@logto/schemas 1.36.0 → 1.37.0

package/alterations/1.37.0-1770295353-add-default-id-token-config.ts

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const idTokenConfigKey = 'idToken';
+
+const defaultIdTokenConfig = Object.freeze({
+  enabledExtendedClaims: ['roles', 'organizations', 'organization_roles'],
+});
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const tenants = await pool.any<{ id: string }>(sql`select id from tenants`);
+
+    for (const { id: tenantId } of tenants) {
+      // eslint-disable-next-line no-await-in-loop
+      await pool.query(sql`
+        insert into logto_configs (tenant_id, key, value)
+          values (${tenantId}, ${idTokenConfigKey}, ${sql.jsonb(defaultIdTokenConfig)})
+      `);
+    }
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      delete from logto_configs where key = ${idTokenConfigKey}
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.37.0-1770361004-add-oidc-model-instances-session-account-id-indexes.ts

@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    // Add index to optimize the query performance for cleaning up expired OIDC model instances.
+    await pool.query(sql`
+      create index concurrently if not exists oidc_model_instances__expires_at
+        on oidc_model_instances (tenant_id, expires_at);
+    `);
+
+    // Add index to optimize the query performance for querying non-expired session instances by accountId.
+    await pool.query(sql`
+      create index concurrently if not exists oidc_model_instances__session_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Session';
+    `);
+  },
+  up: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently if exists oidc_model_instances__expires_at;
+    `);
+
+    await pool.query(sql`
+      drop index concurrently if exists oidc_model_instances__session_payload_account_id_expires_at;
+    `);
+  },
+  down: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+  },
+};
+
+export default alteration;

package/alterations/1.37.0-1770362227-add-client-id-column-to-oidc-session-extensions-table.ts

@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_session_extensions
+      add column client_id varchar(21) null
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_session_extensions
+      drop column client_id
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.37.0-1770295353-add-default-id-token-config.js

@@ -0,0 +1,23 @@
+import { sql } from '@silverhand/slonik';
+const idTokenConfigKey = 'idToken';
+const defaultIdTokenConfig = Object.freeze({
+    enabledExtendedClaims: ['roles', 'organizations', 'organization_roles'],
+});
+const alteration = {
+    up: async (pool) => {
+        const tenants = await pool.any(sql `select id from tenants`);
+        for (const { id: tenantId } of tenants) {
+            // eslint-disable-next-line no-await-in-loop
+            await pool.query(sql `
+        insert into logto_configs (tenant_id, key, value)
+          values (${tenantId}, ${idTokenConfigKey}, ${sql.jsonb(defaultIdTokenConfig)})
+      `);
+        }
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      delete from logto_configs where key = ${idTokenConfigKey}
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.37.0-1770361004-add-oidc-model-instances-session-account-id-indexes.js

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        // Add index to optimize the query performance for cleaning up expired OIDC model instances.
+        await pool.query(sql `
+      create index concurrently if not exists oidc_model_instances__expires_at
+        on oidc_model_instances (tenant_id, expires_at);
+    `);
+        // Add index to optimize the query performance for querying non-expired session instances by accountId.
+        await pool.query(sql `
+      create index concurrently if not exists oidc_model_instances__session_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Session';
+    `);
+    },
+    up: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently if exists oidc_model_instances__expires_at;
+    `);
+        await pool.query(sql `
+      drop index concurrently if exists oidc_model_instances__session_payload_account_id_expires_at;
+    `);
+    },
+    down: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+    },
+};
+export default alteration;

package/alterations-js/1.37.0-1770362227-add-client-id-column-to-oidc-session-extensions-table.js

@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_session_extensions
+      add column client_id varchar(21) null
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_session_extensions
+      drop column client_id
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/oidc-session-extension.d.ts

@@ -9,6 +9,7 @@ export type CreateOidcSessionExtension = {
     sessionUid: string;
     accountId: string;
     lastSubmission?: JsonObject;
+    clientId?: string | null;
     createdAt?: number;
     updatedAt?: number;
 };
@@ -17,8 +18,9 @@ export type OidcSessionExtension = {
     sessionUid: string;
     accountId: string;
     lastSubmission: JsonObject;
+    clientId: string | null;
     createdAt: number;
     updatedAt: number;
 };
-export type OidcSessionExtensionKeys = 'tenantId' | 'sessionUid' | 'accountId' | 'lastSubmission' | 'createdAt' | 'updatedAt';
+export type OidcSessionExtensionKeys = 'tenantId' | 'sessionUid' | 'accountId' | 'lastSubmission' | 'clientId' | 'createdAt' | 'updatedAt';
 export declare const OidcSessionExtensions: GeneratedSchema<OidcSessionExtensionKeys, CreateOidcSessionExtension, OidcSessionExtension, 'oidc_session_extensions', 'oidc_session_extension'>;

package/lib/db-entries/oidc-session-extension.js

@@ -6,6 +6,7 @@ const createGuard = z.object({
     sessionUid: z.string().min(1).max(128),
     accountId: z.string().min(1).max(12),
     lastSubmission: jsonObjectGuard.optional(),
+    clientId: z.string().max(21).nullable().optional(),
     createdAt: z.number().optional(),
     updatedAt: z.number().optional(),
 });
@@ -14,6 +15,7 @@ const guard = z.object({
     sessionUid: z.string().min(1).max(128),
     accountId: z.string().min(1).max(12),
     lastSubmission: jsonObjectGuard,
+    clientId: z.string().max(21).nullable(),
     createdAt: z.number(),
     updatedAt: z.number(),
 });
@@ -25,6 +27,7 @@ export const OidcSessionExtensions = Object.freeze({
         sessionUid: 'session_uid',
         accountId: 'account_id',
         lastSubmission: 'last_submission',
+        clientId: 'client_id',
         createdAt: 'created_at',
         updatedAt: 'updated_at',
     },
@@ -33,6 +36,7 @@ export const OidcSessionExtensions = Object.freeze({
         'sessionUid',
         'accountId',
         'lastSubmission',
+        'clientId',
         'createdAt',
         'updatedAt',
     ],

package/lib/foundations/jsonb-types/account-centers.d.ts

@@ -20,10 +20,11 @@ export declare const accountCenterFieldControlGuard: z.ZodObject<{
     social: z.ZodOptional<z.ZodNativeEnum<typeof AccountCenterControlValue>>;
     customData: z.ZodOptional<z.ZodNativeEnum<typeof AccountCenterControlValue>>;
     mfa: z.ZodOptional<z.ZodNativeEnum<typeof AccountCenterControlValue>>;
+    session: z.ZodOptional<z.ZodNativeEnum<typeof AccountCenterControlValue>>;
 }, "strip", z.ZodTypeAny, {
     name?: AccountCenterControlValue | undefined;
-    email?: AccountCenterControlValue | undefined;
     username?: AccountCenterControlValue | undefined;
+    email?: AccountCenterControlValue | undefined;
     phone?: AccountCenterControlValue | undefined;
     password?: AccountCenterControlValue | undefined;
     profile?: AccountCenterControlValue | undefined;
@@ -31,10 +32,11 @@ export declare const accountCenterFieldControlGuard: z.ZodObject<{
     social?: AccountCenterControlValue | undefined;
     customData?: AccountCenterControlValue | undefined;
     mfa?: AccountCenterControlValue | undefined;
+    session?: AccountCenterControlValue | undefined;
 }, {
     name?: AccountCenterControlValue | undefined;
-    email?: AccountCenterControlValue | undefined;
     username?: AccountCenterControlValue | undefined;
+    email?: AccountCenterControlValue | undefined;
     phone?: AccountCenterControlValue | undefined;
     password?: AccountCenterControlValue | undefined;
     profile?: AccountCenterControlValue | undefined;
@@ -42,6 +44,7 @@ export declare const accountCenterFieldControlGuard: z.ZodObject<{
     social?: AccountCenterControlValue | undefined;
     customData?: AccountCenterControlValue | undefined;
     mfa?: AccountCenterControlValue | undefined;
+    session?: AccountCenterControlValue | undefined;
 }>;
 export type AccountCenterFieldControl = z.infer<typeof accountCenterFieldControlGuard>;
 export declare const webauthnRelatedOriginsGuard: z.ZodArray<z.ZodString, "many">;

package/lib/foundations/jsonb-types/account-centers.js

@@ -22,6 +22,7 @@ export const accountCenterFieldControlGuard = z
     social: z.nativeEnum(AccountCenterControlValue),
     customData: z.nativeEnum(AccountCenterControlValue),
     mfa: z.nativeEnum(AccountCenterControlValue),
+    session: z.nativeEnum(AccountCenterControlValue),
 })
     .partial();
 export const webauthnRelatedOriginsGuard = z.array(z.string());

package/lib/foundations/jsonb-types/custom-profile-fields.d.ts

@@ -135,8 +135,8 @@ export declare const fieldPartGuard: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     type: CustomProfileFieldType;
     name: string;
-    enabled: boolean;
     required: boolean;
+    enabled: boolean;
     label?: string | undefined;
     description?: string | undefined;
     config?: {
@@ -156,8 +156,8 @@ export declare const fieldPartGuard: z.ZodObject<{
 }, {
     type: CustomProfileFieldType;
     name: string;
-    enabled: boolean;
     required: boolean;
+    enabled: boolean;
     label?: string | undefined;
     description?: string | undefined;
     config?: {
@@ -232,8 +232,8 @@ export declare const fieldPartsGuard: z.ZodArray<z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     type: CustomProfileFieldType;
     name: string;
-    enabled: boolean;
     required: boolean;
+    enabled: boolean;
     label?: string | undefined;
     description?: string | undefined;
     config?: {
@@ -253,8 +253,8 @@ export declare const fieldPartsGuard: z.ZodArray<z.ZodObject<{
 }, {
     type: CustomProfileFieldType;
     name: string;
-    enabled: boolean;
     required: boolean;
+    enabled: boolean;
     label?: string | undefined;
     description?: string | undefined;
     config?: {
@@ -349,8 +349,8 @@ export declare const customProfileFieldConfigGuard: z.ZodObject<{
     }, "strip", z.ZodTypeAny, {
         type: CustomProfileFieldType;
         name: string;
-        enabled: boolean;
         required: boolean;
+        enabled: boolean;
         label?: string | undefined;
         description?: string | undefined;
         config?: {
@@ -370,8 +370,8 @@ export declare const customProfileFieldConfigGuard: z.ZodObject<{
     }, {
         type: CustomProfileFieldType;
         name: string;
-        enabled: boolean;
         required: boolean;
+        enabled: boolean;
         label?: string | undefined;
         description?: string | undefined;
         config?: {
@@ -405,8 +405,8 @@ export declare const customProfileFieldConfigGuard: z.ZodObject<{
     parts?: {
         type: CustomProfileFieldType;
         name: string;
-        enabled: boolean;
         required: boolean;
+        enabled: boolean;
         label?: string | undefined;
         description?: string | undefined;
         config?: {
@@ -440,8 +440,8 @@ export declare const customProfileFieldConfigGuard: z.ZodObject<{
     parts?: {
         type: CustomProfileFieldType;
         name: string;
-        enabled: boolean;
         required: boolean;
+        enabled: boolean;
         label?: string | undefined;
         description?: string | undefined;
         config?: {

package/lib/foundations/jsonb-types/hooks.d.ts

@@ -9,6 +9,7 @@ import { z } from 'zod';
 export declare enum InteractionHookEvent {
     PostRegister = "PostRegister",
     PostSignIn = "PostSignIn",
+    PostSignInAdaptiveMfaTriggered = "PostSignInAdaptiveMfaTriggered",
     PostResetPassword = "PostResetPassword"
 }
 export declare enum DataHookSchema {
@@ -32,11 +33,11 @@ type DataHookPropertyUpdateEvent = `${CustomDataHookMutableSchema}.${DataHookDet
 export type ExceptionHookEvent = 'Identifier.Lockout';
 export type DataHookEvent = BasicDataHookEvent | DataHookPropertyUpdateEvent;
 /** The hook event values that can be registered. */
-export declare const hookEvents: readonly [InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated", "Identifier.Lockout"];
+export declare const hookEvents: readonly [InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostSignInAdaptiveMfaTriggered, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated", "Identifier.Lockout"];
 /** The type of hook event values that can be registered. */
 export type HookEvent = (typeof hookEvents)[number];
-export declare const hookEventGuard: z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated", "Identifier.Lockout"]>;
-export declare const hookEventsGuard: z.ZodArray<z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated", "Identifier.Lockout"]>, "many">;
+export declare const hookEventGuard: z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostSignInAdaptiveMfaTriggered, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated", "Identifier.Lockout"]>;
+export declare const hookEventsGuard: z.ZodArray<z.ZodEnum<[InteractionHookEvent.PostRegister, InteractionHookEvent.PostSignIn, InteractionHookEvent.PostSignInAdaptiveMfaTriggered, InteractionHookEvent.PostResetPassword, "User.Created", "User.Deleted", "User.Data.Updated", "User.SuspensionStatus.Updated", "Role.Created", "Role.Deleted", "Role.Data.Updated", "Role.Scopes.Updated", "Scope.Created", "Scope.Deleted", "Scope.Data.Updated", "Organization.Created", "Organization.Deleted", "Organization.Data.Updated", "Organization.Membership.Updated", "OrganizationRole.Created", "OrganizationRole.Deleted", "OrganizationRole.Data.Updated", "OrganizationRole.Scopes.Updated", "OrganizationScope.Created", "OrganizationScope.Deleted", "OrganizationScope.Data.Updated", "Identifier.Lockout"]>, "many">;
 export type HookEvents = z.infer<typeof hookEventsGuard>;
 export declare const interactionHookEventGuard: z.ZodNativeEnum<typeof InteractionHookEvent>;
 /**

package/lib/foundations/jsonb-types/hooks.js

@@ -11,6 +11,7 @@ export var InteractionHookEvent;
 (function (InteractionHookEvent) {
     InteractionHookEvent["PostRegister"] = "PostRegister";
     InteractionHookEvent["PostSignIn"] = "PostSignIn";
+    InteractionHookEvent["PostSignInAdaptiveMfaTriggered"] = "PostSignInAdaptiveMfaTriggered";
     InteractionHookEvent["PostResetPassword"] = "PostResetPassword";
 })(InteractionHookEvent || (InteractionHookEvent = {}));
 // DataHookEvent
@@ -36,6 +37,7 @@ var DataHookDetailMutationType;
 export const hookEvents = Object.freeze([
     InteractionHookEvent.PostRegister,
     InteractionHookEvent.PostSignIn,
+    InteractionHookEvent.PostSignInAdaptiveMfaTriggered,
     InteractionHookEvent.PostResetPassword,
     'User.Created',
     'User.Deleted',

package/lib/foundations/jsonb-types/logs.d.ts

@@ -361,7 +361,6 @@ export declare const logContextPayloadGuard: z.ZodObject<{
             architecture: z.ZodOptional<z.ZodString>;
         }, z.ZodUnknown, "strip">>>;
     }, z.ZodUnknown, "strip">>>;
-    injectedHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     userId: z.ZodOptional<z.ZodString>;
     applicationId: z.ZodOptional<z.ZodString>;
     sessionId: z.ZodOptional<z.ZodString>;
@@ -547,7 +546,6 @@ export declare const logContextPayloadGuard: z.ZodObject<{
             architecture: z.ZodOptional<z.ZodString>;
         }, z.ZodUnknown, "strip">>>;
     }, z.ZodUnknown, "strip">>>;
-    injectedHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     userId: z.ZodOptional<z.ZodString>;
     applicationId: z.ZodOptional<z.ZodString>;
     sessionId: z.ZodOptional<z.ZodString>;
@@ -733,7 +731,6 @@ export declare const logContextPayloadGuard: z.ZodObject<{
             architecture: z.ZodOptional<z.ZodString>;
         }, z.ZodUnknown, "strip">>>;
     }, z.ZodUnknown, "strip">>>;
-    injectedHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     userId: z.ZodOptional<z.ZodString>;
     applicationId: z.ZodOptional<z.ZodString>;
     sessionId: z.ZodOptional<z.ZodString>;

package/lib/foundations/jsonb-types/logs.js

@@ -63,7 +63,6 @@ export const logContextPayloadGuard = z
     ip: z.string().optional(),
     userAgent: z.string().optional(),
     userAgentParsed: userAgentParsedGuard.optional(),
-    injectedHeaders: z.record(z.string(), z.string()).optional(),
     userId: z.string().optional(),
     applicationId: z.string().optional(),
     sessionId: z.string().optional(),