@logto/schemas 1.28.0 → 1.30.0

package/alterations/1.30.0-1751255436-split-secret-connector-relatioins-table.ts

@@ -0,0 +1,359 @@
+/**
+ * @fileoverview
+ * This migration script alters the database schema to split the `secret_connector_relations` table into two separate tables:
+ * `secret_social_connector_relations` and `secret_enterprise_sso_connector_relations`.
+ */
+
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Drop all triggers
+    await pool.query(sql`
+      drop trigger if exists delete_secrets_before_social_connector_delete on connectors;
+      drop function if exists delete_secrets_on_social_connector_delete();
+
+      drop trigger if exists delete_secrets_before_sso_connector_delete on sso_connectors;
+      drop function if exists delete_secrets_on_sso_connector_delete;
+
+      drop trigger if exists delete_secret_before_sso_identity_delete on user_sso_identities;
+      drop function if exists delete_secret_on_sso_identity_delete();
+
+      drop trigger if exists delete_secrets_before_social_identity_delete on users;
+      drop function if exists delete_secrets_on_social_identity_delete();
+    `);
+
+    // Drop the existing `secret_connector_relations` table
+    await pool.query(sql`
+      drop table if exists secret_connector_relations;
+    `);
+
+    // Create the new `secret_social_connector_relations` table
+    await pool.query(sql`
+      create table secret_social_connector_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        secret_id varchar(21) not null
+          references secrets (id) on update cascade on delete cascade,
+        /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+        connector_id varchar(128) not null
+          references connectors (id) on update cascade,
+        /** The target of the social connector. e.g. 'github', 'google', etc. */
+        target varchar(256) not null,
+        /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
+        identity_id varchar(128) not null,
+        primary key (tenant_id, secret_id),
+        /** Ensures that each social identity is associated with only one secret. */
+        constraint secret_social_connector_relations__target__identity_id
+          unique (tenant_id, target, identity_id)
+      );
+    `);
+
+    // Create triggers for the new `secret_social_connector_relations` table
+    await pool.query(sql`
+      /** Trigger function to delete secrets when the social connector is deleted. */
+      create function delete_secrets_on_social_connector_delete()
+      returns trigger as $$
+      begin
+        delete from secrets
+        where id in (
+          select secret_id from secret_social_connector_relations
+          where tenant_id = old.tenant_id and connector_id = old.id
+        );
+        return old;
+      end;
+      $$ language plpgsql;
+
+      create trigger delete_secrets_before_social_connector_delete
+        before delete on connectors
+        for each row
+        execute procedure delete_secrets_on_social_connector_delete();
+
+      /** Trigger function to delete associated secrets when social identities are deleted. */
+      create function delete_secrets_on_social_identity_delete()
+      returns trigger as $$
+      declare
+        identity_target text;
+        old_identity jsonb;
+        new_identity jsonb;
+      begin
+        -- Loop over old identities to detect deletions or modifications
+        for identity_target in select jsonb_object_keys(old.identities)
+        loop
+          old_identity := old.identities -> identity_target;
+          new_identity := new.identities -> identity_target;
+
+          -- If the identity was deleted or modified, delete the associated secret
+          if new_identity is null or (new_identity->>'userId') is distinct from (old_identity->>'userId') then
+            -- Identity was removed or changed, delete the corresponding secrets
+            delete from secrets
+            using secret_social_connector_relations
+            where secrets.id = secret_social_connector_relations.secret_id
+            -- Ensure we are deleting the correct social identity
+            and secret_social_connector_relations.target = identity_target
+            and secret_social_connector_relations.identity_id = old_identity->>'userId'
+            -- Ensure we delete the correct user's secret
+            and secrets.user_id = old.id;
+          end if;
+        end loop;
+
+        return new;
+      end;
+      $$ language plpgsql;
+
+      create trigger delete_secrets_before_social_identity_delete
+        before update of identities on users
+        for each row
+        execute procedure delete_secrets_on_social_identity_delete();
+    `);
+
+    await applyTableRls(pool, 'secret_social_connector_relations');
+
+    // Create the new `secret_enterprise_sso_connector_relations` table
+    await pool.query(sql`
+      create table secret_enterprise_sso_connector_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        secret_id varchar(21) not null
+          references secrets (id) on update cascade on delete cascade,
+        /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+        sso_connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade,
+        /** User SSO connector issuer. Only present for secrets that store SSO connector tokens. */
+        issuer varchar(256) not null,
+        /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
+        identity_id varchar(128) not null,
+        primary key (tenant_id, secret_id),
+        /** Ensures that each SSO identity is associated with only one secret. */
+        foreign key (tenant_id, issuer, identity_id)
+          references user_sso_identities (tenant_id, issuer, identity_id) on update cascade
+      ); 
+    `);
+
+    // Create triggers for the new `secret_enterprise_sso_connector_relations` table
+    await pool.query(sql`
+      /** Trigger function to delete secrets when the SSO connector is deleted. */
+      create function delete_secrets_on_sso_connector_delete()
+      returns trigger as $$
+      begin
+        delete from secrets
+        where id in (
+          select secret_id from secret_enterprise_sso_connector_relations
+          where tenant_id = old.tenant_id and sso_connector_id = old.id
+        );
+        return old;
+      end;
+      $$ language plpgsql;
+
+      create trigger delete_secrets_before_sso_connector_delete
+        before delete on sso_connectors
+        for each row
+        execute procedure delete_secrets_on_sso_connector_delete();
+
+      /** Trigger function to delete secret when the SSO identity is deleted. */
+      create function delete_secret_on_sso_identity_delete()
+      returns trigger as $$
+      begin
+        delete from secrets
+        where id in (
+          select secret_id from secret_enterprise_sso_connector_relations
+          where tenant_id = old.tenant_id
+          and issuer = old.issuer
+          and identity_id = old.identity_id
+        )
+        -- we also need to ensure that the secret is associated with the correct user
+        and user_id = old.user_id;
+        return old;
+      end;
+      $$ language plpgsql;
+      
+      create trigger delete_secret_before_sso_identity_delete
+        before delete on user_sso_identities
+        for each row
+        execute procedure delete_secret_on_sso_identity_delete();
+    `);
+
+    await applyTableRls(pool, 'secret_enterprise_sso_connector_relations');
+  },
+  down: async (pool) => {
+    // Drop all triggers
+    await pool.query(sql`
+      drop trigger if exists delete_secrets_before_social_connector_delete on connectors;
+      drop function if exists delete_secrets_on_social_connector_delete;
+
+      drop trigger if exists delete_secrets_before_sso_connector_delete on sso_connectors;
+      drop function if exists delete_secrets_on_sso_connector_delete;
+
+      drop trigger if exists delete_secret_before_sso_identity_delete on user_sso_identities;
+      drop function if exists delete_secret_on_sso_identity_delete();
+
+      drop trigger if exists delete_secrets_before_social_identity_delete on users;
+      drop function if exists delete_secrets_on_social_identity_delete();
+    `);
+
+    // Drop the new `secret_social_connector_relations` table
+    await dropTableRls(pool, 'secret_social_connector_relations');
+    await pool.query(sql`
+      drop table if exists secret_social_connector_relations;
+    `);
+
+    // Drop the new `secret_enterprise_sso_connector_relations` table
+    await dropTableRls(pool, 'secret_enterprise_sso_connector_relations');
+    await pool.query(sql`
+      drop table if exists secret_enterprise_sso_connector_relations;  
+    `);
+
+    // Create secret_connector_relations
+    await pool.query(sql`
+      create table secret_connector_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        secret_id varchar(21) not null
+          references secrets (id) on update cascade on delete cascade,
+        /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+        connector_id varchar(128)
+          references connectors (id) on update cascade,
+        /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+        sso_connector_id varchar(128)
+          references sso_connectors (id) on update cascade,
+        /** The target of the social connector. e.g. 'github', 'google', etc. */
+        social_connector_target varchar(256),
+        /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
+        social_identity_id varchar(128),
+        /** User sso connector issuer. Only present for secrets that store SSO connector tokens. */
+        sso_connector_issuer varchar(256),
+        /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
+        sso_identity_id varchar(128),
+        primary key (tenant_id, secret_id),
+        /** Ensures that each social identity is associated with only one secret. */
+        constraint secret_connector_relations__target__social_identity_id
+          unique (tenant_id, social_connector_target, social_identity_id),
+        /** Ensures that each SSO identity is associated with only one secret. */
+        foreign key (tenant_id, sso_connector_issuer, sso_identity_id)
+          references user_sso_identities (tenant_id, issuer, identity_id) on update cascade,
+        /** Ensure that each secret is associated with a social connector or SSO connector, but not both at the same time. */
+        constraint secret_connector_relations__connector_id__sso_connector_id
+          check (
+            (
+              connector_id is not null and social_connector_target is not null and social_identity_id is not null and
+              sso_connector_id is null and sso_identity_id is null
+            ) or (
+              connector_id is null and social_connector_target is null and social_identity_id is null and
+              sso_connector_id is not null and sso_identity_id is not null
+            )
+          )
+      );
+    `);
+
+    await applyTableRls(pool, 'secret_connector_relations');
+
+    /** Trigger function to delete secrets when the social connector is deleted. */
+    await pool.query(sql`
+      create function delete_secrets_on_social_connector_delete()
+      returns trigger as $$
+      begin
+        delete from secrets
+        where id in (
+          select secret_id from secret_connector_relations
+          where tenant_id = old.tenant_id and connector_id = old.id
+        );
+        return old;
+      end;
+      $$ language plpgsql;
+
+      create trigger delete_secrets_before_social_connector_delete
+        before delete on connectors
+        for each row
+        execute procedure delete_secrets_on_social_connector_delete();
+    `);
+
+    /** Trigger function to delete secrets when the SSO connector is deleted. */
+    await pool.query(sql`
+      create function delete_secrets_on_sso_connector_delete()
+      returns trigger as $$
+      begin
+        delete from secrets
+        where id in (
+          select secret_id from secret_connector_relations
+          where tenant_id = old.tenant_id and sso_connector_id = old.id
+        );
+        return old;
+      end;
+      $$ language plpgsql;
+
+      create trigger delete_secrets_before_sso_connector_delete
+        before delete on sso_connectors
+        for each row
+        execute procedure delete_secrets_on_sso_connector_delete();
+    `);
+
+    /** Trigger function to delete secret when the SSO identity is deleted. */
+    await pool.query(sql`
+      create function delete_secret_on_sso_identity_delete()
+      returns trigger as $$
+      begin
+        delete from secrets
+        where id in (
+          select secret_id from secret_connector_relations
+          where tenant_id = old.tenant_id
+          and sso_connector_issuer = old.issuer
+          and sso_identity_id = old.identity_id
+        )
+        -- we also need to ensure that the secret is associated with the correct user
+        and user_id = old.user_id;
+        return old;
+      end;
+      $$ language plpgsql;
+
+      create trigger delete_secret_before_sso_identity_delete
+        before delete on user_sso_identities
+        for each row
+        execute procedure delete_secret_on_sso_identity_delete();
+    `);
+
+    /** Trigger function to delete associated secrets when social identities are deleted. */
+    await pool.query(sql`
+      create function delete_secrets_on_social_identity_delete()
+      returns trigger as $$
+      declare
+        target text;
+        old_identity jsonb;
+        new_identity jsonb;
+      begin
+        -- Loop over old identities to detect deletions or modifications
+        for target in select jsonb_object_keys(old.identities)
+        loop
+          old_identity := old.identities -> target;
+          new_identity := new.identities -> target;
+
+          -- If the identity was deleted or modified, delete the associated secret
+          if new_identity is null or (new_identity->>'userId') is distinct from (old_identity->>'userId') then
+            -- Identity was removed or changed, delete the corresponding secrets
+            delete from secrets
+            using secret_connector_relations
+            where secrets.id = secret_connector_relations.secret_id
+            -- Ensure we are deleting the correct social identity
+            and secret_connector_relations.social_connector_target = target
+            and secret_connector_relations.social_identity_id = old_identity->>'userId'
+            -- Ensure we delete the correct user's secret
+            and secrets.user_id = old.id;
+          end if;
+        end loop;
+
+        return new;
+      end;
+      $$ language plpgsql;
+
+      create trigger delete_secrets_before_social_identity_delete
+        before update of identities on users
+        for each row
+        execute procedure delete_secrets_on_social_identity_delete();
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.30.0-1751337183-add-require-mfa-on-sign-in-to-users.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table users
+      add column require_mfa_on_sign_in boolean not null default true;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table users
+      drop column require_mfa_on_sign_in;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.30.0-1751400000-move-require-mfa-on-sign-in-to-logto-config.ts

@@ -0,0 +1,21 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // No need to migrate existing data, as the feature is not released yet.
+    await pool.query(sql`
+      alter table users
+      drop column require_mfa_on_sign_in;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table users
+      add column require_mfa_on_sign_in boolean not null default true;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.30.0-1751529530-add-enable-token-storage-column-to-sso-connectors-table.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors
+      add column enable_token_storage boolean not null default FALSE;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connectors
+      drop column if exists enable_token_storage;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.30.0-1752630302-alterate-enable-column-default-value-in-account-centers-table.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+      alter column enabled set default true;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+      alter column enabled set default false;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.30.0-1753669579-add-organization-user-relations-foreign-key.ts

@@ -0,0 +1,46 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Drop the existing index in users table
+    await pool.query(sql`
+      drop index if exists users__id;
+    `);
+
+    // Create a new unique index in users table
+    await pool.query(sql`
+      create unique index users__id
+        on users (tenant_id, id);
+    `);
+
+    // Apply the foreign key constraint to organization_user_relations table
+    await pool.query(sql`
+      alter table organization_user_relations
+       add constraint organization_user_relations__user_id__fk
+        foreign key (tenant_id, user_id)
+        references users (tenant_id, id)
+        on update cascade on delete cascade;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table organization_user_relations
+       drop constraint organization_user_relations__user_id__fk;
+    `);
+
+    // Drop the unique index in users table
+    await pool.query(sql`
+      drop index if exists users__id;
+    `);
+
+    // Recreate the old index in users table
+    await pool.query(sql`
+      create index users__id
+        on users (tenant_id, id);
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.29.0-1748832174-add-webauthn-related-origins.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        add column webauthn_related_origins jsonb not null default '[]'::jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        drop column webauthn_related_origins;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.29.0-1749005587-user-sso-identities-table-add-updated-at-column.js

@@ -0,0 +1,25 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table user_sso_identities
+        add column updated_at timestamptz not null default(now());
+    `);
+        await pool.query(sql `
+      create trigger set_updated_at
+        before update on user_sso_identities
+        for each row
+        execute procedure set_updated_at();
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      drop trigger set_updated_at on user_sso_identities;
+    `);
+        await pool.query(sql `
+      alter table user_sso_identities
+        drop column updated_at;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.29.0-1749026308-add-oidc-session-extension-table.js

@@ -0,0 +1,33 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table oidc_session_extensions (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        session_uid varchar(128) not null,
+        account_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        last_submission jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        updated_at timestamptz not null default(now()),
+        primary key (tenant_id, session_uid)
+      );
+    `);
+        await pool.query(sql `
+      create trigger set_updated_at
+        before update on oidc_session_extensions
+        for each row
+        execute procedure set_updated_at();
+    `);
+        await applyTableRls(pool, 'oidc_session_extensions');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'oidc_session_extensions');
+        await pool.query(sql `
+      drop table oidc_session_extensions;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.29.0-1749523818-add-custom-profile-fields.js

@@ -0,0 +1,52 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table custom_profile_fields (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        name varchar(128) not null,
+        type varchar(128) not null /* @use CustomProfileFieldType */,
+        label varchar(128) not null default '',
+        description varchar(256),
+        required boolean not null default false,
+        config jsonb /* @use CustomProfileFieldConfig */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        sie_order int2 not null default 0,
+        primary key (id),
+        constraint custom_profile_fields__name
+          unique (tenant_id, name),
+        constraint custom_profile_fields__sie_order
+          unique (tenant_id, sie_order)
+      );
+
+      create or replace function custom_profile_fields__increment_sie_order() returns trigger as
+      $$ begin
+        new.sie_order = (
+          select coalesce(max(sie_order), 0)
+          from custom_profile_fields
+          where tenant_id = (
+            select id from tenants where db_user = current_user
+          )
+        ) + 1;
+        return new;
+      end; $$ language plpgsql;
+
+      create trigger custom_profile_fields__increment_sie_order before insert on custom_profile_fields
+        for each row execute procedure custom_profile_fields__increment_sie_order();
+    `);
+        await applyTableRls(pool, 'custom_profile_fields');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'custom_profile_fields');
+        await pool.query(sql `
+      drop trigger custom_profile_fields__increment_sie_order on custom_profile_fields;
+      drop function custom_profile_fields__increment_sie_order;
+      drop table if exists custom_profile_fields;
+      drop type if exists custom_profile_field_type;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.29.0-1749724664-drop-sie-order-constraint-from-custom-profile-fields.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table custom_profile_fields
+        drop constraint custom_profile_fields__sie_order
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table custom_profile_fields
+        add constraint custom_profile_fields__sie_order unique (tenant_id, sie_order)
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.29.0-1750663091-change-user-password-encrypted-length.js

@@ -0,0 +1,14 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table users alter column password_encrypted set data type varchar(256);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table users alter column password_encrypted set data type varchar(128);
+    `);
+    },
+};
+export default alteration;