@logto/schemas 1.29.0 → 1.30.0

package/tables/secret_social_connector_relations.sql

@@ -0,0 +1,75 @@
+/* init_order = 3 */
+
+create table secret_social_connector_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  secret_id varchar(21) not null
+    references secrets (id) on update cascade on delete cascade,
+  /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
+  connector_id varchar(128) not null
+    references connectors (id) on update cascade,
+  /** The target of the social connector. e.g. 'github', 'google', etc. */
+  target varchar(256) not null,
+  /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
+  identity_id varchar(128) not null,
+  primary key (tenant_id, secret_id),
+  /** Ensures that each social identity is associated with only one secret. */
+  constraint secret_social_connector_relations__target__identity_id
+    unique (tenant_id, target, identity_id)
+);
+
+/** Trigger function to delete secrets when the social connector is deleted. */
+create function delete_secrets_on_social_connector_delete()
+returns trigger as $$
+begin
+  delete from secrets
+  where id in (
+    select secret_id from secret_social_connector_relations
+    where tenant_id = old.tenant_id and connector_id = old.id
+  );
+  return old;
+end;
+$$ language plpgsql;
+
+create trigger delete_secrets_before_social_connector_delete
+  before delete on connectors
+  for each row
+  execute procedure delete_secrets_on_social_connector_delete();
+
+
+/** Trigger function to delete associated secrets when social identities are deleted. */
+create function delete_secrets_on_social_identity_delete()
+returns trigger as $$
+declare
+  identity_target text;
+  old_identity jsonb;
+  new_identity jsonb;
+begin
+  -- Loop over old identities to detect deletions or modifications
+  for identity_target in select jsonb_object_keys(old.identities)
+  loop
+    old_identity := old.identities -> identity_target;
+    new_identity := new.identities -> identity_target;
+
+    -- If the identity was deleted or modified, delete the associated secret
+    if new_identity is null or (new_identity->>'userId') is distinct from (old_identity->>'userId') then
+      -- Identity was removed or changed, delete the corresponding secrets
+      delete from secrets
+      using secret_social_connector_relations
+      where secrets.id = secret_social_connector_relations.secret_id
+      -- Ensure we are deleting the correct social identity
+      and secret_social_connector_relations.target = identity_target
+      and secret_social_connector_relations.identity_id = old_identity->>'userId'
+      -- Ensure we delete the correct user's secret
+      and secrets.user_id = old.id;
+    end if;
+  end loop;
+
+  return new;
+end;
+$$ language plpgsql;
+
+create trigger delete_secrets_before_social_identity_delete
+  before update of identities on users
+  for each row
+  execute procedure delete_secrets_on_social_identity_delete();

package/tables/secrets.sql

@@ -7,13 +7,13 @@ create table secrets (
     references users (id) on update cascade on delete cascade,
   type varchar(256) /* @use SecretType */ not null,
   /** Encrypted data encryption key (DEK) for the secret. */
-  encrypted_dek bytea not null,
+  encrypted_dek bytea /* @use BufferLike */ not null,
   /** Initialization vector for the secret encryption. */
-  iv bytea not null,
+  iv bytea /* @use BufferLike */ not null,
   /** Authentication tag for the secret encryption. */
-  auth_tag bytea not null,
+  auth_tag bytea /* @use BufferLike */ not null,
   /** The encrypted secret data. e.g. { access_token, refresh_token } */
-  ciphertext bytea not null,
+  ciphertext bytea /* @use BufferLike */ not null,
   /** The metadata associated with the secret. */
   metadata jsonb /* @use JsonObject */ not null default '{}'::jsonb,
   created_at timestamptz not null default(now()),

package/tables/sso_connectors.sql

@@ -16,6 +16,8 @@ create table sso_connectors (
   branding jsonb /* @use SsoBranding */ not null default '{}'::jsonb,
   /** Determines whether to synchronize the user's profile on each login. */
   sync_profile boolean not null default FALSE,
+  /** Whether the token storage is enabled for this connector. Only applied for OAuth2/OIDC SSO connectors. */
+  enable_token_storage boolean not null default FALSE,
   /** When the SSO connector was created. */
   created_at timestamptz not null default(now()),
   primary key (id),

package/tables/users.sql

@@ -34,7 +34,8 @@ create table users (
     unique (tenant_id, primary_phone)
 );
 
-create index users__id
+/* Unique index on (tenant_id, id) required for foreign key constraint in organization_user_relations table. */
+create unique index users__id
   on users (tenant_id, id);
 
 create index users__name

package/lib/db-entries/secret-connector-relation.d.ts

@@ -1,40 +0,0 @@
-import { GeneratedSchema } from './../foundations/index.js';
-/**
- *
- * @remarks This is a type for database creation.
- * @see {@link SecretConnectorRelation} for the original type.
- */
-export type CreateSecretConnectorRelation = {
-    tenantId?: string;
-    secretId: string;
-    /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first. */
-    connectorId?: string | null;
-    /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first. */
-    ssoConnectorId?: string | null;
-    /** The target of the social connector. e.g. 'github', 'google', etc. */
-    socialConnectorTarget?: string | null;
-    /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
-    socialIdentityId?: string | null;
-    /** User sso connector issuer. Only present for secrets that store SSO connector tokens. */
-    ssoConnectorIssuer?: string | null;
-    /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
-    ssoIdentityId?: string | null;
-};
-export type SecretConnectorRelation = {
-    tenantId: string;
-    secretId: string;
-    /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first. */
-    connectorId: string | null;
-    /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first. */
-    ssoConnectorId: string | null;
-    /** The target of the social connector. e.g. 'github', 'google', etc. */
-    socialConnectorTarget: string | null;
-    /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
-    socialIdentityId: string | null;
-    /** User sso connector issuer. Only present for secrets that store SSO connector tokens. */
-    ssoConnectorIssuer: string | null;
-    /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
-    ssoIdentityId: string | null;
-};
-export type SecretConnectorRelationKeys = 'tenantId' | 'secretId' | 'connectorId' | 'ssoConnectorId' | 'socialConnectorTarget' | 'socialIdentityId' | 'ssoConnectorIssuer' | 'ssoIdentityId';
-export declare const SecretConnectorRelations: GeneratedSchema<SecretConnectorRelationKeys, CreateSecretConnectorRelation, SecretConnectorRelation, 'secret_connector_relations', 'secret_connector_relation'>;

package/lib/db-entries/secret-connector-relation.js

@@ -1,49 +0,0 @@
-// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
-import { z } from 'zod';
-const createGuard = z.object({
-    tenantId: z.string().max(21).optional(),
-    secretId: z.string().min(1).max(21),
-    connectorId: z.string().max(128).nullable().optional(),
-    ssoConnectorId: z.string().max(128).nullable().optional(),
-    socialConnectorTarget: z.string().max(256).nullable().optional(),
-    socialIdentityId: z.string().max(128).nullable().optional(),
-    ssoConnectorIssuer: z.string().max(256).nullable().optional(),
-    ssoIdentityId: z.string().max(128).nullable().optional(),
-});
-const guard = z.object({
-    tenantId: z.string().max(21),
-    secretId: z.string().min(1).max(21),
-    connectorId: z.string().max(128).nullable(),
-    ssoConnectorId: z.string().max(128).nullable(),
-    socialConnectorTarget: z.string().max(256).nullable(),
-    socialIdentityId: z.string().max(128).nullable(),
-    ssoConnectorIssuer: z.string().max(256).nullable(),
-    ssoIdentityId: z.string().max(128).nullable(),
-});
-export const SecretConnectorRelations = Object.freeze({
-    table: 'secret_connector_relations',
-    tableSingular: 'secret_connector_relation',
-    fields: {
-        tenantId: 'tenant_id',
-        secretId: 'secret_id',
-        connectorId: 'connector_id',
-        ssoConnectorId: 'sso_connector_id',
-        socialConnectorTarget: 'social_connector_target',
-        socialIdentityId: 'social_identity_id',
-        ssoConnectorIssuer: 'sso_connector_issuer',
-        ssoIdentityId: 'sso_identity_id',
-    },
-    fieldKeys: [
-        'tenantId',
-        'secretId',
-        'connectorId',
-        'ssoConnectorId',
-        'socialConnectorTarget',
-        'socialIdentityId',
-        'ssoConnectorIssuer',
-        'ssoIdentityId',
-    ],
-    createGuard,
-    guard,
-    updateGuard: guard.partial(),
-});

package/tables/secret_connector_relations.sql

@@ -1,78 +0,0 @@
-/* init_order = 3 */
-
-create table secret_connector_relations (
-  tenant_id varchar(21) not null
-    references tenants (id) on update cascade on delete cascade,
-  secret_id varchar(21) not null
-    references secrets (id) on update cascade on delete cascade,
-  /** Social connector ID foreign reference. Only present for secrets that store social connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
-  connector_id varchar(128)
-    references connectors (id) on update cascade,
-  /** SSO connector ID foreign reference. Only present for secrets that store SSO connector tokens. Note: avoid directly cascading deletes here, need to delete the secrets first.*/
-  sso_connector_id varchar(128)
-    references sso_connectors (id) on update cascade,
-  /** The target of the social connector. e.g. 'github', 'google', etc. */
-  social_connector_target varchar(256),
-  /** User social identity ID foreign reference. Only present for secrets that store social identity tokens. */
-  social_identity_id varchar(128),
-  /** User sso connector issuer. Only present for secrets that store SSO connector tokens. */
-  sso_connector_issuer varchar(256),
-  /** User SSO identity ID. Only present for secrets that store SSO identity tokens. */
-  sso_identity_id varchar(128),
-  primary key (tenant_id, secret_id),
-  /** Ensures that each social identity is associated with only one secret. */
-  constraint secret_connector_relations__target__social_identity_id
-    unique (tenant_id, social_connector_target, social_identity_id),
-  /** Ensures that each SSO identity is associated with only one secret. */
-  foreign key (tenant_id, sso_connector_issuer, sso_identity_id)
-    references user_sso_identities (tenant_id, issuer, identity_id) on update cascade,
-  /** Ensure that each secret is associated with a social connector or SSO connector, but not both at the same time. */
-  constraint secret_connector_relations__connector_id__sso_connector_id
-    check (
-      (
-        connector_id is not null and social_connector_target is not null and social_identity_id is not null and
-        sso_connector_id is null and sso_identity_id is null
-      ) or (
-        connector_id is null and social_connector_target is null and social_identity_id is null and
-        sso_connector_id is not null and sso_identity_id is not null
-      )
-    )
-);
-
-
-/** Trigger function to delete secrets when the social connector is deleted. */
-create function delete_secrets_on_social_connector_delete()
-returns trigger as $$
-begin
-  delete from secrets
-  where id in (
-    select secret_id from secret_connector_relations
-    where tenant_id = old.tenant_id and connector_id = old.id
-  );
-  return old;
-end;
-$$ language plpgsql;
-
-create trigger delete_secrets_before_social_connector_delete
-  before delete on connectors
-  for each row
-  execute procedure delete_secrets_on_social_connector_delete();
-
-
-/** Trigger function to delete secrets when the SSO connector is deleted. */
-create function delete_secrets_on_sso_connector_delete()
-returns trigger as $$
-begin
-  delete from secrets
-  where id in (
-    select secret_id from secret_connector_relations
-    where tenant_id = old.tenant_id and sso_connector_id = old.id
-  );
-  return old;
-end;
-$$ language plpgsql;
-
-create trigger delete_secrets_before_sso_connector_delete
-  before delete on sso_connectors
-  for each row
-  execute procedure delete_secrets_on_sso_connector_delete();