npm - @logto/schemas - Versions diffs - 1.28.0 → 1.30.0 - Mend

@logto/schemas 1.28.0 → 1.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (129) hide show

package/tables/secret_enterprise_sso_connector_relations.sql ADDED Viewed

@@ -0,0 +1,60 @@
+/* init_order = 3 */
+create table secret_enterprise_sso_connector_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  secret_id varchar(21) not null
+    references secrets (id) on update cascade on delete cascade,
+  /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+  sso_connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade,
+  /** User SSO connector issuer. Only present for secrets that store SSO connector tokens. */
+  issuer varchar(256) not null,
+  /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
+  identity_id varchar(128) not null,
+  primary key (tenant_id, secret_id),
+  /** Ensures that each SSO identity is associated with only one secret. */
+  foreign key (tenant_id, issuer, identity_id)
+    references user_sso_identities (tenant_id, issuer, identity_id) on update cascade
+);
+/** Trigger function to delete secrets when the SSO connector is deleted. */
+create function delete_secrets_on_sso_connector_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_enterprise_sso_connector_relations
+    where tenant_id = old.tenant_id and sso_connector_id = old.id
+  );
+  return old;
+end;
+$$ language plpgsql;
+create trigger delete_secrets_before_sso_connector_delete
+  before delete on sso_connectors
+  for each row
+  execute procedure delete_secrets_on_sso_connector_delete();
+/** Trigger function to delete secret when the SSO identity is deleted. */
+create function delete_secret_on_sso_identity_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_enterprise_sso_connector_relations
+    where tenant_id = old.tenant_id
+    and issuer = old.issuer
+    and identity_id = old.identity_id
+  )
+  -- we also need to ensure that the secret is associated with the correct user
+  and user_id = old.user_id;
+  return old;
+end;
+$$ language plpgsql;
+create trigger delete_secret_before_sso_identity_delete
+  before delete on user_sso_identities
+  for each row
+  execute procedure delete_secret_on_sso_identity_delete();

package/tables/secret_social_connector_relations.sql ADDED Viewed

@@ -0,0 +1,75 @@
+/* init_order = 3 */
+create table secret_social_connector_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  secret_id varchar(21) not null
+    references secrets (id) on update cascade on delete cascade,
+  /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+  connector_id varchar(128) not null
+    references connectors (id) on update cascade,
+  /** The target of the social connector. e.g. 'github', 'google', etc. */
+  target varchar(256) not null,
+  /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
+  identity_id varchar(128) not null,
+  primary key (tenant_id, secret_id),
+  /** Ensures that each social identity is associated with only one secret. */
+  constraint secret_social_connector_relations__target__identity_id
+    unique (tenant_id, target, identity_id)
+);
+/** Trigger function to delete secrets when the social connector is deleted. */
+create function delete_secrets_on_social_connector_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_social_connector_relations
+    where tenant_id = old.tenant_id and connector_id = old.id
+  );
+  return old;
+end;
+$$ language plpgsql;
+create trigger delete_secrets_before_social_connector_delete
+  before delete on connectors
+  for each row
+  execute procedure delete_secrets_on_social_connector_delete();
+/** Trigger function to delete associated secrets when social identities are deleted. */
+create function delete_secrets_on_social_identity_delete()
+returns trigger as $$
+declare
+  identity_target text;
+  old_identity jsonb;
+  new_identity jsonb;
+begin
+  -- Loop over old identities to detect deletions or modifications
+  for identity_target in select jsonb_object_keys(old.identities)
+  loop
+    old_identity := old.identities -> identity_target;
+    new_identity := new.identities -> identity_target;
+    -- If the identity was deleted or modified, delete the associated secret
+    if new_identity is null or (new_identity->>'userId') is distinct from (old_identity->>'userId') then
+      -- Identity was removed or changed, delete the corresponding secrets
+      delete from secrets
+      using secret_social_connector_relations
+      where secrets.id = secret_social_connector_relations.secret_id
+      -- Ensure we are deleting the correct social identity
+      and secret_social_connector_relations.target = identity_target
+      and secret_social_connector_relations.identity_id = old_identity->>'userId'
+      -- Ensure we delete the correct user's secret
+      and secrets.user_id = old.id;
+    end if;
+  end loop;
+  return new;
+end;
+$$ language plpgsql;
+create trigger delete_secrets_before_social_identity_delete
+  before update of identities on users
+  for each row
+  execute procedure delete_secrets_on_social_identity_delete();

package/tables/secrets.sql ADDED Viewed

@@ -0,0 +1,26 @@
+/* init_order = 2 */
+create table secrets (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  id varchar(21) not null primary key,
+  user_id varchar(21) not null
+    references users (id) on update cascade on delete cascade,
+  type varchar(256) /* @use SecretType */ not null,
+  /** Encrypted data encryption key (DEK) for the secret. */
+  encrypted_dek bytea /* @use BufferLike */ not null,
+  /** Initialization vector for the secret encryption. */
+  iv bytea /* @use BufferLike */ not null,
+  /** Authentication tag for the secret encryption. */
+  auth_tag bytea /* @use BufferLike */ not null,
+  /** The encrypted secret data. e.g. { access_token, refresh_token } */
+  ciphertext bytea /* @use BufferLike */ not null,
+  /** The metadata associated with the secret. */
+  metadata jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  updated_at timestamptz not null default(now())
+);
+create trigger set_updated_at
+  before update on secrets
+  for each row
+  execute procedure set_updated_at();

package/tables/sso_connectors.sql CHANGED Viewed

@@ -16,6 +16,8 @@ create table sso_connectors (
   branding jsonb /* @use SsoBranding */ not null default '{}'::jsonb,
   /** Determines whether to synchronize the user's profile on each login. */
   sync_profile boolean not null default FALSE,
+  /** Whether the token storage is enabled for this connector. Only applied for OAuth2/OIDC SSO connectors. */
+  enable_token_storage boolean not null default FALSE,
   /** When the SSO connector was created. */
   created_at timestamptz not null default(now()),
   primary key (id),

package/tables/user_sso_identities.sql CHANGED Viewed

@@ -10,7 +10,9 @@ create table user_sso_identities (
   /** Provider user identity id*/
   identity_id varchar(128) not null,
   detail jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  /** Known issue: created_at uses timestamp instead of timestamptz */
   created_at timestamp not null default(now()),
+  updated_at timestamptz not null default(now()),
   sso_connector_id
     varchar(128) not null
     references sso_connectors (id) on update cascade on delete cascade,
@@ -18,3 +20,9 @@ create table user_sso_identities (
   constraint user_sso_identities__issuer__identity_id
     unique (tenant_id, issuer, identity_id)
 );
+create trigger set_updated_at
+  before update on user_sso_identities
+  for each row
+  execute procedure set_updated_at();

package/tables/users.sql CHANGED Viewed

@@ -9,7 +9,7 @@ create table users (
   username varchar(128),
   primary_email varchar(128),
   primary_phone varchar(128),
-  password_encrypted varchar(128),
+  password_encrypted varchar(256),
   password_encryption_method users_password_encryption_method,
   name varchar(128),
   /** The URL that points to the user's profile picture. Mapped to OpenID Connect's `picture` claim. */
@@ -34,7 +34,8 @@ create table users (
     unique (tenant_id, primary_phone)
 );
-create index users__id
+/* Unique index on (tenant_id, id) required for foreign key constraint in organization_user_relations table. */
+create unique index users__id
   on users (tenant_id, id);
 create index users__name

/package/lib/{foundations/jsonb-types/verification-records.d.ts → types/verification-records/verification-type.d.ts} RENAMED Viewed

File without changes

/package/lib/{foundations/jsonb-types/verification-records.js → types/verification-records/verification-type.js} RENAMED Viewed

File without changes