@logto/schemas 1.35.0 → 1.37.0

package/alterations/1.36.0-1767193412-allow-token-exchange.ts

@@ -0,0 +1,34 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    /**
+     * For backward compatibility, set allowTokenExchange = true for existing first-party
+     * Traditional, Native, and SPA applications.
+     * M2M applications were never allowed to use token exchange before this feature.
+     *
+     * The admin-console should keep token exchange disabled, so we skip it here.
+     */
+    await pool.query(sql`
+      update applications
+        set custom_client_metadata = custom_client_metadata || '{"allowTokenExchange": true}'::jsonb
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+  },
+  down: async (pool) => {
+    // Remove allowTokenExchange only from applications that were updated in the `up` migration
+    await pool.query(sql`
+      update applications
+        set custom_client_metadata = custom_client_metadata - 'allowTokenExchange'
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1767859553-passkey-sign-in.ts

@@ -0,0 +1,21 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column passkey_sign_in jsonb /* @use PasskeySignIn */ not null default '{}'::jsonb;
+      create index users_mfa_verifications_gin on users using gin (mfa_verifications jsonb_path_ops);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences drop column passkey_sign_in;
+      drop index users_mfa_verifications_gin;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768192304-enable-account-center-for-admin-tenant.ts

@@ -0,0 +1,32 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+/**
+ * Enable the account center for the admin tenant and set all fields to Edit.
+ * This allows the console profile page to use the Account API.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update account_centers
+      set enabled = true,
+          fields = '{"name": "Edit", "avatar": "Edit", "profile": "Edit", "email": "Edit", "phone": "Edit", "password": "Edit", "username": "Edit", "social": "Edit", "customData": "Edit", "mfa": "Edit"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update account_centers
+      set enabled = false,
+          fields = '{}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768464306-enable-mfa-for-admin-tenant.ts

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+/**
+ * Enable MFA (TOTP and WebAuthn) for the admin tenant with NoPrompt policy.
+ * This allows users to optionally set up MFA via the account center.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = '{"factors":["Totp","WebAuthn","BackupCode"],"policy":"NoPrompt"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = '{"factors":[],"policy":"UserControlled"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768758295-add-user-geo-location.ts

@@ -0,0 +1,32 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table user_geo_locations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        latitude numeric(9,6),
+        longitude numeric(9,6),
+        updated_at timestamptz not null default now(),
+        primary key (tenant_id, user_id),
+        check ((latitude is null) = (longitude is null))
+      );
+    `);
+    await applyTableRls(pool, 'user_geo_locations');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'user_geo_locations');
+    await pool.query(sql`
+      drop table user_geo_locations;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1768891516-add-user-sign-in-countries-table.ts

@@ -0,0 +1,33 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table user_sign_in_countries (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        country varchar(16) not null,
+        last_sign_in_at timestamptz not null default(now()),
+        primary key (tenant_id, user_id, country)
+      );
+
+      create index user_sign_in_countries__tenant_user_last_sign_in_at
+        on user_sign_in_countries (tenant_id, user_id, last_sign_in_at desc);
+    `);
+    await applyTableRls(pool, 'user_sign_in_countries');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'user_sign_in_countries');
+    await pool.query(sql`
+      drop table user_sign_in_countries;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1769067642-add-adaptive-mfa-configuration.ts

@@ -0,0 +1,19 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column adaptive_mfa jsonb not null default '{}'::jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences drop column adaptive_mfa;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.36.0-1769172677-enable-organization-mfa-policy-for-admin-tenant.ts

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminTenantId = 'admin';
+
+/**
+ * Enable organization required MFA policy for the admin tenant.
+ * This allows tenant admins to require MFA for all tenant members
+ * by setting `isMfaRequired: true` on the organization.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = jsonb_set(mfa, '{organizationRequiredMfaPolicy}', '"Mandatory"')
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      update sign_in_experiences
+      set mfa = mfa - 'organizationRequiredMfaPolicy'
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.37.0-1770295353-add-default-id-token-config.ts

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const idTokenConfigKey = 'idToken';
+
+const defaultIdTokenConfig = Object.freeze({
+  enabledExtendedClaims: ['roles', 'organizations', 'organization_roles'],
+});
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const tenants = await pool.any<{ id: string }>(sql`select id from tenants`);
+
+    for (const { id: tenantId } of tenants) {
+      // eslint-disable-next-line no-await-in-loop
+      await pool.query(sql`
+        insert into logto_configs (tenant_id, key, value)
+          values (${tenantId}, ${idTokenConfigKey}, ${sql.jsonb(defaultIdTokenConfig)})
+      `);
+    }
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      delete from logto_configs where key = ${idTokenConfigKey}
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.37.0-1770361004-add-oidc-model-instances-session-account-id-indexes.ts

@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    // Add index to optimize the query performance for cleaning up expired OIDC model instances.
+    await pool.query(sql`
+      create index concurrently if not exists oidc_model_instances__expires_at
+        on oidc_model_instances (tenant_id, expires_at);
+    `);
+
+    // Add index to optimize the query performance for querying non-expired session instances by accountId.
+    await pool.query(sql`
+      create index concurrently if not exists oidc_model_instances__session_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Session';
+    `);
+  },
+  up: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently if exists oidc_model_instances__expires_at;
+    `);
+
+    await pool.query(sql`
+      drop index concurrently if exists oidc_model_instances__session_payload_account_id_expires_at;
+    `);
+  },
+  down: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+  },
+};
+
+export default alteration;

package/alterations/1.37.0-1770362227-add-client-id-column-to-oidc-session-extensions-table.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_session_extensions
+      add column client_id varchar(21) null
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_session_extensions
+      drop column client_id
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.36.0-1767193412-allow-token-exchange.js

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        /**
+         * For backward compatibility, set allowTokenExchange = true for existing first-party
+         * Traditional, Native, and SPA applications.
+         * M2M applications were never allowed to use token exchange before this feature.
+         *
+         * The admin-console should keep token exchange disabled, so we skip it here.
+         */
+        await pool.query(sql `
+      update applications
+        set custom_client_metadata = custom_client_metadata || '{"allowTokenExchange": true}'::jsonb
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+    },
+    down: async (pool) => {
+        // Remove allowTokenExchange only from applications that were updated in the `up` migration
+        await pool.query(sql `
+      update applications
+        set custom_client_metadata = custom_client_metadata - 'allowTokenExchange'
+        where is_third_party = false
+        and type in ('Traditional', 'Native', 'SPA')
+        and id != 'admin-console';
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1767859553-passkey-sign-in.js

@@ -0,0 +1,17 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column passkey_sign_in jsonb /* @use PasskeySignIn */ not null default '{}'::jsonb;
+      create index users_mfa_verifications_gin on users using gin (mfa_verifications jsonb_path_ops);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences drop column passkey_sign_in;
+      drop index users_mfa_verifications_gin;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768192304-enable-account-center-for-admin-tenant.js

@@ -0,0 +1,27 @@
+import { sql } from '@silverhand/slonik';
+const adminTenantId = 'admin';
+/**
+ * Enable the account center for the admin tenant and set all fields to Edit.
+ * This allows the console profile page to use the Account API.
+ */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      update account_centers
+      set enabled = true,
+          fields = '{"name": "Edit", "avatar": "Edit", "profile": "Edit", "email": "Edit", "phone": "Edit", "password": "Edit", "username": "Edit", "social": "Edit", "customData": "Edit", "mfa": "Edit"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update account_centers
+      set enabled = false,
+          fields = '{}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768464306-enable-mfa-for-admin-tenant.js

@@ -0,0 +1,25 @@
+import { sql } from '@silverhand/slonik';
+const adminTenantId = 'admin';
+/**
+ * Enable MFA (TOTP and WebAuthn) for the admin tenant with NoPrompt policy.
+ * This allows users to optionally set up MFA via the account center.
+ */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = '{"factors":["Totp","WebAuthn","BackupCode"],"policy":"NoPrompt"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = '{"factors":[],"policy":"UserControlled"}'::jsonb
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768758295-add-user-geo-location.js

@@ -0,0 +1,27 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table user_geo_locations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        latitude numeric(9,6),
+        longitude numeric(9,6),
+        updated_at timestamptz not null default now(),
+        primary key (tenant_id, user_id),
+        check ((latitude is null) = (longitude is null))
+      );
+    `);
+        await applyTableRls(pool, 'user_geo_locations');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'user_geo_locations');
+        await pool.query(sql `
+      drop table user_geo_locations;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1768891516-add-user-sign-in-countries-table.js

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table user_sign_in_countries (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        country varchar(16) not null,
+        last_sign_in_at timestamptz not null default(now()),
+        primary key (tenant_id, user_id, country)
+      );
+
+      create index user_sign_in_countries__tenant_user_last_sign_in_at
+        on user_sign_in_countries (tenant_id, user_id, last_sign_in_at desc);
+    `);
+        await applyTableRls(pool, 'user_sign_in_countries');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'user_sign_in_countries');
+        await pool.query(sql `
+      drop table user_sign_in_countries;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1769067642-add-adaptive-mfa-configuration.js

@@ -0,0 +1,15 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column adaptive_mfa jsonb not null default '{}'::jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences drop column adaptive_mfa;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.36.0-1769172677-enable-organization-mfa-policy-for-admin-tenant.js

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+const adminTenantId = 'admin';
+/**
+ * Enable organization required MFA policy for the admin tenant.
+ * This allows tenant admins to require MFA for all tenant members
+ * by setting `isMfaRequired: true` on the organization.
+ */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = jsonb_set(mfa, '{organizationRequiredMfaPolicy}', '"Mandatory"')
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      update sign_in_experiences
+      set mfa = mfa - 'organizationRequiredMfaPolicy'
+      where tenant_id = ${adminTenantId}
+        and id = 'default'
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.37.0-1770295353-add-default-id-token-config.js

@@ -0,0 +1,23 @@
+import { sql } from '@silverhand/slonik';
+const idTokenConfigKey = 'idToken';
+const defaultIdTokenConfig = Object.freeze({
+    enabledExtendedClaims: ['roles', 'organizations', 'organization_roles'],
+});
+const alteration = {
+    up: async (pool) => {
+        const tenants = await pool.any(sql `select id from tenants`);
+        for (const { id: tenantId } of tenants) {
+            // eslint-disable-next-line no-await-in-loop
+            await pool.query(sql `
+        insert into logto_configs (tenant_id, key, value)
+          values (${tenantId}, ${idTokenConfigKey}, ${sql.jsonb(defaultIdTokenConfig)})
+      `);
+        }
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      delete from logto_configs where key = ${idTokenConfigKey}
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.37.0-1770361004-add-oidc-model-instances-session-account-id-indexes.js

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        // Add index to optimize the query performance for cleaning up expired OIDC model instances.
+        await pool.query(sql `
+      create index concurrently if not exists oidc_model_instances__expires_at
+        on oidc_model_instances (tenant_id, expires_at);
+    `);
+        // Add index to optimize the query performance for querying non-expired session instances by accountId.
+        await pool.query(sql `
+      create index concurrently if not exists oidc_model_instances__session_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Session';
+    `);
+    },
+    up: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently if exists oidc_model_instances__expires_at;
+    `);
+        await pool.query(sql `
+      drop index concurrently if exists oidc_model_instances__session_payload_account_id_expires_at;
+    `);
+    },
+    down: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+    },
+};
+export default alteration;

package/alterations-js/1.37.0-1770362227-add-client-id-column-to-oidc-session-extensions-table.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_session_extensions
+      add column client_id varchar(21) null
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_session_extensions
+      drop column client_id
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/index.d.ts

@@ -62,6 +62,8 @@ export * from './sso-connector-idp-initiated-auth-config.js';
 export * from './sso-connector.js';
 export * from './subject-token.js';
 export * from './system.js';
+export * from './user-geo-location.js';
+export * from './user-sign-in-country.js';
 export * from './user-sso-identity.js';
 export * from './user.js';
 export * from './users-role.js';

package/lib/db-entries/index.js

@@ -63,6 +63,8 @@ export * from './sso-connector-idp-initiated-auth-config.js';
 export * from './sso-connector.js';
 export * from './subject-token.js';
 export * from './system.js';
+export * from './user-geo-location.js';
+export * from './user-sign-in-country.js';
 export * from './user-sso-identity.js';
 export * from './user.js';
 export * from './users-role.js';

package/lib/db-entries/oidc-session-extension.d.ts

@@ -9,6 +9,7 @@ export type CreateOidcSessionExtension = {
     sessionUid: string;
     accountId: string;
     lastSubmission?: JsonObject;
+    clientId?: string | null;
     createdAt?: number;
     updatedAt?: number;
 };
@@ -17,8 +18,9 @@ export type OidcSessionExtension = {
     sessionUid: string;
     accountId: string;
     lastSubmission: JsonObject;
+    clientId: string | null;
     createdAt: number;
     updatedAt: number;
 };
-export type OidcSessionExtensionKeys = 'tenantId' | 'sessionUid' | 'accountId' | 'lastSubmission' | 'createdAt' | 'updatedAt';
+export type OidcSessionExtensionKeys = 'tenantId' | 'sessionUid' | 'accountId' | 'lastSubmission' | 'clientId' | 'createdAt' | 'updatedAt';
 export declare const OidcSessionExtensions: GeneratedSchema<OidcSessionExtensionKeys, CreateOidcSessionExtension, OidcSessionExtension, 'oidc_session_extensions', 'oidc_session_extension'>;