npm - @logto/schemas - Versions diffs - 1.16.0 → 1.18.0 - Mend

@logto/schemas 1.16.0 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

package/alterations/1.18.0-1719312694-custom-ui-assets.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { sql } from '@silverhand/slonik';
+import type { AlterationScript } from '../lib/types/alteration.js';
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences add column custom_ui_asset_id varchar(21);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences drop column custom_ui_asset_id;
+    `);
+  },
+};
+export default alteration;

package/alterations/utils/1716643968-id-generation.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * This file is forked from `@logto/shared` 3.1.0 to avoid alteration scripts to depend on outer packages.
+ */
+import { customAlphabet } from 'nanoid';
+const lowercaseAlphabet = '0123456789abcdefghijklmnopqrstuvwxyz';
+const alphabet = `${lowercaseAlphabet}ABCDEFGHIJKLMNOPQRSTUVWXYZ` as const;
+type BuildIdGenerator = {
+  /**
+   * Build a nanoid generator function uses numbers (0-9), lowercase letters (a-z), and uppercase letters (A-Z) as the alphabet.
+   * @param size The default id length for the generator.
+   */
+  (size: number): ReturnType<typeof customAlphabet>;
+  /**
+   * Build a nanoid generator function uses numbers (0-9) and lowercase letters (a-z) as the alphabet.
+   * @param size The default id length for the generator.
+   */
+  // eslint-disable-next-line @typescript-eslint/unified-signatures
+  (size: number, includingUppercase: false): ReturnType<typeof customAlphabet>;
+};
+const buildIdGenerator: BuildIdGenerator = (size: number, includingUppercase = true) =>
+  customAlphabet(includingUppercase ? alphabet : lowercaseAlphabet, size);
+/**
+ * Generate a standard id with 21 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export const generateStandardId = buildIdGenerator(21, false);
+/**
+ * Generate a standard short id with 12 characters, including lowercase letters and numbers.
+ *
+ * @see {@link lowercaseAlphabet}
+ */
+export const generateStandardShortId = buildIdGenerator(12, false);
+/**
+ * Generate a standard secret with 32 characters, including uppercase letters, lowercase
+ * letters, and numbers.
+ *
+ * @see {@link alphabet}
+ */
+export const generateStandardSecret = buildIdGenerator(32);

package/alterations-js/1.17.0-1715826336-add-default-user-role-config.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1715826336-add-default-user-role-config.js ADDED Viewed

@@ -0,0 +1,14 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table roles add column is_default boolean not null default false;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table roles drop column is_default;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1715829731-rename-data-hook-schema-update-event.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1715829731-rename-data-hook-schema-update-event.js ADDED Viewed

@@ -0,0 +1,96 @@
+import { sql } from '@silverhand/slonik';
+var DataHookSchema;
+(function (DataHookSchema) {
+    DataHookSchema["User"] = "User";
+    DataHookSchema["Role"] = "Role";
+    DataHookSchema["Scope"] = "Scope";
+    DataHookSchema["Organization"] = "Organization";
+    DataHookSchema["OrganizationRole"] = "OrganizationRole";
+    DataHookSchema["OrganizationScope"] = "OrganizationScope";
+})(DataHookSchema || (DataHookSchema = {}));
+const oldSchemaUpdateEvents = Object.freeze([
+    'User.Updated',
+    'Role.Updated',
+    'Scope.Updated',
+    'Organization.Updated',
+    'OrganizationRole.Updated',
+    'OrganizationScope.Updated',
+]);
+const newSchemaUpdateEvents = Object.freeze([
+    'User.Data.Updated',
+    'Role.Data.Updated',
+    'Scope.Data.Updated',
+    'Organization.Data.Updated',
+    'OrganizationRole.Data.Updated',
+    'OrganizationScope.Data.Updated',
+]);
+const updateMap = {
+    'User.Updated': 'User.Data.Updated',
+    'Role.Updated': 'Role.Data.Updated',
+    'Scope.Updated': 'Scope.Data.Updated',
+    'Organization.Updated': 'Organization.Data.Updated',
+    'OrganizationRole.Updated': 'OrganizationRole.Data.Updated',
+    'OrganizationScope.Updated': 'OrganizationScope.Data.Updated',
+};
+const reverseMap = {
+    'User.Data.Updated': 'User.Updated',
+    'Role.Data.Updated': 'Role.Updated',
+    'Scope.Data.Updated': 'Scope.Updated',
+    'Organization.Data.Updated': 'Organization.Updated',
+    'OrganizationRole.Data.Updated': 'OrganizationRole.Updated',
+    'OrganizationScope.Data.Updated': 'OrganizationScope.Updated',
+};
+// This alteration script filters all the hook's events jsonb column to replace all the old schema update events with the new schema update events.
+const isOldSchemaUpdateEvent = (event) =>
+// eslint-disable-next-line no-restricted-syntax
+oldSchemaUpdateEvents.includes(event);
+const isNewSchemaUpdateEvent = (event) =>
+// eslint-disable-next-line no-restricted-syntax
+newSchemaUpdateEvents.includes(event);
+const alteration = {
+    up: async (pool) => {
+        const { rows: hooks } = await pool.query(sql `
+      select id, events
+      from hooks
+    `);
+        const hooksToBeUpdate = hooks.filter(({ events }) => {
+            return oldSchemaUpdateEvents.some((oldEvent) => events.includes(oldEvent));
+        });
+        await Promise.all(hooksToBeUpdate.map(async ({ id, events }) => {
+            const updateEvents = events.reduce((accumulator, event) => {
+                if (isOldSchemaUpdateEvent(event)) {
+                    return [...accumulator, updateMap[event]];
+                }
+                return [...accumulator, event];
+            }, []);
+            await pool.query(sql `
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+        }));
+    },
+    down: async (pool) => {
+        const { rows: hooks } = await pool.query(sql `
+      select id, events
+      from hooks
+    `);
+        const hooksToBeUpdate = hooks.filter(({ events }) => {
+            return newSchemaUpdateEvents.some((newEvent) => events.includes(newEvent));
+        });
+        await Promise.all(hooksToBeUpdate.map(async ({ id, events }) => {
+            const updateEvents = events.reduce((accumulator, event) => {
+                if (isNewSchemaUpdateEvent(event)) {
+                    return [...accumulator, reverseMap[event]];
+                }
+                return [...accumulator, event];
+            }, []);
+            await pool.query(sql `
+          update hooks
+          set events = ${JSON.stringify(updateEvents)}
+          where id = ${id};
+        `);
+        }));
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1716278409-remove-internal-role-database-policies.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1716278409-remove-internal-role-database-policies.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      drop policy if exists roles_select on roles;
+      drop policy if exists roles_modification on roles;
+      create policy roles_modification on roles using (true);
+      drop policy if exists roles_scopes_select on roles_scopes;
+      drop policy if exists roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes using (true);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      create policy roles_select on roles
+        for select using (true);
+      drop policy roles_modification on roles;
+      create policy roles_modification on roles
+        using (not starts_with(name, '#internal:'));
+      -- Restrict role - scope modification
+      create policy roles_scopes_select on roles_scopes
+        for select using (true);
+      drop policy roles_scopes_modification on roles_scopes;
+      create policy roles_scopes_modification on roles_scopes
+        using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1716291265-create-pre-configured-m-api-role.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+/**
+ * This script is to create a pre-configured Management API M2M role for new users.
+ * This script is **only for CI**, since we won't create this role for existing users, so this script is not applicable for existing db data.
+ */
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1716291265-create-pre-configured-m-api-role.js ADDED Viewed

@@ -0,0 +1,77 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+const isCi = yes(process.env.CI);
+const defaultTenantId = 'default';
+const defaultTenantManagementApiIndicator = `https://${defaultTenantId}.logto.app/api`;
+const roleName = 'Logto Management API access';
+const roleDescription = 'This default role grants access to the Logto management API.';
+var RoleType;
+(function (RoleType) {
+    RoleType["MachineToMachine"] = "MachineToMachine";
+})(RoleType || (RoleType = {}));
+var PredefinedScope;
+(function (PredefinedScope) {
+    PredefinedScope["All"] = "all";
+})(PredefinedScope || (PredefinedScope = {}));
+/**
+ * This script is to create a pre-configured Management API M2M role for new users.
+ * This script is **only for CI**, since we won't create this role for existing users, so this script is not applicable for existing db data.
+ */
+const alteration = {
+    up: async (pool) => {
+        if (!isCi) {
+            console.info("Skipping the alteration script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to existing db data.");
+            return;
+        }
+        /**
+         * Only affect the `default` tenant, since this is the only tenant in the OSS version and the initial tenant in the cloud version.
+         * So we only need to care about this role for the `default` tenant.
+         */
+        const roleId = generateStandardId();
+        await pool.query(sql `
+      insert into roles (id, tenant_id, name, description, type)
+      values (
+        ${roleId},
+        ${defaultTenantId},
+        ${roleName},
+        ${roleDescription},
+        ${RoleType.MachineToMachine}
+      );
+    `);
+        // Assign Logto Management API permission `all` to the Logto Management API M2M role
+        await pool.query(sql `
+      insert into roles_scopes (id, role_id, scope_id, tenant_id)
+      values (
+        ${generateStandardId()},
+        ${roleId},
+        (
+          select scopes.id
+          from scopes
+          join resources on
+            scopes.tenant_id = resources.tenant_id and
+            scopes.resource_id = resources.id
+          where resources.indicator = ${defaultTenantManagementApiIndicator}
+          and scopes.name = ${PredefinedScope.All}
+          and scopes.tenant_id = ${defaultTenantId}
+        ),
+        ${defaultTenantId}
+      )
+    `);
+    },
+    down: async (pool) => {
+        if (!isCi) {
+            console.info("Skipping the down script `next-1716291265-create-pre-configured-m-api-role.ts` since it's should not be applied to production db.");
+            return;
+        }
+        // Delete the created role
+        await pool.query(sql `
+      delete from roles
+      where tenant_id = ${defaultTenantId}
+      and name = ${roleName}
+      and description = ${roleDescription}
+      and type = ${RoleType.MachineToMachine}
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.17.0-1717148078-remove-service-log-reference.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.17.0-1717148078-remove-service-log-reference.js ADDED Viewed

@@ -0,0 +1,15 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table service_logs drop constraint service_logs_tenant_id_fkey;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table service_logs add constraint service_logs_tenant_id_fkey
+        foreign key (tenant_id) references tenants(id) on update cascade on delete cascade;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1717567857-social-sign-in-linking.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1717567857-social-sign-in-linking.js ADDED Viewed

@@ -0,0 +1,14 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences add column social_sign_in jsonb not null default '{}'::jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences drop column social_sign_in;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1717597875-add-organization-email-domains-table.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1717597875-add-organization-email-domains-table.js ADDED Viewed

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table organization_email_domains (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The ID of the organization. */
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        /** The email domain that will be automatically provisioned. */
+        email_domain varchar(128) not null,
+        primary key (tenant_id, organization_id, email_domain)
+      );
+    `);
+        await applyTableRls(pool, 'organization_email_domains');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'organization_email_domains');
+        await pool.query(sql `
+      drop table organization_email_domains
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1717818597-organization-mfa-requirement.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1717818597-organization-mfa-requirement.js ADDED Viewed

@@ -0,0 +1,14 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table organizations add column is_mfa_required boolean not null default false;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table organizations drop column is_mfa_required;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1718340884-rename-org-email-domains-and-add-jit-roles-table.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1718340884-rename-org-email-domains-and-add-jit-roles-table.js ADDED Viewed

@@ -0,0 +1,51 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table organization_email_domains rename to organization_jit_email_domains;
+      alter table organization_jit_email_domains
+        rename constraint organization_email_domains_organization_id_fkey to organization_jit_email_domains_organization_id_fkey;
+      alter table organization_jit_email_domains
+        rename constraint organization_email_domains_pkey to organization_jit_email_domains_pkey;
+      alter table organization_jit_email_domains
+        rename constraint organization_email_domains_tenant_id_fkey to organization_jit_email_domains_tenant_id_fkey;
+      alter policy organization_email_domains_modification
+        on organization_jit_email_domains rename to organization_jit_email_domains_modification;
+      alter policy organization_email_domains_tenant_id
+        on organization_jit_email_domains rename to organization_jit_email_domains_tenant_id;
+      create table organization_jit_roles (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The ID of the organization. */
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        /** The organization role ID that will be automatically provisioned. */
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, organization_role_id)
+      );
+    `);
+        await applyTableRls(pool, 'organization_jit_roles');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'organization_jit_roles');
+        await pool.query(sql `
+      drop table organization_jit_roles
+    `);
+        await pool.query(sql `
+      alter table organization_jit_email_domains rename to organization_email_domains;
+      alter table organization_email_domains
+        rename constraint organization_jit_email_domains_organization_id_fkey to organization_email_domains_organization_id_fkey;
+      alter table organization_email_domains
+        rename constraint organization_jit_email_domains_pkey to organization_email_domains_pkey;
+      alter table organization_email_domains
+        rename constraint organization_jit_email_domains_tenant_id_fkey to organization_email_domains_tenant_id_fkey;
+      alter policy organization_jit_email_domains_modification
+        on organization_email_domains rename to organization_email_domains_modification;
+      alter policy organization_jit_email_domains_tenant_id
+        on organization_email_domains rename to organization_email_domains_tenant_id;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1718594164-add-agree-to-terms-policy.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1718594164-add-agree-to-terms-policy.js ADDED Viewed

@@ -0,0 +1,34 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from '@silverhand/slonik';
+const isCi = yes(process.env.CI);
+const alteration = {
+    up: async (pool) => {
+        // Create type
+        await pool.query(sql `
+      create type agree_to_terms_policy as enum ('Automatic', 'ManualRegistrationOnly', 'Manual');
+    `);
+        if (isCi) {
+            // Direct set default to 'Automatic' to align with the sql table definition when running CI
+            await pool.query(sql `
+        alter table sign_in_experiences add column agree_to_terms_policy agree_to_terms_policy not null default 'Automatic';
+      `);
+        }
+        else {
+            // For compatibility with existing data, default to 'ManualRegistrationOnly'
+            await pool.query(sql `
+        alter table sign_in_experiences add column agree_to_terms_policy agree_to_terms_policy not null default 'ManualRegistrationOnly';
+      `);
+            // For new data, default to 'Automatic'
+            await pool.query(sql `
+        alter table sign_in_experiences alter column agree_to_terms_policy set default 'Automatic';
+      `);
+        }
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences drop column agree_to_terms_policy;
+      drop type agree_to_terms_policy;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1718785576-organization-application-relations.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1718785576-organization-application-relations.js ADDED Viewed

@@ -0,0 +1,32 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create function check_application_type(application_id varchar(21), target_type application_type) returns boolean as
+      $$ begin
+        return (select type from applications where id = application_id) = target_type;
+      end; $$ language plpgsql;
+      create table organization_application_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, application_id),
+        constraint application_type
+          check (check_application_type(application_id, 'MachineToMachine'))
+      );
+    `);
+        await applyTableRls(pool, 'organization_application_relations');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'organization_application_relations');
+        await pool.query(sql `
+      drop table organization_application_relations;
+      drop function check_application_type;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1718786576-organization-jit-sso-connectors.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1718786576-organization-jit-sso-connectors.js ADDED Viewed

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table organization_jit_sso_connectors (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The ID of the organization. */
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        sso_connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        primary key (tenant_id, organization_id, sso_connector_id)
+      );
+    `);
+        await applyTableRls(pool, 'organization_jit_sso_connectors');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'organization_jit_sso_connectors');
+        await pool.query(sql `
+      drop table organization_jit_sso_connectors;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1718807616-organization-role-application-relations.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1718807616-organization-role-application-relations.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table organization_role_application_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        application_id varchar(21) not null,
+        primary key (tenant_id, organization_id, organization_role_id, application_id),
+        /** Application's roles in an organization should be synchronized with the application's membership in the organization. */
+        foreign key (tenant_id, organization_id, application_id)
+          references organization_application_relations (tenant_id, organization_id, application_id)
+          on update cascade on delete cascade
+      );
+    `);
+        await applyTableRls(pool, 'organization_role_application_relations');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'organization_role_application_relations');
+        await pool.query(sql `
+      drop table organization_role_application_relations;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1718865814-add-subject-tokens.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.18.0-1718865814-add-subject-tokens.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table subject_tokens (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(25) not null,
+        context jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+        expires_at timestamptz not null,
+        consumed_at timestamptz,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        created_at timestamptz not null default(now()),
+        creator_id varchar(32) not null, /* It is intented to not reference to user or application table */
+        primary key (id)
+      );
+      create index subject_token__id on subject_tokens (tenant_id, id);
+    `);
+        await applyTableRls(pool, 'subject_tokens');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'subject_tokens');
+        await pool.query(sql `
+      drop table subject_tokens
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.18.0-1719014832-organization-role-types.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;