@logto/schemas 1.11.0 → 1.13.0

package/lib/types/system.js

@@ -100,13 +100,30 @@ export const demoSocialGuard = Object.freeze({
 export const hostnameProviderDataGuard = z.object({
     zoneId: z.string(),
     apiToken: z.string(), // Requires zone permission for "SSL and Certificates Edit"
+    blockedDomains: z.string().array().optional(), // Optional list of blocked domains
+});
+// Cloudflare KV for protected app config
+export const protectedAppConfigProviderDataGuard = z.object({
+    /* Cloudflare Workers & Pages account ID */
+    accountIdentifier: z.string(),
+    /* KV namespace ID */
+    namespaceIdentifier: z.string(),
+    /* Key prefix for protected app config */
+    keyName: z.string(),
+    /* The default domain (e.g protected.app) for the protected app */
+    domain: z.string(),
+    apiToken: z.string(), // Requires account permission for "KV Storage Edit"
 });
 export var CloudflareKey;
 (function (CloudflareKey) {
     CloudflareKey["HostnameProvider"] = "cloudflareHostnameProvider";
+    CloudflareKey["ProtectedAppConfigProvider"] = "cloudflareProtectedAppConfigProvider";
+    CloudflareKey["ProtectedAppHostnameProvider"] = "cloudflareProtectedAppHostnameProvider";
 })(CloudflareKey || (CloudflareKey = {}));
 export const cloudflareGuard = Object.freeze({
     [CloudflareKey.HostnameProvider]: hostnameProviderDataGuard,
+    [CloudflareKey.ProtectedAppConfigProvider]: protectedAppConfigProviderDataGuard,
+    [CloudflareKey.ProtectedAppHostnameProvider]: hostnameProviderDataGuard,
 });
 export const systemKeys = Object.freeze([
     ...Object.values(AlterationStateKey),

package/lib/types/tenant-organization.d.ts

@@ -0,0 +1,107 @@
+/**
+ * @fileoverview
+ * Tenant organizations are organizations in the admin tenant that represent tenants. They are
+ * created when a tenant is created, and are used to define the roles and scopes for the users in
+ * the tenant.
+ *
+ * This module provides utilities to manage tenant organizations.
+ */
+import { type CreateOrganization, type OrganizationRole, type OrganizationScope } from '../db-entries/index.js';
+/** Given a tenant ID, return the corresponding organization ID in the admin tenant. */
+export declare const getTenantOrganizationId: (tenantId: string) => string;
+/**
+ * Given a tenant ID, return the organization create data for the admin tenant. It follows a
+ * convention to generate the organization ID and name which can be used across the system.
+ *
+ * @example
+ * ```ts
+ * const tenantId = 'test-tenant';
+ * const createData = getCreateData(tenantId);
+ *
+ * expect(createData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 't-test-tenant',
+ *   name: 'Tenant test-tenant',
+ * });
+ * ```
+ *
+ * @see {@link getId} for the convention of generating the organization ID.
+ */
+export declare const getTenantOrganizationCreateData: (tenantId: string) => Readonly<CreateOrganization>;
+/**
+ * Scope names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantScopeDescriptions}.
+ */
+export declare enum TenantScope {
+    /** Read the tenant data. */
+    ReadData = "read:data",
+    /** Write the tenant data, including creating and updating the tenant. */
+    WriteData = "write:data",
+    /** Delete data of the tenant. */
+    DeleteData = "delete:data",
+    /** Invite members to the tenant. */
+    InviteMember = "invite:member",
+    /** Remove members from the tenant. */
+    RemoveMember = "remove:member",
+    /** Update the role of a member in the tenant. */
+    UpdateMemberRole = "update:member:role",
+    /** Manage the tenant settings, including name, billing, etc. */
+    ManageTenant = "manage:tenant"
+}
+/**
+ * Given a tenant scope, return the corresponding organization scope data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const scope = TenantScope.ReadData; // 'read:data'
+ * const scopeData = getTenantScope(scope);
+ *
+ * expect(scopeData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'read-data',
+ *   name: 'read:data',
+ *   description: 'Read the tenant data.',
+ * });
+ * ```
+ *
+ * @see {@link tenantScopeDescriptions} for scope descriptions of each scope.
+ */
+export declare const getTenantScope: (scope: TenantScope) => Readonly<OrganizationScope>;
+/**
+ * Role names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantRoleDescriptions}.
+ */
+export declare enum TenantRole {
+    /** Admin of the tenant, who has all permissions. */
+    Admin = "admin",
+    /** Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings. */
+    Member = "member"
+}
+/**
+ * Given a tenant role, return the corresponding organization role data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const role = TenantRole.Member; // 'member'
+ * const roleData = getTenantRole(role);
+ *
+ * expect(roleData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'member',
+ *   name: 'member',
+ *   description: 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+ * });
+ * ```
+ *
+ * @see {@link tenantRoleDescriptions} for scope descriptions of each role.
+ */
+export declare const getTenantRole: (role: TenantRole) => Readonly<OrganizationRole>;
+/**
+ * The dictionary of tenant roles and their corresponding scopes.
+ * @see {TenantRole} for scope descriptions of each role.
+ */
+export declare const tenantRoleScopes: Readonly<Record<TenantRole, Readonly<TenantScope[]>>>;

package/lib/types/tenant-organization.js

@@ -0,0 +1,145 @@
+/**
+ * @fileoverview
+ * Tenant organizations are organizations in the admin tenant that represent tenants. They are
+ * created when a tenant is created, and are used to define the roles and scopes for the users in
+ * the tenant.
+ *
+ * This module provides utilities to manage tenant organizations.
+ */
+import { adminTenantId } from '../seeds/tenant.js';
+/** Given a tenant ID, return the corresponding organization ID in the admin tenant. */
+export const getTenantOrganizationId = (tenantId) => `t-${tenantId}`;
+/**
+ * Given a tenant ID, return the organization create data for the admin tenant. It follows a
+ * convention to generate the organization ID and name which can be used across the system.
+ *
+ * @example
+ * ```ts
+ * const tenantId = 'test-tenant';
+ * const createData = getCreateData(tenantId);
+ *
+ * expect(createData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 't-test-tenant',
+ *   name: 'Tenant test-tenant',
+ * });
+ * ```
+ *
+ * @see {@link getId} for the convention of generating the organization ID.
+ */
+export const getTenantOrganizationCreateData = (tenantId) => Object.freeze({
+    tenantId: adminTenantId,
+    id: getTenantOrganizationId(tenantId),
+    name: `Tenant ${tenantId}`,
+});
+/**
+ * Scope names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantScopeDescriptions}.
+ */
+export var TenantScope;
+(function (TenantScope) {
+    /** Read the tenant data. */
+    TenantScope["ReadData"] = "read:data";
+    /** Write the tenant data, including creating and updating the tenant. */
+    TenantScope["WriteData"] = "write:data";
+    /** Delete data of the tenant. */
+    TenantScope["DeleteData"] = "delete:data";
+    /** Invite members to the tenant. */
+    TenantScope["InviteMember"] = "invite:member";
+    /** Remove members from the tenant. */
+    TenantScope["RemoveMember"] = "remove:member";
+    /** Update the role of a member in the tenant. */
+    TenantScope["UpdateMemberRole"] = "update:member:role";
+    /** Manage the tenant settings, including name, billing, etc. */
+    TenantScope["ManageTenant"] = "manage:tenant";
+})(TenantScope || (TenantScope = {}));
+const allTenantScopes = Object.freeze(Object.values(TenantScope));
+/**
+ * Given a tenant scope, return the corresponding organization scope data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const scope = TenantScope.ReadData; // 'read:data'
+ * const scopeData = getTenantScope(scope);
+ *
+ * expect(scopeData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'read-data',
+ *   name: 'read:data',
+ *   description: 'Read the tenant data.',
+ * });
+ * ```
+ *
+ * @see {@link tenantScopeDescriptions} for scope descriptions of each scope.
+ */
+export const getTenantScope = (scope) => Object.freeze({
+    tenantId: adminTenantId,
+    id: scope.replaceAll(':', '-'),
+    name: scope,
+    description: tenantScopeDescriptions[scope],
+});
+const tenantScopeDescriptions = Object.freeze({
+    [TenantScope.ReadData]: 'Read the tenant data.',
+    [TenantScope.WriteData]: 'Write the tenant data, including creating and updating the tenant.',
+    [TenantScope.DeleteData]: 'Delete data of the tenant.',
+    [TenantScope.InviteMember]: 'Invite members to the tenant.',
+    [TenantScope.RemoveMember]: 'Remove members from the tenant.',
+    [TenantScope.UpdateMemberRole]: 'Update the role of a member in the tenant.',
+    [TenantScope.ManageTenant]: 'Manage the tenant settings, including name, billing, etc.',
+});
+/**
+ * Role names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantRoleDescriptions}.
+ */
+export var TenantRole;
+(function (TenantRole) {
+    /** Admin of the tenant, who has all permissions. */
+    TenantRole["Admin"] = "admin";
+    /** Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings. */
+    TenantRole["Member"] = "member";
+})(TenantRole || (TenantRole = {}));
+const tenantRoleDescriptions = Object.freeze({
+    [TenantRole.Admin]: 'Admin of the tenant, who has all permissions.',
+    [TenantRole.Member]: 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+});
+/**
+ * Given a tenant role, return the corresponding organization role data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const role = TenantRole.Member; // 'member'
+ * const roleData = getTenantRole(role);
+ *
+ * expect(roleData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'member',
+ *   name: 'member',
+ *   description: 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+ * });
+ * ```
+ *
+ * @see {@link tenantRoleDescriptions} for scope descriptions of each role.
+ */
+export const getTenantRole = (role) => Object.freeze({
+    tenantId: adminTenantId,
+    id: role,
+    name: role,
+    description: tenantRoleDescriptions[role],
+});
+/**
+ * The dictionary of tenant roles and their corresponding scopes.
+ * @see {TenantRole} for scope descriptions of each role.
+ */
+export const tenantRoleScopes = Object.freeze({
+    [TenantRole.Admin]: allTenantScopes,
+    [TenantRole.Member]: [
+        TenantScope.ReadData,
+        TenantScope.WriteData,
+        TenantScope.DeleteData,
+        TenantScope.InviteMember,
+    ],
+});

package/lib/types/tenant.d.ts

@@ -1,5 +1,4 @@
 export declare enum TenantTag {
     Development = "development",
-    Staging = "staging",
     Production = "production"
 }

package/lib/types/tenant.js

@@ -1,6 +1,7 @@
 export var TenantTag;
 (function (TenantTag) {
+    /* Development tenants are free to use but are not meant to be used as production environment. */
     TenantTag["Development"] = "development";
-    TenantTag["Staging"] = "staging";
+    /* A production tenant must have an associated subscription plan, even if it's a free plan. */
     TenantTag["Production"] = "production";
 })(TenantTag || (TenantTag = {}));

package/lib/types/user-assets.d.ts

@@ -1,19 +1,19 @@
 import { z } from 'zod';
 export declare const maxUploadFileSize: number;
-export declare const allowUploadMimeTypes: readonly ["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"];
-declare const allowUploadMimeTypeGuard: z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>;
+export declare const allowUploadMimeTypes: readonly ["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/x-icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"];
+declare const allowUploadMimeTypeGuard: z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/x-icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>;
 export type AllowedUploadMimeType = z.infer<typeof allowUploadMimeTypeGuard>;
 export declare const userAssetsServiceStatusGuard: z.ZodObject<{
     status: z.ZodUnion<[z.ZodLiteral<"ready">, z.ZodLiteral<"not_configured">]>;
-    allowUploadMimeTypes: z.ZodOptional<z.ZodArray<z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>, "many">>;
+    allowUploadMimeTypes: z.ZodOptional<z.ZodArray<z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/x-icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>, "many">>;
     maxUploadFileSize: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
     status: "ready" | "not_configured";
-    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
+    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/x-icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
     maxUploadFileSize?: number | undefined;
 }, {
     status: "ready" | "not_configured";
-    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
+    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/x-icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
     maxUploadFileSize?: number | undefined;
 }>;
 export type UserAssetsServiceStatus = z.infer<typeof userAssetsServiceStatusGuard>;

package/lib/types/user-assets.js

@@ -6,6 +6,7 @@ export const allowUploadMimeTypes = [
     'image/png',
     'image/gif',
     'image/vnd.microsoft.icon',
+    'image/x-icon',
     'image/svg+xml',
     'image/tiff',
     'image/webp',

package/lib/types/user.d.ts

@@ -20,8 +20,8 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>>;
-    customData: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
-    logtoConfig: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
+    customData: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
+    logtoConfig: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
     mfaVerifications: z.ZodType<({
         type: MfaFactor.TOTP;
         id: string;
@@ -92,8 +92,8 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -138,8 +138,8 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -189,8 +189,8 @@ export declare const userProfileResponseGuard: z.ZodObject<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>>;
-    customData: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
-    logtoConfig: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
+    customData: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
+    logtoConfig: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
     mfaVerifications: z.ZodType<({
         type: MfaFactor.TOTP;
         id: string;
@@ -245,6 +245,7 @@ export declare const userProfileResponseGuard: z.ZodObject<{
     isSuspended: z.ZodType<boolean, z.ZodTypeDef, boolean>;
     lastSignInAt: z.ZodType<number | null, z.ZodTypeDef, number | null>;
     hasPassword: z.ZodOptional<z.ZodBoolean>;
+    ssoIdentities: z.ZodOptional<z.ZodArray<import("../foundations/schemas.js").Guard<import("../db-entries/user-sso-identity.js").UserSsoIdentity>, "many">>;
 }, "strip", z.ZodTypeAny, {
     name: string | null;
     id: string;
@@ -261,8 +262,8 @@ export declare const userProfileResponseGuard: z.ZodObject<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -292,6 +293,7 @@ export declare const userProfileResponseGuard: z.ZodObject<{
     isSuspended: boolean;
     lastSignInAt: number | null;
     hasPassword?: boolean | undefined;
+    ssoIdentities?: import("../db-entries/user-sso-identity.js").UserSsoIdentity[] | undefined;
 }, {
     name: string | null;
     id: string;
@@ -308,8 +310,8 @@ export declare const userProfileResponseGuard: z.ZodObject<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -339,6 +341,7 @@ export declare const userProfileResponseGuard: z.ZodObject<{
     isSuspended: boolean;
     lastSignInAt: number | null;
     hasPassword?: boolean | undefined;
+    ssoIdentities?: import("../db-entries/user-sso-identity.js").UserSsoIdentity[] | undefined;
 }>;
 export type UserProfileResponse = z.infer<typeof userProfileResponseGuard>;
 export declare const userMfaVerificationResponseGuard: z.ZodArray<z.ZodObject<{
@@ -371,7 +374,6 @@ export declare enum InternalRole {
     Admin = "#internal:admin"
 }
 export declare enum AdminTenantRole {
-    Admin = "admin",
     /** Common user role in admin tenant. */
     User = "user",
     /** The role for machine to machine applications that represent a user tenant and send requests to Logto Cloud. */
@@ -404,8 +406,8 @@ export declare const featuredUserGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>>;
-    customData: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
-    logtoConfig: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
+    customData: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
+    logtoConfig: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
     mfaVerifications: z.ZodType<({
         type: MfaFactor.TOTP;
         id: string;

package/lib/types/user.js

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { Users } from '../db-entries/index.js';
+import { Users, UserSsoIdentities } from '../db-entries/index.js';
 import { MfaFactor } from '../foundations/index.js';
 export const userInfoSelectFields = Object.freeze([
     'id',
@@ -18,6 +18,7 @@ export const userInfoSelectFields = Object.freeze([
 export const userInfoGuard = Users.guard.pick(Object.fromEntries(userInfoSelectFields.map((key) => [key, true])));
 export const userProfileResponseGuard = userInfoGuard.extend({
     hasPassword: z.boolean().optional(),
+    ssoIdentities: z.array(UserSsoIdentities.guard).optional(),
 });
 export const userMfaVerificationResponseGuard = z
     .object({
@@ -40,7 +41,6 @@ export var InternalRole;
 })(InternalRole || (InternalRole = {}));
 export var AdminTenantRole;
 (function (AdminTenantRole) {
-    AdminTenantRole["Admin"] = "admin";
     /** Common user role in admin tenant. */
     AdminTenantRole["User"] = "user";
     /** The role for machine to machine applications that represent a user tenant and send requests to Logto Cloud. */

package/lib/utils/domain.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Find duplicated domains and blocked domains using the domain blacklist.
+ *
+ * @param domains Array of email domains.
+ * @returns
+ */
+export declare const findDuplicatedOrBlockedEmailDomains: (domains?: string[]) => {
+    duplicatedDomains: Set<string>;
+    forbiddenDomains: Set<string>;
+};

package/lib/utils/domain.js

@@ -0,0 +1,28 @@
+import { singleSignOnDomainBlackList } from '../types/sso-connector.js';
+/**
+ * Find duplicated domains and blocked domains using the domain blacklist.
+ *
+ * @param domains Array of email domains.
+ * @returns
+ */
+export const findDuplicatedOrBlockedEmailDomains = (domains) => {
+    const blackListSet = new Set(singleSignOnDomainBlackList);
+    const validDomainSet = new Set();
+    const duplicatedDomains = new Set();
+    const forbiddenDomains = new Set();
+    for (const domain of domains ?? []) {
+        if (blackListSet.has(domain)) {
+            forbiddenDomains.add(domain);
+        }
+        if (validDomainSet.has(domain)) {
+            duplicatedDomains.add(domain);
+        }
+        else {
+            validDomainSet.add(domain);
+        }
+    }
+    return {
+        duplicatedDomains,
+        forbiddenDomains,
+    };
+};

package/lib/utils/domain.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/domain.test.js

@@ -0,0 +1,34 @@
+import { findDuplicatedOrBlockedEmailDomains } from './domain.js';
+describe('findDuplicatedOrBlockedEmailDomains', () => {
+    it('should return blocked domains and duplicated domains correctly', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains([
+            'gmail.com',
+            'silverhand.io',
+            'logto.io',
+            'yahoo.com',
+            'outlook.com',
+            'logto.io',
+        ]);
+        expect(duplicatedDomains).toEqual(new Set(['logto.io']));
+        expect(forbiddenDomains).toEqual(new Set(['gmail.com', 'yahoo.com', 'outlook.com']));
+    });
+    it('should return empty `duplicatedDomains` and `forbiddenDomains` sets if all domains are valid', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains([
+            'silverhand.io',
+            'logto.io',
+            'metalhand.io',
+        ]);
+        expect(duplicatedDomains).toEqual(new Set());
+        expect(forbiddenDomains).toEqual(new Set());
+    });
+    it('should return empty `duplicatedDomains` and `forbiddenDomains` sets if input is undefined', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains();
+        expect(duplicatedDomains).toEqual(new Set());
+        expect(forbiddenDomains).toEqual(new Set());
+    });
+    it('should return empty `duplicatedDomains` and `forbiddenDomains` sets if input is empty array', () => {
+        const { duplicatedDomains, forbiddenDomains } = findDuplicatedOrBlockedEmailDomains([]);
+        expect(duplicatedDomains).toEqual(new Set());
+        expect(forbiddenDomains).toEqual(new Set());
+    });
+});

package/lib/utils/index.d.ts

@@ -1,2 +1,3 @@
 export * from './role.js';
 export * from './management-api.js';
+export * from './domain.js';

package/lib/utils/index.js

@@ -1,2 +1,3 @@
 export * from './role.js';
 export * from './management-api.js';
+export * from './domain.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.11.0",
+  "version": "1.13.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -21,27 +21,27 @@
     "access": "public"
   },
   "engines": {
-    "node": "^18.12.0"
+    "node": "^20.9.0"
   },
   "devDependencies": {
-    "@silverhand/eslint-config": "4.0.1",
-    "@silverhand/essentials": "^2.8.4",
-    "@silverhand/ts-config": "4.0.0",
+    "@silverhand/eslint-config": "5.0.0",
+    "@silverhand/essentials": "^2.9.0",
+    "@silverhand/ts-config": "5.0.0",
     "@types/inquirer": "^9.0.0",
     "@types/jest": "^29.4.0",
-    "@types/node": "^18.11.18",
-    "@types/pluralize": "^0.0.32",
+    "@types/node": "^20.9.5",
+    "@types/pluralize": "^0.0.33",
     "camelcase": "^8.0.0",
     "chalk": "^5.0.0",
     "eslint": "^8.44.0",
-    "jest": "^29.5.0",
+    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "pluralize": "^8.0.0",
     "prettier": "^3.0.0",
     "roarr": "^7.11.0",
     "slonik": "^30.0.0",
     "slonik-sql-tag-raw": "^1.1.4",
-    "typescript": "^5.0.0"
+    "typescript": "^5.3.3"
   },
   "eslintConfig": {
     "extends": "@silverhand",
@@ -64,12 +64,12 @@
   },
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
-    "@logto/connector-kit": "^2.0.0",
-    "@logto/core-kit": "^2.2.0",
-    "@logto/language-kit": "^1.0.0",
-    "@logto/phrases": "^1.7.0",
-    "@logto/phrases-experience": "^1.4.0",
-    "@logto/shared": "^3.0.0",
+    "@logto/connector-kit": "^2.1.0",
+    "@logto/core-kit": "^2.3.0",
+    "@logto/language-kit": "^1.1.0",
+    "@logto/phrases": "^1.9.0",
+    "@logto/phrases-experience": "^1.6.0",
+    "@logto/shared": "^3.1.0",
     "@withtyped/server": "^0.12.9"
   },
   "peerDependencies": {

package/tables/application_sign_in_experiences.sql

@@ -0,0 +1,15 @@
+/* init_order = 2 */
+
+/** Application level sign-in experience configuration. */
+create table application_sign_in_experiences (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  branding jsonb /* @use Branding */ not null default '{}'::jsonb,
+  terms_of_use_url varchar(2048),
+  privacy_policy_url varchar(2048),
+  display_name varchar(256),
+  
+  primary key (tenant_id, application_id)
+);

package/tables/application_user_consent_organization_scopes.sql

@@ -0,0 +1,14 @@
+/* init_order = 2 */
+
+/** The organization scopes (permissions) assigned to an application. */
+create table application_user_consent_organization_scopes (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the application. */
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the organization scope. */
+  organization_scope_id varchar(21) not null
+    references organization_scopes (id) on update cascade on delete cascade,
+  primary key (application_id, organization_scope_id)
+);