com',
+    'protonmail.com',
+    'yanex.com',
+    'gmx.com',
+    'mail.ru',
+    'zoho.com',
+    'qq.com',
+    '163.com',
+    '126.com',
+    'sina.com',
+    'sohu.com',
+]);
+const ssoConnectorProviderDetailGuard = z.object({
+    providerName: z.nativeEnum(SsoProviderName),
     logo: z.string(),
+    logoDark: z.string(),
     description: z.string(),
+    name: z.string(),
 });
-export const ssoConnectorFactoriesResponseGuard = z.object({
-    standardConnectors: z.array(ssoConnectorFactoryDetailGuard),
-    providerConnectors: z.array(ssoConnectorFactoryDetailGuard),
-});
-export const ssoConnectorWithProviderConfigGuard = SsoConnectors.guard.merge(z.object({
+export const ssoConnectorProvidersResponseGuard = z.array(ssoConnectorProviderDetailGuard);
+// API response guard for all the SSO connectors CRUD APIs
+export const ssoConnectorWithProviderConfigGuard = SsoConnectors.guard
+    .omit({ providerName: true })
+    .merge(z.object({
+    name: z.string(),
+    providerName: z.nativeEnum(SsoProviderName),
     providerLogo: z.string(),
+    providerLogoDark: z.string(),
     providerConfig: z.record(z.unknown()).optional(),
 }));

package/lib/types/tenant.js

@@ -1,6 +1,9 @@
 export var TenantTag;
 (function (TenantTag) {
+    /* Development tenants are free to use but are not meant to be used as production environment */
     TenantTag["Development"] = "development";
+    /* @deprecated */
     TenantTag["Staging"] = "staging";
+    /* A production tenant must have an associated subscription plan, even if it's a free plan */
     TenantTag["Production"] = "production";
 })(TenantTag || (TenantTag = {}));

package/lib/types/user.d.ts

@@ -245,6 +245,7 @@ export declare const userProfileResponseGuard: z.ZodObject<{
     isSuspended: z.ZodType<boolean, z.ZodTypeDef, boolean>;
     lastSignInAt: z.ZodType<number | null, z.ZodTypeDef, number | null>;
     hasPassword: z.ZodOptional<z.ZodBoolean>;
+    ssoIdentities: z.ZodOptional<z.ZodArray<import("../foundations/schemas.js").Guard<import("../db-entries/user-sso-identity.js").UserSsoIdentity>, "many">>;
 }, "strip", z.ZodTypeAny, {
     name: string | null;
     id: string;
@@ -292,6 +293,7 @@ export declare const userProfileResponseGuard: z.ZodObject<{
     isSuspended: boolean;
     lastSignInAt: number | null;
     hasPassword?: boolean | undefined;
+    ssoIdentities?: import("../db-entries/user-sso-identity.js").UserSsoIdentity[] | undefined;
 }, {
     name: string | null;
     id: string;
@@ -339,6 +341,7 @@ export declare const userProfileResponseGuard: z.ZodObject<{
     isSuspended: boolean;
     lastSignInAt: number | null;
     hasPassword?: boolean | undefined;
+    ssoIdentities?: import("../db-entries/user-sso-identity.js").UserSsoIdentity[] | undefined;
 }>;
 export type UserProfileResponse = z.infer<typeof userProfileResponseGuard>;
 export declare const userMfaVerificationResponseGuard: z.ZodArray<z.ZodObject<{

package/lib/types/user.js

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { Users } from '../db-entries/index.js';
+import { Users, UserSsoIdentities } from '../db-entries/index.js';
 import { MfaFactor } from '../foundations/index.js';
 export const userInfoSelectFields = Object.freeze([
     'id',
@@ -18,6 +18,7 @@ export const userInfoSelectFields = Object.freeze([
 export const userInfoGuard = Users.guard.pick(Object.fromEntries(userInfoSelectFields.map((key) => [key, true])));
 export const userProfileResponseGuard = userInfoGuard.extend({
     hasPassword: z.boolean().optional(),
+    ssoIdentities: z.array(UserSsoIdentities.guard).optional(),
 });
 export const userMfaVerificationResponseGuard = z
     .object({

package/lib/utils/domain.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Find duplicated domains and blocked domains using the domain blacklist.
+ *
+ * @param domains Array of email domains.
+ * @returns
+ */
+export declare const findDuplicatedOrBlockedEmailDomains: (domains?: string[]) => {
+    duplicatedDomains: Set<string>;
+    forbiddenDomains: Set<string>;
+};

package/lib/utils/domain.js

@@ -0,0 +1,28 @@
+import { singleSignOnDomainBlackList } from '../types/sso-connector.js';
+/**
+ * Find duplicated domains and blocked domains using the domain blacklist.
+ *
+ * @param domains Array of email domains.
+ * @returns
+ */
+export const findDuplicatedOrBlockedEmailDomains = (domains) => {
+    const blackListSet = new Set(singleSignOnDomainBlackList);
+    const validDomainSet = new Set();
+    const duplicatedDomains = new Set();
+    const forbiddenDomains = new Set();
+    for (const domain of domains ?? []) {
+        if (blackListSet.has(domain)) {
+            forbiddenDomains.add(domain);
+        }
+        if (validDomainSet.has(domain)) {
+            duplicatedDomains.add(domain);
+        }
+        else {
+            validDomainSet.add(domain);
+        }
+    }
+    return {
+        duplicatedDomains,
+        forbiddenDomains,
+    };
+};

package/lib/utils/domain.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/domain.test.js

@@ -0,0 +1,34 @@
+import { findDuplicatedOrBlockedEmailDomains } from './domain.js';
+describe('findDuplicatedOrBlockedEmailDomains', () => {
+    it('should return blocked domains and duplicated domains correctly', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains([
+            'gmail.com',
+            'silverhand.io',
+            'logto.io',
+            'yahoo.com',
+            'outlook.com',
+            'logto.io',
+        ]);
+        expect(duplicatedDomains).toEqual(new Set(['logto.io']));
+        expect(forbiddenDomains).toEqual(new Set(['gmail.com', 'yahoo.com', 'outlook.com']));
+    });
+    it('should return empty `duplicatedDomains` and `forbiddenDomains` sets if all domains are valid', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains([
+            'silverhand.io',
+            'logto.io',
+            'metalhand.io',
+        ]);
+        expect(duplicatedDomains).toEqual(new Set());
+        expect(forbiddenDomains).toEqual(new Set());
+    });
+    it('should return empty `duplicatedDomains` and `forbiddenDomains` sets if input is undefined', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains();
+        expect(duplicatedDomains).toEqual(new Set());
+        expect(forbiddenDomains).toEqual(new Set());
+    });
+    it('should return empty `duplicatedDomains` and `forbiddenDomains` sets if input is empty array', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains([]);
+        expect(duplicatedDomains).toEqual(new Set());
+        expect(forbiddenDomains).toEqual(new Set());
+    });
+});

package/lib/utils/index.d.ts

@@ -1,2 +1,3 @@
 export * from './role.js';
 export * from './management-api.js';
+export * from './domain.js';

package/lib/utils/index.js

@@ -1,2 +1,3 @@
 export * from './role.js';
 export * from './management-api.js';
+export * from './domain.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.11.0",
+  "version": "1.12.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -30,7 +30,7 @@
     "@types/inquirer": "^9.0.0",
     "@types/jest": "^29.4.0",
     "@types/node": "^18.11.18",
-    "@types/pluralize": "^0.0.32",
+    "@types/pluralize": "^0.0.33",
     "camelcase": "^8.0.0",
     "chalk": "^5.0.0",
     "eslint": "^8.44.0",
@@ -65,10 +65,10 @@
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
     "@logto/connector-kit": "^2.0.0",
-    "@logto/core-kit": "^2.2.0",
+    "@logto/core-kit": "^2.2.1",
     "@logto/language-kit": "^1.0.0",
-    "@logto/phrases": "^1.7.0",
-    "@logto/phrases-experience": "^1.4.0",
+    "@logto/phrases": "^1.8.0",
+    "@logto/phrases-experience": "^1.5.0",
     "@logto/shared": "^3.0.0",
     "@withtyped/server": "^0.12.9"
   },

package/tables/organization_role_user_relations.sql

@@ -1,14 +1,16 @@
-/* init_order = 2 */
+/* init_order = 3 */
 
 /** The relations between organizations, organization roles, and users. A relation means that a user has a role in an organization. */
 create table organization_role_user_relations (
   tenant_id varchar(21) not null
     references tenants (id) on update cascade on delete cascade,
-  organization_id varchar(21) not null
-    references organizations (id) on update cascade on delete cascade,
+  organization_id varchar(21) not null,
   organization_role_id varchar(21) not null
     references organization_roles (id) on update cascade on delete cascade,
-  user_id varchar(21) not null
-    references users (id) on update cascade on delete cascade,
-  primary key (tenant_id, organization_id, organization_role_id, user_id)
+  user_id varchar(21) not null,
+  primary key (tenant_id, organization_id, organization_role_id, user_id),
+  /** User's roles in an organization should be synchronized with the user's membership in the organization. */
+  foreign key (tenant_id, organization_id, user_id)
+    references organization_user_relations (tenant_id, organization_id, user_id)
+    on update cascade on delete cascade
 );

package/tables/sign_in_experiences.sql

@@ -17,5 +17,6 @@ create table sign_in_experiences (
   custom_content jsonb /* @use CustomContent */ not null default '{}'::jsonb,
   password_policy jsonb /* @use PartialPasswordPolicy */ not null default '{}'::jsonb,
   mfa jsonb /* @use Mfa */ not null default '{}'::jsonb,
+  single_sign_on_enabled boolean not null default false,
   primary key (tenant_id, id)
 );

package/tables/sso_connectors.sql

@@ -4,7 +4,7 @@ create table sso_connectors (
     references tenants (id) on update cascade on delete cascade,
   /** The globally unique identifier of the SSO connector. */
   id varchar(128) not null,
-  /** The connector factory name of the SSO provider. */
+  /** The identifier of connector's SSO provider */
   provider_name varchar(128) not null,
   /** The name of the SSO provider for display. */
   connector_name varchar(128) not null,
@@ -18,7 +18,9 @@ create table sso_connectors (
   sync_profile boolean not null default FALSE,
   /** When the SSO connector was created. */
   created_at timestamptz not null default(now()),
-  primary key (id)
+  primary key (id),
+  constraint sso_connectors__connector_name__unique
+    unique (tenant_id, connector_name)
 );
 
 create index sso_connectors__id