@logto/schemas 1.35.0 → 1.36.0

package/alterations/1.36.0-1767193412-allow-token-exchange.ts

@@ -0,0 +1,34 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    /**
+     * For backward compatibility, set allowTokenExchange = true for existing first-party
+     * Traditional, Native, and SPA applications.
+     * M2M applications were never allowed to use token exchange before this feature.
+     *
+     * The admin-console should keep token exchange disabled, so we skip it here.
+     */
+    await pool.query(sql`
+      update applications
+        set custom_client_metadata = custom_client_metadata || '{"allowTokenExchange": true}'::jsonb
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+  },
+  down: async (pool) => {
+    // Remove allowTokenExchange only from applications that were updated in the `up` migration
+    await pool.query(sql`
+      update applications
+        set custom_client_metadata = custom_client_metadata - 'allowTokenExchange'
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1767859553-passkey-sign-in.ts

@@ -0,0 +1,21 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column passkey_sign_in jsonb /* @use PasskeySignIn */ not null default '{}'::jsonb;
+      create index users_mfa_verifications_gin on users using gin (mfa_verifications jsonb_path_ops);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences drop column passkey_sign_in;
+      drop index users_mfa_verifications_gin;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768192304-enable-account-center-for-admin-tenant.ts

@@ -0,0 +1,32 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+/**
+ * Enable the account center for the admin tenant and set all fields to Edit.
+ * This allows the console profile page to use the Account API.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update account_centers
+      set enabled = true,
+          fields = '{"name": "Edit", "avatar": "Edit", "profile": "Edit", "email": "Edit", "phone": "Edit", "password": "Edit", "username": "Edit", "social": "Edit", "customData": "Edit", "mfa": "Edit"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update account_centers
+      set enabled = false,
+          fields = '{}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768464306-enable-mfa-for-admin-tenant.ts

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+/**
+ * Enable MFA (TOTP and WebAuthn) for the admin tenant with NoPrompt policy.
+ * This allows users to optionally set up MFA via the account center.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = '{"factors":["Totp","WebAuthn","BackupCode"],"policy":"NoPrompt"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = '{"factors":[],"policy":"UserControlled"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768758295-add-user-geo-location.ts

@@ -0,0 +1,32 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table user_geo_locations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        latitude numeric(9,6),
+        longitude numeric(9,6),
+        updated_at timestamptz not null default now(),
+        primary key (tenant_id, user_id),
+        check ((latitude is null) = (longitude is null))
+      );
+    `);
+    await applyTableRls(pool, 'user_geo_locations');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'user_geo_locations');
+    await pool.query(sql`
+      drop table user_geo_locations;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768891516-add-user-sign-in-countries-table.ts

@@ -0,0 +1,33 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table user_sign_in_countries (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        country varchar(16) not null,
+        last_sign_in_at timestamptz not null default(now()),
+        primary key (tenant_id, user_id, country)
+      );
+
+      create index user_sign_in_countries__tenant_user_last_sign_in_at
+        on user_sign_in_countries (tenant_id, user_id, last_sign_in_at desc);
+    `);
+    await applyTableRls(pool, 'user_sign_in_countries');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'user_sign_in_countries');
+    await pool.query(sql`
+      drop table user_sign_in_countries;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1769067642-add-adaptive-mfa-configuration.ts

@@ -0,0 +1,19 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column adaptive_mfa jsonb not null default '{}'::jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences drop column adaptive_mfa;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1769172677-enable-organization-mfa-policy-for-admin-tenant.ts

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+/**
+ * Enable organization required MFA policy for the admin tenant.
+ * This allows tenant admins to require MFA for all tenant members
+ * by setting `isMfaRequired: true` on the organization.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = jsonb_set(mfa, '{organizationRequiredMfaPolicy}', '"Mandatory"')
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = mfa - 'organizationRequiredMfaPolicy'
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.36.0-1767193412-allow-token-exchange.js

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        /**
+         * For backward compatibility, set allowTokenExchange = true for existing first-party
+         * Traditional, Native, and SPA applications.
+         * M2M applications were never allowed to use token exchange before this feature.
+         *
+         * The admin-console should keep token exchange disabled, so we skip it here.
+         */
+        await pool.query(sql `
+      update applications
+        set custom_client_metadata = custom_client_metadata || '{"allowTokenExchange": true}'::jsonb
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+    },
+    down: async (pool) => {
+        // Remove allowTokenExchange only from applications that were updated in the `up` migration
+        await pool.query(sql `
+      update applications
+        set custom_client_metadata = custom_client_metadata - 'allowTokenExchange'
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1767859553-passkey-sign-in.js

@@ -0,0 +1,17 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column passkey_sign_in jsonb /* @use PasskeySignIn */ not null default '{}'::jsonb;
+      create index users_mfa_verifications_gin on users using gin (mfa_verifications jsonb_path_ops);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences drop column passkey_sign_in;
+      drop index users_mfa_verifications_gin;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768192304-enable-account-center-for-admin-tenant.js

@@ -0,0 +1,27 @@
+import { sql } from '@silverhand/slonik';
+const adminTenantId = 'admin';
+/**
+ * Enable the account center for the admin tenant and set all fields to Edit.
+ * This allows the console profile page to use the Account API.
+ */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      update account_centers
+      set enabled = true,
+          fields = '{"name": "Edit", "avatar": "Edit", "profile": "Edit", "email": "Edit", "phone": "Edit", "password": "Edit", "username": "Edit", "social": "Edit", "customData": "Edit", "mfa": "Edit"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update account_centers
+      set enabled = false,
+          fields = '{}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768464306-enable-mfa-for-admin-tenant.js

@@ -0,0 +1,25 @@
+import { sql } from '@silverhand/slonik';
+const adminTenantId = 'admin';
+/**
+ * Enable MFA (TOTP and WebAuthn) for the admin tenant with NoPrompt policy.
+ * This allows users to optionally set up MFA via the account center.
+ */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = '{"factors":["Totp","WebAuthn","BackupCode"],"policy":"NoPrompt"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = '{"factors":[],"policy":"UserControlled"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768758295-add-user-geo-location.js

@@ -0,0 +1,27 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table user_geo_locations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        latitude numeric(9,6),
+        longitude numeric(9,6),
+        updated_at timestamptz not null default now(),
+        primary key (tenant_id, user_id),
+        check ((latitude is null) = (longitude is null))
+      );
+    `);
+        await applyTableRls(pool, 'user_geo_locations');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'user_geo_locations');
+        await pool.query(sql `
+      drop table user_geo_locations;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768891516-add-user-sign-in-countries-table.js

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table user_sign_in_countries (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        country varchar(16) not null,
+        last_sign_in_at timestamptz not null default(now()),
+        primary key (tenant_id, user_id, country)
+      );
+
+      create index user_sign_in_countries__tenant_user_last_sign_in_at
+        on user_sign_in_countries (tenant_id, user_id, last_sign_in_at desc);
+    `);
+        await applyTableRls(pool, 'user_sign_in_countries');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'user_sign_in_countries');
+        await pool.query(sql `
+      drop table user_sign_in_countries;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1769067642-add-adaptive-mfa-configuration.js

@@ -0,0 +1,15 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column adaptive_mfa jsonb not null default '{}'::jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences drop column adaptive_mfa;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1769172677-enable-organization-mfa-policy-for-admin-tenant.js

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+const adminTenantId = 'admin';
+/**
+ * Enable organization required MFA policy for the admin tenant.
+ * This allows tenant admins to require MFA for all tenant members
+ * by setting `isMfaRequired: true` on the organization.
+ */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = jsonb_set(mfa, '{organizationRequiredMfaPolicy}', '"Mandatory"')
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = mfa - 'organizationRequiredMfaPolicy'
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/index.d.ts

@@ -62,6 +62,8 @@ export * from './sso-connector-idp-initiated-auth-config.js';
 export * from './sso-connector.js';
 export * from './subject-token.js';
 export * from './system.js';
+export * from './user-geo-location.js';
+export * from './user-sign-in-country.js';
 export * from './user-sso-identity.js';
 export * from './user.js';
 export * from './users-role.js';

package/lib/db-entries/index.js

@@ -63,6 +63,8 @@ export * from './sso-connector-idp-initiated-auth-config.js';
 export * from './sso-connector.js';
 export * from './subject-token.js';
 export * from './system.js';
+export * from './user-geo-location.js';
+export * from './user-sign-in-country.js';
 export * from './user-sso-identity.js';
 export * from './user.js';
 export * from './users-role.js';

package/lib/db-entries/sign-in-experience.d.ts

@@ -1,4 +1,4 @@
-import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, PartialPasswordPolicy, Mfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, GeneratedSchema } from './../foundations/index.js';
+import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, PartialPasswordPolicy, Mfa, AdaptiveMfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, PasskeySignIn, GeneratedSchema } from './../foundations/index.js';
 import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
 /**
  *
@@ -26,6 +26,7 @@ export type CreateSignInExperience = {
     customUiAssets?: CustomUiAssets | null;
     passwordPolicy?: PartialPasswordPolicy;
     mfa?: Mfa;
+    adaptiveMfa?: AdaptiveMfa;
     singleSignOnEnabled?: boolean;
     supportEmail?: string | null;
     supportWebsiteUrl?: string | null;
@@ -34,6 +35,7 @@ export type CreateSignInExperience = {
     sentinelPolicy?: SentinelPolicy;
     emailBlocklistPolicy?: EmailBlocklistPolicy;
     forgotPasswordMethods?: ForgotPasswordMethods | null;
+    passkeySignIn?: PasskeySignIn;
 };
 export type SignInExperience = {
     tenantId: string;
@@ -56,6 +58,7 @@ export type SignInExperience = {
     customUiAssets: CustomUiAssets | null;
     passwordPolicy: PartialPasswordPolicy;
     mfa: Mfa;
+    adaptiveMfa: AdaptiveMfa;
     singleSignOnEnabled: boolean;
     supportEmail: string | null;
     supportWebsiteUrl: string | null;
@@ -64,6 +67,7 @@ export type SignInExperience = {
     sentinelPolicy: SentinelPolicy;
     emailBlocklistPolicy: EmailBlocklistPolicy;
     forgotPasswordMethods: ForgotPasswordMethods | null;
+    passkeySignIn: PasskeySignIn;
 };
-export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'passwordPolicy' | 'mfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods';
+export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'passwordPolicy' | 'mfa' | 'adaptiveMfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods' | 'passkeySignIn';
 export declare const SignInExperiences: GeneratedSchema<SignInExperienceKeys, CreateSignInExperience, SignInExperience, 'sign_in_experiences', 'sign_in_experience'>;

package/lib/db-entries/sign-in-experience.js

@@ -1,6 +1,6 @@
 // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
 import { z } from 'zod';
-import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, partialPasswordPolicyGuard, mfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard } from './../foundations/index.js';
+import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, partialPasswordPolicyGuard, mfaGuard, adaptiveMfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard, passkeySignInGuard } from './../foundations/index.js';
 import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
 const createGuard = z.object({
     tenantId: z.string().max(21).optional(),
@@ -22,6 +22,7 @@ const createGuard = z.object({
     customUiAssets: customUiAssetsGuard.nullable().optional(),
     passwordPolicy: partialPasswordPolicyGuard.optional(),
     mfa: mfaGuard.optional(),
+    adaptiveMfa: adaptiveMfaGuard.optional(),
     singleSignOnEnabled: z.boolean().optional(),
     supportEmail: z.string().nullable().optional(),
     supportWebsiteUrl: z.string().nullable().optional(),
@@ -30,6 +31,7 @@ const createGuard = z.object({
     sentinelPolicy: sentinelPolicyGuard.optional(),
     emailBlocklistPolicy: emailBlocklistPolicyGuard.optional(),
     forgotPasswordMethods: forgotPasswordMethodsGuard.nullable().optional(),
+    passkeySignIn: passkeySignInGuard.optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -51,6 +53,7 @@ const guard = z.object({
     customUiAssets: customUiAssetsGuard.nullable(),
     passwordPolicy: partialPasswordPolicyGuard,
     mfa: mfaGuard,
+    adaptiveMfa: adaptiveMfaGuard,
     singleSignOnEnabled: z.boolean(),
     supportEmail: z.string().nullable(),
     supportWebsiteUrl: z.string().nullable(),
@@ -59,6 +62,7 @@ const guard = z.object({
     sentinelPolicy: sentinelPolicyGuard,
     emailBlocklistPolicy: emailBlocklistPolicyGuard,
     forgotPasswordMethods: forgotPasswordMethodsGuard.nullable(),
+    passkeySignIn: passkeySignInGuard,
 });
 export const SignInExperiences = Object.freeze({
     table: 'sign_in_experiences',
@@ -83,6 +87,7 @@ export const SignInExperiences = Object.freeze({
         customUiAssets: 'custom_ui_assets',
         passwordPolicy: 'password_policy',
         mfa: 'mfa',
+        adaptiveMfa: 'adaptive_mfa',
         singleSignOnEnabled: 'single_sign_on_enabled',
         supportEmail: 'support_email',
         supportWebsiteUrl: 'support_website_url',
@@ -91,6 +96,7 @@ export const SignInExperiences = Object.freeze({
         sentinelPolicy: 'sentinel_policy',
         emailBlocklistPolicy: 'email_blocklist_policy',
         forgotPasswordMethods: 'forgot_password_methods',
+        passkeySignIn: 'passkey_sign_in',
     },
     fieldKeys: [
         'tenantId',
@@ -112,6 +118,7 @@ export const SignInExperiences = Object.freeze({
         'customUiAssets',
         'passwordPolicy',
         'mfa',
+        'adaptiveMfa',
         'singleSignOnEnabled',
         'supportEmail',
         'supportWebsiteUrl',
@@ -120,6 +127,7 @@ export const SignInExperiences = Object.freeze({
         'sentinelPolicy',
         'emailBlocklistPolicy',
         'forgotPasswordMethods',
+        'passkeySignIn',
     ],
     createGuard,
     guard,

package/lib/db-entries/user-geo-location.d.ts

@@ -0,0 +1,24 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ * The last known geo coordinates per user for geo-velocity checks.
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link UserGeoLocation} for the original type.
+ */
+export type CreateUserGeoLocation = {
+    tenantId?: string;
+    userId: string;
+    latitude?: number | null;
+    longitude?: number | null;
+    updatedAt?: number;
+};
+/** The last known geo coordinates per user for geo-velocity checks. */
+export type UserGeoLocation = {
+    tenantId: string;
+    userId: string;
+    latitude: number | null;
+    longitude: number | null;
+    updatedAt: number;
+};
+export type UserGeoLocationKeys = 'tenantId' | 'userId' | 'latitude' | 'longitude' | 'updatedAt';
+export declare const UserGeoLocations: GeneratedSchema<UserGeoLocationKeys, CreateUserGeoLocation, UserGeoLocation, 'user_geo_locations', 'user_geo_location'>;

package/lib/db-entries/user-geo-location.js

@@ -0,0 +1,37 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    userId: z.string().min(1).max(12),
+    latitude: z.number().nullable().optional(),
+    longitude: z.number().nullable().optional(),
+    updatedAt: z.number().optional(),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    userId: z.string().min(1).max(12),
+    latitude: z.number().nullable(),
+    longitude: z.number().nullable(),
+    updatedAt: z.number(),
+});
+export const UserGeoLocations = Object.freeze({
+    table: 'user_geo_locations',
+    tableSingular: 'user_geo_location',
+    fields: {
+        tenantId: 'tenant_id',
+        userId: 'user_id',
+        latitude: 'latitude',
+        longitude: 'longitude',
+        updatedAt: 'updated_at',
+    },
+    fieldKeys: [
+        'tenantId',
+        'userId',
+        'latitude',
+        'longitude',
+        'updatedAt',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/db-entries/user-sign-in-country.d.ts

@@ -0,0 +1,24 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ * Tracks per-user sign-in countries for adaptive MFA rules.
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link UserSignInCountry} for the original type.
+ */
+export type CreateUserSignInCountry = {
+    tenantId?: string;
+    userId: string;
+    /** ISO 3166-1 alpha-2 country code (2 chars), stored up to 16 chars for robustness. */
+    country: string;
+    lastSignInAt?: number;
+};
+/** Tracks per-user sign-in countries for adaptive MFA rules. */
+export type UserSignInCountry = {
+    tenantId: string;
+    userId: string;
+    /** ISO 3166-1 alpha-2 country code (2 chars), stored up to 16 chars for robustness. */
+    country: string;
+    lastSignInAt: number;
+};
+export type UserSignInCountryKeys = 'tenantId' | 'userId' | 'country' | 'lastSignInAt';
+export declare const UserSignInCountries: GeneratedSchema<UserSignInCountryKeys, CreateUserSignInCountry, UserSignInCountry, 'user_sign_in_countries', 'user_sign_in_country'>;