@logto/schemas 1.33.0 → 1.35.0

package/lib/types/interactions.js

@@ -21,10 +21,16 @@ export const interactionIdentifierGuard = z.object({
     type: z.nativeEnum(SignInIdentifier),
     value: z.string(),
 });
-export const verificationCodeIdentifierGuard = z.object({
-    type: z.enum([SignInIdentifier.Email, SignInIdentifier.Phone]),
-    value: z.string(),
-});
+export const verificationCodeIdentifierGuard = z.discriminatedUnion('type', [
+    z.object({
+        type: z.literal(SignInIdentifier.Email),
+        value: z.string().regex(emailRegEx),
+    }),
+    z.object({
+        type: z.literal(SignInIdentifier.Phone),
+        value: z.string().regex(phoneRegEx),
+    }),
+]);
 export const socialAuthorizationUrlPayloadGuard = z.object({
     state: z.string(),
     redirectUri: z.string(),

package/lib/types/sign-in-experience.d.ts

@@ -1,7 +1,7 @@
 import { type ConnectorMetadata, type GoogleOneTapConfig } from '@logto/connector-kit';
 import { z } from 'zod';
 import { type CustomProfileField, type SignInExperience } from '../db-entries/index.js';
-import { CaptchaType } from '../foundations/jsonb-types/index.js';
+import { CaptchaType, RecaptchaEnterpriseMode } from '../foundations/jsonb-types/index.js';
 import { type SsoConnectorMetadata } from './sso-connector.js';
 type ForgotPassword = {
     phone: boolean;
@@ -32,6 +32,8 @@ export type FullSignInExperience = Omit<SignInExperience, 'forgotPasswordMethods
     captchaConfig?: {
         type: CaptchaType;
         siteKey: string;
+        domain?: string;
+        mode?: RecaptchaEnterpriseMode;
     };
     customProfileFields?: Readonly<CustomProfileField[]>;
 };
@@ -674,12 +676,18 @@ export declare const fullSignInExperienceGuard: z.ZodObject<Omit<{
     captchaConfig: z.ZodOptional<z.ZodObject<{
         type: z.ZodNativeEnum<typeof CaptchaType>;
         siteKey: z.ZodString;
+        domain: z.ZodOptional<z.ZodString>;
+        mode: z.ZodOptional<z.ZodNativeEnum<typeof RecaptchaEnterpriseMode>>;
     }, "strip", z.ZodTypeAny, {
         type: CaptchaType;
         siteKey: string;
+        domain?: string | undefined;
+        mode?: RecaptchaEnterpriseMode | undefined;
     }, {
         type: CaptchaType;
         siteKey: string;
+        domain?: string | undefined;
+        mode?: RecaptchaEnterpriseMode | undefined;
     }>>;
     customProfileFields: z.ZodArray<import("../index.js").Guard<CustomProfileField>, "many">;
 }, "strip", z.ZodTypeAny, {
@@ -873,6 +881,8 @@ export declare const fullSignInExperienceGuard: z.ZodObject<Omit<{
     captchaConfig?: {
         type: CaptchaType;
         siteKey: string;
+        domain?: string | undefined;
+        mode?: RecaptchaEnterpriseMode | undefined;
     } | undefined;
 }, {
     id: string;
@@ -1065,6 +1075,8 @@ export declare const fullSignInExperienceGuard: z.ZodObject<Omit<{
     captchaConfig?: {
         type: CaptchaType;
         siteKey: string;
+        domain?: string | undefined;
+        mode?: RecaptchaEnterpriseMode | undefined;
     } | undefined;
 }>;
 export {};

package/lib/types/sign-in-experience.js

@@ -1,7 +1,7 @@
 import { connectorMetadataGuard, googleOneTapConfigGuard, } from '@logto/connector-kit';
 import { z } from 'zod';
 import { CustomProfileFields, SignInExperiences, } from '../db-entries/index.js';
-import { CaptchaType } from '../foundations/jsonb-types/index.js';
+import { CaptchaType, RecaptchaEnterpriseMode } from '../foundations/jsonb-types/index.js';
 import { ssoConnectorMetadataGuard } from './sso-connector.js';
 export const fullSignInExperienceGuard = SignInExperiences.guard
     .omit({ forgotPasswordMethods: true })
@@ -25,6 +25,8 @@ export const fullSignInExperienceGuard = SignInExperiences.guard
         .object({
         type: z.nativeEnum(CaptchaType),
         siteKey: z.string(),
+        domain: z.string().optional(),
+        mode: z.nativeEnum(RecaptchaEnterpriseMode).optional(),
     })
         .optional(),
     customProfileFields: CustomProfileFields.guard.array(),

package/lib/types/user.d.ts

@@ -316,6 +316,7 @@ export type UserProfileResponse = z.infer<typeof userProfileResponseGuard>;
 export declare const userMfaVerificationResponseGuard: z.ZodArray<z.ZodObject<{
     id: z.ZodString;
     createdAt: z.ZodString;
+    lastUsedAt: z.ZodOptional<z.ZodString>;
     type: z.ZodNativeEnum<typeof MfaFactor>;
     agent: z.ZodOptional<z.ZodString>;
     name: z.ZodOptional<z.ZodString>;
@@ -325,6 +326,7 @@ export declare const userMfaVerificationResponseGuard: z.ZodArray<z.ZodObject<{
     id: string;
     createdAt: string;
     name?: string | undefined;
+    lastUsedAt?: string | undefined;
     agent?: string | undefined;
     remainCodes?: number | undefined;
 }, {
@@ -332,6 +334,7 @@ export declare const userMfaVerificationResponseGuard: z.ZodArray<z.ZodObject<{
     id: string;
     createdAt: string;
     name?: string | undefined;
+    lastUsedAt?: string | undefined;
     agent?: string | undefined;
     remainCodes?: number | undefined;
 }>, "many">;

package/lib/types/user.js

@@ -29,6 +29,7 @@ export const userMfaVerificationResponseGuard = z
     .object({
     id: z.string(),
     createdAt: z.string(),
+    lastUsedAt: z.string().optional(),
     type: z.nativeEnum(MfaFactor),
     agent: z.string().optional(),
     name: z.string().optional(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.33.0",
+  "version": "1.35.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -65,11 +65,11 @@
   "dependencies": {
     "@withtyped/server": "^0.14.0",
     "nanoid": "^5.0.9",
-    "@logto/language-kit": "^1.2.0",
+    "@logto/connector-kit": "^4.7.0",
     "@logto/core-kit": "^2.6.1",
-    "@logto/connector-kit": "^4.6.0",
-    "@logto/phrases": "^1.22.0",
+    "@logto/phrases": "^1.24.0",
     "@logto/phrases-experience": "^1.12.0",
+    "@logto/language-kit": "^1.2.0",
     "@logto/shared": "^3.3.0"
   },
   "peerDependencies": {

package/tables/_after_all.sql

@@ -13,7 +13,7 @@ revoke all privileges
   from logto_tenant_${database};
 
 -- Allow limited select to perform the RLS policy query in `after_each` (using select ... from tenants ...)
-grant select (id, db_user, is_suspended)
+grant select (id, db_user, is_suspended, tag)
   on table tenants
   to logto_tenant_${database};
 

package/tables/aggregated_daily_active_users.sql

@@ -0,0 +1,16 @@
+/** This table is used to store aggregated data of daily active users for each tenant. A daily job summarizes data from the daily active users table and inserts it into this table, or removes expired data. Therefore, we should not directly manipulate this table, except for "read" operations. */
+create table aggregated_daily_active_users (
+  tenant_id varchar(21) not null,
+  activity_date date not null,
+  user_id varchar(21) not null,
+  activity_count integer not null,
+  primary key (tenant_id, activity_date, user_id)
+);
+
+-- Index for billing cycle range queries
+create index aggregated_daily_active_users__tenant_date
+  on aggregated_daily_active_users (tenant_id, activity_date);
+
+-- Index for tenant-specific user activity queries
+create index aggregated_daily_active_users__tenant_user_date
+  on aggregated_daily_active_users (tenant_id, user_id, activity_date desc);

package/tables/daily_active_users.sql

@@ -1,7 +1,6 @@
 create table daily_active_users (
   id varchar(21) not null,
-  tenant_id varchar(21) not null
-    references tenants (id) on update cascade on delete cascade,
+  tenant_id varchar(21) not null,
   user_id varchar(21) not null,
   date timestamptz not null default (now()),
   primary key (id),
@@ -9,8 +8,14 @@ create table daily_active_users (
     unique (user_id, date)
 );
 
-create index daily_active_users__id
-  on daily_active_users (tenant_id, id);
+-- Optimized index for aggregation queries with better write performance
+create index daily_active_users__tenant_date_user
+  on daily_active_users (tenant_id, date, user_id);
+
+-- BRIN index for time-series date range queries
+-- Optimized for sequential data insertion and range scans (date >= ?)
+create index daily_active_users__date_brin
+  on daily_active_users using brin (date);
 
 create index daily_active_users__date
   on daily_active_users (tenant_id, date);

package/tables/daily_token_usage.sql

@@ -1,8 +1,9 @@
 create table daily_token_usage (
   id varchar(21) not null,
-  tenant_id varchar(21) not null
-    references tenants (id) on update cascade on delete cascade,
+  tenant_id varchar(21) not null,
   usage bigint not null default(0),
+  user_token_usage bigint not null default(0),
+  m2m_token_usage bigint not null default(0),
   date timestamptz not null,
   primary key (id)
 );

package/tables/logs.sql

@@ -10,9 +10,6 @@ create table logs (
   primary key (id)
 );
 
-create index logs__id
-  on logs (tenant_id, id);
-
 create index logs__key
   on logs (tenant_id, key);
 
@@ -24,3 +21,6 @@ create index logs__application_id
 
 create index logs__hook_id
   on logs (tenant_id, (payload->>'hookId'));
+
+create index logs__created_at_id
+  on logs (tenant_id, created_at, id);

package/tables/organization_roles.sql

@@ -20,6 +20,9 @@ create table organization_roles (
 create index organization_roles__id
   on organization_roles (tenant_id, id);
 
+create index organization_roles__type
+  on organization_roles (tenant_id, type);
+
 create function check_organization_role_type(role_id varchar(21), target_type role_type) returns boolean as
 $$ begin
   return (select type from organization_roles where id = role_id) = target_type;

package/tables/saml_application_sessions.sql

@@ -12,7 +12,7 @@ create table saml_application_sessions (
   /** The identifier of the OIDC auth request state. */
   oidc_state varchar(32),
   /** The relay state of the SAML auth request. */
-  relay_state varchar(256),
+  relay_state varchar(512),
   /** The raw request of the SAML auth request. */
   raw_auth_request text not null,
   created_at timestamptz not null default(now()),