feat(schemas): add service logs table (#3390)

packages/core/src/tenants/utils.ts

@@ -1,4 +1,4 @@
-import { Systems } from '@logto/schemas';
+import { ServiceLogs, Systems } from '@logto/schemas';
 import { Tenants } from '@logto/schemas/models';
 import { isKeyInObject } from '@logto/shared';
 import { conditional, conditionalString } from '@silverhand/essentials';
@@ -55,7 +55,9 @@ export const checkRowLevelSecurity = async (client: CommonQueryMethods) => {
     and rowsecurity=false
   `);
 
-  const rlsDisabled = rows.filter(({ tablename }) => tablename !== Systems.table);
+  const rlsDisabled = rows.filter(
+    ({ tablename }) => tablename !== Systems.table && tablename !== ServiceLogs.table
+  );
 
   if (rlsDisabled.length > 0) {
     throw new Error(

packages/schemas/alterations/next-1678716747-service-logs.ts

@@ -0,0 +1,51 @@
+import type { CommonQueryMethods } from 'slonik';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getId = (value: string) => sql.identifier([value]);
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    const baseRole = `logto_tenant_${database}`;
+    const baseRoleId = getId(baseRole);
+
+    await pool.query(sql`
+      create table service_logs (
+        id varchar(21) not null,
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        type varchar(64) not null,
+        payload jsonb /* @use ArbitraryObject */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        primary key (id)
+      );
+
+      create index service_logs__id
+        on service_logs (id);
+
+      create index service_logs__tenant_id__type
+        on service_logs (tenant_id, type);
+
+      revoke all privileges
+        on table service_logs
+        from ${baseRoleId};
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop table service_logs;
+    `);
+  },
+};
+
+export default alteration;

packages/schemas/tables/_after_all.sql

@@ -28,6 +28,11 @@ revoke all privileges
   on table systems
   from logto_tenant_${database};
 
+---- Revoke all privileges on service_logs table for tenant roles ----
+revoke all privileges
+  on table service_logs
+  from logto_tenant_${database};
+
 ---- Create policies to make internal roles read-only ----
 
 /**

packages/schemas/tables/service_logs.sql

@@ -0,0 +1,17 @@
+create table service_logs (
+  id varchar(21) not null,
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  type varchar(64) not null,
+  payload jsonb /* @use ArbitraryObject */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  primary key (id)
+);
+
+create index service_logs__id
+  on service_logs (id);
+
+create index service_logs__tenant_id__type
+  on service_logs (tenant_id, type);
+
+/* no_after_each */