@donotdev/functions 0.0.10 → 0.0.12

package/src/shared/billing/webhookHandler.ts

@@ -23,14 +23,22 @@ import { logger } from '../logger.js';
 import { createIdempotencyStore } from './idempotency.js';
 import { calculateSubscriptionEndDate } from '../utils/external/date.js';
 
-// ✅ CREATE: Singleton idempotency store (auto-detects Firestore)
-const idempotencyStore = createIdempotencyStore();
-
 import type {
   SubscriptionData,
   AuthProvider,
 } from './helpers/updateUserSubscription.js';
 
+// W7: Lazy singleton — resolving at import time reads env vars / Firebase Admin
+// before they are fully injected (e.g., defineSecret values on Firebase Functions v2).
+// Resolved on first use instead.
+let _idempotencyStore: ReturnType<typeof createIdempotencyStore> | null = null;
+function getIdempotencyStore() {
+  if (!_idempotencyStore) {
+    _idempotencyStore = createIdempotencyStore();
+  }
+  return _idempotencyStore;
+}
+
 /**
  * Platform-agnostic auth provider interface for webhook handlers
  */
@@ -94,8 +102,8 @@ export async function processWebhook(
       operation: 'webhook_processing',
     });
 
-    // ✅ CHECK: Idempotency (auto-detects storage)
-    if (await idempotencyStore.isProcessed(event.id)) {
+    // ✅ CHECK: Idempotency (auto-detects storage, lazy init per W7)
+    if (await getIdempotencyStore().isProcessed(event.id)) {
       logger.info('[Webhook] Already processed', { eventId: event.id });
       return { success: true, message: 'Event already processed' };
     }
@@ -104,7 +112,7 @@ export async function processWebhook(
     await routeEvent(event, config, updateSubscription, stripe, authProvider);
 
     // ✅ MARK: Event as processed
-    await idempotencyStore.markProcessed(event.id);
+    await getIdempotencyStore().markProcessed(event.id);
 
     return { success: true, message: 'Webhook processed' };
   } catch (error) {
@@ -160,7 +168,8 @@ async function routeEvent(
       break;
 
     default:
-      console.log('[Webhook] Unhandled event type', { type: event.type });
+      // W23: Use structured logger instead of console.log in production
+      logger.debug('[Webhook] Unhandled event type', { type: event.type });
   }
 }
 

package/src/shared/errorHandling.ts

@@ -9,52 +9,12 @@
  * @author AMBROISE PARK Consulting
  */
 
-import { HttpsError } from 'firebase-functions/v2/https';
 import * as v from 'valibot';
 
-import type { ErrorCode } from '@donotdev/core/server';
-import { EntityHookError } from '@donotdev/core/server';
+import { DoNotDevError, EntityHookError } from '@donotdev/core/server';
 
-/**
- * Custom error class for application-specific errors in functions.
- *
- * @version 0.0.1
- * @since 0.0.1
- * @author AMBROISE PARK Consulting
- */
-export class DoNotDevError extends Error {
-  public readonly code: ErrorCode;
-  public readonly details?: Record<string, any>;
-
-  constructor(
-    message: string,
-    code: ErrorCode = 'unknown',
-    details?: Record<string, any>
-  ) {
-    super(message);
-    Object.setPrototypeOf(this, DoNotDevError.prototype);
-    this.code = code;
-    this.details = details;
-    this.name = this.constructor.name;
-
-    if (Error.captureStackTrace) {
-      Error.captureStackTrace(this, this.constructor);
-    }
-  }
-
-  public toString(): string {
-    return `${this.name} [${this.code}]: ${this.message}`;
-  }
-
-  public toJSON(): object {
-    return {
-      name: this.name,
-      code: this.code,
-      message: this.message,
-      details: this.details,
-    };
-  }
-}
+// Re-export DoNotDevError so existing imports from this module continue to work
+export { DoNotDevError };
 
 /**
  * Platform-aware error handling that throws in the correct format
@@ -65,8 +25,17 @@ export class DoNotDevError extends Error {
  * @since 0.0.1
  * @author AMBROISE PARK Consulting
  */
-export function handleError(error: unknown): never {
-  console.error('Function error:', error);
+export async function handleError(error: unknown): Promise<never> {
+  // W11: Log only in development to avoid double-logging with platform loggers.
+  // Known DoNotDevError, ValiError, and EntityHookError are handled by callers.
+  if (
+    process.env.NODE_ENV === 'development' &&
+    !(error instanceof DoNotDevError) &&
+    !(error instanceof Error && error.name === 'ValiError') &&
+    !(error instanceof Error && error.name === 'EntityHookError')
+  ) {
+    console.error('Function error:', error);
+  }
 
   // Error classification logic (same for all platforms)
   let code: string;
@@ -117,25 +86,17 @@ export function handleError(error: unknown): never {
     message = entityError.message;
     details = undefined;
   } else {
-    // Preserve original error message for debugging
     code = 'internal';
+    // W10: Never expose error.stack in details — it leaks internal file paths
+    // and implementation details to clients. Log server-side only.
     message =
       error instanceof Error ? error.message : 'An unexpected error occurred';
-    details = {
-      originalError:
-        error instanceof Error
-          ? {
-              name: error.name,
-              message: error.message,
-              stack: error.stack,
-            }
-          : String(error),
-    };
+    details = undefined;
   }
 
   // Platform-specific error throwing
   if (isFirebaseEnvironment()) {
-    throwFirebaseError(code, message, details);
+    await throwFirebaseError(code, message, details);
   } else if (isVercelEnvironment()) {
     throwVercelError(code, message, details);
   } else {
@@ -181,12 +142,13 @@ function isVercelEnvironment(): boolean {
  * @since 0.0.1
  * @author AMBROISE PARK Consulting
  */
-function throwFirebaseError(
+async function throwFirebaseError(
   code: string,
   message: string,
   details?: any
-): never {
-  // Static import - Firebase is always available in Firebase functions
+): Promise<never> {
+  // Dynamic import — firebase-functions is only loaded in Firebase environments
+  const { HttpsError } = await import('firebase-functions/v2/https');
   throw new HttpsError(code as any, message, details);
 }
 

package/src/shared/firebase.ts

@@ -212,28 +212,4 @@ export function prepareForFirestore<T = any>(
 
   // Return primitive values unchanged
   return data;
-}
-
-/**
- * Checks if a string is an ISO date string
- * @param str - The string to check
- * @returns True if the string is an ISO date
- *
- * @version 0.0.1
- * @since 0.0.1
- * @author AMBROISE PARK Consulting
- */
-function isISODateString(str: string): boolean {
-  if (typeof str !== 'string') return false;
-
-  // Basic ISO date pattern check
-  const isoDatePattern = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3})?Z?$/;
-  if (!isoDatePattern.test(str)) return false;
-
-  // Try to parse it as a date
-  const date = new Date(str);
-  return (
-    !isNaN(date.getTime()) &&
-    date.toISOString().startsWith(str.substring(0, 19))
-  );
-}
+}

package/src/shared/index.ts

@@ -19,8 +19,9 @@ export * from './oauth/index.js';
 export {
   createTimestamp,
   toTimestamp,
-  toISOString,
   isTimestamp,
   transformFirestoreData,
   prepareForFirestore,
 } from './firebase.js';
+// Note: toISOString is exported from ./utils/external/date.js (handles DateValue).
+// The Firebase-specific toISOString (FirestoreTimestamp only) is available via direct import from ./firebase.js.

package/src/shared/logger.ts

@@ -28,10 +28,8 @@ if (typeof globalThis !== 'undefined' && 'window' in globalThis) {
   throw new Error('Server logger cannot be imported on client side');
 }
 
-// ServerShim: Ensure we're in a Node.js environment
-if (typeof process === 'undefined' || !process.versions?.node) {
-  throw new Error('Server logger requires Node.js environment');
-}
+// ServerShim: Warn if not in Node.js (e.g., Deno) but don't throw — allow fallback logging
+const _isNodeEnv = typeof process !== 'undefined' && !!process.versions?.node;
 
 let sentryEnabled = false;
 let sentryClient: any = null;
@@ -247,9 +245,7 @@ export const logger = {
       context,
       error: context?.error,
       metadata: {
-        pid: process.pid,
-        nodeVersion: process.version,
-        platform: process.platform,
+        ...(_isNodeEnv ? { pid: process.pid, nodeVersion: process.version, platform: process.platform } : {}),
         ...context?.metadata,
       },
     };

package/src/shared/oauth/__tests__/exchangeToken.test.ts

@@ -0,0 +1,116 @@
+// packages/functions/src/shared/oauth/__tests__/exchangeToken.test.ts
+
+/**
+ * @fileoverview Tests for exchangeTokenAlgorithm
+ * @description Unit tests using dependency injection — no real OAuth or network calls.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+
+import { describe, it, expect, vi } from 'vitest';
+
+import {
+  exchangeTokenAlgorithm,
+  type OAuthProvider,
+} from '../exchangeToken';
+import type { ExchangeTokenRequest, TokenResponse } from '@donotdev/core/server';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeProvider(result: TokenResponse): OAuthProvider {
+  return {
+    exchangeCodeForToken: vi.fn().mockResolvedValue(result),
+  };
+}
+
+function makeRejectingProvider(error: Error): OAuthProvider {
+  return {
+    exchangeCodeForToken: vi.fn().mockRejectedValue(error),
+  };
+}
+
+const BASE_REQUEST: ExchangeTokenRequest = {
+  provider: 'github',
+  purpose: 'login',
+  code: 'auth-code-abc',
+  redirectUri: 'https://app.example.com/oauth/callback',
+};
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('exchangeTokenAlgorithm', () => {
+  describe('successful exchange', () => {
+    it('returns token response from provider', async () => {
+      const tokenResponse: TokenResponse = {
+        access_token: 'access-token-xyz',
+        token_type: 'Bearer',
+        expires_in: 3600,
+        refresh_token: 'refresh-token-123',
+      };
+      const oauthProvider = makeProvider(tokenResponse);
+
+      const result = await exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider);
+
+      expect(result).toEqual(tokenResponse);
+    });
+
+    it('forwards code, redirectUri, and codeVerifier to provider', async () => {
+      const oauthProvider = makeProvider({
+        access_token: 'tok',
+      });
+      const request: ExchangeTokenRequest = {
+        ...BASE_REQUEST,
+        codeVerifier: 'pkce-verifier-xyz',
+      };
+
+      await exchangeTokenAlgorithm(request, oauthProvider);
+
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledOnce();
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledWith({
+        code: request.code,
+        redirectUri: request.redirectUri,
+        codeVerifier: 'pkce-verifier-xyz',
+      });
+    });
+
+    it('forwards without codeVerifier when omitted', async () => {
+      const oauthProvider = makeProvider({ access_token: 'tok' });
+
+      await exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider);
+
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledWith({
+        code: BASE_REQUEST.code,
+        redirectUri: BASE_REQUEST.redirectUri,
+        codeVerifier: undefined,
+      });
+    });
+  });
+
+  describe('error scenarios', () => {
+    it('re-throws errors from provider', async () => {
+      const oauthProvider = makeRejectingProvider(
+        new Error('invalid_grant')
+      );
+
+      await expect(
+        exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider)
+      ).rejects.toThrow('invalid_grant');
+    });
+
+    it('calls provider exactly once on error', async () => {
+      const oauthProvider = makeRejectingProvider(new Error('network error'));
+
+      await expect(
+        exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider)
+      ).rejects.toThrow('network error');
+
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledOnce();
+    });
+  });
+});

package/src/shared/oauth/__tests__/grantAccess.test.ts

@@ -0,0 +1,237 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+import {
+  grantAccessAlgorithm,
+  type OAuthGrantProvider,
+} from '../grantAccess';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeProvider(
+  result: { success: boolean; message: string }
+): OAuthGrantProvider {
+  return { grantAccess: vi.fn().mockResolvedValue(result) };
+}
+
+function makeRejectingProvider(error: Error): OAuthGrantProvider {
+  return { grantAccess: vi.fn().mockRejectedValue(error) };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('grantAccessAlgorithm', () => {
+  const userId = 'user-123';
+  const provider = 'github';
+  const accessToken = 'access-token-abc';
+  const refreshToken = 'refresh-token-xyz';
+
+  // -------------------------------------------------------------------------
+  // Successful grant
+  // -------------------------------------------------------------------------
+
+  describe('successful grant', () => {
+    it('returns success result from provider', async () => {
+      const oauthProvider = makeProvider({ success: true, message: 'OK' });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(result).toEqual({ success: true, message: 'OK' });
+    });
+
+    it('forwards all parameters to the provider', async () => {
+      const oauthProvider = makeProvider({ success: true, message: 'granted' });
+
+      await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(oauthProvider.grantAccess).toHaveBeenCalledOnce();
+      expect(oauthProvider.grantAccess).toHaveBeenCalledWith({
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+      });
+    });
+
+    it('works without a refreshToken (undefined)', async () => {
+      const oauthProvider = makeProvider({ success: true, message: 'granted' });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        undefined,
+        oauthProvider
+      );
+
+      expect(result.success).toBe(true);
+      expect(oauthProvider.grantAccess).toHaveBeenCalledWith({
+        userId,
+        provider,
+        accessToken,
+        refreshToken: undefined,
+      });
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Invalid / missing user
+  // -------------------------------------------------------------------------
+
+  describe('invalid / missing user', () => {
+    it('passes empty userId to provider (provider owns validation)', async () => {
+      const oauthProvider = makeProvider({
+        success: false,
+        message: 'user not found',
+      });
+
+      const result = await grantAccessAlgorithm(
+        '',
+        provider,
+        accessToken,
+        undefined,
+        oauthProvider
+      );
+
+      expect(result.success).toBe(false);
+      expect(result.message).toBe('user not found');
+      expect(oauthProvider.grantAccess).toHaveBeenCalledWith({
+        userId: '',
+        provider,
+        accessToken,
+        refreshToken: undefined,
+      });
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Permission checks (provider denies access)
+  // -------------------------------------------------------------------------
+
+  describe('permission checks', () => {
+    it('returns provider failure when access is denied', async () => {
+      const oauthProvider = makeProvider({
+        success: false,
+        message: 'permission denied',
+      });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(result.success).toBe(false);
+      expect(result.message).toBe('permission denied');
+    });
+
+    it('propagates the exact message returned by the provider', async () => {
+      const expectedMessage = 'scope insufficient for this resource';
+      const oauthProvider = makeProvider({
+        success: false,
+        message: expectedMessage,
+      });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(result.message).toBe(expectedMessage);
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Provider-specific grant logic
+  // -------------------------------------------------------------------------
+
+  describe('provider-specific grant logic', () => {
+    it.each([
+      ['github', 'gh-token'],
+      ['google', 'goog-token'],
+      ['stripe', 'stripe-token'],
+    ])(
+      'correctly forwards provider "%s" with its access token',
+      async (providerName, token) => {
+        const oauthProvider = makeProvider({
+          success: true,
+          message: 'granted',
+        });
+
+        await grantAccessAlgorithm(
+          userId,
+          providerName,
+          token,
+          undefined,
+          oauthProvider
+        );
+
+        expect(oauthProvider.grantAccess).toHaveBeenCalledWith(
+          expect.objectContaining({ provider: providerName, accessToken: token })
+        );
+      }
+    );
+  });
+
+  // -------------------------------------------------------------------------
+  // Error scenarios
+  // -------------------------------------------------------------------------
+
+  describe('error scenarios', () => {
+    it('re-throws synchronous errors from provider', async () => {
+      const oauthProvider = makeRejectingProvider(
+        new Error('network failure')
+      );
+
+      await expect(
+        grantAccessAlgorithm(userId, provider, accessToken, refreshToken, oauthProvider)
+      ).rejects.toThrow('network failure');
+    });
+
+    it('re-throws custom provider errors without wrapping', async () => {
+      class ProviderError extends Error {
+        constructor(msg: string) {
+          super(msg);
+          this.name = 'ProviderError';
+        }
+      }
+
+      const originalError = new ProviderError('token expired');
+      const oauthProvider = makeRejectingProvider(originalError);
+
+      await expect(
+        grantAccessAlgorithm(userId, provider, accessToken, refreshToken, oauthProvider)
+      ).rejects.toThrow('token expired');
+    });
+
+    it('calls provider exactly once even on error', async () => {
+      const oauthProvider = makeRejectingProvider(new Error('boom'));
+
+      await expect(
+        grantAccessAlgorithm(userId, provider, accessToken, refreshToken, oauthProvider)
+      ).rejects.toThrow('boom');
+
+      expect(oauthProvider.grantAccess).toHaveBeenCalledOnce();
+    });
+  });
+});