@logto/schemas 1.16.0 → 1.18.0

package/lib/types/sign-in-experience.js

@@ -0,0 +1,21 @@
+import { connectorMetadataGuard, googleOneTapConfigGuard, } from '@logto/connector-kit';
+import { z } from 'zod';
+import { SignInExperiences } from '../db-entries/index.js';
+import { ssoConnectorMetadataGuard } from './sso-connector.js';
+export const guardFullSignInExperience = SignInExperiences.guard.extend({
+    socialConnectors: connectorMetadataGuard
+        .omit({
+        description: true,
+        configTemplate: true,
+        formItems: true,
+        readme: true,
+        customData: true,
+    })
+        .array(),
+    ssoConnectors: ssoConnectorMetadataGuard.array(),
+    forgotPassword: z.object({ phone: z.boolean(), email: z.boolean() }),
+    isDevelopmentTenant: z.boolean(),
+    googleOneTap: googleOneTapConfigGuard
+        .extend({ clientId: z.string(), connectorId: z.string() })
+        .optional(),
+});

package/lib/types/subject-token.d.ts

@@ -0,0 +1,12 @@
+import { type z } from 'zod';
+export declare const subjectTokenResponseGuard: z.ZodObject<{
+    subjectToken: z.ZodString;
+    expiresIn: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    subjectToken: string;
+    expiresIn: number;
+}, {
+    subjectToken: string;
+    expiresIn: number;
+}>;
+export type SubjectTokenResponse = z.infer<typeof subjectTokenResponseGuard>;

package/lib/types/subject-token.js

@@ -0,0 +1,5 @@
+import { number, object, string } from 'zod';
+export const subjectTokenResponseGuard = object({
+    subjectToken: string(),
+    expiresIn: number(),
+});

package/lib/types/system.d.ts

@@ -96,17 +96,17 @@ export declare const sendgridEmailServiceConfigGuard: z.ZodObject<{
     fromName: z.ZodString;
     fromEmail: z.ZodString;
 }, "strip", z.ZodTypeAny, {
+    fromEmail: string;
     provider: EmailServiceProvider;
     apiKey: string;
     templateId: string;
     fromName: string;
-    fromEmail: string;
 }, {
+    fromEmail: string;
     provider: EmailServiceProvider;
     apiKey: string;
     templateId: string;
     fromName: string;
-    fromEmail: string;
 }>;
 export type SendgridEmailServiceConfig = z.infer<typeof sendgridEmailServiceConfigGuard>;
 export declare const emailServiceConfigGuard: z.ZodDiscriminatedUnion<"provider", [z.ZodObject<{
@@ -116,17 +116,17 @@ export declare const emailServiceConfigGuard: z.ZodDiscriminatedUnion<"provider"
     fromName: z.ZodString;
     fromEmail: z.ZodString;
 }, "strip", z.ZodTypeAny, {
+    fromEmail: string;
     provider: EmailServiceProvider;
     apiKey: string;
     templateId: string;
     fromName: string;
-    fromEmail: string;
 }, {
+    fromEmail: string;
     provider: EmailServiceProvider;
     apiKey: string;
     templateId: string;
     fromName: string;
-    fromEmail: string;
 }>]>;
 export type EmailServiceConfig = z.infer<typeof emailServiceConfigGuard>;
 export declare enum EmailServiceProviderKey {

package/lib/types/tenant-organization.d.ts

@@ -98,6 +98,7 @@ export declare enum TenantRole {
  *   id: 'collaborator',
  *   name: 'collaborator',
  *   description: 'Collaborator of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+ *   type: RoleType.User,
  * });
  * ```
  *

package/lib/types/tenant-organization.js

@@ -6,6 +6,7 @@
  *
  * This module provides utilities to manage tenant organizations.
  */
+import { RoleType, } from '../db-entries/index.js';
 import { adminTenantId } from '../seeds/tenant.js';
 /** Given a tenant ID, return the corresponding organization ID in the admin tenant. */
 export const getTenantOrganizationId = (tenantId) => `t-${tenantId}`;
@@ -129,6 +130,7 @@ const tenantRoleDescriptions = Object.freeze({
  *   id: 'collaborator',
  *   name: 'collaborator',
  *   description: 'Collaborator of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+ *   type: RoleType.User,
  * });
  * ```
  *
@@ -139,6 +141,7 @@ export const getTenantRole = (role) => Object.freeze({
     id: role,
     name: role,
     description: tenantRoleDescriptions[role],
+    type: RoleType.User,
 });
 /**
  * The dictionary of tenant roles and their corresponding scopes.

package/lib/types/user.d.ts

@@ -361,7 +361,11 @@ export declare const userMfaVerificationResponseGuard: z.ZodArray<z.ZodObject<{
     remainCodes?: number | undefined;
 }>, "many">;
 export type UserMfaVerificationResponse = z.infer<typeof userMfaVerificationResponseGuard>;
-/** Internal read-only roles for user tenants. */
+/**
+ * Internal read-only roles for user tenants.
+ *
+ * @deprecated We don't use internal roles anymore.
+ */
 export declare enum InternalRole {
     /**
      * Internal admin role for Machine-to-Machine apps in Logto user tenants.

package/lib/types/user.js

@@ -33,7 +33,11 @@ export const userMfaVerificationResponseGuard = z
     remainCodes: z.number().optional(),
 })
     .array();
-/** Internal read-only roles for user tenants. */
+/**
+ * Internal read-only roles for user tenants.
+ *
+ * @deprecated We don't use internal roles anymore.
+ */
 export var InternalRole;
 (function (InternalRole) {
     /**

package/lib/utils/role.d.ts

@@ -1,2 +1,4 @@
+/** @deprecated We don't restrict roles in the database anymore. */
 export declare const internalRolePrefix = "#internal:";
+/** @deprecated We don't restrict roles in the database anymore. */
 export declare const isInternalRole: (roleName: string) => boolean;

package/lib/utils/role.js

@@ -1,2 +1,4 @@
+/** @deprecated We don't restrict roles in the database anymore. */
 export const internalRolePrefix = '#internal:';
+/** @deprecated We don't restrict roles in the database anymore. */
 export const isInternalRole = (roleName) => roleName.startsWith(internalRolePrefix);

package/lib/utils/zod.d.ts

@@ -1,4 +1,4 @@
 import { type z } from 'zod';
 export type ToZodObject<T> = z.ZodObject<{
-    [K in keyof T]: z.ZodType<T[K]>;
+    [K in keyof T]-?: z.ZodType<T[K]>;
 }>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.16.0",
+  "version": "1.18.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -25,7 +25,7 @@
   },
   "devDependencies": {
     "@silverhand/eslint-config": "6.0.1",
-    "@silverhand/essentials": "^2.9.0",
+    "@silverhand/essentials": "^2.9.1",
     "@silverhand/slonik": "31.0.0-beta.2",
     "@silverhand/ts-config": "6.0.0",
     "@types/inquirer": "^9.0.0",
@@ -63,13 +63,14 @@
   },
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
-    "@logto/connector-kit": "^3.0.0",
-    "@logto/core-kit": "^2.4.0",
+    "@logto/connector-kit": "^4.0.0",
+    "@logto/core-kit": "^2.5.0",
     "@logto/language-kit": "^1.1.0",
-    "@logto/phrases": "^1.10.1",
-    "@logto/phrases-experience": "^1.6.1",
+    "@logto/phrases": "^1.12.0",
+    "@logto/phrases-experience": "^1.7.0",
     "@logto/shared": "^3.1.1",
-    "@withtyped/server": "^0.13.6"
+    "@withtyped/server": "^0.13.6",
+    "nanoid": "^5.0.1"
   },
   "peerDependencies": {
     "zod": "^3.22.4"

package/tables/_after_all.sql

@@ -32,30 +32,3 @@ revoke all privileges
 revoke all privileges
   on table service_logs
   from logto_tenant_${database};
-
----- Create policies to make internal roles read-only ----
-
-/**
- * Note:
- *
- * Internal roles have scope preset and they are read-only, but we do not
- * limit user or application assignment since it's business logic.
- */
-
--- Restrict direct role modification
-create policy roles_select on roles
-	for select using (true);
-
-drop policy roles_modification on roles;
-create policy roles_modification on roles
-	using (not starts_with(name, '#internal:'));
-
--- Restrict role - scope modification
-create policy roles_scopes_select on roles_scopes
-	for select using (true);
-
-drop policy roles_scopes_modification on roles_scopes;
-create policy roles_scopes_modification on roles_scopes
-  using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
-
----- TODO: Make internal API Resources read-only ----

package/tables/applications.sql

@@ -33,3 +33,8 @@ create unique index applications__protected_app_metadata_custom_domain
   on applications (
     (protected_app_metadata->'customDomains'->0->>'domain')
   );
+
+create function check_application_type(application_id varchar(21), target_type application_type) returns boolean as
+$$ begin
+  return (select type from applications where id = application_id) = target_type;
+end; $$ language plpgsql set search_path = public;

package/tables/organization_application_relations.sql

@@ -0,0 +1,14 @@
+/* init_order = 2 */
+
+/** The relations between organizations and applications. It indicates membership of applications in organizations. For now only machine-to-machine applications are supported. */
+create table organization_application_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  organization_id varchar(21) not null
+    references organizations (id) on update cascade on delete cascade,
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  primary key (tenant_id, organization_id, application_id),
+  constraint application_type
+    check (check_application_type(application_id, 'MachineToMachine'))
+);

package/tables/organization_jit_email_domains.sql

@@ -0,0 +1,13 @@
+/* init_order = 2 */
+
+/** The email domains that will automatically assign users into an organization when they sign up or are added through the Management API. */
+create table organization_jit_email_domains (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The ID of the organization. */
+  organization_id varchar(21) not null
+    references organizations (id) on update cascade on delete cascade,
+  /** The email domain that will be automatically provisioned. */
+  email_domain varchar(128) not null,
+  primary key (tenant_id, organization_id, email_domain)
+);

package/tables/organization_jit_roles.sql

@@ -0,0 +1,14 @@
+/* init_order = 2 */
+
+/** The organization roles that will be automatically provisioned to users when they join an organization through JIT. */
+create table organization_jit_roles (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The ID of the organization. */
+  organization_id varchar(21) not null
+    references organizations (id) on update cascade on delete cascade,
+  /** The organization role ID that will be automatically provisioned. */
+  organization_role_id varchar(21) not null
+    references organization_roles (id) on update cascade on delete cascade,
+  primary key (tenant_id, organization_id, organization_role_id)
+);

package/tables/organization_jit_sso_connectors.sql

@@ -0,0 +1,13 @@
+/* init_order = 2 */
+
+/** The enterprise SSO connectors that will automatically assign users into an organization when they are authenticated via the SSO connector for the first time. */
+create table organization_jit_sso_connectors (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The ID of the organization. */
+  organization_id varchar(21) not null
+    references organizations (id) on update cascade on delete cascade,
+  sso_connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  primary key (tenant_id, organization_id, sso_connector_id)
+);

package/tables/organization_role_application_relations.sql

@@ -0,0 +1,18 @@
+/* init_order = 3 */
+
+/** The relations between organizations, organization roles, and applications. A relation means that an application has a role in an organization. */
+create table organization_role_application_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  organization_id varchar(21) not null,
+  organization_role_id varchar(21) not null
+    references organization_roles (id) on update cascade on delete cascade,
+  application_id varchar(21) not null,
+  primary key (tenant_id, organization_id, organization_role_id, application_id),
+  /** Application's roles in an organization should be synchronized with the application's membership in the organization. */
+  foreign key (tenant_id, organization_id, application_id)
+    references organization_application_relations (tenant_id, organization_id, application_id)
+    on update cascade on delete cascade,
+  constraint organization_role_application_relations__role_type
+    check (check_organization_role_type(organization_role_id, 'MachineToMachine'))
+);

package/tables/organization_role_user_relations.sql

@@ -12,5 +12,7 @@ create table organization_role_user_relations (
   /** User's roles in an organization should be synchronized with the user's membership in the organization. */
   foreign key (tenant_id, organization_id, user_id)
     references organization_user_relations (tenant_id, organization_id, user_id)
-    on update cascade on delete cascade
+    on update cascade on delete cascade,
+  constraint organization_role_user_relations__role_type
+    check (check_organization_role_type(organization_role_id, 'User'))
 );

package/tables/organization_roles.sql

@@ -1,4 +1,4 @@
-/* init_order = 1 */
+/* init_order = 1.1 */
 
 /** The roles defined by the organization template. */
 create table organization_roles (
@@ -10,6 +10,8 @@ create table organization_roles (
   name varchar(128) not null,
   /** A brief description of the organization role. */
   description varchar(256),
+  /** The type of the organization role. Same as the `type` field in the `roles` table. */
+  type role_type not null default 'User',
   primary key (id),
   constraint organization_roles__name
     unique (tenant_id, name)
@@ -17,3 +19,8 @@ create table organization_roles (
 
 create index organization_roles__id
   on organization_roles (tenant_id, id);
+
+create function check_organization_role_type(role_id varchar(21), target_type role_type) returns boolean as
+$$ begin
+  return (select type from organization_roles where id = role_id) = target_type;
+end; $$ language plpgsql set search_path = public;

package/tables/organizations.sql

@@ -12,6 +12,8 @@ create table organizations (
   description varchar(256),
   /** Additional data associated with the organization. */
   custom_data jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  /** Whether multi-factor authentication configuration is required for the members of the organization. */
+  is_mfa_required boolean not null default false,
   /** When the organization was created. */
   created_at timestamptz not null default(now()),
   primary key (id)

package/tables/roles.sql

@@ -9,6 +9,8 @@ create table roles (
   name varchar(128) not null,
   description varchar(128) not null,
   type role_type not null default 'User',
+  /** If the role is the default role for a new user. Should be ignored for `MachineToMachine` roles. */
+  is_default boolean not null default false,
   primary key (id),
   constraint roles__name
     unique (tenant_id, name)

package/tables/service_logs.sql

@@ -1,7 +1,6 @@
 create table service_logs (
   id varchar(21) not null,
-  tenant_id varchar(21) not null
-    references tenants (id) on update cascade on delete cascade,
+  tenant_id varchar(21) not null,
   type varchar(64) not null,
   payload jsonb /* @use JsonObject */ not null default '{}'::jsonb,
   created_at timestamptz not null default(now()),

package/tables/sign_in_experiences.sql

@@ -1,4 +1,5 @@
 create type sign_in_mode as enum ('SignIn', 'Register', 'SignInAndRegister');
+create type agree_to_terms_policy as enum ('Automatic', 'ManualRegistrationOnly', 'Manual');
 
 create table sign_in_experiences (
   tenant_id varchar(21) not null
@@ -9,12 +10,16 @@ create table sign_in_experiences (
   language_info jsonb /* @use LanguageInfo */ not null,
   terms_of_use_url varchar(2048),
   privacy_policy_url varchar(2048),
+  /** The policy that determines how users agree to the terms of use and privacy policy. */
+  agree_to_terms_policy agree_to_terms_policy not null default 'Automatic',
   sign_in jsonb /* @use SignIn */ not null,
   sign_up jsonb /* @use SignUp */ not null,
+  social_sign_in jsonb /* @use SocialSignIn */ not null default '{}'::jsonb,
   social_sign_in_connector_targets jsonb /* @use ConnectorTargets */ not null default '[]'::jsonb,
   sign_in_mode sign_in_mode not null default 'SignInAndRegister',
   custom_css text,
   custom_content jsonb /* @use CustomContent */ not null default '{}'::jsonb,
+  custom_ui_asset_id varchar(21),
   password_policy jsonb /* @use PartialPasswordPolicy */ not null default '{}'::jsonb,
   mfa jsonb /* @use Mfa */ not null default '{}'::jsonb,
   single_sign_on_enabled boolean not null default false,

package/tables/subject_tokens.sql

@@ -0,0 +1,16 @@
+create table subject_tokens (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  id varchar(25) not null,
+  context jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  expires_at timestamptz not null,
+  consumed_at timestamptz,
+  user_id varchar(21) not null
+    references users (id) on update cascade on delete cascade,
+  created_at timestamptz not null default(now()),
+  /* It is intented to not reference to user or application table, it can be userId or applicationId, for audit only */
+  creator_id varchar(32) not null,
+  primary key (id)
+);
+
+create index subject_token__id on subject_tokens (tenant_id, id);