@logto/schemas 1.39.0 → 1.40.0
- package/alterations/1.40.0-1776516232-add-account-center-profile-fields.ts +20 -0
- package/alterations/1.40.0-1778318116-add-custom-ui-csp-to-sie.ts +20 -0
- package/alterations/1.40.0-1778500000-add-organization-user-relations-user-id-index.ts +41 -0
- package/alterations/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.ts +43 -0
- package/alterations/1.40.0-1779421396-add-application-access-control-schema.ts +90 -0
- package/alterations-js/1.40.0-1776516232-add-account-center-profile-fields.js +16 -0
- package/alterations-js/1.40.0-1778318116-add-custom-ui-csp-to-sie.js +16 -0
- package/alterations-js/1.40.0-1778500000-add-organization-user-relations-user-id-index.js +37 -0
- package/alterations-js/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.js +39 -0
- package/alterations-js/1.40.0-1779421396-add-application-access-control-schema.js +82 -0
- package/lib/consts/application.d.ts +1 -0
- package/lib/consts/application.js +1 -0
- package/lib/consts/index.d.ts +1 -0
- package/lib/consts/index.js +1 -0
- package/lib/db-entries/account-center.d.ts +6 -2
- package/lib/db-entries/account-center.js +5 -1
- package/lib/db-entries/application-access-control-org-role-relation.d.ts +22 -0
- package/lib/db-entries/application-access-control-org-role-relation.js +33 -0
- package/lib/db-entries/application-access-control-organization-relation.d.ts +20 -0
- package/lib/db-entries/application-access-control-organization-relation.js +29 -0
- package/lib/db-entries/application-access-control-user-relation.d.ts +20 -0
- package/lib/db-entries/application-access-control-user-relation.js +29 -0
- package/lib/db-entries/application-access-control-user-role-relation.d.ts +20 -0
- package/lib/db-entries/application-access-control-user-role-relation.js +29 -0
- package/lib/db-entries/application.d.ts +3 -1
- package/lib/db-entries/application.js +4 -0
- package/lib/db-entries/index.d.ts +4 -0
- package/lib/db-entries/index.js +4 -0
- package/lib/db-entries/sign-in-experience.d.ts +4 -2
- package/lib/db-entries/sign-in-experience.js +5 -1
- package/lib/foundations/jsonb-types/account-centers.d.ts +26 -0
- package/lib/foundations/jsonb-types/account-centers.js +4 -0
- package/lib/foundations/jsonb-types/applications.d.ts +3 -0
- package/lib/foundations/jsonb-types/applications.js +4 -0
- package/lib/foundations/jsonb-types/applications.test.d.ts +1 -0
- package/lib/foundations/jsonb-types/applications.test.js +23 -0
- package/lib/foundations/jsonb-types/sign-in-experience.d.ts +1 -1
- package/lib/foundations/jsonb-types/sign-in-experience.js +1 -0
- package/lib/foundations/jsonb-types/sign-in-experience.test.d.ts +1 -0
- package/lib/foundations/jsonb-types/sign-in-experience.test.js +18 -0
- package/lib/seeds/application.js +2 -0
- package/lib/seeds/sign-in-experience.d.ts +13 -1
- package/lib/seeds/sign-in-experience.js +10 -1
- package/lib/seeds/sign-in-experience.test.d.ts +1 -0
- package/lib/seeds/sign-in-experience.test.js +27 -0
- package/lib/types/application.d.ts +99 -0
- package/lib/types/application.js +55 -0
- package/lib/types/application.test.d.ts +1 -0
- package/lib/types/application.test.js +120 -0
- package/lib/types/consent.d.ts +6 -0
- package/lib/types/logto-config/index.d.ts +38 -0
- package/lib/types/logto-config/jwt-customizer.d.ts +65 -0
- package/lib/types/saml-application.d.ts +3 -0
- package/lib/types/sign-in-experience.d.ts +14 -0
- package/lib/types/sign-in-experience.js +1 -0
- package/lib/types/system.d.ts +46 -7
- package/lib/types/system.js +9 -0
- package/lib/types/user-assets.d.ts +1 -1
- package/lib/types/user-sessions.d.ts +2516 -0
- package/lib/types/user-sessions.js +21 -0
- package/package.json +4 -4
- package/tables/account_centers.sql +2 -0
- package/tables/application_access_control_org_role_relations.sql +16 -0
- package/tables/application_access_control_organization_relations.sql +12 -0
- package/tables/application_access_control_user_relations.sql +12 -0
- package/tables/application_access_control_user_role_relations.sql +14 -0
- package/tables/applications.sql +1 -0
- package/tables/organization_role_user_relations.sql +3 -0
- package/tables/organization_user_relations.sql +3 -0
- package/tables/sign_in_experiences.sql +1 -0
|
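--- /dev/null
+++ b/package/alterations/1.40.0-1776516232-add-account-center-profile-fields.ts
@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        add column profile_fields jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table account_centers
+        drop column profile_fields;
+    `);
+  },
+};
+
+export default alteration;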
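Review bot: `profile_fields` is added as a nullable jsonb with no default, while the sibling `custom_ui_csp` alteration in this same release uses `not null default '{}'::jsonb`, and nothing in the migration says what a null row means. The generated guard marks the field `.nullable()`, so null looks intentional; document that on the column so the two jsonb columns do not read as an accident, e.g. `-- null: no custom profile fields configured; the prebuilt account center falls back to its defaults` (hedged until the consumer confirms the fallback). The array shape is enforced only by `accountCenterProfileFieldsGuard` at the API layer, so any direct write to this column bypasses that validation; worth a one-line note here as well.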
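--- /dev/null
+++ b/package/alterations/1.40.0-1778318116-add-custom-ui-csp-to-sie.ts
@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column custom_ui_csp jsonb not null default '{}'::jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column custom_ui_csp;
+    `);
+  },
+};
+
+export default alteration;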
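Review bot: `custom_ui_csp` stores an operator-supplied Content-Security-Policy fragment for the custom sign-in UI, and nothing at this layer bounds what it may contain; a value that introduces `'unsafe-inline'` or a wildcard `script-src` relaxes the XSS defence on the authentication page itself. The migration cannot enforce that, but it should record where the enforcement lives and what the default means, e.g. `-- directive -> source-list overrides applied to the sign-in page CSP; '{}' means no override. Allowed directives and sources are validated by the sign-in-experience jsonb guard, not by the database.` I am inferring the override semantics from the column name and the `'{}'` default; confirm against `foundations/jsonb-types/sign-in-experience` before wording the comment that way.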
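--- /dev/null
+++ b/package/alterations/1.40.0-1778500000-add-organization-user-relations-user-id-index.ts
@@ -0,0 +1,41 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    /**
+     * Secondary index for `user_id` lookups; the PK `(tenant_id, organization_id, user_id)`
+     * cannot serve queries that filter by `tenant_id` and `user_id` alone.
+     *
+     * Built `concurrently` to avoid the write-blocking `SHARE` lock that a plain
+     * `create index` holds on the table for the duration of the build. The table is hot
+     * on every sign-in, so a multi-second lock on a large tenant translates directly
+     * into request stalls. `if not exists` keeps the migration idempotent if a later
+     * step in the transaction fails and the alteration needs to be re-run.
+     */
+    await pool.query(sql`
+      create index concurrently if not exists organization_user_relations__tenant_id_user_id
+        on organization_user_relations (tenant_id, user_id);
+    `);
+  },
+  up: async () => {
+    /**
+     * The index must be created outside of a transaction to avoid table locks.
+     * 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty.
+     */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently if exists organization_user_relations__tenant_id_user_id;
+    `);
+  },
+  down: async () => {
+    /**
+     * The index must be dropped outside of a transaction to avoid table locks.
+     * 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty.
+     */
+  },
+};
+
+export default alteration;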
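Review bot: The doc comment in `beforeUp` justifies `if not exists` with "a later step in the transaction fails", but `beforeUp` runs outside any transaction (the `up` comment says exactly that), and the failure mode that actually matters is the opposite one: a `create index concurrently` that is interrupted leaves an INVALID index behind, which the planner ignores and which `if not exists` will then skip silently on every re-run, so the sign-in path stays unindexed with no error. Check `pg_index.indisvalid` after the create and fail loudly so the operator drops it and re-runs, rather than shipping a dead index; the `rows` access below assumes slonik-style results from `pool.query`, verify against the pool type. The comment's last sentence should also be reworded to describe re-runs after an interrupted build rather than a transaction failure.

```typescript
  beforeUp: async (pool) => {
    // … unchanged: doc comment and `create index concurrently if not exists …` …
    // An interrupted `create index concurrently` leaves an INVALID index that the
    // planner ignores and that `if not exists` will never rebuild; refuse to continue.
    const { rows } = await pool.query(sql`
      select indisvalid from pg_index
      where indexrelid = 'organization_user_relations__tenant_id_user_id'::regclass;
    `);
    if (rows[0]?.indisvalid === false) {
      throw new Error(
        'Index organization_user_relations__tenant_id_user_id is invalid; drop it and re-run this alteration.'
      );
    }
  },
```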
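--- /dev/null
+++ b/package/alterations/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.ts
@@ -0,0 +1,43 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    /**
+     * Secondary index for `(organization_id, user_id)` lookups; the PK
+     * `(tenant_id, organization_id, organization_role_id, user_id)` cannot serve
+     * queries that skip `organization_role_id`.
+     *
+     * Built `concurrently` to avoid the write-blocking `SHARE` lock that a plain
+     * `create index` holds on the table for the duration of the build. The table is
+     * hot on every authorization decision through `getUserScopes`, so a multi-second
+     * lock on a large tenant translates directly into request stalls. `if not exists`
+     * keeps the migration idempotent if a later step in the transaction fails and the
+     * alteration needs to be re-run.
+     */
+    await pool.query(sql`
+      create index concurrently if not exists organization_role_user_relations__tenant_id_org_id_user_id
+        on organization_role_user_relations (tenant_id, organization_id, user_id);
+    `);
+  },
+  up: async () => {
+    /**
+     * The index must be created outside of a transaction to avoid table locks.
+     * 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty.
+     */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently if exists organization_role_user_relations__tenant_id_org_id_user_id;
+    `);
+  },
+  down: async () => {
+    /**
+     * The index must be dropped outside of a transaction to avoid table locks.
+     * 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty.
+     */
+  },
+};
+
+export default alteration;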
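Review bot: Same gap as in the `organization_user_relations` index alteration: `beforeUp` runs outside a transaction, and if `create index concurrently` is interrupted PostgreSQL leaves an INVALID index that the planner ignores and that `if not exists` will silently skip on every subsequent run, so `getUserScopes` keeps doing the full scan this index was meant to remove with no signal to the operator. Verify `pg_index.indisvalid` after the create and throw if it is false; the `rows` access assumes slonik-style results, confirm against the pool type. The doc comment's "later step in the transaction fails" rationale does not apply to a pre-transaction hook and should be reworded.

```typescript
  beforeUp: async (pool) => {
    // … unchanged: doc comment and `create index concurrently if not exists …` …
    // An interrupted `create index concurrently` leaves an INVALID index that the
    // planner ignores and that `if not exists` will never rebuild; refuse to continue.
    const { rows } = await pool.query(sql`
      select indisvalid from pg_index
      where indexrelid = 'organization_role_user_relations__tenant_id_org_id_user_id'::regclass;
    `);
    if (rows[0]?.indisvalid === false) {
      throw new Error(
        'Index organization_role_user_relations__tenant_id_org_id_user_id is invalid; drop it and re-run this alteration.'
      );
    }
  },
```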
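--- /dev/null
+++ b/package/alterations/1.40.0-1779421396-add-application-access-control-schema.ts
@@ -0,0 +1,90 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const accessControlRelationTables = Object.freeze([
+  'application_access_control_user_relations',
+  'application_access_control_user_role_relations',
+  'application_access_control_organization_relations',
+  'application_access_control_org_role_relations',
+]);
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table applications
+        add column app_level_access_control_enabled boolean not null default false;
+
+      create table application_access_control_user_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, user_id)
+      );
+
+      create table application_access_control_user_role_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        role_id varchar(21) not null
+          references roles (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, role_id),
+        constraint application_access_control_user_role_relations__role_type
+          check (public.check_role_type(role_id, 'User'))
+      );
+
+      create table application_access_control_organization_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, organization_id)
+      );
+
+      create table application_access_control_org_role_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, organization_id, organization_role_id),
+        constraint application_access_control_org_role_relations__role_type
+          check (check_organization_role_type(organization_role_id, 'User'))
+      );
+    `);
+
+    for (const table of accessControlRelationTables) {
+      // eslint-disable-next-line no-await-in-loop
+      await applyTableRls(pool, table);
+    }
+  },
+  down: async (pool) => {
+    for (const table of accessControlRelationTables) {
+      // eslint-disable-next-line no-await-in-loop
+      await dropTableRls(pool, table);
+    }
+
+    await pool.query(sql`
+      drop table application_access_control_org_role_relations;
+      drop table application_access_control_organization_relations;
+      drop table application_access_control_user_role_relations;
+      drop table application_access_control_user_relations;
+
+      alter table applications
+        drop column app_level_access_control_enabled;
+    `);
+  },
+};
+
+export default alteration;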
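Review bot: The two role-type constraints are written differently: `check (public.check_role_type(role_id, 'User'))` is schema-qualified while `check (check_organization_role_type(organization_role_id, 'User'))` is not. A CHECK constraint binds the function at creation time, so this is not a later `search_path` problem, but it makes the migration depend on the migrating role's `search_path` and is inconsistent with the sibling constraint two tables up; write it as `check (public.check_organization_role_type(organization_role_id, 'User'))`, assuming the function lives in `public` like `check_role_type` (the existing `organization_role_user_relations` table is the place to confirm). Separately, `app_level_access_control_enabled` switches an application into allow-list mode and the schema carries no hint that an enabled flag with zero relation rows presumably denies every user; a column comment such as `-- when true, only users matched by the application_access_control_* relations may use this app; no rows means nobody` would save the next reader a trip into the core service, hedged until the enforcement code confirms the deny-by-default behaviour.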
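--- /dev/null
+++ b/package/alterations-js/1.40.0-1776516232-add-account-center-profile-fields.js
@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        add column profile_fields jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table account_centers
+        drop column profile_fields;
+    `);
+    },
+};
+export default alteration;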
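--- /dev/null
+++ b/package/alterations-js/1.40.0-1778318116-add-custom-ui-csp-to-sie.js
@@ -0,0 +1,16 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column custom_ui_csp jsonb not null default '{}'::jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        drop column custom_ui_csp;
+    `);
+    },
+};
+export default alteration;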
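--- /dev/null
+++ b/package/alterations-js/1.40.0-1778500000-add-organization-user-relations-user-id-index.js
@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        /**
+         * Secondary index for `user_id` lookups; the PK `(tenant_id, organization_id, user_id)`
+         * cannot serve queries that filter by `tenant_id` and `user_id` alone.
+         *
+         * Built `concurrently` to avoid the write-blocking `SHARE` lock that a plain
+         * `create index` holds on the table for the duration of the build. The table is hot
+         * on every sign-in, so a multi-second lock on a large tenant translates directly
+         * into request stalls. `if not exists` keeps the migration idempotent if a later
+         * step in the transaction fails and the alteration needs to be re-run.
+         */
+        await pool.query(sql `
+      create index concurrently if not exists organization_user_relations__tenant_id_user_id
+        on organization_user_relations (tenant_id, user_id);
+    `);
+    },
+    up: async () => {
+        /**
+         * The index must be created outside of a transaction to avoid table locks.
+         * 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty.
+         */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently if exists organization_user_relations__tenant_id_user_id;
+    `);
+    },
+    down: async () => {
+        /**
+         * The index must be dropped outside of a transaction to avoid table locks.
+         * 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty.
+         */
+    },
+};
+export default alteration;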
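--- /dev/null
+++ b/package/alterations-js/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.js
@@ -0,0 +1,39 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        /**
+         * Secondary index for `(organization_id, user_id)` lookups; the PK
+         * `(tenant_id, organization_id, organization_role_id, user_id)` cannot serve
+         * queries that skip `organization_role_id`.
+         *
+         * Built `concurrently` to avoid the write-blocking `SHARE` lock that a plain
+         * `create index` holds on the table for the duration of the build. The table is
+         * hot on every authorization decision through `getUserScopes`, so a multi-second
+         * lock on a large tenant translates directly into request stalls. `if not exists`
+         * keeps the migration idempotent if a later step in the transaction fails and the
+         * alteration needs to be re-run.
+         */
+        await pool.query(sql `
+      create index concurrently if not exists organization_role_user_relations__tenant_id_org_id_user_id
+        on organization_role_user_relations (tenant_id, organization_id, user_id);
+    `);
+    },
+    up: async () => {
+        /**
+         * The index must be created outside of a transaction to avoid table locks.
+         * 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty.
+         */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently if exists organization_role_user_relations__tenant_id_org_id_user_id;
+    `);
+    },
+    down: async () => {
+        /**
+         * The index must be dropped outside of a transaction to avoid table locks.
+         * 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty.
+         */
+    },
+};
+export default alteration;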
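--- /dev/null
+++ b/package/alterations-js/1.40.0-1779421396-add-application-access-control-schema.js
@@ -0,0 +1,82 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const accessControlRelationTables = Object.freeze([
+    'application_access_control_user_relations',
+    'application_access_control_user_role_relations',
+    'application_access_control_organization_relations',
+    'application_access_control_org_role_relations',
+]);
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table applications
+        add column app_level_access_control_enabled boolean not null default false;
+
+      create table application_access_control_user_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, user_id)
+      );
+
+      create table application_access_control_user_role_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        role_id varchar(21) not null
+          references roles (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, role_id),
+        constraint application_access_control_user_role_relations__role_type
+          check (public.check_role_type(role_id, 'User'))
+      );
+
+      create table application_access_control_organization_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, organization_id)
+      );
+
+      create table application_access_control_org_role_relations (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        organization_id varchar(21) not null
+          references organizations (id) on update cascade on delete cascade,
+        organization_role_id varchar(21) not null
+          references organization_roles (id) on update cascade on delete cascade,
+        primary key (tenant_id, application_id, organization_id, organization_role_id),
+        constraint application_access_control_org_role_relations__role_type
+          check (check_organization_role_type(organization_role_id, 'User'))
+      );
+    `);
+        for (const table of accessControlRelationTables) {
+            // eslint-disable-next-line no-await-in-loop
+            await applyTableRls(pool, table);
+        }
+    },
+    down: async (pool) => {
+        for (const table of accessControlRelationTables) {
+            // eslint-disable-next-line no-await-in-loop
+            await dropTableRls(pool, table);
+        }
+        await pool.query(sql `
+      drop table application_access_control_org_role_relations;
+      drop table application_access_control_organization_relations;
+      drop table application_access_control_user_role_relations;
+      drop table application_access_control_user_relations;
+
+      alter table applications
+        drop column app_level_access_control_enabled;
+    `);
+    },
+};
+export default alteration;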
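--- /dev/null
+++ b/package/lib/consts/application.d.ts
@@ -0,0 +1 @@
+export declare const defaultApplicationSecretName = "Default secret";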
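--- /dev/null
+++ b/package/lib/consts/application.js
@@ -0,0 +1 @@
+export const defaultApplicationSecretName = 'Default secret';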
package/lib/consts/index.d.ts
CHANGED
package/lib/consts/index.js
CHANGED
|
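--- a/package/lib/db-entries/account-center.d.ts
+++ b/package/lib/db-entries/account-center.d.ts
@@ -1,4 +1,4 @@
-import { AccountCenterFieldControl, WebauthnRelatedOrigins, GeneratedSchema } from './../foundations/index.js';
+import { AccountCenterFieldControl, WebauthnRelatedOrigins, AccountCenterProfileFields, GeneratedSchema } from './../foundations/index.js';
 /**
  *
  * @remarks This is a type for database creation.
@@ -16,6 +16,8 @@ export type CreateAccountCenter = {
     deleteAccountUrl?: string | null;
     /** User-defined custom CSS for the account center */
     customCss?: string | null;
+    /** Ordered list of custom profile fields to show in the prebuilt account center */
+    profileFields?: AccountCenterProfileFields | null;
 };
 export type AccountCenter = {
     tenantId: string;
@@ -29,6 +31,8 @@ export type AccountCenter = {
     deleteAccountUrl: string | null;
     /** User-defined custom CSS for the account center */
     customCss: string | null;
+    /** Ordered list of custom profile fields to show in the prebuilt account center */
+    profileFields: AccountCenterProfileFields | null;
 };
-export type AccountCenterKeys = 'tenantId' | 'id' | 'enabled' | 'fields' | 'webauthnRelatedOrigins' | 'deleteAccountUrl' | 'customCss';
+export type AccountCenterKeys = 'tenantId' | 'id' | 'enabled' | 'fields' | 'webauthnRelatedOrigins' | 'deleteAccountUrl' | 'customCss' | 'profileFields';
 export declare const AccountCenters: GeneratedSchema<AccountCenterKeys, CreateAccountCenter, AccountCenter, 'account_centers', 'account_center'>;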
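--- a/package/lib/db-entries/account-center.js
+++ b/package/lib/db-entries/account-center.js
@@ -1,6 +1,6 @@
 // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
 import { z } from 'zod';
-import { accountCenterFieldControlGuard, webauthnRelatedOriginsGuard } from './../foundations/index.js';
+import { accountCenterFieldControlGuard, webauthnRelatedOriginsGuard, accountCenterProfileFieldsGuard } from './../foundations/index.js';
 const createGuard = z.object({
     tenantId: z.string().max(21).optional(),
     id: z.string().min(1).max(21),
@@ -9,6 +9,7 @@ const createGuard = z.object({
     webauthnRelatedOrigins: webauthnRelatedOriginsGuard.optional(),
     deleteAccountUrl: z.string().max(2048).nullable().optional(),
     customCss: z.string().nullable().optional(),
+    profileFields: accountCenterProfileFieldsGuard.nullable().optional(),
 });
 const guard = z.object({
     tenantId: z.string().max(21),
@@ -18,6 +19,7 @@ const guard = z.object({
     webauthnRelatedOrigins: webauthnRelatedOriginsGuard,
     deleteAccountUrl: z.string().max(2048).nullable(),
     customCss: z.string().nullable(),
+    profileFields: accountCenterProfileFieldsGuard.nullable(),
 });
 export const AccountCenters = Object.freeze({
     table: 'account_centers',
@@ -30,6 +32,7 @@ export const AccountCenters = Object.freeze({
         webauthnRelatedOrigins: 'webauthn_related_origins',
         deleteAccountUrl: 'delete_account_url',
         customCss: 'custom_css',
+        profileFields: 'profile_fields',
     },
     fieldKeys: [
         'tenantId',
@@ -39,6 +42,7 @@ export const AccountCenters = Object.freeze({
         'webauthnRelatedOrigins',
         'deleteAccountUrl',
         'customCss',
+        'profileFields',
     ],
     createGuard,
     guard,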
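--- /dev/null
+++ b/package/lib/db-entries/application-access-control-org-role-relation.d.ts
@@ -0,0 +1,22 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ * The organization role allow relations for application-level access control.
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link ApplicationAccessControlOrgRoleRelation} for the original type.
+ */
+export type CreateApplicationAccessControlOrgRoleRelation = {
+    tenantId?: string;
+    applicationId: string;
+    organizationId: string;
+    organizationRoleId: string;
+};
+/** The organization role allow relations for application-level access control. */
+export type ApplicationAccessControlOrgRoleRelation = {
+    tenantId: string;
+    applicationId: string;
+    organizationId: string;
+    organizationRoleId: string;
+};
+export type ApplicationAccessControlOrgRoleRelationKeys = 'tenantId' | 'applicationId' | 'organizationId' | 'organizationRoleId';
+export declare const ApplicationAccessControlOrgRoleRelations: GeneratedSchema<ApplicationAccessControlOrgRoleRelationKeys, CreateApplicationAccessControlOrgRoleRelation, ApplicationAccessControlOrgRoleRelation, 'application_access_control_org_role_relations', 'application_access_control_org_role_relation'>;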
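--- /dev/null
+++ b/package/lib/db-entries/application-access-control-org-role-relation.js
@@ -0,0 +1,33 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    applicationId: z.string().min(1).max(21),
+    organizationId: z.string().min(1).max(21),
+    organizationRoleId: z.string().min(1).max(21),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    applicationId: z.string().min(1).max(21),
+    organizationId: z.string().min(1).max(21),
+    organizationRoleId: z.string().min(1).max(21),
+});
+export const ApplicationAccessControlOrgRoleRelations = Object.freeze({
+    table: 'application_access_control_org_role_relations',
+    tableSingular: 'application_access_control_org_role_relation',
+    fields: {
+        tenantId: 'tenant_id',
+        applicationId: 'application_id',
+        organizationId: 'organization_id',
+        organizationRoleId: 'organization_role_id',
+    },
+    fieldKeys: [
+        'tenantId',
+        'applicationId',
+        'organizationId',
+        'organizationRoleId',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});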
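--- /dev/null
+++ b/package/lib/db-entries/application-access-control-organization-relation.d.ts
@@ -0,0 +1,20 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ * The organization membership allow relations for application-level access control.
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link ApplicationAccessControlOrganizationRelation} for the original type.
+ */
+export type CreateApplicationAccessControlOrganizationRelation = {
+    tenantId?: string;
+    applicationId: string;
+    organizationId: string;
+};
+/** The organization membership allow relations for application-level access control. */
+export type ApplicationAccessControlOrganizationRelation = {
+    tenantId: string;
+    applicationId: string;
+    organizationId: string;
+};
+export type ApplicationAccessControlOrganizationRelationKeys = 'tenantId' | 'applicationId' | 'organizationId';
+export declare const ApplicationAccessControlOrganizationRelations: GeneratedSchema<ApplicationAccessControlOrganizationRelationKeys, CreateApplicationAccessControlOrganizationRelation, ApplicationAccessControlOrganizationRelation, 'application_access_control_organization_relations', 'application_access_control_organization_relation'>;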
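--- /dev/null
+++ b/package/lib/db-entries/application-access-control-organization-relation.js
@@ -0,0 +1,29 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    applicationId: z.string().min(1).max(21),
+    organizationId: z.string().min(1).max(21),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    applicationId: z.string().min(1).max(21),
+    organizationId: z.string().min(1).max(21),
+});
+export const ApplicationAccessControlOrganizationRelations = Object.freeze({
+    table: 'application_access_control_organization_relations',
+    tableSingular: 'application_access_control_organization_relation',
+    fields: {
+        tenantId: 'tenant_id',
+        applicationId: 'application_id',
+        organizationId: 'organization_id',
+    },
+    fieldKeys: [
+        'tenantId',
+        'applicationId',
+        'organizationId',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});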
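--- /dev/null
+++ b/package/lib/db-entries/application-access-control-user-relation.d.ts
@@ -0,0 +1,20 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ * The direct user allow relations for application-level access control.
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link ApplicationAccessControlUserRelation} for the original type.
+ */
+export type CreateApplicationAccessControlUserRelation = {
+    tenantId?: string;
+    applicationId: string;
+    userId: string;
+};
+/** The direct user allow relations for application-level access control. */
+export type ApplicationAccessControlUserRelation = {
+    tenantId: string;
+    applicationId: string;
+    userId: string;
+};
+export type ApplicationAccessControlUserRelationKeys = 'tenantId' | 'applicationId' | 'userId';
+export declare const ApplicationAccessControlUserRelations: GeneratedSchema<ApplicationAccessControlUserRelationKeys, CreateApplicationAccessControlUserRelation, ApplicationAccessControlUserRelation, 'application_access_control_user_relations', 'application_access_control_user_relation'>;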
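--- /dev/null
+++ b/package/lib/db-entries/application-access-control-user-relation.js
@@ -0,0 +1,29 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    applicationId: z.string().min(1).max(21),
+    userId: z.string().min(1).max(21),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    applicationId: z.string().min(1).max(21),
+    userId: z.string().min(1).max(21),
+});
+export const ApplicationAccessControlUserRelations = Object.freeze({
+    table: 'application_access_control_user_relations',
+    tableSingular: 'application_access_control_user_relation',
+    fields: {
+        tenantId: 'tenant_id',
+        applicationId: 'application_id',
+        userId: 'user_id',
+    },
+    fieldKeys: [
+        'tenantId',
+        'applicationId',
+        'userId',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});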