@logto/schemas 1.19.0 → 1.21.0

package/lib/foundations/jsonb-types/sso-connector.d.ts

@@ -15,3 +15,52 @@ export declare const ssoBrandingGuard: z.ZodObject<{
     darkLogo?: string | undefined;
 }>;
 export type SsoBranding = z.infer<typeof ssoBrandingGuard>;
+export declare const idpInitiatedAuthParamsGuard: z.ZodObject<{
+    scope: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodString, z.objectOutputType<{
+    scope: z.ZodOptional<z.ZodString>;
+}, z.ZodString, "strip">, z.objectInputType<{
+    scope: z.ZodOptional<z.ZodString>;
+}, z.ZodString, "strip">>;
+export type IdpInitiatedAuthParams = z.infer<typeof idpInitiatedAuthParamsGuard>;
+export declare const ssoSamlAssertionContentGuard: z.ZodObject<{
+    nameID: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+    conditions: z.ZodOptional<z.ZodObject<{
+        notBefore: z.ZodOptional<z.ZodString>;
+        notOnOrAfter: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }>>;
+}, "strip", z.ZodUnknown, z.objectOutputType<{
+    nameID: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+    conditions: z.ZodOptional<z.ZodObject<{
+        notBefore: z.ZodOptional<z.ZodString>;
+        notOnOrAfter: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }>>;
+}, z.ZodUnknown, "strip">, z.objectInputType<{
+    nameID: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+    conditions: z.ZodOptional<z.ZodObject<{
+        notBefore: z.ZodOptional<z.ZodString>;
+        notOnOrAfter: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }>>;
+}, z.ZodUnknown, "strip">>;
+export type SsoSamlAssertionContent = z.infer<typeof ssoSamlAssertionContentGuard>;

package/lib/foundations/jsonb-types/sso-connector.js

@@ -5,3 +5,20 @@ export const ssoBrandingGuard = z.object({
     logo: z.string().optional(),
     darkLogo: z.string().optional(),
 });
+export const idpInitiatedAuthParamsGuard = z
+    .object({
+    scope: z.string().optional(),
+})
+    .catchall(z.string());
+export const ssoSamlAssertionContentGuard = z
+    .object({
+    nameID: z.string().optional(),
+    attributes: z.record(z.string().or(z.array(z.string()))).optional(),
+    conditions: z
+        .object({
+        notBefore: z.string().optional(),
+        notOnOrAfter: z.string().optional(),
+    })
+        .optional(),
+})
+    .catchall(z.unknown());

package/lib/foundations/jsonb-types/verification-records.d.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod';
+export declare enum VerificationType {
+    Password = "Password",
+    EmailVerificationCode = "EmailVerificationCode",
+    PhoneVerificationCode = "PhoneVerificationCode",
+    Social = "Social",
+    EnterpriseSso = "EnterpriseSso",
+    TOTP = "Totp",
+    WebAuthn = "WebAuthn",
+    BackupCode = "BackupCode",
+    NewPasswordIdentity = "NewPasswordIdentity"
+}
+export declare const verificationTypeGuard: z.ZodNativeEnum<typeof VerificationType>;

package/lib/foundations/jsonb-types/verification-records.js

@@ -0,0 +1,14 @@
+import { z } from 'zod';
+export var VerificationType;
+(function (VerificationType) {
+    VerificationType["Password"] = "Password";
+    VerificationType["EmailVerificationCode"] = "EmailVerificationCode";
+    VerificationType["PhoneVerificationCode"] = "PhoneVerificationCode";
+    VerificationType["Social"] = "Social";
+    VerificationType["EnterpriseSso"] = "EnterpriseSso";
+    VerificationType["TOTP"] = "Totp";
+    VerificationType["WebAuthn"] = "WebAuthn";
+    VerificationType["BackupCode"] = "BackupCode";
+    VerificationType["NewPasswordIdentity"] = "NewPasswordIdentity";
+})(VerificationType || (VerificationType = {}));
+export const verificationTypeGuard = z.nativeEnum(VerificationType);

package/lib/seeds/cloud-api.d.ts

@@ -14,6 +14,10 @@ export declare enum CloudScope {
      * scripts and fetch the parsed token payload.
      */
     FetchCustomJwt = "fetch:custom:jwt",
+    /**
+     * The entity can report changes on Stripe subscription to Logto Cloud.
+     */
+    ReportSubscriptionUpdates = "report:subscription:updates",
     /** The user can see and manage affiliates, including create, update, and delete. */
     ManageAffiliate = "manage:affiliate",
     /** The user can create new affiliates and logs. */

package/lib/seeds/cloud-api.js

@@ -17,6 +17,10 @@ export var CloudScope;
      * scripts and fetch the parsed token payload.
      */
     CloudScope["FetchCustomJwt"] = "fetch:custom:jwt";
+    /**
+     * The entity can report changes on Stripe subscription to Logto Cloud.
+     */
+    CloudScope["ReportSubscriptionUpdates"] = "report:subscription:updates";
     /** The user can see and manage affiliates, including create, update, and delete. */
     CloudScope["ManageAffiliate"] = "manage:affiliate";
     /** The user can create new affiliates and logs. */
@@ -51,6 +55,7 @@ export const createCloudApi = () => {
         buildScope(CloudScope.SendEmail, 'Allow sending emails. This scope is only available to M2M application.'),
         buildScope(CloudScope.SendSms, 'Allow sending SMS. This scope is only available to M2M application.'),
         buildScope(CloudScope.FetchCustomJwt, 'Allow accessing external resource to execute JWT payload customizer script and fetch the parsed token payload.'),
+        buildScope(CloudScope.ReportSubscriptionUpdates, 'Allow reporting changes on Stripe subscription to Logto Cloud.'),
         buildScope(CloudScope.CreateAffiliate, 'Allow creating new affiliates and logs.'),
         buildScope(CloudScope.ManageAffiliate, 'Allow managing affiliates, including create, update, and delete.'),
     ]);

package/lib/types/connector.d.ts

@@ -222,6 +222,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -350,6 +351,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -543,6 +545,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -671,6 +674,7 @@ export declare const connectorResponseGuard: z.ZodObject<z.objectUtil.extendShap
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1059,6 +1063,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1187,6 +1192,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1374,6 +1380,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;
@@ -1502,6 +1509,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<z.objectUtil.ext
     } & {
         "af-ZA"?: string | undefined;
         "am-ET"?: string | undefined;
+        ar?: string | undefined;
         "ar-AR"?: string | undefined;
         "as-IN"?: string | undefined;
         "az-AZ"?: string | undefined;

package/lib/types/consent.d.ts

@@ -882,6 +882,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         termsOfUseUrl?: string | null | undefined;
         privacyPolicyUrl?: string | null | undefined;
     };
+    redirectUri: string;
     user: {
         name: string | null;
         id: string;
@@ -890,7 +891,6 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         primaryPhone: string | null;
         avatar: string | null;
     };
-    redirectUri: string;
     organizations?: {
         name: string;
         id: string;
@@ -934,6 +934,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         termsOfUseUrl?: string | null | undefined;
         privacyPolicyUrl?: string | null | undefined;
     };
+    redirectUri: string;
     user: {
         name: string | null;
         id: string;
@@ -942,7 +943,6 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         primaryPhone: string | null;
         avatar: string | null;
     };
-    redirectUri: string;
     organizations?: {
         name: string;
         id: string;

package/lib/types/interactions.d.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { MfaFactor, SignInIdentifier } from '../foundations/index.js';
+import { AdditionalIdentifier, MfaFactor, SignInIdentifier } from '../foundations/index.js';
 import type { EmailVerificationCodePayload, PhoneVerificationCodePayload } from './verification-code.js';
 /**
  * User interaction events defined in Logto RFC 0004.
@@ -10,6 +10,20 @@ export declare enum InteractionEvent {
     Register = "Register",
     ForgotPassword = "ForgotPassword"
 }
+export type VerificationIdentifier = {
+    type: SignInIdentifier | AdditionalIdentifier;
+    value: string;
+};
+export declare const verificationIdentifierGuard: z.ZodObject<{
+    type: z.ZodUnion<[z.ZodNativeEnum<typeof SignInIdentifier>, z.ZodNativeEnum<typeof AdditionalIdentifier>]>;
+    value: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: SignInIdentifier | AdditionalIdentifier;
+    value: string;
+}, {
+    type: SignInIdentifier | AdditionalIdentifier;
+    value: string;
+}>;
 /** Identifiers that can be used to uniquely identify a user. */
 export type InteractionIdentifier<T extends SignInIdentifier = SignInIdentifier> = {
     type: T;
@@ -41,18 +55,6 @@ export declare const verificationCodeIdentifierGuard: z.ZodObject<{
     type: SignInIdentifier.Email | SignInIdentifier.Phone;
     value: string;
 }>;
-/** Logto supported interaction verification types. */
-export declare enum VerificationType {
-    Password = "Password",
-    EmailVerificationCode = "EmailVerificationCode",
-    PhoneVerificationCode = "PhoneVerificationCode",
-    Social = "Social",
-    EnterpriseSso = "EnterpriseSso",
-    TOTP = "Totp",
-    WebAuthn = "WebAuthn",
-    BackupCode = "BackupCode",
-    NewPasswordIdentity = "NewPasswordIdentity"
-}
 /** Payload type for `POST /api/experience/verification/{social|sso}/:connectorId/authorization-uri`. */
 export type SocialAuthorizationUrlPayload = {
     state: string;
@@ -62,11 +64,11 @@ export declare const socialAuthorizationUrlPayloadGuard: z.ZodObject<{
     state: z.ZodString;
     redirectUri: z.ZodString;
 }, "strip", z.ZodTypeAny, {
-    state: string;
     redirectUri: string;
-}, {
     state: string;
+}, {
     redirectUri: string;
+    state: string;
 }>;
 /** Payload type for `POST /api/experience/verification/{social|sso}/:connectorId/verify`. */
 export type SocialVerificationCallbackPayload = {

package/lib/types/interactions.js

@@ -1,6 +1,6 @@
 import { emailRegEx, phoneRegEx, usernameRegEx } from '@logto/core-kit';
 import { z } from 'zod';
-import { MfaFactor, SignInIdentifier, jsonObjectGuard, webAuthnTransportGuard, } from '../foundations/index.js';
+import { AdditionalIdentifier, MfaFactor, SignInIdentifier, jsonObjectGuard, webAuthnTransportGuard, } from '../foundations/index.js';
 import { emailVerificationCodePayloadGuard, phoneVerificationCodePayloadGuard, } from './verification-code.js';
 /**
  * User interaction events defined in Logto RFC 0004.
@@ -12,6 +12,10 @@ export var InteractionEvent;
     InteractionEvent["Register"] = "Register";
     InteractionEvent["ForgotPassword"] = "ForgotPassword";
 })(InteractionEvent || (InteractionEvent = {}));
+export const verificationIdentifierGuard = z.object({
+    type: z.union([z.nativeEnum(SignInIdentifier), z.nativeEnum(AdditionalIdentifier)]),
+    value: z.string(),
+});
 export const interactionIdentifierGuard = z.object({
     type: z.nativeEnum(SignInIdentifier),
     value: z.string(),
@@ -20,19 +24,6 @@ export const verificationCodeIdentifierGuard = z.object({
     type: z.enum([SignInIdentifier.Email, SignInIdentifier.Phone]),
     value: z.string(),
 });
-/** Logto supported interaction verification types. */
-export var VerificationType;
-(function (VerificationType) {
-    VerificationType["Password"] = "Password";
-    VerificationType["EmailVerificationCode"] = "EmailVerificationCode";
-    VerificationType["PhoneVerificationCode"] = "PhoneVerificationCode";
-    VerificationType["Social"] = "Social";
-    VerificationType["EnterpriseSso"] = "EnterpriseSso";
-    VerificationType["TOTP"] = "Totp";
-    VerificationType["WebAuthn"] = "WebAuthn";
-    VerificationType["BackupCode"] = "BackupCode";
-    VerificationType["NewPasswordIdentity"] = "NewPasswordIdentity";
-})(VerificationType || (VerificationType = {}));
 export const socialAuthorizationUrlPayloadGuard = z.object({
     state: z.string(),
     redirectUri: z.string(),

package/lib/types/log/interaction.d.ts

@@ -1,5 +1,5 @@
-import { type MfaFactor } from '../../foundations/index.js';
-import type { InteractionEvent, VerificationType } from '../interactions.js';
+import { type VerificationType, type MfaFactor } from '../../foundations/index.js';
+import type { InteractionEvent } from '../interactions.js';
 export type Prefix = 'Interaction';
 export declare const prefix: Prefix;
 /** The interaction field to update. This is valid based on we only allow users update one field at a time. */
@@ -67,4 +67,4 @@ export declare enum Action {
  *   - When {@link Method} is `VerificationCode`, {@link Action} can be `Create` (generate and send a code) or `Submit` (verify and submit to the identifiers);
  *   - Otherwise, {@link Action} is fixed to `Submit` (other methods can be verified on submitting).
  */
-export type LogKey = `${Prefix}.${Action.Create | Action.End}` | `${Prefix}.${InteractionEvent}.${Action.Create | Action.Update | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.Profile}.${Action.Update | Action.Create | Action.Delete}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Exclude<Method, Method.Password>}.${Action.Create | Action.Submit}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Method.Password}.${Action.Submit}` | `${Prefix}.${InteractionEvent.ForgotPassword}.${Field.Identifier}.${Method.VerificationCode}.${Action.Create | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.BindMfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent.SignIn}.${Field.Mfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent}.${Field.Verification}.${VerificationType}.${Action}` | `${Prefix}.${InteractionEvent}.${Field.Identifier}.${Action.Submit}`;
+export type LogKey = `${Prefix}.${Action.Create | Action.End}` | `${Prefix}.${InteractionEvent}.${Action.Create | Action.Update | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.Profile}.${Action.Update | Action.Create | Action.Delete}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Exclude<Method, Method.Password>}.${Action.Create | Action.Submit}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Method.Password}.${Action.Submit}` | `${Prefix}.${InteractionEvent.ForgotPassword}.${Field.Identifier}.${Method.VerificationCode}.${Action.Create | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.BindMfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent.SignIn}.${Field.Mfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent}.${Field.Verification}.${VerificationType}.${Action}` | `${Prefix}.${InteractionEvent}.${Field.Identifier}.${Action.Submit}` | `${Prefix}.${InteractionEvent.SignIn}.${Field.Verification}.IdpInitiatedSso.${Action.Create}`;

package/lib/types/logto-config/jwt-customizer.d.ts

@@ -1890,3 +1890,51 @@ export declare const customJwtFetcherGuard: z.ZodDiscriminatedUnion<"tokenType",
     environmentVariables?: Record<string, string> | undefined;
 }>]>;
 export type CustomJwtFetcher = z.infer<typeof customJwtFetcherGuard>;
+export declare enum CustomJwtErrorCode {
+    /**
+     * The `AccessDenied` error explicitly thrown
+     * by calling the `api.denyAccess` function in the custom JWT script.
+     */
+    AccessDenied = "AccessDenied",
+    /** General JWT customizer error,
+     * this is the fallback custom jwt error code
+     * for any internal error thrown by the JWT customizer (localVM, azure function, or CF worker).
+     */
+    General = "General"
+}
+export declare const customJwtErrorBodyGuard: z.ZodObject<{
+    code: z.ZodNativeEnum<typeof CustomJwtErrorCode>;
+    message: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    code: CustomJwtErrorCode;
+    message: string;
+}, {
+    code: CustomJwtErrorCode;
+    message: string;
+}>;
+export type CustomJwtErrorBody = z.infer<typeof customJwtErrorBodyGuard>;
+export type CustomJwtApiContext = {
+    /**
+     * Reject the the current token request.
+     *
+     * @remarks
+     * By calling this function, the current token request will be rejected,
+     * and a OIDC `AccessDenied` error will be thrown to the client with the given message.
+     *
+     * @param message The message to be shown to the user.
+     * @throws {ResponseError} with `CustomJwtErrorBody`
+     */
+    denyAccess: (message?: string) => never;
+};
+/**
+ * The payload type for the custom JWT script.
+ *
+ * @remarks
+ * We use this type to guard the input payload for the custom JWT script.
+ */
+export type CustomJwtScriptPayload = {
+    token: Record<string, unknown>;
+    context?: Record<string, unknown>;
+    environmentVariables?: Record<string, string>;
+    api: CustomJwtApiContext;
+};

package/lib/types/logto-config/jwt-customizer.js

@@ -101,3 +101,20 @@ export const customJwtFetcherGuard = z.discriminatedUnion('tokenType', [
         tokenType: z.literal(LogtoJwtTokenKeyType.ClientCredentials),
     }),
 ]);
+export var CustomJwtErrorCode;
+(function (CustomJwtErrorCode) {
+    /**
+     * The `AccessDenied` error explicitly thrown
+     * by calling the `api.denyAccess` function in the custom JWT script.
+     */
+    CustomJwtErrorCode["AccessDenied"] = "AccessDenied";
+    /** General JWT customizer error,
+     * this is the fallback custom jwt error code
+     * for any internal error thrown by the JWT customizer (localVM, azure function, or CF worker).
+     */
+    CustomJwtErrorCode["General"] = "General";
+})(CustomJwtErrorCode || (CustomJwtErrorCode = {}));
+export const customJwtErrorBodyGuard = z.object({
+    code: z.nativeEnum(CustomJwtErrorCode),
+    message: z.string(),
+});

package/lib/types/sign-in-experience.d.ts

@@ -54,10 +54,10 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
     }>;
     languageInfo: z.ZodType<{
         autoDetect: boolean;
-        fallbackLanguage: "af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+        fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
     }, z.ZodTypeDef, {
         autoDetect: boolean;
-        fallbackLanguage: "af-ZA" | "am-ET" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+        fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
     }>;
     termsOfUseUrl: z.ZodType<string | null, z.ZodTypeDef, string | null>;
     privacyPolicyUrl: z.ZodType<string | null, z.ZodTypeDef, string | null>;
@@ -332,6 +332,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;
@@ -466,6 +467,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;
@@ -671,6 +673,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;
@@ -845,6 +848,7 @@ export declare const fullSignInExperienceGuard: z.ZodObject<z.objectUtil.extendS
         } & {
             "af-ZA"?: string | undefined;
             "am-ET"?: string | undefined;
+            ar?: string | undefined;
             "ar-AR"?: string | undefined;
             "as-IN"?: string | undefined;
             "az-AZ"?: string | undefined;

package/lib/types/sso-connector.d.ts

@@ -140,4 +140,7 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<z.objectUt
     providerConfig?: Record<string, unknown> | undefined;
 }>;
 export type SsoConnectorWithProviderConfig = z.infer<typeof ssoConnectorWithProviderConfigGuard>;
+export declare enum SsoAuthenticationQueryKey {
+    SsoConnectorId = "ssoConnectorId"
+}
 export {};

package/lib/types/sso-connector.js

@@ -69,3 +69,7 @@ z.object({
     // - SAML: connection config fetched from the metadata url or metadata file.
     providerConfig: z.record(z.unknown()).optional(),
 }));
+export var SsoAuthenticationQueryKey;
+(function (SsoAuthenticationQueryKey) {
+    SsoAuthenticationQueryKey["SsoConnectorId"] = "ssoConnectorId";
+})(SsoAuthenticationQueryKey || (SsoAuthenticationQueryKey = {}));

package/lib/types/system.d.ts

@@ -250,8 +250,25 @@ export type CloudflareType = {
 export declare const cloudflareGuard: Readonly<{
     [key in CloudflareKey]: ZodType<CloudflareType[key]>;
 }>;
-export type SystemKey = AlterationStateKey | StorageProviderKey | DemoSocialKey | CloudflareKey | EmailServiceProviderKey;
-export type SystemType = AlterationStateType | StorageProviderType | DemoSocialType | CloudflareType | EmailServiceProviderType;
-export type SystemGuard = typeof alterationStateGuard & typeof storageProviderGuard & typeof demoSocialGuard & typeof cloudflareGuard & typeof emailServiceProviderGuard;
+export declare enum FeatureFlagConfigKey {
+    NewExperienceFeatureFlag = "newExperienceFeatureFlag"
+}
+export declare const featureFlagConfigGuard: z.ZodObject<{
+    percentage: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    percentage: number;
+}, {
+    percentage: number;
+}>;
+export type FeatureFlagConfig = z.infer<typeof featureFlagConfigGuard>;
+export type FeatureFlagConfigType = {
+    [FeatureFlagConfigKey.NewExperienceFeatureFlag]: FeatureFlagConfig;
+};
+export declare const featureFlagConfigsGuard: Readonly<{
+    [key in FeatureFlagConfigKey]: ZodType<FeatureFlagConfigType[key]>;
+}>;
+export type SystemKey = AlterationStateKey | StorageProviderKey | DemoSocialKey | CloudflareKey | EmailServiceProviderKey | FeatureFlagConfigKey;
+export type SystemType = AlterationStateType | StorageProviderType | DemoSocialType | CloudflareType | EmailServiceProviderType | FeatureFlagConfigType;
+export type SystemGuard = typeof alterationStateGuard & typeof storageProviderGuard & typeof demoSocialGuard & typeof cloudflareGuard & typeof emailServiceProviderGuard & typeof featureFlagConfigsGuard;
 export declare const systemKeys: readonly SystemKey[];
 export declare const systemGuards: SystemGuard;

package/lib/types/system.js

@@ -145,12 +145,24 @@ export const cloudflareGuard = Object.freeze({
     [CloudflareKey.ProtectedAppHostnameProvider]: hostnameProviderDataGuard,
     [CloudflareKey.CustomJwtWorkerConfig]: customJwtWorkerConfigGuard,
 });
+// A/B Test settings
+export var FeatureFlagConfigKey;
+(function (FeatureFlagConfigKey) {
+    FeatureFlagConfigKey["NewExperienceFeatureFlag"] = "newExperienceFeatureFlag";
+})(FeatureFlagConfigKey || (FeatureFlagConfigKey = {}));
+export const featureFlagConfigGuard = z.object({
+    percentage: z.number().min(0).max(1),
+});
+export const featureFlagConfigsGuard = Object.freeze({
+    [FeatureFlagConfigKey.NewExperienceFeatureFlag]: featureFlagConfigGuard,
+});
 export const systemKeys = Object.freeze([
     ...Object.values(AlterationStateKey),
     ...Object.values(StorageProviderKey),
     ...Object.values(DemoSocialKey),
     ...Object.values(CloudflareKey),
     ...Object.values(EmailServiceProviderKey),
+    ...Object.values(FeatureFlagConfigKey),
 ]);
 export const systemGuards = Object.freeze({
     ...alterationStateGuard,
@@ -158,4 +170,5 @@ export const systemGuards = Object.freeze({
     ...demoSocialGuard,
     ...cloudflareGuard,
     ...emailServiceProviderGuard,
+    ...featureFlagConfigsGuard,
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.19.0",
+  "version": "1.21.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -66,10 +66,10 @@
     "@logto/connector-kit": "^4.0.0",
     "@logto/core-kit": "^2.5.0",
     "@logto/language-kit": "^1.1.0",
-    "@logto/phrases": "^1.13.0",
-    "@logto/phrases-experience": "^1.7.0",
-    "@logto/shared": "^3.1.1",
-    "@withtyped/server": "^0.13.6",
+    "@logto/phrases": "^1.14.1",
+    "@logto/phrases-experience": "^1.8.0",
+    "@logto/shared": "^3.1.2",
+    "@withtyped/server": "^0.14.0",
     "nanoid": "^5.0.1"
   },
   "peerDependencies": {

package/tables/idp_initiated_saml_sso_sessions.sql

@@ -0,0 +1,16 @@
+/* init_order = 2 */
+create table idp_initiated_saml_sso_sessions (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the assertion record. */
+  id varchar(21) not null,
+  /** The identifier of the SAML SSO connector. */
+  connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  /** The SAML assertion. */
+  assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  /** The expiration time of the assertion. */
+  expires_at timestamptz not null,
+  primary key (tenant_id, id)
+);

package/tables/personal_access_tokens.sql

@@ -0,0 +1,16 @@
+/* init_order = 2 */
+
+create table personal_access_tokens (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  user_id varchar(21) not null
+    references users (id) on update cascade on delete cascade,
+  /** The name of the secret. Should be unique within the user. */
+  name varchar(256) not null,
+  value varchar(64) not null,
+  created_at timestamptz not null default now(),
+  expires_at timestamptz,
+  primary key (tenant_id, user_id, name)
+);
+
+create index personal_access_token__value on personal_access_tokens (tenant_id, value);

package/tables/sso_connector_idp_initiated_auth_configs.sql

@@ -0,0 +1,24 @@
+/** init_order = 2 */
+create table sso_connector_idp_initiated_auth_configs (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the SSO connector. */
+  connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  /** The default Logto application id. */
+  default_application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** OIDC sign-in redirect URI. */
+  redirect_uri text,
+  /** Additional OIDC auth parameters. */
+  auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+  /** Whether to auto-trigger the auth flow on an IdP-initiated auth request. */
+  auto_send_authorization_request boolean not null default false,
+  /** The client side callback URI for handling IdP-initiated auth request. */
+  client_idp_initiated_auth_callback_uri text,
+  created_at timestamptz not null default(now()),
+  primary key (tenant_id, connector_id),
+  /** Insure the application type is Traditional or SPA. */
+  constraint application_type
+    check (check_application_type(default_application_id, 'Traditional', 'SPA'))
+);