refactor: block admin tenant from using creating jwt-customizer API

packages/core/src/oidc/init.ts

@@ -218,16 +218,6 @@ export default function initOidc(
 
       const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
 
-      /**
-       * Cloud connection should not go through this custom JWT logic.
-       */
-      if (isTokenClientCredentials) {
-        const { appId } = await cloudConnection.getCloudConnectionData();
-        if (token.clientId === appId) {
-          return;
-        }
-      }
-
       const { script, envVars } =
         (await trySafe(
           logtoConfigs.getJwtCustomizer(

packages/core/src/routes/logto-config.ts

@@ -18,6 +18,7 @@ import {
   LogtoJwtTokenPath,
   jsonObjectGuard,
 } from '@logto/schemas';
+import { adminTenantId } from '@logto/schemas';
 import { z } from 'zod';
 
 import { EnvSet } from '#src/env-set/index.js';
@@ -77,7 +78,10 @@ const getRedactedOidcKeyResponse = async (
   );
 
 export default function logtoConfigRoutes<T extends AuthedRouter>(
-  ...[router, { queries, logtoConfigs, invalidateCache, cloudConnection }]: RouterInitArgs<T>
+  ...[
+    router,
+    { id: tenantId, queries, logtoConfigs, invalidateCache, cloudConnection },
+  ]: RouterInitArgs<T>
 ) {
   const {
     getAdminConsoleConfig,
@@ -207,42 +211,44 @@ export default function logtoConfigRoutes<T extends AuthedRouter>(
     }
   );
 
-  router.put(
+  if (tenantId !== adminTenantId) {
-    '/configs/jwt-customizer/:tokenTypePath',
+    router.put(
-    koaGuard({
+      '/configs/jwt-customizer/:tokenTypePath',
-      params: z.object({
+      koaGuard({
-        tokenTypePath: z.nativeEnum(LogtoJwtTokenPath),
+        params: z.object({
+          tokenTypePath: z.nativeEnum(LogtoJwtTokenPath),
+        }),
+        /**
+         * Use `z.unknown()` to guard the request body as a JSON object, since the actual guard depends
+         * on the `tokenTypePath` and we can not get the value of `tokenTypePath` before parsing the request body,
+         * we will do more specific guard as long as we can get the value of `tokenTypePath`.
+         *
+         * Should specify `body` in koaGuard, otherwise the request body is not accessible even via `ctx.request.body`.
+         */
+        body: z.unknown(),
+        response: accessTokenJwtCustomizerGuard.or(clientCredentialsJwtCustomizerGuard),
+        status: [200, 201, 400],
       }),
-      /**
+      async (ctx, next) => {
-       * Use `z.unknown()` to guard the request body as a JSON object, since the actual guard depends
+        const {
-       * on the `tokenTypePath` and we can not get the value of `tokenTypePath` before parsing the request body,
+          params: { tokenTypePath },
-       * we will do more specific guard as long as we can get the value of `tokenTypePath`.
+          body: rawBody,
-       *
+        } = ctx.guard;
-       * Should specify `body` in koaGuard, otherwise the request body is not accessible even via `ctx.request.body`.
+        const { key, body } = getJwtTokenKeyAndBody(tokenTypePath, rawBody);
-       */
-      body: z.unknown(),
-      response: accessTokenJwtCustomizerGuard.or(clientCredentialsJwtCustomizerGuard),
-      status: [200, 201, 400],
-    }),
-    async (ctx, next) => {
-      const {
-        params: { tokenTypePath },
-        body: rawBody,
-      } = ctx.guard;
-      const { key, body } = getJwtTokenKeyAndBody(tokenTypePath, rawBody);
 
-      const { rows } = await getRowsByKeys([key]);
+        const { rows } = await getRowsByKeys([key]);
 
-      const jwtCustomizer = await upsertJwtCustomizer(key, body);
+        const jwtCustomizer = await upsertJwtCustomizer(key, body);
 
-      if (rows.length === 0) {
+        if (rows.length === 0) {
-        ctx.status = 201;
+          ctx.status = 201;
+        }
+        ctx.body = jwtCustomizer.value;
+
+        return next();
       }
-      ctx.body = jwtCustomizer.value;
+    );
-
+  }
-      return next();
-    }
-  );
 
   router.get(
     '/configs/jwt-customizer/:tokenTypePath',