@logto/schemas 1.28.0 → 1.29.0

package/lib/types/verification-records/new-password-identity-verification.d.ts

@@ -0,0 +1,54 @@
+/**
+ * @deprecated
+ * This verification record type is deprecated.
+ * DO NOT use this verification record type in new code.
+ */
+import { z } from 'zod';
+import { UsersPasswordEncryptionMethod } from '../../db-entries/custom-types.js';
+import { type InteractionIdentifier } from '../interactions.js';
+import { VerificationType } from './verification-type.js';
+export type NewPasswordIdentityVerificationRecordData = {
+    id: string;
+    type: VerificationType.NewPasswordIdentity;
+    /**
+     * For now we only support username identifier for new password identity registration.
+     * For email and phone new identity registration, a `CodeVerification` record is required.
+     */
+    identifier: InteractionIdentifier;
+    passwordEncrypted?: string;
+    passwordEncryptionMethod?: UsersPasswordEncryptionMethod.Argon2i;
+};
+export declare const newPasswordIdentityVerificationRecordDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.NewPasswordIdentity>;
+    identifier: z.ZodObject<{
+        type: z.ZodNativeEnum<typeof import("../../index.js").SignInIdentifier>;
+        value: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    }, {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    }>;
+    passwordEncrypted: z.ZodOptional<z.ZodString>;
+    passwordEncryptionMethod: z.ZodOptional<z.ZodLiteral<UsersPasswordEncryptionMethod.Argon2i>>;
+}, "strip", z.ZodTypeAny, {
+    type: VerificationType.NewPasswordIdentity;
+    id: string;
+    identifier: {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    };
+    passwordEncrypted?: string | undefined;
+    passwordEncryptionMethod?: UsersPasswordEncryptionMethod.Argon2i | undefined;
+}, {
+    type: VerificationType.NewPasswordIdentity;
+    id: string;
+    identifier: {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    };
+    passwordEncrypted?: string | undefined;
+    passwordEncryptionMethod?: UsersPasswordEncryptionMethod.Argon2i | undefined;
+}>;

package/lib/types/verification-records/new-password-identity-verification.js

@@ -0,0 +1,16 @@
+/**
+ * @deprecated
+ * This verification record type is deprecated.
+ * DO NOT use this verification record type in new code.
+ */
+import { z } from 'zod';
+import { UsersPasswordEncryptionMethod } from '../../db-entries/custom-types.js';
+import { interactionIdentifierGuard } from '../interactions.js';
+import { VerificationType } from './verification-type.js';
+export const newPasswordIdentityVerificationRecordDataGuard = z.object({
+    id: z.string(),
+    type: z.literal(VerificationType.NewPasswordIdentity),
+    identifier: interactionIdentifierGuard,
+    passwordEncrypted: z.string().optional(),
+    passwordEncryptionMethod: z.literal(UsersPasswordEncryptionMethod.Argon2i).optional(),
+});

package/lib/types/verification-records/one-time-token-verification.d.ts

@@ -0,0 +1,55 @@
+import { z } from 'zod';
+import { type OneTimeTokenContext, SignInIdentifier } from '../../foundations/index.js';
+import { type InteractionIdentifier } from '../interactions.js';
+import { VerificationType } from './verification-type.js';
+export type OneTimeTokenVerificationRecordData = {
+    id: string;
+    type: VerificationType.OneTimeToken;
+    identifier: InteractionIdentifier<SignInIdentifier.Email>;
+    verified: boolean;
+    oneTimeTokenContext?: OneTimeTokenContext;
+};
+export declare const oneTimeTokenVerificationRecordDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.OneTimeToken>;
+    verified: z.ZodBoolean;
+    identifier: z.ZodObject<{
+        type: z.ZodLiteral<SignInIdentifier.Email>;
+        value: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        value: string;
+        type: SignInIdentifier.Email;
+    }, {
+        value: string;
+        type: SignInIdentifier.Email;
+    }>;
+    oneTimeTokenContext: z.ZodOptional<z.ZodObject<{
+        jitOrganizationIds: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        jitOrganizationIds?: string[] | undefined;
+    }, {
+        jitOrganizationIds?: string[] | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    type: VerificationType.OneTimeToken;
+    id: string;
+    identifier: {
+        value: string;
+        type: SignInIdentifier.Email;
+    };
+    verified: boolean;
+    oneTimeTokenContext?: {
+        jitOrganizationIds?: string[] | undefined;
+    } | undefined;
+}, {
+    type: VerificationType.OneTimeToken;
+    id: string;
+    identifier: {
+        value: string;
+        type: SignInIdentifier.Email;
+    };
+    verified: boolean;
+    oneTimeTokenContext?: {
+        jitOrganizationIds?: string[] | undefined;
+    } | undefined;
+}>;

package/lib/types/verification-records/one-time-token-verification.js

@@ -0,0 +1,13 @@
+import { z } from 'zod';
+import { oneTimeTokenContextGuard, SignInIdentifier, } from '../../foundations/index.js';
+import { VerificationType } from './verification-type.js';
+export const oneTimeTokenVerificationRecordDataGuard = z.object({
+    id: z.string(),
+    type: z.literal(VerificationType.OneTimeToken),
+    verified: z.boolean(),
+    identifier: z.object({
+        type: z.literal(SignInIdentifier.Email),
+        value: z.string(),
+    }),
+    oneTimeTokenContext: oneTimeTokenContextGuard.optional(),
+});

package/lib/types/verification-records/password-verification.d.ts

@@ -0,0 +1,40 @@
+import { z } from 'zod';
+import { type VerificationIdentifier } from '../interactions.js';
+import { VerificationType } from './verification-type.js';
+export type PasswordVerificationRecordData = {
+    id: string;
+    type: VerificationType.Password;
+    identifier: VerificationIdentifier;
+    verified: boolean;
+};
+export declare const passwordVerificationRecordDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.Password>;
+    identifier: z.ZodObject<{
+        type: z.ZodUnion<[z.ZodNativeEnum<typeof import("../../index.js").SignInIdentifier>, z.ZodNativeEnum<typeof import("../../index.js").AdditionalIdentifier>]>;
+        value: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        value: string;
+        type: import("../../index.js").SignInIdentifier | import("../../index.js").AdditionalIdentifier;
+    }, {
+        value: string;
+        type: import("../../index.js").SignInIdentifier | import("../../index.js").AdditionalIdentifier;
+    }>;
+    verified: z.ZodBoolean;
+}, "strip", z.ZodTypeAny, {
+    type: VerificationType.Password;
+    id: string;
+    identifier: {
+        value: string;
+        type: import("../../index.js").SignInIdentifier | import("../../index.js").AdditionalIdentifier;
+    };
+    verified: boolean;
+}, {
+    type: VerificationType.Password;
+    id: string;
+    identifier: {
+        value: string;
+        type: import("../../index.js").SignInIdentifier | import("../../index.js").AdditionalIdentifier;
+    };
+    verified: boolean;
+}>;

package/lib/types/verification-records/password-verification.js

@@ -0,0 +1,9 @@
+import { z } from 'zod';
+import { verificationIdentifierGuard } from '../interactions.js';
+import { VerificationType } from './verification-type.js';
+export const passwordVerificationRecordDataGuard = z.object({
+    id: z.string(),
+    type: z.literal(VerificationType.Password),
+    identifier: verificationIdentifierGuard,
+    verified: z.boolean(),
+});

package/lib/types/verification-records/social-verification.d.ts

@@ -0,0 +1,106 @@
+import { type ConnectorSession, type SocialUserInfo } from '@logto/connector-kit';
+import { z } from 'zod';
+import { VerificationType } from './verification-type.js';
+/** The JSON data type for the SocialVerification record stored in the interaction storage */
+export type SocialVerificationRecordData = {
+    id: string;
+    connectorId: string;
+    type: VerificationType.Social;
+    /**
+     * The social identity returned by the connector.
+     */
+    socialUserInfo?: SocialUserInfo;
+    /**
+     * The connector session result
+     */
+    connectorSession?: ConnectorSession;
+};
+export declare const socialVerificationRecordDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    connectorId: z.ZodString;
+    type: z.ZodLiteral<VerificationType.Social>;
+    socialUserInfo: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        phone: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatar: z.ZodOptional<z.ZodString>;
+        rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
+    }, "strip", z.ZodTypeAny, {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    }, {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    }>>;
+    connectorSession: z.ZodOptional<z.ZodObject<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, z.ZodUnknown, "strip">>>;
+}, "strip", z.ZodTypeAny, {
+    type: VerificationType.Social;
+    id: string;
+    connectorId: string;
+    socialUserInfo?: {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    } | undefined;
+    connectorSession?: z.objectOutputType<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, z.ZodUnknown, "strip"> | undefined;
+}, {
+    type: VerificationType.Social;
+    id: string;
+    connectorId: string;
+    socialUserInfo?: {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    } | undefined;
+    connectorSession?: z.objectInputType<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, z.ZodUnknown, "strip"> | undefined;
+}>;

package/lib/types/verification-records/social-verification.js

@@ -0,0 +1,10 @@
+import { connectorSessionGuard, socialUserInfoGuard, } from '@logto/connector-kit';
+import { z } from 'zod';
+import { VerificationType } from './verification-type.js';
+export const socialVerificationRecordDataGuard = z.object({
+    id: z.string(),
+    connectorId: z.string(),
+    type: z.literal(VerificationType.Social),
+    socialUserInfo: socialUserInfoGuard.optional(),
+    connectorSession: connectorSessionGuard.optional(),
+});

package/lib/types/verification-records/totp-verification.d.ts

@@ -0,0 +1,29 @@
+import { z } from 'zod';
+import { VerificationType } from './verification-type.js';
+export type TotpVerificationRecordData = {
+    id: string;
+    type: VerificationType.TOTP;
+    /** UserId is required for verifying or binding new TOTP */
+    userId: string;
+    secret?: string;
+    verified: boolean;
+};
+export declare const totpVerificationRecordDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.TOTP>;
+    userId: z.ZodString;
+    secret: z.ZodOptional<z.ZodString>;
+    verified: z.ZodBoolean;
+}, "strip", z.ZodTypeAny, {
+    type: VerificationType.TOTP;
+    id: string;
+    userId: string;
+    verified: boolean;
+    secret?: string | undefined;
+}, {
+    type: VerificationType.TOTP;
+    id: string;
+    userId: string;
+    verified: boolean;
+    secret?: string | undefined;
+}>;

package/lib/types/verification-records/totp-verification.js

@@ -0,0 +1,9 @@
+import { z } from 'zod';
+import { VerificationType } from './verification-type.js';
+export const totpVerificationRecordDataGuard = z.object({
+    id: z.string(),
+    type: z.literal(VerificationType.TOTP),
+    userId: z.string(),
+    secret: z.string().optional(),
+    verified: z.boolean(),
+});

package/lib/types/verification-records/web-authn-verification.d.ts

@@ -0,0 +1,80 @@
+import { z } from 'zod';
+import { type BindWebAuthn } from '../interactions.js';
+import { VerificationType } from './verification-type.js';
+export type WebAuthnVerificationRecordData = {
+    id: string;
+    type: VerificationType.WebAuthn;
+    /** UserId is required for verifying or binding new TOTP */
+    userId: string;
+    verified: boolean;
+    /** The challenge generated for the WebAuthn registration */
+    registrationChallenge?: string;
+    /** The challenge generated for the WebAuthn authentication */
+    authenticationChallenge?: string;
+    registrationInfo?: BindWebAuthn;
+};
+export declare const webAuthnVerificationRecordDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.WebAuthn>;
+    userId: z.ZodString;
+    verified: z.ZodBoolean;
+    registrationChallenge: z.ZodOptional<z.ZodString>;
+    authenticationChallenge: z.ZodOptional<z.ZodString>;
+    registrationInfo: z.ZodOptional<z.ZodObject<{
+        type: z.ZodLiteral<import("../../index.js").MfaFactor.WebAuthn>;
+        credentialId: z.ZodString;
+        publicKey: z.ZodString;
+        transports: z.ZodArray<z.ZodEnum<["usb", "nfc", "ble", "internal", "cable", "hybrid", "smart-card"]>, "many">;
+        counter: z.ZodNumber;
+        agent: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    type: VerificationType.WebAuthn;
+    id: string;
+    userId: string;
+    verified: boolean;
+    registrationChallenge?: string | undefined;
+    authenticationChallenge?: string | undefined;
+    registrationInfo?: {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    } | undefined;
+}, {
+    type: VerificationType.WebAuthn;
+    id: string;
+    userId: string;
+    verified: boolean;
+    registrationChallenge?: string | undefined;
+    authenticationChallenge?: string | undefined;
+    registrationInfo?: {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    } | undefined;
+}>;

package/lib/types/verification-records/web-authn-verification.js

@@ -0,0 +1,12 @@
+import { z } from 'zod';
+import { bindWebAuthnGuard } from '../interactions.js';
+import { VerificationType } from './verification-type.js';
+export const webAuthnVerificationRecordDataGuard = z.object({
+    id: z.string(),
+    type: z.literal(VerificationType.WebAuthn),
+    userId: z.string(),
+    verified: z.boolean(),
+    registrationChallenge: z.string().optional(),
+    authenticationChallenge: z.string().optional(),
+    registrationInfo: bindWebAuthnGuard.optional(),
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.28.0",
+  "version": "1.29.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",

package/tables/account_centers.sql

@@ -6,5 +6,6 @@ create table account_centers (
   enabled boolean not null default false,
   /** Control each fields */
   fields jsonb /* @use AccountCenterFieldControl */ not null default '{}'::jsonb,
+  webauthn_related_origins jsonb /* @use WebauthnRelatedOrigins */ not null default '[]'::jsonb,
   primary key (tenant_id, id)
 );

package/tables/connectors.sql

@@ -1,3 +1,5 @@
+/* init_order = 1 */
+
 create table connectors (
   tenant_id varchar(21) not null 
     references tenants (id) on update cascade on delete cascade,

package/tables/custom_profile_fields.sql

@@ -0,0 +1,31 @@
+create table custom_profile_fields (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  id varchar(21) not null,
+  name varchar(128) not null,
+  type varchar(128) not null /* @use CustomProfileFieldType */,
+  label varchar(128) not null default '',
+  description varchar(256),
+  required boolean not null default false,
+  config jsonb /* @use CustomProfileFieldConfig */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  sie_order int2 not null default 0,
+  primary key (id),
+  constraint custom_profile_fields__name
+    unique (tenant_id, name)
+);
+
+create or replace function custom_profile_fields__increment_sie_order() returns trigger as
+$$ begin
+  new.sie_order = (
+    select coalesce(max(sie_order), 0)
+    from custom_profile_fields
+    where tenant_id = (
+      select id from tenants where db_user = current_user
+    )
+  ) + 1;
+  return new;
+end; $$ language plpgsql;
+
+create trigger custom_profile_fields__increment_sie_order before insert on custom_profile_fields
+  for each row execute procedure custom_profile_fields__increment_sie_order();

package/tables/oidc_model_instances.sql

@@ -1,3 +1,5 @@
+/* init_order = 1 */
+
 create table oidc_model_instances (
   tenant_id varchar(21) not null
     references tenants (id) on update cascade on delete cascade,

package/tables/oidc_session_extensions.sql

@@ -0,0 +1,18 @@
+/* init_order = 2 */
+
+create table oidc_session_extensions (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  session_uid varchar(128) not null,
+  account_id varchar(12) not null
+    references users (id) on update cascade on delete cascade,
+  last_submission jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  updated_at timestamptz not null default(now()),
+  primary key (tenant_id, session_uid)
+);
+
+create trigger set_updated_at
+  before update on oidc_session_extensions
+  for each row
+  execute procedure set_updated_at();

package/tables/secret_connector_relations.sql

@@ -0,0 +1,78 @@
+/* init_order = 3 */
+
+create table secret_connector_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  secret_id varchar(21) not null
+    references secrets (id) on update cascade on delete cascade,
+  /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+  connector_id varchar(128)
+    references connectors (id) on update cascade,
+  /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+  sso_connector_id varchar(128)
+    references sso_connectors (id) on update cascade,
+  /** The target of the social connector. e.g. 'github', 'google', etc. */
+  social_connector_target varchar(256),
+  /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
+  social_identity_id varchar(128),
+  /** User sso connector issuer. Only present for secrets that store SSO connector tokens. */
+  sso_connector_issuer varchar(256),
+  /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
+  sso_identity_id varchar(128),
+  primary key (tenant_id, secret_id),
+  /** Ensures that each social identity is associated with only one secret. */
+  constraint secret_connector_relations__target__social_identity_id
+    unique (tenant_id, social_connector_target, social_identity_id),
+  /** Ensures that each SSO identity is associated with only one secret. */
+  foreign key (tenant_id, sso_connector_issuer, sso_identity_id)
+    references user_sso_identities (tenant_id, issuer, identity_id) on update cascade,
+  /** Ensure that each secret is associated with a social connector or SSO connector, but not both at the same time. */
+  constraint secret_connector_relations__connector_id__sso_connector_id
+    check (
+      (
+        connector_id is not null and social_connector_target is not null and social_identity_id is not null and
+        sso_connector_id is null and sso_identity_id is null
+      ) or (
+        connector_id is null and social_connector_target is null and social_identity_id is null and
+        sso_connector_id is not null and sso_identity_id is not null
+      )
+    )
+);
+
+
+/** Trigger function to delete secrets when the social connector is deleted. */
+create function delete_secrets_on_social_connector_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_connector_relations
+    where tenant_id = old.tenant_id and connector_id = old.id
+  );
+  return old;
+end;
+$$ language plpgsql;
+
+create trigger delete_secrets_before_social_connector_delete
+  before delete on connectors
+  for each row
+  execute procedure delete_secrets_on_social_connector_delete();
+
+
+/** Trigger function to delete secrets when the SSO connector is deleted. */
+create function delete_secrets_on_sso_connector_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_connector_relations
+    where tenant_id = old.tenant_id and sso_connector_id = old.id
+  );
+  return old;
+end;
+$$ language plpgsql;
+
+create trigger delete_secrets_before_sso_connector_delete
+  before delete on sso_connectors
+  for each row
+  execute procedure delete_secrets_on_sso_connector_delete();

package/tables/secrets.sql

@@ -0,0 +1,26 @@
+/* init_order = 2 */
+create table secrets (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  id varchar(21) not null primary key,
+  user_id varchar(21) not null 
+    references users (id) on update cascade on delete cascade,
+  type varchar(256) /* @use SecretType */ not null,
+  /** Encrypted data encryption key (DEK) for the secret. */
+  encrypted_dek bytea not null,
+  /** Initialization vector for the secret encryption. */
+  iv bytea not null,
+  /** Authentication tag for the secret encryption. */
+  auth_tag bytea not null,
+  /** The encrypted secret data. e.g. { access_token, refresh_token } */
+  ciphertext bytea not null,
+  /** The metadata associated with the secret. */
+  metadata jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  updated_at timestamptz not null default(now())
+);
+
+create trigger set_updated_at
+  before update on secrets
+  for each row
+  execute procedure set_updated_at();

package/tables/user_sso_identities.sql

@@ -10,7 +10,9 @@ create table user_sso_identities (
   /** Provider user identity id*/
   identity_id varchar(128) not null,
   detail jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  /** Known issue: created_at uses timestamp instead of timestamptz */
   created_at timestamp not null default(now()),
+  updated_at timestamptz not null default(now()),
   sso_connector_id
     varchar(128) not null
     references sso_connectors (id) on update cascade on delete cascade,
@@ -18,3 +20,9 @@ create table user_sso_identities (
   constraint user_sso_identities__issuer__identity_id
     unique (tenant_id, issuer, identity_id)
 );
+
+
+create trigger set_updated_at
+  before update on user_sso_identities
+  for each row
+  execute procedure set_updated_at();

package/tables/users.sql

@@ -9,7 +9,7 @@ create table users (
   username varchar(128),
   primary_email varchar(128),
   primary_phone varchar(128),
-  password_encrypted varchar(128),
+  password_encrypted varchar(256),
   password_encryption_method users_password_encryption_method,
   name varchar(128),
   /** The URL that points to the user's profile picture. Mapped to OpenID Connect's `picture` claim. */