npm - @logto/schemas - Versions diffs - 1.13.0 → 1.14.0 - Mend

@logto/schemas 1.13.0 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/alterations/1.13.1-1707360939-grant-is-suspended-read-permission.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+  return currentDatabase.replaceAll('-', '_');
+};
+/**
+ * Grant read permission to the is_suspended column in the tenants table to the logto_tenant_<databaseName> role.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const databaseName = await getDatabaseName(pool);
+    const baseRoleId = sql.identifier([`logto_tenant_${databaseName}`]);
+    await pool.query(sql`
+      grant select (is_suspended)
+        on table tenants
+        to ${baseRoleId}
+    `);
+  },
+  down: async (pool) => {
+    const databaseName = await getDatabaseName(pool);
+    const baseRoleId = sql.identifier([`logto_tenant_${databaseName}`]);
+    await pool.query(sql`
+      revoke select(is_suspended)
+        on table tenants
+        from ${baseRoleId}
+    `);
+  },
+};
+export default alteration;

package/alterations/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.ts ADDED Viewed

@@ -0,0 +1,47 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+enum RoleType {
+  User = 'User',
+}
+const getManagementApiResourceIndicator = (tenantId: string) => `https://${tenantId}.logto.app/api`;
+// Remove management API scopes assigned to user roles, in case they were assigned by management API and bypassed the constraints in admin console.
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const { rows } = await pool.query<{
+      rolesScopesId: string;
+      indicator: string;
+      tenantId: string;
+    }>(sql`
+      select
+        roles_scopes.id as "rolesScopesId",
+        roles_scopes.tenant_id as "tenantId",
+        resources.indicator as indicator from roles_scopes
+      join roles
+        on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
+      join scopes on
+        roles_scopes.scope_id = scopes.id and roles_scopes.tenant_id = scopes.tenant_id
+      join resources on
+        scopes.resource_id = resources.id and scopes.tenant_id = resources.tenant_id
+      where roles.type = ${RoleType.User};
+    `);
+    const rolesScopesIdsToRemove = rows
+      .filter(
+        ({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId)
+      )
+      .map(({ rolesScopesId }) => rolesScopesId);
+    if (rolesScopesIdsToRemove.length > 0) {
+      await pool.query(sql`
+        delete from roles_scopes where id in (${sql.join(rolesScopesIdsToRemove, sql`, `)});
+      `);
+    }
+  },
+  down: async (pool) => {
+    // It cannot be reverted automatically.
+  },
+};
+export default alteration;

package/alterations/1.14.0-1709190131-enhance-dau-data-accuracy.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { sql } from 'slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table daily_active_users alter column date set default now();
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table daily_active_users alter column date drop default;
+    `);
+  },
+};
+export default alteration;

package/alterations-js/1.13.1-1707360939-grant-is-suspended-read-permission.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+/**
+ * Grant read permission to the is_suspended column in the tenants table to the logto_tenant_<databaseName> role.
+ */
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.13.1-1707360939-grant-is-suspended-read-permission.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { sql } from 'slonik';
+const getDatabaseName = async (pool) => {
+    const { currentDatabase } = await pool.one(sql `
+    select current_database();
+  `);
+    return currentDatabase.replaceAll('-', '_');
+};
+/**
+ * Grant read permission to the is_suspended column in the tenants table to the logto_tenant_<databaseName> role.
+ */
+const alteration = {
+    up: async (pool) => {
+        const databaseName = await getDatabaseName(pool);
+        const baseRoleId = sql.identifier([`logto_tenant_${databaseName}`]);
+        await pool.query(sql `
+      grant select (is_suspended)
+        on table tenants
+        to ${baseRoleId}
+    `);
+    },
+    down: async (pool) => {
+        const databaseName = await getDatabaseName(pool);
+        const baseRoleId = sql.identifier([`logto_tenant_${databaseName}`]);
+        await pool.query(sql `
+      revoke select(is_suspended)
+        on table tenants
+        from ${baseRoleId}
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.js ADDED Viewed

@@ -0,0 +1,36 @@
+import { sql } from 'slonik';
+var RoleType;
+(function (RoleType) {
+    RoleType["User"] = "User";
+})(RoleType || (RoleType = {}));
+const getManagementApiResourceIndicator = (tenantId) => `https://${tenantId}.logto.app/api`;
+// Remove management API scopes assigned to user roles, in case they were assigned by management API and bypassed the constraints in admin console.
+const alteration = {
+    up: async (pool) => {
+        const { rows } = await pool.query(sql `
+      select
+        roles_scopes.id as "rolesScopesId",
+        roles_scopes.tenant_id as "tenantId",
+        resources.indicator as indicator from roles_scopes
+      join roles
+        on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
+      join scopes on
+        roles_scopes.scope_id = scopes.id and roles_scopes.tenant_id = scopes.tenant_id
+      join resources on
+        scopes.resource_id = resources.id and scopes.tenant_id = resources.tenant_id
+      where roles.type = ${RoleType.User};
+    `);
+        const rolesScopesIdsToRemove = rows
+            .filter(({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId))
+            .map(({ rolesScopesId }) => rolesScopesId);
+        if (rolesScopesIdsToRemove.length > 0) {
+            await pool.query(sql `
+        delete from roles_scopes where id in (${sql.join(rolesScopesIdsToRemove, sql `, `)});
+      `);
+        }
+    },
+    down: async (pool) => {
+        // It cannot be reverted automatically.
+    },
+};
+export default alteration;

package/alterations-js/1.14.0-1709190131-enhance-dau-data-accuracy.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.14.0-1709190131-enhance-dau-data-accuracy.js ADDED Viewed

@@ -0,0 +1,14 @@
+import { sql } from 'slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table daily_active_users alter column date set default now();
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table daily_active_users alter column date drop default;
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/daily-active-user.d.ts CHANGED Viewed

@@ -8,7 +8,7 @@ export type CreateDailyActiveUser = {
     id: string;
     tenantId?: string;
     userId: string;
-    date: number;
+    date?: number;
 };
 export type DailyActiveUser = {
     id: string;

package/lib/db-entries/daily-active-user.js CHANGED Viewed

@@ -4,7 +4,7 @@ const createGuard = z.object({
     id: z.string().min(1).max(21),
     tenantId: z.string().max(21).optional(),
     userId: z.string().min(1).max(21),
-    date: z.number(),
+    date: z.number().optional(),
 });
 const guard = z.object({
     id: z.string().min(1).max(21),

package/lib/foundations/jsonb-types/users.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { MfaFactor } from './sign-in-experience.js';
 export declare const roleNamesGuard: z.ZodArray<z.ZodString, "many">;
-declare const identityGuard: z.ZodObject<{
+export declare const identityGuard: z.ZodObject<{
     userId: z.ZodString;
     details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, "strip", z.ZodTypeAny, {
@@ -282,4 +282,3 @@ export declare const mfaVerificationsGuard: z.ZodArray<z.ZodDiscriminatedUnion<"
     lastUsedAt?: string | undefined;
 }>]>, "many">;
 export type MfaVerifications = z.infer<typeof mfaVerificationsGuard>;
-export {};

package/lib/foundations/jsonb-types/users.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { MfaFactor } from './sign-in-experience.js';
 export const roleNamesGuard = z.string().array();
-const identityGuard = z.object({
+export const identityGuard = z.object({
     userId: z.string(),
     details: z.record(z.unknown()).optional(), // Connector's userinfo details, schemaless
 });

package/lib/seeds/cloud-api.d.ts CHANGED Viewed

@@ -12,7 +12,9 @@ export declare enum CloudScope {
     /** The user can see and manage affiliates, including create, update, and delete. */
     ManageAffiliate = "manage:affiliate",
     /** The user can create new affiliates and logs. */
-    CreateAffiliate = "create:affiliate"
+    CreateAffiliate = "create:affiliate",
+    /** The user can prune logs which are expired. */
+    PruneLogs = "prune:logs"
 }
 export declare const createCloudApi: () => readonly [UpdateAdminData, ...CreateScope[]];
 export declare const createTenantApplicationRole: () => Readonly<Role>;

package/lib/seeds/cloud-api.js CHANGED Viewed

@@ -16,6 +16,8 @@ export var CloudScope;
     CloudScope["ManageAffiliate"] = "manage:affiliate";
     /** The user can create new affiliates and logs. */
     CloudScope["CreateAffiliate"] = "create:affiliate";
+    /** The user can prune logs which are expired. */
+    CloudScope["PruneLogs"] = "prune:logs";
 })(CloudScope || (CloudScope = {}));
 export const createCloudApi = () => {
     const resourceId = generateStandardId();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.13.0",
+  "version": "1.14.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",

package/tables/_after_all.sql CHANGED Viewed

@@ -13,7 +13,7 @@ revoke all privileges
   from logto_tenant_${database};
 -- Allow limited select to perform the RLS policy query in `after_each` (using select ... from tenants ...)
-grant select (id, db_user)
+grant select (id, db_user, is_suspended)
   on table tenants
   to logto_tenant_${database};

package/tables/_before_all.sql CHANGED Viewed

@@ -1,3 +1,3 @@
 /* This SQL will run before all other queries. */
-create role logto_tenant_${database} noinherit;
+create role logto_tenant_${database} password '${password}' noinherit;

package/tables/daily_active_users.sql CHANGED Viewed

@@ -3,7 +3,7 @@ create table daily_active_users (
   tenant_id varchar(21) not null
     references tenants (id) on update cascade on delete cascade,
   user_id varchar(21) not null,
-  date timestamptz not null,
+  date timestamptz not null default (now()),
   primary key (id),
   constraint daily_active_users__user_id_date
     unique (user_id, date)