@logto/schemas 1.22.0 → 1.23.1

package/alterations/1.23.0-1732851150-rename-saml-application-constraints.ts

@@ -0,0 +1,34 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs 
+        rename constraint application_type 
+        to saml_application_configs__application_type;
+    `);
+
+    await pool.query(sql`
+      alter table saml_application_secrets
+        rename constraint application_type 
+        to saml_application_secrets__application_type;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs 
+        rename constraint saml_application_configs__application_type 
+        to application_type;
+    `);
+
+    await pool.query(sql`
+      alter table saml_application_secrets
+        rename constraint saml_application_secrets__application_type 
+        to application_type;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.23.0-1733212543-add-saml-application-type-to-idp-initiated-sso-application-allow-list.ts

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA', 'SAML'));
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.23.0-1735012422-add-saml-application-sessions-table.ts

@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table saml_application_sessions (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(32) not null,
+        application_id varchar(21) not null 
+          references applications (id) on update cascade on delete cascade,
+        saml_request_id varchar(128) not null,
+        oidc_state varchar(32),
+        relay_state varchar(256),
+        raw_auth_request text not null,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        primary key (tenant_id, id),
+        constraint saml_application_sessions__application_type 
+          check (check_application_type(application_id, 'SAML'))
+      );
+    `);
+    await applyTableRls(pool, 'saml_application_sessions');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'saml_application_sessions');
+    await pool.query(sql`
+      drop table if exists saml_application_sessions;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.23.1-1735274337-add-encryption-config-to-saml-apps.ts

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+enum NameIdFormat {
+  /** Uses unique and persistent identifiers for the user. */
+  Persistent = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+}
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs
+        add column encryption jsonb,
+        add column name_id_format varchar(128);
+    `);
+    await pool.query(sql`
+      update saml_application_configs
+      set name_id_format = ${NameIdFormat.Persistent};
+    `);
+    await pool.query(sql`
+      alter table saml_application_configs
+        alter column name_id_format set not null;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs
+        drop column encryption,
+        drop column name_id_format;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.23.1-1735292380-make-saml-app-first-party-app.ts

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table applications drop constraint check_saml_app_third_party_consistency;
+    `);
+    await pool.query(sql`
+      update applications set is_third_party = false
+      where type = 'SAML';
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update applications set is_third_party = true
+      where type = 'SAML';
+    `);
+    await pool.query(sql`
+      alter table applications
+        add constraint check_saml_app_third_party_consistency
+          check (type != 'SAML' OR (type = 'SAML' AND is_third_party = true));
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.23.0-1732851150-rename-saml-application-constraints.js

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs 
+        rename constraint application_type 
+        to saml_application_configs__application_type;
+    `);
+        await pool.query(sql `
+      alter table saml_application_secrets
+        rename constraint application_type 
+        to saml_application_secrets__application_type;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs 
+        rename constraint saml_application_configs__application_type 
+        to application_type;
+    `);
+        await pool.query(sql `
+      alter table saml_application_secrets
+        rename constraint saml_application_secrets__application_type 
+        to application_type;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.23.0-1733212543-add-saml-application-type-to-idp-initiated-sso-application-allow-list.js

@@ -0,0 +1,24 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA', 'SAML'));
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.23.0-1735012422-add-saml-application-sessions-table.js

@@ -0,0 +1,32 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table saml_application_sessions (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(32) not null,
+        application_id varchar(21) not null 
+          references applications (id) on update cascade on delete cascade,
+        saml_request_id varchar(128) not null,
+        oidc_state varchar(32),
+        relay_state varchar(256),
+        raw_auth_request text not null,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        primary key (tenant_id, id),
+        constraint saml_application_sessions__application_type 
+          check (check_application_type(application_id, 'SAML'))
+      );
+    `);
+        await applyTableRls(pool, 'saml_application_sessions');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'saml_application_sessions');
+        await pool.query(sql `
+      drop table if exists saml_application_sessions;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.23.1-1735274337-add-encryption-config-to-saml-apps.js

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+var NameIdFormat;
+(function (NameIdFormat) {
+    /** Uses unique and persistent identifiers for the user. */
+    NameIdFormat["Persistent"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
+})(NameIdFormat || (NameIdFormat = {}));
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs
+        add column encryption jsonb,
+        add column name_id_format varchar(128);
+    `);
+        await pool.query(sql `
+      update saml_application_configs
+      set name_id_format = ${NameIdFormat.Persistent};
+    `);
+        await pool.query(sql `
+      alter table saml_application_configs
+        alter column name_id_format set not null;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs
+        drop column encryption,
+        drop column name_id_format;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.23.1-1735292380-make-saml-app-first-party-app.js

@@ -0,0 +1,24 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table applications drop constraint check_saml_app_third_party_consistency;
+    `);
+        await pool.query(sql `
+      update applications set is_third_party = false
+      where type = 'SAML';
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update applications set is_third_party = true
+      where type = 'SAML';
+    `);
+        await pool.query(sql `
+      alter table applications
+        add constraint check_saml_app_third_party_consistency
+          check (type != 'SAML' OR (type = 'SAML' AND is_third_party = true));
+    `);
+    },
+};
+export default alteration;

package/lib/consts/subscriptions.d.ts

@@ -8,26 +8,27 @@ export declare enum ReservedPlanId {
     Free = "free",
     /**
      * @deprecated
-     * In recent refactoring, the `hobby` plan is now treated as the `pro` plan.
-     * Only use this plan ID to check if a plan is a `pro` plan or not.
-     * This plan ID will be renamed to `pro` after legacy Stripe data is migrated by @darcyYe
-     *
-     * Todo @darcyYe:
-     * - LOG-7846: Rename `hobby` to `pro` and `pro` to `legacy-pro`
-     * - LOG-8339: Migrate legacy Stripe data
+     * Grandfathered Pro plan ID deprecated from 2024-11.
+     * Use {@link Pro202411} instead.
      */
-    Hobby = "hobby",
     Pro = "pro",
-    Enterprise = "enterprise",
-    /**
-     * @deprecated
-     * Should not use this plan ID, we only use this tag as a record for the legacy `pro` plan since we will rename the `hobby` plan to be `pro`.
-     */
-    GrandfatheredPro = "grandfathered-pro",
     Development = "dev",
     /**
      * This plan ID is reserved for Admin tenant.
      * In our new pricing model, we plan to add a special plan for Admin tenant, previously, admin tenant is using the `pro` plan, which is not suitable.
      */
-    Admin = "admin"
+    Admin = "admin",
+    /**
+     * The latest Pro plan ID applied from 2024-11.
+     */
+    Pro202411 = "pro-202411"
+}
+/**
+ * Tenant subscription related Redis cache keys.
+ *
+ * We use Redis to cache the tenant subscription data to reduce the number of requests to the Cloud.
+ * Both @logto/core and @logto/cloud will need to access the cache, so we define the cache keys here as the SSOT.
+ */
+export declare enum SubscriptionRedisCacheKey {
+    Subscription = "subscription"
 }

package/lib/consts/subscriptions.js

@@ -9,26 +9,28 @@ export var ReservedPlanId;
     ReservedPlanId["Free"] = "free";
     /**
      * @deprecated
-     * In recent refactoring, the `hobby` plan is now treated as the `pro` plan.
-     * Only use this plan ID to check if a plan is a `pro` plan or not.
-     * This plan ID will be renamed to `pro` after legacy Stripe data is migrated by @darcyYe
-     *
-     * Todo @darcyYe:
-     * - LOG-7846: Rename `hobby` to `pro` and `pro` to `legacy-pro`
-     * - LOG-8339: Migrate legacy Stripe data
+     * Grandfathered Pro plan ID deprecated from 2024-11.
+     * Use {@link Pro202411} instead.
      */
-    ReservedPlanId["Hobby"] = "hobby";
     ReservedPlanId["Pro"] = "pro";
-    ReservedPlanId["Enterprise"] = "enterprise";
-    /**
-     * @deprecated
-     * Should not use this plan ID, we only use this tag as a record for the legacy `pro` plan since we will rename the `hobby` plan to be `pro`.
-     */
-    ReservedPlanId["GrandfatheredPro"] = "grandfathered-pro";
     ReservedPlanId["Development"] = "dev";
     /**
      * This plan ID is reserved for Admin tenant.
      * In our new pricing model, we plan to add a special plan for Admin tenant, previously, admin tenant is using the `pro` plan, which is not suitable.
      */
     ReservedPlanId["Admin"] = "admin";
+    /**
+     * The latest Pro plan ID applied from 2024-11.
+     */
+    ReservedPlanId["Pro202411"] = "pro-202411";
 })(ReservedPlanId || (ReservedPlanId = {}));
+/**
+ * Tenant subscription related Redis cache keys.
+ *
+ * We use Redis to cache the tenant subscription data to reduce the number of requests to the Cloud.
+ * Both @logto/core and @logto/cloud will need to access the cache, so we define the cache keys here as the SSOT.
+ */
+export var SubscriptionRedisCacheKey;
+(function (SubscriptionRedisCacheKey) {
+    SubscriptionRedisCacheKey["Subscription"] = "subscription";
+})(SubscriptionRedisCacheKey || (SubscriptionRedisCacheKey = {}));

package/lib/db-entries/index.d.ts

@@ -44,6 +44,7 @@ export * from './role.js';
 export * from './roles-scope.js';
 export * from './saml-application-config.js';
 export * from './saml-application-secret.js';
+export * from './saml-application-session.js';
 export * from './scope.js';
 export * from './sentinel-activity.js';
 export * from './service-log.js';

package/lib/db-entries/index.js

@@ -45,6 +45,7 @@ export * from './role.js';
 export * from './roles-scope.js';
 export * from './saml-application-config.js';
 export * from './saml-application-secret.js';
+export * from './saml-application-session.js';
 export * from './scope.js';
 export * from './sentinel-activity.js';
 export * from './service-log.js';

package/lib/db-entries/saml-application-config.d.ts

@@ -1 +1,28 @@
-export {};
+import { SamlAttributeMapping, SamlAcsUrl, SamlEncryption, NameIdFormat, GeneratedSchema } from './../foundations/index.js';
+/**
+ * The SAML application config and SAML-type application have a one-to-one correspondence: 1. a SAML-type application can only have one SAML application config. (CANNOT use "semicolon" in comments, since it indicates the end of query.) 2. a SAML application config can only configure one SAML-type application.
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link SamlApplicationConfig} for the original type.
+ */
+export type CreateSamlApplicationConfig = {
+    applicationId: string;
+    tenantId?: string;
+    attributeMapping?: SamlAttributeMapping;
+    entityId?: string | null;
+    acsUrl?: SamlAcsUrl | null;
+    encryption?: SamlEncryption | null;
+    nameIdFormat: NameIdFormat;
+};
+/** The SAML application config and SAML-type application have a one-to-one correspondence: 1. a SAML-type application can only have one SAML application config. (CANNOT use "semicolon" in comments, since it indicates the end of query.) 2. a SAML application config can only configure one SAML-type application. */
+export type SamlApplicationConfig = {
+    applicationId: string;
+    tenantId: string;
+    attributeMapping: SamlAttributeMapping;
+    entityId: string | null;
+    acsUrl: SamlAcsUrl | null;
+    encryption: SamlEncryption | null;
+    nameIdFormat: NameIdFormat;
+};
+export type SamlApplicationConfigKeys = 'applicationId' | 'tenantId' | 'attributeMapping' | 'entityId' | 'acsUrl' | 'encryption' | 'nameIdFormat';
+export declare const SamlApplicationConfigs: GeneratedSchema<SamlApplicationConfigKeys, CreateSamlApplicationConfig, SamlApplicationConfig, 'saml_application_configs', 'saml_application_config'>;

package/lib/db-entries/saml-application-config.js

@@ -1,2 +1,46 @@
 // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
-export {};
+import { z } from 'zod';
+import { samlAttributeMappingGuard, samlAcsUrlGuard, samlEncryptionGuard, nameIdFormatGuard } from './../foundations/index.js';
+const createGuard = z.object({
+    applicationId: z.string().min(1).max(21),
+    tenantId: z.string().max(21).optional(),
+    attributeMapping: samlAttributeMappingGuard.optional(),
+    entityId: z.string().max(128).nullable().optional(),
+    acsUrl: samlAcsUrlGuard.nullable().optional(),
+    encryption: samlEncryptionGuard.nullable().optional(),
+    nameIdFormat: nameIdFormatGuard,
+});
+const guard = z.object({
+    applicationId: z.string().min(1).max(21),
+    tenantId: z.string().max(21),
+    attributeMapping: samlAttributeMappingGuard,
+    entityId: z.string().max(128).nullable(),
+    acsUrl: samlAcsUrlGuard.nullable(),
+    encryption: samlEncryptionGuard.nullable(),
+    nameIdFormat: nameIdFormatGuard,
+});
+export const SamlApplicationConfigs = Object.freeze({
+    table: 'saml_application_configs',
+    tableSingular: 'saml_application_config',
+    fields: {
+        applicationId: 'application_id',
+        tenantId: 'tenant_id',
+        attributeMapping: 'attribute_mapping',
+        entityId: 'entity_id',
+        acsUrl: 'acs_url',
+        encryption: 'encryption',
+        nameIdFormat: 'name_id_format',
+    },
+    fieldKeys: [
+        'applicationId',
+        'tenantId',
+        'attributeMapping',
+        'entityId',
+        'acsUrl',
+        'encryption',
+        'nameIdFormat',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/db-entries/saml-application-session.d.ts

@@ -0,0 +1,40 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link SamlApplicationSession} for the original type.
+ */
+export type CreateSamlApplicationSession = {
+    tenantId?: string;
+    /** The globally unique identifier of the session. */
+    id: string;
+    applicationId: string;
+    /** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */
+    samlRequestId: string;
+    /** The identifier of the OIDC auth request state. */
+    oidcState?: string | null;
+    /** The relay state of the SAML auth request. */
+    relayState?: string | null;
+    /** The raw request of the SAML auth request. */
+    rawAuthRequest: string;
+    createdAt?: number;
+    expiresAt: number;
+};
+export type SamlApplicationSession = {
+    tenantId: string;
+    /** The globally unique identifier of the session. */
+    id: string;
+    applicationId: string;
+    /** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */
+    samlRequestId: string;
+    /** The identifier of the OIDC auth request state. */
+    oidcState: string | null;
+    /** The relay state of the SAML auth request. */
+    relayState: string | null;
+    /** The raw request of the SAML auth request. */
+    rawAuthRequest: string;
+    createdAt: number;
+    expiresAt: number;
+};
+export type SamlApplicationSessionKeys = 'tenantId' | 'id' | 'applicationId' | 'samlRequestId' | 'oidcState' | 'relayState' | 'rawAuthRequest' | 'createdAt' | 'expiresAt';
+export declare const SamlApplicationSessions: GeneratedSchema<SamlApplicationSessionKeys, CreateSamlApplicationSession, SamlApplicationSession, 'saml_application_sessions', 'saml_application_session'>;

package/lib/db-entries/saml-application-session.js

@@ -0,0 +1,53 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    id: z.string().min(1).max(32),
+    applicationId: z.string().min(1).max(21),
+    samlRequestId: z.string().min(1).max(128),
+    oidcState: z.string().max(32).nullable().optional(),
+    relayState: z.string().max(256).nullable().optional(),
+    rawAuthRequest: z.string().min(1),
+    createdAt: z.number().optional(),
+    expiresAt: z.number(),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    id: z.string().min(1).max(32),
+    applicationId: z.string().min(1).max(21),
+    samlRequestId: z.string().min(1).max(128),
+    oidcState: z.string().max(32).nullable(),
+    relayState: z.string().max(256).nullable(),
+    rawAuthRequest: z.string().min(1),
+    createdAt: z.number(),
+    expiresAt: z.number(),
+});
+export const SamlApplicationSessions = Object.freeze({
+    table: 'saml_application_sessions',
+    tableSingular: 'saml_application_session',
+    fields: {
+        tenantId: 'tenant_id',
+        id: 'id',
+        applicationId: 'application_id',
+        samlRequestId: 'saml_request_id',
+        oidcState: 'oidc_state',
+        relayState: 'relay_state',
+        rawAuthRequest: 'raw_auth_request',
+        createdAt: 'created_at',
+        expiresAt: 'expires_at',
+    },
+    fieldKeys: [
+        'tenantId',
+        'id',
+        'applicationId',
+        'samlRequestId',
+        'oidcState',
+        'relayState',
+        'rawAuthRequest',
+        'createdAt',
+        'expiresAt',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/foundations/jsonb-types/index.d.ts

@@ -11,5 +11,6 @@ export * from './applications.js';
 export * from './verification-records.js';
 export * from './account-centers.js';
 export * from './saml-application-configs.js';
+export * from './saml-application-sessions.js';
 export { configurableConnectorMetadataGuard, type ConfigurableConnectorMetadata, jsonGuard, jsonObjectGuard, } from '@logto/connector-kit';
 export type { Json, JsonObject } from '@withtyped/server';

package/lib/foundations/jsonb-types/index.js

@@ -11,4 +11,5 @@ export * from './applications.js';
 export * from './verification-records.js';
 export * from './account-centers.js';
 export * from './saml-application-configs.js';
+export * from './saml-application-sessions.js';
 export { configurableConnectorMetadataGuard, jsonGuard, jsonObjectGuard, } from '@logto/connector-kit';