feat(schemas): add application permissions relation tables (#5097)

* feat(schemas): add application permissions relation tables add appliaction permissions relation tables * refactor(schemas): redesign the application user scope relations table redesign the application user scope relations table * refactor(schemas): rename application user consent scopes table name rename application user consent scopes table name * fix(schemas): fix dirty char fix dirty char * refactor(schemas): rename resource scope column name rename resource scope column name * fix(schemas): fix the wrong column name fix the wrong column name * refactor(schemas): update the userscope column length update the userscope column length
2025-04-14 23:11:31 -05:00 · 2023-12-15 10:18:44 +08:00 · 2023-12-15 10:18:44 +08:00 · 875e948186
commit 875e948186
parent 21dd11c92e
4 changed files with 134 additions and 0 deletions
--- a/packages/schemas/alterations/next-1702372401-add-application-permissions-tables.ts
+++ b/packages/schemas/alterations/next-1702372401-add-application-permissions-tables.ts
@ -0,0 +1,93 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const enableRls = async (pool: CommonQueryMethods, database: string, table: string) => {
+  const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+
+  await pool.query(sql`
+    create trigger set_tenant_id before insert on ${sql.identifier([table])}
+      for each row execute procedure set_tenant_id();
+
+    alter table ${sql.identifier([table])} enable row level security;
+
+    create policy ${sql.identifier([`${table}_tenant_id`])} on ${sql.identifier([table])}
+      as restrictive
+      using (tenant_id = (select id from tenants where db_user = current_user));
+
+    create policy ${sql.identifier([`${table}_modification`])} on ${sql.identifier([table])}
+      using (true);
+
+    grant select, insert, update, delete on ${sql.identifier([table])} to ${baseRoleId};
+  `);
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+
+    await pool.query(sql`
+        create table application_user_consent_resource_scopes (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the application. */
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the resource scope. */
+        scope_id varchar(21) not null
+          references scopes (id) on update cascade on delete cascade,
+        primary key (application_id, scope_id)
+      );
+    `);
+
+    await enableRls(pool, database, 'application_user_consent_resource_scopes');
+
+    await pool.query(sql`
+      create table application_user_consent_organization_scopes (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the application. */
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the organization scope. */
+        organization_scope_id varchar(21) not null
+          references organization_scopes (id) on update cascade on delete cascade,
+        primary key (application_id, organization_scope_id)
+      );
+    `);
+
+    await enableRls(pool, database, 'application_user_consent_organization_scopes');
+
+    await pool.query(sql`
+      create table application_user_consent_user_scopes (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the application. */
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** The unique UserScope enum value @see (@logto/core-kit) for reference */
+        user_scope varchar(64) not null,
+        primary key (application_id, user_scope)
+      );
+    `);
+
+    await enableRls(pool, database, 'application_user_consent_user_scopes');
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop table application_user_consent_resource_scopes;
+      drop table application_user_consent_organization_scopes;
+      drop table application_user_consent_user_scopes;
+    `);
+  },
+};
+
+export default alteration;
--- a/packages/schemas/tables/application_user_consent_organization_scopes.sql
+++ b/packages/schemas/tables/application_user_consent_organization_scopes.sql
@ -0,0 +1,14 @@
+/* init_order = 2 */
+
+/** The organization scopes (permissions) assigned to an application. */
+create table application_user_consent_organization_scopes (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the application. */
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the organization scope. */
+  organization_scope_id varchar(21) not null
+    references organization_scopes (id) on update cascade on delete cascade,
+  primary key (application_id, organization_scope_id)
+);
--- a/packages/schemas/tables/application_user_consent_resource_scopes.sql
+++ b/packages/schemas/tables/application_user_consent_resource_scopes.sql
@ -0,0 +1,14 @@
+/* init_order = 3 */
+
+/** The resource scopes (permissions) assigned to an application's consent request. */
+create table application_user_consent_resource_scopes (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the application. */
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the resource scope. */
+  scope_id varchar(21) not null
+    references scopes (id) on update cascade on delete cascade,
+  primary key (application_id, scope_id)
+);
--- a/packages/schemas/tables/application_user_consent_user_scopes.sql
+++ b/packages/schemas/tables/application_user_consent_user_scopes.sql
@ -0,0 +1,13 @@
+/* init_order = 2 */
+
+/** The user scopes (permissions) assigned to an application */
+create table application_user_consent_user_scopes (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the application. */
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The unique UserScope enum value @see (@logto/core-kit/open-id.js) for more details */
+  user_scope varchar(64) not null,
+  primary key (application_id, user_scope)
+);