feat(core,schemas): add user_social_identity_ids table

add user_social_identity_ids table

Author: simeng-li

packages/core/src/queries/user-social-identity-ids.ts

@@ -0,0 +1,27 @@
+import { type UserSocialIdentityId, UserSocialIdentityIds } from '@logto/schemas';
+import { sql, type CommonQueryMethods } from '@silverhand/slonik';
+
+import { convertToIdentifiers } from '../utils/sql.js';
+
+const { table, fields } = convertToIdentifiers(UserSocialIdentityIds);
+
+/**
+ * The `UserSocialIdentityIds` table is automatically synchronized with the `Users` table
+ * through a database trigger. This table serves as a read-only view of user social identity IDs.
+ *
+ * Important: This table should only be queried for reading data. Any write operations
+ * should be performed on the `Users` table instead, as the trigger will handle the synchronization.
+ */
+export const createUserSocialIdentityIdsQueries = (pool: CommonQueryMethods) => {
+  const findUserSocialIdentityIdsByUserId = async (userId: string) => {
+    return pool.any<UserSocialIdentityId>(sql`
+      select ${sql.join(Object.values(fields), sql`, `)}
+      from ${table}
+      where ${fields.userId}=${userId}
+    `);
+  };
+
+  return {
+    findUserSocialIdentityIdsByUserId,
+  };
+};

packages/core/src/routes/admin-user/social.ts

@@ -4,6 +4,7 @@ import {
   identityGuard,
   identitiesGuard,
   userProfileResponseGuard,
+  UserSocialIdentityIds,
 } from '@logto/schemas';
 import { has } from '@silverhand/essentials';
 import { object, record, string, unknown } from 'zod';
@@ -12,6 +13,7 @@ import RequestError from '#src/errors/RequestError/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import assertThat from '#src/utils/assert-that.js';
 
+import { EnvSet } from '../../env-set/index.js';
 import { transpileUserProfileResponse } from '../../utils/user.js';
 import type { ManagementApiRouter, RouterInitArgs } from '../types.js';
 
@@ -21,6 +23,7 @@ export default function adminUserSocialRoutes<T extends ManagementApiRouter>(
   const {
     queries: {
       users: { findUserById, updateUserById, hasUserWithIdentity, deleteUserIdentity },
+      userSocialIdentityIds: { findUserSocialIdentityIdsByUserId },
     },
     connectors: { getLogtoConnectorById },
   } = tenant;
@@ -154,4 +157,27 @@ export default function adminUserSocialRoutes<T extends ManagementApiRouter>(
       return next();
     }
   );
+
+  // For intergration test use only
+  if (EnvSet.values.isIntegrationTest) {
+    router.get(
+      '/users/:userId/identity-ids',
+      koaGuard({
+        params: object({ userId: string() }),
+        response: UserSocialIdentityIds.guard.array(),
+        status: [200],
+      }),
+      async (ctx, next) => {
+        const {
+          params: { userId },
+        } = ctx.guard;
+
+        const identityIds = await findUserSocialIdentityIdsByUserId(userId);
+
+        ctx.body = identityIds;
+
+        return next();
+      }
+    );
+  }
 }

packages/core/src/tenants/Queries.ts

@@ -41,6 +41,7 @@ import { OidcSessionExtensionsQueries } from '../queries/oidc-session-extensions
 import { PersonalAccessTokensQueries } from '../queries/personal-access-tokens.js';
 import { createSentinelActivitiesQueries } from '../queries/sentinel-activities.js';
 import TenantUsageQuery from '../queries/tenant-usage/index.js';
+import { createUserSocialIdentityIdsQueries } from '../queries/user-social-identity-ids.js';
 import { VerificationRecordQueries } from '../queries/verification-records.js';
 
 export default class Queries {
@@ -84,6 +85,7 @@ export default class Queries {
   captchaProviders = new CaptchaProviderQueries(this.pool);
   sentinelActivities = createSentinelActivitiesQueries(this.pool);
   oidcSessionExtensions = new OidcSessionExtensionsQueries(this.pool);
+  userSocialIdentityIds = createUserSocialIdentityIdsQueries(this.pool);
 
   constructor(
     public readonly pool: CommonQueryMethods,

packages/integration-tests/src/api/admin-user.ts

@@ -8,6 +8,7 @@ import type {
   PersonalAccessToken,
   Role,
   User,
+  UserSocialIdentityId,
   UserSsoIdentity,
   UsersPasswordEncryptionMethod,
 } from '@logto/schemas';
@@ -157,3 +158,7 @@ export const updatePersonalAccessToken = async (
       json: body,
     })
     .json<PersonalAccessToken>();
+
+export const getUserIdentityIds = async (userId: string) => {
+  return authedAdminApi.get(`users/${userId}/identity-ids`).json<UserSocialIdentityId[]>();
+};

packages/integration-tests/src/tests/api/admin-user.identities.test.ts

@@ -0,0 +1,168 @@
+import { ConnectorType } from '@logto/connector-kit';
+
+import {
+  mockSocialConnectorId,
+  mockSocialConnectorConfig,
+  mockSocialConnectorTarget,
+} from '#src/__mocks__/connectors-mock.js';
+import {
+  postUserIdentity,
+  putUserIdentity,
+  getUser,
+  deleteUserIdentity,
+  getUserIdentityIds,
+} from '#src/api/admin-user.js';
+import {
+  postConnector,
+  getConnectorAuthorizationUri,
+  deleteConnectorById,
+} from '#src/api/connector.js';
+import { clearConnectorsByTypes } from '#src/helpers/connector.js';
+import { createUserByAdmin } from '#src/helpers/index.js';
+import { createNewSocialUserWithUsernameAndPassword } from '#src/helpers/interactions.js';
+import { randomString } from '#src/utils.js';
+
+describe('admin user identities management API', () => {
+  beforeAll(async () => {
+    await clearConnectorsByTypes([ConnectorType.Social]);
+  });
+
+  it('should link social identity successfully', async () => {
+    const { id: connectorId } = await postConnector({
+      connectorId: mockSocialConnectorId,
+      config: mockSocialConnectorConfig,
+    });
+
+    const state = 'random_state';
+    const redirectUri = 'http://mock-social/callback/random_string';
+    const code = 'random_code_from_social';
+    const socialUserId = 'social_platform_user_id_' + randomString();
+    const socialUserEmail = `johndoe_${randomString()}@gmail.com`;
+    const anotherSocialUserId = 'another_social_platform_user_id_' + randomString();
+    const socialTarget = 'social_target';
+    const socialIdentity = {
+      userId: 'social_identity_user_id_' + randomString(),
+      details: {
+        age: 21,
+        email: 'foo@logto.io',
+      },
+    };
+
+    const { id: userId } = await createUserByAdmin();
+    const { redirectTo } = await getConnectorAuthorizationUri(connectorId, state, redirectUri);
+
+    expect(redirectTo).toBe(`http://mock-social/?state=${state}&redirect_uri=${redirectUri}`);
+
+    const identities = await postUserIdentity(userId, connectorId, {
+      code,
+      state,
+      redirectUri,
+      userId: socialUserId,
+      email: socialUserEmail,
+    });
+
+    expect(identities).toHaveProperty(mockSocialConnectorTarget);
+    expect(identities[mockSocialConnectorTarget]).toMatchObject({
+      userId: socialUserId,
+      details: {
+        id: socialUserId,
+        email: socialUserEmail,
+        rawData: {
+          code,
+          email: socialUserEmail,
+          redirectUri,
+          state,
+          userId: socialUserId,
+        },
+      },
+    });
+
+    // Check user identity ids are synced
+    const userIdentityIds = await getUserIdentityIds(userId);
+    expect(userIdentityIds).toHaveLength(1);
+    expect(userIdentityIds[0]).toMatchObject({
+      userId,
+      target: mockSocialConnectorTarget,
+      identityId: socialUserId,
+    });
+
+    const updatedIdentity = await putUserIdentity(userId, mockSocialConnectorTarget, {
+      userId: anotherSocialUserId,
+      details: {
+        id: anotherSocialUserId,
+        rawData: {
+          userId: anotherSocialUserId,
+        },
+      },
+    });
+
+    expect(updatedIdentity).toHaveProperty(mockSocialConnectorTarget);
+    expect(updatedIdentity[mockSocialConnectorTarget]).toMatchObject({
+      userId: anotherSocialUserId,
+      details: {
+        id: anotherSocialUserId,
+        rawData: {
+          userId: anotherSocialUserId,
+        },
+      },
+    });
+
+    // Check user identity ids are updated
+    const updatedUserIdentityIds = await getUserIdentityIds(userId);
+    expect(updatedUserIdentityIds).toHaveLength(1);
+    expect(updatedUserIdentityIds[0]).toMatchObject({
+      userId,
+      target: mockSocialConnectorTarget,
+      identityId: anotherSocialUserId,
+    });
+
+    const updatedIdentities = await putUserIdentity(userId, socialTarget, socialIdentity);
+    expect(updatedIdentities).toMatchObject({
+      [mockSocialConnectorTarget]: {
+        userId: anotherSocialUserId,
+      },
+      [socialTarget]: socialIdentity,
+    });
+
+    // Check new user identity id
+    const newUserIdentityIds = await getUserIdentityIds(userId);
+    expect(newUserIdentityIds).toHaveLength(2);
+    expect(
+      newUserIdentityIds.find(
+        ({ target, identityId }) => target === socialTarget && identityId === socialIdentity.userId
+      )
+    ).toBeTruthy();
+
+    await deleteConnectorById(connectorId);
+  });
+
+  it('should delete user identities successfully', async () => {
+    const { id: connectorId } = await postConnector({
+      connectorId: mockSocialConnectorId,
+      config: mockSocialConnectorConfig,
+    });
+
+    const createdUserId = await createNewSocialUserWithUsernameAndPassword(connectorId);
+
+    const userInfo = await getUser(createdUserId);
+    expect(userInfo.identities).toHaveProperty(mockSocialConnectorTarget);
+
+    const useIdentityIds = await getUserIdentityIds(createdUserId);
+    expect(useIdentityIds).toHaveLength(1);
+    expect(useIdentityIds[0]).toMatchObject({
+      userId: createdUserId,
+      target: mockSocialConnectorTarget,
+      identityId: userInfo.identities[mockSocialConnectorTarget]?.userId,
+    });
+
+    await deleteUserIdentity(createdUserId, mockSocialConnectorTarget);
+
+    const updatedUser = await getUser(createdUserId);
+    expect(updatedUser.identities).not.toHaveProperty(mockSocialConnectorTarget);
+
+    const updatedIdentityIds = await getUserIdentityIds(createdUserId);
+    expect(updatedIdentityIds).toHaveLength(0);
+
+    await deleteConnectorById(connectorId);
+  });
+});

packages/integration-tests/src/tests/api/admin-user.test.ts

@@ -1,38 +1,23 @@
 import { UsersPasswordEncryptionMethod, ConnectorType } from '@logto/schemas';
 import { HTTPError } from 'ky';
 
-import {
-  mockSocialConnectorConfig,
-  mockSocialConnectorId,
-  mockSocialConnectorTarget,
-} from '#src/__mocks__/connectors-mock.js';
 import {
   getUser,
   updateUser,
   deleteUser,
   updateUserPassword,
-  deleteUserIdentity,
-  postConnector,
-  getConnectorAuthorizationUri,
-  deleteConnectorById,
-  postUserIdentity,
   verifyUserPassword,
-  putUserIdentity,
   updateUserProfile,
 } from '#src/api/index.js';
 import { clearConnectorsByTypes } from '#src/helpers/connector.js';
 import { createUserByAdmin, expectRejects } from '#src/helpers/index.js';
-import {
-  createNewSocialUserWithUsernameAndPassword,
-  signInWithPassword,
-} from '#src/helpers/interactions.js';
+import { signInWithPassword } from '#src/helpers/interactions.js';
 import { enableAllPasswordSignInMethods } from '#src/helpers/sign-in-experience.js';
 import {
   generateUsername,
   generateEmail,
   generatePhone,
   generatePassword,
-  randomString,
   generateNationalPhoneNumber,
 } from '#src/utils.js';
 
@@ -210,108 +195,6 @@ describe('admin console user management', () => {
     expect(userEntity.updatedAt).toBeGreaterThan(updatedAt);
   });
 
-  it('should link social identity successfully', async () => {
-    const { id: connectorId } = await postConnector({
-      connectorId: mockSocialConnectorId,
-      config: mockSocialConnectorConfig,
-    });
-
-    const state = 'random_state';
-    const redirectUri = 'http://mock-social/callback/random_string';
-    const code = 'random_code_from_social';
-    const socialUserId = 'social_platform_user_id_' + randomString();
-    const socialUserEmail = `johndoe_${randomString()}@gmail.com`;
-    const anotherSocialUserId = 'another_social_platform_user_id_' + randomString();
-    const socialTarget = 'social_target';
-    const socialIdentity = {
-      userId: 'social_identity_user_id_' + randomString(),
-      details: {
-        age: 21,
-        email: 'foo@logto.io',
-      },
-    };
-
-    const { id: userId } = await createUserByAdmin();
-    const { redirectTo } = await getConnectorAuthorizationUri(connectorId, state, redirectUri);
-
-    expect(redirectTo).toBe(`http://mock-social/?state=${state}&redirect_uri=${redirectUri}`);
-
-    const identities = await postUserIdentity(userId, connectorId, {
-      code,
-      state,
-      redirectUri,
-      userId: socialUserId,
-      email: socialUserEmail,
-    });
-
-    expect(identities).toHaveProperty(mockSocialConnectorTarget);
-    expect(identities[mockSocialConnectorTarget]).toMatchObject({
-      userId: socialUserId,
-      details: {
-        id: socialUserId,
-        email: socialUserEmail,
-        rawData: {
-          code,
-          email: socialUserEmail,
-          redirectUri,
-          state,
-          userId: socialUserId,
-        },
-      },
-    });
-
-    const updatedIdentity = await putUserIdentity(userId, mockSocialConnectorTarget, {
-      userId: anotherSocialUserId,
-      details: {
-        id: anotherSocialUserId,
-        rawData: {
-          userId: anotherSocialUserId,
-        },
-      },
-    });
-
-    expect(updatedIdentity).toHaveProperty(mockSocialConnectorTarget);
-    expect(updatedIdentity[mockSocialConnectorTarget]).toMatchObject({
-      userId: anotherSocialUserId,
-      details: {
-        id: anotherSocialUserId,
-        rawData: {
-          userId: anotherSocialUserId,
-        },
-      },
-    });
-
-    const updatedIdentities = await putUserIdentity(userId, socialTarget, socialIdentity);
-    expect(updatedIdentities).toMatchObject({
-      [mockSocialConnectorTarget]: {
-        userId: anotherSocialUserId,
-      },
-      [socialTarget]: socialIdentity,
-    });
-
-    await deleteConnectorById(connectorId);
-  });
-
-  it('should delete user identities successfully', async () => {
-    const { id: connectorId } = await postConnector({
-      connectorId: mockSocialConnectorId,
-      config: mockSocialConnectorConfig,
-    });
-
-    const createdUserId = await createNewSocialUserWithUsernameAndPassword(connectorId);
-
-    const userInfo = await getUser(createdUserId);
-    expect(userInfo.identities).toHaveProperty(mockSocialConnectorTarget);
-
-    await deleteUserIdentity(createdUserId, mockSocialConnectorTarget);
-
-    const updatedUser = await getUser(createdUserId);
-
-    expect(updatedUser.identities).not.toHaveProperty(mockSocialConnectorTarget);
-
-    await deleteConnectorById(connectorId);
-  });
-
   it('should return 204 if password is correct', async () => {
     const user = await createUserByAdmin({ password: 'new_password' });
     expect(await verifyUserPassword(user.id, 'new_password')).toHaveProperty('status', 204);

packages/schemas/alterations/next-1750063177-add-user-social-identity-ids-table.ts

@@ -0,0 +1,99 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table if not exists user_social_identity_ids (
+        tenant_id varchar(21) not null
+          references tenants(id) on update cascade on delete cascade,
+        user_id varchar(12) not null
+          references users (id) on update cascade on delete cascade,
+        target varchar(256) not null,
+        identity_id varchar(128) not null,
+        created_at timestamptz not null default (now()),
+        primary key (tenant_id, user_id, target),
+        constraint user_social_identity_ids__tenant_id__target__identity_id
+          unique (tenant_id, target, identity_id)
+      );
+    `);
+
+    await applyTableRls(pool, 'user_social_identity_ids');
+
+    await pool.query(sql`
+      create function sync_user_social_identity_ids()
+      returns trigger as $$
+      declare
+        target_key text;
+        identity_value jsonb;
+        existing_targets text[];
+      begin
+        -- skip sync if this is an update and identities haven't changed
+        if tg_op = 'UPDATE' and new.identities is not distinct from old.identities then
+          return new;
+        end if;
+
+        -- extract all target keys from the new identities jsonb
+        select array_agg(key) into existing_targets
+        from jsonb_object_keys(new.identities) as key;
+
+        -- delete entries for this user that no longer exist in the new identities
+        delete from user_social_identity_ids
+        where user_id = new.id
+          and tenant_id = new.tenant_id
+          and target not in (select * from unnest(existing_targets));
+
+        -- upsert each identity entry
+        for target_key, identity_value in
+          select * from jsonb_each(new.identities)
+        loop
+          insert into user_social_identity_ids (
+            tenant_id,
+            user_id,
+            target,
+            identity_id
+          )
+          values (
+            new.tenant_id,
+            new.id,
+            target_key,
+            identity_value ->> 'userId'
+          )
+          -- update the identity_id if target already exists
+          on conflict (tenant_id, user_id, target)
+          do update set identity_id = excluded.identity_id;
+        end loop;
+
+        return new;
+      end;
+      $$ language plpgsql;
+    `);
+
+    await pool.query(sql`
+      create trigger sync_user_social_identity_ids_trigger
+        after insert or update of identities on users
+        for each row
+        execute procedure sync_user_social_identity_ids();
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop trigger if exists sync_user_social_identity_ids_trigger on users;
+    `);
+
+    await pool.query(sql`
+      drop function if exists sync_user_social_identity_ids() cascade;
+    `);
+
+    await dropTableRls(pool, 'user_social_identity_ids');
+
+    await pool.query(sql`
+      drop table if exists user_social_identity_ids;
+    `);
+  },
+};
+
+export default alteration;

packages/schemas/tables/user-social-identitiy-ids.sql

@@ -0,0 +1,69 @@
+/* init_order = 2 */
+
+create table user_social_identity_ids (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  user_id varchar(12) not null
+    references users (id) on update cascade on delete cascade,
+  /** Unique social provider identifier. E.g., 'google', 'facebook', etc. */
+  target varchar(256) not null,
+  /** Unique identifier for the user in the social provider. */
+  identity_id varchar(128) not null,
+  created_at timestamptz not null default (now()),
+  primary key (tenant_id, user_id, target),
+  constraint user_social_identity_ids__tenant_id__target__identity_id
+    unique (tenant_id, target, identity_id)
+);
+
+create function sync_user_social_identity_ids()
+returns trigger as $$
+declare
+  target_key text;
+  identity_value jsonb;
+  existing_targets text[];
+begin
+  -- skip sync if this is an update and identities haven't changed
+  if tg_op = 'UPDATE' and new.identities is not distinct from old.identities then
+    return new;
+  end if;
+
+  -- extract all target keys from the new identities jsonb
+  select array_agg(key) into existing_targets
+  from jsonb_object_keys(new.identities) as key;
+
+  -- delete entries for this user that no longer exist in the new identities
+  delete from user_social_identity_ids
+  where user_id = new.id
+    and tenant_id = new.tenant_id
+    and target not in (select * from unnest(existing_targets));
+
+  -- upsert each identity entry
+  for target_key, identity_value in
+    select * from jsonb_each(new.identities)
+  loop
+    insert into user_social_identity_ids (
+      tenant_id,
+      user_id,
+      target,
+      identity_id
+    )
+    values (
+      new.tenant_id,
+      new.id,
+      target_key,
+      identity_value ->> 'userId'
+    )
+    -- update the identity_id if target already exists
+    on conflict (tenant_id, user_id, target)
+    do update set identity_id = excluded.identity_id;
+  end loop;
+
+  return new;
+end;
+$$ language plpgsql;
+
+
+create trigger sync_user_social_identity_ids_trigger
+  after insert or update of identities on users
+  for each row
+  execute function sync_user_social_identity_ids();