@logto/schemas 1.37.0 → 1.38.0

package/lib/types/user-sessions.js

@@ -1,5 +1,4 @@
 import { z } from 'zod';
-import { OidcModelInstances } from '../db-entries/oidc-model-instance.js';
 import { oidcSessionInstancePayloadGuard } from '../foundations/index.js';
 import { jwtCustomizerUserInteractionContextGuard } from './logto-config/jwt-customizer.js';
 export const userSessionSignInContextGuard = z
@@ -14,13 +13,45 @@ export const userSessionSignInContextGuard = z
     botVerified: z.string().optional(),
 })
     .catchall(z.string());
-export const userExtendedSessionGuard = OidcModelInstances.guard.extend({
+export var SessionGrantRevokeTarget;
+(function (SessionGrantRevokeTarget) {
+    SessionGrantRevokeTarget["All"] = "all";
+    SessionGrantRevokeTarget["FirstParty"] = "firstParty";
+})(SessionGrantRevokeTarget || (SessionGrantRevokeTarget = {}));
+/**
+ * Public session shape for session management APIs.
+ *
+ * We intentionally expose only fields needed by management/account-center session views and actions.
+ * Internal OIDC storage fields (e.g. `tenantId`, `id`, `consumedAt`) are omitted on purpose.
+ */
+export const userExtendedSessionGuard = z.object({
     payload: oidcSessionInstancePayloadGuard,
     lastSubmission: jwtCustomizerUserInteractionContextGuard.nullable(),
     clientId: z.string().nullable(),
     accountId: z.string().nullable(),
+    expiresAt: z.number(),
 });
 export const getUserSessionsResponseGuard = z.object({
     sessions: z.array(userExtendedSessionGuard),
 });
 export const getUserSessionResponseGuard = userExtendedSessionGuard;
+export const userApplicationGrantPayloadGuard = z
+    .object({
+    /** Expiration time of the grant in seconds since the epoch */
+    exp: z.number(),
+    /** Issued at time of the grant in seconds since the epoch */
+    iat: z.number(),
+    jti: z.string(),
+    kind: z.literal('Grant'),
+    clientId: z.string(),
+    accountId: z.string(),
+})
+    .catchall(z.unknown());
+export const userApplicationGrantGuard = z.object({
+    id: z.string(),
+    payload: userApplicationGrantPayloadGuard,
+    expiresAt: z.number(),
+});
+export const getUserApplicationGrantsResponseGuard = z.object({
+    grants: z.array(userApplicationGrantGuard),
+});

package/lib/types/verification-records/verification-type.d.ts

@@ -9,7 +9,7 @@ export declare enum VerificationType {
     EnterpriseSso = "EnterpriseSso",
     TOTP = "Totp",
     WebAuthn = "WebAuthn",
-    SignInWebAuthn = "SignInWebAuthn",
+    SignInPasskey = "SignInPasskey",
     BackupCode = "BackupCode",
     NewPasswordIdentity = "NewPasswordIdentity",
     OneTimeToken = "OneTimeToken"

package/lib/types/verification-records/verification-type.js

@@ -10,7 +10,7 @@ export var VerificationType;
     VerificationType["EnterpriseSso"] = "EnterpriseSso";
     VerificationType["TOTP"] = "Totp";
     VerificationType["WebAuthn"] = "WebAuthn";
-    VerificationType["SignInWebAuthn"] = "SignInWebAuthn";
+    VerificationType["SignInPasskey"] = "SignInPasskey";
     VerificationType["BackupCode"] = "BackupCode";
     VerificationType["NewPasswordIdentity"] = "NewPasswordIdentity";
     VerificationType["OneTimeToken"] = "OneTimeToken";

package/lib/types/verification-records/web-authn-verification.d.ts

@@ -139,13 +139,13 @@ export declare const sanitizedWebAuthnVerificationRecordDataGuard: z.ZodObject<O
     userId: string;
     verified: boolean;
 }>;
-export type SignInWebAuthnVerificationRecordData = BaseWebAuthnVerificationRecordData & {
-    type: VerificationType.SignInWebAuthn;
+export type SignInPasskeyVerificationRecordData = BaseWebAuthnVerificationRecordData & {
+    type: VerificationType.SignInPasskey;
     userId?: string;
     /** The rpId used when generating the authentication options */
     authenticationRpId?: string;
 };
-export declare const signInWebAuthnVerificationRecordDataGuard: z.ZodObject<{
+export declare const signInPasskeyVerificationRecordDataGuard: z.ZodObject<{
     id: z.ZodString;
     verified: z.ZodBoolean;
     registrationChallenge: z.ZodOptional<z.ZodString>;
@@ -180,11 +180,11 @@ export declare const signInWebAuthnVerificationRecordDataGuard: z.ZodObject<{
         name?: string | undefined;
     }>>;
 } & {
-    type: z.ZodLiteral<VerificationType.SignInWebAuthn>;
+    type: z.ZodLiteral<VerificationType.SignInPasskey>;
     userId: z.ZodOptional<z.ZodString>;
     authenticationRpId: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
-    type: VerificationType.SignInWebAuthn;
+    type: VerificationType.SignInPasskey;
     id: string;
     verified: boolean;
     userId?: string | undefined;
@@ -203,7 +203,7 @@ export declare const signInWebAuthnVerificationRecordDataGuard: z.ZodObject<{
     } | undefined;
     authenticationRpId?: string | undefined;
 }, {
-    type: VerificationType.SignInWebAuthn;
+    type: VerificationType.SignInPasskey;
     id: string;
     verified: boolean;
     userId?: string | undefined;
@@ -222,8 +222,8 @@ export declare const signInWebAuthnVerificationRecordDataGuard: z.ZodObject<{
     } | undefined;
     authenticationRpId?: string | undefined;
 }>;
-export type SanitizedSignInWebAuthnVerificationRecordData = Omit<SignInWebAuthnVerificationRecordData, 'registrationInfo' | 'registrationChallenge' | 'registrationRpId' | 'authenticationChallenge' | 'authenticationRpId'>;
-export declare const sanitizedSignInWebAuthnVerificationRecordDataGuard: z.ZodObject<Omit<{
+export type SanitizedSignInPasskeyVerificationRecordData = Omit<SignInPasskeyVerificationRecordData, 'registrationInfo' | 'registrationChallenge' | 'registrationRpId' | 'authenticationChallenge' | 'authenticationRpId'>;
+export declare const sanitizedSignInPasskeyVerificationRecordDataGuard: z.ZodObject<Omit<{
     id: z.ZodString;
     verified: z.ZodBoolean;
     registrationChallenge: z.ZodOptional<z.ZodString>;
@@ -258,16 +258,16 @@ export declare const sanitizedSignInWebAuthnVerificationRecordDataGuard: z.ZodOb
         name?: string | undefined;
     }>>;
 } & {
-    type: z.ZodLiteral<VerificationType.SignInWebAuthn>;
+    type: z.ZodLiteral<VerificationType.SignInPasskey>;
     userId: z.ZodOptional<z.ZodString>;
     authenticationRpId: z.ZodOptional<z.ZodString>;
 }, "registrationChallenge" | "registrationRpId" | "authenticationChallenge" | "registrationInfo" | "authenticationRpId">, "strip", z.ZodTypeAny, {
-    type: VerificationType.SignInWebAuthn;
+    type: VerificationType.SignInPasskey;
     id: string;
     verified: boolean;
     userId?: string | undefined;
 }, {
-    type: VerificationType.SignInWebAuthn;
+    type: VerificationType.SignInPasskey;
     id: string;
     verified: boolean;
     userId?: string | undefined;

package/lib/types/verification-records/web-authn-verification.js

@@ -19,12 +19,12 @@ export const sanitizedWebAuthnVerificationRecordDataGuard = webAuthnVerification
     registrationRpId: true,
     authenticationChallenge: true,
 });
-export const signInWebAuthnVerificationRecordDataGuard = baseWebAuthnVerificationRecordDataGuard.extend({
-    type: z.literal(VerificationType.SignInWebAuthn),
+export const signInPasskeyVerificationRecordDataGuard = baseWebAuthnVerificationRecordDataGuard.extend({
+    type: z.literal(VerificationType.SignInPasskey),
     userId: z.string().optional(),
     authenticationRpId: z.string().optional(),
 });
-export const sanitizedSignInWebAuthnVerificationRecordDataGuard = signInWebAuthnVerificationRecordDataGuard.omit({
+export const sanitizedSignInPasskeyVerificationRecordDataGuard = signInPasskeyVerificationRecordDataGuard.omit({
     registrationInfo: true,
     registrationChallenge: true,
     registrationRpId: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.37.0",
+  "version": "1.38.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -65,12 +65,12 @@
   "dependencies": {
     "@withtyped/server": "^0.14.0",
     "nanoid": "^5.0.9",
-    "@logto/connector-kit": "^4.7.0",
-    "@logto/core-kit": "^2.7.0",
-    "@logto/language-kit": "^1.2.0",
-    "@logto/phrases": "^1.26.0",
-    "@logto/phrases-experience": "^1.12.1",
-    "@logto/shared": "^3.3.1"
+    "@logto/language-kit": "^1.3.0",
+    "@logto/core-kit": "^2.8.0",
+    "@logto/phrases": "^1.27.0",
+    "@logto/shared": "^3.3.1",
+    "@logto/connector-kit": "^5.0.0",
+    "@logto/phrases-experience": "^1.13.0"
   },
   "peerDependencies": {
     "zod": "3.24.3"
@@ -85,7 +85,8 @@
     "dev": "tsc -p tsconfig.build.json --watch --preserveWatchOutput --incremental",
     "lint": "eslint --ext .ts src",
     "lint:report": "pnpm lint --format json --output-file report.json",
-    "test": "vitest src",
+    "test": "vitest run src",
+    "test:watch": "vitest src --watch",
     "test:ci": "pnpm run test --silent --coverage"
   }
 }

package/tables/oidc_model_instances.sql

@@ -27,6 +27,7 @@ create index oidc_model_instances__model_name_payload_uid
     (payload->>'uid')
   );
 
+/* TODO: Consider dropping this full data index if the partial index proves to be effective and safe. */
 create index oidc_model_instances__model_name_payload_grant_id
   on oidc_model_instances (
     tenant_id,
@@ -34,9 +35,24 @@ create index oidc_model_instances__model_name_payload_grant_id
     (payload->>'grantId')
   );
 
+create index oidc_model_instances__model_name_payload_grant_id_partial
+  on oidc_model_instances (tenant_id, model_name, (payload->>'grantId'))
+  where payload ? 'grantId';
+
 create index oidc_model_instances__expires_at
   on oidc_model_instances (tenant_id, expires_at);
 
 create index oidc_model_instances__session_payload_account_id_expires_at
   on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
   WHERE model_name = 'Session';
+
+create index oidc_model_instances__grant_payload_account_id_expires_at
+  on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+  WHERE model_name = 'Grant';
+
+alter table oidc_model_instances set (
+  autovacuum_vacuum_scale_factor = 0.05,
+  autovacuum_analyze_scale_factor = 0.02,
+  autovacuum_vacuum_threshold = 5000,
+  autovacuum_analyze_threshold = 2000
+);