@logto/schemas 1.38.0 → 1.40.0

Files changed (94)
  1. package/alterations/1.39.0-1774752400-add-delete-account-url.ts +20 -0
  2. package/alterations/1.39.0-1774770686-add-account-center-custom-css.ts +20 -0
  3. package/alterations/1.39.0-1776502301-add-sign-up-profile-fields.ts +20 -0
  4. package/alterations/1.40.0-1776516232-add-account-center-profile-fields.ts +20 -0
  5. package/alterations/1.40.0-1778318116-add-custom-ui-csp-to-sie.ts +20 -0
  6. package/alterations/1.40.0-1778500000-add-organization-user-relations-user-id-index.ts +41 -0
  7. package/alterations/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.ts +43 -0
  8. package/alterations/1.40.0-1779421396-add-application-access-control-schema.ts +90 -0
  9. package/alterations-js/1.39.0-1774752400-add-delete-account-url.js +16 -0
  10. package/alterations-js/1.39.0-1774770686-add-account-center-custom-css.js +16 -0
  11. package/alterations-js/1.39.0-1776502301-add-sign-up-profile-fields.js +16 -0
  12. package/alterations-js/1.40.0-1776516232-add-account-center-profile-fields.js +16 -0
  13. package/alterations-js/1.40.0-1778318116-add-custom-ui-csp-to-sie.js +16 -0
  14. package/alterations-js/1.40.0-1778500000-add-organization-user-relations-user-id-index.js +37 -0
  15. package/alterations-js/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.js +39 -0
  16. package/alterations-js/1.40.0-1779421396-add-application-access-control-schema.js +82 -0
  17. package/lib/consts/application.d.ts +1 -0
  18. package/lib/consts/application.js +1 -0
  19. package/lib/consts/index.d.ts +1 -0
  20. package/lib/consts/index.js +1 -0
  21. package/lib/db-entries/account-center.d.ts +14 -2
  22. package/lib/db-entries/account-center.js +13 -1
  23. package/lib/db-entries/application-access-control-org-role-relation.d.ts +22 -0
  24. package/lib/db-entries/application-access-control-org-role-relation.js +33 -0
  25. package/lib/db-entries/application-access-control-organization-relation.d.ts +20 -0
  26. package/lib/db-entries/application-access-control-organization-relation.js +29 -0
  27. package/lib/db-entries/application-access-control-user-relation.d.ts +20 -0
  28. package/lib/db-entries/application-access-control-user-relation.js +29 -0
  29. package/lib/db-entries/application-access-control-user-role-relation.d.ts +20 -0
  30. package/lib/db-entries/application-access-control-user-role-relation.js +29 -0
  31. package/lib/db-entries/application.d.ts +3 -1
  32. package/lib/db-entries/application.js +4 -0
  33. package/lib/db-entries/index.d.ts +4 -0
  34. package/lib/db-entries/index.js +4 -0
  35. package/lib/db-entries/sign-in-experience.d.ts +8 -2
  36. package/lib/db-entries/sign-in-experience.js +9 -1
  37. package/lib/foundations/jsonb-types/account-centers.d.ts +27 -0
  38. package/lib/foundations/jsonb-types/account-centers.js +12 -0
  39. package/lib/foundations/jsonb-types/applications.d.ts +3 -0
  40. package/lib/foundations/jsonb-types/applications.js +4 -0
  41. package/lib/foundations/jsonb-types/applications.test.d.ts +1 -0
  42. package/lib/foundations/jsonb-types/applications.test.js +23 -0
  43. package/lib/foundations/jsonb-types/sign-in-experience.d.ts +27 -1
  44. package/lib/foundations/jsonb-types/sign-in-experience.js +5 -0
  45. package/lib/foundations/jsonb-types/sign-in-experience.test.d.ts +1 -0
  46. package/lib/foundations/jsonb-types/sign-in-experience.test.js +18 -0
  47. package/lib/seeds/application.js +2 -0
  48. package/lib/seeds/sign-in-experience.d.ts +13 -1
  49. package/lib/seeds/sign-in-experience.js +10 -1
  50. package/lib/seeds/sign-in-experience.test.d.ts +1 -0
  51. package/lib/seeds/sign-in-experience.test.js +27 -0
  52. package/lib/types/alteration.d.ts +5 -0
  53. package/lib/types/application.d.ts +101 -2
  54. package/lib/types/application.js +55 -0
  55. package/lib/types/application.test.d.ts +1 -0
  56. package/lib/types/application.test.js +120 -0
  57. package/lib/types/consent.d.ts +6 -0
  58. package/lib/types/custom-profile-fields.d.ts +7 -13
  59. package/lib/types/custom-profile-fields.js +6 -13
  60. package/lib/types/logto-config/index.d.ts +93 -2
  61. package/lib/types/logto-config/index.js +22 -4
  62. package/lib/types/logto-config/index.test.d.ts +1 -0
  63. package/lib/types/logto-config/index.test.js +29 -0
  64. package/lib/types/logto-config/jwt-customizer.d.ts +74 -0
  65. package/lib/types/logto-config/jwt-customizer.js +1 -0
  66. package/lib/types/logto-config/jwt-customizer.test.js +14 -2
  67. package/lib/types/onboarding.d.ts +93 -1
  68. package/lib/types/onboarding.js +22 -1
  69. package/lib/types/saml-application.d.ts +3 -0
  70. package/lib/types/sign-in-experience.d.ts +23 -2
  71. package/lib/types/sign-in-experience.js +1 -0
  72. package/lib/types/system.d.ts +46 -7
  73. package/lib/types/system.js +9 -0
  74. package/lib/types/user-assets.d.ts +1 -1
  75. package/lib/types/user-logto-config.d.ts +11 -0
  76. package/lib/types/user-logto-config.js +6 -0
  77. package/lib/types/user-sessions.d.ts +2516 -0
  78. package/lib/types/user-sessions.js +21 -0
  79. package/lib/utils/index.d.ts +1 -0
  80. package/lib/utils/index.js +1 -0
  81. package/lib/utils/oidc-private-key.d.ts +88 -0
  82. package/lib/utils/oidc-private-key.js +163 -0
  83. package/lib/utils/oidc-private-key.test.d.ts +1 -0
  84. package/lib/utils/oidc-private-key.test.js +128 -0
  85. package/package.json +6 -6
  86. package/tables/account_centers.sql +6 -0
  87. package/tables/application_access_control_org_role_relations.sql +16 -0
  88. package/tables/application_access_control_organization_relations.sql +12 -0
  89. package/tables/application_access_control_user_relations.sql +12 -0
  90. package/tables/application_access_control_user_role_relations.sql +14 -0
  91. package/tables/applications.sql +1 -0
  92. package/tables/organization_role_user_relations.sql +3 -0
  93. package/tables/organization_user_relations.sql +3 -0
  94. package/tables/sign_in_experiences.sql +3 -0
@@ -41,6 +41,29 @@ export declare const oidcConfigKeyGuard: z.ZodObject<{
41
41
  createdAt: number;
42
42
  }>;
43
43
  export type OidcConfigKey = z.infer<typeof oidcConfigKeyGuard>;
44
+ export declare enum OidcSigningKeyStatus {
45
+ Next = "Next",
46
+ Current = "Current",
47
+ Previous = "Previous"
48
+ }
49
+ export declare const oidcPrivateKeyGuard: z.ZodObject<{
50
+ id: z.ZodString;
51
+ value: z.ZodString;
52
+ createdAt: z.ZodNumber;
53
+ } & {
54
+ status: z.ZodOptional<z.ZodNativeEnum<typeof OidcSigningKeyStatus>>;
55
+ }, "strip", z.ZodTypeAny, {
56
+ value: string;
57
+ id: string;
58
+ createdAt: number;
59
+ status?: OidcSigningKeyStatus | undefined;
60
+ }, {
61
+ value: string;
62
+ id: string;
63
+ createdAt: number;
64
+ status?: OidcSigningKeyStatus | undefined;
65
+ }>;
66
+ export type OidcPrivateKey = z.infer<typeof oidcPrivateKeyGuard>;
44
67
  export declare const oidcSessionConfigGuard: z.ZodObject<{
45
68
  ttl: z.ZodOptional<z.ZodNumber>;
46
69
  }, "strip", z.ZodTypeAny, {
@@ -50,7 +73,7 @@ export declare const oidcSessionConfigGuard: z.ZodObject<{
50
73
  }>;
51
74
  export type OidcSessionConfig = z.infer<typeof oidcSessionConfigGuard>;
52
75
  export type LogtoOidcConfigType = {
53
- [LogtoOidcConfigKey.PrivateKeys]: OidcConfigKey[];
76
+ [LogtoOidcConfigKey.PrivateKeys]: OidcPrivateKey[];
54
77
  [LogtoOidcConfigKey.CookieKeys]: OidcConfigKey[];
55
78
  [LogtoOidcConfigKey.Session]: OidcSessionConfig;
56
79
  };
@@ -73,6 +96,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
73
96
  value: z.ZodObject<{
74
97
  script: z.ZodString;
75
98
  environmentVariables: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
99
+ blockIssuanceOnError: z.ZodOptional<z.ZodBoolean>;
76
100
  } & {
77
101
  tokenSample: z.ZodOptional<z.ZodObject<{
78
102
  accountId: z.ZodOptional<z.ZodString>;
@@ -1246,6 +1270,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1246
1270
  pageRules: {
1247
1271
  path: string;
1248
1272
  }[];
1273
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1249
1274
  customDomains?: {
1250
1275
  status: import("../../index.js").DomainStatus;
1251
1276
  domain: string;
@@ -1274,6 +1299,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1274
1299
  pageRules: {
1275
1300
  path: string;
1276
1301
  }[];
1302
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1277
1303
  customDomains?: {
1278
1304
  status: import("../../index.js").DomainStatus;
1279
1305
  domain: string;
@@ -1297,6 +1323,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1297
1323
  }[] | undefined;
1298
1324
  } | null>>;
1299
1325
  isThirdParty: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
1326
+ appLevelAccessControlEnabled: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
1300
1327
  }, "strip", z.ZodTypeAny, {
1301
1328
  type?: import("../../index.js").ApplicationType | undefined;
1302
1329
  name?: string | undefined;
@@ -1325,6 +1352,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1325
1352
  pageRules: {
1326
1353
  path: string;
1327
1354
  }[];
1355
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1328
1356
  customDomains?: {
1329
1357
  status: import("../../index.js").DomainStatus;
1330
1358
  domain: string;
@@ -1348,6 +1376,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1348
1376
  }[] | undefined;
1349
1377
  } | null | undefined;
1350
1378
  isThirdParty?: boolean | undefined;
1379
+ appLevelAccessControlEnabled?: boolean | undefined;
1351
1380
  }, {
1352
1381
  type?: import("../../index.js").ApplicationType | undefined;
1353
1382
  name?: string | undefined;
@@ -1376,6 +1405,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1376
1405
  pageRules: {
1377
1406
  path: string;
1378
1407
  }[];
1408
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1379
1409
  customDomains?: {
1380
1410
  status: import("../../index.js").DomainStatus;
1381
1411
  domain: string;
@@ -1399,6 +1429,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1399
1429
  }[] | undefined;
1400
1430
  } | null | undefined;
1401
1431
  isThirdParty?: boolean | undefined;
1432
+ appLevelAccessControlEnabled?: boolean | undefined;
1402
1433
  }>>;
1403
1434
  }, "strip", z.ZodTypeAny, {
1404
1435
  user: {
@@ -1497,6 +1528,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1497
1528
  pageRules: {
1498
1529
  path: string;
1499
1530
  }[];
1531
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1500
1532
  customDomains?: {
1501
1533
  status: import("../../index.js").DomainStatus;
1502
1534
  domain: string;
@@ -1520,6 +1552,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1520
1552
  }[] | undefined;
1521
1553
  } | null | undefined;
1522
1554
  isThirdParty?: boolean | undefined;
1555
+ appLevelAccessControlEnabled?: boolean | undefined;
1523
1556
  } | undefined;
1524
1557
  grant?: {
1525
1558
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -1737,6 +1770,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1737
1770
  pageRules: {
1738
1771
  path: string;
1739
1772
  }[];
1773
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1740
1774
  customDomains?: {
1741
1775
  status: import("../../index.js").DomainStatus;
1742
1776
  domain: string;
@@ -1760,6 +1794,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1760
1794
  }[] | undefined;
1761
1795
  } | null | undefined;
1762
1796
  isThirdParty?: boolean | undefined;
1797
+ appLevelAccessControlEnabled?: boolean | undefined;
1763
1798
  } | undefined;
1764
1799
  grant?: {
1765
1800
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -1981,6 +2016,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1981
2016
  pageRules: {
1982
2017
  path: string;
1983
2018
  }[];
2019
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1984
2020
  customDomains?: {
1985
2021
  status: import("../../index.js").DomainStatus;
1986
2022
  domain: string;
@@ -2004,6 +2040,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2004
2040
  }[] | undefined;
2005
2041
  } | null | undefined;
2006
2042
  isThirdParty?: boolean | undefined;
2043
+ appLevelAccessControlEnabled?: boolean | undefined;
2007
2044
  } | undefined;
2008
2045
  grant?: {
2009
2046
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2125,6 +2162,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2125
2162
  signInContext?: Record<string, string> | undefined;
2126
2163
  } | undefined;
2127
2164
  } | undefined;
2165
+ blockIssuanceOnError?: boolean | undefined;
2128
2166
  tokenSample?: {
2129
2167
  grantId?: string | undefined;
2130
2168
  sid?: string | undefined;
@@ -2238,6 +2276,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2238
2276
  pageRules: {
2239
2277
  path: string;
2240
2278
  }[];
2279
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2241
2280
  customDomains?: {
2242
2281
  status: import("../../index.js").DomainStatus;
2243
2282
  domain: string;
@@ -2261,6 +2300,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2261
2300
  }[] | undefined;
2262
2301
  } | null | undefined;
2263
2302
  isThirdParty?: boolean | undefined;
2303
+ appLevelAccessControlEnabled?: boolean | undefined;
2264
2304
  } | undefined;
2265
2305
  grant?: {
2266
2306
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2382,6 +2422,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2382
2422
  signInContext?: Record<string, string> | undefined;
2383
2423
  } | undefined;
2384
2424
  } | undefined;
2425
+ blockIssuanceOnError?: boolean | undefined;
2385
2426
  tokenSample?: {
2386
2427
  grantId?: string | undefined;
2387
2428
  sid?: string | undefined;
@@ -2497,6 +2538,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2497
2538
  pageRules: {
2498
2539
  path: string;
2499
2540
  }[];
2541
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2500
2542
  customDomains?: {
2501
2543
  status: import("../../index.js").DomainStatus;
2502
2544
  domain: string;
@@ -2520,6 +2562,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2520
2562
  }[] | undefined;
2521
2563
  } | null | undefined;
2522
2564
  isThirdParty?: boolean | undefined;
2565
+ appLevelAccessControlEnabled?: boolean | undefined;
2523
2566
  } | undefined;
2524
2567
  grant?: {
2525
2568
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2641,6 +2684,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2641
2684
  signInContext?: Record<string, string> | undefined;
2642
2685
  } | undefined;
2643
2686
  } | undefined;
2687
+ blockIssuanceOnError?: boolean | undefined;
2644
2688
  tokenSample?: {
2645
2689
  grantId?: string | undefined;
2646
2690
  sid?: string | undefined;
@@ -2757,6 +2801,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2757
2801
  pageRules: {
2758
2802
  path: string;
2759
2803
  }[];
2804
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2760
2805
  customDomains?: {
2761
2806
  status: import("../../index.js").DomainStatus;
2762
2807
  domain: string;
@@ -2780,6 +2825,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2780
2825
  }[] | undefined;
2781
2826
  } | null | undefined;
2782
2827
  isThirdParty?: boolean | undefined;
2828
+ appLevelAccessControlEnabled?: boolean | undefined;
2783
2829
  } | undefined;
2784
2830
  grant?: {
2785
2831
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2901,6 +2947,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2901
2947
  signInContext?: Record<string, string> | undefined;
2902
2948
  } | undefined;
2903
2949
  } | undefined;
2950
+ blockIssuanceOnError?: boolean | undefined;
2904
2951
  tokenSample?: {
2905
2952
  grantId?: string | undefined;
2906
2953
  sid?: string | undefined;
@@ -2921,6 +2968,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2921
2968
  value: z.ZodObject<{
2922
2969
  script: z.ZodString;
2923
2970
  environmentVariables: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
2971
+ blockIssuanceOnError: z.ZodOptional<z.ZodBoolean>;
2924
2972
  } & {
2925
2973
  tokenSample: z.ZodOptional<z.ZodObject<{
2926
2974
  kind: z.ZodOptional<z.ZodLiteral<"ClientCredentials">>;
@@ -2981,6 +3029,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2981
3029
  pageRules: {
2982
3030
  path: string;
2983
3031
  }[];
3032
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2984
3033
  customDomains?: {
2985
3034
  status: import("../../index.js").DomainStatus;
2986
3035
  domain: string;
@@ -3009,6 +3058,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3009
3058
  pageRules: {
3010
3059
  path: string;
3011
3060
  }[];
3061
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3012
3062
  customDomains?: {
3013
3063
  status: import("../../index.js").DomainStatus;
3014
3064
  domain: string;
@@ -3032,6 +3082,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3032
3082
  }[] | undefined;
3033
3083
  } | null>>;
3034
3084
  isThirdParty: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
3085
+ appLevelAccessControlEnabled: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
3035
3086
  }, "strip", z.ZodTypeAny, {
3036
3087
  type?: import("../../index.js").ApplicationType | undefined;
3037
3088
  name?: string | undefined;
@@ -3060,6 +3111,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3060
3111
  pageRules: {
3061
3112
  path: string;
3062
3113
  }[];
3114
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3063
3115
  customDomains?: {
3064
3116
  status: import("../../index.js").DomainStatus;
3065
3117
  domain: string;
@@ -3083,6 +3135,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3083
3135
  }[] | undefined;
3084
3136
  } | null | undefined;
3085
3137
  isThirdParty?: boolean | undefined;
3138
+ appLevelAccessControlEnabled?: boolean | undefined;
3086
3139
  }, {
3087
3140
  type?: import("../../index.js").ApplicationType | undefined;
3088
3141
  name?: string | undefined;
@@ -3111,6 +3164,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3111
3164
  pageRules: {
3112
3165
  path: string;
3113
3166
  }[];
3167
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3114
3168
  customDomains?: {
3115
3169
  status: import("../../index.js").DomainStatus;
3116
3170
  domain: string;
@@ -3134,6 +3188,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3134
3188
  }[] | undefined;
3135
3189
  } | null | undefined;
3136
3190
  isThirdParty?: boolean | undefined;
3191
+ appLevelAccessControlEnabled?: boolean | undefined;
3137
3192
  }>>;
3138
3193
  }, "strip", z.ZodTypeAny, {
3139
3194
  application?: {
@@ -3164,6 +3219,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3164
3219
  pageRules: {
3165
3220
  path: string;
3166
3221
  }[];
3222
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3167
3223
  customDomains?: {
3168
3224
  status: import("../../index.js").DomainStatus;
3169
3225
  domain: string;
@@ -3187,6 +3243,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3187
3243
  }[] | undefined;
3188
3244
  } | null | undefined;
3189
3245
  isThirdParty?: boolean | undefined;
3246
+ appLevelAccessControlEnabled?: boolean | undefined;
3190
3247
  } | undefined;
3191
3248
  }, {
3192
3249
  application?: {
@@ -3217,6 +3274,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3217
3274
  pageRules: {
3218
3275
  path: string;
3219
3276
  }[];
3277
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3220
3278
  customDomains?: {
3221
3279
  status: import("../../index.js").DomainStatus;
3222
3280
  domain: string;
@@ -3240,6 +3298,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3240
3298
  }[] | undefined;
3241
3299
  } | null | undefined;
3242
3300
  isThirdParty?: boolean | undefined;
3301
+ appLevelAccessControlEnabled?: boolean | undefined;
3243
3302
  } | undefined;
3244
3303
  }>>;
3245
3304
  }, "strict", z.ZodTypeAny, {
@@ -3274,6 +3333,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3274
3333
  pageRules: {
3275
3334
  path: string;
3276
3335
  }[];
3336
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3277
3337
  customDomains?: {
3278
3338
  status: import("../../index.js").DomainStatus;
3279
3339
  domain: string;
@@ -3297,8 +3357,10 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3297
3357
  }[] | undefined;
3298
3358
  } | null | undefined;
3299
3359
  isThirdParty?: boolean | undefined;
3360
+ appLevelAccessControlEnabled?: boolean | undefined;
3300
3361
  } | undefined;
3301
3362
  } | undefined;
3363
+ blockIssuanceOnError?: boolean | undefined;
3302
3364
  tokenSample?: {
3303
3365
  jti?: string | undefined;
3304
3366
  kind?: "ClientCredentials" | undefined;
@@ -3338,6 +3400,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3338
3400
  pageRules: {
3339
3401
  path: string;
3340
3402
  }[];
3403
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3341
3404
  customDomains?: {
3342
3405
  status: import("../../index.js").DomainStatus;
3343
3406
  domain: string;
@@ -3361,8 +3424,10 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3361
3424
  }[] | undefined;
3362
3425
  } | null | undefined;
3363
3426
  isThirdParty?: boolean | undefined;
3427
+ appLevelAccessControlEnabled?: boolean | undefined;
3364
3428
  } | undefined;
3365
3429
  } | undefined;
3430
+ blockIssuanceOnError?: boolean | undefined;
3366
3431
  tokenSample?: {
3367
3432
  jti?: string | undefined;
3368
3433
  kind?: "ClientCredentials" | undefined;
@@ -3404,6 +3469,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3404
3469
  pageRules: {
3405
3470
  path: string;
3406
3471
  }[];
3472
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3407
3473
  customDomains?: {
3408
3474
  status: import("../../index.js").DomainStatus;
3409
3475
  domain: string;
@@ -3427,8 +3493,10 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3427
3493
  }[] | undefined;
3428
3494
  } | null | undefined;
3429
3495
  isThirdParty?: boolean | undefined;
3496
+ appLevelAccessControlEnabled?: boolean | undefined;
3430
3497
  } | undefined;
3431
3498
  } | undefined;
3499
+ blockIssuanceOnError?: boolean | undefined;
3432
3500
  tokenSample?: {
3433
3501
  jti?: string | undefined;
3434
3502
  kind?: "ClientCredentials" | undefined;
@@ -3471,6 +3539,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3471
3539
  pageRules: {
3472
3540
  path: string;
3473
3541
  }[];
3542
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3474
3543
  customDomains?: {
3475
3544
  status: import("../../index.js").DomainStatus;
3476
3545
  domain: string;
@@ -3494,8 +3563,10 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3494
3563
  }[] | undefined;
3495
3564
  } | null | undefined;
3496
3565
  isThirdParty?: boolean | undefined;
3566
+ appLevelAccessControlEnabled?: boolean | undefined;
3497
3567
  } | undefined;
3498
3568
  } | undefined;
3569
+ blockIssuanceOnError?: boolean | undefined;
3499
3570
  tokenSample?: {
3500
3571
  jti?: string | undefined;
3501
3572
  kind?: "ClientCredentials" | undefined;
@@ -3597,13 +3668,26 @@ export declare const idTokenConfigGuard: z.ZodObject<{
3597
3668
  enabledExtendedClaims?: ("custom_data" | "identities" | "sso_identities" | "roles" | "organizations" | "organization_data" | "organization_roles")[] | undefined;
3598
3669
  }>;
3599
3670
  export type IdTokenConfig = z.infer<typeof idTokenConfigGuard>;
3671
+ export declare const signingKeyRotationStateGuard: z.ZodObject<{
3672
+ tenantCacheExpiresAt: z.ZodOptional<z.ZodNumber>;
3673
+ signingKeyRotationAt: z.ZodOptional<z.ZodNumber>;
3674
+ }, "strip", z.ZodTypeAny, {
3675
+ tenantCacheExpiresAt?: number | undefined;
3676
+ signingKeyRotationAt?: number | undefined;
3677
+ }, {
3678
+ tenantCacheExpiresAt?: number | undefined;
3679
+ signingKeyRotationAt?: number | undefined;
3680
+ }>;
3681
+ export type SigningKeyRotationState = z.infer<typeof signingKeyRotationStateGuard>;
3600
3682
  export declare enum LogtoTenantConfigKey {
3601
3683
  AdminConsole = "adminConsole",
3602
3684
  CloudConnection = "cloudConnection",
3603
3685
  /** The URL to redirect when session not found in Sign-in Experience. */
3604
3686
  SessionNotFoundRedirectUrl = "sessionNotFoundRedirectUrl",
3605
3687
  /** ID token configuration for extended claims. */
3606
- IdToken = "idToken"
3688
+ IdToken = "idToken",
3689
+ /** Tenant-scoped rotation state for staged private signing key activation. */
3690
+ SigningKeyRotationState = "signingKeyRotationState"
3607
3691
  }
3608
3692
  export type LogtoTenantConfigType = {
3609
3693
  [LogtoTenantConfigKey.AdminConsole]: AdminConsoleData;
@@ -3612,6 +3696,7 @@ export type LogtoTenantConfigType = {
3612
3696
  url: string;
3613
3697
  };
3614
3698
  [LogtoTenantConfigKey.IdToken]: IdTokenConfig;
3699
+ [LogtoTenantConfigKey.SigningKeyRotationState]: SigningKeyRotationState;
3615
3700
  };
3616
3701
  export declare const logtoTenantConfigGuard: Readonly<{
3617
3702
  [key in LogtoTenantConfigKey]: ZodType<LogtoTenantConfigType[key]>;
@@ -3627,13 +3712,19 @@ export declare const oidcConfigKeysResponseGuard: z.ZodObject<Omit<{
3627
3712
  createdAt: z.ZodNumber;
3628
3713
  }, "value"> & {
3629
3714
  signingKeyAlgorithm: z.ZodOptional<z.ZodNativeEnum<typeof SupportedSigningKeyAlgorithm>>;
3715
+ status: z.ZodOptional<z.ZodNativeEnum<typeof OidcSigningKeyStatus>>;
3716
+ effectiveAt: z.ZodOptional<z.ZodNumber>;
3630
3717
  }, "strip", z.ZodTypeAny, {
3631
3718
  id: string;
3632
3719
  createdAt: number;
3720
+ status?: OidcSigningKeyStatus | undefined;
3633
3721
  signingKeyAlgorithm?: SupportedSigningKeyAlgorithm | undefined;
3722
+ effectiveAt?: number | undefined;
3634
3723
  }, {
3635
3724
  id: string;
3636
3725
  createdAt: number;
3726
+ status?: OidcSigningKeyStatus | undefined;
3637
3727
  signingKeyAlgorithm?: SupportedSigningKeyAlgorithm | undefined;
3728
+ effectiveAt?: number | undefined;
3638
3729
  }>;
3639
3730
  export type OidcConfigKeysResponse = z.infer<typeof oidcConfigKeysResponseGuard>;
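Review bot: The new `OidcSigningKeyStatus` enum and the optional `status` on `oidcPrivateKeyGuard` (first hunk, new lines 44–66) carry no doc comments, so the declaration does not say how a private-key entry without `status` is treated. That matters because `LogtoOidcConfigKey.PrivateKeys` is now typed `OidcPrivateKey[]`, and entries stored before this release presumably lack the field. I would add a comment on the field, e.g. `/** Rotation stage of this signing key; absent on entries stored before staged rotation: <state how such entries are treated>. */`, plus one line per enum member, matching the commented `LogtoTenantConfigKey` members. The same gap applies to `blockIssuanceOnError` in `jwtCustomizerConfigsGuard`, where the type leaves open whether a customizer error blocks or allows token issuance when the flag is omitted, and to `effectiveAt`, `signingKeyRotationAt` and `tenantCacheExpiresAt`, whose time unit is not stated. This section looks like emitted declarations, so the comments belong in the TypeScript source it is built from.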
@@ -33,11 +33,20 @@ export const oidcConfigKeyGuard = z.object({
33
33
  value: z.string(),
34
34
  createdAt: z.number(),
35
35
  });
36
+ export var OidcSigningKeyStatus;
37
+ (function (OidcSigningKeyStatus) {
38
+ OidcSigningKeyStatus["Next"] = "Next";
39
+ OidcSigningKeyStatus["Current"] = "Current";
40
+ OidcSigningKeyStatus["Previous"] = "Previous";
41
+ })(OidcSigningKeyStatus || (OidcSigningKeyStatus = {}));
42
+ export const oidcPrivateKeyGuard = oidcConfigKeyGuard.extend({
43
+ status: z.nativeEnum(OidcSigningKeyStatus).optional(),
44
+ });
36
45
  export const oidcSessionConfigGuard = z.object({
37
46
  ttl: z.number().int().min(1).max(31_536_000).optional(),
38
47
  });
39
48
  export const logtoOidcConfigGuard = Object.freeze({
40
- [LogtoOidcConfigKey.PrivateKeys]: oidcConfigKeyGuard.array(),
49
+ [LogtoOidcConfigKey.PrivateKeys]: oidcPrivateKeyGuard.array(),
41
50
  [LogtoOidcConfigKey.CookieKeys]: oidcConfigKeyGuard.array(),
42
51
  // Session config is optional, if not set, it will fallback to default value in core.
43
52
  [LogtoOidcConfigKey.Session]: oidcSessionConfigGuard.nullish().transform((data) => data ?? {}),
@@ -96,6 +105,10 @@ export const extendedIdTokenClaimsGuard = z.enum(extendedIdTokenClaims);
96
105
  export const idTokenConfigGuard = z.object({
97
106
  enabledExtendedClaims: extendedIdTokenClaimsGuard.array().optional(),
98
107
  });
108
+ export const signingKeyRotationStateGuard = z.object({
109
+ tenantCacheExpiresAt: z.number().optional(),
110
+ signingKeyRotationAt: z.number().optional(),
111
+ });
99
112
  export var LogtoTenantConfigKey;
100
113
  (function (LogtoTenantConfigKey) {
101
114
  LogtoTenantConfigKey["AdminConsole"] = "adminConsole";
@@ -104,12 +117,15 @@ export var LogtoTenantConfigKey;
104
117
  LogtoTenantConfigKey["SessionNotFoundRedirectUrl"] = "sessionNotFoundRedirectUrl";
105
118
  /** ID token configuration for extended claims. */
106
119
  LogtoTenantConfigKey["IdToken"] = "idToken";
120
+ /** Tenant-scoped rotation state for staged private signing key activation. */
121
+ LogtoTenantConfigKey["SigningKeyRotationState"] = "signingKeyRotationState";
107
122
  })(LogtoTenantConfigKey || (LogtoTenantConfigKey = {}));
108
123
  export const logtoTenantConfigGuard = Object.freeze({
109
124
  [LogtoTenantConfigKey.AdminConsole]: adminConsoleDataGuard,
110
125
  [LogtoTenantConfigKey.CloudConnection]: cloudConnectionDataGuard,
111
126
  [LogtoTenantConfigKey.SessionNotFoundRedirectUrl]: z.object({ url: z.string() }),
112
127
  [LogtoTenantConfigKey.IdToken]: idTokenConfigGuard,
128
+ [LogtoTenantConfigKey.SigningKeyRotationState]: signingKeyRotationStateGuard,
113
129
  });
114
130
  export const logtoConfigKeys = Object.freeze([
115
131
  ...Object.values(LogtoOidcConfigKey),
@@ -121,6 +137,8 @@ export const logtoConfigGuards = Object.freeze({
121
137
  ...jwtCustomizerConfigGuard,
122
138
  ...logtoTenantConfigGuard,
123
139
  });
124
- export const oidcConfigKeysResponseGuard = oidcConfigKeyGuard
125
- .omit({ value: true })
126
- .merge(z.object({ signingKeyAlgorithm: z.nativeEnum(SupportedSigningKeyAlgorithm).optional() }));
140
+ export const oidcConfigKeysResponseGuard = oidcConfigKeyGuard.omit({ value: true }).merge(z.object({
141
+ signingKeyAlgorithm: z.nativeEnum(SupportedSigningKeyAlgorithm).optional(),
142
+ status: z.nativeEnum(OidcSigningKeyStatus).optional(),
143
+ effectiveAt: z.number().optional(),
144
+ }));
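Review bot: The timestamp fields added here are validated only as `z.number().optional()`: `tenantCacheExpiresAt` and `signingKeyRotationAt` in `signingKeyRotationStateGuard`, and `effectiveAt` in `oidcConfigKeysResponseGuard`. Negative or fractional values therefore pass, while `oidcSessionConfigGuard.ttl` in the same file is bounded with `.int().min(1).max(…)`. These values appear to decide when a staged signing key becomes active, so a malformed stored value could presumably shift that moment; how core consumes them is not visible in this diff. Consider `signingKeyRotationAt: z.number().int().min(0).optional(),` and the same for the other two fields, after confirming that no existing rows hold non-integer values. A comment stating the unit would also help, since the test values only suggest epoch milliseconds.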
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,29 @@
1
+ import { describe, expect, it } from 'vitest';
2
+ import { LogtoOidcConfigKey, LogtoTenantConfigKey, OidcSigningKeyStatus, logtoOidcConfigGuard, logtoTenantConfigGuard, oidcConfigKeysResponseGuard, } from './index.js';
3
+ describe('logto config guards', () => {
4
+ it('accepts legacy private keys without status', () => {
5
+ const privateKeys = [
6
+ {
7
+ id: 'key_1',
8
+ value: 'private-key-1',
9
+ createdAt: 1_710_000_000_000,
10
+ },
11
+ ];
12
+ const result = logtoOidcConfigGuard[LogtoOidcConfigKey.PrivateKeys].safeParse(privateKeys);
13
+ expect(result.success).toBe(true);
14
+ });
15
+ it('accepts signing key status in OIDC key responses', () => {
16
+ const result = oidcConfigKeysResponseGuard.safeParse({
17
+ id: 'key_1',
18
+ createdAt: 1_710_000_000_000,
19
+ status: OidcSigningKeyStatus.Current,
20
+ });
21
+ expect(result.success).toBe(true);
22
+ });
23
+ it('accepts partial signing key rotation state', () => {
24
+ const result = logtoTenantConfigGuard[LogtoTenantConfigKey.SigningKeyRotationState].safeParse({
25
+ signingKeyRotationAt: 1_710_000_000_000,
26
+ });
27
+ expect(result.success).toBe(true);
28
+ });
29
+ });
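Review bot: All three cases assert only that well-formed input is accepted, so nothing here pins the properties that matter for key handling. `oidcConfigKeysResponseGuard` is built with `.omit({ value: true })` and its declaration shows `"strip"` mode, so a test should confirm that a `value` passed in does not survive into the parsed output. Otherwise a later refactor of the guard could start returning private key material in API responses without any test failing. A rejection case for a `status` outside `OidcSigningKeyStatus` would likewise pin the enum check.

```javascript
describe('logto config guards', () => {
  // … unchanged: the three acceptance cases …
  it('strips private key material from OIDC key responses', () => {
    const result = oidcConfigKeysResponseGuard.safeParse({
      id: 'key_1',
      value: 'private-key-1',
      createdAt: 1_710_000_000_000,
    });
    expect(result.success).toBe(true);
    expect(result.success && 'value' in result.data).toBe(false);
  });
  it('rejects an unknown signing key status', () => {
    const result = oidcConfigKeysResponseGuard.safeParse({
      id: 'key_1',
      createdAt: 1_710_000_000_000,
      status: 'Unknown',
    });
    expect(result.success).toBe(false);
  });
});
```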