feat(core,schemas): added updated_at to user_sso_identities (#7425)

simeng-li · web-flow · commit f2c0a05ac72c · 2025-06-05T09:13:55.000+08:00
* feat(core,schemas): added updated_at to user_sso_identities

added an `updated_at` field to the `user_sso_identities` table to track the last update time for each record

* chore(test): update integration test

update integration test

* refactor(core,schemas): replace with native set_updated_at func

replace with native set_updated_at function

* chore(test): adjust integration test

adjust integration test

* fix(test): fix integration test

fix integration test
diff --git a/.changeset/blue-brooms-clean.md b/.changeset/blue-brooms-clean.md
@@ -0,0 +1,8 @@
+---
+"@logto/schemas": minor
+"@logto/core": minor
+---
+
+added an `updated_at` field to the `user_sso_identities` table to track the last update time for each record.
+
+On each successfull SSO sign-in, the `updated_at` field will be set to the current timestamp. This allows for better tracking of when a user's SSO identity was authenticated and updated.
diff --git a/packages/integration-tests/src/tests/api/experience-api/sign-in-interaction/enterprise-sso.test.ts b/packages/integration-tests/src/tests/api/experience-api/sign-in-interaction/enterprise-sso.test.ts
@@ -1,4 +1,4 @@
-import { InteractionEvent, MfaFactor, SignInIdentifier } from '@logto/schemas';
+import { InteractionEvent, MfaFactor, SignInIdentifier, SignInMode } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 
 import { createUserMfaVerification, deleteUser, getUser } from '#src/api/admin-user.js';
@@ -30,6 +30,7 @@ describe('enterprise sso sign-in and sign-up', () => {
     await ssoConnectorApi.createMockOidcConnector([domain]);
     await updateSignInExperience({
       singleSignOnEnabled: true,
+      signInMode: SignInMode.SignInAndRegister,
       signUp: { identifiers: [], password: false, verify: false },
     });
   });
@@ -38,7 +39,7 @@ describe('enterprise sso sign-in and sign-up', () => {
     await Promise.all([ssoConnectorApi.cleanUp(), userApi.cleanUp()]);
   });
 
-  it('should successfully sign-up with enterprise sso and sync email', async () => {
+  it('should successfully sign-up with enterprise sso and sync email and sync SSO profile on the next sign-in', async () => {
     const userId = await signInWithEnterpriseSso(
       ssoConnectorApi.firstConnectorId!,
       {
@@ -50,11 +51,10 @@ describe('enterprise sso sign-in and sign-up', () => {
     );
 
     const { primaryEmail } = await getUser(userId);
+
     expect(primaryEmail).toBe(email);
-  });
 
-  it('should successfully sign-in with enterprise sso', async () => {
-    const userId = await signInWithEnterpriseSso(ssoConnectorApi.firstConnectorId!, {
+    await signInWithEnterpriseSso(ssoConnectorApi.firstConnectorId!, {
       sub: enterpriseSsoIdentityId,
       email,
       email_verified: true,
@@ -71,6 +71,7 @@ describe('enterprise sso sign-in and sign-up', () => {
     const { userProfile, user } = await generateNewUser({
       primaryEmail: true,
     });
+
     const { primaryEmail } = userProfile;
 
     const userId = await signInWithEnterpriseSso(ssoConnectorApi.firstConnectorId!, {
@@ -85,10 +86,14 @@ describe('enterprise sso sign-in and sign-up', () => {
     const { name, ssoIdentities } = await getUser(userId, true);
 
     expect(name).toBe('John Doe');
-    expect(ssoIdentities?.some((identity) => identity.identityId === enterpriseSsoIdentityId)).toBe(
-      true
+
+    const enterpriseSsoIdentity = ssoIdentities?.find(
+      (identity) => identity.identityId === enterpriseSsoIdentityId
     );
 
+    expect(enterpriseSsoIdentity).toBeTruthy();
+    expect(enterpriseSsoIdentity?.updatedAt).not.toBeNull();
+
     await deleteUser(userId);
   });
 
diff --git a/packages/schemas/alterations/next-1749005587-user-sso-identities-table-add-updated-at-column.ts b/packages/schemas/alterations/next-1749005587-user-sso-identities-table-add-updated-at-column.ts
@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table user_sso_identities
+        add column updated_at timestamptz not null default(now());
+    `);
+
+    await pool.query(sql`
+      create trigger set_updated_at
+        before update on user_sso_identities
+        for each row
+        execute procedure set_updated_at();
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop trigger set_updated_at on user_sso_identities;
+    `);
+
+    await pool.query(sql`
+      alter table user_sso_identities
+        drop column updated_at;
+    `);
+  },
+};
+
+export default alteration;
diff --git a/packages/schemas/tables/user_sso_identities.sql b/packages/schemas/tables/user_sso_identities.sql
@@ -10,11 +10,19 @@ create table user_sso_identities (
   /** Provider user identity id*/
   identity_id varchar(128) not null,
   detail jsonb /* @use JsonObject */ not null default '{}'::jsonb,
+  /** Known issue: created_at uses timestamp instead of timestamptz */
   created_at timestamp not null default(now()),
+  updated_at timestamptz not null default(now()),
   sso_connector_id
     varchar(128) not null
     references sso_connectors (id) on update cascade on delete cascade,
   primary key (id),
   constraint user_sso_identities__issuer__identity_id
     unique (tenant_id, issuer, identity_id)
 );
+
+
+create trigger set_updated_at
+  before update on user_sso_identities
+  for each row
+  execute procedure set_updated_at();
