@logto/schemas 1.38.0 → 1.40.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/alterations/1.39.0-1774752400-add-delete-account-url.ts +20 -0
  2. package/alterations/1.39.0-1774770686-add-account-center-custom-css.ts +20 -0
  3. package/alterations/1.39.0-1776502301-add-sign-up-profile-fields.ts +20 -0
  4. package/alterations/1.40.0-1776516232-add-account-center-profile-fields.ts +20 -0
  5. package/alterations/1.40.0-1778318116-add-custom-ui-csp-to-sie.ts +20 -0
  6. package/alterations/1.40.0-1778500000-add-organization-user-relations-user-id-index.ts +41 -0
  7. package/alterations/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.ts +43 -0
  8. package/alterations/1.40.0-1779421396-add-application-access-control-schema.ts +90 -0
  9. package/alterations-js/1.39.0-1774752400-add-delete-account-url.js +16 -0
  10. package/alterations-js/1.39.0-1774770686-add-account-center-custom-css.js +16 -0
  11. package/alterations-js/1.39.0-1776502301-add-sign-up-profile-fields.js +16 -0
  12. package/alterations-js/1.40.0-1776516232-add-account-center-profile-fields.js +16 -0
  13. package/alterations-js/1.40.0-1778318116-add-custom-ui-csp-to-sie.js +16 -0
  14. package/alterations-js/1.40.0-1778500000-add-organization-user-relations-user-id-index.js +37 -0
  15. package/alterations-js/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.js +39 -0
  16. package/alterations-js/1.40.0-1779421396-add-application-access-control-schema.js +82 -0
  17. package/lib/consts/application.d.ts +1 -0
  18. package/lib/consts/application.js +1 -0
  19. package/lib/consts/index.d.ts +1 -0
  20. package/lib/consts/index.js +1 -0
  21. package/lib/db-entries/account-center.d.ts +14 -2
  22. package/lib/db-entries/account-center.js +13 -1
  23. package/lib/db-entries/application-access-control-org-role-relation.d.ts +22 -0
  24. package/lib/db-entries/application-access-control-org-role-relation.js +33 -0
  25. package/lib/db-entries/application-access-control-organization-relation.d.ts +20 -0
  26. package/lib/db-entries/application-access-control-organization-relation.js +29 -0
  27. package/lib/db-entries/application-access-control-user-relation.d.ts +20 -0
  28. package/lib/db-entries/application-access-control-user-relation.js +29 -0
  29. package/lib/db-entries/application-access-control-user-role-relation.d.ts +20 -0
  30. package/lib/db-entries/application-access-control-user-role-relation.js +29 -0
  31. package/lib/db-entries/application.d.ts +3 -1
  32. package/lib/db-entries/application.js +4 -0
  33. package/lib/db-entries/index.d.ts +4 -0
  34. package/lib/db-entries/index.js +4 -0
  35. package/lib/db-entries/sign-in-experience.d.ts +8 -2
  36. package/lib/db-entries/sign-in-experience.js +9 -1
  37. package/lib/foundations/jsonb-types/account-centers.d.ts +27 -0
  38. package/lib/foundations/jsonb-types/account-centers.js +12 -0
  39. package/lib/foundations/jsonb-types/applications.d.ts +3 -0
  40. package/lib/foundations/jsonb-types/applications.js +4 -0
  41. package/lib/foundations/jsonb-types/applications.test.d.ts +1 -0
  42. package/lib/foundations/jsonb-types/applications.test.js +23 -0
  43. package/lib/foundations/jsonb-types/sign-in-experience.d.ts +27 -1
  44. package/lib/foundations/jsonb-types/sign-in-experience.js +5 -0
  45. package/lib/foundations/jsonb-types/sign-in-experience.test.d.ts +1 -0
  46. package/lib/foundations/jsonb-types/sign-in-experience.test.js +18 -0
  47. package/lib/seeds/application.js +2 -0
  48. package/lib/seeds/sign-in-experience.d.ts +13 -1
  49. package/lib/seeds/sign-in-experience.js +10 -1
  50. package/lib/seeds/sign-in-experience.test.d.ts +1 -0
  51. package/lib/seeds/sign-in-experience.test.js +27 -0
  52. package/lib/types/alteration.d.ts +5 -0
  53. package/lib/types/application.d.ts +101 -2
  54. package/lib/types/application.js +55 -0
  55. package/lib/types/application.test.d.ts +1 -0
  56. package/lib/types/application.test.js +120 -0
  57. package/lib/types/consent.d.ts +6 -0
  58. package/lib/types/custom-profile-fields.d.ts +7 -13
  59. package/lib/types/custom-profile-fields.js +6 -13
  60. package/lib/types/logto-config/index.d.ts +93 -2
  61. package/lib/types/logto-config/index.js +22 -4
  62. package/lib/types/logto-config/index.test.d.ts +1 -0
  63. package/lib/types/logto-config/index.test.js +29 -0
  64. package/lib/types/logto-config/jwt-customizer.d.ts +74 -0
  65. package/lib/types/logto-config/jwt-customizer.js +1 -0
  66. package/lib/types/logto-config/jwt-customizer.test.js +14 -2
  67. package/lib/types/onboarding.d.ts +93 -1
  68. package/lib/types/onboarding.js +22 -1
  69. package/lib/types/saml-application.d.ts +3 -0
  70. package/lib/types/sign-in-experience.d.ts +23 -2
  71. package/lib/types/sign-in-experience.js +1 -0
  72. package/lib/types/system.d.ts +46 -7
  73. package/lib/types/system.js +9 -0
  74. package/lib/types/user-assets.d.ts +1 -1
  75. package/lib/types/user-logto-config.d.ts +11 -0
  76. package/lib/types/user-logto-config.js +6 -0
  77. package/lib/types/user-sessions.d.ts +2516 -0
  78. package/lib/types/user-sessions.js +21 -0
  79. package/lib/utils/index.d.ts +1 -0
  80. package/lib/utils/index.js +1 -0
  81. package/lib/utils/oidc-private-key.d.ts +88 -0
  82. package/lib/utils/oidc-private-key.js +163 -0
  83. package/lib/utils/oidc-private-key.test.d.ts +1 -0
  84. package/lib/utils/oidc-private-key.test.js +128 -0
  85. package/package.json +6 -6
  86. package/tables/account_centers.sql +6 -0
  87. package/tables/application_access_control_org_role_relations.sql +16 -0
  88. package/tables/application_access_control_organization_relations.sql +12 -0
  89. package/tables/application_access_control_user_relations.sql +12 -0
  90. package/tables/application_access_control_user_role_relations.sql +14 -0
  91. package/tables/applications.sql +1 -0
  92. package/tables/organization_role_user_relations.sql +3 -0
  93. package/tables/organization_user_relations.sql +3 -0
  94. package/tables/sign_in_experiences.sql +3 -0
@@ -0,0 +1,33 @@
1
+ // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
2
+ import { z } from 'zod';
3
+ const createGuard = z.object({
4
+ tenantId: z.string().max(21).optional(),
5
+ applicationId: z.string().min(1).max(21),
6
+ organizationId: z.string().min(1).max(21),
7
+ organizationRoleId: z.string().min(1).max(21),
8
+ });
9
+ const guard = z.object({
10
+ tenantId: z.string().max(21),
11
+ applicationId: z.string().min(1).max(21),
12
+ organizationId: z.string().min(1).max(21),
13
+ organizationRoleId: z.string().min(1).max(21),
14
+ });
15
+ export const ApplicationAccessControlOrgRoleRelations = Object.freeze({
16
+ table: 'application_access_control_org_role_relations',
17
+ tableSingular: 'application_access_control_org_role_relation',
18
+ fields: {
19
+ tenantId: 'tenant_id',
20
+ applicationId: 'application_id',
21
+ organizationId: 'organization_id',
22
+ organizationRoleId: 'organization_role_id',
23
+ },
24
+ fieldKeys: [
25
+ 'tenantId',
26
+ 'applicationId',
27
+ 'organizationId',
28
+ 'organizationRoleId',
29
+ ],
30
+ createGuard,
31
+ guard,
32
+ updateGuard: guard.partial(),
33
+ });
@@ -0,0 +1,20 @@
1
+ import { GeneratedSchema } from './../foundations/index.js';
2
+ /**
3
+ * The organization membership allow relations for application-level access control.
4
+ *
5
+ * @remarks This is a type for database creation.
6
+ * @see {@link ApplicationAccessControlOrganizationRelation} for the original type.
7
+ */
8
+ export type CreateApplicationAccessControlOrganizationRelation = {
9
+ tenantId?: string;
10
+ applicationId: string;
11
+ organizationId: string;
12
+ };
13
+ /** The organization membership allow relations for application-level access control. */
14
+ export type ApplicationAccessControlOrganizationRelation = {
15
+ tenantId: string;
16
+ applicationId: string;
17
+ organizationId: string;
18
+ };
19
+ export type ApplicationAccessControlOrganizationRelationKeys = 'tenantId' | 'applicationId' | 'organizationId';
20
+ export declare const ApplicationAccessControlOrganizationRelations: GeneratedSchema<ApplicationAccessControlOrganizationRelationKeys, CreateApplicationAccessControlOrganizationRelation, ApplicationAccessControlOrganizationRelation, 'application_access_control_organization_relations', 'application_access_control_organization_relation'>;
@@ -0,0 +1,29 @@
1
+ // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
2
+ import { z } from 'zod';
3
+ const createGuard = z.object({
4
+ tenantId: z.string().max(21).optional(),
5
+ applicationId: z.string().min(1).max(21),
6
+ organizationId: z.string().min(1).max(21),
7
+ });
8
+ const guard = z.object({
9
+ tenantId: z.string().max(21),
10
+ applicationId: z.string().min(1).max(21),
11
+ organizationId: z.string().min(1).max(21),
12
+ });
13
+ export const ApplicationAccessControlOrganizationRelations = Object.freeze({
14
+ table: 'application_access_control_organization_relations',
15
+ tableSingular: 'application_access_control_organization_relation',
16
+ fields: {
17
+ tenantId: 'tenant_id',
18
+ applicationId: 'application_id',
19
+ organizationId: 'organization_id',
20
+ },
21
+ fieldKeys: [
22
+ 'tenantId',
23
+ 'applicationId',
24
+ 'organizationId',
25
+ ],
26
+ createGuard,
27
+ guard,
28
+ updateGuard: guard.partial(),
29
+ });
@@ -0,0 +1,20 @@
1
+ import { GeneratedSchema } from './../foundations/index.js';
2
+ /**
3
+ * The direct user allow relations for application-level access control.
4
+ *
5
+ * @remarks This is a type for database creation.
6
+ * @see {@link ApplicationAccessControlUserRelation} for the original type.
7
+ */
8
+ export type CreateApplicationAccessControlUserRelation = {
9
+ tenantId?: string;
10
+ applicationId: string;
11
+ userId: string;
12
+ };
13
+ /** The direct user allow relations for application-level access control. */
14
+ export type ApplicationAccessControlUserRelation = {
15
+ tenantId: string;
16
+ applicationId: string;
17
+ userId: string;
18
+ };
19
+ export type ApplicationAccessControlUserRelationKeys = 'tenantId' | 'applicationId' | 'userId';
20
+ export declare const ApplicationAccessControlUserRelations: GeneratedSchema<ApplicationAccessControlUserRelationKeys, CreateApplicationAccessControlUserRelation, ApplicationAccessControlUserRelation, 'application_access_control_user_relations', 'application_access_control_user_relation'>;
@@ -0,0 +1,29 @@
1
+ // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
2
+ import { z } from 'zod';
3
+ const createGuard = z.object({
4
+ tenantId: z.string().max(21).optional(),
5
+ applicationId: z.string().min(1).max(21),
6
+ userId: z.string().min(1).max(21),
7
+ });
8
+ const guard = z.object({
9
+ tenantId: z.string().max(21),
10
+ applicationId: z.string().min(1).max(21),
11
+ userId: z.string().min(1).max(21),
12
+ });
13
+ export const ApplicationAccessControlUserRelations = Object.freeze({
14
+ table: 'application_access_control_user_relations',
15
+ tableSingular: 'application_access_control_user_relation',
16
+ fields: {
17
+ tenantId: 'tenant_id',
18
+ applicationId: 'application_id',
19
+ userId: 'user_id',
20
+ },
21
+ fieldKeys: [
22
+ 'tenantId',
23
+ 'applicationId',
24
+ 'userId',
25
+ ],
26
+ createGuard,
27
+ guard,
28
+ updateGuard: guard.partial(),
29
+ });
@@ -0,0 +1,20 @@
1
+ import { GeneratedSchema } from './../foundations/index.js';
2
+ /**
3
+ * The user role allow relations for application-level access control.
4
+ *
5
+ * @remarks This is a type for database creation.
6
+ * @see {@link ApplicationAccessControlUserRoleRelation} for the original type.
7
+ */
8
+ export type CreateApplicationAccessControlUserRoleRelation = {
9
+ tenantId?: string;
10
+ applicationId: string;
11
+ roleId: string;
12
+ };
13
+ /** The user role allow relations for application-level access control. */
14
+ export type ApplicationAccessControlUserRoleRelation = {
15
+ tenantId: string;
16
+ applicationId: string;
17
+ roleId: string;
18
+ };
19
+ export type ApplicationAccessControlUserRoleRelationKeys = 'tenantId' | 'applicationId' | 'roleId';
20
+ export declare const ApplicationAccessControlUserRoleRelations: GeneratedSchema<ApplicationAccessControlUserRoleRelationKeys, CreateApplicationAccessControlUserRoleRelation, ApplicationAccessControlUserRoleRelation, 'application_access_control_user_role_relations', 'application_access_control_user_role_relation'>;
@@ -0,0 +1,29 @@
1
+ // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
2
+ import { z } from 'zod';
3
+ const createGuard = z.object({
4
+ tenantId: z.string().max(21).optional(),
5
+ applicationId: z.string().min(1).max(21),
6
+ roleId: z.string().min(1).max(21),
7
+ });
8
+ const guard = z.object({
9
+ tenantId: z.string().max(21),
10
+ applicationId: z.string().min(1).max(21),
11
+ roleId: z.string().min(1).max(21),
12
+ });
13
+ export const ApplicationAccessControlUserRoleRelations = Object.freeze({
14
+ table: 'application_access_control_user_role_relations',
15
+ tableSingular: 'application_access_control_user_role_relation',
16
+ fields: {
17
+ tenantId: 'tenant_id',
18
+ applicationId: 'application_id',
19
+ roleId: 'role_id',
20
+ },
21
+ fieldKeys: [
22
+ 'tenantId',
23
+ 'applicationId',
24
+ 'roleId',
25
+ ],
26
+ createGuard,
27
+ guard,
28
+ updateGuard: guard.partial(),
29
+ });
@@ -18,6 +18,7 @@ export type CreateApplication = {
18
18
  protectedAppMetadata?: ProtectedAppMetadata | null;
19
19
  customData?: JsonObject;
20
20
  isThirdParty?: boolean;
21
+ appLevelAccessControlEnabled?: boolean;
21
22
  createdAt?: number;
22
23
  };
23
24
  export type Application = {
@@ -33,7 +34,8 @@ export type Application = {
33
34
  protectedAppMetadata: ProtectedAppMetadata | null;
34
35
  customData: JsonObject;
35
36
  isThirdParty: boolean;
37
+ appLevelAccessControlEnabled: boolean;
36
38
  createdAt: number;
37
39
  };
38
- export type ApplicationKeys = 'tenantId' | 'id' | 'name' | 'secret' | 'description' | 'type' | 'oidcClientMetadata' | 'customClientMetadata' | 'protectedAppMetadata' | 'customData' | 'isThirdParty' | 'createdAt';
40
+ export type ApplicationKeys = 'tenantId' | 'id' | 'name' | 'secret' | 'description' | 'type' | 'oidcClientMetadata' | 'customClientMetadata' | 'protectedAppMetadata' | 'customData' | 'isThirdParty' | 'appLevelAccessControlEnabled' | 'createdAt';
39
41
  export declare const Applications: GeneratedSchema<ApplicationKeys, CreateApplication, Application, 'applications', 'application'>;
@@ -14,6 +14,7 @@ const createGuard = z.object({
14
14
  protectedAppMetadata: protectedAppMetadataGuard.nullable().optional(),
15
15
  customData: jsonObjectGuard.optional(),
16
16
  isThirdParty: z.boolean().optional(),
17
+ appLevelAccessControlEnabled: z.boolean().optional(),
17
18
  createdAt: z.number().optional(),
18
19
  });
19
20
  const guard = z.object({
@@ -28,6 +29,7 @@ const guard = z.object({
28
29
  protectedAppMetadata: protectedAppMetadataGuard.nullable(),
29
30
  customData: jsonObjectGuard,
30
31
  isThirdParty: z.boolean(),
32
+ appLevelAccessControlEnabled: z.boolean(),
31
33
  createdAt: z.number(),
32
34
  });
33
35
  export const Applications = Object.freeze({
@@ -45,6 +47,7 @@ export const Applications = Object.freeze({
45
47
  protectedAppMetadata: 'protected_app_metadata',
46
48
  customData: 'custom_data',
47
49
  isThirdParty: 'is_third_party',
50
+ appLevelAccessControlEnabled: 'app_level_access_control_enabled',
48
51
  createdAt: 'created_at',
49
52
  },
50
53
  fieldKeys: [
@@ -59,6 +62,7 @@ export const Applications = Object.freeze({
59
62
  'protectedAppMetadata',
60
63
  'customData',
61
64
  'isThirdParty',
65
+ 'appLevelAccessControlEnabled',
62
66
  'createdAt',
63
67
  ],
64
68
  createGuard,
@@ -5,6 +5,10 @@ export * from './-before-all.js';
5
5
  export * from './-function.js';
6
6
  export * from './account-center.js';
7
7
  export * from './aggregated-daily-active-user.js';
8
+ export * from './application-access-control-org-role-relation.js';
9
+ export * from './application-access-control-organization-relation.js';
10
+ export * from './application-access-control-user-relation.js';
11
+ export * from './application-access-control-user-role-relation.js';
8
12
  export * from './application-secret.js';
9
13
  export * from './application-sign-in-experience.js';
10
14
  export * from './application-user-consent-organization-resource-scope.js';
@@ -6,6 +6,10 @@ export * from './-before-all.js';
6
6
  export * from './-function.js';
7
7
  export * from './account-center.js';
8
8
  export * from './aggregated-daily-active-user.js';
9
+ export * from './application-access-control-org-role-relation.js';
10
+ export * from './application-access-control-organization-relation.js';
11
+ export * from './application-access-control-user-relation.js';
12
+ export * from './application-access-control-user-role-relation.js';
9
13
  export * from './application-secret.js';
10
14
  export * from './application-sign-in-experience.js';
11
15
  export * from './application-user-consent-organization-resource-scope.js';
@@ -1,4 +1,4 @@
1
- import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, PartialPasswordPolicy, Mfa, AdaptiveMfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, PasskeySignIn, GeneratedSchema } from './../foundations/index.js';
1
+ import { Color, Branding, LanguageInfo, SignIn, SignUp, SocialSignIn, ConnectorTargets, CustomContent, CustomUiAssets, CustomUiCsp, PartialPasswordPolicy, Mfa, AdaptiveMfa, CaptchaPolicy, SentinelPolicy, EmailBlocklistPolicy, ForgotPasswordMethods, PasskeySignIn, SignUpProfileFields, GeneratedSchema } from './../foundations/index.js';
2
2
  import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
3
3
  /**
4
4
  *
@@ -24,6 +24,7 @@ export type CreateSignInExperience = {
24
24
  customCss?: string | null;
25
25
  customContent?: CustomContent;
26
26
  customUiAssets?: CustomUiAssets | null;
27
+ customUiCsp?: CustomUiCsp;
27
28
  passwordPolicy?: PartialPasswordPolicy;
28
29
  mfa?: Mfa;
29
30
  adaptiveMfa?: AdaptiveMfa;
@@ -36,6 +37,8 @@ export type CreateSignInExperience = {
36
37
  emailBlocklistPolicy?: EmailBlocklistPolicy;
37
38
  forgotPasswordMethods?: ForgotPasswordMethods | null;
38
39
  passkeySignIn?: PasskeySignIn;
40
+ /** Nullable by design: null keeps legacy full-catalog behavior and [] collects no custom profile fields. */
41
+ signUpProfileFields?: SignUpProfileFields | null;
39
42
  };
40
43
  export type SignInExperience = {
41
44
  tenantId: string;
@@ -56,6 +59,7 @@ export type SignInExperience = {
56
59
  customCss: string | null;
57
60
  customContent: CustomContent;
58
61
  customUiAssets: CustomUiAssets | null;
62
+ customUiCsp: CustomUiCsp;
59
63
  passwordPolicy: PartialPasswordPolicy;
60
64
  mfa: Mfa;
61
65
  adaptiveMfa: AdaptiveMfa;
@@ -68,6 +72,8 @@ export type SignInExperience = {
68
72
  emailBlocklistPolicy: EmailBlocklistPolicy;
69
73
  forgotPasswordMethods: ForgotPasswordMethods | null;
70
74
  passkeySignIn: PasskeySignIn;
75
+ /** Nullable by design: null keeps legacy full-catalog behavior and [] collects no custom profile fields. */
76
+ signUpProfileFields: SignUpProfileFields | null;
71
77
  };
72
- export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'passwordPolicy' | 'mfa' | 'adaptiveMfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods' | 'passkeySignIn';
78
+ export type SignInExperienceKeys = 'tenantId' | 'id' | 'color' | 'branding' | 'hideLogtoBranding' | 'languageInfo' | 'termsOfUseUrl' | 'privacyPolicyUrl' | 'agreeToTermsPolicy' | 'signIn' | 'signUp' | 'socialSignIn' | 'socialSignInConnectorTargets' | 'signInMode' | 'customCss' | 'customContent' | 'customUiAssets' | 'customUiCsp' | 'passwordPolicy' | 'mfa' | 'adaptiveMfa' | 'singleSignOnEnabled' | 'supportEmail' | 'supportWebsiteUrl' | 'unknownSessionRedirectUrl' | 'captchaPolicy' | 'sentinelPolicy' | 'emailBlocklistPolicy' | 'forgotPasswordMethods' | 'passkeySignIn' | 'signUpProfileFields';
73
79
  export declare const SignInExperiences: GeneratedSchema<SignInExperienceKeys, CreateSignInExperience, SignInExperience, 'sign_in_experiences', 'sign_in_experience'>;
@@ -1,6 +1,6 @@
1
1
  // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
2
2
  import { z } from 'zod';
3
- import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, partialPasswordPolicyGuard, mfaGuard, adaptiveMfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard, passkeySignInGuard } from './../foundations/index.js';
3
+ import { colorGuard, brandingGuard, languageInfoGuard, signInGuard, signUpGuard, socialSignInGuard, connectorTargetsGuard, customContentGuard, customUiAssetsGuard, customUiCspGuard, partialPasswordPolicyGuard, mfaGuard, adaptiveMfaGuard, captchaPolicyGuard, sentinelPolicyGuard, emailBlocklistPolicyGuard, forgotPasswordMethodsGuard, passkeySignInGuard, signUpProfileFieldsGuard } from './../foundations/index.js';
4
4
  import { AgreeToTermsPolicy, SignInMode } from './custom-types.js';
5
5
  const createGuard = z.object({
6
6
  tenantId: z.string().max(21).optional(),
@@ -20,6 +20,7 @@ const createGuard = z.object({
20
20
  customCss: z.string().nullable().optional(),
21
21
  customContent: customContentGuard.optional(),
22
22
  customUiAssets: customUiAssetsGuard.nullable().optional(),
23
+ customUiCsp: customUiCspGuard.optional(),
23
24
  passwordPolicy: partialPasswordPolicyGuard.optional(),
24
25
  mfa: mfaGuard.optional(),
25
26
  adaptiveMfa: adaptiveMfaGuard.optional(),
@@ -32,6 +33,7 @@ const createGuard = z.object({
32
33
  emailBlocklistPolicy: emailBlocklistPolicyGuard.optional(),
33
34
  forgotPasswordMethods: forgotPasswordMethodsGuard.nullable().optional(),
34
35
  passkeySignIn: passkeySignInGuard.optional(),
36
+ signUpProfileFields: signUpProfileFieldsGuard.nullable().optional(),
35
37
  });
36
38
  const guard = z.object({
37
39
  tenantId: z.string().max(21),
@@ -51,6 +53,7 @@ const guard = z.object({
51
53
  customCss: z.string().nullable(),
52
54
  customContent: customContentGuard,
53
55
  customUiAssets: customUiAssetsGuard.nullable(),
56
+ customUiCsp: customUiCspGuard,
54
57
  passwordPolicy: partialPasswordPolicyGuard,
55
58
  mfa: mfaGuard,
56
59
  adaptiveMfa: adaptiveMfaGuard,
@@ -63,6 +66,7 @@ const guard = z.object({
63
66
  emailBlocklistPolicy: emailBlocklistPolicyGuard,
64
67
  forgotPasswordMethods: forgotPasswordMethodsGuard.nullable(),
65
68
  passkeySignIn: passkeySignInGuard,
69
+ signUpProfileFields: signUpProfileFieldsGuard.nullable(),
66
70
  });
67
71
  export const SignInExperiences = Object.freeze({
68
72
  table: 'sign_in_experiences',
@@ -85,6 +89,7 @@ export const SignInExperiences = Object.freeze({
85
89
  customCss: 'custom_css',
86
90
  customContent: 'custom_content',
87
91
  customUiAssets: 'custom_ui_assets',
92
+ customUiCsp: 'custom_ui_csp',
88
93
  passwordPolicy: 'password_policy',
89
94
  mfa: 'mfa',
90
95
  adaptiveMfa: 'adaptive_mfa',
@@ -97,6 +102,7 @@ export const SignInExperiences = Object.freeze({
97
102
  emailBlocklistPolicy: 'email_blocklist_policy',
98
103
  forgotPasswordMethods: 'forgot_password_methods',
99
104
  passkeySignIn: 'passkey_sign_in',
105
+ signUpProfileFields: 'sign_up_profile_fields',
100
106
  },
101
107
  fieldKeys: [
102
108
  'tenantId',
@@ -116,6 +122,7 @@ export const SignInExperiences = Object.freeze({
116
122
  'customCss',
117
123
  'customContent',
118
124
  'customUiAssets',
125
+ 'customUiCsp',
119
126
  'passwordPolicy',
120
127
  'mfa',
121
128
  'adaptiveMfa',
@@ -128,6 +135,7 @@ export const SignInExperiences = Object.freeze({
128
135
  'emailBlocklistPolicy',
129
136
  'forgotPasswordMethods',
130
137
  'passkeySignIn',
138
+ 'signUpProfileFields',
131
139
  ],
132
140
  createGuard,
133
141
  guard,
@@ -49,3 +49,30 @@ export declare const accountCenterFieldControlGuard: z.ZodObject<{
49
49
  export type AccountCenterFieldControl = z.infer<typeof accountCenterFieldControlGuard>;
50
50
  export declare const webauthnRelatedOriginsGuard: z.ZodArray<z.ZodString, "many">;
51
51
  export type WebauthnRelatedOrigins = z.infer<typeof webauthnRelatedOriginsGuard>;
52
+ /**
53
+ * Configuration for which custom profile fields are exposed in the prebuilt account center and
54
+ * in which order. Each entry references an existing field by name in the `custom_profile_fields`
55
+ * catalog; fields in the catalog but not in this list are not shown in the account center.
56
+ *
57
+ * Kept separate from `signUpProfileFields` so the sign-up and account-center surfaces can be
58
+ * configured independently against the same catalog.
59
+ */
60
+ export type AccountCenterProfileFieldItem = {
61
+ name: string;
62
+ };
63
+ export declare const accountCenterProfileFieldItemGuard: z.ZodObject<{
64
+ name: z.ZodString;
65
+ }, "strip", z.ZodTypeAny, {
66
+ name: string;
67
+ }, {
68
+ name: string;
69
+ }>;
70
+ export declare const accountCenterProfileFieldsGuard: z.ZodArray<z.ZodObject<{
71
+ name: z.ZodString;
72
+ }, "strip", z.ZodTypeAny, {
73
+ name: string;
74
+ }, {
75
+ name: string;
76
+ }>, "many">;
77
+ export type AccountCenterProfileFields = z.infer<typeof accountCenterProfileFieldsGuard>;
78
+ export declare const deleteAccountUrlGuard: z.ZodEffects<z.ZodString, string, string>;
@@ -26,3 +26,15 @@ export const accountCenterFieldControlGuard = z
26
26
  })
27
27
  .partial();
28
28
  export const webauthnRelatedOriginsGuard = z.array(z.string());
29
+ export const accountCenterProfileFieldItemGuard = z.object({
30
+ name: z.string(),
31
+ });
32
+ export const accountCenterProfileFieldsGuard = z.array(accountCenterProfileFieldItemGuard);
33
+ export const deleteAccountUrlGuard = z
34
+ .string()
35
+ .max(2048)
36
+ .refine((value) => value === '' ||
37
+ ((value.startsWith('https://') || value.startsWith('http://')) &&
38
+ z.string().url().safeParse(value).success), {
39
+ message: 'deleteAccountUrl must be a valid http(s) URL',
40
+ });
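Review bot: `deleteAccountUrlGuard` accepts `http://` alongside `https://` (line 37 of the hunk); because this is the destination a signed-in user is sent to in order to delete their account, a plaintext URL exposes that navigation, and anything carried in its query string, to on-path observers. If `http://` is only intended for local development, say so in a comment above the `.refine`, e.g. `// http:// is accepted only for local development; production values should use https://`, or restrict the check to `https://` and let a `http://localhost` exception cover the dev case. Separately, `accountCenterProfileFieldItemGuard` validates `name` with a bare `z.string()`, so an empty name and duplicate entries pass even though each entry is meant to reference a `custom_profile_fields` catalog entry by name; `name: z.string().min(1)` plus a refine on `accountCenterProfileFieldsGuard` that rejects repeated names would stop those before they are persisted. The same applies to `signUpProfileFieldItemGuard` / `signUpProfileFieldsGuard` in the sign-in-experience.js hunk.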
@@ -217,6 +217,7 @@ export declare const protectedAppMetadataGuard: z.ZodObject<{
217
217
  }, {
218
218
  path: string;
219
219
  }>, "many">;
220
+ additionalScopes: z.ZodOptional<z.ZodArray<z.ZodEnum<[import("@logto/core-kit").UserScope.CustomData, import("@logto/core-kit").UserScope.Identities, import("@logto/core-kit").UserScope.Roles, import("@logto/core-kit").UserScope.Organizations, import("@logto/core-kit").UserScope.OrganizationRoles]>, "many">>;
220
221
  customDomains: z.ZodOptional<z.ZodArray<z.ZodObject<{
221
222
  domain: z.ZodString;
222
223
  status: z.ZodNativeEnum<typeof import("./custom-domain.js").DomainStatus>;
@@ -327,6 +328,7 @@ export declare const protectedAppMetadataGuard: z.ZodObject<{
327
328
  pageRules: {
328
329
  path: string;
329
330
  }[];
331
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
330
332
  customDomains?: {
331
333
  status: import("./custom-domain.js").DomainStatus;
332
334
  domain: string;
@@ -355,6 +357,7 @@ export declare const protectedAppMetadataGuard: z.ZodObject<{
355
357
  pageRules: {
356
358
  path: string;
357
359
  }[];
360
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
358
361
  customDomains?: {
359
362
  status: import("./custom-domain.js").DomainStatus;
360
363
  domain: string;
@@ -1,5 +1,7 @@
1
+ import { protectedAppAdditionalScopes } from '@logto/core-kit';
1
2
  import { z } from 'zod';
2
3
  import { cloudflareDataGuard, domainDnsRecordsGuard, domainStatusGuard } from './custom-domain.js';
4
+ const protectedAppAdditionalScopeGuard = z.enum(protectedAppAdditionalScopes);
3
5
  export const customDomainGuard = z.object({
4
6
  /* The domain name, e.g app.example.com */
5
7
  domain: z.string(),
@@ -24,6 +26,8 @@ export const protectedAppMetadataGuard = z.object({
24
26
  /* The path pattern (regex) to match */
25
27
  path: z.string(),
26
28
  })),
29
+ /* Additional scopes requested by protected app sign-in */
30
+ additionalScopes: z.array(protectedAppAdditionalScopeGuard).optional(),
27
31
  /* Custom domain */
28
32
  customDomains: customDomainsGuard.optional(),
29
33
  });
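Review bot: The comment on `additionalScopes` only says the scopes are "requested by protected app sign-in", while the accompanying test makes clear the enum is deliberately limited to scopes whose claims are returned in the ID token (`UserScope.CustomData` accepted, `UserScope.Sessions` rejected); the comment should state that constraint so nobody widens `protectedAppAdditionalScopes` without realising it is a boundary on what a protected app can obtain. Suggested wording: `/* Additional scopes requested by protected app sign-in; limited to protectedAppAdditionalScopes (core-kit), i.e. scopes whose claims are returned in the ID token */`. The array has no `.max()` and allows duplicates; with a five-value enum that is harmless for storage, but a duplicate check (or `.max(protectedAppAdditionalScopes.length)`) would keep stored metadata canonical. The `protectedAppMetadataGuard` object starts before this hunk.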
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,23 @@
1
+ import { UserScope } from '@logto/core-kit';
2
+ import { describe, expect, it } from 'vitest';
3
+ import { protectedAppMetadataGuard } from './applications.js';
4
+ const protectedAppMetadata = {
5
+ host: 'example.com',
6
+ origin: 'https://example.com',
7
+ sessionDuration: 3600,
8
+ pageRules: [],
9
+ };
10
+ describe('protectedAppMetadataGuard', () => {
11
+ it('accepts additional scopes with extended ID token claims', () => {
12
+ expect(protectedAppMetadataGuard.safeParse({
13
+ ...protectedAppMetadata,
14
+ additionalScopes: [UserScope.CustomData],
15
+ }).success).toBe(true);
16
+ });
17
+ it('rejects additional scopes without extended ID token claims', () => {
18
+ expect(protectedAppMetadataGuard.safeParse({
19
+ ...protectedAppMetadata,
20
+ additionalScopes: [UserScope.Sessions],
21
+ }).success).toBe(false);
22
+ });
23
+ });
@@ -415,4 +415,30 @@ export declare const passkeySignInGuard: z.ZodObject<{
415
415
  showPasskeyButton?: boolean | undefined;
416
416
  allowAutofill?: boolean | undefined;
417
417
  }>;
418
- export {};
418
+ /**
419
+ * Configuration for which custom profile fields are shown on the sign-up page and in which order.
420
+ *
421
+ * The list is a pure projection over the catalog in `custom_profile_fields` — each entry references
422
+ * an existing field by name. Fields in the catalog but not in this list are not collected during
423
+ * sign-up. This enables reusing the same catalog for other surfaces (e.g. account center) without
424
+ * affecting sign-up.
425
+ */
426
+ export type SignUpProfileFieldItem = {
427
+ name: string;
428
+ };
429
+ export declare const signUpProfileFieldItemGuard: z.ZodObject<{
430
+ name: z.ZodString;
431
+ }, "strip", z.ZodTypeAny, {
432
+ name: string;
433
+ }, {
434
+ name: string;
435
+ }>;
436
+ export declare const signUpProfileFieldsGuard: z.ZodArray<z.ZodObject<{
437
+ name: z.ZodString;
438
+ }, "strip", z.ZodTypeAny, {
439
+ name: string;
440
+ }, {
441
+ name: string;
442
+ }>, "many">;
443
+ export type SignUpProfileFields = z.infer<typeof signUpProfileFieldsGuard>;
444
+ export { customUiCspGuard, type CustomUiCsp } from '@logto/core-kit';
@@ -138,3 +138,8 @@ export const passkeySignInGuard = z
138
138
  allowAutofill: z.boolean(),
139
139
  })
140
140
  .partial();
141
+ export const signUpProfileFieldItemGuard = z.object({
142
+ name: z.string(),
143
+ });
144
+ export const signUpProfileFieldsGuard = z.array(signUpProfileFieldItemGuard);
145
+ export { customUiCspGuard } from '@logto/core-kit';
@@ -0,0 +1,18 @@
1
+ import { describe, expect, it } from 'vitest';
2
+ import { customUiCspGuard } from './sign-in-experience.js';
3
+ describe('customUiCspGuard', () => {
4
+ it.each([
5
+ {},
6
+ { scriptSrc: ['https://example.com'] },
7
+ { connectSrc: ['https://api.example.com'] },
8
+ {
9
+ scriptSrc: ['https://example.com'],
10
+ connectSrc: ['https://api.example.com'],
11
+ },
12
+ ])('accepts %p', (value) => {
13
+ expect(customUiCspGuard.safeParse(value).success).toBe(true);
14
+ });
15
+ it('rejects unsupported directives', () => {
16
+ expect(customUiCspGuard.safeParse({ imgSrc: ['https://example.com'] }).success).toBe(false);
17
+ });
18
+ });
@@ -21,6 +21,7 @@ const buildSpaApplicationData = (tenantId, { id, name, description, }) => ({
21
21
  customClientMetadata: {},
22
22
  protectedAppMetadata: null,
23
23
  isThirdParty: false,
24
+ appLevelAccessControlEnabled: false,
24
25
  createdAt: 0,
25
26
  customData: {},
26
27
  });
@@ -45,6 +46,7 @@ const buildNativeApplicationData = (tenantId, { id, name, description, }) => ({
45
46
  customClientMetadata: { isDeviceFlow: true },
46
47
  protectedAppMetadata: null,
47
48
  isThirdParty: false,
49
+ appLevelAccessControlEnabled: false,
48
50
  createdAt: 0,
49
51
  customData: {},
50
52
  });
@@ -3,4 +3,16 @@ export declare const defaultPrimaryColor = "#6139F6";
3
3
  export declare const createDefaultSignInExperience: (forTenantId: string, isCloud: boolean) => Readonly<CreateSignInExperience>;
4
4
  /** @deprecated Use `createDefaultSignInExperience()` instead. */
5
5
  export declare const defaultSignInExperience: Readonly<CreateSignInExperience>;
6
- export declare const createAdminTenantSignInExperience: () => Readonly<CreateSignInExperience>;
6
+ export type AdminSignInExperienceSeedOptions = {
7
+ /**
8
+ * When true, the seeded admin-tenant `passwordPolicy` explicitly disables the
9
+ * HaveIBeenPwned (HIBP) breach check by setting `rejects.pwned = false`. Intended
10
+ * for air-gapped or offline OSS deployments where `api.pwnedpasswords.com` is
11
+ * unreachable; otherwise the first admin sign-up will hang on the breach check.
12
+ *
13
+ * Defaults to `false`, which preserves the historical seeded value (`{}`) and lets
14
+ * the runtime fall back to the default policy (HIBP check enabled).
15
+ */
16
+ disablePwnedPasswordCheck?: boolean;
17
+ };
18
+ export declare const createAdminTenantSignInExperience: (options?: AdminSignInExperienceSeedOptions) => Readonly<CreateSignInExperience>;
@@ -50,7 +50,7 @@ export const createDefaultSignInExperience = (forTenantId, isCloud) => Object.fr
50
50
  });
51
51
  /** @deprecated Use `createDefaultSignInExperience()` instead. */
52
52
  export const defaultSignInExperience = createDefaultSignInExperience(defaultTenantId, false);
53
- export const createAdminTenantSignInExperience = () => Object.freeze({
53
+ export const createAdminTenantSignInExperience = (options = {}) => Object.freeze({
54
54
  ...defaultSignInExperience,
55
55
  tenantId: adminTenantId,
56
56
  color: {
@@ -62,6 +62,15 @@ export const createAdminTenantSignInExperience = () => Object.freeze({
62
62
  logoUrl: 'https://logto.io/logo.svg',
63
63
  darkLogoUrl: 'https://logto.io/logo-dark.svg',
64
64
  },
65
+ passwordPolicy: options.disablePwnedPasswordCheck
66
+ ? {
67
+ ...defaultSignInExperience.passwordPolicy,
68
+ rejects: {
69
+ ...defaultSignInExperience.passwordPolicy?.rejects,
70
+ pwned: false,
71
+ },
72
+ }
73
+ : defaultSignInExperience.passwordPolicy,
65
74
  mfa: {
66
75
  factors: [MfaFactor.TOTP, MfaFactor.WebAuthn, MfaFactor.BackupCode],
67
76
  policy: MfaPolicy.NoPrompt,
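Review bot: The seed carries no explanation of the `passwordPolicy` branch (lines 65–73 of the hunk); the rationale lives only in the `.d.ts` doc on `AdminSignInExperienceSeedOptions`, so a reader of the seed sees a path that quietly turns off the HIBP breach check. Add a why-comment on the ternary, e.g. `// Deliberately weakens the seeded policy: disables the HIBP check for offline deployments where api.pwnedpasswords.com is unreachable.`. Note also that spreading `defaultSignInExperience.passwordPolicy` and then overriding `rejects` yields `{ rejects: { pwned: false } }` when the default policy is `{}` (the `.d.ts` calls that the historical value), which presumably relies on the runtime merging the remaining defaults back in — worth confirming against the policy loader. The object literal returned by `createAdminTenantSignInExperience` continues past the hunk.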
@@ -0,0 +1 @@
1
+ export {};