@logto/schemas 1.11.0 → 1.13.0

package/alterations/1.13.0-1703230000-update-tenant-roles.ts

@@ -0,0 +1,94 @@
+import { ConsoleLog } from '@logto/shared';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const consoleLog = new ConsoleLog();
+
+/**
+ * This script update the following in the admin tenant:
+ *
+ * - Remove `owner` organization role.
+ * - Add `manage:tenant` scope to `admin` organization role.
+ * - Add `delete:data` scope to `member` organization role.
+ * - Update descriptions accordingly.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Update existing owner to admin.
+    await pool.query(sql`
+      update organization_role_user_relations
+      set organization_role_id = 'admin'
+      where tenant_id = 'admin'
+      and organization_role_id = 'owner';
+    `);
+    await pool.query(sql`
+      delete from organization_roles
+      where tenant_id = 'admin'
+      and name = 'owner';
+    `);
+    await pool.query(sql`
+      insert into organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id)
+      values
+        ('admin', 'admin', 'manage-tenant'),
+        ('admin', 'member', 'delete-data');
+    `);
+    await pool.query(sql`
+      update organization_roles
+      set description = 'Admin of the tenant, who has all permissions.'
+      where tenant_id = 'admin'
+      and name = 'admin';
+    `);
+    await pool.query(sql`
+      update organization_roles
+      set description = 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.'
+      where tenant_id = 'admin'
+      and name = 'member';
+    `);
+  },
+  down: async (pool) => {
+    // Add back owner role
+    await pool.query(sql`
+      insert into organization_roles (tenant_id, id, name, description)
+      values
+        ('admin', 'owner', 'owner', 'Owner of the tenant, who has all permissions.');
+    `);
+    // Insert scope relations
+    await pool.query(sql`
+      insert into organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id)
+      values
+        ('admin', 'owner', 'read-data'),
+        ('admin', 'owner', 'write-data'),
+        ('admin', 'owner', 'delete-data'),
+        ('admin', 'owner', 'invite-member'),
+        ('admin', 'owner', 'remove-member'),
+        ('admin', 'owner', 'update-member-role'),
+        ('admin', 'owner', 'manage-tenant');
+    `);
+    // Remove added scopes
+    await pool.query(sql`
+      delete from organization_role_scope_relations
+      where tenant_id = 'admin'
+      and (organization_role_id = 'admin' and organization_scope_id = 'manage-tenant')
+      or (organization_role_id = 'member' and organization_scope_id = 'delete-data');
+    `);
+    // Update descriptions
+    await pool.query(sql`
+      update organization_roles
+      set description = 'Admin of the tenant, who has all permissions except managing the tenant settings.'
+      where tenant_id = 'admin'
+      and name = 'admin';
+    `);
+    await pool.query(sql`
+      update organization_roles
+      set description = 'Member of the tenant, who has limited permissions on reading and writing the tenant data.'
+      where tenant_id = 'admin'
+      and name = 'member';
+    `);
+    consoleLog.warn(
+      'Original owners are not restored since the owner role has more permissions than admin, and we cannot tell which users are the original owners.'
+    );
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1704692973-remove-legacy-resources.ts

@@ -0,0 +1,147 @@
+import { generateStandardId } from '@logto/shared/universal';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Delete all legacy roles in the admin tenant
+    await pool.query(sql`
+      delete from roles
+      where tenant_id = 'admin'
+      and name like '%:admin'
+      and name not like 'machine:mapi:%'
+      and name != 'default:admin';
+    `);
+    // Update default role description
+    await pool.query(sql`
+      update roles
+      set description = 'Legacy user role for accessing default Management API. Used in OSS only.'
+      where tenant_id = 'admin'
+      and name = 'default:admin';
+    `);
+    // Delete `manage:tenant` scope from the Cloud API resource
+    await pool.query(sql`
+      delete from scopes
+      using resources
+      where scopes.tenant_id = 'admin'
+      and scopes.name = 'manage:tenant'
+      and scopes.resource_id = resources.id
+      and resources.indicator = 'https://cloud.logto.io/api';
+    `);
+  },
+  down: async (pool) => {
+    console.log('Add `manage:tenant` scope to the Cloud API resource');
+    await pool.query(sql`
+      insert into scopes (tenant_id, id, name, description, resource_id)
+      values ('admin', 'manage:tenant', 'manage:tenant', 'Allow managing existing tenants, including create without limitation, update, and delete.', (
+        select id from resources where tenant_id = 'admin' and indicator = 'https://cloud.logto.io/api'
+      ));
+    `);
+
+    console.log('Update default role description');
+    await pool.query(sql`
+      update roles
+      set description = 'Admin tenant admin role for Logto tenant default.'
+      where tenant_id = 'admin'
+      and name = 'default:admin';
+    `);
+
+    console.log('Add legacy roles in the admin tenant');
+    const existingTenantIds = await pool.any<{ id: string }>(sql`
+      select id from tenants where id != 'default';
+    `);
+    await pool.query(sql`
+      insert into roles (tenant_id, id, name, description)
+      values ${sql.join(
+        existingTenantIds.map((tenant) => {
+          return sql`
+            (
+              'admin',
+              ${`${tenant.id}:admin`},
+              ${`${tenant.id}:admin`},
+              ${`Admin tenant admin role for Logto tenant ${tenant.id}.`}
+            )
+          `;
+        }),
+        sql`, `
+      )};
+    `);
+
+    console.log('Restore assigned Management API scopes to the legacy roles');
+    await pool.query(sql`
+      insert into roles_scopes (tenant_id, id, role_id, scope_id)
+      values ${sql.join(
+        existingTenantIds.map((tenant) => {
+          return sql`
+            (
+              'admin',
+              ${`${tenant.id}:admin`},
+              ${`${tenant.id}:admin`},
+              (
+                select scopes.id from scopes
+                join resources on scopes.resource_id = resources.id
+                and resources.indicator = ${`https://${tenant.id}.logto.app/api`}
+                where scopes.tenant_id = 'admin'
+                and scopes.name = 'all'
+              )
+            )
+          `;
+        }),
+        sql`, `
+      )};
+    `);
+
+    console.log('Assign to legacy roles to users according to the tenant organization roles');
+    const adminUsersOrganizations = await pool.any<{ userId: string; organizationId: string }>(sql`
+      select user_id as "userId", organization_id as "organizationId"
+      from organization_role_user_relations
+      where tenant_id = 'admin'
+      and organization_role_id = 'admin'
+      and organization_id != 't-default'
+      and organization_id like 't-%';
+    `);
+    await pool.query(sql`
+      insert into users_roles (tenant_id, id, user_id, role_id)
+      values ${sql.join(
+        adminUsersOrganizations.map((relation) => {
+          return sql`
+            (
+              'admin',
+              ${`${relation.userId}:${relation.organizationId.slice(2)}:admin`},
+              ${relation.userId},
+              ${`${relation.organizationId.slice(2)}:admin`}
+            )
+          `;
+        }),
+        sql`, `
+      )};
+    `);
+
+    console.log('Assign back cloud scopes to the legacy admin user');
+    await pool.query(sql`
+      insert into roles_scopes (tenant_id, id, role_id, scope_id)
+      values ${sql.join(
+        ['send:sms', 'send:email', 'create:affiliate', 'manage:affiliate', 'manage:tenant'].map(
+          (scope) => {
+            return sql`
+              (
+                'admin',
+                ${generateStandardId()},
+                'admin:admin',
+                (
+                  select id from scopes
+                  where tenant_id = 'admin'
+                  and name = ${scope}
+                )
+              )
+            `;
+          }
+        ),
+        sql`, `
+      )};
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1704934999-add-magic-links-table.ts

@@ -0,0 +1,37 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table magic_links (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The unique identifier of the link. */
+        id varchar(21) not null,
+        /** The token that can be used to verify the link. */
+        token varchar(32) not null,
+        /** The time when the link was created. */
+        created_at timestamptz not null default (now()),
+        /** The time when the link was consumed. */
+        consumed_at timestamptz,
+        primary key (id)
+      );
+
+      create index magic_links__token
+        on magic_links (tenant_id, token);
+    `);
+    await applyTableRls(pool, 'magic_links');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'magic_links');
+    await pool.query(sql`
+      drop table magic_links;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1704935001-add-organization-invitation-tables.ts

@@ -0,0 +1,78 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create type organization_invitation_status as enum ('Pending', 'Accepted', 'Expired', 'Revoked');
+
+      create table organization_invitations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The unique identifier of the invitation. */
+        id varchar(21) not null,
+        /** The user ID who sent the invitation. */
+        inviter_id varchar(21) not null,
+        /** The email address or other identifier of the invitee. */
+        invitee varchar(256) not null,
+        /** The user ID of who accepted the invitation. */
+        accepted_user_id varchar(21)
+          references users (id) on update cascade on delete cascade,
+        /** The ID of the organization to which the invitee is invited. */
+        organization_id varchar(21) not null,
+        /** The status of the invitation. */
+        status organization_invitation_status not null,
+        /** The ID of the magic link that can be used to accept the invitation. */
+        magic_link_id varchar(21)
+          references magic_links (id) on update cascade on delete cascade,
+        /** The time when the invitation was created. */
+        created_at timestamptz not null default (now()),
+        /** The time when the invitation status was last updated. */
+        updated_at timestamptz not null default (now()),
+        /** The time when the invitation expires. */
+        expires_at timestamptz not null,
+        primary key (id),
+        foreign key (tenant_id, inviter_id, organization_id)
+          references organization_user_relations (tenant_id, user_id, organization_id)
+          on update cascade on delete cascade
+      );
+
+      -- Ensure there is only one pending invitation for a given invitee and organization.
+      create unique index organization_invitations__invitee_organization_id
+        on organization_invitations (tenant_id, invitee, organization_id)
+        where status = 'Pending';
+    `);
+    await applyTableRls(pool, 'organization_invitations');
+
+    await pool.query(sql`
+      create table organization_invitation_role_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The ID of the invitation. */
+        invitation_id varchar(21) not null
+          references organization_invitations (id) on update cascade on delete cascade,
+        /** The ID of the organization role. */
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        primary key (tenant_id, invitation_id, organization_role_id)
+      );
+    `);
+    await applyTableRls(pool, 'organization_invitation_role_relations');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'organization_invitation_role_relations');
+    await pool.query(sql`
+      drop table organization_invitation_role_relations;
+    `);
+    await dropTableRls(pool, 'organization_invitations');
+    await pool.query(sql`
+      drop table organization_invitations;
+      drop type organization_invitation_status;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1705288654-add-application-user-consent-organizations-table.ts

@@ -0,0 +1,62 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const enableRls = async (pool: CommonQueryMethods, database: string, table: string) => {
+  const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+
+  await pool.query(sql`
+    create trigger set_tenant_id before insert on ${sql.identifier([table])}
+      for each row execute procedure set_tenant_id();
+
+    alter table ${sql.identifier([table])} enable row level security;
+
+    create policy ${sql.identifier([`${table}_tenant_id`])} on ${sql.identifier([table])}
+      as restrictive
+      using (tenant_id = (select id from tenants where db_user = current_user));
+
+    create policy ${sql.identifier([`${table}_modification`])} on ${sql.identifier([table])}
+      using (true);
+
+    grant select, insert, update, delete on ${sql.identifier([table])} to ${baseRoleId};
+  `);
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+
+    await pool.query(sql`
+      create table application_user_consent_organizations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null,
+        user_id varchar(21) not null,
+        primary key (tenant_id, application_id, organization_id, user_id),
+        /** User's consent to an application should be synchronized with the user's membership in the organization. */
+        foreign key (tenant_id, organization_id, user_id)
+          references organization_user_relations (tenant_id, organization_id, user_id)
+          on update cascade on delete cascade
+      )
+    `);
+
+    await enableRls(pool, database, 'application_user_consent_organizations');
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop table application_user_consent_organizations;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1705991158-update-invitation-indices.ts

@@ -0,0 +1,32 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+/**
+ * @fileoverview Separates the index (tenant_id, inviter_id, organization_id) to two indices. Also
+ * makes the inviter_id nullable.
+ */
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organization_invitations
+        drop constraint organization_invitations_tenant_id_inviter_id_organization_fkey,
+        add foreign key (inviter_id) references users (id) on update cascade on delete cascade,
+        add foreign key (organization_id) references organizations (id) on update cascade on delete cascade,
+        alter column inviter_id drop not null;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table organization_invitations
+        drop constraint organization_invitations_inviter_id_fkey,
+        drop constraint organization_invitations_organization_id_fkey,
+        add foreign key (tenant_id, inviter_id, organization_id) references organization_user_relations
+          (tenant_id, user_id, organization_id) on update cascade on delete cascade,
+        alter column inviter_id set not null;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1706449174-update-organization-invitation-column.ts

@@ -0,0 +1,24 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organization_invitation_role_relations
+        rename column invitation_id to organization_invitation_id;
+      alter table organization_invitation_role_relations
+        rename constraint organization_invitation_role_relations_invitation_id_fkey to organization_invitation_role_re_organization_invitation_id_fkey;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table organization_invitation_role_relations
+        rename column organization_invitation_id to invitation_id;
+        alter table organization_invitation_role_relations
+        rename constraint organization_invitation_role_re_organization_invitation_id_fkey to organization_invitation_role_relations_invitation_id_fkey;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1706510290-protected-app-host-index.ts

@@ -0,0 +1,21 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create unique index applications__protected_app_metadata_host
+      on applications (
+        (protected_app_metadata->>'host')
+      );
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop index applications__protected_app_metadata_host;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1706512952-restore-get-started-page.ts

@@ -0,0 +1,17 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update users
+      set custom_data = custom_data #- '{adminConsolePreferences, getStartedHidden}';
+    `);
+  },
+  down: async () => {
+    // Do nothing as the data change is not reversible
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1706528755-remove-magic-links.ts

@@ -0,0 +1,46 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organization_invitations
+        drop column magic_link_id;
+    `);
+    await dropTableRls(pool, 'magic_links');
+    await pool.query(sql`
+      drop table magic_links;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      create table magic_links (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The unique identifier of the link. */
+        id varchar(21) not null,
+        /** The token that can be used to verify the link. */
+        token varchar(32) not null,
+        /** The time when the link was created. */
+        created_at timestamptz not null default (now()),
+        /** The time when the link was consumed. */
+        consumed_at timestamptz,
+        primary key (id)
+      );
+
+      create index magic_links__token
+        on magic_links (tenant_id, token);
+    `);
+    await applyTableRls(pool, 'magic_links');
+    await pool.query(sql`
+      alter table organization_invitations
+        add column magic_link_id varchar(21)
+          references magic_links (id) on update cascade on delete cascade;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.13.0-1706585206-protected-app-custom-domain-unique.ts

@@ -0,0 +1,21 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create unique index applications__protected_app_metadata_custom_domain
+      on applications (
+        (protected_app_metadata->'customDomains'->0->>'domain')
+      );
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop index applications__protected_app_metadata_custom_domain;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/utils/1704934999-tables.ts

@@ -0,0 +1,49 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+const getId = (value: string) => sql.identifier([value]);
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+/**
+ * A function to call after the table is created. It will apply the necessary row-level security
+ * policies and triggers to the table.
+ */
+export const applyTableRls = async (pool: CommonQueryMethods, tableName: string) => {
+  const database = await getDatabaseName(pool);
+  const baseRoleId = getId(`logto_tenant_${database}`);
+  const table = getId(tableName);
+
+  await pool.query(sql`
+    create trigger set_tenant_id before insert on ${table}
+      for each row execute procedure set_tenant_id();
+
+    alter table ${table} enable row level security;
+
+    create policy ${getId(`${tableName}_tenant_id`)} on ${table}
+      as restrictive
+      using (tenant_id = (select id from tenants where db_user = current_user));
+
+    create policy ${getId(`${tableName}_modification`)} on ${table}
+      using (true);
+
+    grant select, insert, update, delete on ${table} to ${baseRoleId};
+  `);
+};
+
+/**
+ * A function to call before the table is dropped. It will remove the row-level security policies
+ * and triggers from the table.
+ */
+export const dropTableRls = async (pool: CommonQueryMethods, tableName: string) => {
+  await pool.query(sql`
+    drop policy ${getId(`${tableName}_modification`)} on ${getId(tableName)};
+    drop policy ${getId(`${tableName}_tenant_id`)} on ${getId(tableName)};
+    drop trigger set_tenant_id on ${getId(tableName)};
+  `);
+};

package/alterations/utils/README.md

@@ -0,0 +1,9 @@
+# Alteration utils
+
+This directory contains utilities for database alteration scripts.
+
+Due to the nature of alteration, all utility functions should be maintained in an immutable way. This means when a function needs to be changed, a new file should be created with the following name format:
+
+`<timestamp>-<function-or-purpose>.js`
+
+The timestamp should be in the format of epoch time in seconds. The original file should be kept for historical purposes.

package/alterations-js/1.12.0-1700031616-update-org-role-foreign-keys.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;