@friggframework/admin-scripts 2.0.0--canary.517.41839c5.0

package/src/builtins/oauth-token-refresh.js

@@ -0,0 +1,221 @@
+const { AdminScriptBase } = require('../application/admin-script-base');
+
+/**
+ * OAuth Token Refresh Script
+ *
+ * Refreshes OAuth tokens for integrations that are near expiry.
+ * This helps prevent authentication failures due to expired tokens.
+ */
+class OAuthTokenRefreshScript extends AdminScriptBase {
+    static Definition = {
+        name: 'oauth-token-refresh',
+        version: '1.0.0',
+        description: 'Refreshes OAuth tokens for integrations near expiry',
+        source: 'BUILTIN',
+
+        inputSchema: {
+            type: 'object',
+            properties: {
+                integrationIds: {
+                    type: 'array',
+                    items: { type: 'string' },
+                    description: 'Specific integration IDs to refresh (optional, defaults to all)'
+                },
+                expiryThresholdHours: {
+                    type: 'number',
+                    default: 24,
+                    description: 'Refresh tokens expiring within this many hours'
+                },
+                dryRun: {
+                    type: 'boolean',
+                    default: false,
+                    description: 'Preview without making changes'
+                }
+            }
+        },
+
+        outputSchema: {
+            type: 'object',
+            properties: {
+                refreshed: { type: 'number' },
+                failed: { type: 'number' },
+                skipped: { type: 'number' },
+                details: { type: 'array' }
+            }
+        },
+
+        config: {
+            timeout: 600000, // 10 minutes
+            maxRetries: 1,
+            requiresIntegrationFactory: true, // Needs to call external APIs
+        },
+
+        display: {
+            label: 'OAuth Token Refresh',
+            description: 'Refresh OAuth tokens before they expire',
+            category: 'maintenance',
+        },
+    };
+
+    async execute(frigg, params = {}) {
+        const {
+            integrationIds = null,
+            expiryThresholdHours = 24,
+            dryRun = false
+        } = params;
+
+        const results = {
+            refreshed: 0,
+            failed: 0,
+            skipped: 0,
+            details: []
+        };
+
+        frigg.log('info', 'Starting OAuth token refresh', {
+            expiryThresholdHours,
+            dryRun,
+            specificIds: integrationIds?.length || 'all'
+        });
+
+        // Get integrations to check
+        let integrations;
+        if (integrationIds && integrationIds.length > 0) {
+            integrations = await Promise.all(
+                integrationIds.map(id => frigg.findIntegrationById(id).catch(() => null))
+            );
+            integrations = integrations.filter(Boolean);
+        } else {
+            // Get all integrations (this would need to be paginated for large deployments)
+            integrations = await this.getAllIntegrations(frigg);
+        }
+
+        frigg.log('info', `Found ${integrations.length} integrations to check`);
+
+        for (const integration of integrations) {
+            try {
+                const detail = await this.processIntegration(frigg, integration, {
+                    expiryThresholdHours,
+                    dryRun
+                });
+
+                results.details.push(detail);
+
+                if (detail.action === 'refreshed') {
+                    results.refreshed++;
+                } else if (detail.action === 'skipped') {
+                    results.skipped++;
+                } else if (detail.action === 'failed') {
+                    results.failed++;
+                }
+            } catch (error) {
+                frigg.log('error', `Error processing integration ${integration.id}`, {
+                    error: error.message
+                });
+                results.failed++;
+                results.details.push({
+                    integrationId: integration.id,
+                    action: 'failed',
+                    reason: error.message
+                });
+            }
+        }
+
+        frigg.log('info', 'OAuth token refresh completed', {
+            refreshed: results.refreshed,
+            failed: results.failed,
+            skipped: results.skipped
+        });
+
+        return results;
+    }
+
+    async getAllIntegrations(frigg) {
+        // This is a simplified implementation
+        // In production, would need pagination for large datasets
+        return frigg.listIntegrations({});
+    }
+
+    async processIntegration(frigg, integration, options) {
+        const { expiryThresholdHours, dryRun } = options;
+
+        // Check prerequisites
+        const skipReason = this._checkRefreshPrerequisites(integration, expiryThresholdHours);
+        if (skipReason) {
+            return this._createResult(integration.id, 'skipped', skipReason);
+        }
+
+        // Handle dry run
+        if (dryRun) {
+            frigg.log('info', `[DRY RUN] Would refresh token for ${integration.id}`);
+            return this._createResult(integration.id, 'skipped', 'Dry run - would have refreshed');
+        }
+
+        // Perform refresh
+        return this._performTokenRefresh(frigg, integration);
+    }
+
+    /**
+     * Check if integration meets prerequisites for token refresh
+     * @private
+     * @returns {string|null} Skip reason or null if eligible
+     */
+    _checkRefreshPrerequisites(integration, expiryThresholdHours) {
+        if (!integration.config?.credentials?.access_token) {
+            return 'No OAuth credentials found';
+        }
+
+        const expiresAt = integration.config?.credentials?.expires_at;
+        if (!expiresAt) {
+            return 'No expiry time found';
+        }
+
+        const expiryTime = new Date(expiresAt);
+        const thresholdTime = new Date(Date.now() + (expiryThresholdHours * 60 * 60 * 1000));
+
+        if (expiryTime > thresholdTime) {
+            return 'Token not near expiry';
+        }
+
+        return null;
+    }
+
+    /**
+     * Perform the actual token refresh
+     * @private
+     */
+    async _performTokenRefresh(frigg, integration) {
+        const expiresAt = integration.config?.credentials?.expires_at;
+
+        try {
+            const instance = await frigg.instantiate(integration.id);
+
+            if (!instance.primary?.api?.refreshAccessToken) {
+                return this._createResult(integration.id, 'skipped', 'API does not support token refresh');
+            }
+
+            await instance.primary.api.refreshAccessToken();
+            frigg.log('info', `Refreshed token for integration ${integration.id}`);
+
+            return {
+                integrationId: integration.id,
+                action: 'refreshed',
+                previousExpiry: expiresAt
+            };
+        } catch (error) {
+            frigg.log('error', `Failed to refresh token for ${integration.id}`, {
+                error: error.message
+            });
+            return this._createResult(integration.id, 'failed', error.message);
+        }
+    }
+
+    /**
+     * Create a result object
+     * @private
+     */
+    _createResult(integrationId, action, reason) {
+        return { integrationId, action, reason };
+    }
+}
+
+module.exports = { OAuthTokenRefreshScript };

package/src/infrastructure/__tests__/admin-auth-middleware.test.js

@@ -0,0 +1,148 @@
+const { adminAuthMiddleware } = require('../admin-auth-middleware');
+
+// Mock the admin script commands
+jest.mock('@friggframework/core/application/commands/admin-script-commands', () => ({
+    createAdminScriptCommands: jest.fn(),
+}));
+
+const { createAdminScriptCommands } = require('@friggframework/core/application/commands/admin-script-commands');
+
+describe('adminAuthMiddleware', () => {
+    let mockReq;
+    let mockRes;
+    let mockNext;
+    let mockCommands;
+
+    beforeEach(() => {
+        mockReq = {
+            headers: {},
+            ip: '127.0.0.1',
+        };
+
+        mockRes = {
+            status: jest.fn().mockReturnThis(),
+            json: jest.fn(),
+        };
+
+        mockNext = jest.fn();
+
+        mockCommands = {
+            validateAdminApiKey: jest.fn(),
+        };
+
+        createAdminScriptCommands.mockReturnValue(mockCommands);
+    });
+
+    afterEach(() => {
+        jest.clearAllMocks();
+    });
+
+    describe('Authorization header validation', () => {
+        it('should reject request without Authorization header', async () => {
+            await adminAuthMiddleware(mockReq, mockRes, mockNext);
+
+            expect(mockRes.status).toHaveBeenCalledWith(401);
+            expect(mockRes.json).toHaveBeenCalledWith({
+                error: 'Missing or invalid Authorization header',
+                code: 'MISSING_AUTH',
+            });
+            expect(mockNext).not.toHaveBeenCalled();
+        });
+
+        it('should reject request with invalid Authorization format', async () => {
+            mockReq.headers.authorization = 'InvalidFormat key123';
+
+            await adminAuthMiddleware(mockReq, mockRes, mockNext);
+
+            expect(mockRes.status).toHaveBeenCalledWith(401);
+            expect(mockRes.json).toHaveBeenCalledWith({
+                error: 'Missing or invalid Authorization header',
+                code: 'MISSING_AUTH',
+            });
+            expect(mockNext).not.toHaveBeenCalled();
+        });
+    });
+
+    describe('API key validation', () => {
+        it('should reject request with invalid API key', async () => {
+            mockReq.headers.authorization = 'Bearer invalid-key';
+            mockCommands.validateAdminApiKey.mockResolvedValue({
+                error: 401,
+                reason: 'Invalid API key',
+                code: 'INVALID_API_KEY',
+            });
+
+            await adminAuthMiddleware(mockReq, mockRes, mockNext);
+
+            expect(mockCommands.validateAdminApiKey).toHaveBeenCalledWith('invalid-key');
+            expect(mockRes.status).toHaveBeenCalledWith(401);
+            expect(mockRes.json).toHaveBeenCalledWith({
+                error: 'Invalid API key',
+                code: 'INVALID_API_KEY',
+            });
+            expect(mockNext).not.toHaveBeenCalled();
+        });
+
+        it('should reject request with expired API key', async () => {
+            mockReq.headers.authorization = 'Bearer expired-key';
+            mockCommands.validateAdminApiKey.mockResolvedValue({
+                error: 401,
+                reason: 'API key has expired',
+                code: 'EXPIRED_API_KEY',
+            });
+
+            await adminAuthMiddleware(mockReq, mockRes, mockNext);
+
+            expect(mockCommands.validateAdminApiKey).toHaveBeenCalledWith('expired-key');
+            expect(mockRes.status).toHaveBeenCalledWith(401);
+            expect(mockRes.json).toHaveBeenCalledWith({
+                error: 'API key has expired',
+                code: 'EXPIRED_API_KEY',
+            });
+            expect(mockNext).not.toHaveBeenCalled();
+        });
+
+        it('should accept request with valid API key', async () => {
+            const validKey = 'valid-api-key-123';
+            mockReq.headers.authorization = `Bearer ${validKey}`;
+            mockCommands.validateAdminApiKey.mockResolvedValue({
+                valid: true,
+                apiKey: {
+                    id: 'key-id-1',
+                    name: 'test-key',
+                    keyLast4: 'e123',
+                },
+            });
+
+            await adminAuthMiddleware(mockReq, mockRes, mockNext);
+
+            expect(mockCommands.validateAdminApiKey).toHaveBeenCalledWith(validKey);
+            expect(mockReq.adminApiKey).toBeDefined();
+            expect(mockReq.adminApiKey.name).toBe('test-key');
+            expect(mockReq.adminAudit).toBeDefined();
+            expect(mockReq.adminAudit.apiKeyName).toBe('test-key');
+            expect(mockReq.adminAudit.apiKeyLast4).toBe('e123');
+            expect(mockReq.adminAudit.ipAddress).toBe('127.0.0.1');
+            expect(mockNext).toHaveBeenCalled();
+            expect(mockRes.status).not.toHaveBeenCalled();
+        });
+    });
+
+    describe('Error handling', () => {
+        it('should handle validation errors gracefully', async () => {
+            mockReq.headers.authorization = 'Bearer some-key';
+            mockCommands.validateAdminApiKey.mockRejectedValue(
+                new Error('Database error')
+            );
+
+            await adminAuthMiddleware(mockReq, mockRes, mockNext);
+
+            expect(mockRes.status).toHaveBeenCalledWith(500);
+            expect(mockRes.json).toHaveBeenCalledWith({
+                error: 'Authentication failed',
+                code: 'AUTH_ERROR',
+            });
+            expect(mockNext).not.toHaveBeenCalled();
+        });
+    });
+});