@logto/schemas 1.29.0 → 1.30.0

package/lib/types/verification-records/backup-code-verification.js

@@ -7,3 +7,6 @@ export const backupCodeVerificationRecordDataGuard = z.object({
     code: z.string().optional(),
     backupCodes: z.string().array().optional(),
 });
+export const sanitizedBackupCodeVerificationRecordDataGuard = backupCodeVerificationRecordDataGuard.omit({
+    backupCodes: true,
+});

package/lib/types/verification-records/enterprise-sso-verification.d.ts

@@ -1,4 +1,5 @@
 import { z } from 'zod';
+import { type EncryptedTokenSet } from '../secrets.js';
 import { type ExtendedSocialUserInfo } from '../sso-connector.js';
 import { VerificationType } from './verification-type.js';
 /** The JSON data type for the EnterpriseSsoVerification record stored in the interaction storage */
@@ -10,6 +11,7 @@ export type EnterpriseSsoVerificationRecordData = {
      * The enterprise SSO identity returned by the connector.
      */
     enterpriseSsoUserInfo?: ExtendedSocialUserInfo;
+    encryptedTokenSet?: EncryptedTokenSet;
     issuer?: string;
 };
 export declare const enterpriseSsoVerificationRecordDataGuard: z.ZodObject<{
@@ -38,6 +40,41 @@ export declare const enterpriseSsoVerificationRecordDataGuard: z.ZodObject<{
         avatar: z.ZodOptional<z.ZodString>;
         rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
     }, z.ZodUnknown, "strip">>>;
+    encryptedTokenSet: z.ZodOptional<z.ZodObject<{
+        encryptedTokenSetBase64: z.ZodString;
+        metadata: z.ZodObject<{
+            scope: z.ZodOptional<z.ZodString>;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+            tokenType: z.ZodOptional<z.ZodString>;
+            hasRefreshToken: z.ZodBoolean;
+        }, "strip", z.ZodTypeAny, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }>>;
     issuer: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     type: VerificationType.EnterpriseSso;
@@ -52,6 +89,114 @@ export declare const enterpriseSsoVerificationRecordDataGuard: z.ZodObject<{
         avatar: z.ZodOptional<z.ZodString>;
         rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
     }, z.ZodUnknown, "strip"> | undefined;
+    encryptedTokenSet?: {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    } | undefined;
+}, {
+    type: VerificationType.EnterpriseSso;
+    id: string;
+    connectorId: string;
+    issuer?: string | undefined;
+    enterpriseSsoUserInfo?: z.objectInputType<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        phone: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatar: z.ZodOptional<z.ZodString>;
+        rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
+    }, z.ZodUnknown, "strip"> | undefined;
+    encryptedTokenSet?: {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    } | undefined;
+}>;
+export type SanitizedEnterpriseSsoVerificationRecordData = Omit<EnterpriseSsoVerificationRecordData, 'encryptedTokenSet'>;
+export declare const sanitizedEnterpriseSsoVerificationRecordDataGuard: z.ZodObject<Omit<{
+    id: z.ZodString;
+    connectorId: z.ZodString;
+    type: z.ZodLiteral<VerificationType.EnterpriseSso>;
+    enterpriseSsoUserInfo: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        phone: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatar: z.ZodOptional<z.ZodString>;
+        rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        phone: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatar: z.ZodOptional<z.ZodString>;
+        rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        phone: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatar: z.ZodOptional<z.ZodString>;
+        rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
+    }, z.ZodUnknown, "strip">>>;
+    encryptedTokenSet: z.ZodOptional<z.ZodObject<{
+        encryptedTokenSetBase64: z.ZodString;
+        metadata: z.ZodObject<{
+            scope: z.ZodOptional<z.ZodString>;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+            tokenType: z.ZodOptional<z.ZodString>;
+            hasRefreshToken: z.ZodBoolean;
+        }, "strip", z.ZodTypeAny, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }>>;
+    issuer: z.ZodOptional<z.ZodString>;
+}, "encryptedTokenSet">, "strip", z.ZodTypeAny, {
+    type: VerificationType.EnterpriseSso;
+    id: string;
+    connectorId: string;
+    issuer?: string | undefined;
+    enterpriseSsoUserInfo?: z.objectOutputType<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        phone: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatar: z.ZodOptional<z.ZodString>;
+        rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
+    }, z.ZodUnknown, "strip"> | undefined;
 }, {
     type: VerificationType.EnterpriseSso;
     id: string;

package/lib/types/verification-records/enterprise-sso-verification.js

@@ -1,4 +1,5 @@
 import { z } from 'zod';
+import { encryptedTokenSetGuard } from '../secrets.js';
 import { extendedSocialUserInfoGuard } from '../sso-connector.js';
 import { VerificationType } from './verification-type.js';
 export const enterpriseSsoVerificationRecordDataGuard = z.object({
@@ -6,5 +7,9 @@ export const enterpriseSsoVerificationRecordDataGuard = z.object({
     connectorId: z.string(),
     type: z.literal(VerificationType.EnterpriseSso),
     enterpriseSsoUserInfo: extendedSocialUserInfoGuard.optional(),
+    encryptedTokenSet: encryptedTokenSetGuard.optional(),
     issuer: z.string().optional(),
 });
+export const sanitizedEnterpriseSsoVerificationRecordDataGuard = enterpriseSsoVerificationRecordDataGuard.omit({
+    encryptedTokenSet: true,
+});

package/lib/types/verification-records/new-password-identity-verification.d.ts

@@ -52,3 +52,34 @@ export declare const newPasswordIdentityVerificationRecordDataGuard: z.ZodObject
     passwordEncrypted?: string | undefined;
     passwordEncryptionMethod?: UsersPasswordEncryptionMethod.Argon2i | undefined;
 }>;
+export type SanitizedNewPasswordIdentityVerificationRecordData = Omit<NewPasswordIdentityVerificationRecordData, 'passwordEncrypted' | 'passwordEncryptionMethod'>;
+export declare const sanitizedNewPasswordIdentityVerificationRecordDataGuard: z.ZodObject<Omit<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.NewPasswordIdentity>;
+    identifier: z.ZodObject<{
+        type: z.ZodNativeEnum<typeof import("../../index.js").SignInIdentifier>;
+        value: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    }, {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    }>;
+    passwordEncrypted: z.ZodOptional<z.ZodString>;
+    passwordEncryptionMethod: z.ZodOptional<z.ZodLiteral<UsersPasswordEncryptionMethod.Argon2i>>;
+}, "passwordEncrypted" | "passwordEncryptionMethod">, "strip", z.ZodTypeAny, {
+    type: VerificationType.NewPasswordIdentity;
+    id: string;
+    identifier: {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    };
+}, {
+    type: VerificationType.NewPasswordIdentity;
+    id: string;
+    identifier: {
+        value: string;
+        type: import("../../index.js").SignInIdentifier;
+    };
+}>;

package/lib/types/verification-records/new-password-identity-verification.js

@@ -14,3 +14,7 @@ export const newPasswordIdentityVerificationRecordDataGuard = z.object({
     passwordEncrypted: z.string().optional(),
     passwordEncryptionMethod: z.literal(UsersPasswordEncryptionMethod.Argon2i).optional(),
 });
+export const sanitizedNewPasswordIdentityVerificationRecordDataGuard = newPasswordIdentityVerificationRecordDataGuard.omit({
+    passwordEncrypted: true,
+    passwordEncryptionMethod: true,
+});

package/lib/types/verification-records/social-verification.d.ts

@@ -1,5 +1,6 @@
 import { type ConnectorSession, type SocialUserInfo } from '@logto/connector-kit';
 import { z } from 'zod';
+import { type EncryptedTokenSet } from '../secrets.js';
 import { VerificationType } from './verification-type.js';
 /** The JSON data type for the SocialVerification record stored in the interaction storage */
 export type SocialVerificationRecordData = {
@@ -10,6 +11,7 @@ export type SocialVerificationRecordData = {
      * The social identity returned by the connector.
      */
     socialUserInfo?: SocialUserInfo;
+    encryptedTokenSet?: EncryptedTokenSet;
     /**
      * The connector session result
      */
@@ -41,6 +43,41 @@ export declare const socialVerificationRecordDataGuard: z.ZodObject<{
         avatar?: string | undefined;
         rawData?: import("@withtyped/server").Json | undefined;
     }>>;
+    encryptedTokenSet: z.ZodOptional<z.ZodObject<{
+        encryptedTokenSetBase64: z.ZodString;
+        metadata: z.ZodObject<{
+            scope: z.ZodOptional<z.ZodString>;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+            tokenType: z.ZodOptional<z.ZodString>;
+            hasRefreshToken: z.ZodBoolean;
+        }, "strip", z.ZodTypeAny, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }>>;
     connectorSession: z.ZodOptional<z.ZodObject<{
         nonce: z.ZodOptional<z.ZodString>;
         redirectUri: z.ZodOptional<z.ZodString>;
@@ -67,6 +104,15 @@ export declare const socialVerificationRecordDataGuard: z.ZodObject<{
     type: VerificationType.Social;
     id: string;
     connectorId: string;
+    encryptedTokenSet?: {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    } | undefined;
     socialUserInfo?: {
         id: string;
         name?: string | undefined;
@@ -87,6 +133,15 @@ export declare const socialVerificationRecordDataGuard: z.ZodObject<{
     type: VerificationType.Social;
     id: string;
     connectorId: string;
+    encryptedTokenSet?: {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    } | undefined;
     socialUserInfo?: {
         id: string;
         name?: string | undefined;
@@ -104,3 +159,112 @@ export declare const socialVerificationRecordDataGuard: z.ZodObject<{
         state: z.ZodOptional<z.ZodString>;
     }, z.ZodUnknown, "strip"> | undefined;
 }>;
+export type SanitizedSocialVerificationRecordData = Omit<SocialVerificationRecordData, 'encryptedTokenSet' | 'connectorSession'>;
+export declare const sanitizedSocialVerificationRecordDataGuard: z.ZodObject<Omit<{
+    id: z.ZodString;
+    connectorId: z.ZodString;
+    type: z.ZodLiteral<VerificationType.Social>;
+    socialUserInfo: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        phone: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatar: z.ZodOptional<z.ZodString>;
+        rawData: z.ZodOptional<z.ZodType<import("@withtyped/server").Json, z.ZodTypeDef, import("@withtyped/server").Json>>;
+    }, "strip", z.ZodTypeAny, {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    }, {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    }>>;
+    encryptedTokenSet: z.ZodOptional<z.ZodObject<{
+        encryptedTokenSetBase64: z.ZodString;
+        metadata: z.ZodObject<{
+            scope: z.ZodOptional<z.ZodString>;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+            tokenType: z.ZodOptional<z.ZodString>;
+            hasRefreshToken: z.ZodBoolean;
+        }, "strip", z.ZodTypeAny, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }, {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }, {
+        metadata: {
+            hasRefreshToken: boolean;
+            scope?: string | undefined;
+            expiresAt?: number | undefined;
+            tokenType?: string | undefined;
+        };
+        encryptedTokenSetBase64: string;
+    }>>;
+    connectorSession: z.ZodOptional<z.ZodObject<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        nonce: z.ZodOptional<z.ZodString>;
+        redirectUri: z.ZodOptional<z.ZodString>;
+        connectorId: z.ZodOptional<z.ZodString>;
+        connectorFactoryId: z.ZodOptional<z.ZodString>;
+        jti: z.ZodOptional<z.ZodString>;
+        state: z.ZodOptional<z.ZodString>;
+    }, z.ZodUnknown, "strip">>>;
+}, "encryptedTokenSet" | "connectorSession">, "strip", z.ZodTypeAny, {
+    type: VerificationType.Social;
+    id: string;
+    connectorId: string;
+    socialUserInfo?: {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    } | undefined;
+}, {
+    type: VerificationType.Social;
+    id: string;
+    connectorId: string;
+    socialUserInfo?: {
+        id: string;
+        name?: string | undefined;
+        email?: string | undefined;
+        phone?: string | undefined;
+        avatar?: string | undefined;
+        rawData?: import("@withtyped/server").Json | undefined;
+    } | undefined;
+}>;

package/lib/types/verification-records/social-verification.js

@@ -1,10 +1,16 @@
 import { connectorSessionGuard, socialUserInfoGuard, } from '@logto/connector-kit';
 import { z } from 'zod';
+import { encryptedTokenSetGuard } from '../secrets.js';
 import { VerificationType } from './verification-type.js';
 export const socialVerificationRecordDataGuard = z.object({
     id: z.string(),
     connectorId: z.string(),
     type: z.literal(VerificationType.Social),
     socialUserInfo: socialUserInfoGuard.optional(),
+    encryptedTokenSet: encryptedTokenSetGuard.optional(),
     connectorSession: connectorSessionGuard.optional(),
 });
+export const sanitizedSocialVerificationRecordDataGuard = socialVerificationRecordDataGuard.omit({
+    encryptedTokenSet: true,
+    connectorSession: true,
+});

package/lib/types/verification-records/totp-verification.d.ts

@@ -27,3 +27,21 @@ export declare const totpVerificationRecordDataGuard: z.ZodObject<{
     verified: boolean;
     secret?: string | undefined;
 }>;
+export type SanitizedTotpVerificationRecordData = Omit<TotpVerificationRecordData, 'secret'>;
+export declare const sanitizedTotpVerificationRecordDataGuard: z.ZodObject<Omit<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.TOTP>;
+    userId: z.ZodString;
+    secret: z.ZodOptional<z.ZodString>;
+    verified: z.ZodBoolean;
+}, "secret">, "strip", z.ZodTypeAny, {
+    type: VerificationType.TOTP;
+    id: string;
+    userId: string;
+    verified: boolean;
+}, {
+    type: VerificationType.TOTP;
+    id: string;
+    userId: string;
+    verified: boolean;
+}>;

package/lib/types/verification-records/totp-verification.js

@@ -7,3 +7,6 @@ export const totpVerificationRecordDataGuard = z.object({
     secret: z.string().optional(),
     verified: z.boolean(),
 });
+export const sanitizedTotpVerificationRecordDataGuard = totpVerificationRecordDataGuard.omit({
+    secret: true,
+});

package/lib/types/verification-records/web-authn-verification.d.ts

@@ -78,3 +78,47 @@ export declare const webAuthnVerificationRecordDataGuard: z.ZodObject<{
         name?: string | undefined;
     } | undefined;
 }>;
+export type SanitizedWebAuthnVerificationRecordData = Omit<WebAuthnVerificationRecordData, 'registrationInfo' | 'registrationChallenge' | 'authenticationChallenge'>;
+export declare const sanitizedWebAuthnVerificationRecordDataGuard: z.ZodObject<Omit<{
+    id: z.ZodString;
+    type: z.ZodLiteral<VerificationType.WebAuthn>;
+    userId: z.ZodString;
+    verified: z.ZodBoolean;
+    registrationChallenge: z.ZodOptional<z.ZodString>;
+    authenticationChallenge: z.ZodOptional<z.ZodString>;
+    registrationInfo: z.ZodOptional<z.ZodObject<{
+        type: z.ZodLiteral<import("../../index.js").MfaFactor.WebAuthn>;
+        credentialId: z.ZodString;
+        publicKey: z.ZodString;
+        transports: z.ZodArray<z.ZodEnum<["usb", "nfc", "ble", "internal", "cable", "hybrid", "smart-card"]>, "many">;
+        counter: z.ZodNumber;
+        agent: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }>>;
+}, "registrationChallenge" | "authenticationChallenge" | "registrationInfo">, "strip", z.ZodTypeAny, {
+    type: VerificationType.WebAuthn;
+    id: string;
+    userId: string;
+    verified: boolean;
+}, {
+    type: VerificationType.WebAuthn;
+    id: string;
+    userId: string;
+    verified: boolean;
+}>;

package/lib/types/verification-records/web-authn-verification.js

@@ -10,3 +10,8 @@ export const webAuthnVerificationRecordDataGuard = z.object({
     authenticationChallenge: z.string().optional(),
     registrationInfo: bindWebAuthnGuard.optional(),
 });
+export const sanitizedWebAuthnVerificationRecordDataGuard = webAuthnVerificationRecordDataGuard.omit({
+    registrationInfo: true,
+    registrationChallenge: true,
+    authenticationChallenge: true,
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.29.0",
+  "version": "1.30.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -63,14 +63,14 @@
   },
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
-    "@logto/connector-kit": "^4.3.0",
+    "@withtyped/server": "^0.14.0",
+    "nanoid": "^5.0.9",
+    "@logto/connector-kit": "^4.4.0",
     "@logto/core-kit": "^2.6.0",
     "@logto/language-kit": "^1.2.0",
-    "@logto/phrases": "^1.19.0",
-    "@logto/phrases-experience": "^1.10.0",
     "@logto/shared": "^3.3.0",
-    "@withtyped/server": "^0.14.0",
-    "nanoid": "^5.0.9"
+    "@logto/phrases": "^1.19.0",
+    "@logto/phrases-experience": "^1.10.0"
   },
   "peerDependencies": {
     "zod": "3.24.3"

package/tables/account_centers.sql

@@ -3,7 +3,7 @@ create table account_centers (
     references tenants (id) on update cascade on delete cascade,
   id varchar(21) not null,
   /** The whole feature can be disabled */
-  enabled boolean not null default false,
+  enabled boolean not null default true,
   /** Control each fields */
   fields jsonb /* @use AccountCenterFieldControl */ not null default '{}'::jsonb,
   webauthn_related_origins jsonb /* @use WebauthnRelatedOrigins */ not null default '[]'::jsonb,

package/tables/connectors.sql

@@ -5,6 +5,8 @@ create table connectors (
     references tenants (id) on update cascade on delete cascade,
   id varchar(128) not null,
   sync_profile boolean not null default FALSE,
+  /** Whether the token storage is enabled for this connector. Only applied for OAuth2/OIDC social connectors. */
+  enable_token_storage boolean not null default FALSE,
   connector_id varchar(128) not null,
   config jsonb /* @use JsonObject */ not null default '{}'::jsonb,
   metadata jsonb /* @use ConfigurableConnectorMetadata */ not null default '{}'::jsonb,

package/tables/organization_user_relations.sql

@@ -8,5 +8,8 @@ create table organization_user_relations (
     references organizations (id) on update cascade on delete cascade,
   user_id varchar(21) not null
     references users (id) on update cascade on delete cascade,
-  primary key (tenant_id, organization_id, user_id)
+  primary key (tenant_id, organization_id, user_id),
+  constraint organization_user_relations__user_id__fk
+    foreign key (tenant_id, user_id)
+      references users (tenant_id, id) on update cascade on delete cascade
 );

package/tables/secret_enterprise_sso_connector_relations.sql

@@ -0,0 +1,60 @@
+/* init_order = 3 */
+
+create table secret_enterprise_sso_connector_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  secret_id varchar(21) not null
+    references secrets (id) on update cascade on delete cascade,
+  /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+  sso_connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade,
+  /** User SSO connector issuer. Only present for secrets that store SSO connector tokens. */
+  issuer varchar(256) not null,
+  /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
+  identity_id varchar(128) not null,
+  primary key (tenant_id, secret_id),
+  /** Ensures that each SSO identity is associated with only one secret. */
+  foreign key (tenant_id, issuer, identity_id)
+    references user_sso_identities (tenant_id, issuer, identity_id) on update cascade
+);
+
+/** Trigger function to delete secrets when the SSO connector is deleted. */
+create function delete_secrets_on_sso_connector_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_enterprise_sso_connector_relations
+    where tenant_id = old.tenant_id and sso_connector_id = old.id
+  );
+  return old;
+end;
+$$ language plpgsql;
+
+create trigger delete_secrets_before_sso_connector_delete
+  before delete on sso_connectors
+  for each row
+  execute procedure delete_secrets_on_sso_connector_delete();
+
+
+/** Trigger function to delete secret when the SSO identity is deleted. */
+create function delete_secret_on_sso_identity_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_enterprise_sso_connector_relations
+    where tenant_id = old.tenant_id
+    and issuer = old.issuer
+    and identity_id = old.identity_id
+  )
+  -- we also need to ensure that the secret is associated with the correct user
+  and user_id = old.user_id;
+  return old;
+end;
+$$ language plpgsql;
+
+create trigger delete_secret_before_sso_identity_delete
+  before delete on user_sso_identities
+  for each row
+  execute procedure delete_secret_on_sso_identity_delete();