import { generateStandardId } from '@logto/shared/universal'; import type { CommonQueryMethods } from 'slonik'; import { sql } from 'slonik'; import { raw } from 'slonik-sql-tag-raw'; import type { AlterationScript } from '../lib/types/alteration.js'; const adminTenantId = 'admin'; const getId = (value: string) => sql.identifier([value]); const getDatabaseName = async (pool: CommonQueryMethods) => { const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql` select current_database(); `); return currentDatabase.replaceAll('-', '_'); }; const addManagementApiData = async (pool: CommonQueryMethods) => { const resourceId = generateStandardId(); const roleId = generateStandardId(); const scopeId = generateStandardId(); await pool.query(sql` insert into resources (tenant_id, id, indicator, name) values ( ${adminTenantId}, ${resourceId}, 'https://default.logto.app/api', 'Logto Management API for tenant default' ); `); await pool.query(sql` insert into scopes (tenant_id, id, name, description, resource_id) values ( ${adminTenantId}, ${scopeId}, 'all', 'Default scope for Management API, allows all permissions.', ${resourceId} ); `); await pool.query(sql` insert into roles (tenant_id, id, name, description) values ( ${adminTenantId}, ${roleId}, 'default:admin', 'Admin role for Logto.' ); `); await pool.query(sql` insert into roles_scopes (tenant_id, id, role_id, scope_id) values ( ${adminTenantId}, ${generateStandardId()}, ${roleId}, ${scopeId} ); `); }; const addMeApiData = async (pool: CommonQueryMethods) => { const resourceId = generateStandardId(); const roleId = generateStandardId(); const scopeId = generateStandardId(); await pool.query(sql` insert into resources (tenant_id, id, indicator, name) values ( ${adminTenantId}, ${resourceId}, 'https://admin.logto.app/me', 'Logto Me API' ); `); await pool.query(sql` insert into scopes (tenant_id, id, name, description, resource_id) values ( ${adminTenantId}, ${scopeId}, 'all', 'Default scope for Me API, allows all permissions.', ${resourceId} ); `); await pool.query(sql` insert into roles (tenant_id, id, name, description) values ( ${adminTenantId}, ${roleId}, 'user', 'Default role for admin tenant.' ); `); await pool.query(sql` insert into roles_scopes (tenant_id, id, role_id, scope_id) values ( ${adminTenantId}, ${generateStandardId()}, ${roleId}, ${scopeId} ); `); }; const alteration: AlterationScript = { up: async (pool) => { const database = await getDatabaseName(pool); // Update function await pool.query(sql` create or replace function set_tenant_id() returns trigger as $$ begin if new.tenant_id is not null then return new; end if; select tenants.id into new.tenant_id from tenants where tenants.db_user = current_user; return new; end; $$ language plpgsql; `); // Update users table constraint await pool.query(sql` alter table users drop constraint users_username_key, add constraint users__username unique (tenant_id, username), drop constraint users_primary_email_key, add constraint users__primary_email unique (tenant_id, primary_email), drop constraint users_primary_phone_key, add constraint users__primary_phone unique (tenant_id, primary_phone); `); // Update old resource await pool.query(sql` update resources set indicator = 'https://default.logto.app/api' where indicator = 'https://api.logto.io'; `); // Create admin tenant const baseRole = `logto_tenant_${database}`; const role = `logto_tenant_${database}_${adminTenantId}`; const password = generateStandardId(32); await pool.query(sql` insert into tenants (id, db_user, db_user_password) values (${adminTenantId}, ${role}, ${password}); `); await pool.query(sql` create role ${getId(role)} with inherit login password '${raw(password)}' in role ${getId(baseRole)}; `); await addManagementApiData(pool); await addMeApiData(pool); }, down: async (pool) => { const database = await getDatabaseName(pool); const role = `logto_tenant_${database}_${adminTenantId}`; // Drop role and tenant await pool.query(sql` drop role ${getId(role)}; `); await pool.query(sql` delete from tenants where id = ${adminTenantId}; `); // Restore users table constraint await pool.query(sql` alter table users drop constraint users__username, add constraint users_username_key unique (username), drop constraint users__primary_email, add constraint users_primary_email_key unique (primary_email), drop constraint users__primary_phone, add constraint users_primary_phone_key unique (primary_phone); `); // Restore old resource await pool.query(sql` update resources set indicator = 'https://api.logto.io' where indicator = 'https://default.logto.app/api'; `); // Update function await pool.query(sql` create or replace function set_tenant_id() returns trigger as $$ begin select tenants.id into new.tenant_id from tenants where ('tenant_user_' || tenants.id) = current_user; if new.tenant_id is null then new.tenant_id := 'default'; end if; return new; end; $$ language plpgsql; `); }, }; export default alteration;