@logto/schemas 1.8.0 → 1.9.0

package/alterations/1.9.0-1693554904-add-possword-policy.ts

@@ -0,0 +1,21 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+/** The alteration script for adding `password_policy` column to the sign-in experience table. */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+      add column password_policy jsonb not null default '{}';
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+      drop column password_policy;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.9.0-1694399696-add-type-col-to-roles-table.ts

@@ -0,0 +1,55 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+enum InternalRole {
+  Admin = '#internal:admin',
+}
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Get all m2m role ids.
+    const { rows: m2mRoleIds } = await pool.query<{ id: string }>(sql`
+      select roles.id as "id" from roles
+        left join applications_roles on applications_roles.role_id = roles.id and applications_roles.tenant_id = roles.tenant_id
+        left join applications on applications.id = applications_roles.application_id and applications.tenant_id = applications_roles.tenant_id
+      where applications.type = 'MachineToMachine' or roles.name = ${InternalRole.Admin} group by roles.id;
+    `);
+    // Add `type` column to `roles` table, and set `type` to 'MachineToMachine' for all m2m roles.
+    await pool.query(sql`
+      create type role_type as enum ('User', 'MachineToMachine');
+    `);
+    await pool.query(sql`alter table roles add column type role_type not null default 'User';`);
+    await pool.query(sql`
+      update roles set type = 'MachineToMachine' where id in (${sql.join(
+        m2mRoleIds.map(({ id }) => id),
+        sql`, `
+      )});
+    `);
+    // Add role type check function and constraints for recording user/application-role relations.
+    await pool.query(sql`
+      create function check_role_type(role_id varchar(21), target_type role_type) returns boolean as
+      $$ begin
+        return (select type from roles where id = role_id) = target_type;
+      end; $$ language plpgsql;
+    `);
+    await pool.query(sql`
+      alter table users_roles add constraint users_roles__role_type
+          check (check_role_type(role_id, 'User'));
+    `);
+    await pool.query(
+      sql`alter table applications_roles add constraint applications_roles__role_type check (check_role_type(role_id, 'MachineToMachine'));`
+    );
+  },
+  down: async (pool) => {
+    await pool.query(
+      sql`alter table applications_roles drop constraint applications_roles__role_type;`
+    );
+    await pool.query(sql`alter table users_roles drop constraint users_roles__role_type;`);
+    await pool.query(sql`drop function check_role_type;`);
+    await pool.query(sql`alter table roles drop column type;`);
+    await pool.query(sql`drop type role_type;`);
+  },
+};
+
+export default alteration;

package/alterations/1.9.0-1694418765-specify-check-role-type-function-to-be-public-schema.ts

@@ -0,0 +1,54 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+/**
+ * This alteration is a fix on `check_role_type` function, since this function could be called by
+ * cloud (at the time the DB schema is `cloud` and can not find `public` functions/tables).
+ *
+ * As a result, we need to specify the function to be with `public` schema.
+ */
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(
+      sql`alter table applications_roles drop constraint applications_roles__role_type;`
+    );
+    await pool.query(sql`alter table users_roles drop constraint users_roles__role_type;`);
+    await pool.query(sql`drop function check_role_type;`);
+    await pool.query(sql`
+      create function public.check_role_type(role_id varchar(21), target_type role_type) returns boolean as
+      $$ begin
+        return (select type from public.roles where id = role_id) = target_type;
+      end; $$ language plpgsql;
+    `);
+    await pool.query(sql`
+      alter table users_roles add constraint users_roles__role_type
+          check (public.check_role_type(role_id, 'User'));
+    `);
+    await pool.query(
+      sql`alter table applications_roles add constraint applications_roles__role_type check (public.check_role_type(role_id, 'MachineToMachine'));`
+    );
+  },
+  down: async (pool) => {
+    await pool.query(
+      sql`alter table applications_roles drop constraint applications_roles__role_type;`
+    );
+    await pool.query(sql`alter table users_roles drop constraint users_roles__role_type;`);
+    await pool.query(sql`drop function public.check_role_type;`);
+    await pool.query(sql`
+      create function check_role_type(role_id varchar(21), target_type role_type) returns boolean as
+      $$ begin
+        return (select type from roles where id = role_id) = target_type;
+      end; $$ language plpgsql;
+    `);
+    await pool.query(sql`
+      alter table users_roles add constraint users_roles__role_type
+          check (check_role_type(role_id, 'User'));
+    `);
+    await pool.query(
+      sql`alter table applications_roles add constraint applications_roles__role_type check (check_role_type(role_id, 'MachineToMachine'));`
+    );
+  },
+};
+
+export default alteration;

package/alterations/1.9.0-1694484927-remove-deprecated-challenge-flag.ts

@@ -0,0 +1,100 @@
+import type { DatabaseTransactionConnection } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const adminConsoleConfigKey = 'adminConsole';
+
+type OldAdminConsoleData = {
+  livePreviewChecked: boolean;
+  applicationCreated: boolean;
+  signInExperienceCustomized: boolean;
+  passwordlessConfigured: boolean;
+  furtherReadingsChecked: boolean;
+  roleCreated: boolean;
+  communityChecked: boolean;
+  m2mApplicationCreated: boolean;
+} & Record<string, unknown>;
+
+type OldLogtoAdminConsoleConfig = {
+  tenantId: string;
+  value: OldAdminConsoleData;
+};
+
+type NewAdminConsoleData = {
+  signInExperienceCustomized: boolean;
+} & Record<string, unknown>;
+
+type NewLogtoAdminConsoleConfig = {
+  tenantId: string;
+  value: NewAdminConsoleData;
+};
+
+const alterAdminConsoleData = async (
+  logtoConfig: OldLogtoAdminConsoleConfig,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: oldAdminConsoleConfig } = logtoConfig;
+
+  const {
+    livePreviewChecked,
+    applicationCreated,
+    passwordlessConfigured,
+    communityChecked,
+    furtherReadingsChecked,
+    roleCreated,
+    m2mApplicationCreated,
+    ...others
+  } = oldAdminConsoleConfig;
+
+  const newAdminConsoleData: NewAdminConsoleData = {
+    ...others,
+  };
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      newAdminConsoleData
+    )} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`
+  );
+};
+
+const rollbackAdminConsoleData = async (
+  logtoConfig: NewLogtoAdminConsoleConfig,
+  pool: DatabaseTransactionConnection
+) => {
+  const { tenantId, value: newAdminConsoleConfig } = logtoConfig;
+
+  const oldAdminConsoleData: OldAdminConsoleData = {
+    ...newAdminConsoleConfig,
+    livePreviewChecked: false,
+    applicationCreated: false,
+    passwordlessConfigured: false,
+    communityChecked: false,
+    furtherReadingsChecked: false,
+    roleCreated: false,
+    m2mApplicationCreated: false,
+  };
+
+  await pool.query(
+    sql`update logto_configs set value = ${JSON.stringify(
+      oldAdminConsoleData
+    )} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`
+  );
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const rows = await pool.many<OldLogtoAdminConsoleConfig>(
+      sql`select * from logto_configs where key = ${adminConsoleConfigKey}`
+    );
+    await Promise.all(rows.map(async (row) => alterAdminConsoleData(row, pool)));
+  },
+  down: async (pool) => {
+    const rows = await pool.many<NewLogtoAdminConsoleConfig>(
+      sql`select * from logto_configs where key = ${adminConsoleConfigKey}`
+    );
+    await Promise.all(rows.map(async (row) => rollbackAdminConsoleData(row, pool)));
+  },
+};
+
+export default alteration;

package/alterations/1.9.0-1694487524-sie-mfa.ts

@@ -0,0 +1,26 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column if not exists mfa jsonb not null default '{}'::jsonb;
+    `);
+
+    await pool.query(sql`
+      update sign_in_experiences
+        set mfa = '{"factors":[],"policy":"UserControlled"}'
+        where id = 'default';
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column mfa;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.9.0-1694509714-keep-existing-password-policy.ts

@@ -0,0 +1,54 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+// In the alteration testing environment, we do not want to run this alteration
+// script since it alters the existing data which does not match the new policy.
+const isAlterationTesting = yes(process.env.ALTERATION_TEST);
+
+/**
+ * Note: The legacy password policy does not separate upper and lower cases into
+ * different character types. It is not possible to migrate this behavior.
+ */
+const legacyPasswordPolicy = {
+  length: { min: 8 },
+  characterTypes: { min: 2 },
+  rejects: {
+    pwned: false,
+    repetitionAndSequence: false,
+    userInfo: false,
+    words: [],
+  },
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    if (isAlterationTesting) {
+      console.warn(
+        'Skipping alteration script next-1694509714-keep-existing-password-policy in alteration testing environment.'
+      );
+      return;
+    }
+
+    await pool.query(sql`
+      update sign_in_experiences
+        set password_policy = ${sql.jsonb(legacyPasswordPolicy)};
+    `);
+  },
+  down: async (pool) => {
+    if (isAlterationTesting) {
+      console.warn(
+        'Skipping alteration script next-1694509714-keep-existing-password-policy in alteration testing environment.'
+      );
+      return;
+    }
+
+    await pool.query(sql`
+      update sign_in_experiences
+        set password_policy = '{}'::jsonb;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.9.0-1694746763-user-verifications.ts

@@ -0,0 +1,20 @@
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table users
+        add column if not exists mfa_verifications jsonb not null default '[]'::jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table users
+        drop column mfa_verifications;
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.9.0-1693554904-add-possword-policy.d.ts

@@ -0,0 +1,4 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+/** The alteration script for adding `password_policy` column to the sign-in experience table. */
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.0-1693554904-add-possword-policy.js

@@ -0,0 +1,17 @@
+import { sql } from 'slonik';
+/** The alteration script for adding `password_policy` column to the sign-in experience table. */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+      add column password_policy jsonb not null default '{}';
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+      drop column password_policy;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.9.0-1694399696-add-type-col-to-roles-table.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.0-1694399696-add-type-col-to-roles-table.js

@@ -0,0 +1,44 @@
+import { sql } from 'slonik';
+var InternalRole;
+(function (InternalRole) {
+    InternalRole["Admin"] = "#internal:admin";
+})(InternalRole || (InternalRole = {}));
+const alteration = {
+    up: async (pool) => {
+        // Get all m2m role ids.
+        const { rows: m2mRoleIds } = await pool.query(sql `
+      select roles.id as "id" from roles
+        left join applications_roles on applications_roles.role_id = roles.id and applications_roles.tenant_id = roles.tenant_id
+        left join applications on applications.id = applications_roles.application_id and applications.tenant_id = applications_roles.tenant_id
+      where applications.type = 'MachineToMachine' or roles.name = ${InternalRole.Admin} group by roles.id;
+    `);
+        // Add `type` column to `roles` table, and set `type` to 'MachineToMachine' for all m2m roles.
+        await pool.query(sql `
+      create type role_type as enum ('User', 'MachineToMachine');
+    `);
+        await pool.query(sql `alter table roles add column type role_type not null default 'User';`);
+        await pool.query(sql `
+      update roles set type = 'MachineToMachine' where id in (${sql.join(m2mRoleIds.map(({ id }) => id), sql `, `)});
+    `);
+        // Add role type check function and constraints for recording user/application-role relations.
+        await pool.query(sql `
+      create function check_role_type(role_id varchar(21), target_type role_type) returns boolean as
+      $$ begin
+        return (select type from roles where id = role_id) = target_type;
+      end; $$ language plpgsql;
+    `);
+        await pool.query(sql `
+      alter table users_roles add constraint users_roles__role_type
+          check (check_role_type(role_id, 'User'));
+    `);
+        await pool.query(sql `alter table applications_roles add constraint applications_roles__role_type check (check_role_type(role_id, 'MachineToMachine'));`);
+    },
+    down: async (pool) => {
+        await pool.query(sql `alter table applications_roles drop constraint applications_roles__role_type;`);
+        await pool.query(sql `alter table users_roles drop constraint users_roles__role_type;`);
+        await pool.query(sql `drop function check_role_type;`);
+        await pool.query(sql `alter table roles drop column type;`);
+        await pool.query(sql `drop type role_type;`);
+    },
+};
+export default alteration;

package/alterations-js/1.9.0-1694418765-specify-check-role-type-function-to-be-public-schema.d.ts

@@ -0,0 +1,9 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+/**
+ * This alteration is a fix on `check_role_type` function, since this function could be called by
+ * cloud (at the time the DB schema is `cloud` and can not find `public` functions/tables).
+ *
+ * As a result, we need to specify the function to be with `public` schema.
+ */
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.0-1694418765-specify-check-role-type-function-to-be-public-schema.js

@@ -0,0 +1,42 @@
+import { sql } from 'slonik';
+/**
+ * This alteration is a fix on `check_role_type` function, since this function could be called by
+ * cloud (at the time the DB schema is `cloud` and can not find `public` functions/tables).
+ *
+ * As a result, we need to specify the function to be with `public` schema.
+ */
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `alter table applications_roles drop constraint applications_roles__role_type;`);
+        await pool.query(sql `alter table users_roles drop constraint users_roles__role_type;`);
+        await pool.query(sql `drop function check_role_type;`);
+        await pool.query(sql `
+      create function public.check_role_type(role_id varchar(21), target_type role_type) returns boolean as
+      $$ begin
+        return (select type from public.roles where id = role_id) = target_type;
+      end; $$ language plpgsql;
+    `);
+        await pool.query(sql `
+      alter table users_roles add constraint users_roles__role_type
+          check (public.check_role_type(role_id, 'User'));
+    `);
+        await pool.query(sql `alter table applications_roles add constraint applications_roles__role_type check (public.check_role_type(role_id, 'MachineToMachine'));`);
+    },
+    down: async (pool) => {
+        await pool.query(sql `alter table applications_roles drop constraint applications_roles__role_type;`);
+        await pool.query(sql `alter table users_roles drop constraint users_roles__role_type;`);
+        await pool.query(sql `drop function public.check_role_type;`);
+        await pool.query(sql `
+      create function check_role_type(role_id varchar(21), target_type role_type) returns boolean as
+      $$ begin
+        return (select type from roles where id = role_id) = target_type;
+      end; $$ language plpgsql;
+    `);
+        await pool.query(sql `
+      alter table users_roles add constraint users_roles__role_type
+          check (check_role_type(role_id, 'User'));
+    `);
+        await pool.query(sql `alter table applications_roles add constraint applications_roles__role_type check (check_role_type(role_id, 'MachineToMachine'));`);
+    },
+};
+export default alteration;

package/alterations-js/1.9.0-1694484927-remove-deprecated-challenge-flag.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.0-1694484927-remove-deprecated-challenge-flag.js

@@ -0,0 +1,35 @@
+import { sql } from 'slonik';
+const adminConsoleConfigKey = 'adminConsole';
+const alterAdminConsoleData = async (logtoConfig, pool) => {
+    const { tenantId, value: oldAdminConsoleConfig } = logtoConfig;
+    const { livePreviewChecked, applicationCreated, passwordlessConfigured, communityChecked, furtherReadingsChecked, roleCreated, m2mApplicationCreated, ...others } = oldAdminConsoleConfig;
+    const newAdminConsoleData = {
+        ...others,
+    };
+    await pool.query(sql `update logto_configs set value = ${JSON.stringify(newAdminConsoleData)} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`);
+};
+const rollbackAdminConsoleData = async (logtoConfig, pool) => {
+    const { tenantId, value: newAdminConsoleConfig } = logtoConfig;
+    const oldAdminConsoleData = {
+        ...newAdminConsoleConfig,
+        livePreviewChecked: false,
+        applicationCreated: false,
+        passwordlessConfigured: false,
+        communityChecked: false,
+        furtherReadingsChecked: false,
+        roleCreated: false,
+        m2mApplicationCreated: false,
+    };
+    await pool.query(sql `update logto_configs set value = ${JSON.stringify(oldAdminConsoleData)} where tenant_id = ${tenantId} and key = ${adminConsoleConfigKey}`);
+};
+const alteration = {
+    up: async (pool) => {
+        const rows = await pool.many(sql `select * from logto_configs where key = ${adminConsoleConfigKey}`);
+        await Promise.all(rows.map(async (row) => alterAdminConsoleData(row, pool)));
+    },
+    down: async (pool) => {
+        const rows = await pool.many(sql `select * from logto_configs where key = ${adminConsoleConfigKey}`);
+        await Promise.all(rows.map(async (row) => rollbackAdminConsoleData(row, pool)));
+    },
+};
+export default alteration;

package/alterations-js/1.9.0-1694487524-sie-mfa.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.0-1694487524-sie-mfa.js

@@ -0,0 +1,21 @@
+import { sql } from 'slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        add column if not exists mfa jsonb not null default '{}'::jsonb;
+    `);
+        await pool.query(sql `
+      update sign_in_experiences
+        set mfa = '{"factors":[],"policy":"UserControlled"}'
+        where id = 'default';
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sign_in_experiences
+        drop column mfa;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.9.0-1694509714-keep-existing-password-policy.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.0-1694509714-keep-existing-password-policy.js

@@ -0,0 +1,42 @@
+import { yes } from '@silverhand/essentials';
+import { sql } from 'slonik';
+// In the alteration testing environment, we do not want to run this alteration
+// script since it alters the existing data which does not match the new policy.
+const isAlterationTesting = yes(process.env.ALTERATION_TEST);
+/**
+ * Note: The legacy password policy does not separate upper and lower cases into
+ * different character types. It is not possible to migrate this behavior.
+ */
+const legacyPasswordPolicy = {
+    length: { min: 8 },
+    characterTypes: { min: 2 },
+    rejects: {
+        pwned: false,
+        repetitionAndSequence: false,
+        userInfo: false,
+        words: [],
+    },
+};
+const alteration = {
+    up: async (pool) => {
+        if (isAlterationTesting) {
+            console.warn('Skipping alteration script next-1694509714-keep-existing-password-policy in alteration testing environment.');
+            return;
+        }
+        await pool.query(sql `
+      update sign_in_experiences
+        set password_policy = ${sql.jsonb(legacyPasswordPolicy)};
+    `);
+    },
+    down: async (pool) => {
+        if (isAlterationTesting) {
+            console.warn('Skipping alteration script next-1694509714-keep-existing-password-policy in alteration testing environment.');
+            return;
+        }
+        await pool.query(sql `
+      update sign_in_experiences
+        set password_policy = '{}'::jsonb;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.9.0-1694746763-user-verifications.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.0-1694746763-user-verifications.js

@@ -0,0 +1,16 @@
+import { sql } from 'slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table users
+        add column if not exists mfa_verifications jsonb not null default '[]'::jsonb;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table users
+        drop column mfa_verifications;
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/custom-types.d.ts

@@ -4,6 +4,10 @@ export declare enum ApplicationType {
     Traditional = "Traditional",
     MachineToMachine = "MachineToMachine"
 }
+export declare enum RoleType {
+    User = "User",
+    MachineToMachine = "MachineToMachine"
+}
 export declare enum SignInMode {
     SignIn = "SignIn",
     Register = "Register",

package/lib/db-entries/custom-types.js

@@ -6,6 +6,11 @@ export var ApplicationType;
     ApplicationType["Traditional"] = "Traditional";
     ApplicationType["MachineToMachine"] = "MachineToMachine";
 })(ApplicationType || (ApplicationType = {}));
+export var RoleType;
+(function (RoleType) {
+    RoleType["User"] = "User";
+    RoleType["MachineToMachine"] = "MachineToMachine";
+})(RoleType || (RoleType = {}));
 export var SignInMode;
 (function (SignInMode) {
     SignInMode["SignIn"] = "SignIn";

package/lib/db-entries/role.d.ts

@@ -1,14 +1,17 @@
 import { GeneratedSchema } from './../foundations/index.js';
+import { RoleType } from './custom-types.js';
 export type CreateRole = {
     tenantId?: string;
     id: string;
     name: string;
     description: string;
+    type?: RoleType;
 };
 export type Role = {
     tenantId: string;
     id: string;
     name: string;
     description: string;
+    type: RoleType;
 };
 export declare const Roles: GeneratedSchema<CreateRole, Role>;