npm - @logto/schemas - Versions diffs - 1.16.0 → 1.18.0 - Mend

@logto/schemas 1.16.0 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

package/alterations/1.17.0-1715826336-add-default-user-role-config.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table roles add column is_default boolean not null default false;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table roles drop column is_default;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.17.0-1715829731-rename-data-hook-schema-update-event.ts ADDED Viewed

@@ -0,0 +1,120 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+enum DataHookSchema {
+  User = 'User',
+  Role = 'Role',
+  Scope = 'Scope',
+  Organization = 'Organization',
+  OrganizationRole = 'OrganizationRole',
+  OrganizationScope = 'OrganizationScope',
+}
+type OldSchemaUpdateEvent = `${DataHookSchema}.${'Updated'}`;
+type NewSchemaUpdateEvent = `${DataHookSchema}.Data.Updated`;
+const oldSchemaUpdateEvents = Object.freeze([
+  'User.Updated',
+  'Role.Updated',
+  'Scope.Updated',
+  'Organization.Updated',
+  'OrganizationRole.Updated',
+  'OrganizationScope.Updated',
+] satisfies OldSchemaUpdateEvent[]);
+const newSchemaUpdateEvents = Object.freeze([
+  'User.Data.Updated',
+  'Role.Data.Updated',
+  'Scope.Data.Updated',
+  'Organization.Data.Updated',
+  'OrganizationRole.Data.Updated',
+  'OrganizationScope.Data.Updated',
+] as const satisfies NewSchemaUpdateEvent[]);
+const updateMap: { [key in OldSchemaUpdateEvent]: NewSchemaUpdateEvent } = {
+  'User.Updated': 'User.Data.Updated',
+  'Role.Updated': 'Role.Data.Updated',
+  'Scope.Updated': 'Scope.Data.Updated',
+  'Organization.Updated': 'Organization.Data.Updated',
+  'OrganizationRole.Updated': 'OrganizationRole.Data.Updated',
+  'OrganizationScope.Updated': 'OrganizationScope.Data.Updated',
+};
+const reverseMap: { [key in NewSchemaUpdateEvent]: OldSchemaUpdateEvent } = {
+  'User.Data.Updated': 'User.Updated',
+  'Role.Data.Updated': 'Role.Updated',
+  'Scope.Data.Updated': 'Scope.Updated',
+  'Organization.Data.Updated': 'Organization.Updated',
+  'OrganizationRole.Data.Updated': 'OrganizationRole.Updated',
+  'OrganizationScope.Data.Updated': 'OrganizationScope.Updated',
+};
+// This alteration script filters all the hook's events jsonb column to replace all the old schema update events with the new schema update events.
+const isOldSchemaUpdateEvent = (event: string): event is OldSchemaUpdateEvent =>
+  // eslint-disable-next-line no-restricted-syntax
+  oldSchemaUpdateEvents.includes(event as OldSchemaUpdateEvent);
+const isNewSchemaUpdateEvent = (event: string): event is NewSchemaUpdateEvent =>
+  // eslint-disable-next-line no-restricted-syntax
+  newSchemaUpdateEvents.includes(event as NewSchemaUpdateEvent);
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const { rows: hooks } = await pool.query<{ id: string; events: string[] }>(sql`
+      select id, events
+      from hooks
+    `);
+    const hooksToBeUpdate = hooks.filter(({ events }) => {
+      return oldSchemaUpdateEvents.some((oldEvent) => events.includes(oldEvent));
+    });
+    await Promise.all(
+      hooksToBeUpdate.map(async ({ id, events }) => {
+        const updateEvents = events.reduce<string[]>((accumulator, event) => {
+          if (isOldSchemaUpdateEvent(event)) {
+            return [...accumulator, updateMap[event]];
+          }
+          return [...accumulator, event];
+        }, []);
+        await pool.query(sql`
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+      })
+    );
+  },
+  down: async (pool) => {
+    const { rows: hooks } = await pool.query<{ id: string; events: string[] }>(sql`
+      select id, events
+      from hooks
+    `);
+    const hooksToBeUpdate = hooks.filter(({ events }) => {
+      return newSchemaUpdateEvents.some((newEvent) => events.includes(newEvent));
+    });
+    await Promise.all(
+      hooksToBeUpdate.map(async ({ id, events }) => {
+        const updateEvents = events.reduce<string[]>((accumulator, event) => {
+          if (isNewSchemaUpdateEvent(event)) {
+            return [...accumulator, reverseMap[event]];
+          }
+          return [...accumulator, event];
+        }, []);
+        await pool.query(sql`
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+      })
+    );
+  },
+};
+export default alteration;

package/alterations/1.17.0-1716278409-remove-internal-role-database-policies.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      drop policy if exists roles_select on roles;
+      drop policy if exists roles_modification on roles;
+      create policy roles_modification on roles using (true);
+      drop policy if exists roles_scopes_select on roles_scopes;
+      drop policy if exists roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes using (true);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      create policy roles_select on roles
+        for select using (true);
+      drop policy roles_modification on roles;
+      create policy roles_modification on roles
+        using (not starts_with(name, '#internal:'));
+      -- Restrict role - scope modification
+      create policy roles_scopes_select on roles_scopes
+        for select using (true);
+      drop policy roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes
+        using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
+    `);
+  },
+};
+export default alteration;

package/alterations/1.17.0-1716291265-create-pre-configured-m-api-role.ts ADDED Viewed

@@ -0,0 +1,92 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+const isCi = yes(process.env.CI);
+const defaultTenantId = 'default';
+const defaultTenantManagementApiIndicator = `https://${defaultTenantId}.logto.app/api`;
+const roleName = 'Logto Management API access';
+const roleDescription = 'This default role grants access to the Logto management API.';
+enum RoleType {
+  MachineToMachine = 'MachineToMachine',
+}
+enum PredefinedScope {
+  All = 'all',
+}
+/**
+ * This script is to create a pre-configured Management API M2M role for new users.
+ * This script is **only for CI**, since we won't create this role for existing users, so this script is not applicable for existing db data.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    if (!isCi) {
+      console.info(
+        "Skipping the alteration script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to existing db data."
+      );
+      return;
+    }
+    /**
+     * Only affect the `default` tenant, since this is the only tenant in the OSS version and the initial tenant in the cloud version.
+     * So we only need to care about this role for the `default` tenant.
+     */
+    const roleId = generateStandardId();
+    await pool.query(sql`
+      insert into roles (id, tenant_id, name, description, type)
+      values (
+        ${roleId},
+        ${defaultTenantId},
+        ${roleName},
+        ${roleDescription},
+        ${RoleType.MachineToMachine}
+      );
+    `);
+    // Assign Logto Management API permission `all` to the Logto Management API M2M role
+    await pool.query(sql`
+      insert into roles_scopes (id, role_id, scope_id, tenant_id)
+      values (
+        ${generateStandardId()},
+        ${roleId},
+        (
+          select scopes.id
+          from scopes
+          join resources on
+            scopes.tenant_id = resources.tenant_id and
+            scopes.resource_id = resources.id
+          where resources.indicator = ${defaultTenantManagementApiIndicator}
+          and scopes.name = ${PredefinedScope.All}
+          and scopes.tenant_id = ${defaultTenantId}
+        ),
+        ${defaultTenantId}
+      )
+    `);
+  },
+  down: async (pool) => {
+    if (!isCi) {
+      console.info(
+        "Skipping the down script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to production db."
+      );
+      return;
+    }
+    // Delete the created role
+    await pool.query(sql`
+      delete from roles
+      where tenant_id = ${defaultTenantId}
+      and name = ${roleName}
+      and description = ${roleDescription}
+      and type = ${RoleType.MachineToMachine}
+    `);
+  },
+};
+export default alteration;

package/alterations/1.17.0-1717148078-remove-service-log-reference.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table service_logs drop constraint service_logs_tenant_id_fkey;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table service_logs add constraint service_logs_tenant_id_fkey
+        foreign key (tenant_id) references tenants(id) on update cascade on delete cascade;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1717567857-social-sign-in-linking.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences add column social_sign_in jsonb not null default '{}'::jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences drop column social_sign_in;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1717597875-add-organization-email-domains-table.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table organization_email_domains (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The ID of the organization. */
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        /** The email domain that will be automatically provisioned. */
+        email_domain varchar(128) not null,
+        primary key (tenant_id, organization_id, email_domain)
+      );
+    `);
+    await applyTableRls(pool, 'organization_email_domains');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'organization_email_domains');
+    await pool.query(sql`
+      drop table organization_email_domains
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1717818597-organization-mfa-requirement.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organizations add column is_mfa_required boolean not null default false;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table organizations drop column is_mfa_required;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1718340884-rename-org-email-domains-and-add-jit-roles-table.ts ADDED Viewed

@@ -0,0 +1,56 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organization_email_domains rename to organization_jit_email_domains;
+      alter table organization_jit_email_domains
+        rename constraint organization_email_domains_organization_id_fkey to organization_jit_email_domains_organization_id_fkey;
+      alter table organization_jit_email_domains
+        rename constraint organization_email_domains_pkey to organization_jit_email_domains_pkey;
+      alter table organization_jit_email_domains
+        rename constraint organization_email_domains_tenant_id_fkey to organization_jit_email_domains_tenant_id_fkey;
+      alter policy organization_email_domains_modification
+        on organization_jit_email_domains rename to organization_jit_email_domains_modification;
+      alter policy organization_email_domains_tenant_id
+        on organization_jit_email_domains rename to organization_jit_email_domains_tenant_id;
+      create table organization_jit_roles (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The ID of the organization. */
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        /** The organization role ID that will be automatically provisioned. */
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, organization_role_id)
+      );
+    `);
+    await applyTableRls(pool, 'organization_jit_roles');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'organization_jit_roles');
+    await pool.query(sql`
+      drop table organization_jit_roles
+    `);
+    await pool.query(sql`
+      alter table organization_jit_email_domains rename to organization_email_domains;
+      alter table organization_email_domains
+        rename constraint organization_jit_email_domains_organization_id_fkey to organization_email_domains_organization_id_fkey;
+      alter table organization_email_domains
+        rename constraint organization_jit_email_domains_pkey to organization_email_domains_pkey;
+      alter table organization_email_domains
+        rename constraint organization_jit_email_domains_tenant_id_fkey to organization_email_domains_tenant_id_fkey;
+      alter policy organization_jit_email_domains_modification
+        on organization_email_domains rename to organization_email_domains_modification;
+      alter policy organization_jit_email_domains_tenant_id
+        on organization_email_domains rename to organization_email_domains_tenant_id;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1718594164-add-agree-to-terms-policy.ts ADDED Viewed

@@ -0,0 +1,40 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const isCi = yes(process.env.CI);
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Create type
+    await pool.query(sql`
+      create type agree_to_terms_policy as enum ('Automatic', 'ManualRegistrationOnly', 'Manual');
+    `);
+    if (isCi) {
+      // Direct set default to 'Automatic' to align with the sql table definition when running CI
+      await pool.query(sql`
+        alter table sign_in_experiences add column agree_to_terms_policy agree_to_terms_policy not null default 'Automatic';
+      `);
+    } else {
+      // For compatibility with existing data, default to 'ManualRegistrationOnly'
+      await pool.query(sql`
+        alter table sign_in_experiences add column agree_to_terms_policy agree_to_terms_policy not null default 'ManualRegistrationOnly';
+      `);
+      // For new data, default to 'Automatic'
+      await pool.query(sql`
+        alter table sign_in_experiences alter column agree_to_terms_policy set default 'Automatic';
+      `);
+    }
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences drop column agree_to_terms_policy;
+      drop type agree_to_terms_policy;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1718785576-organization-application-relations.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create function check_application_type(application_id varchar(21), target_type application_type) returns boolean as
+      $$ begin
+        return (select type from applications where id = application_id) = target_type;
+      end; $$ language plpgsql;
+      create table organization_application_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, application_id),
+        constraint application_type
+          check (check_application_type(application_id, 'MachineToMachine'))
+      );
+    `);
+    await applyTableRls(pool, 'organization_application_relations');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'organization_application_relations');
+    await pool.query(sql`
+      drop table organization_application_relations;
+      drop function check_application_type;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1718786576-organization-jit-sso-connectors.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table organization_jit_sso_connectors (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The ID of the organization. */
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        sso_connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, sso_connector_id)
+      );
+    `);
+    await applyTableRls(pool, 'organization_jit_sso_connectors');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'organization_jit_sso_connectors');
+    await pool.query(sql`
+      drop table organization_jit_sso_connectors;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1718807616-organization-role-application-relations.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table organization_role_application_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        application_id varchar(21) not null,
+        primary key (tenant_id, organization_id, organization_role_id, application_id),
+        /** Application's roles in an organization should be synchronized with the application's membership in the organization. */
+        foreign key (tenant_id, organization_id, application_id)
+          references organization_application_relations (tenant_id, organization_id, application_id)
+          on update cascade on delete cascade
+      );
+    `);
+    await applyTableRls(pool, 'organization_role_application_relations');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'organization_role_application_relations');
+    await pool.query(sql`
+      drop table organization_role_application_relations;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1718865814-add-subject-tokens.ts ADDED Viewed

@@ -0,0 +1,36 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table subject_tokens (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(25) not null,
+        context jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+        expires_at timestamptz not null,
+        consumed_at timestamptz,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        created_at timestamptz not null default(now()),
+        creator_id varchar(32) not null, /* It is intented to not reference to user or application table */
+        primary key (id)
+      );
+      create index subject_token__id on subject_tokens (tenant_id, id);
+    `);
+    await applyTableRls(pool, 'subject_tokens');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'subject_tokens');
+    await pool.query(sql`
+      drop table subject_tokens
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1719014832-organization-role-types.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table organization_roles
+        add column type role_type not null default 'User';
+      create function check_organization_role_type(role_id varchar(21), target_type role_type) returns boolean as
+        $$ begin
+          return (select type from organization_roles where id = role_id) = target_type;
+        end; $$ language plpgsql;
+      alter table organization_role_user_relations
+        add constraint organization_role_user_relations__role_type
+          check (check_organization_role_type(organization_role_id, 'User'));
+      alter table organization_role_application_relations
+        add constraint organization_role_application_relations__role_type
+          check (check_organization_role_type(organization_role_id, 'MachineToMachine'));
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table organization_role_application_relations
+        drop constraint organization_role_application_relations__role_type;
+      alter table organization_role_user_relations
+        drop constraint organization_role_user_relations__role_type;
+      alter table organization_roles
+        drop column type;
+      drop function check_organization_role_type;
+    `);
+  },
+};
+export default alteration;

package/alterations/1.18.0-1719221205-fix-functions.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * In Logto Cloud, we have multiple schemas and the default search behavior will be problematic.
+ * This alteration script will fix it by setting the search path to public for the functions.
+ */
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter function check_application_type set search_path = public;
+      alter function check_organization_role_type set search_path = public;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter function check_application_type reset search_path;
+      alter function check_organization_role_type reset search_path;
+    `);
+  },
+};
+export default alteration;