From ec0f0c35f84dd315a0d79aaff5a11418b193a4c7 Mon Sep 17 00:00:00 2001
From: simeng-li
Date: Wed, 13 Nov 2024 10:29:14 +0800
Subject: [PATCH] feat(schemas,core): add unknown session redirect url to sie (#6796)

* feat(schemas,core): add unknown session redirect url to sie

add unknown session redirect url config to sie settings

* chore(core): update openapi docs

update openapi docs

* fix(core): fix typo

fix typo

* fix(core): fix typo

Co-authored-by: Charles Zhao

---------

Co-authored-by: Charles Zhao
---
 .../core/src/__mocks__/sign-in-experience.ts | 1 +
 .../src/queries/sign-in-experience.test.ts | 2 +-
 .../sign-in-experience/index.openapi.json | 18 ++++++++++++++
 .../routes/sign-in-experience/index.test.ts | 24 +++++++++++++++++++
 .../src/routes/sign-in-experience/index.ts | 2 ++
 .../experience-legacy/src/__mocks__/logto.tsx | 2 ++
 packages/experience/src/__mocks__/logto.tsx | 2 ++
 ...add-unknown-session-redirect-url-to-sie.ts | 20 ++++++++++++++++
 .../schemas/tables/sign_in_experiences.sql | 1 +
 9 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 packages/schemas/alterations/next-1731377260-add-unknown-session-redirect-url-to-sie.ts

diff --git a/packages/core/src/__mocks__/sign-in-experience.ts b/packages/core/src/__mocks__/sign-in-experience.ts
index 02d5eb88e..669bd5ca3 100644
--- a/packages/core/src/__mocks__/sign-in-experience.ts
+++ b/packages/core/src/__mocks__/sign-in-experience.ts
@@ -102,4 +102,5 @@ export const mockSignInExperience: SignInExperience = {
 socialSignIn: {},
 supportEmail: null,
 supportWebsiteUrl: null,
+ unknownSessionRedirectUrl: null,
 };
diff --git a/packages/core/src/queries/sign-in-experience.test.ts b/packages/core/src/queries/sign-in-experience.test.ts
index be4631956..ac75818a2 100644
--- a/packages/core/src/queries/sign-in-experience.test.ts
+++ b/packages/core/src/queries/sign-in-experience.test.ts
@@ -41,7 +41,7 @@ describe('sign-in-experience query', () => {
 it('findDefaultSignInExperience', async () => {
 /* eslint-disable sql/no-unsafe-query */
 const expectSql = `
- select "tenant_id", "id", "color", "branding", "language_info", "terms_of_use_url", "privacy_policy_url", "agree_to_terms_policy", "sign_in", "sign_up", "social_sign_in", "social_sign_in_connector_targets", "sign_in_mode", "custom_css", "custom_content", "custom_ui_assets", "password_policy", "mfa", "single_sign_on_enabled", "support_email", "support_website_url"
+ select "tenant_id", "id", "color", "branding", "language_info", "terms_of_use_url", "privacy_policy_url", "agree_to_terms_policy", "sign_in", "sign_up", "social_sign_in", "social_sign_in_connector_targets", "sign_in_mode", "custom_css", "custom_content", "custom_ui_assets", "password_policy", "mfa", "single_sign_on_enabled", "support_email", "support_website_url", "unknown_session_redirect_url"
 from "sign_in_experiences"
 where "id"=$1
 `;
diff --git a/packages/core/src/routes/sign-in-experience/index.openapi.json b/packages/core/src/routes/sign-in-experience/index.openapi.json
index 474535039..40108f981 100644
--- a/packages/core/src/routes/sign-in-experience/index.openapi.json
+++ b/packages/core/src/routes/sign-in-experience/index.openapi.json
@@ -51,6 +51,15 @@
 },
 "mfa": {
 "description": "MFA settings"
+ },
+ "supportEmail": {
+ "description": "The support email address to display on the error pages."
+ },
+ "supportWebsiteUrl": {
+ "description": "The support website URL to display on the error pages."
+ },
+ "unknownSessionRedirectUrl": {
+ "description": "The fallback URL to redirect users when the sign-in session does not exist or unknown. Client should initiates a new authentication flow after the redirection."
 }
 }
 }
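Review bot: The `unknownSessionRedirectUrl` description added in the `@@ -51,6 +51,15 @@` hunk still reads `Client should initiates`, while the second copy of the same text in the `@@ -111,6 +120,15 @@` hunk says `initiate`, so the typo fix reached only one of the two copies. Both copies also say `does not exist or unknown`, which reads better as `does not exist or is unknown`. Because this value is a redirect target, the description would be more useful if it stated that an absolute URL is expected and that `null` or an empty string is accepted, which is what the PATCH guard in `index.ts` appears to allow.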
@@ -111,6 +120,15 @@
 },
 "mfa": {
 "description": "MFA settings"
+ },
+ "supportEmail": {
+ "description": "The support email address to display on the error pages."
+ },
+ "supportWebsiteUrl": {
+ "description": "The support website URL to display on the error pages."
+ },
+ "unknownSessionRedirectUrl": {
+ "description": "The fallback URL to redirect users when the sign-in session does not exist or unknown. Client should initiate a new authentication flow after the redirection."
 }
 }
 }
diff --git a/packages/core/src/routes/sign-in-experience/index.test.ts b/packages/core/src/routes/sign-in-experience/index.test.ts
index 947b66414..53ad965b9 100644
--- a/packages/core/src/routes/sign-in-experience/index.test.ts
+++ b/packages/core/src/routes/sign-in-experience/index.test.ts
@@ -232,4 +232,28 @@ describe('PATCH /sign-in-exp', () => {
 },
 });
 });
+
+ it('should guard unknown session redirect URL field format', async () => {
+ const exception = await signInExperienceRequester
+ .patch('/sign-in-exp')
+ .send({ unknownSessionRedirectUrl: 'invalid' });
+
+ expect(exception).toMatchObject({
+ status: 400,
+ });
+
+ const unknownSessionRedirectUrl = 'https://logto.io';
+
+ const response = await signInExperienceRequester.patch('/sign-in-exp').send({
+ unknownSessionRedirectUrl,
+ });
+
+ expect(response).toMatchObject({
+ status: 200,
+ body: {
+ ...mockSignInExperience,
+ unknownSessionRedirectUrl,
+ },
+ });
+ });
 });
diff --git a/packages/core/src/routes/sign-in-experience/index.ts b/packages/core/src/routes/sign-in-experience/index.ts
index cc38ddb8f..a7ec6f1ae 100644
--- a/packages/core/src/routes/sign-in-experience/index.ts
+++ b/packages/core/src/routes/sign-in-experience/index.ts
@@ -55,6 +55,7 @@ export default function signInExperiencesRoutes(
 privacyPolicyUrl: true,
 supportEmail: true,
 supportWebsiteUrl: true,
+ unknownSessionRedirectUrl: true,
 })
 .merge(
 object({
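Review bot: The new case in `index.test.ts` sends only two inputs, the non-URL string `'invalid'` and `'https://logto.io'`, so the `null` and `''` values that the route guard explicitly allows are not pinned by any assertion. One request per accepted shape, each asserting status 200 and the stored value, would document how the field is cleared. A naming point: the first result is a response with status 400 rather than a thrown error, so a name such as `invalidResponse` would describe it better than `exception`. The enclosing `describe` block starts outside the hunk.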
@@ -62,6 +63,7 @@ export default function signInExperiencesRoutes(
 privacyPolicyUrl: string().url().optional().nullable().or(literal('')),
 supportEmail: string().email().optional().nullable().or(literal('')),
 supportWebsiteUrl: string().url().optional().nullable().or(literal('')),
+ unknownSessionRedirectUrl: string().url().optional().nullable().or(literal('')),
 })
 )
 .partial(),
diff --git a/packages/experience-legacy/src/__mocks__/logto.tsx b/packages/experience-legacy/src/__mocks__/logto.tsx
index 03e13c53e..95d6ce559 100644
--- a/packages/experience-legacy/src/__mocks__/logto.tsx
+++ b/packages/experience-legacy/src/__mocks__/logto.tsx
@@ -116,6 +116,7 @@ export const mockSignInExperience: SignInExperience = {
 socialSignIn: {},
 supportEmail: null,
 supportWebsiteUrl: null,
+ unknownSessionRedirectUrl: null,
 };
 
 export const mockSignInExperienceSettings: SignInExperienceResponse = {
@@ -153,6 +154,7 @@ export const mockSignInExperienceSettings: SignInExperienceResponse = {
 socialSignIn: {},
 supportEmail: null,
 supportWebsiteUrl: null,
+ unknownSessionRedirectUrl: null,
 };
 
 const usernameSettings = {
diff --git a/packages/experience/src/__mocks__/logto.tsx b/packages/experience/src/__mocks__/logto.tsx
index 03e13c53e..95d6ce559 100644
--- a/packages/experience/src/__mocks__/logto.tsx
+++ b/packages/experience/src/__mocks__/logto.tsx
@@ -116,6 +116,7 @@ export const mockSignInExperience: SignInExperience = {
 socialSignIn: {},
 supportEmail: null,
 supportWebsiteUrl: null,
+ unknownSessionRedirectUrl: null,
 };
 
 export const mockSignInExperienceSettings: SignInExperienceResponse = {
@@ -153,6 +154,7 @@ export const mockSignInExperienceSettings: SignInExperienceResponse = {
 socialSignIn: {},
 supportEmail: null,
 supportWebsiteUrl: null,
+ unknownSessionRedirectUrl: null,
 };
 
 const usernameSettings = {
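Review bot: `unknownSessionRedirectUrl` is a redirect target, but the guard added in the `@@ -62,6 +63,7 @@` hunk, `string().url().optional().nullable().or(literal(''))`, only checks that the value parses as a URL. Assuming `string()` is zod's, `.url()` as far as I know accepts any scheme the URL parser understands, so `javascript:` or `data:` values would pass and be stored; whether that matters depends on how the experience app performs the redirect, which is not part of this commit. I would restrict the field to web schemes at write time, for example `.refine((value) => ['http:', 'https:'].includes(new URL(value).protocol))` directly after `.url()`, add a matching rejection case to `index.test.ts`, and have the code that consumes the value repeat the check, since the new column is plain `text` with no constraint. The `literal('')` branch also means `''` can be persisted alongside `null`, so the consumer should treat both as "not configured". The enclosing function starts and ends outside the hunk.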
diff --git a/packages/schemas/alterations/next-1731377260-add-unknown-session-redirect-url-to-sie.ts b/packages/schemas/alterations/next-1731377260-add-unknown-session-redirect-url-to-sie.ts
new file mode 100644
index 000000000..22c7e0ad6
--- /dev/null
+++ b/packages/schemas/alterations/next-1731377260-add-unknown-session-redirect-url-to-sie.ts
@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+ up: async (pool) => {
+ await pool.query(sql`
+ alter table sign_in_experiences
+ add column unknown_session_redirect_url text;
+ `);
+ },
+ down: async (pool) => {
+ await pool.query(sql`
+ alter table sign_in_experiences
+ drop column unknown_session_redirect_url;
+ `);
+ },
+};
+
+export default alteration;
diff --git a/packages/schemas/tables/sign_in_experiences.sql b/packages/schemas/tables/sign_in_experiences.sql
index 28be3dc81..4e7e0bb39 100644
--- a/packages/schemas/tables/sign_in_experiences.sql
+++ b/packages/schemas/tables/sign_in_experiences.sql
@@ -25,5 +25,6 @@ create table sign_in_experiences (
 single_sign_on_enabled boolean not null default false,
 support_email text,
 support_website_url text,
+ unknown_session_redirect_url text,
 primary key (tenant_id, id)
 );