feat(schemas): add sentinel policy (#7249)

simeng-li · web-flow · commit 0acec77e6826 · 2025-04-11T10:29:16.000+08:00
* feat(schemas): add sentinel policy

add sentinel polity to SIE settings

* fix(core): fix type issue

fix type issue

* fix(core): fix ut

fix ut

* chore: update comments

update comments for lockout duration unit
diff --git a/packages/core/src/__mocks__/sign-in-experience.ts b/packages/core/src/__mocks__/sign-in-experience.ts
@@ -104,4 +104,5 @@ export const mockSignInExperience: SignInExperience = {
   supportWebsiteUrl: null,
   unknownSessionRedirectUrl: null,
   captchaPolicy: {},
+  sentinelPolicy: {},
 };
diff --git a/packages/core/src/queries/sign-in-experience.test.ts b/packages/core/src/queries/sign-in-experience.test.ts
@@ -37,12 +37,13 @@ describe('sign-in-experience query', () => {
     mfa: JSON.stringify(mockSignInExperience.mfa),
     socialSignIn: JSON.stringify(mockSignInExperience.socialSignIn),
     captchaPolicy: JSON.stringify(mockSignInExperience.captchaPolicy),
+    sentinelPolicy: JSON.stringify(mockSignInExperience.sentinelPolicy),
   };
 
   it('findDefaultSignInExperience', async () => {
     /* eslint-disable sql/no-unsafe-query */
     const expectSql = `
-      select "tenant_id", "id", "color", "branding", "language_info", "terms_of_use_url", "privacy_policy_url", "agree_to_terms_policy", "sign_in", "sign_up", "social_sign_in", "social_sign_in_connector_targets", "sign_in_mode", "custom_css", "custom_content", "custom_ui_assets", "password_policy", "mfa", "single_sign_on_enabled", "support_email", "support_website_url", "unknown_session_redirect_url", "captcha_policy"
+      select "tenant_id", "id", "color", "branding", "language_info", "terms_of_use_url", "privacy_policy_url", "agree_to_terms_policy", "sign_in", "sign_up", "social_sign_in", "social_sign_in_connector_targets", "sign_in_mode", "custom_css", "custom_content", "custom_ui_assets", "password_policy", "mfa", "single_sign_on_enabled", "support_email", "support_website_url", "unknown_session_redirect_url", "captcha_policy", "sentinel_policy"
       from "sign_in_experiences"
       where "id"=$1
     `;
diff --git a/packages/experience/src/__mocks__/logto.tsx b/packages/experience/src/__mocks__/logto.tsx
@@ -118,6 +118,7 @@ export const mockSignInExperience: SignInExperience = {
   supportWebsiteUrl: null,
   unknownSessionRedirectUrl: null,
   captchaPolicy: {},
+  sentinelPolicy: {},
 };
 
 export const mockSignInExperienceSettings: SignInExperienceResponse = {
@@ -157,6 +158,7 @@ export const mockSignInExperienceSettings: SignInExperienceResponse = {
   supportWebsiteUrl: null,
   unknownSessionRedirectUrl: null,
   captchaPolicy: {},
+  sentinelPolicy: {},
 };
 
 const usernameSettings = {
diff --git a/packages/schemas/alterations/next-1744013256-add-sentinel-policy-column-to-sie-table.ts b/packages/schemas/alterations/next-1744013256-add-sentinel-policy-column-to-sie-table.ts
@@ -0,0 +1,20 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        add column sentinel_policy jsonb not null default '{}'::jsonb;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sign_in_experiences
+        drop column sentinel_policy;
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/src/foundations/jsonb-types/sign-in-experience.ts b/packages/schemas/src/foundations/jsonb-types/sign-in-experience.ts
@@ -235,3 +235,19 @@ export const captchaPolicyGuard = z.object({
 });
 
 export type CaptchaPolicy = z.infer<typeof captchaPolicyGuard>;
+
+export type SentinelPolicy = {
+  /**
+   * Maximum failed attempts allowed in one hour before blocking the user.
+   */
+  maxAttempts?: number;
+  /**
+   * Lockout duration in minutes after exceeding the maximum failed attempts.
+   */
+  lockoutDuration?: number;
+};
+
+export const sentinelPolicyGuard = z.object({
+  maxAttempts: z.number().optional(),
+  lockoutDuration: z.number().optional(),
+}) satisfies ToZodObject<SentinelPolicy>;
diff --git a/packages/schemas/tables/sign_in_experiences.sql b/packages/schemas/tables/sign_in_experiences.sql
@@ -27,5 +27,6 @@ create table sign_in_experiences (
   support_website_url text,
   unknown_session_redirect_url text,
   captcha_policy jsonb /* @use CaptchaPolicy */ not null default '{}'::jsonb,
+  sentinel_policy jsonb /* @use SentinelPolicy */ not null default '{}'::jsonb,
   primary key (tenant_id, id)
 );
