@logto/schemas 1.35.0 → 1.37.0

package/lib/types/user-sessions.js

@@ -0,0 +1,26 @@
+import { z } from 'zod';
+import { OidcModelInstances } from '../db-entries/oidc-model-instance.js';
+import { oidcSessionInstancePayloadGuard } from '../foundations/index.js';
+import { jwtCustomizerUserInteractionContextGuard } from './logto-config/jwt-customizer.js';
+export const userSessionSignInContextGuard = z
+    .object({
+    ip: z.string().optional(),
+    userAgent: z.string().optional(),
+    country: z.string().optional(),
+    city: z.string().optional(),
+    latitude: z.string().optional(),
+    longitude: z.string().optional(),
+    botScore: z.string().optional(),
+    botVerified: z.string().optional(),
+})
+    .catchall(z.string());
+export const userExtendedSessionGuard = OidcModelInstances.guard.extend({
+    payload: oidcSessionInstancePayloadGuard,
+    lastSubmission: jwtCustomizerUserInteractionContextGuard.nullable(),
+    clientId: z.string().nullable(),
+    accountId: z.string().nullable(),
+});
+export const getUserSessionsResponseGuard = z.object({
+    sessions: z.array(userExtendedSessionGuard),
+});
+export const getUserSessionResponseGuard = userExtendedSessionGuard;

package/lib/types/user.d.ts

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { type User } from '../db-entries/index.js';
 import { MfaFactor } from '../foundations/index.js';
-export declare const userInfoSelectFields: readonly ("name" | "id" | "applicationId" | "username" | "createdAt" | "profile" | "avatar" | "customData" | "identities" | "updatedAt" | "primaryEmail" | "primaryPhone" | "isSuspended" | "lastSignInAt")[];
+export declare const userInfoSelectFields: readonly ("name" | "id" | "applicationId" | "username" | "createdAt" | "profile" | "avatar" | "customData" | "identities" | "updatedAt" | "lastSignInAt" | "primaryEmail" | "primaryPhone" | "isSuspended")[];
 export declare const userInfoGuard: z.ZodObject<Pick<{
     tenantId: z.ZodType<string, z.ZodTypeDef, string>;
     id: z.ZodType<string, z.ZodTypeDef, string>;
@@ -122,7 +122,7 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
     lastSignInAt: z.ZodType<number | null, z.ZodTypeDef, number | null>;
     createdAt: z.ZodType<number, z.ZodTypeDef, number>;
     updatedAt: z.ZodType<number, z.ZodTypeDef, number>;
-}, "name" | "id" | "applicationId" | "username" | "createdAt" | "profile" | "avatar" | "customData" | "identities" | "updatedAt" | "primaryEmail" | "primaryPhone" | "isSuspended" | "lastSignInAt">, "strip", z.ZodTypeAny, {
+}, "name" | "id" | "applicationId" | "username" | "createdAt" | "profile" | "avatar" | "customData" | "identities" | "updatedAt" | "lastSignInAt" | "primaryEmail" | "primaryPhone" | "isSuspended">, "strip", z.ZodTypeAny, {
     name: string | null;
     id: string;
     applicationId: string | null;
@@ -133,10 +133,10 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
     customData: import("@withtyped/server/lib/types.js").JsonObject;
     identities: import("../foundations/index.js").Identities;
     updatedAt: number;
+    lastSignInAt: number | null;
     primaryEmail: string | null;
     primaryPhone: string | null;
     isSuspended: boolean;
-    lastSignInAt: number | null;
 }, {
     name: string | null;
     id: string;
@@ -148,10 +148,10 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
     customData: import("@withtyped/server/lib/types.js").JsonObject;
     identities: import("../foundations/index.js").Identities;
     updatedAt: number;
+    lastSignInAt: number | null;
     primaryEmail: string | null;
     primaryPhone: string | null;
     isSuspended: boolean;
-    lastSignInAt: number | null;
 }>;
 export type UserInfo = z.infer<typeof userInfoGuard>;
 export declare const userProfileResponseGuard: z.ZodObject<Pick<{
@@ -274,7 +274,7 @@ export declare const userProfileResponseGuard: z.ZodObject<Pick<{
     lastSignInAt: z.ZodType<number | null, z.ZodTypeDef, number | null>;
     createdAt: z.ZodType<number, z.ZodTypeDef, number>;
     updatedAt: z.ZodType<number, z.ZodTypeDef, number>;
-}, "name" | "id" | "applicationId" | "username" | "createdAt" | "profile" | "avatar" | "customData" | "identities" | "updatedAt" | "primaryEmail" | "primaryPhone" | "isSuspended" | "lastSignInAt"> & {
+}, "name" | "id" | "applicationId" | "username" | "createdAt" | "profile" | "avatar" | "customData" | "identities" | "updatedAt" | "lastSignInAt" | "primaryEmail" | "primaryPhone" | "isSuspended"> & {
     hasPassword: z.ZodOptional<z.ZodBoolean>;
     ssoIdentities: z.ZodOptional<z.ZodArray<import("../foundations/schemas.js").Guard<import("../db-entries/user-sso-identity.js").UserSsoIdentity>, "many">>;
 }, "strip", z.ZodTypeAny, {
@@ -288,10 +288,10 @@ export declare const userProfileResponseGuard: z.ZodObject<Pick<{
     customData: import("@withtyped/server/lib/types.js").JsonObject;
     identities: import("../foundations/index.js").Identities;
     updatedAt: number;
+    lastSignInAt: number | null;
     primaryEmail: string | null;
     primaryPhone: string | null;
     isSuspended: boolean;
-    lastSignInAt: number | null;
     hasPassword?: boolean | undefined;
     ssoIdentities?: import("../db-entries/user-sso-identity.js").UserSsoIdentity[] | undefined;
 }, {
@@ -305,10 +305,10 @@ export declare const userProfileResponseGuard: z.ZodObject<Pick<{
     customData: import("@withtyped/server/lib/types.js").JsonObject;
     identities: import("../foundations/index.js").Identities;
     updatedAt: number;
+    lastSignInAt: number | null;
     primaryEmail: string | null;
     primaryPhone: string | null;
     isSuspended: boolean;
-    lastSignInAt: number | null;
     hasPassword?: boolean | undefined;
     ssoIdentities?: import("../db-entries/user-sso-identity.js").UserSsoIdentity[] | undefined;
 }>;

package/lib/types/verification-records/verification-type.d.ts

@@ -9,6 +9,7 @@ export declare enum VerificationType {
     EnterpriseSso = "EnterpriseSso",
     TOTP = "Totp",
     WebAuthn = "WebAuthn",
+    SignInWebAuthn = "SignInWebAuthn",
     BackupCode = "BackupCode",
     NewPasswordIdentity = "NewPasswordIdentity",
     OneTimeToken = "OneTimeToken"

package/lib/types/verification-records/verification-type.js

@@ -10,6 +10,7 @@ export var VerificationType;
     VerificationType["EnterpriseSso"] = "EnterpriseSso";
     VerificationType["TOTP"] = "Totp";
     VerificationType["WebAuthn"] = "WebAuthn";
+    VerificationType["SignInWebAuthn"] = "SignInWebAuthn";
     VerificationType["BackupCode"] = "BackupCode";
     VerificationType["NewPasswordIdentity"] = "NewPasswordIdentity";
     VerificationType["OneTimeToken"] = "OneTimeToken";

package/lib/types/verification-records/web-authn-verification.d.ts

@@ -1,11 +1,8 @@
 import { z } from 'zod';
 import { type BindWebAuthn } from '../interactions.js';
 import { VerificationType } from './verification-type.js';
-export type WebAuthnVerificationRecordData = {
+type BaseWebAuthnVerificationRecordData = {
     id: string;
-    type: VerificationType.WebAuthn;
-    /** UserId is required for verifying or binding new TOTP */
-    userId: string;
     verified: boolean;
     /** The challenge generated for the WebAuthn registration */
     registrationChallenge?: string;
@@ -15,10 +12,12 @@ export type WebAuthnVerificationRecordData = {
     authenticationChallenge?: string;
     registrationInfo?: BindWebAuthn;
 };
+export type WebAuthnVerificationRecordData = BaseWebAuthnVerificationRecordData & {
+    type: VerificationType.WebAuthn;
+    userId: string;
+};
 export declare const webAuthnVerificationRecordDataGuard: z.ZodObject<{
     id: z.ZodString;
-    type: z.ZodLiteral<VerificationType.WebAuthn>;
-    userId: z.ZodString;
     verified: z.ZodBoolean;
     registrationChallenge: z.ZodOptional<z.ZodString>;
     registrationRpId: z.ZodOptional<z.ZodString>;
@@ -51,6 +50,9 @@ export declare const webAuthnVerificationRecordDataGuard: z.ZodObject<{
         agent: string;
         name?: string | undefined;
     }>>;
+} & {
+    type: z.ZodLiteral<VerificationType.WebAuthn>;
+    userId: z.ZodString;
 }, "strip", z.ZodTypeAny, {
     type: VerificationType.WebAuthn;
     id: string;
@@ -91,8 +93,6 @@ export declare const webAuthnVerificationRecordDataGuard: z.ZodObject<{
 export type SanitizedWebAuthnVerificationRecordData = Omit<WebAuthnVerificationRecordData, 'registrationInfo' | 'registrationChallenge' | 'registrationRpId' | 'authenticationChallenge'>;
 export declare const sanitizedWebAuthnVerificationRecordDataGuard: z.ZodObject<Omit<{
     id: z.ZodString;
-    type: z.ZodLiteral<VerificationType.WebAuthn>;
-    userId: z.ZodString;
     verified: z.ZodBoolean;
     registrationChallenge: z.ZodOptional<z.ZodString>;
     registrationRpId: z.ZodOptional<z.ZodString>;
@@ -125,6 +125,9 @@ export declare const sanitizedWebAuthnVerificationRecordDataGuard: z.ZodObject<O
         agent: string;
         name?: string | undefined;
     }>>;
+} & {
+    type: z.ZodLiteral<VerificationType.WebAuthn>;
+    userId: z.ZodString;
 }, "registrationChallenge" | "registrationRpId" | "authenticationChallenge" | "registrationInfo">, "strip", z.ZodTypeAny, {
     type: VerificationType.WebAuthn;
     id: string;
@@ -136,3 +139,137 @@ export declare const sanitizedWebAuthnVerificationRecordDataGuard: z.ZodObject<O
     userId: string;
     verified: boolean;
 }>;
+export type SignInWebAuthnVerificationRecordData = BaseWebAuthnVerificationRecordData & {
+    type: VerificationType.SignInWebAuthn;
+    userId?: string;
+    /** The rpId used when generating the authentication options */
+    authenticationRpId?: string;
+};
+export declare const signInWebAuthnVerificationRecordDataGuard: z.ZodObject<{
+    id: z.ZodString;
+    verified: z.ZodBoolean;
+    registrationChallenge: z.ZodOptional<z.ZodString>;
+    registrationRpId: z.ZodOptional<z.ZodString>;
+    authenticationChallenge: z.ZodOptional<z.ZodString>;
+    registrationInfo: z.ZodOptional<z.ZodObject<{
+        type: z.ZodLiteral<import("../../index.js").MfaFactor.WebAuthn>;
+        rpId: z.ZodString;
+        credentialId: z.ZodString;
+        publicKey: z.ZodString;
+        transports: z.ZodArray<z.ZodEnum<["usb", "nfc", "ble", "internal", "cable", "hybrid", "smart-card"]>, "many">;
+        counter: z.ZodNumber;
+        agent: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        rpId: string;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        rpId: string;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }>>;
+} & {
+    type: z.ZodLiteral<VerificationType.SignInWebAuthn>;
+    userId: z.ZodOptional<z.ZodString>;
+    authenticationRpId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: VerificationType.SignInWebAuthn;
+    id: string;
+    verified: boolean;
+    userId?: string | undefined;
+    registrationChallenge?: string | undefined;
+    registrationRpId?: string | undefined;
+    authenticationChallenge?: string | undefined;
+    registrationInfo?: {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        rpId: string;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    } | undefined;
+    authenticationRpId?: string | undefined;
+}, {
+    type: VerificationType.SignInWebAuthn;
+    id: string;
+    verified: boolean;
+    userId?: string | undefined;
+    registrationChallenge?: string | undefined;
+    registrationRpId?: string | undefined;
+    authenticationChallenge?: string | undefined;
+    registrationInfo?: {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        rpId: string;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    } | undefined;
+    authenticationRpId?: string | undefined;
+}>;
+export type SanitizedSignInWebAuthnVerificationRecordData = Omit<SignInWebAuthnVerificationRecordData, 'registrationInfo' | 'registrationChallenge' | 'registrationRpId' | 'authenticationChallenge' | 'authenticationRpId'>;
+export declare const sanitizedSignInWebAuthnVerificationRecordDataGuard: z.ZodObject<Omit<{
+    id: z.ZodString;
+    verified: z.ZodBoolean;
+    registrationChallenge: z.ZodOptional<z.ZodString>;
+    registrationRpId: z.ZodOptional<z.ZodString>;
+    authenticationChallenge: z.ZodOptional<z.ZodString>;
+    registrationInfo: z.ZodOptional<z.ZodObject<{
+        type: z.ZodLiteral<import("../../index.js").MfaFactor.WebAuthn>;
+        rpId: z.ZodString;
+        credentialId: z.ZodString;
+        publicKey: z.ZodString;
+        transports: z.ZodArray<z.ZodEnum<["usb", "nfc", "ble", "internal", "cable", "hybrid", "smart-card"]>, "many">;
+        counter: z.ZodNumber;
+        agent: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        rpId: string;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }, {
+        type: import("../../index.js").MfaFactor.WebAuthn;
+        rpId: string;
+        credentialId: string;
+        publicKey: string;
+        transports: ("usb" | "nfc" | "ble" | "internal" | "cable" | "hybrid" | "smart-card")[];
+        counter: number;
+        agent: string;
+        name?: string | undefined;
+    }>>;
+} & {
+    type: z.ZodLiteral<VerificationType.SignInWebAuthn>;
+    userId: z.ZodOptional<z.ZodString>;
+    authenticationRpId: z.ZodOptional<z.ZodString>;
+}, "registrationChallenge" | "registrationRpId" | "authenticationChallenge" | "registrationInfo" | "authenticationRpId">, "strip", z.ZodTypeAny, {
+    type: VerificationType.SignInWebAuthn;
+    id: string;
+    verified: boolean;
+    userId?: string | undefined;
+}, {
+    type: VerificationType.SignInWebAuthn;
+    id: string;
+    verified: boolean;
+    userId?: string | undefined;
+}>;
+export {};

package/lib/types/verification-records/web-authn-verification.js

@@ -1,19 +1,33 @@
 import { z } from 'zod';
 import { bindWebAuthnGuard } from '../interactions.js';
 import { VerificationType } from './verification-type.js';
-export const webAuthnVerificationRecordDataGuard = z.object({
+const baseWebAuthnVerificationRecordDataGuard = z.object({
     id: z.string(),
-    type: z.literal(VerificationType.WebAuthn),
-    userId: z.string(),
     verified: z.boolean(),
     registrationChallenge: z.string().optional(),
     registrationRpId: z.string().optional(),
     authenticationChallenge: z.string().optional(),
     registrationInfo: bindWebAuthnGuard.optional(),
 });
+export const webAuthnVerificationRecordDataGuard = baseWebAuthnVerificationRecordDataGuard.extend({
+    type: z.literal(VerificationType.WebAuthn),
+    userId: z.string(),
+});
 export const sanitizedWebAuthnVerificationRecordDataGuard = webAuthnVerificationRecordDataGuard.omit({
     registrationInfo: true,
     registrationChallenge: true,
     registrationRpId: true,
     authenticationChallenge: true,
 });
+export const signInWebAuthnVerificationRecordDataGuard = baseWebAuthnVerificationRecordDataGuard.extend({
+    type: z.literal(VerificationType.SignInWebAuthn),
+    userId: z.string().optional(),
+    authenticationRpId: z.string().optional(),
+});
+export const sanitizedSignInWebAuthnVerificationRecordDataGuard = signInWebAuthnVerificationRecordDataGuard.omit({
+    registrationInfo: true,
+    registrationChallenge: true,
+    registrationRpId: true,
+    authenticationChallenge: true,
+    authenticationRpId: true,
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.35.0",
+  "version": "1.37.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -66,11 +66,11 @@
     "@withtyped/server": "^0.14.0",
     "nanoid": "^5.0.9",
     "@logto/connector-kit": "^4.7.0",
-    "@logto/core-kit": "^2.6.1",
-    "@logto/phrases": "^1.24.0",
-    "@logto/phrases-experience": "^1.12.0",
+    "@logto/core-kit": "^2.7.0",
     "@logto/language-kit": "^1.2.0",
-    "@logto/shared": "^3.3.0"
+    "@logto/phrases": "^1.26.0",
+    "@logto/phrases-experience": "^1.12.1",
+    "@logto/shared": "^3.3.1"
   },
   "peerDependencies": {
     "zod": "3.24.3"

package/tables/oidc_model_instances.sql

@@ -33,3 +33,10 @@ create index oidc_model_instances__model_name_payload_grant_id
     model_name,
     (payload->>'grantId')
   );
+
+create index oidc_model_instances__expires_at
+  on oidc_model_instances (tenant_id, expires_at);
+
+create index oidc_model_instances__session_payload_account_id_expires_at
+  on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+  WHERE model_name = 'Session';

package/tables/oidc_session_extensions.sql

@@ -7,6 +7,7 @@ create table oidc_session_extensions (
   account_id varchar(12) not null
     references users (id) on update cascade on delete cascade,
   last_submission jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  client_id varchar(21) null,
   created_at timestamptz not null default(now()),
   updated_at timestamptz not null default(now()),
   primary key (tenant_id, session_uid)

package/tables/sign_in_experiences.sql

@@ -23,6 +23,7 @@ create table sign_in_experiences (
   custom_ui_assets jsonb /* @use CustomUiAssets */,
   password_policy jsonb /* @use PartialPasswordPolicy */ not null default '{}'::jsonb,
   mfa jsonb /* @use Mfa */ not null default '{}'::jsonb,
+  adaptive_mfa jsonb /* @use AdaptiveMfa */ not null default '{}'::jsonb,
   single_sign_on_enabled boolean not null default false,
   support_email text,
   support_website_url text,
@@ -31,5 +32,6 @@ create table sign_in_experiences (
   sentinel_policy jsonb /* @use SentinelPolicy */ not null default '{}'::jsonb,
   email_blocklist_policy jsonb /* @use EmailBlocklistPolicy */ not null default '{}'::jsonb,
   forgot_password_methods jsonb /* @use ForgotPasswordMethods */ default '[]'::jsonb,
+  passkey_sign_in jsonb /* @use PasskeySignIn */ not null default '{}'::jsonb,
   primary key (tenant_id, id)
 );

package/tables/user_geo_locations.sql

@@ -0,0 +1,14 @@
+/* init_order = 2 */
+
+/** The last known geo coordinates per user for geo-velocity checks. */
+create table user_geo_locations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  user_id varchar(12) not null
+    references users (id) on update cascade on delete cascade,
+  latitude numeric(9,6),
+  longitude numeric(9,6),
+  updated_at timestamptz not null default now(),
+  primary key (tenant_id, user_id),
+  check ((latitude is null) = (longitude is null))
+);

package/tables/user_sign_in_countries.sql

@@ -0,0 +1,16 @@
+/* init_order = 2 */
+
+/** Tracks per-user sign-in countries for adaptive MFA rules. */
+create table user_sign_in_countries (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  user_id varchar(12) not null
+    references users (id) on update cascade on delete cascade,
+  /** ISO 3166-1 alpha-2 country code (2 chars), stored up to 16 chars for robustness. */
+  country varchar(16) not null,
+  last_sign_in_at timestamptz not null default(now()),
+  primary key (tenant_id, user_id, country)
+);
+
+create index user_sign_in_countries__tenant_user_last_sign_in_at
+  on user_sign_in_countries (tenant_id, user_id, last_sign_in_at desc);

package/tables/users.sql

@@ -41,6 +41,9 @@ create unique index users__id
 create index users__name
   on users (tenant_id, name);
 
+create index users_mfa_verifications_gin
+  on users using gin (mfa_verifications jsonb_path_ops);
+
 create trigger set_updated_at
   before update on users
   for each row