@logto/schemas 1.16.0 → 1.17.0

package/alterations/1.17.0-1715826336-add-default-user-role-config.ts

@@ -0,0 +1,18 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table roles add column is_default boolean not null default false;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table roles drop column is_default;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.17.0-1715829731-rename-data-hook-schema-update-event.ts

@@ -0,0 +1,120 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+enum DataHookSchema {
+  User = 'User',
+  Role = 'Role',
+  Scope = 'Scope',
+  Organization = 'Organization',
+  OrganizationRole = 'OrganizationRole',
+  OrganizationScope = 'OrganizationScope',
+}
+
+type OldSchemaUpdateEvent = `${DataHookSchema}.${'Updated'}`;
+type NewSchemaUpdateEvent = `${DataHookSchema}.Data.Updated`;
+
+const oldSchemaUpdateEvents = Object.freeze([
+  'User.Updated',
+  'Role.Updated',
+  'Scope.Updated',
+  'Organization.Updated',
+  'OrganizationRole.Updated',
+  'OrganizationScope.Updated',
+] satisfies OldSchemaUpdateEvent[]);
+
+const newSchemaUpdateEvents = Object.freeze([
+  'User.Data.Updated',
+  'Role.Data.Updated',
+  'Scope.Data.Updated',
+  'Organization.Data.Updated',
+  'OrganizationRole.Data.Updated',
+  'OrganizationScope.Data.Updated',
+] as const satisfies NewSchemaUpdateEvent[]);
+
+const updateMap: { [key in OldSchemaUpdateEvent]: NewSchemaUpdateEvent } = {
+  'User.Updated': 'User.Data.Updated',
+  'Role.Updated': 'Role.Data.Updated',
+  'Scope.Updated': 'Scope.Data.Updated',
+  'Organization.Updated': 'Organization.Data.Updated',
+  'OrganizationRole.Updated': 'OrganizationRole.Data.Updated',
+  'OrganizationScope.Updated': 'OrganizationScope.Data.Updated',
+};
+
+const reverseMap: { [key in NewSchemaUpdateEvent]: OldSchemaUpdateEvent } = {
+  'User.Data.Updated': 'User.Updated',
+  'Role.Data.Updated': 'Role.Updated',
+  'Scope.Data.Updated': 'Scope.Updated',
+  'Organization.Data.Updated': 'Organization.Updated',
+  'OrganizationRole.Data.Updated': 'OrganizationRole.Updated',
+  'OrganizationScope.Data.Updated': 'OrganizationScope.Updated',
+};
+
+// This alteration script filters all the hook's events jsonb column to replace all the old schema update events with the new schema update events.
+
+const isOldSchemaUpdateEvent = (event: string): event is OldSchemaUpdateEvent =>
+  // eslint-disable-next-line no-restricted-syntax
+  oldSchemaUpdateEvents.includes(event as OldSchemaUpdateEvent);
+
+const isNewSchemaUpdateEvent = (event: string): event is NewSchemaUpdateEvent =>
+  // eslint-disable-next-line no-restricted-syntax
+  newSchemaUpdateEvents.includes(event as NewSchemaUpdateEvent);
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const { rows: hooks } = await pool.query<{ id: string; events: string[] }>(sql`
+      select id, events
+      from hooks
+    `);
+
+    const hooksToBeUpdate = hooks.filter(({ events }) => {
+      return oldSchemaUpdateEvents.some((oldEvent) => events.includes(oldEvent));
+    });
+
+    await Promise.all(
+      hooksToBeUpdate.map(async ({ id, events }) => {
+        const updateEvents = events.reduce<string[]>((accumulator, event) => {
+          if (isOldSchemaUpdateEvent(event)) {
+            return [...accumulator, updateMap[event]];
+          }
+          return [...accumulator, event];
+        }, []);
+
+        await pool.query(sql`
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+      })
+    );
+  },
+  down: async (pool) => {
+    const { rows: hooks } = await pool.query<{ id: string; events: string[] }>(sql`
+      select id, events
+      from hooks
+    `);
+
+    const hooksToBeUpdate = hooks.filter(({ events }) => {
+      return newSchemaUpdateEvents.some((newEvent) => events.includes(newEvent));
+    });
+
+    await Promise.all(
+      hooksToBeUpdate.map(async ({ id, events }) => {
+        const updateEvents = events.reduce<string[]>((accumulator, event) => {
+          if (isNewSchemaUpdateEvent(event)) {
+            return [...accumulator, reverseMap[event]];
+          }
+          return [...accumulator, event];
+        }, []);
+
+        await pool.query(sql`
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+      })
+    );
+  },
+};
+
+export default alteration;

package/alterations/1.17.0-1716278409-remove-internal-role-database-policies.ts

@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      drop policy if exists roles_select on roles;
+      drop policy if exists roles_modification on roles;
+      create policy roles_modification on roles using (true);
+      
+      drop policy if exists roles_scopes_select on roles_scopes;
+      drop policy if exists roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes using (true);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      create policy roles_select on roles
+        for select using (true);
+
+      drop policy roles_modification on roles;
+      create policy roles_modification on roles
+        using (not starts_with(name, '#internal:'));
+
+      -- Restrict role - scope modification
+      create policy roles_scopes_select on roles_scopes
+        for select using (true);
+
+      drop policy roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes
+        using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.17.0-1716291265-create-pre-configured-m-api-role.ts

@@ -0,0 +1,92 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+
+const isCi = yes(process.env.CI);
+
+const defaultTenantId = 'default';
+const defaultTenantManagementApiIndicator = `https://${defaultTenantId}.logto.app/api`;
+const roleName = 'Logto Management API access';
+const roleDescription = 'This default role grants access to the Logto management API.';
+enum RoleType {
+  MachineToMachine = 'MachineToMachine',
+}
+
+enum PredefinedScope {
+  All = 'all',
+}
+
+/**
+ * This script is to create a pre-configured Management API M2M role for new users.
+ * This script is **only for CI**, since we won't create this role for existing users, so this script is not applicable for existing db data.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    if (!isCi) {
+      console.info(
+        "Skipping the alteration script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to existing db data."
+      );
+      return;
+    }
+
+    /**
+     * Only affect the `default` tenant, since this is the only tenant in the OSS version and the initial tenant in the cloud version.
+     * So we only need to care about this role for the `default` tenant.
+     */
+
+    const roleId = generateStandardId();
+
+    await pool.query(sql`
+      insert into roles (id, tenant_id, name, description, type)
+      values (
+        ${roleId},
+        ${defaultTenantId},
+        ${roleName},
+        ${roleDescription},
+        ${RoleType.MachineToMachine}
+      );
+    `);
+
+    // Assign Logto Management API permission `all` to the Logto Management API M2M role
+    await pool.query(sql`
+      insert into roles_scopes (id, role_id, scope_id, tenant_id)
+      values (
+        ${generateStandardId()},
+        ${roleId},
+        (
+          select scopes.id
+          from scopes
+          join resources on
+            scopes.tenant_id = resources.tenant_id and
+            scopes.resource_id = resources.id
+          where resources.indicator = ${defaultTenantManagementApiIndicator}
+          and scopes.name = ${PredefinedScope.All}
+          and scopes.tenant_id = ${defaultTenantId}
+        ),
+        ${defaultTenantId}
+      )
+    `);
+  },
+  down: async (pool) => {
+    if (!isCi) {
+      console.info(
+        "Skipping the down script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to production db."
+      );
+      return;
+    }
+
+    // Delete the created role
+    await pool.query(sql`
+      delete from roles
+      where tenant_id = ${defaultTenantId}
+      and name = ${roleName}
+      and description = ${roleDescription}
+      and type = ${RoleType.MachineToMachine}
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.17.0-1717148078-remove-service-log-reference.ts

@@ -0,0 +1,19 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table service_logs drop constraint service_logs_tenant_id_fkey;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table service_logs add constraint service_logs_tenant_id_fkey 
+        foreign key (tenant_id) references tenants(id) on update cascade on delete cascade;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/utils/1716643968-id-generation.ts

@@ -0,0 +1,46 @@
+/**
+ * This file is forked from `@logto/shared` 3.1.0 to avoid alteration scripts to depend on outer packages.
+ */
+import { customAlphabet } from 'nanoid';
+
+const lowercaseAlphabet = '0123456789abcdefghijklmnopqrstuvwxyz';
+const alphabet = `${lowercaseAlphabet}ABCDEFGHIJKLMNOPQRSTUVWXYZ` as const;
+
+type BuildIdGenerator = {
+  /**
+   * Build a nanoid generator function uses numbers (0-9), lowercase letters (a-z), and uppercase letters (A-Z) as the alphabet.
+   * @param size The default id length for the generator.
+   */
+  (size: number): ReturnType<typeof customAlphabet>;
+  /**
+   * Build a nanoid generator function uses numbers (0-9) and lowercase letters (a-z) as the alphabet.
+   * @param size The default id length for the generator.
+   */
+  // eslint-disable-next-line @typescript-eslint/unified-signatures
+  (size: number, includingUppercase: false): ReturnType<typeof customAlphabet>;
+};
+
+const buildIdGenerator: BuildIdGenerator = (size: number, includingUppercase = true) =>
+  customAlphabet(includingUppercase ? alphabet : lowercaseAlphabet, size);
+
+/**
+ * Generate a standard id with 21 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export const generateStandardId = buildIdGenerator(21, false);
+
+/**
+ * Generate a standard short id with 12 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export const generateStandardShortId = buildIdGenerator(12, false);
+
+/**
+ * Generate a standard secret with 32 characters, including uppercase letters, lowercase
+ * letters, and numbers.
+ *
+ * @see {@link alphabet}
+ */
+export const generateStandardSecret = buildIdGenerator(32);

package/alterations-js/1.17.0-1715826336-add-default-user-role-config.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1715826336-add-default-user-role-config.js

@@ -0,0 +1,14 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table roles add column is_default boolean not null default false;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table roles drop column is_default;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1715829731-rename-data-hook-schema-update-event.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1715829731-rename-data-hook-schema-update-event.js

@@ -0,0 +1,96 @@
+import { sql } from '@silverhand/slonik';
+var DataHookSchema;
+(function (DataHookSchema) {
+    DataHookSchema["User"] = "User";
+    DataHookSchema["Role"] = "Role";
+    DataHookSchema["Scope"] = "Scope";
+    DataHookSchema["Organization"] = "Organization";
+    DataHookSchema["OrganizationRole"] = "OrganizationRole";
+    DataHookSchema["OrganizationScope"] = "OrganizationScope";
+})(DataHookSchema || (DataHookSchema = {}));
+const oldSchemaUpdateEvents = Object.freeze([
+    'User.Updated',
+    'Role.Updated',
+    'Scope.Updated',
+    'Organization.Updated',
+    'OrganizationRole.Updated',
+    'OrganizationScope.Updated',
+]);
+const newSchemaUpdateEvents = Object.freeze([
+    'User.Data.Updated',
+    'Role.Data.Updated',
+    'Scope.Data.Updated',
+    'Organization.Data.Updated',
+    'OrganizationRole.Data.Updated',
+    'OrganizationScope.Data.Updated',
+]);
+const updateMap = {
+    'User.Updated': 'User.Data.Updated',
+    'Role.Updated': 'Role.Data.Updated',
+    'Scope.Updated': 'Scope.Data.Updated',
+    'Organization.Updated': 'Organization.Data.Updated',
+    'OrganizationRole.Updated': 'OrganizationRole.Data.Updated',
+    'OrganizationScope.Updated': 'OrganizationScope.Data.Updated',
+};
+const reverseMap = {
+    'User.Data.Updated': 'User.Updated',
+    'Role.Data.Updated': 'Role.Updated',
+    'Scope.Data.Updated': 'Scope.Updated',
+    'Organization.Data.Updated': 'Organization.Updated',
+    'OrganizationRole.Data.Updated': 'OrganizationRole.Updated',
+    'OrganizationScope.Data.Updated': 'OrganizationScope.Updated',
+};
+// This alteration script filters all the hook's events jsonb column to replace all the old schema update events with the new schema update events.
+const isOldSchemaUpdateEvent = (event) => 
+// eslint-disable-next-line no-restricted-syntax
+oldSchemaUpdateEvents.includes(event);
+const isNewSchemaUpdateEvent = (event) => 
+// eslint-disable-next-line no-restricted-syntax
+newSchemaUpdateEvents.includes(event);
+const alteration = {
+    up: async (pool) => {
+        const { rows: hooks } = await pool.query(sql `
+      select id, events
+      from hooks
+    `);
+        const hooksToBeUpdate = hooks.filter(({ events }) => {
+            return oldSchemaUpdateEvents.some((oldEvent) => events.includes(oldEvent));
+        });
+        await Promise.all(hooksToBeUpdate.map(async ({ id, events }) => {
+            const updateEvents = events.reduce((accumulator, event) => {
+                if (isOldSchemaUpdateEvent(event)) {
+                    return [...accumulator, updateMap[event]];
+                }
+                return [...accumulator, event];
+            }, []);
+            await pool.query(sql `
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+        }));
+    },
+    down: async (pool) => {
+        const { rows: hooks } = await pool.query(sql `
+      select id, events
+      from hooks
+    `);
+        const hooksToBeUpdate = hooks.filter(({ events }) => {
+            return newSchemaUpdateEvents.some((newEvent) => events.includes(newEvent));
+        });
+        await Promise.all(hooksToBeUpdate.map(async ({ id, events }) => {
+            const updateEvents = events.reduce((accumulator, event) => {
+                if (isNewSchemaUpdateEvent(event)) {
+                    return [...accumulator, reverseMap[event]];
+                }
+                return [...accumulator, event];
+            }, []);
+            await pool.query(sql `
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+        }));
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1716278409-remove-internal-role-database-policies.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1716278409-remove-internal-role-database-policies.js

@@ -0,0 +1,33 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      drop policy if exists roles_select on roles;
+      drop policy if exists roles_modification on roles;
+      create policy roles_modification on roles using (true);
+      
+      drop policy if exists roles_scopes_select on roles_scopes;
+      drop policy if exists roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes using (true);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      create policy roles_select on roles
+        for select using (true);
+
+      drop policy roles_modification on roles;
+      create policy roles_modification on roles
+        using (not starts_with(name, '#internal:'));
+
+      -- Restrict role - scope modification
+      create policy roles_scopes_select on roles_scopes
+        for select using (true);
+
+      drop policy roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes
+        using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1716291265-create-pre-configured-m-api-role.d.ts

@@ -0,0 +1,7 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+/**
+ * This script is to create a pre-configured Management API M2M role for new users.
+ * This script is **only for CI**, since we won't create this role for existing users, so this script is not applicable for existing db data.
+ */
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1716291265-create-pre-configured-m-api-role.js

@@ -0,0 +1,77 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+const isCi = yes(process.env.CI);
+const defaultTenantId = 'default';
+const defaultTenantManagementApiIndicator = `https://${defaultTenantId}.logto.app/api`;
+const roleName = 'Logto Management API access';
+const roleDescription = 'This default role grants access to the Logto management API.';
+var RoleType;
+(function (RoleType) {
+    RoleType["MachineToMachine"] = "MachineToMachine";
+})(RoleType || (RoleType = {}));
+var PredefinedScope;
+(function (PredefinedScope) {
+    PredefinedScope["All"] = "all";
+})(PredefinedScope || (PredefinedScope = {}));
+/**
+ * This script is to create a pre-configured Management API M2M role for new users.
+ * This script is **only for CI**, since we won't create this role for existing users, so this script is not applicable for existing db data.
+ */
+const alteration = {
+    up: async (pool) => {
+        if (!isCi) {
+            console.info("Skipping the alteration script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to existing db data.");
+            return;
+        }
+        /**
+         * Only affect the `default` tenant, since this is the only tenant in the OSS version and the initial tenant in the cloud version.
+         * So we only need to care about this role for the `default` tenant.
+         */
+        const roleId = generateStandardId();
+        await pool.query(sql `
+      insert into roles (id, tenant_id, name, description, type)
+      values (
+        ${roleId},
+        ${defaultTenantId},
+        ${roleName},
+        ${roleDescription},
+        ${RoleType.MachineToMachine}
+      );
+    `);
+        // Assign Logto Management API permission `all` to the Logto Management API M2M role
+        await pool.query(sql `
+      insert into roles_scopes (id, role_id, scope_id, tenant_id)
+      values (
+        ${generateStandardId()},
+        ${roleId},
+        (
+          select scopes.id
+          from scopes
+          join resources on
+            scopes.tenant_id = resources.tenant_id and
+            scopes.resource_id = resources.id
+          where resources.indicator = ${defaultTenantManagementApiIndicator}
+          and scopes.name = ${PredefinedScope.All}
+          and scopes.tenant_id = ${defaultTenantId}
+        ),
+        ${defaultTenantId}
+      )
+    `);
+    },
+    down: async (pool) => {
+        if (!isCi) {
+            console.info("Skipping the down script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to production db.");
+            return;
+        }
+        // Delete the created role
+        await pool.query(sql `
+      delete from roles
+      where tenant_id = ${defaultTenantId}
+      and name = ${roleName}
+      and description = ${roleDescription}
+      and type = ${RoleType.MachineToMachine}
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1717148078-remove-service-log-reference.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1717148078-remove-service-log-reference.js

@@ -0,0 +1,15 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table service_logs drop constraint service_logs_tenant_id_fkey;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table service_logs add constraint service_logs_tenant_id_fkey 
+        foreign key (tenant_id) references tenants(id) on update cascade on delete cascade;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/utils/1716643968-id-generation.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Generate a standard id with 21 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export declare const generateStandardId: (size?: number | undefined) => string;
+/**
+ * Generate a standard short id with 12 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export declare const generateStandardShortId: (size?: number | undefined) => string;
+/**
+ * Generate a standard secret with 32 characters, including uppercase letters, lowercase
+ * letters, and numbers.
+ *
+ * @see {@link alphabet}
+ */
+export declare const generateStandardSecret: (size?: number | undefined) => string;

package/alterations-js/utils/1716643968-id-generation.js

@@ -0,0 +1,26 @@
+/**
+ * This file is forked from `@logto/shared` 3.1.0 to avoid alteration scripts to depend on outer packages.
+ */
+import { customAlphabet } from 'nanoid';
+const lowercaseAlphabet = '0123456789abcdefghijklmnopqrstuvwxyz';
+const alphabet = `${lowercaseAlphabet}ABCDEFGHIJKLMNOPQRSTUVWXYZ`;
+const buildIdGenerator = (size, includingUppercase = true) => customAlphabet(includingUppercase ? alphabet : lowercaseAlphabet, size);
+/**
+ * Generate a standard id with 21 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export const generateStandardId = buildIdGenerator(21, false);
+/**
+ * Generate a standard short id with 12 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export const generateStandardShortId = buildIdGenerator(12, false);
+/**
+ * Generate a standard secret with 32 characters, including uppercase letters, lowercase
+ * letters, and numbers.
+ *
+ * @see {@link alphabet}
+ */
+export const generateStandardSecret = buildIdGenerator(32);

package/lib/db-entries/role.d.ts

@@ -11,6 +11,8 @@ export type CreateRole = {
     name: string;
     description: string;
     type?: RoleType;
+    /** If the role is the default role for a new user. Should be ignored for `MachineToMachine` roles. */
+    isDefault?: boolean;
 };
 export type Role = {
     tenantId: string;
@@ -18,6 +20,8 @@ export type Role = {
     name: string;
     description: string;
     type: RoleType;
+    /** If the role is the default role for a new user. Should be ignored for `MachineToMachine` roles. */
+    isDefault: boolean;
 };
-export type RoleKeys = 'tenantId' | 'id' | 'name' | 'description' | 'type';
+export type RoleKeys = 'tenantId' | 'id' | 'name' | 'description' | 'type' | 'isDefault';
 export declare const Roles: GeneratedSchema<RoleKeys, CreateRole, Role, 'roles', 'role'>;

package/lib/db-entries/role.js

@@ -7,6 +7,7 @@ const createGuard = z.object({
     name: z.string().min(1).max(128),
     description: z.string().min(1).max(128),
     type: z.nativeEnum(RoleType).optional(),
+    isDefault: z.boolean().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -14,6 +15,7 @@ const guard = z.object({
     name: z.string().min(1).max(128),
     description: z.string().min(1).max(128),
     type: z.nativeEnum(RoleType),
+    isDefault: z.boolean(),
 });
 export const Roles = Object.freeze({
     table: 'roles',
@@ -24,6 +26,7 @@ export const Roles = Object.freeze({
         name: 'name',
         description: 'description',
         type: 'type',
+        isDefault: 'is_default',
     },
     fieldKeys: [
         'tenantId',
@@ -31,6 +34,7 @@ export const Roles = Object.freeze({
         'name',
         'description',
         'type',
+        'isDefault',
     ],
     createGuard,
     guard,

package/lib/foundations/jsonb-types/hooks.d.ts

@@ -10,7 +10,7 @@ export declare enum InteractionHookEvent {
     PostSignIn = "PostSignIn",
     PostResetPassword = "PostResetPassword"
 }
-declare enum DataHookSchema {
+export declare enum DataHookSchema {
     User = "User",
     Role = "Role",
     Scope = "Scope",
@@ -20,19 +20,21 @@ declare enum DataHookSchema {
 }
 declare enum DataHookBasicMutationType {
     Created = "Created",
-    Deleted = "Deleted",
+    Deleted = "Deleted"
+}
+declare enum DataHookDetailMutationType {
     Updated = "Updated"
 }
 type BasicDataHookEvent = `${DataHookSchema}.${DataHookBasicMutationType}`;
-type CustomDataHookMutableSchema = `${DataHookSchema.User}.SuspensionStatus` | `${DataHookSchema.Role}.Scopes` | `${DataHookSchema.Organization}.Membership` | `${DataHookSchema.OrganizationRole}.Scopes`;
-type DataHookPropertyUpdateEvent = `${CustomDataHookMutableSchema}.${DataHookBasicMutationType.Updated}`;
+type CustomDataHookMutableSchema = `${DataHookSchema}.Data` | `${DataHookSchema.User}.SuspensionStatus` | `${DataHookSchema.Role}.Scopes` | `${DataHookSchema.Organization}.Membership` | `${DataHookSchema.OrganizationRole}.Scopes`;
+type DataHookPropertyUpdateEvent = `${CustomDataHookMutableSchema}.${DataHookDetailMutationType.Updated}`;
 export type DataHookEvent = BasicDataHookEvent | DataHookPropertyUpdateEvent;
 /** The hook event values that can be registered. */
-export declare const hookEvents: readonly [InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Updated", "Organization.Created", "Organization.Deleted", "Organization.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Updated"];
+export declare const hookEvents: readonly [InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated"];
 /** The type of hook event values that can be registered. */
 export type HookEvent = (typeof hookEvents)[number];
-export declare const hookEventGuard: z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Updated", "Organization.Created", "Organization.Deleted", "Organization.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Updated"]>;
-export declare const hookEventsGuard: z.ZodArray<z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Updated", "Organization.Created", "Organization.Deleted", "Organization.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Updated"]>, "many">;
+export declare const hookEventGuard: z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated"]>;
+export declare const hookEventsGuard: z.ZodArray<z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated"]>, "many">;
 export type HookEvents = z.infer<typeof hookEventsGuard>;
 export declare const interactionHookEventGuard: z.ZodNativeEnum<typeof InteractionHookEvent>;
 /**
@@ -68,31 +70,31 @@ export type HookConfig = z.infer<typeof hookConfigGuard>;
 export declare const managementApiHooksRegistration: Readonly<{
     'POST /users': "User.Created";
     'DELETE /users/:userId': "User.Deleted";
-    'PATCH /users/:userId': "User.Updated";
-    'PATCH /users/:userId/custom-data': "User.Updated";
-    'PATCH /users/:userId/profile': "User.Updated";
-    'PATCH /users/:userId/password': "User.Updated";
+    'PATCH /users/:userId': "User.Data.Updated";
+    'PATCH /users/:userId/custom-data': "User.Data.Updated";
+    'PATCH /users/:userId/profile': "User.Data.Updated";
+    'PATCH /users/:userId/password': "User.Data.Updated";
     'PATCH /users/:userId/is-suspended': "User.SuspensionStatus.Updated";
     'POST /roles': "Role.Created";
     'DELETE /roles/:id': "Role.Deleted";
-    'PATCH /roles/:id': "Role.Updated";
+    'PATCH /roles/:id': "Role.Data.Updated";
     'POST /roles/:id/scopes': "Role.Scopes.Updated";
     'DELETE /roles/:id/scopes/:scopeId': "Role.Scopes.Updated";
     'POST /resources/:resourceId/scopes': "Scope.Created";
     'DELETE /resources/:resourceId/scopes/:scopeId': "Scope.Deleted";
-    'PATCH /resources/:resourceId/scopes/:scopeId': "Scope.Updated";
+    'PATCH /resources/:resourceId/scopes/:scopeId': "Scope.Data.Updated";
     'POST /organizations': "Organization.Created";
     'DELETE /organizations/:id': "Organization.Deleted";
-    'PATCH /organizations/:id': "Organization.Updated";
+    'PATCH /organizations/:id': "Organization.Data.Updated";
     'PUT /organizations/:id/users': "Organization.Membership.Updated";
     'POST /organizations/:id/users': "Organization.Membership.Updated";
     'DELETE /organizations/:id/users/:userId': "Organization.Membership.Updated";
     'POST /organization-roles': "OrganizationRole.Created";
     'DELETE /organization-roles/:id': "OrganizationRole.Deleted";
-    'PATCH /organization-roles/:id': "OrganizationRole.Updated";
+    'PATCH /organization-roles/:id': "OrganizationRole.Data.Updated";
     'POST /organization-scopes': "OrganizationScope.Created";
     'DELETE /organization-scopes/:id': "OrganizationScope.Deleted";
-    'PATCH /organization-scopes/:id': "OrganizationScope.Updated";
+    'PATCH /organization-scopes/:id': "OrganizationScope.Data.Updated";
     'PUT /organization-roles/:id/scopes': "OrganizationRole.Scopes.Updated";
     'POST /organization-roles/:id/scopes': "OrganizationRole.Scopes.Updated";
     'DELETE /organization-roles/:id/scopes/:organizationScopeId': "OrganizationRole.Scopes.Updated";

package/lib/foundations/jsonb-types/hooks.js

@@ -13,7 +13,7 @@ export var InteractionHookEvent;
     InteractionHookEvent["PostResetPassword"] = "PostResetPassword";
 })(InteractionHookEvent || (InteractionHookEvent = {}));
 // DataHookEvent
-var DataHookSchema;
+export var DataHookSchema;
 (function (DataHookSchema) {
     DataHookSchema["User"] = "User";
     DataHookSchema["Role"] = "Role";
@@ -26,8 +26,11 @@ var DataHookBasicMutationType;
 (function (DataHookBasicMutationType) {
     DataHookBasicMutationType["Created"] = "Created";
     DataHookBasicMutationType["Deleted"] = "Deleted";
-    DataHookBasicMutationType["Updated"] = "Updated";
 })(DataHookBasicMutationType || (DataHookBasicMutationType = {}));
+var DataHookDetailMutationType;
+(function (DataHookDetailMutationType) {
+    DataHookDetailMutationType["Updated"] = "Updated";
+})(DataHookDetailMutationType || (DataHookDetailMutationType = {}));
 /** The hook event values that can be registered. */
 export const hookEvents = Object.freeze([
     InteractionHookEvent.PostRegister,
@@ -35,26 +38,26 @@ export const hookEvents = Object.freeze([
     InteractionHookEvent.PostResetPassword,
     'User.Created',
     'User.Deleted',
-    'User.Updated',
+    'User.Data.Updated',
     'User.SuspensionStatus.Updated',
     'Role.Created',
     'Role.Deleted',
-    'Role.Updated',
+    'Role.Data.Updated',
     'Role.Scopes.Updated',
     'Scope.Created',
     'Scope.Deleted',
-    'Scope.Updated',
+    'Scope.Data.Updated',
     'Organization.Created',
     'Organization.Deleted',
-    'Organization.Updated',
+    'Organization.Data.Updated',
     'Organization.Membership.Updated',
     'OrganizationRole.Created',
     'OrganizationRole.Deleted',
-    'OrganizationRole.Updated',
+    'OrganizationRole.Data.Updated',
     'OrganizationRole.Scopes.Updated',
     'OrganizationScope.Created',
     'OrganizationScope.Deleted',
-    'OrganizationScope.Updated',
+    'OrganizationScope.Data.Updated',
 ]);
 export const hookEventGuard = z.enum(hookEvents);
 export const hookEventsGuard = hookEventGuard.array();
@@ -84,31 +87,31 @@ export const hookConfigGuard = z.object({
 export const managementApiHooksRegistration = Object.freeze({
     'POST /users': 'User.Created',
     'DELETE /users/:userId': 'User.Deleted',
-    'PATCH /users/:userId': 'User.Updated',
-    'PATCH /users/:userId/custom-data': 'User.Updated',
-    'PATCH /users/:userId/profile': 'User.Updated',
-    'PATCH /users/:userId/password': 'User.Updated',
+    'PATCH /users/:userId': 'User.Data.Updated',
+    'PATCH /users/:userId/custom-data': 'User.Data.Updated',
+    'PATCH /users/:userId/profile': 'User.Data.Updated',
+    'PATCH /users/:userId/password': 'User.Data.Updated',
     'PATCH /users/:userId/is-suspended': 'User.SuspensionStatus.Updated',
     'POST /roles': 'Role.Created',
     'DELETE /roles/:id': 'Role.Deleted',
-    'PATCH /roles/:id': 'Role.Updated',
+    'PATCH /roles/:id': 'Role.Data.Updated',
     'POST /roles/:id/scopes': 'Role.Scopes.Updated',
     'DELETE /roles/:id/scopes/:scopeId': 'Role.Scopes.Updated',
     'POST /resources/:resourceId/scopes': 'Scope.Created',
     'DELETE /resources/:resourceId/scopes/:scopeId': 'Scope.Deleted',
-    'PATCH /resources/:resourceId/scopes/:scopeId': 'Scope.Updated',
+    'PATCH /resources/:resourceId/scopes/:scopeId': 'Scope.Data.Updated',
     'POST /organizations': 'Organization.Created',
     'DELETE /organizations/:id': 'Organization.Deleted',
-    'PATCH /organizations/:id': 'Organization.Updated',
+    'PATCH /organizations/:id': 'Organization.Data.Updated',
     'PUT /organizations/:id/users': 'Organization.Membership.Updated',
     'POST /organizations/:id/users': 'Organization.Membership.Updated',
     'DELETE /organizations/:id/users/:userId': 'Organization.Membership.Updated',
     'POST /organization-roles': 'OrganizationRole.Created',
     'DELETE /organization-roles/:id': 'OrganizationRole.Deleted',
-    'PATCH /organization-roles/:id': 'OrganizationRole.Updated',
+    'PATCH /organization-roles/:id': 'OrganizationRole.Data.Updated',
     'POST /organization-scopes': 'OrganizationScope.Created',
     'DELETE /organization-scopes/:id': 'OrganizationScope.Deleted',
-    'PATCH /organization-scopes/:id': 'OrganizationScope.Updated',
+    'PATCH /organization-scopes/:id': 'OrganizationScope.Data.Updated',
     'PUT /organization-roles/:id/scopes': 'OrganizationRole.Scopes.Updated',
     'POST /organization-roles/:id/scopes': 'OrganizationRole.Scopes.Updated',
     'DELETE /organization-roles/:id/scopes/:organizationScopeId': 'OrganizationRole.Scopes.Updated',

package/lib/models/tenants.d.ts

@@ -1,5 +1,4 @@
 import type { InferModelType } from '@withtyped/server/model';
-import { z } from 'zod';
 import { TenantTag } from '../types/tenant.js';
 export declare const Tenants: import("@withtyped/server/lib/model/index.js").default<"tenants", {
     id: string;
@@ -11,23 +10,3 @@ export declare const Tenants: import("@withtyped/server/lib/model/index.js").def
     isSuspended: boolean;
 }, "name" | "createdAt" | "isSuspended" | "tag", "createdAt">;
 export type TenantModel = InferModelType<typeof Tenants>;
-export declare const tenantInfoGuard: z.ZodObject<{
-    name: z.ZodType<string, z.ZodTypeDef, string>;
-    id: z.ZodType<string, z.ZodTypeDef, string>;
-    isSuspended: z.ZodType<boolean, z.ZodTypeDef, boolean>;
-    tag: z.ZodType<TenantTag, z.ZodTypeDef, TenantTag>;
-    indicator: z.ZodString;
-}, z.UnknownKeysParam, z.ZodTypeAny, {
-    name: string;
-    id: string;
-    indicator: string;
-    isSuspended: boolean;
-    tag: TenantTag;
-}, {
-    name: string;
-    id: string;
-    indicator: string;
-    isSuspended: boolean;
-    tag: TenantTag;
-}>;
-export type TenantInfo = z.infer<typeof tenantInfoGuard>;

package/lib/models/tenants.js

@@ -20,6 +20,3 @@ export const Tenants = createModel(
 `, 'public')
     .extend('tag', z.nativeEnum(TenantTag))
     .extend('createdAt', { readonly: true });
-export const tenantInfoGuard = Tenants.guard('model')
-    .pick({ id: true, name: true, tag: true, isSuspended: true })
-    .extend({ indicator: z.string() });

package/lib/seeds/cloud-api.js

@@ -61,4 +61,5 @@ export const createTenantApplicationRole = () => ({
     name: AdminTenantRole.TenantApplication,
     description: 'The role for M2M applications that represent a user tenant and send requests to Logto Cloud.',
     type: RoleType.MachineToMachine,
+    isDefault: false,
 });

package/lib/seeds/management-api.d.ts

@@ -120,3 +120,7 @@ export declare const createMeApiInAdminTenant: () => Readonly<{
         type: RoleType.User;
     };
 }>;
+/**
+ * Create a pre-configured M2M role for Management API access.
+ */
+export declare const createPreConfiguredManagementApiAccessRole: (tenantId: string) => CreateRole;

package/lib/seeds/management-api.js

@@ -131,3 +131,13 @@ export const createMeApiInAdminTenant = () => {
         },
     });
 };
+/**
+ * Create a pre-configured M2M role for Management API access.
+ */
+export const createPreConfiguredManagementApiAccessRole = (tenantId) => ({
+    tenantId,
+    id: generateStandardId(),
+    description: 'This default role grants access to the Logto management API.',
+    name: 'Logto Management API access',
+    type: RoleType.MachineToMachine,
+});

package/lib/types/hook.d.ts

@@ -1,4 +1,8 @@
 import { z } from 'zod';
+import { type Application, type User } from '../db-entries/index.js';
+import { type DataHookEvent, type InteractionHookEvent } from '../foundations/index.js';
+import { type InteractionEvent } from './interactions.js';
+import { type userInfoSelectFields } from './user.js';
 declare const hookExecutionStatsGuard: z.ZodObject<{
     successCount: z.ZodNumber;
     requestCount: z.ZodNumber;
@@ -24,8 +28,8 @@ export declare const hookResponseGuard: z.ZodObject<{
         headers?: Record<string, string> | undefined;
         retries?: number | undefined;
     }>;
-    event: z.ZodType<"User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent | null, z.ZodTypeDef, "User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent | null>;
-    events: z.ZodType<("User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent)[], z.ZodTypeDef, ("User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent)[]>;
+    event: z.ZodType<"User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent | null, z.ZodTypeDef, "User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent | null>;
+    events: z.ZodType<("User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent)[], z.ZodTypeDef, ("User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent)[]>;
     signingKey: z.ZodType<string, z.ZodTypeDef, string>;
     enabled: z.ZodType<boolean, z.ZodTypeDef, boolean>;
     executionStats: z.ZodObject<{
@@ -48,8 +52,8 @@ export declare const hookResponseGuard: z.ZodObject<{
         headers?: Record<string, string> | undefined;
         retries?: number | undefined;
     };
-    event: "User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent | null;
-    events: ("User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent)[];
+    event: "User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent | null;
+    events: ("User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent)[];
     signingKey: string;
     enabled: boolean;
     executionStats: {
@@ -66,8 +70,8 @@ export declare const hookResponseGuard: z.ZodObject<{
         headers?: Record<string, string> | undefined;
         retries?: number | undefined;
     };
-    event: "User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent | null;
-    events: ("User.Created" | "User.Deleted" | "User.Updated" | "Role.Created" | "Role.Deleted" | "Role.Updated" | "Scope.Created" | "Scope.Deleted" | "Scope.Updated" | "Organization.Created" | "Organization.Deleted" | "Organization.Updated" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationRole.Updated" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "OrganizationScope.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | import("../index.js").InteractionHookEvent)[];
+    event: "User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent | null;
+    events: ("User.Created" | "User.Deleted" | "Role.Created" | "Role.Deleted" | "Scope.Created" | "Scope.Deleted" | "Organization.Created" | "Organization.Deleted" | "OrganizationRole.Created" | "OrganizationRole.Deleted" | "OrganizationScope.Created" | "OrganizationScope.Deleted" | "User.Data.Updated" | "Role.Data.Updated" | "Scope.Data.Updated" | "Organization.Data.Updated" | "OrganizationRole.Data.Updated" | "OrganizationScope.Data.Updated" | "User.SuspensionStatus.Updated" | "Role.Scopes.Updated" | "Organization.Membership.Updated" | "OrganizationRole.Scopes.Updated" | InteractionHookEvent)[];
     signingKey: string;
     enabled: boolean;
     executionStats: {
@@ -87,4 +91,61 @@ export declare const hookTestErrorResponseDataGuard: z.ZodObject<{
     responseBody: string;
 }>;
 export type HookTestErrorResponseData = z.infer<typeof hookTestErrorResponseDataGuard>;
+/**
+ * The interaction API context for triggering InteractionHook and DataHook events.
+ * In the `koaInteractionHooks` middleware,
+ * we will store the context before processing the interaction and consume it after the interaction is processed if needed.
+ */
+export type InteractionApiMetadata = {
+    /** The application ID if the hook is triggered by interaction API. */
+    applicationId?: string;
+    /** The session ID if the hook is triggered by interaction API. */
+    sessionId?: string;
+    /** The InteractionEvent if the hook is triggered by interaction API. */
+    interactionEvent: InteractionEvent;
+};
+type InteractionApiContextPayload = {
+    /** Fetch application detail by application ID before sending the hook event */
+    application?: Pick<Application, 'id' | 'type' | 'name' | 'description'>;
+    sessionId?: string;
+    interactionEvent?: InteractionEvent;
+};
+export type InteractionHookEventPayload = {
+    event: InteractionHookEvent;
+    createdAt: string;
+    hookId: string;
+    userAgent?: string;
+    userIp?: string;
+    /** InteractionHook result */
+    userId?: string;
+    /** Fetch user detail by user ID before sending the hook event */
+    user?: Pick<User, (typeof userInfoSelectFields)[number]>;
+} & InteractionApiContextPayload & Record<string, unknown>;
+/**
+ * The API context for management API triggered data hooks.
+ * In the `koaManagementApiHooks` middleware,
+ * we will store the context of management API requests that triggers the DataHook events.
+ * Can't put it in the DataHookMetadata because the matched API context is only available after the request is processed.
+ */
+export type ManagementApiContext = {
+    /** Request route params. */
+    params?: Record<string, string>;
+    /** Request route path. */
+    path: string;
+    /** Matched route used as the identifier to trigger the hook. */
+    matchedRoute?: string;
+    /** Request method. */
+    method: string;
+    /** Response status code. */
+    status: number;
+};
+export type DataHookEventPayload = {
+    event: DataHookEvent;
+    createdAt: string;
+    hookId: string;
+    ip?: string;
+    userAgent?: string;
+    data?: unknown;
+} & Partial<InteractionApiContextPayload> & Partial<ManagementApiContext> & Record<string, unknown>;
+export type HookEventPayload = InteractionHookEventPayload | DataHookEventPayload;
 export {};

package/lib/types/mapi-proxy.js

@@ -27,6 +27,7 @@ export const getMapiProxyRole = (tenantId) => Object.freeze({
     name: `machine:mapi:${tenantId}`,
     description: `Machine-to-machine role for accessing Management API of tenant '${tenantId}'.`,
     type: RoleType.MachineToMachine,
+    isDefault: false,
 });
 /**
  * Given a tenant ID, return the application create data for the mapi proxy. The proxy will use the

package/lib/types/user.d.ts

@@ -361,7 +361,11 @@ export declare const userMfaVerificationResponseGuard: z.ZodArray<z.ZodObject<{
     remainCodes?: number | undefined;
 }>, "many">;
 export type UserMfaVerificationResponse = z.infer<typeof userMfaVerificationResponseGuard>;
-/** Internal read-only roles for user tenants. */
+/**
+ * Internal read-only roles for user tenants.
+ *
+ * @deprecated We don't use internal roles anymore.
+ */
 export declare enum InternalRole {
     /**
      * Internal admin role for Machine-to-Machine apps in Logto user tenants.

package/lib/types/user.js

@@ -33,7 +33,11 @@ export const userMfaVerificationResponseGuard = z
     remainCodes: z.number().optional(),
 })
     .array();
-/** Internal read-only roles for user tenants. */
+/**
+ * Internal read-only roles for user tenants.
+ *
+ * @deprecated We don't use internal roles anymore.
+ */
 export var InternalRole;
 (function (InternalRole) {
     /**

package/lib/utils/role.d.ts

@@ -1,2 +1,4 @@
+/** @deprecated We don't restrict roles in the database anymore. */
 export declare const internalRolePrefix = "#internal:";
+/** @deprecated We don't restrict roles in the database anymore. */
 export declare const isInternalRole: (roleName: string) => boolean;

package/lib/utils/role.js

@@ -1,2 +1,4 @@
+/** @deprecated We don't restrict roles in the database anymore. */
 export const internalRolePrefix = '#internal:';
+/** @deprecated We don't restrict roles in the database anymore. */
 export const isInternalRole = (roleName) => roleName.startsWith(internalRolePrefix);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.16.0",
+  "version": "1.17.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -25,7 +25,7 @@
   },
   "devDependencies": {
     "@silverhand/eslint-config": "6.0.1",
-    "@silverhand/essentials": "^2.9.0",
+    "@silverhand/essentials": "^2.9.1",
     "@silverhand/slonik": "31.0.0-beta.2",
     "@silverhand/ts-config": "6.0.0",
     "@types/inquirer": "^9.0.0",
@@ -64,12 +64,13 @@
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
     "@logto/connector-kit": "^3.0.0",
-    "@logto/core-kit": "^2.4.0",
+    "@logto/core-kit": "^2.5.0",
     "@logto/language-kit": "^1.1.0",
-    "@logto/phrases": "^1.10.1",
+    "@logto/phrases": "^1.11.0",
     "@logto/phrases-experience": "^1.6.1",
     "@logto/shared": "^3.1.1",
-    "@withtyped/server": "^0.13.6"
+    "@withtyped/server": "^0.13.6",
+    "nanoid": "^5.0.1"
   },
   "peerDependencies": {
     "zod": "^3.22.4"

package/tables/_after_all.sql

@@ -32,30 +32,3 @@ revoke all privileges
 revoke all privileges
   on table service_logs
   from logto_tenant_${database};
-
----- Create policies to make internal roles read-only ----
-
-/**
- * Note:
- *
- * Internal roles have scope preset and they are read-only, but we do not
- * limit user or application assignment since it's business logic.
- */
-
--- Restrict direct role modification
-create policy roles_select on roles
-	for select using (true);
-
-drop policy roles_modification on roles;
-create policy roles_modification on roles
-	using (not starts_with(name, '#internal:'));
-
--- Restrict role - scope modification
-create policy roles_scopes_select on roles_scopes
-	for select using (true);
-
-drop policy roles_scopes_modification on roles_scopes;
-create policy roles_scopes_modification on roles_scopes
-  using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
-
----- TODO: Make internal API Resources read-only ----

package/tables/roles.sql

@@ -9,6 +9,8 @@ create table roles (
   name varchar(128) not null,
   description varchar(128) not null,
   type role_type not null default 'User',
+  /** If the role is the default role for a new user. Should be ignored for `MachineToMachine` roles. */
+  is_default boolean not null default false,
   primary key (id),
   constraint roles__name
     unique (tenant_id, name)

package/tables/service_logs.sql

@@ -1,7 +1,6 @@
 create table service_logs (
   id varchar(21) not null,
-  tenant_id varchar(21) not null
-    references tenants (id) on update cascade on delete cascade,
+  tenant_id varchar(21) not null,
   type varchar(64) not null,
   payload jsonb /* @use JsonObject */ not null default '{}'::jsonb,
   created_at timestamptz not null default(now()),