refactor: remove Cloud API report usage scope to unblock cloud env deployment
This commit is contained in:
parent
f04678e7bb
commit
1131a7c512
4 changed files with 2 additions and 109 deletions
@ -181,8 +181,7 @@ export const seedTables = async (
|
||||||
({ name }) =>
|
({ name }) =>
|
||||||
name === CloudScope.SendSms ||
|
name === CloudScope.SendSms ||
|
||||||
name === CloudScope.SendEmail ||
|
name === CloudScope.SendEmail ||
|
||||||
name === CloudScope.FetchCustomJwt ||
|
name === CloudScope.FetchCustomJwt
|
||||||
name === CloudScope.ReportSubscriptionUpdates
|
|
||||||
)
|
)
|
||||||
.map(({ id }) => id)
|
.map(({ id }) => id)
|
||||||
);
|
);
|
||||||
|
|
|
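Review bot: The filter on the new side is still a hand-maintained chain of `name ===` comparisons, and this is the one place that decides which Cloud API scope ids this seed step hands on, so the least-privilege boundary for the seeded grant lives in a condition that is easy to extend by appending another `||`; a named allowlist reads as what it is and is checked once: `const cloudConnectionScopeNames = new Set<string>([CloudScope.SendSms, CloudScope.SendEmail, CloudScope.FetchCustomJwt]);` with `.filter(({ name }) => cloudConnectionScopeNames.has(name))`. Seeding only shapes fresh databases: environments where the alteration this commit deletes has already run presumably still hold the `report:subscription:updates` scope row and its role assignment, and nothing visible here removes them, so a reverting alteration (or a note in the description saying why that is acceptable) seems to be missing. The enclosing `seedTables` function starts before this hunk.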
@ -29,13 +29,8 @@ const accessTokenResponseGuard = z.object({
|
||||||
* The scope here can be empty and still work, because the cloud API requests made using this client do not rely on scope verification.
|
* The scope here can be empty and still work, because the cloud API requests made using this client do not rely on scope verification.
|
||||||
* The `CloudScope.SendEmail` is added for now because it needs to call the cloud email service API.
|
* The `CloudScope.SendEmail` is added for now because it needs to call the cloud email service API.
|
||||||
* The `CloudScope.FetchCustomJwt` is added for now because it needs to call the cloud custom JWT service API.
|
* The `CloudScope.FetchCustomJwt` is added for now because it needs to call the cloud custom JWT service API.
|
||||||
* The `CloudScope.ReportSubscriptionUpdates` is added since we need to report subscription updates to the cloud.
|
|
||||||
*/
|
*/
|
||||||
const scopes: string[] = [
|
const scopes: string[] = [CloudScope.SendEmail, CloudScope.FetchCustomJwt];
|
||||||
CloudScope.SendEmail,
|
|
||||||
CloudScope.FetchCustomJwt,
|
|
||||||
CloudScope.ReportSubscriptionUpdates,
|
|
||||||
];
|
|
||||||
const accessTokenExpirationMargin = 60;
|
const accessTokenExpirationMargin = 60;
|
||||||
|
|
||||||
/** The library for connecting to Logto Cloud service. */
|
/** The library for connecting to Logto Cloud service. */
|
||||||
|
|
|
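Review bot: The new `scopes` declaration on the right is typed `string[]`, wider than the `CloudScope` values it holds; unless it is later appended to with arbitrary strings (not visible in this hunk), `const scopes: CloudScope[] = [CloudScope.SendEmail, CloudScope.FetchCustomJwt];` lets the compiler reject anything that is not a declared cloud scope. The retained comment above it says the cloud API requests made with this client do not rely on scope verification, which means this list documents intent rather than enforcing a boundary, and that caveat deserves to be stated where the next person adds a scope, e.g. `* NOTE: Cloud API does not enforce these scopes today; the effective permission boundary is whatever scope set the application's role is granted at seed time — keep the two lists in step.` The code that consumes `scopes` lies outside this hunk.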
@ -1,93 +0,0 @@
|
||||||
import { sql } from '@silverhand/slonik';
|
|
||||||
|
|
||||||
import type { AlterationScript } from '../lib/types/alteration.js';
|
|
||||||
|
|
||||||
import { generateStandardId } from './utils/1716643968-id-generation.js';
|
|
||||||
|
|
||||||
type Resource = {
|
|
||||||
tenantId: string;
|
|
||||||
id: string;
|
|
||||||
name: string;
|
|
||||||
indicator: string;
|
|
||||||
isDefault: boolean;
|
|
||||||
};
|
|
||||||
|
|
||||||
type Scope = {
|
|
||||||
tenantId: string;
|
|
||||||
id: string;
|
|
||||||
resourceId: string;
|
|
||||||
name: string;
|
|
||||||
description: string;
|
|
||||||
};
|
|
||||||
|
|
||||||
type Role = {
|
|
||||||
tenantId: string;
|
|
||||||
id: string;
|
|
||||||
name: string;
|
|
||||||
description: string;
|
|
||||||
};
|
|
||||||
|
|
||||||
const cloudApiIndicator = 'https://cloud.logto.io/api';
|
|
||||||
|
|
||||||
const cloudConnectionAppRoleName = 'tenantApplication';
|
|
||||||
|
|
||||||
const adminTenantId = 'admin';
|
|
||||||
|
|
||||||
const reportSubscriptionUpdatesScopeName = 'report:subscription:updates';
|
|
||||||
const reportSubscriptionUpdatesScopeDescription =
|
|
||||||
'Allow reporting changes on Stripe subscription to Logto Cloud.';
|
|
||||||
|
|
||||||
const alteration: AlterationScript = {
|
|
||||||
up: async (pool) => {
|
|
||||||
// Get the Cloud API resource
|
|
||||||
const cloudApiResource = await pool.one<Resource>(sql`
|
|
||||||
select * from resources
|
|
||||||
where tenant_id = ${adminTenantId}
|
|
||||||
and indicator = ${cloudApiIndicator}
|
|
||||||
`);
|
|
||||||
|
|
||||||
// Get cloud connection application role
|
|
||||||
const tenantApplicationRole = await pool.one<Role>(sql`
|
|
||||||
select * from roles
|
|
||||||
where tenant_id = ${adminTenantId}
|
|
||||||
and name = ${cloudConnectionAppRoleName} and type = 'MachineToMachine'
|
|
||||||
`);
|
|
||||||
|
|
||||||
// Create the `report:subscription:updates` scope
|
|
||||||
const reportSubscriptionUpdatesCloudScope = await pool.one<Scope>(sql`
|
|
||||||
insert into scopes (id, tenant_id, resource_id, name, description)
|
|
||||||
values (${generateStandardId()}, ${adminTenantId}, ${
|
|
||||||
cloudApiResource.id
|
|
||||||
}, ${reportSubscriptionUpdatesScopeName}, ${reportSubscriptionUpdatesScopeDescription})
|
|
||||||
returning *;
|
|
||||||
`);
|
|
||||||
|
|
||||||
// Assign the `report:subscription:updates` scope to cloud connection application role
|
|
||||||
await pool.query(sql`
|
|
||||||
insert into roles_scopes (id, tenant_id, role_id, scope_id)
|
|
||||||
values (${generateStandardId()}, ${adminTenantId}, ${tenantApplicationRole.id}, ${
|
|
||||||
reportSubscriptionUpdatesCloudScope.id
|
|
||||||
});
|
|
||||||
`);
|
|
||||||
},
|
|
||||||
down: async (pool) => {
|
|
||||||
// Get the Cloud API resource
|
|
||||||
const cloudApiResource = await pool.one<Resource>(sql`
|
|
||||||
select * from resources
|
|
||||||
where tenant_id = ${adminTenantId}
|
|
||||||
and indicator = ${cloudApiIndicator}
|
|
||||||
`);
|
|
||||||
|
|
||||||
// Remove the `report:subscription:updates` scope
|
|
||||||
await pool.query(sql`
|
|
||||||
delete from scopes
|
|
||||||
where
|
|
||||||
tenant_id = ${adminTenantId} and
|
|
||||||
name = ${reportSubscriptionUpdatesScopeName} and
|
|
||||||
description = ${reportSubscriptionUpdatesScopeDescription} and
|
|
||||||
resource_id = ${cloudApiResource.id}
|
|
||||||
`);
|
|
||||||
},
|
|
||||||
};
|
|
||||||
|
|
||||||
export default alteration;
|
|
|
@ -22,10 +22,6 @@ export enum CloudScope {
|
||||||
* scripts and fetch the parsed token payload.
|
* scripts and fetch the parsed token payload.
|
||||||
*/
|
*/
|
||||||
FetchCustomJwt = 'fetch:custom:jwt',
|
FetchCustomJwt = 'fetch:custom:jwt',
|
||||||
/**
|
|
||||||
* The entity can report changes on Stripe subscription to Logto Cloud.
|
|
||||||
*/
|
|
||||||
ReportSubscriptionUpdates = 'report:subscription:updates',
|
|
||||||
/** The user can see and manage affiliates, including create, update, and delete. */
|
/** The user can see and manage affiliates, including create, update, and delete. */
|
||||||
ManageAffiliate = 'manage:affiliate',
|
ManageAffiliate = 'manage:affiliate',
|
||||||
/** The user can create new affiliates and logs. */
|
/** The user can create new affiliates and logs. */
|
||||||
|
@ -74,10 +70,6 @@ export const createCloudApi = (): Readonly<[UpdateAdminData, ...CreateScope[]]>
|
||||||
CloudScope.FetchCustomJwt,
|
CloudScope.FetchCustomJwt,
|
||||||
'Allow accessing external resource to execute JWT payload customizer script and fetch the parsed token payload.'
|
'Allow accessing external resource to execute JWT payload customizer script and fetch the parsed token payload.'
|
||||||
),
|
),
|
||||||
buildScope(
|
|
||||||
CloudScope.ReportSubscriptionUpdates,
|
|
||||||
'Allow reporting changes on Stripe subscription to Logto Cloud.'
|
|
||||||
),
|
|
||||||
buildScope(CloudScope.CreateAffiliate, 'Allow creating new affiliates and logs.'),
|
buildScope(CloudScope.CreateAffiliate, 'Allow creating new affiliates and logs.'),
|
||||||
buildScope(
|
buildScope(
|
||||||
CloudScope.ManageAffiliate,
|
CloudScope.ManageAffiliate,
|
||||||
|
|