@logto/schemas 1.23.0 → 1.24.0

package/alterations/1.23.1-1735274337-add-encryption-config-to-saml-apps.ts

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+enum NameIdFormat {
+  /** Uses unique and persistent identifiers for the user. */
+  Persistent = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+}
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs
+        add column encryption jsonb,
+        add column name_id_format varchar(128);
+    `);
+    await pool.query(sql`
+      update saml_application_configs
+      set name_id_format = ${NameIdFormat.Persistent};
+    `);
+    await pool.query(sql`
+      alter table saml_application_configs
+        alter column name_id_format set not null;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs
+        drop column encryption,
+        drop column name_id_format;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.23.1-1735292380-make-saml-app-first-party-app.ts

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table applications drop constraint check_saml_app_third_party_consistency;
+    `);
+    await pool.query(sql`
+      update applications set is_third_party = false
+      where type = 'SAML';
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update applications set is_third_party = true
+      where type = 'SAML';
+    `);
+    await pool.query(sql`
+      alter table applications
+        add constraint check_saml_app_third_party_consistency
+          check (type != 'SAML' OR (type = 'SAML' AND is_third_party = true));
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.23.1-1735274337-add-encryption-config-to-saml-apps.js

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+var NameIdFormat;
+(function (NameIdFormat) {
+    /** Uses unique and persistent identifiers for the user. */
+    NameIdFormat["Persistent"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
+})(NameIdFormat || (NameIdFormat = {}));
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs
+        add column encryption jsonb,
+        add column name_id_format varchar(128);
+    `);
+        await pool.query(sql `
+      update saml_application_configs
+      set name_id_format = ${NameIdFormat.Persistent};
+    `);
+        await pool.query(sql `
+      alter table saml_application_configs
+        alter column name_id_format set not null;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs
+        drop column encryption,
+        drop column name_id_format;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.23.1-1735292380-make-saml-app-first-party-app.js

@@ -0,0 +1,24 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table applications drop constraint check_saml_app_third_party_consistency;
+    `);
+        await pool.query(sql `
+      update applications set is_third_party = false
+      where type = 'SAML';
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update applications set is_third_party = true
+      where type = 'SAML';
+    `);
+        await pool.query(sql `
+      alter table applications
+        add constraint check_saml_app_third_party_consistency
+          check (type != 'SAML' OR (type = 'SAML' AND is_third_party = true));
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/saml-application-config.d.ts

@@ -1,4 +1,4 @@
-import { SamlAttributeMapping, SamlAcsUrl, GeneratedSchema } from './../foundations/index.js';
+import { SamlAttributeMapping, SamlAcsUrl, SamlEncryption, NameIdFormat, GeneratedSchema } from './../foundations/index.js';
 /**
  * The SAML application config and SAML-type application have a one-to-one correspondence: 1. a SAML-type application can only have one SAML application config. (CANNOT use "semicolon" in comments, since it indicates the end of query.) 2. a SAML application config can only configure one SAML-type application.
  *
@@ -11,6 +11,8 @@ export type CreateSamlApplicationConfig = {
     attributeMapping?: SamlAttributeMapping;
     entityId?: string | null;
     acsUrl?: SamlAcsUrl | null;
+    encryption?: SamlEncryption | null;
+    nameIdFormat: NameIdFormat;
 };
 /** The SAML application config and SAML-type application have a one-to-one correspondence: 1. a SAML-type application can only have one SAML application config. (CANNOT use "semicolon" in comments, since it indicates the end of query.) 2. a SAML application config can only configure one SAML-type application. */
 export type SamlApplicationConfig = {
@@ -19,6 +21,8 @@ export type SamlApplicationConfig = {
     attributeMapping: SamlAttributeMapping;
     entityId: string | null;
     acsUrl: SamlAcsUrl | null;
+    encryption: SamlEncryption | null;
+    nameIdFormat: NameIdFormat;
 };
-export type SamlApplicationConfigKeys = 'applicationId' | 'tenantId' | 'attributeMapping' | 'entityId' | 'acsUrl';
+export type SamlApplicationConfigKeys = 'applicationId' | 'tenantId' | 'attributeMapping' | 'entityId' | 'acsUrl' | 'encryption' | 'nameIdFormat';
 export declare const SamlApplicationConfigs: GeneratedSchema<SamlApplicationConfigKeys, CreateSamlApplicationConfig, SamlApplicationConfig, 'saml_application_configs', 'saml_application_config'>;

package/lib/db-entries/saml-application-config.js

@@ -1,12 +1,14 @@
 // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
 import { z } from 'zod';
-import { samlAttributeMappingGuard, samlAcsUrlGuard } from './../foundations/index.js';
+import { samlAttributeMappingGuard, samlAcsUrlGuard, samlEncryptionGuard, nameIdFormatGuard } from './../foundations/index.js';
 const createGuard = z.object({
     applicationId: z.string().min(1).max(21),
     tenantId: z.string().max(21).optional(),
     attributeMapping: samlAttributeMappingGuard.optional(),
     entityId: z.string().max(128).nullable().optional(),
     acsUrl: samlAcsUrlGuard.nullable().optional(),
+    encryption: samlEncryptionGuard.nullable().optional(),
+    nameIdFormat: nameIdFormatGuard,
 });
 const guard = z.object({
     applicationId: z.string().min(1).max(21),
@@ -14,6 +16,8 @@ const guard = z.object({
     attributeMapping: samlAttributeMappingGuard,
     entityId: z.string().max(128).nullable(),
     acsUrl: samlAcsUrlGuard.nullable(),
+    encryption: samlEncryptionGuard.nullable(),
+    nameIdFormat: nameIdFormatGuard,
 });
 export const SamlApplicationConfigs = Object.freeze({
     table: 'saml_application_configs',
@@ -24,6 +28,8 @@ export const SamlApplicationConfigs = Object.freeze({
         attributeMapping: 'attribute_mapping',
         entityId: 'entity_id',
         acsUrl: 'acs_url',
+        encryption: 'encryption',
+        nameIdFormat: 'name_id_format',
     },
     fieldKeys: [
         'applicationId',
@@ -31,6 +37,8 @@ export const SamlApplicationConfigs = Object.freeze({
         'attributeMapping',
         'entityId',
         'acsUrl',
+        'encryption',
+        'nameIdFormat',
     ],
     createGuard,
     guard,

package/lib/foundations/jsonb-types/saml-application-configs.d.ts

@@ -1,6 +1,14 @@
+import { type UserClaim } from '@logto/core-kit';
 import { z } from 'zod';
-export type SamlAttributeMapping = Record<string, string>;
-export declare const samlAttributeMappingGuard: z.ZodRecord<z.ZodString, z.ZodString>;
+export type SamlAttributeMapping = Partial<Record<UserClaim | 'sub', string>>;
+export declare const samlAttributeMappingKeys: readonly ("name" | "username" | "email" | "nickname" | "profile" | "website" | "gender" | "birthdate" | "zoneinfo" | "locale" | "address" | "given_name" | "family_name" | "middle_name" | "preferred_username" | "picture" | "email_verified" | "phone_number" | "phone_number_verified" | "updated_at" | "roles" | "organizations" | "organization_data" | "organization_roles" | "custom_data" | "identities" | "sso_identities" | "created_at" | "sub")[];
+export declare const samlAttributeMappingGuard: z.ZodObject<{
+    [x: string]: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    [x: string]: string | undefined;
+}, {
+    [x: string]: string | undefined;
+}>;
 export declare enum BindingType {
     Post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
     Redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
@@ -19,3 +27,36 @@ export declare const samlAcsUrlGuard: z.ZodObject<{
     url: string;
     binding: BindingType;
 }>;
+export declare const samlEncryptionGuard: z.ZodEffects<z.ZodObject<{
+    encryptAssertion: z.ZodOptional<z.ZodBoolean>;
+    encryptThenSign: z.ZodOptional<z.ZodBoolean>;
+    certificate: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    encryptAssertion?: boolean | undefined;
+    encryptThenSign?: boolean | undefined;
+    certificate?: string | undefined;
+}, {
+    encryptAssertion?: boolean | undefined;
+    encryptThenSign?: boolean | undefined;
+    certificate?: string | undefined;
+}>, {
+    encryptAssertion?: boolean | undefined;
+    encryptThenSign?: boolean | undefined;
+    certificate?: string | undefined;
+}, {
+    encryptAssertion?: boolean | undefined;
+    encryptThenSign?: boolean | undefined;
+    certificate?: string | undefined;
+}>;
+export type SamlEncryption = z.input<typeof samlEncryptionGuard>;
+export declare enum NameIdFormat {
+    /** Uses unique and persistent identifiers for the user. */
+    Persistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+    /** Returns the email address of the user. */
+    EmailAddress = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+    /** Uses unique and transient identifiers for the user, which can be different for each session. */
+    Transient = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+    /** The Identity Provider can determine the format. */
+    Unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+}
+export declare const nameIdFormatGuard: z.ZodNativeEnum<typeof NameIdFormat>;

package/lib/foundations/jsonb-types/saml-application-configs.js

@@ -1,5 +1,9 @@
+import { userClaimsList } from '@logto/core-kit';
 import { z } from 'zod';
-export const samlAttributeMappingGuard = z.record(z.string());
+export const samlAttributeMappingKeys = Object.freeze(['sub', ...userClaimsList]);
+export const samlAttributeMappingGuard = z
+    .object(Object.fromEntries(samlAttributeMappingKeys.map((claim) => [claim, z.string()])))
+    .partial();
 export var BindingType;
 (function (BindingType) {
     BindingType["Post"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
@@ -9,3 +13,30 @@ export const samlAcsUrlGuard = z.object({
     binding: z.nativeEnum(BindingType),
     url: z.string().url(),
 });
+export const samlEncryptionGuard = z
+    .object({
+    encryptAssertion: z.boolean().optional(),
+    encryptThenSign: z.boolean().optional(),
+    certificate: z.string().optional(),
+})
+    .superRefine(({ encryptAssertion, encryptThenSign, certificate }, ctx) => {
+    if (encryptAssertion && (encryptThenSign === undefined || certificate === undefined)) {
+        ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: '`encryptThenSign` and `certificate` are required when `encryptAssertion` is `true`',
+        });
+        return z.NEVER;
+    }
+});
+export var NameIdFormat;
+(function (NameIdFormat) {
+    /** Uses unique and persistent identifiers for the user. */
+    NameIdFormat["Persistent"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
+    /** Returns the email address of the user. */
+    NameIdFormat["EmailAddress"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
+    /** Uses unique and transient identifiers for the user, which can be different for each session. */
+    NameIdFormat["Transient"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
+    /** The Identity Provider can determine the format. */
+    NameIdFormat["Unspecified"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
+})(NameIdFormat || (NameIdFormat = {}));
+export const nameIdFormatGuard = z.nativeEnum(NameIdFormat);

package/lib/foundations/jsonb-types/saml-application-configs.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/foundations/jsonb-types/saml-application-configs.test.js

@@ -0,0 +1,49 @@
+import { describe, it, expect } from 'vitest';
+import { samlEncryptionGuard } from './saml-application-configs.js';
+describe('samlEncryptionGuard', () => {
+    // Test valid configurations
+    it('should pass when encryption is disabled', () => {
+        const result = samlEncryptionGuard.safeParse({
+            encryptAssertion: false,
+        });
+        expect(result.success).toBe(true);
+    });
+    it('should pass when encryption is enabled with all required fields', () => {
+        const result = samlEncryptionGuard.safeParse({
+            encryptAssertion: true,
+            encryptThenSign: true,
+            certificate: '-----BEGIN CERTIFICATE-----\nMIICYDCCAcmgAwIBA...',
+        });
+        expect(result.success).toBe(true);
+    });
+    // Test invalid configurations
+    it('should fail when encryptAssertion is true but missing encryptThenSign', () => {
+        const result = samlEncryptionGuard.safeParse({
+            encryptAssertion: true,
+            certificate: '-----BEGIN CERTIFICATE-----\nMIICYDCCAcmgAwIBA...',
+        });
+        expect(result.success).toBe(false);
+        if (!result.success) {
+            expect(result.error.issues[0]?.message).toBe('`encryptThenSign` and `certificate` are required when `encryptAssertion` is `true`');
+        }
+    });
+    it('should fail when encryptAssertion is true but missing certificate', () => {
+        const result = samlEncryptionGuard.safeParse({
+            encryptAssertion: true,
+            encryptThenSign: true,
+        });
+        expect(result.success).toBe(false);
+        if (!result.success) {
+            expect(result.error.issues[0]?.message).toBe('`encryptThenSign` and `certificate` are required when `encryptAssertion` is `true`');
+        }
+    });
+    it('should fail when encryptAssertion is true but missing both encryptThenSign and certificate', () => {
+        const result = samlEncryptionGuard.safeParse({
+            encryptAssertion: true,
+        });
+        expect(result.success).toBe(false);
+        if (!result.success) {
+            expect(result.error.issues[0]?.message).toBe('`encryptThenSign` and `certificate` are required when `encryptAssertion` is `true`');
+        }
+    });
+});

package/lib/types/log/index.d.ts

@@ -1,21 +1,25 @@
 import type * as hook from './hook.js';
 import type * as interaction from './interaction.js';
 import type * as jwtCustomizer from './jwt-customizer.js';
+import type * as saml from './saml.js';
 import type * as token from './token.js';
 export * as interaction from './interaction.js';
 export * as token from './token.js';
 export * as hook from './hook.js';
 export * as jwtCustomizer from './jwt-customizer.js';
+export * as saml from './saml.js';
 /** Fallback for empty or unrecognized log keys. */
 export declare const LogKeyUnknown = "Unknown";
-export type AuditLogKey = typeof LogKeyUnknown | interaction.LogKey | token.LogKey;
+export type AuditLogKey = typeof LogKeyUnknown | interaction.LogKey | token.LogKey | saml.LogKey;
 export type WebhookLogKey = hook.LogKey;
 export type JwtCustomizerLogKey = jwtCustomizer.LogKey;
+export type SamlLogKey = saml.LogKey;
 /**
  * The union type of all available log keys.
  * Note duplicate keys are allowed but should be avoided.
  *
  * @see {@link interaction.LogKey} for interaction log keys.
  * @see {@link token.LogKey} for token log keys.
+ * @see {@link saml.LogKey} for SAML application log keys.
  **/
 export type LogKey = AuditLogKey | WebhookLogKey | JwtCustomizerLogKey;

package/lib/types/log/index.js

@@ -2,5 +2,6 @@ export * as interaction from './interaction.js';
 export * as token from './token.js';
 export * as hook from './hook.js';
 export * as jwtCustomizer from './jwt-customizer.js';
+export * as saml from './saml.js';
 /** Fallback for empty or unrecognized log keys. */
 export const LogKeyUnknown = 'Unknown';

package/lib/types/log/saml.d.ts

@@ -0,0 +1,7 @@
+export type Prefix = 'SamlApplication';
+export declare const prefix: Prefix;
+export declare enum Scenario {
+    Callback = "Callback",
+    AuthnRequest = "AuthnRequest"
+}
+export type LogKey = `${Prefix}.${Scenario}`;

package/lib/types/log/saml.js

@@ -0,0 +1,6 @@
+export const prefix = 'SamlApplication';
+export var Scenario;
+(function (Scenario) {
+    Scenario["Callback"] = "Callback";
+    Scenario["AuthnRequest"] = "AuthnRequest";
+})(Scenario || (Scenario = {}));