feat(core): update application organizaiton role apis

.changeset/fresh-gorillas-obey.md

@@ -0,0 +1,7 @@
+---
+"@logto/core": minor
+---
+
+pagination is now optional for `GET /api/organizations/:id/users/:userId/roles`
+
+The default pagination is now removed. This isn't considered a breaking change, but we marked it as minor to get your attention. 

packages/core/src/routes/init.ts

@@ -12,6 +12,7 @@ import type TenantContext from '#src/tenants/TenantContext.js';
 import koaAuth from '../middleware/koa-auth/index.js';
 
 import adminUserRoutes from './admin-user/index.js';
+import applicationOrganizationRoutes from './applications/application-organization.js';
 import applicationProtectedAppMetadataRoutes from './applications/application-protected-app-metadata.js';
 import applicationRoleRoutes from './applications/application-role.js';
 import applicationSignInExperienceRoutes from './applications/application-sign-in-experience.js';
@@ -52,16 +53,17 @@ const createRouters = (tenant: TenantContext) => {
  managementRouter.use(koaTenantGuard(tenant.id, tenant.queries));
  managementRouter.use(koaManagementApiHooks(tenant.libraries.hooks));
 
+ // TODO: FIXME @sijie @darcy mount these routes in `applicationRoutes` instead
  applicationRoutes(managementRouter, tenant);
  applicationRoleRoutes(managementRouter, tenant);
+ applicationProtectedAppMetadataRoutes(managementRouter, tenant);
+ applicationOrganizationRoutes(managementRouter, tenant);
 
  // Third-party application related routes
  applicationUserConsentScopeRoutes(managementRouter, tenant);
  applicationSignInExperienceRoutes(managementRouter, tenant);
  applicationUserConsentOrganizationRoutes(managementRouter, tenant);
 
- applicationProtectedAppMetadataRoutes(managementRouter, tenant);
-
  logtoConfigRoutes(managementRouter, tenant);
  connectorRoutes(managementRouter, tenant);
  resourceRoutes(managementRouter, tenant);

packages/core/src/routes/organization-role/index.ts

@@ -60,9 +60,7 @@ export default function organizationRoleRoutes<T extends ManagementApiRouter>(
  }),
  async (ctx, next) => {
  const { limit, offset } = ctx.pagination;
-
  const search = parseSearchOptions(organizationRoleSearchKeys, ctx.guard.query);
-
  const [count, entities] = await roles.findAll(limit, offset, search);
 
  ctx.pagination.totalCount = count;

packages/core/src/routes/organization/application/index.openapi.json

@@ -82,6 +82,37 @@
  }
  }
  },
+ "/api/organizations/{id}/applications/roles": {
+ "post": {
+ "tags": ["Dev feature"],
+ "summary": "Assign roles to applications in an organization",
+ "description": "Assign roles to applications in the specified organization.",
+ "requestBody": {
+ "content": {
+ "application/json": {
+ "schema": {
+ "properties": {
+ "applicationIds": {
+ "description": "An array of application IDs to assign roles to."
+ },
+ "organizationRoleIds": {
+ "description": "An array of organization role IDs to assign to the applications."
+ }
+ }
+ }
+ }
+ }
+ },
+ "responses": {
+ "201": {
+ "description": "Roles were assigned to the applications successfully."
+ },
+ "422": {
+ "description": "At least one of the IDs provided is not valid. For example, the organization ID, application ID, or organization role ID does not exist; the application is not a member of the organization; or the role type is not assignable to the application."
+ }
+ }
+ }
+ },
  "/api/organizations/{id}/applications/{applicationId}/roles": {
  "get": {
  "tags": ["Dev feature"],

packages/core/src/routes/organization/application/index.ts

@@ -54,6 +54,35 @@ export default function applicationRoutes(
  }
  );
 
+ router.post(
+ '/:id/applications/roles',
+ koaGuard({
+ params: z.object({ id: z.string().min(1) }),
+ body: z.object({
+ applicationIds: z.string().min(1).array().nonempty(),
+ organizationRoleIds: z.string().min(1).array().nonempty(),
+ }),
+ status: [201, 422],
+ }),
+ async (ctx, next) => {
+ const { id } = ctx.guard.params;
+ const { applicationIds, organizationRoleIds } = ctx.guard.body;
+
+ await organizations.relations.appsRoles.insert(
+ ...organizationRoleIds.flatMap((organizationRoleId) =>
+ applicationIds.map((applicationId) => ({
+ organizationId: id,
+ applicationId,
+ organizationRoleId,
+ }))
+ )
+ );
+
+ ctx.status = 201;
+ return next();
+ }
+ );
+
  // MARK: Organization - application role relation routes
  applicationRoleRelationRoutes(router, organizations);
  }

packages/core/src/routes/organization/application/role-relations.ts

@@ -35,7 +35,7 @@ export default function applicationRoleRelationRoutes(
 
  router.get(
  pathname,
- koaPagination(),
+ koaPagination({ isOptional: true }),
  koaGuard({
  params: z.object(params),
  response: OrganizationRoles.guard.array(),
@@ -49,10 +49,14 @@ export default function applicationRoleRelationRoutes(
  {
  organizationId: id,
  applicationId,
- }
+ },
+ ctx.pagination.disabled ? undefined : ctx.pagination
  );
 
- ctx.pagination.totalCount = totalCount;
+ if (!ctx.pagination.disabled) {
+ ctx.pagination.totalCount = totalCount;
+ }
+
  ctx.body = entities;
  return next();
  }

packages/core/src/routes/organization/user/index.openapi.json

@@ -91,7 +91,7 @@
  "/api/organizations/{id}/users/roles": {
  "post": {
  "summary": "Assign roles to organization user members",
- "description": "Assign roles to user members of the specified organization with the given data.",
+ "description": "Assign roles to user members of the specified organization.",
  "requestBody": {
  "content": {
  "application/json": {
@@ -113,7 +113,7 @@
  "description": "Roles were assigned to organization users successfully."
  },
  "422": {
- "description": "At least one of the IDs provided is not valid. For example, the organization ID, user ID, or organization role ID does not exist; the user is not a member of the organization."
+ "description": "At least one of the IDs provided is not valid. For example, the organization ID, user ID, or organization role ID does not exist; the user is not a member of the organization; or the role type is not assignable to the user."
  }
  }
  }

packages/core/src/routes/organization/user/role-relations.ts

@@ -39,7 +39,7 @@ export default function userRoleRelationRoutes(
 
  router.get(
  pathname,
- koaPagination(),
+ koaPagination({ isOptional: true }),
  koaGuard({
  params: z.object(params),
  response: OrganizationRoles.guard.array(),
@@ -54,10 +54,12 @@ export default function userRoleRelationRoutes(
  organizationId: id,
  userId,
  },
- ctx.pagination
+ ctx.pagination.disabled ? undefined : ctx.pagination
  );
 
- ctx.pagination.totalCount = totalCount;
+ if (!ctx.pagination.disabled) {
+ ctx.pagination.totalCount = totalCount;
+ }
  ctx.body = entities;
  return next();
  }

packages/integration-tests/src/api/organization.ts

@@ -36,6 +36,16 @@ export class OrganizationApi extends ApiFactory<Organization, Omit<CreateOrganiz
  return super.getList(query) as Promise<OrganizationWithFeatured[]>;
  }
 
+ async addApplicationsRoles(
+ id: string,
+ applicationIds: string[],
+ organizationRoleIds: string[]
+ ): Promise<void> {
+ await authedAdminApi.post(`${this.path}/${id}/applications/roles`, {
+ json: { applicationIds, organizationRoleIds },
+ });
+ }
+
  async addUsers(id: string, userIds: string[]): Promise<void> {
  await authedAdminApi.post(`${this.path}/${id}/users`, { json: { userIds } });
  }
@@ -68,9 +78,9 @@ export class OrganizationApi extends ApiFactory<Organization, Omit<CreateOrganiz
  });
  }
 
- async getUserRoles(id: string, userId: string): Promise<OrganizationRole[]> {
+ async getUserRoles(id: string, userId: string, query?: Query): Promise<OrganizationRole[]> {
  return authedAdminApi
- .get(`${this.path}/${id}/users/${userId}/roles`)
+ .get(`${this.path}/${id}/users/${userId}/roles`, { searchParams: query })
  .json<OrganizationRole[]>();
  }
 
@@ -98,9 +108,24 @@ export class OrganizationApi extends ApiFactory<Organization, Omit<CreateOrganiz
  });
  }
 
- async getApplicationRoles(id: string, applicationId: string): Promise<OrganizationRole[]> {
+ async getApplicationRoles(
+ id: string,
+ applicationId: string,
+ page?: number,
+ pageSize?: number
+ ): Promise<OrganizationRole[]> {
+ const search = new URLSearchParams();
+
+ if (page) {
+ search.set('page', String(page));
+ }
+
+ if (pageSize) {
+ search.set('page_size', String(pageSize));
+ }
+
  return authedAdminApi
- .get(`${this.path}/${id}/applications/${applicationId}/roles`)
+ .get(`${this.path}/${id}/applications/${applicationId}/roles`, { searchParams: search })
  .json<OrganizationRole[]>();
  }
 

packages/integration-tests/src/helpers/organization.ts

@@ -137,10 +137,12 @@ export class OrganizationApiTest extends OrganizationApi {
  * when they are deleted by other tests.
  */
  async cleanUp(): Promise<void> {
- await Promise.all(
+ await Promise.all([
  // Use `trySafe` to avoid error when organization is deleted by other tests.
- this.organizations.map(async (organization) => trySafe(this.delete(organization.id)))
- );
+ ...this.organizations.map(async (organization) => trySafe(this.delete(organization.id))),
+ this.roleApi.cleanUp(),
+ this.scopeApi.cleanUp(),
+ ]);
  this.#organizations = [];
  }
 }

packages/integration-tests/src/tests/api/hook/hook.trigger.data.test.ts

@@ -340,7 +340,7 @@ describe('organization role data hook events', () => {
  });
 
  afterAll(async () => {
- await organizationScopeApi.cleanUp();
+ await Promise.all([organizationScopeApi.cleanUp(), roleApi.cleanUp()]);
  });
 
  it.each(organizationRoleDataHookTestCases)(

packages/integration-tests/src/tests/api/interaction/consent/happy-path.test.ts

@@ -152,11 +152,9 @@ describe('consent api', () => {
  });
 
  describe('get consent info with organization resource scopes', () => {
- const roleApi = new OrganizationRoleApiTest();
  const organizationApi = new OrganizationApiTest();
 
  afterEach(async () => {
- await roleApi.cleanUp();
  await organizationApi.cleanUp();
  });
 
@@ -167,7 +165,7 @@ describe('consent api', () => {
  const resource = await createResource(generateResourceName(), generateResourceIndicator());
  const scope = await createScope(resource.id, generateScopeName());
  const scope2 = await createScope(resource.id, generateScopeName());
- const role = await roleApi.create({
+ const role = await organizationApi.roleApi.create({
  name: generateRoleName(),
  resourceScopeIds: [scope.id],
  });
@@ -219,7 +217,7 @@ describe('consent api', () => {
 
  const resource = await createResource(generateResourceName(), generateResourceIndicator());
  const scope = await createScope(resource.id, generateScopeName());
- const role = await roleApi.create({
+ const role = await organizationApi.roleApi.create({
  name: generateRoleName(),
  resourceScopeIds: [scope.id],
  });
@@ -397,10 +395,12 @@ describe('consent api', () => {
  // Scope2 is removed because organization2 is not consented
  expect(getAccessTokenPayload(accessToken)).toHaveProperty('scope', scope.name);
 
- await roleApi.cleanUp();
- await organizationApi.cleanUp();
- await deleteResource(resource.id);
- await deleteUser(user.id);
+ await Promise.all([
+ roleApi.cleanUp(),
+ organizationApi.cleanUp(),
+ deleteResource(resource.id),
+ deleteUser(user.id),
+ ]);
  });
  });
 

packages/integration-tests/src/tests/api/organization/organization-application.test.ts

@@ -259,5 +259,59 @@ devFeatureTest.describe('organization application APIs', () => {
  expect.objectContaining({ code: 'entity.db_constraint_violated' })
  );
  });
+
+ it('should be able to assign multiple roles to multiple applications', async () => {
+ const organization = await organizationApi.create({ name: 'test' });
+ const roles = await Promise.all(
+ Array.from({ length: 30 }).map(async () =>
+ organizationApi.roleApi.create({
+ name: `test-${generateTestName()}`,
+ type: RoleType.MachineToMachine,
+ })
+ )
+ );
+ const applications = await Promise.all(
+ Array.from({ length: 3 }).map(async () =>
+ createApplication(generateTestName(), ApplicationType.MachineToMachine)
+ )
+ );
+
+ await organizationApi.applications.add(
+ organization.id,
+ applications.map(({ id }) => id)
+ );
+ await organizationApi.addApplicationsRoles(
+ organization.id,
+ applications.map(({ id }) => id),
+ roles.map(({ id }) => id)
+ );
+ const fetchedRoles = await Promise.all(
+ applications.map(async ({ id }) => organizationApi.getApplicationRoles(organization.id, id))
+ );
+
+ expect(fetchedRoles).toEqual(
+ Array.from({ length: 3 }).map(() =>
+ expect.arrayContaining(roles.map((role) => expect.objectContaining(role)))
+ )
+ );
+
+ // Test pagination
+ const fetchedRoles1 = await organizationApi.getApplicationRoles(
+ organization.id,
+ applications[0]!.id,
+ 1,
+ 20
+ );
+ const fetchedRoles2 = await organizationApi.getApplicationRoles(
+ organization.id,
+ applications[0]!.id,
+ 2,
+ 10
+ );
+ expect(fetchedRoles1).toHaveLength(20);
+ expect(fetchedRoles2).toHaveLength(10);
+ expect(roles).toEqual(expect.arrayContaining(fetchedRoles1));
+ expect(roles).toEqual(expect.arrayContaining(fetchedRoles2));
+ });
  });
 });