@friggframework/core 0.2.31-v1-alpha-package-update.0 → 1.0.1-canary.a414ea2.0

package/database/models/IndividualUser.js

@@ -0,0 +1,76 @@
+const { mongoose } = require('../mongoose');
+const bcrypt = require('bcryptjs');
+const { UserModel: Parent } = require('./UserModel');
+
+const collectionName = 'IndividualUser';
+
+const schema = new mongoose.Schema({
+    email: { type: String },
+    username: { type: String, unique: true },
+    hashword: { type: String },
+    appUserId: { type: String },
+    organizationUser: { type: mongoose.Schema.Types.ObjectId, ref: 'User' },
+});
+
+schema.pre('save', async function () {
+    if (this.hashword) {
+        this.hashword = await bcrypt.hashSync(
+            this.hashword,
+            parseInt(this.schema.statics.decimals)
+        )
+    }
+})
+
+schema.static({
+    decimals: 10,
+    update: async function (id, options) {
+        if ('password' in options) {
+            options.hashword = await bcrypt.hashSync(
+                options.password,
+                parseInt(this.decimals)
+            );
+            delete options.password;
+        }
+        return this.findOneAndUpdate(
+            {_id: id},
+            options,
+            {new: true, useFindAndModify: true}
+        );
+    },
+    getUserByUsername: async function (username) {
+        let getByUser;
+        try{
+            getByUser = await this.find({username});
+        } catch (e) {
+            console.log('oops')
+        }
+
+        if (getByUser.length > 1) {
+            throw new Error(
+                'Unique username or email? Please reach out to our developers'
+            );
+        }
+
+        if (getByUser.length === 1) {
+            return getByUser[0];
+        }
+    },
+    getUserByAppUserId: async function (appUserId) {
+        const getByUser = await this.find({ appUserId });
+
+        if (getByUser.length > 1) {
+            throw new Error(
+                'Supposedly using a unique appUserId? Please reach out to our developers'
+            );
+        }
+
+
+        if (getByUser.length === 1) {
+            return getByUser[0];
+        }
+    }
+})
+
+const IndividualUser = Parent.discriminators?.IndividualUser || Parent.discriminator(collectionName, schema);
+
+module.exports = {IndividualUser};

package/database/models/OrganizationUser.js

@@ -0,0 +1,29 @@
+const { mongoose } = require('../mongoose');
+const { UserModel: Parent } = require('./UserModel');
+
+const collectionName = 'OrganizationUser';
+
+const schema = new mongoose.Schema({
+    appOrgId: { type: String, required: true, unique: true },
+    name: { type: String },
+});
+
+schema.static({
+    getUserByAppOrgId: async function (appOrgId) {
+        const getByUser = await this.find({ appOrgId });
+
+        if (getByUser.length > 1) {
+            throw new Error(
+                'Supposedly using a unique appOrgId? Please reach out to our developers'
+            );
+        }
+
+        if (getByUser.length === 1) {
+            return getByUser[0];
+        }
+    }
+})
+
+const OrganizationUser = Parent.discriminators?.OrganizationUser || Parent.discriminator(collectionName, schema);
+
+module.exports = {OrganizationUser};

package/database/models/State.js

@@ -0,0 +1,9 @@
+const { mongoose } = require('../mongoose');
+
+const schema = new mongoose.Schema({
+  state: { type: mongoose.Schema.Types.Mixed }
+});
+
+const State = mongoose.models.State || mongoose.model('State', schema);
+
+module.exports = { State };

package/database/models/Token.js

@@ -0,0 +1,70 @@
+const { mongoose } = require('../mongoose');
+const bcrypt = require('bcryptjs');
+
+const collectionName = 'Token';
+const decimals = 10;
+
+const schema = new mongoose.Schema({
+    token: { type: String, required: true },
+    created: { type: Date, default: Date.now },
+    expires: { type: Date },
+    user: { type: mongoose.Schema.Types.ObjectId, ref: 'User', required: true },
+});
+
+schema.static({
+    createTokenWithExpire: async function (userId, rawToken, minutes) {
+        // Create user token
+        let tokenHash = await bcrypt.hashSync(rawToken, parseInt(decimals));
+
+        let session = {
+            token: tokenHash,
+            expires: new Date(Date.now() + minutes * 60000).toISOString(),
+            user: userId,
+        };
+
+        return this.create(session);
+    },
+    // Takes in a token object and  that has been created in the database and the raw token value.
+    // Returns a json of just the token and id to return to the browser
+    createJSONToken: function (token, rawToken) {
+        let returnArr = {
+            id: token.id,
+            token: rawToken,
+        };
+        return JSON.stringify(returnArr);
+    },
+    // Takes in a token object and  that has been created in the database and the raw token value.
+    // Returns a base64 buffer of just the token and id to return to the browser
+    createBase64BufferToken: function (token, rawToken) {
+        let jsonVal = Token.createJSONToken(token, rawToken);
+        return Buffer.from(jsonVal).toString('base64');
+    },
+    getJSONTokenFromBase64BufferToken: function (buffer) {
+        let tokenStr = Buffer.from(buffer.trim(), 'base64').toString('ascii');
+        return JSON.parse(tokenStr);
+    },
+
+    // Takes in a JSON Token with id and token in it and verifies the token
+    // is valid from the database. If it is not va
+    validateAndGetTokenFromJSONToken: async function (tokenObj) {
+        let sessionToken = await this.findById(tokenObj.id);
+        if (sessionToken) {
+            if (
+                !(await bcrypt.compareSync(tokenObj.token, sessionToken.token))
+            ) {
+                throw new Error('Invalid Token: Token does not match');
+            }
+            if (new Date(sessionToken.expires) < new Date()) {
+                throw new Error('Invalid Token: Token is expired');
+            }
+
+            return sessionToken;
+        } else {
+            throw new Error('Invalid Token: Token does not exist');
+        }
+    }
+})
+
+const Token = mongoose.models.Token || mongoose.model(collectionName, schema);
+
+module.exports = { Token };

package/database/models/UserModel.js

@@ -0,0 +1,7 @@
+const { mongoose } = require('../mongoose');
+
+const schema = new mongoose.Schema({}, {timestamps: true})
+
+const UserModel = mongoose.models.User || mongoose.model('User',schema)
+
+module.exports = { UserModel: UserModel };

package/database/mongo.js

@@ -0,0 +1,45 @@
+// Best Practices Connecting from AWS Lambda:
+// https://dev.to/adnanrahic/building-a-serverless-rest-api-with-nodejs-and-mongodb-43db
+// https://mongoosejs.com/docs/lambda.html
+// https://www.mongodb.com/blog/post/optimizing-aws-lambda-performance-with-mongodb-atlas-and-nodejs
+const { Encrypt } = require('../encrypt');
+const { mongoose } = require('./mongoose');
+const { debug, flushDebugLog } = require('../logs');
+
+mongoose.plugin(Encrypt);
+mongoose.set('applyPluginsToDiscriminators', true); // Needed for LHEncrypt
+
+// Buffering means mongoose will queue up operations if it gets
+// With serverless, better to fail fast if not connected.
+// disconnected from MongoDB and send them when it reconnects.
+const mongoConfig = {
+    useNewUrlParser: true,
+    bufferCommands: false, // Disable mongoose buffering
+    autoCreate: false, // Disable because auto creation does not work without buffering
+    useUnifiedTopology: true,
+    serverSelectionTimeoutMS: 5000,
+};
+
+const checkIsConnected = () => mongoose.connection?.readyState > 0;
+
+const connectToDatabase = async () => {
+    if (checkIsConnected()) {
+        debug('=> using existing database connection');
+        return;
+    }
+
+    debug('=> using new database connection');
+    await mongoose.connect(process.env.MONGO_URI, mongoConfig);
+    debug('Connection state:',  mongoose.STATES[mongoose.connection.readyState]);
+    mongoose.connection.on('error', (error) => flushDebugLog(error));
+};
+
+const disconnectFromDatabase = async () => mongoose.disconnect();
+
+const createObjectId = () => new mongoose.Types.ObjectId();
+
+module.exports = {
+    connectToDatabase,
+    disconnectFromDatabase,
+    createObjectId,
+};

package/database/mongoose.js

@@ -0,0 +1,5 @@
+const mongoose = require('mongoose');
+mongoose.set('strictQuery', false);
+module.exports = {
+    mongoose
+}

package/encrypt/.eslintrc.json

@@ -0,0 +1,3 @@
+{
+    "extends": "@friggframework/eslint-config"
+}

package/encrypt/CHANGELOG.md

@@ -0,0 +1,78 @@
+# v1.1.8 (Fri Feb 02 2024)
+
+#### 🐛 Bug Fix
+
+- Added variable BYPASS_ENCRYPTION_STAGE to encrypt module [#248](https://github.com/friggframework/frigg/pull/248) ([@leofmds](https://github.com/leofmds))
+- Added variable BYPASS_ENCRYPTION_STAGE to encrypt module ([@leofmds](https://github.com/leofmds))
+
+#### Authors: 1
+
+- Leonardo Ferreira ([@leofmds](https://github.com/leofmds))
+
+---
+
+# v1.1.7 (Tue Apr 04 2023)
+
+:tada: This release contains work from a new contributor! :tada:
+
+Thank you, null[@debbie-yu](https://github.com/debbie-yu), for all your work!
+
+#### 🐛 Bug Fix
+
+- Adding new IntegrationMapping collection [#142](https://github.com/friggframework/frigg/pull/142) ([@debbie-yu](https://github.com/debbie-yu))
+- Merge branch 'main' of https://github.com/friggframework/frigg into debbie.yu/integration-mapping ([@debbie-yu](https://github.com/debbie-yu))
+- addressing PR feedback and adding unit tests around IntegrationMapping ([@debbie-yu](https://github.com/debbie-yu))
+- Bump independent versions \[skip ci\] ([@seanspeaks](https://github.com/seanspeaks))
+
+#### Authors: 2
+
+- [@debbie-yu](https://github.com/debbie-yu)
+- Sean Matthews ([@seanspeaks](https://github.com/seanspeaks))
+
+---
+
+# v1.1.6 (Tue Jan 31 2023)
+
+#### 🐛 Bug Fix
+
+- Bump independent versions \[skip ci\] ([@seanspeaks](https://github.com/seanspeaks))
+
+#### Authors: 1
+
+- Sean Matthews ([@seanspeaks](https://github.com/seanspeaks))
+
+---
+
+# v1.1.5 (Mon Jan 09 2023)
+
+#### 🐛 Bug Fix
+
+- Merge remote-tracking branch 'origin/main' into gitbook-updates [#48](https://github.com/friggframework/frigg/pull/48) ([@seanspeaks](https://github.com/seanspeaks))
+- Bump independent versions \[skip ci\] ([@seanspeaks](https://github.com/seanspeaks))
+- Merge remote-tracking branch 'origin/main' into simplify-mongoose-models ([@seanspeaks](https://github.com/seanspeaks))
+- Add READMEs for all packages and api-modules [#20](https://github.com/friggframework/frigg/pull/20) ([@seanspeaks](https://github.com/seanspeaks))
+- Add READMEs for all packages and api-modules ([@seanspeaks](https://github.com/seanspeaks))
+
+#### ⚠️ Pushed to `main`
+
+- Merge branch 'main' into gitbook-updates ([@seanspeaks](https://github.com/seanspeaks))
+- Refactored for more conventional naming (at least for packages) ([@seanspeaks](https://github.com/seanspeaks))
+
+#### Authors: 1
+
+- Sean Matthews ([@seanspeaks](https://github.com/seanspeaks))
+
+---
+
+# v1.1.4 (Tue Dec 06 2022)
+
+#### 🐛 Bug Fix
+
+- fix modules to @friggframework [#74](https://github.com/friggframework/frigg/pull/74) ([@sheehantoufiq](https://github.com/sheehantoufiq))
+- fix modules to @friggframework ([@sheehantoufiq](https://github.com/sheehantoufiq))
+- Bump independent versions \[skip ci\] ([@seanspeaks](https://github.com/seanspeaks))
+
+#### Authors: 2
+
+- Sean Matthews ([@seanspeaks](https://github.com/seanspeaks))
+- Sheehan Toufiq Khan ([@sheehantoufiq](https://github.com/sheehantoufiq))

package/encrypt/Cryptor.js

@@ -0,0 +1,236 @@
+const crypto = require('crypto');
+const AWS = require('aws-sdk');
+const { get, set } = require('lodash');
+const aes = require('./aes');
+
+const hasValue = (a) => a !== undefined && a !== null && a !== '';
+
+class Cryptor {
+    constructor({ fields, shouldUseAws }) {
+        this.shouldUseAws = shouldUseAws;
+        this.fields = fields;
+
+        this.permutationsByField = {};
+
+        for (const field of fields) {
+            this.permutationsByField[field] = this.calculatePermutations(
+                field.split('.')
+            );
+        }
+    }
+
+    async generateDataKey() {
+        if (this.shouldUseAws) {
+            const kmsClient = new AWS.KMS();
+            const dataKey = await kmsClient
+                .generateDataKey({
+                    KeyId: process.env.KMS_KEY_ARN,
+                    KeySpec: 'AES_256',
+                })
+                .promise();
+
+            const keyId = Buffer.from(dataKey.KeyId).toString('base64');
+            const encryptedKey = dataKey.CiphertextBlob.toString('base64');
+            const plaintext = dataKey.Plaintext;
+            return { keyId, encryptedKey, plaintext };
+        }
+
+        const { AES_KEY, AES_KEY_ID } = process.env;
+        const randomKey = crypto.randomBytes(32).toString('hex').slice(0, 32);
+
+        return {
+            keyId: Buffer.from(AES_KEY_ID).toString('base64'),
+            encryptedKey: Buffer.from(aes.encrypt(randomKey, AES_KEY)).toString(
+                'base64'
+            ),
+            plaintext: randomKey,
+        };
+    }
+
+    getKeyFromEnvironment(keyId) {
+        const availableKeys = {
+            [process.env.AES_KEY_ID]: process.env.AES_KEY,
+            [process.env.DEPRECATED_AES_KEY_ID]: process.env.DEPRECATED_AES_KEY,
+        };
+
+        const key = availableKeys[keyId];
+
+        if (!key) {
+            throw new Error(`No encryption key found with ID "${keyId}"`);
+        }
+
+        return key;
+    }
+
+    async decryptDataKey(keyId, encryptedKey) {
+        if (this.shouldUseAws) {
+            const kmsClient = new AWS.KMS();
+            const dataKey = await kmsClient
+                .decrypt({
+                    KeyId: keyId,
+                    CiphertextBlob: encryptedKey,
+                })
+                .promise();
+
+            return dataKey.Plaintext;
+        }
+
+        const key = this.getKeyFromEnvironment(keyId);
+        return aes.decrypt(encryptedKey, key);
+    }
+
+    // If the field has a value in the document, apply async function f to that field.
+    async setInDocument(doc, f) {
+        // Use the Mongoose document get/set when available (not for insertMany)
+        if (doc.get) {
+            for (const field of this.fields) {
+                const value = doc.get(field);
+                if (hasValue(value)) {
+                    doc.set(field, await f(value));
+                }
+            }
+            return;
+        }
+
+        // Otherwise use permutations.
+        for (const field of this.fields) {
+            const updatedDoc = await this.applyAll(doc, field, f);
+            Object.assign(doc, updatedDoc);
+        }
+    }
+
+    // Calculate all possible permutations for a nested field.  For example a
+    // field "deeply.nested.field" might be referred to in a Mongo query as
+    // { deeply: { 'nested.field': {} } } or { 'deeply.nested.field': {} }
+    // etc.  For a given path, this gives all path parts to check in a format
+    // that lodash understands when using get and set with an array of path
+    // parts e.g. get(o, ['deeply', 'nested.parts'])
+    calculatePermutations = (parts) => {
+        if (!parts.length) return [];
+        if (parts.length === 1) return [parts];
+
+        const combos = [];
+
+        for (let i = 0; i < parts.length; i += 1) {
+            const frontPath = parts.slice(0, i + 1).join('.');
+            const rest = parts.slice(i + 1);
+
+            if (rest.length) {
+                combos.push(
+                    ...this.calculatePermutations(rest).map((child) => [
+                        frontPath,
+                        ...child,
+                    ])
+                );
+            } else {
+                combos.push([frontPath]);
+            }
+        }
+
+        return combos;
+    };
+
+    // Encrypt all possible permutations of a field (possibly nested), if there
+    // is a value at that path permutation.
+    async applyAll(o, field, f) {
+        const clone = { ...o };
+        const permutations = this.permutationsByField[field];
+
+        for (const path of permutations) {
+            const value = get(o, path);
+            if (hasValue(value)) {
+                set(clone, path, await f(value));
+            }
+        }
+
+        return clone;
+    }
+
+    async processFieldsInDocuments(docs, f) {
+        const promises = docs
+            .filter(Boolean)
+            .flatMap((doc) => this.setInDocument(doc, f));
+
+        return Promise.all(promises);
+    }
+
+    async encryptFieldsInDocuments(docs) {
+        await this.processFieldsInDocuments(docs, this.encrypt.bind(this));
+    }
+
+    async decryptFieldsInDocuments(docs) {
+        await this.processFieldsInDocuments(docs, this.decrypt.bind(this));
+    }
+
+    async encryptFieldsInQuery(query) {
+        for (const field of this.fields) {
+            const originalUpdate = query.getUpdate();
+            const updatedUpdate = await this.applyAll(
+                originalUpdate,
+                field,
+                this.encrypt.bind(this)
+            );
+
+            if (originalUpdate.$set) {
+                const updatedSetUpdate = await this.applyAll(
+                    originalUpdate.$set,
+                    field,
+                    this.encrypt.bind(this)
+                );
+                updatedUpdate.$set = { ...updatedSetUpdate };
+            }
+
+            if (originalUpdate.$setOnInsert) {
+                const updatedSetOnInsertUpdate = await this.applyAll(
+                    originalUpdate.$setOnInsert,
+                    field,
+                    this.encrypt.bind(this)
+                );
+                updatedUpdate.$setOnInsert = { ...updatedSetOnInsertUpdate };
+            }
+
+            query.setUpdate(updatedUpdate);
+        }
+    }
+
+    expectNotToUpdateManyEncrypted(update) {
+        for (const field of this.fields) {
+            if (update.$set && hasValue(update.$set[field])) {
+                throw new Error(
+                    'Attempted to update encrypted field of multiple documents'
+                );
+            }
+
+            if (update.$setOnInsert && hasValue(update.$setOnInsert[field])) {
+                throw new Error(
+                    'Attempted to update encrypted field of multiple documents'
+                );
+            }
+
+            if (hasValue(update[field])) {
+                throw new Error(
+                    'Attempted to update encrypted field of multiple documents'
+                );
+            }
+        }
+    }
+
+    async encrypt(text) {
+        const { keyId, encryptedKey, plaintext } = await this.generateDataKey();
+        const encryptedText = aes.encrypt(text, plaintext);
+
+        return `${keyId}:${encryptedText}:${encryptedKey}`;
+    }
+
+    async decrypt(text) {
+        const split = text.split(':');
+        const keyId = Buffer.from(split[0], 'base64').toString();
+        const encryptedText = `${split[1]}:${split[2]}`;
+        const encryptedKey = Buffer.from(split[3], 'base64');
+        const plaintext = await this.decryptDataKey(keyId, encryptedKey);
+
+        return aes.decrypt(encryptedText, plaintext);
+    }
+}
+
+module.exports = { Cryptor };

package/encrypt/Cryptor.test.js

@@ -0,0 +1,32 @@
+const { Cryptor } = require('./Cryptor');
+
+describe('Cryptor', () => {
+    describe('Permutations', () => {
+        it('calculates permutations correctly', async () => {
+            // Given a nested field, we want all possible paths that could access it.
+            const cryptor = new Cryptor({ fields: ['a.b.c.d', 'e'] });
+            expect(cryptor.permutationsByField).toEqual({
+                'a.b.c.d': [
+                    ['a', 'b', 'c', 'd'],
+                    ['a', 'b', 'c.d'],
+                    ['a', 'b.c', 'd'],
+                    ['a', 'b.c.d'],
+                    ['a.b', 'c', 'd'],
+                    ['a.b', 'c.d'],
+                    ['a.b.c', 'd'],
+                    ['a.b.c.d'],
+                ],
+                e: [['e']],
+            });
+        });
+    });
+
+    describe('Keys', () => {
+        it('raises error on missing environment', () => {
+            const cryptor = new Cryptor({ fields: ['a.b.c.d', 'e'] });
+            expect(cryptor.getKeyFromEnvironment).toThrow(
+                'No encryption key found with ID "undefined"'
+            );
+        });
+    });
+});

package/encrypt/LICENSE.md

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2022 Left Hook Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/encrypt/README.md

@@ -0,0 +1,13 @@
+# encrypt
+
+This package exports the `encrypt` mongoose plugin used in [Frigg](https://friggframework.org). You can find its documentation [on Frigg's website](https://docs.friggframework.org/packages/encrypt).
+
+## Configuration
+
+| Environment variable    | Description                                                                                                |
+|-------------------------|------------------------------------------------------------------------------------------------------------|
+| KMS_KEY_ARN             | The AWS KMS Key ARN, if using it to encryption/decryption.                                                 |
+| AES_KEY                 | AES key, used in conjunction with AES_KEY_ID. AES option is mutually exclusive with KMS_KEY_ARN.           |
+| AES_KEY_ID              | AES key ID, used in conjunction with AES_KEY.                                                              |
+| STAGE                   | The stage in which the application is running. It is usually defined in Serverless configuration, if used. |
+| BYPASS_ENCRYPTION_STAGE | Stages to bypass encryption/decryption, separated by comma.                                                |

package/encrypt/aes.js

@@ -0,0 +1,27 @@
+const crypto = require('crypto');
+
+const algorithm = 'aes-256-ctr';
+
+function encrypt(text, key) {
+    const iv = crypto.randomBytes(16);
+    const randomString = iv.toString('hex');
+
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+    let crypted = cipher.update(text, 'utf8', 'hex');
+    crypted += cipher.final('hex');
+    return `${randomString}:${crypted}`;
+}
+
+function decrypt(text, key) {
+    const parts = text.toString().split(':');
+    const iv = Buffer.from(parts[0], 'hex');
+    const decipher = crypto.createDecipheriv(algorithm, key, iv);
+    let dec = decipher.update(parts[1], 'hex', 'utf8');
+    dec += decipher.final('utf8');
+    return dec;
+}
+
+module.exports = {
+    encrypt,
+    decrypt,
+};