@donotdev/functions 0.0.9 → 0.0.11

package/src/shared/billing/webhookHandler.ts

@@ -23,14 +23,22 @@ import { logger } from '../logger.js';
 import { createIdempotencyStore } from './idempotency.js';
 import { calculateSubscriptionEndDate } from '../utils/external/date.js';
 
-// ✅ CREATE: Singleton idempotency store (auto-detects Firestore)
-const idempotencyStore = createIdempotencyStore();
-
 import type {
   SubscriptionData,
   AuthProvider,
 } from './helpers/updateUserSubscription.js';
 
+// W7: Lazy singleton — resolving at import time reads env vars / Firebase Admin
+// before they are fully injected (e.g., defineSecret values on Firebase Functions v2).
+// Resolved on first use instead.
+let _idempotencyStore: ReturnType<typeof createIdempotencyStore> | null = null;
+function getIdempotencyStore() {
+  if (!_idempotencyStore) {
+    _idempotencyStore = createIdempotencyStore();
+  }
+  return _idempotencyStore;
+}
+
 /**
  * Platform-agnostic auth provider interface for webhook handlers
  */
@@ -94,8 +102,8 @@ export async function processWebhook(
       operation: 'webhook_processing',
     });
 
-    // ✅ CHECK: Idempotency (auto-detects storage)
-    if (await idempotencyStore.isProcessed(event.id)) {
+    // ✅ CHECK: Idempotency (auto-detects storage, lazy init per W7)
+    if (await getIdempotencyStore().isProcessed(event.id)) {
       logger.info('[Webhook] Already processed', { eventId: event.id });
       return { success: true, message: 'Event already processed' };
     }
@@ -104,7 +112,7 @@ export async function processWebhook(
     await routeEvent(event, config, updateSubscription, stripe, authProvider);
 
     // ✅ MARK: Event as processed
-    await idempotencyStore.markProcessed(event.id);
+    await getIdempotencyStore().markProcessed(event.id);
 
     return { success: true, message: 'Webhook processed' };
   } catch (error) {
@@ -160,7 +168,8 @@ async function routeEvent(
       break;
 
     default:
-      console.log('[Webhook] Unhandled event type', { type: event.type });
+      // W23: Use structured logger instead of console.log in production
+      logger.debug('[Webhook] Unhandled event type', { type: event.type });
   }
 }
 

package/src/shared/errorHandling.ts

@@ -12,49 +12,10 @@
 import { HttpsError } from 'firebase-functions/v2/https';
 import * as v from 'valibot';
 
-import type { ErrorCode } from '@donotdev/core/server';
-import { EntityHookError } from '@donotdev/core/server';
+import { DoNotDevError, EntityHookError } from '@donotdev/core/server';
 
-/**
- * Custom error class for application-specific errors in functions.
- *
- * @version 0.0.1
- * @since 0.0.1
- * @author AMBROISE PARK Consulting
- */
-export class DoNotDevError extends Error {
-  public readonly code: ErrorCode;
-  public readonly details?: Record<string, any>;
-
-  constructor(
-    message: string,
-    code: ErrorCode = 'unknown',
-    details?: Record<string, any>
-  ) {
-    super(message);
-    Object.setPrototypeOf(this, DoNotDevError.prototype);
-    this.code = code;
-    this.details = details;
-    this.name = this.constructor.name;
-
-    if (Error.captureStackTrace) {
-      Error.captureStackTrace(this, this.constructor);
-    }
-  }
-
-  public toString(): string {
-    return `${this.name} [${this.code}]: ${this.message}`;
-  }
-
-  public toJSON(): object {
-    return {
-      name: this.name,
-      code: this.code,
-      message: this.message,
-      details: this.details,
-    };
-  }
-}
+// Re-export DoNotDevError so existing imports from this module continue to work
+export { DoNotDevError };
 
 /**
  * Platform-aware error handling that throws in the correct format
@@ -66,7 +27,16 @@ export class DoNotDevError extends Error {
  * @author AMBROISE PARK Consulting
  */
 export function handleError(error: unknown): never {
-  console.error('Function error:', error);
+  // W11: Log only in development to avoid double-logging with platform loggers.
+  // Known DoNotDevError, ValiError, and EntityHookError are handled by callers.
+  if (
+    process.env.NODE_ENV === 'development' &&
+    !(error instanceof DoNotDevError) &&
+    !(error instanceof Error && error.name === 'ValiError') &&
+    !(error instanceof Error && error.name === 'EntityHookError')
+  ) {
+    console.error('Function error:', error);
+  }
 
   // Error classification logic (same for all platforms)
   let code: string;
@@ -117,20 +87,12 @@ export function handleError(error: unknown): never {
     message = entityError.message;
     details = undefined;
   } else {
-    // Preserve original error message for debugging
     code = 'internal';
+    // W10: Never expose error.stack in details — it leaks internal file paths
+    // and implementation details to clients. Log server-side only.
     message =
       error instanceof Error ? error.message : 'An unexpected error occurred';
-    details = {
-      originalError:
-        error instanceof Error
-          ? {
-              name: error.name,
-              message: error.message,
-              stack: error.stack,
-            }
-          : String(error),
-    };
+    details = undefined;
   }
 
   // Platform-specific error throwing

package/src/shared/firebase.ts

@@ -212,28 +212,4 @@ export function prepareForFirestore<T = any>(
 
   // Return primitive values unchanged
   return data;
-}
-
-/**
- * Checks if a string is an ISO date string
- * @param str - The string to check
- * @returns True if the string is an ISO date
- *
- * @version 0.0.1
- * @since 0.0.1
- * @author AMBROISE PARK Consulting
- */
-function isISODateString(str: string): boolean {
-  if (typeof str !== 'string') return false;
-
-  // Basic ISO date pattern check
-  const isoDatePattern = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3})?Z?$/;
-  if (!isoDatePattern.test(str)) return false;
-
-  // Try to parse it as a date
-  const date = new Date(str);
-  return (
-    !isNaN(date.getTime()) &&
-    date.toISOString().startsWith(str.substring(0, 19))
-  );
-}
+}

package/src/shared/oauth/__tests__/exchangeToken.test.ts

@@ -0,0 +1,116 @@
+// packages/functions/src/shared/oauth/__tests__/exchangeToken.test.ts
+
+/**
+ * @fileoverview Tests for exchangeTokenAlgorithm
+ * @description Unit tests using dependency injection — no real OAuth or network calls.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+
+import { describe, it, expect, vi } from 'vitest';
+
+import {
+  exchangeTokenAlgorithm,
+  type OAuthProvider,
+} from '../exchangeToken';
+import type { ExchangeTokenRequest, TokenResponse } from '@donotdev/core/server';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeProvider(result: TokenResponse): OAuthProvider {
+  return {
+    exchangeCodeForToken: vi.fn().mockResolvedValue(result),
+  };
+}
+
+function makeRejectingProvider(error: Error): OAuthProvider {
+  return {
+    exchangeCodeForToken: vi.fn().mockRejectedValue(error),
+  };
+}
+
+const BASE_REQUEST: ExchangeTokenRequest = {
+  provider: 'github',
+  purpose: 'login',
+  code: 'auth-code-abc',
+  redirectUri: 'https://app.example.com/oauth/callback',
+};
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('exchangeTokenAlgorithm', () => {
+  describe('successful exchange', () => {
+    it('returns token response from provider', async () => {
+      const tokenResponse: TokenResponse = {
+        access_token: 'access-token-xyz',
+        token_type: 'Bearer',
+        expires_in: 3600,
+        refresh_token: 'refresh-token-123',
+      };
+      const oauthProvider = makeProvider(tokenResponse);
+
+      const result = await exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider);
+
+      expect(result).toEqual(tokenResponse);
+    });
+
+    it('forwards code, redirectUri, and codeVerifier to provider', async () => {
+      const oauthProvider = makeProvider({
+        access_token: 'tok',
+      });
+      const request: ExchangeTokenRequest = {
+        ...BASE_REQUEST,
+        codeVerifier: 'pkce-verifier-xyz',
+      };
+
+      await exchangeTokenAlgorithm(request, oauthProvider);
+
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledOnce();
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledWith({
+        code: request.code,
+        redirectUri: request.redirectUri,
+        codeVerifier: 'pkce-verifier-xyz',
+      });
+    });
+
+    it('forwards without codeVerifier when omitted', async () => {
+      const oauthProvider = makeProvider({ access_token: 'tok' });
+
+      await exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider);
+
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledWith({
+        code: BASE_REQUEST.code,
+        redirectUri: BASE_REQUEST.redirectUri,
+        codeVerifier: undefined,
+      });
+    });
+  });
+
+  describe('error scenarios', () => {
+    it('re-throws errors from provider', async () => {
+      const oauthProvider = makeRejectingProvider(
+        new Error('invalid_grant')
+      );
+
+      await expect(
+        exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider)
+      ).rejects.toThrow('invalid_grant');
+    });
+
+    it('calls provider exactly once on error', async () => {
+      const oauthProvider = makeRejectingProvider(new Error('network error'));
+
+      await expect(
+        exchangeTokenAlgorithm(BASE_REQUEST, oauthProvider)
+      ).rejects.toThrow('network error');
+
+      expect(oauthProvider.exchangeCodeForToken).toHaveBeenCalledOnce();
+    });
+  });
+});

package/src/shared/oauth/__tests__/grantAccess.test.ts

@@ -0,0 +1,237 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+import {
+  grantAccessAlgorithm,
+  type OAuthGrantProvider,
+} from '../grantAccess';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeProvider(
+  result: { success: boolean; message: string }
+): OAuthGrantProvider {
+  return { grantAccess: vi.fn().mockResolvedValue(result) };
+}
+
+function makeRejectingProvider(error: Error): OAuthGrantProvider {
+  return { grantAccess: vi.fn().mockRejectedValue(error) };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('grantAccessAlgorithm', () => {
+  const userId = 'user-123';
+  const provider = 'github';
+  const accessToken = 'access-token-abc';
+  const refreshToken = 'refresh-token-xyz';
+
+  // -------------------------------------------------------------------------
+  // Successful grant
+  // -------------------------------------------------------------------------
+
+  describe('successful grant', () => {
+    it('returns success result from provider', async () => {
+      const oauthProvider = makeProvider({ success: true, message: 'OK' });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(result).toEqual({ success: true, message: 'OK' });
+    });
+
+    it('forwards all parameters to the provider', async () => {
+      const oauthProvider = makeProvider({ success: true, message: 'granted' });
+
+      await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(oauthProvider.grantAccess).toHaveBeenCalledOnce();
+      expect(oauthProvider.grantAccess).toHaveBeenCalledWith({
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+      });
+    });
+
+    it('works without a refreshToken (undefined)', async () => {
+      const oauthProvider = makeProvider({ success: true, message: 'granted' });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        undefined,
+        oauthProvider
+      );
+
+      expect(result.success).toBe(true);
+      expect(oauthProvider.grantAccess).toHaveBeenCalledWith({
+        userId,
+        provider,
+        accessToken,
+        refreshToken: undefined,
+      });
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Invalid / missing user
+  // -------------------------------------------------------------------------
+
+  describe('invalid / missing user', () => {
+    it('passes empty userId to provider (provider owns validation)', async () => {
+      const oauthProvider = makeProvider({
+        success: false,
+        message: 'user not found',
+      });
+
+      const result = await grantAccessAlgorithm(
+        '',
+        provider,
+        accessToken,
+        undefined,
+        oauthProvider
+      );
+
+      expect(result.success).toBe(false);
+      expect(result.message).toBe('user not found');
+      expect(oauthProvider.grantAccess).toHaveBeenCalledWith({
+        userId: '',
+        provider,
+        accessToken,
+        refreshToken: undefined,
+      });
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Permission checks (provider denies access)
+  // -------------------------------------------------------------------------
+
+  describe('permission checks', () => {
+    it('returns provider failure when access is denied', async () => {
+      const oauthProvider = makeProvider({
+        success: false,
+        message: 'permission denied',
+      });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(result.success).toBe(false);
+      expect(result.message).toBe('permission denied');
+    });
+
+    it('propagates the exact message returned by the provider', async () => {
+      const expectedMessage = 'scope insufficient for this resource';
+      const oauthProvider = makeProvider({
+        success: false,
+        message: expectedMessage,
+      });
+
+      const result = await grantAccessAlgorithm(
+        userId,
+        provider,
+        accessToken,
+        refreshToken,
+        oauthProvider
+      );
+
+      expect(result.message).toBe(expectedMessage);
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Provider-specific grant logic
+  // -------------------------------------------------------------------------
+
+  describe('provider-specific grant logic', () => {
+    it.each([
+      ['github', 'gh-token'],
+      ['google', 'goog-token'],
+      ['stripe', 'stripe-token'],
+    ])(
+      'correctly forwards provider "%s" with its access token',
+      async (providerName, token) => {
+        const oauthProvider = makeProvider({
+          success: true,
+          message: 'granted',
+        });
+
+        await grantAccessAlgorithm(
+          userId,
+          providerName,
+          token,
+          undefined,
+          oauthProvider
+        );
+
+        expect(oauthProvider.grantAccess).toHaveBeenCalledWith(
+          expect.objectContaining({ provider: providerName, accessToken: token })
+        );
+      }
+    );
+  });
+
+  // -------------------------------------------------------------------------
+  // Error scenarios
+  // -------------------------------------------------------------------------
+
+  describe('error scenarios', () => {
+    it('re-throws synchronous errors from provider', async () => {
+      const oauthProvider = makeRejectingProvider(
+        new Error('network failure')
+      );
+
+      await expect(
+        grantAccessAlgorithm(userId, provider, accessToken, refreshToken, oauthProvider)
+      ).rejects.toThrow('network failure');
+    });
+
+    it('re-throws custom provider errors without wrapping', async () => {
+      class ProviderError extends Error {
+        constructor(msg: string) {
+          super(msg);
+          this.name = 'ProviderError';
+        }
+      }
+
+      const originalError = new ProviderError('token expired');
+      const oauthProvider = makeRejectingProvider(originalError);
+
+      await expect(
+        grantAccessAlgorithm(userId, provider, accessToken, refreshToken, oauthProvider)
+      ).rejects.toThrow('token expired');
+    });
+
+    it('calls provider exactly once even on error', async () => {
+      const oauthProvider = makeRejectingProvider(new Error('boom'));
+
+      await expect(
+        grantAccessAlgorithm(userId, provider, accessToken, refreshToken, oauthProvider)
+      ).rejects.toThrow('boom');
+
+      expect(oauthProvider.grantAccess).toHaveBeenCalledOnce();
+    });
+  });
+});

package/src/shared/schema.ts

@@ -12,7 +12,7 @@
 import * as v from 'valibot';
 
 /** Visibility levels matching @donotdev/core */
-type Visibility = 'guest' | 'user' | 'admin' | 'technical' | 'hidden';
+type Visibility = 'guest' | 'user' | 'admin' | 'technical' | 'hidden' | 'owner';
 
 // Define a type for the custom visibility property we might add to Valibot schemas
 interface ValibotSchemaWithVisibility extends v.BaseSchema<
@@ -52,6 +52,7 @@ function getFieldVisibility(field: any): Visibility | undefined {
  * - 'admin': Visible only to admins
  * - 'technical': Visible to admins only (shown as read-only in edit forms)
  * - 'hidden': Never visible (passwords, tokens, API keys - only in DB)
+ * - 'owner': Visible only when uid matches one of entity.ownership.ownerFields (requires document context; here treated as not visible for aggregate)
  * - undefined: Defaults to 'user' behavior (visible to authenticated users)
  *
  * @param key - The name (key) of the field.
@@ -90,6 +91,11 @@ export function isFieldVisible(
     return isAdmin;
   }
 
+  // Owner: requires per-document check (documentData, uid, ownership); not available in aggregate context
+  if (visibility === 'owner') {
+    return false;
+  }
+
   // User fields (or undefined/default) are visible to authenticated users
   if (visibility === 'user' || visibility === undefined) {
     return isAuthenticated;

package/src/shared/utils/__tests__/functionWrapper.test.ts

@@ -0,0 +1,122 @@
+// packages/functions/src/shared/utils/__tests__/functionWrapper.test.ts
+
+/**
+ * @fileoverview Tests for withValidation, firebaseFunction, vercelFunction
+ * @description Unit tests for schema validation wrappers.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import * as v from 'valibot';
+
+import {
+  withValidation,
+  firebaseFunction,
+  vercelFunction,
+} from '../functionWrapper';
+
+// ---------------------------------------------------------------------------
+// Schemas and fixtures
+// ---------------------------------------------------------------------------
+
+const TestSchema = v.object({
+  name: v.pipe(v.string(), v.minLength(1)),
+  count: v.optional(v.pipe(v.number(), v.minValue(0))),
+});
+
+type TestData = v.InferOutput<typeof TestSchema>;
+
+// ---------------------------------------------------------------------------
+// withValidation
+// ---------------------------------------------------------------------------
+
+describe('withValidation', () => {
+  it('returns handler result when data is valid', async () => {
+    const handler = vi.fn().mockResolvedValue({ id: '123' });
+    const wrapped = withValidation(TestSchema, handler);
+    const data = { name: 'foo', count: 2 };
+
+    const result = await wrapped(data);
+
+    expect(result).toEqual({ id: '123' });
+    expect(handler).toHaveBeenCalledWith({ name: 'foo', count: 2 });
+  });
+
+  it('throws when data fails validation', async () => {
+    const handler = vi.fn();
+    const wrapped = withValidation(TestSchema, handler);
+
+    await expect(wrapped({ name: '' })).rejects.toThrow();
+    expect(handler).not.toHaveBeenCalled();
+  });
+
+  it('passes validated (parsed) data to handler', async () => {
+    const handler = vi.fn().mockResolvedValue(undefined);
+    const wrapped = withValidation(TestSchema, handler);
+    await wrapped({ name: 'a', count: 0 });
+
+    expect(handler).toHaveBeenCalledWith(
+      expect.objectContaining({ name: 'a', count: 0 })
+    );
+  });
+});
+
+// ---------------------------------------------------------------------------
+// firebaseFunction
+// ---------------------------------------------------------------------------
+
+describe('firebaseFunction', () => {
+  it('calls handler with parsed request.data', async () => {
+    const handler = vi.fn().mockResolvedValue({ success: true });
+    const fn = firebaseFunction(TestSchema, handler);
+    const request = {
+      data: { name: 'test', count: 1 },
+      rawRequest: {} as any,
+    };
+
+    const result = await fn(request);
+
+    expect(result).toEqual({ success: true });
+    expect(handler).toHaveBeenCalledWith({ name: 'test', count: 1 });
+  });
+
+  it('throws when request.data is invalid', async () => {
+    const handler = vi.fn();
+    const fn = firebaseFunction(TestSchema, handler);
+    const request = { data: { name: '' }, rawRequest: {} as any };
+
+    await expect(fn(request)).rejects.toThrow();
+    expect(handler).not.toHaveBeenCalled();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// vercelFunction
+// ---------------------------------------------------------------------------
+
+describe('vercelFunction', () => {
+  it('parses req.body and calls handler with (req, res, data)', async () => {
+    const handler = vi.fn().mockResolvedValue({ ok: true });
+    const fn = vercelFunction(TestSchema, handler);
+    const req = { body: { name: 'v', count: 0 } } as any;
+    const res = {} as any;
+
+    const result = await fn(req, res);
+
+    expect(result).toEqual({ ok: true });
+    expect(handler).toHaveBeenCalledWith(req, res, { name: 'v', count: 0 });
+  });
+
+  it('throws when req.body is invalid', async () => {
+    const handler = vi.fn();
+    const fn = vercelFunction(TestSchema, handler);
+    const req = { body: {} } as any;
+    const res = {} as any;
+
+    await expect(fn(req, res)).rejects.toThrow();
+    expect(handler).not.toHaveBeenCalled();
+  });
+});