logto/packages/schemas/alterations/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.ts

import { sql } from '@silverhand/slonik';

import type { AlterationScript } from '../lib/types/alteration.js';

enum RoleType {
  User = 'User',
}

const getManagementApiResourceIndicator = (tenantId: string) => `https://${tenantId}.logto.app/api`;

// Remove management API scopes assigned to user roles, in case they were assigned by management API and bypassed the constraints in admin console.
const alteration: AlterationScript = {
  up: async (pool) => {
    const { rows } = await pool.query<{
      rolesScopesId: string;
      indicator: string;
      tenantId: string;
    }>(sql`
      select
        roles_scopes.id as "rolesScopesId",
        roles_scopes.tenant_id as "tenantId",
        resources.indicator as indicator from roles_scopes
      join roles
        on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
      join scopes on
        roles_scopes.scope_id = scopes.id and roles_scopes.tenant_id = scopes.tenant_id
      join resources on
        scopes.resource_id = resources.id and scopes.tenant_id = resources.tenant_id
      where roles.type = ${RoleType.User};
    `);
    const rolesScopesIdsToRemove = rows
      .filter(
        ({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId)
      )
      .map(({ rolesScopesId }) => rolesScopesId);
    if (rolesScopesIdsToRemove.length > 0) {
      await pool.query(sql`
        delete from roles_scopes where id in (${sql.join(rolesScopesIdsToRemove, sql`, `)});
      `);
    }
  },
  down: async (pool) => {
    // It cannot be reverted automatically.
  },
};

export default alteration;
refactor: use silverhand slonik 2024-03-16 06:04:55 -05:00			`import { sql } from '@silverhand/slonik';`
fix(core): mgmt API scopes are not assignable to user roles (#5425) * fix(core): mgmt API scopes are not assignable to user roles * feat: add alteration script to remove mgmt api scopes already assigned to user role * chore: use option object 2024-02-26 22:19:59 -05:00
			`import type { AlterationScript } from '../lib/types/alteration.js';`

			`enum RoleType {`
			`User = 'User',`
			`}`

			const getManagementApiResourceIndicator = (tenantId: string) => `https://${tenantId}.logto.app/api`;

			`// Remove management API scopes assigned to user roles, in case they were assigned by management API and bypassed the constraints in admin console.`
			`const alteration: AlterationScript = {`
			`up: async (pool) => {`
			`const { rows } = await pool.query<{`
			`rolesScopesId: string;`
			`indicator: string;`
			`tenantId: string;`
			}>(sql`
			`select`
			`roles_scopes.id as "rolesScopesId",`
			`roles_scopes.tenant_id as "tenantId",`
			`resources.indicator as indicator from roles_scopes`
			`join roles`
			`on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id`
			`join scopes on`
			`roles_scopes.scope_id = scopes.id and roles_scopes.tenant_id = scopes.tenant_id`
			`join resources on`
			`scopes.resource_id = resources.id and scopes.tenant_id = resources.tenant_id`
			`where roles.type = ${RoleType.User};`
			`);
			`const rolesScopesIdsToRemove = rows`
			`.filter(`
			`({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId)`
			`)`
			`.map(({ rolesScopesId }) => rolesScopesId);`
			`if (rolesScopesIdsToRemove.length > 0) {`
			await pool.query(sql`
			delete from roles_scopes where id in (${sql.join(rolesScopesIdsToRemove, sql`, `)});
			`);
			`}`
			`},`
			`down: async (pool) => {`
			`// It cannot be reverted automatically.`
			`},`
			`};`

			`export default alteration;`