npm - @logto/schemas - Versions diffs - 1.11.0 → 1.13.0 - Mend

@logto/schemas 1.11.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/alterations/1.12.0-1700031616-update-org-role-foreign-keys.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organization_role_user_relations
+        drop constraint organization_role_user_relations_organization_id_fkey;
+      alter table organization_role_user_relations
+        drop constraint organization_role_user_relations_user_id_fkey;
+      alter table organization_role_user_relations
+        add foreign key (tenant_id, organization_id, user_id)
+        references organization_user_relations (tenant_id, organization_id, user_id)
+        on update cascade on delete cascade;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table organization_role_user_relations
+        -- The constraint name is strange because it's generated by Postgres and it has a 63 character limit
+        drop constraint organization_role_user_relati_tenant_id_organization_id_us_fkey;
+      alter table organization_role_user_relations
+        add foreign key (organization_id)
+        references organizations (id)
+        on update cascade on delete cascade;
+      alter table organization_role_user_relations
+        add foreign key (user_id)
+        references users (id)
+        on update cascade on delete cascade;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.12.0-1701054133-add-unique-constraint-to-the-sso-connector-name.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors
+        add constraint sso_connectors__connector_name__unique
+          unique (tenant_id, connector_name);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors
+        drop constraint sso_connectors__connector_name__unique;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.12.0-1701245520-add-single-sign-on-enabled-flag-to-sie.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column single_sign_on_enabled boolean not null default false;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column single_sign_on_enabled;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.13.0-1702274830-add-new-third-party-column-to-applications-table.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table applications add is_third_party boolean not null default false;
+      create index applications__is_third_party on applications (tenant_id, is_third_party);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop index applications__is_third_party;
+      alter table applications drop is_third_party;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.13.0-1702372401-add-application-permissions-tables.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+  return currentDatabase.replaceAll('-', '_');
+};
+const enableRls = async (pool: CommonQueryMethods, database: string, table: string) => {
+  const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+  await pool.query(sql`
+    create trigger set_tenant_id before insert on ${sql.identifier([table])}
+      for each row execute procedure set_tenant_id();
+    alter table ${sql.identifier([table])} enable row level security;
+    create policy ${sql.identifier([`${table}_tenant_id`])} on ${sql.identifier([table])}
+      as restrictive
+      using (tenant_id = (select id from tenants where db_user = current_user));
+    create policy ${sql.identifier([`${table}_modification`])} on ${sql.identifier([table])}
+      using (true);
+    grant select, insert, update, delete on ${sql.identifier([table])} to ${baseRoleId};
+  `);
+};
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    await pool.query(sql`
+        create table application_user_consent_resource_scopes (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the application. */
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the resource scope. */
+        scope_id varchar(21) not null
+          references scopes (id) on update cascade on delete cascade,
+        primary key (application_id, scope_id)
+      );
+    `);
+    await enableRls(pool, database, 'application_user_consent_resource_scopes');
+    await pool.query(sql`
+      create table application_user_consent_organization_scopes (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the application. */
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the organization scope. */
+        organization_scope_id varchar(21) not null
+          references organization_scopes (id) on update cascade on delete cascade,
+        primary key (application_id, organization_scope_id)
+      );
+    `);
+    await enableRls(pool, database, 'application_user_consent_organization_scopes');
+    await pool.query(sql`
+      create table application_user_consent_user_scopes (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the application. */
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** The unique UserScope enum value @see (@logto/core-kit) for reference */
+        user_scope varchar(64) not null,
+        primary key (application_id, user_scope)
+      );
+    `);
+    await enableRls(pool, database, 'application_user_consent_user_scopes');
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop table application_user_consent_resource_scopes;
+      drop table application_user_consent_organization_scopes;
+      drop table application_user_consent_user_scopes;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.13.0-1702544178-sync-tenant-orgs.ts ADDED Viewed

@@ -0,0 +1,296 @@
+/**
+ * @fileoverview A preparation for the update of using organizations to manage tenants in the admin
+ * tenant. This script will do the following in the admin tenant:
+ *
+ * 1. Create organization template roles and scopes.
+ * 2. Create organizations for existing tenants.
+ * 3. Add membership records and assign organization roles to existing users.
+ * 4. Create machine-to-machine Management API role for each tenant.
+ * 5. Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it.
+ *
+ * The `down` script will revert the changes.
+ *
+ * NOTE: In order to avoid unnecessary dirty data, it's recommended disabling the registration of
+ * new tenants before running this script and deploying the changes.
+ */
+import { ConsoleLog, generateStandardId } from '@logto/shared';
+import { sql } from 'slonik';
+import { type AlterationScript } from '../lib/types/alteration.js';
+const adminTenantId = 'admin';
+const consoleLog = new ConsoleLog();
+const alteration: AlterationScript = {
+  up: async (transaction) => {
+    consoleLog.info('=== Sync tenant organizations ===');
+    consoleLog.info('Create organization template roles and scopes');
+    await transaction.query(sql`
+      insert into public.organization_roles (id, tenant_id, name, description)
+      values
+        ('owner', ${adminTenantId}, 'owner', 'Owner of the tenant, who has all permissions.'),
+        ('admin', ${adminTenantId}, 'admin', 'Admin of the tenant, who has all permissions except managing the tenant settings.'),
+        ('member', ${adminTenantId}, 'member', 'Member of the tenant, who has limited permissions on reading and writing the tenant data.');
+    `);
+    await transaction.query(sql`
+      insert into public.organization_scopes (id, tenant_id, name, description)
+      values
+        ('read-data', ${adminTenantId}, 'read:data', 'Read the tenant data.'),
+        ('write-data', ${adminTenantId}, 'write:data', 'Write the tenant data, including creating and updating the tenant.'),
+        ('delete-data', ${adminTenantId}, 'delete:data', 'Delete data of the tenant.'),
+        ('invite-member', ${adminTenantId}, 'invite:member', 'Invite members to the tenant.'),
+        ('remove-member', ${adminTenantId}, 'remove:member', 'Remove members from the tenant.'),
+        ('update-member-role', ${adminTenantId}, 'update:member:role', 'Update the role of a member in the tenant.'),
+        ('manage-tenant', ${adminTenantId}, 'manage:tenant', 'Manage the tenant settings, including name, billing, etc.');
+    `);
+    await transaction.query(sql`
+      insert into public.organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id)
+      values
+        (${adminTenantId}, 'owner', 'read-data'),
+        (${adminTenantId}, 'owner', 'write-data'),
+        (${adminTenantId}, 'owner', 'delete-data'),
+        (${adminTenantId}, 'owner', 'invite-member'),
+        (${adminTenantId}, 'owner', 'remove-member'),
+        (${adminTenantId}, 'owner', 'update-member-role'),
+        (${adminTenantId}, 'owner', 'manage-tenant'),
+        (${adminTenantId}, 'admin', 'read-data'),
+        (${adminTenantId}, 'admin', 'write-data'),
+        (${adminTenantId}, 'admin', 'delete-data'),
+        (${adminTenantId}, 'admin', 'invite-member'),
+        (${adminTenantId}, 'admin', 'remove-member'),
+        (${adminTenantId}, 'admin', 'update-member-role'),
+        (${adminTenantId}, 'member', 'read-data'),
+        (${adminTenantId}, 'member', 'write-data'),
+        (${adminTenantId}, 'member', 'invite-member')
+    `);
+    consoleLog.info('Create organizations for existing tenants');
+    const tenants = await transaction.any<{ id: string }>(sql`
+      select id
+      from public.tenants;
+    `);
+    await transaction.query(sql`
+      insert into public.organizations (id, tenant_id, name)
+      values
+        ${sql.join(
+          tenants.map(
+            (tenant) => sql`(${`t-${tenant.id}`}, ${adminTenantId}, ${`Tenant ${tenant.id}`})`
+          ),
+          sql`, `
+        )};
+    `);
+    const usersRoles = await transaction.any<{ userId: string; roleName: string }>(sql`
+      select
+        public.users.id as "userId",
+        public.roles.name as "roleName"
+      from public.users
+      join public.users_roles on public.users_roles.user_id = public.users.id
+      join public.roles on public.roles.id = public.users_roles.role_id
+      where public.roles.tenant_id = ${adminTenantId}
+      and public.roles.name like '%:admin';
+    `);
+    if (usersRoles.length === 0) {
+      consoleLog.warn(
+        'No existing admin users found, skip adding membership records for tenant organizations.'
+      );
+    } else {
+      consoleLog.info('Add membership records and assign organization roles to existing users');
+      // Add membership records
+      await transaction.query(sql`
+        insert into public.organization_user_relations (tenant_id, organization_id, user_id)
+        values
+          ${sql.join(
+            usersRoles.map(
+              (userRole) =>
+                sql`(${adminTenantId}, ${`t-${userRole.roleName.slice(0, -6)}`}, ${
+                  userRole.userId
+                })`
+            ),
+            sql`, `
+          )};
+      `);
+      // We treat all existing users as the owner of the tenant
+      await transaction.query(sql`
+        insert into public.organization_role_user_relations (tenant_id, organization_id, user_id, organization_role_id)
+        values
+          ${sql.join(
+            usersRoles.map(
+              (userRole) =>
+                sql`
+                  (
+                    ${adminTenantId},
+                    ${`t-${userRole.roleName.slice(0, -6)}`},
+                    ${userRole.userId},
+                    'owner'
+                  )
+                `
+            ),
+            sql`, `
+          )};
+      `);
+    }
+    consoleLog.info('Create machine-to-machine Management API role for each tenant');
+    await transaction.query(sql`
+      insert into public.roles (id, tenant_id, name, description, type)
+      values
+        ${sql.join(
+          tenants.map(
+            (tenant) =>
+              sql`
+                (
+                  ${`m-${tenant.id}`},
+                  ${adminTenantId},
+                  ${`machine:mapi:${tenant.id}`},
+                  ${`Machine-to-machine role for accessing Management API of tenant '${tenant.id}'.`},
+                  'MachineToMachine'
+                )
+              `
+          ),
+          sql`, `
+        )};
+    `);
+    const managementApiScopes = await transaction.any<{ id: string; indicator: string }>(sql`
+      select public.scopes.id, public.resources.indicator
+      from public.resources
+      join public.scopes on public.scopes.resource_id = public.resources.id
+      where public.resources.indicator like 'https://%.logto.app/api'
+      and public.scopes.name = 'all'
+      and public.resources.tenant_id = ${adminTenantId};
+    `);
+    const assertScopeId = (forTenantId: string) => {
+      const scope = managementApiScopes.find(
+        (scope) => scope.indicator === `https://${forTenantId}.logto.app/api`
+      );
+      if (!scope) {
+        throw new Error(`Cannot find Management API scope for tenant '${forTenantId}'.`);
+      }
+      return scope.id;
+    };
+    // Insert role - scope relations
+    await transaction.query(sql`
+      insert into public.roles_scopes (tenant_id, id, role_id, scope_id)
+      values
+        ${sql.join(
+          tenants.map(
+            (tenant) =>
+              sql`
+                (
+                  ${adminTenantId},
+                  ${generateStandardId()},
+                  ${`m-${tenant.id}`},
+                  ${assertScopeId(tenant.id)}
+                )
+              `
+          ),
+          sql`, `
+        )};
+    `);
+    consoleLog.info(
+      'Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it'
+    );
+    await transaction.query(sql`
+      insert into public.applications (id, tenant_id, secret, name, description, type, oidc_client_metadata)
+      values
+        ${sql.join(
+          tenants.map(
+            (tenant) =>
+              sql`
+                (
+                  ${`m-${tenant.id}`},
+                  ${adminTenantId},
+                  ${generateStandardId(32)},
+                  ${`Management API access for ${tenant.id}`},
+                  ${`Machine-to-machine app for accessing Management API of tenant '${tenant.id}'.`},
+                  'MachineToMachine',
+                  ${sql.jsonb({
+                    redirectUris: [],
+                    postLogoutRedirectUris: [],
+                  })}
+                )
+              `
+          ),
+          sql`, `
+        )};
+    `);
+    await transaction.query(sql`
+      insert into public.applications_roles (tenant_id, id, application_id, role_id)
+      values
+        ${sql.join(
+          tenants.map(
+            (tenant) =>
+              sql`
+                (
+                  ${adminTenantId},
+                  ${generateStandardId()},
+                  ${`m-${tenant.id}`},
+                  ${`m-${tenant.id}`}
+                )
+              `
+          ),
+          sql`, `
+        )};
+    `);
+    consoleLog.info('=== Sync tenant organizations done ===');
+  },
+  down: async (transaction) => {
+    consoleLog.info('=== Revert sync tenant organizations ===');
+    consoleLog.info('Remove machine-to-machine apps');
+    await transaction.query(sql`
+      delete from public.applications
+      where public.applications.tenant_id = ${adminTenantId}
+      and public.applications.id like 'm-%';
+    `);
+    consoleLog.info('Remove machine-to-machine roles');
+    await transaction.query(sql`
+      delete from public.roles
+      where public.roles.tenant_id = ${adminTenantId}
+      and public.roles.id like 'm-%';
+    `);
+    consoleLog.info('Remove organizations');
+    await transaction.query(sql`
+      delete from public.organizations
+      where public.organizations.tenant_id = ${adminTenantId}
+      and public.organizations.id like 't-%';
+    `);
+    consoleLog.info('Remove organization roles');
+    await transaction.query(sql`
+      delete from public.organization_roles
+      where public.organization_roles.tenant_id = ${adminTenantId}
+      and public.organization_roles.id in ('owner', 'admin', 'member');
+    `);
+    consoleLog.info('Remove organization scopes');
+    await transaction.query(sql`
+      delete from public.organization_scopes
+      where public.organization_scopes.tenant_id = ${adminTenantId}
+      and public.organization_scopes.id in (
+        'read-data',
+        'write-data',
+        'delete-data',
+        'invite-member',
+        'remove-member',
+        'update-member-role',
+        'manage-tenant'
+      );
+    `);
+    consoleLog.info('=== Revert sync tenant organizations done ===');
+  },
+};
+export default alteration;

package/alterations/1.13.0-1702871078-protected-application-type.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter type application_type add value 'Protected';
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      create type application_type_new as enum ('Native', 'SPA', 'Traditional', 'MachineToMachine');
+      delete from applications where "type"='Protected';
+      alter table applications
+        alter column "type" type application_type_new
+          using ("type"::text::application_type_new);
+      drop type application_type;
+      alter type application_type_new rename to application_type;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.13.0-1702877515-protected-app-configs.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table applications add protected_app_metadata jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table applications drop protected_app_metadata;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.13.0-1702978120-application-sign-in-experience-table.ts ADDED Viewed

@@ -0,0 +1,61 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+  return currentDatabase.replaceAll('-', '_');
+};
+const enableRls = async (pool: CommonQueryMethods, database: string, table: string) => {
+  const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+  await pool.query(sql`
+    create trigger set_tenant_id before insert on ${sql.identifier([table])}
+      for each row execute procedure set_tenant_id();
+    alter table ${sql.identifier([table])} enable row level security;
+    create policy ${sql.identifier([`${table}_tenant_id`])} on ${sql.identifier([table])}
+      as restrictive
+      using (tenant_id = (select id from tenants where db_user = current_user));
+    create policy ${sql.identifier([`${table}_modification`])} on ${sql.identifier([table])}
+      using (true);
+    grant select, insert, update, delete on ${sql.identifier([table])} to ${baseRoleId};
+  `);
+};
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    await pool.query(sql`
+      create table application_sign_in_experiences (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        branding jsonb /* @use Branding */ not null default '{}'::jsonb,
+        terms_of_use_url varchar(2048),
+        privacy_policy_url varchar(2048),
+        display_name varchar(256),
+        primary key (tenant_id, application_id)
+      );
+    `);
+    await enableRls(pool, database, 'application_sign_in_experiences');
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop table application_sign_in_experiences;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.13.0-1703229996-daily-token-usage.ts ADDED Viewed

@@ -0,0 +1,62 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const getId = (value: string) => sql.identifier([value]);
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+  return currentDatabase.replaceAll('-', '_');
+};
+const enableRls = async (pool: CommonQueryMethods, database: string, table: string) => {
+  const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+  await pool.query(sql`
+    create trigger set_tenant_id before insert on ${sql.identifier([table])}
+      for each row execute procedure set_tenant_id();
+    alter table ${sql.identifier([table])} enable row level security;
+    create policy ${sql.identifier([`${table}_tenant_id`])} on ${sql.identifier([table])}
+      as restrictive
+      using (tenant_id = (select id from tenants where db_user = current_user));
+    create policy ${sql.identifier([`${table}_modification`])} on ${sql.identifier([table])}
+      using (true);
+    grant select, insert, update, delete on ${sql.identifier([table])} to ${baseRoleId};
+  `);
+};
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    await pool.query(sql`
+      create table daily_token_usage (
+        id varchar(21) not null,
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        usage bigint not null default(0),
+        date timestamptz not null,
+        primary key (id)
+      );
+      create unique index daily_token_usage__date
+        on daily_token_usage (tenant_id, date);
+    `);
+    await enableRls(pool, database, 'daily_token_usage');
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop table daily_token_usage;
+    `);
+  },
+};
+export default alteration;