@friggframework/core 2.0.0--canary.461.65a2be7.0 → 2.0.0--canary.461.0b53aff.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/handlers/use-cases/check-integrations-health-use-case.js +1 -1
  2. package/handlers/use-cases/check-integrations-health-use-case.test.js +4 -4
  3. package/index.js +12 -0
  4. package/integrations/integration-router.js +54 -70
  5. package/integrations/tests/integration-router-multi-auth.test.js +368 -0
  6. package/package.json +5 -5
  7. package/user/tests/use-cases/get-user-from-adopter-jwt.test.js +113 -0
  8. package/user/tests/use-cases/get-user-from-x-frigg-headers.test.js +345 -0
  9. package/user/use-cases/authenticate-user.js +78 -0
  10. package/user/use-cases/get-user-from-adopter-jwt.js +148 -0
  11. package/user/use-cases/get-user-from-x-frigg-headers.js +105 -0
package/user/tests/use-cases/get-user-from-x-frigg-headers.test.js ADDED
@@ -0,0 +1,345 @@
1
+ const Boom = require('@hapi/boom');
2
+ const { GetUserFromXFriggHeaders } = require('../../use-cases/get-user-from-x-frigg-headers');
3
+ const { User } = require('../../user');
4
+
5
+ describe('GetUserFromXFriggHeaders', () => {
6
+ let getUserFromXFriggHeaders;
7
+ let mockUserRepository;
8
+ let mockUserConfig;
9
+
10
+ beforeEach(() => {
11
+ mockUserRepository = {
12
+ findIndividualUserByAppUserId: jest.fn(),
13
+ findOrganizationUserByAppOrgId: jest.fn(),
14
+ createIndividualUser: jest.fn(),
15
+ createOrganizationUser: jest.fn(),
16
+ };
17
+
18
+ mockUserConfig = {
19
+ usePassword: false,
20
+ primary: 'individual',
21
+ individualUserRequired: true,
22
+ organizationUserRequired: false,
23
+ };
24
+
25
+ getUserFromXFriggHeaders = new GetUserFromXFriggHeaders({
26
+ userRepository: mockUserRepository,
27
+ userConfig: mockUserConfig,
28
+ });
29
+ });
30
+
31
+ describe('Validation', () => {
32
+ it('should throw 400 error when neither appUserId nor appOrgId provided', async () => {
33
+ await expect(
34
+ getUserFromXFriggHeaders.execute(null, null)
35
+ ).rejects.toThrow(Boom.badRequest().message);
36
+
37
+ await expect(
38
+ getUserFromXFriggHeaders.execute(undefined, undefined)
39
+ ).rejects.toThrow();
40
+ });
41
+ });
42
+
43
+ describe('Find Existing User', () => {
44
+ it('should find existing individual user by appUserId', async () => {
45
+ const mockIndividualUser = {
46
+ id: 'user-123',
47
+ appUserId: 'app-user-456',
48
+ username: 'testuser',
49
+ };
50
+
51
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
52
+ mockIndividualUser
53
+ );
54
+
55
+ const result = await getUserFromXFriggHeaders.execute(
56
+ 'app-user-456',
57
+ null
58
+ );
59
+
60
+ expect(result).toBeInstanceOf(User);
61
+ expect(
62
+ mockUserRepository.findIndividualUserByAppUserId
63
+ ).toHaveBeenCalledWith('app-user-456');
64
+ expect(
65
+ mockUserRepository.createIndividualUser
66
+ ).not.toHaveBeenCalled();
67
+ });
68
+
69
+ it('should find existing organization user by appOrgId', async () => {
70
+ mockUserConfig.organizationUserRequired = true;
71
+ mockUserConfig.primary = 'organization';
72
+
73
+ const mockOrgUser = {
74
+ id: 'org-123',
75
+ appOrgId: 'app-org-456',
76
+ };
77
+
78
+ mockUserRepository.findOrganizationUserByAppOrgId.mockResolvedValue(
79
+ mockOrgUser
80
+ );
81
+
82
+ const result = await getUserFromXFriggHeaders.execute(
83
+ null,
84
+ 'app-org-456'
85
+ );
86
+
87
+ expect(result).toBeInstanceOf(User);
88
+ expect(
89
+ mockUserRepository.findOrganizationUserByAppOrgId
90
+ ).toHaveBeenCalledWith('app-org-456');
91
+ expect(
92
+ mockUserRepository.createOrganizationUser
93
+ ).not.toHaveBeenCalled();
94
+ });
95
+ });
96
+
97
+ describe('Auto-create User', () => {
98
+ it('should create new individual user when appUserId not found', async () => {
99
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
100
+ null
101
+ );
102
+
103
+ const mockCreatedUser = {
104
+ id: 'user-new',
105
+ appUserId: 'new-app-user',
106
+ username: 'app-user-new-app-user',
107
+ email: 'new-app-user@app.local',
108
+ };
109
+
110
+ mockUserRepository.createIndividualUser.mockResolvedValue(
111
+ mockCreatedUser
112
+ );
113
+
114
+ const result = await getUserFromXFriggHeaders.execute(
115
+ 'new-app-user',
116
+ null
117
+ );
118
+
119
+ expect(result).toBeInstanceOf(User);
120
+ expect(
121
+ mockUserRepository.createIndividualUser
122
+ ).toHaveBeenCalledWith({
123
+ appUserId: 'new-app-user',
124
+ username: 'app-user-new-app-user',
125
+ email: 'new-app-user@app.local',
126
+ });
127
+ });
128
+
129
+ it('should create new organization user when appOrgId not found', async () => {
130
+ mockUserConfig.organizationUserRequired = true;
131
+ mockUserConfig.primary = 'organization';
132
+ mockUserConfig.individualUserRequired = false;
133
+
134
+ mockUserRepository.findOrganizationUserByAppOrgId.mockResolvedValue(
135
+ null
136
+ );
137
+
138
+ const mockCreatedOrgUser = {
139
+ id: 'org-new',
140
+ appOrgId: 'new-app-org',
141
+ };
142
+
143
+ mockUserRepository.createOrganizationUser.mockResolvedValue(
144
+ mockCreatedOrgUser
145
+ );
146
+
147
+ const result = await getUserFromXFriggHeaders.execute(
148
+ null,
149
+ 'new-app-org'
150
+ );
151
+
152
+ expect(result).toBeInstanceOf(User);
153
+ expect(
154
+ mockUserRepository.createOrganizationUser
155
+ ).toHaveBeenCalledWith({
156
+ appOrgId: 'new-app-org',
157
+ });
158
+ });
159
+ });
160
+
161
+ describe('User ID Conflict Detection', () => {
162
+ it('should throw 400 error when both IDs provided but belong to different users', async () => {
163
+ const mockIndividualUser = {
164
+ id: 'user-123',
165
+ appUserId: 'app-user-456',
166
+ organizationUser: 'org-999', // Different org
167
+ };
168
+
169
+ const mockOrgUser = {
170
+ id: 'org-888', // Different ID
171
+ appOrgId: 'app-org-789',
172
+ };
173
+
174
+ mockUserConfig.organizationUserRequired = true;
175
+
176
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
177
+ mockIndividualUser
178
+ );
179
+ mockUserRepository.findOrganizationUserByAppOrgId.mockResolvedValue(
180
+ mockOrgUser
181
+ );
182
+
183
+ await expect(
184
+ getUserFromXFriggHeaders.execute('app-user-456', 'app-org-789')
185
+ ).rejects.toThrow(Boom.badRequest().message);
186
+
187
+ await expect(
188
+ getUserFromXFriggHeaders.execute('app-user-456', 'app-org-789')
189
+ ).rejects.toThrow('User ID mismatch');
190
+ });
191
+
192
+ it('should succeed when both IDs provided and belong to same user', async () => {
193
+ const mockOrgUser = {
194
+ id: 'org-123',
195
+ appOrgId: 'app-org-789',
196
+ };
197
+
198
+ const mockIndividualUser = {
199
+ id: 'user-456',
200
+ appUserId: 'app-user-456',
201
+ organizationUser: 'org-123', // Matches org user
202
+ };
203
+
204
+ mockUserConfig.organizationUserRequired = true;
205
+
206
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
207
+ mockIndividualUser
208
+ );
209
+ mockUserRepository.findOrganizationUserByAppOrgId.mockResolvedValue(
210
+ mockOrgUser
211
+ );
212
+
213
+ const result = await getUserFromXFriggHeaders.execute(
214
+ 'app-user-456',
215
+ 'app-org-789'
216
+ );
217
+
218
+ expect(result).toBeInstanceOf(User);
219
+ expect(
220
+ mockUserRepository.createIndividualUser
221
+ ).not.toHaveBeenCalled();
222
+ expect(
223
+ mockUserRepository.createOrganizationUser
224
+ ).not.toHaveBeenCalled();
225
+ });
226
+
227
+ it('should not validate conflict when only one ID provided', async () => {
228
+ const mockIndividualUser = {
229
+ id: 'user-123',
230
+ appUserId: 'app-user-456',
231
+ };
232
+
233
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
234
+ mockIndividualUser
235
+ );
236
+
237
+ const result = await getUserFromXFriggHeaders.execute(
238
+ 'app-user-456',
239
+ null
240
+ );
241
+
242
+ expect(result).toBeInstanceOf(User);
243
+ expect(
244
+ mockUserRepository.findOrganizationUserByAppOrgId
245
+ ).not.toHaveBeenCalled();
246
+ });
247
+ });
248
+
249
+ describe('User Config Respect', () => {
250
+ it('should respect individualUserRequired setting', async () => {
251
+ mockUserConfig.individualUserRequired = false;
252
+
253
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
254
+ null
255
+ );
256
+
257
+ await getUserFromXFriggHeaders.execute('app-user-test', null);
258
+
259
+ // Should not attempt to query or create individual user if not required
260
+ expect(
261
+ mockUserRepository.findIndividualUserByAppUserId
262
+ ).not.toHaveBeenCalled();
263
+ });
264
+
265
+ it('should respect organizationUserRequired setting', async () => {
266
+ mockUserConfig.organizationUserRequired = false;
267
+
268
+ mockUserRepository.findOrganizationUserByAppOrgId.mockResolvedValue(
269
+ null
270
+ );
271
+
272
+ const mockIndividualUser = {
273
+ id: 'user-123',
274
+ appUserId: 'app-user-456',
275
+ };
276
+
277
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
278
+ mockIndividualUser
279
+ );
280
+
281
+ await getUserFromXFriggHeaders.execute('app-user-456', 'app-org-789');
282
+
283
+ // Should not query org user if not required
284
+ expect(
285
+ mockUserRepository.findOrganizationUserByAppOrgId
286
+ ).not.toHaveBeenCalled();
287
+ });
288
+
289
+ it('should respect primary user setting', async () => {
290
+ mockUserConfig.primary = 'organization';
291
+ mockUserConfig.organizationUserRequired = true;
292
+
293
+ const mockOrgUser = {
294
+ id: 'org-123',
295
+ appOrgId: 'app-org-789',
296
+ };
297
+
298
+ mockUserRepository.findOrganizationUserByAppOrgId.mockResolvedValue(
299
+ mockOrgUser
300
+ );
301
+
302
+ const result = await getUserFromXFriggHeaders.execute(
303
+ null,
304
+ 'app-org-789'
305
+ );
306
+
307
+ expect(result).toBeInstanceOf(User);
308
+ // Verify User is constructed with org as primary
309
+ expect(result.config.primary).toBe('organization');
310
+ });
311
+ });
312
+
313
+ describe('Edge Cases', () => {
314
+ it('should handle both IDs when only one user exists', async () => {
315
+ const mockIndividualUser = {
316
+ id: 'user-123',
317
+ appUserId: 'app-user-456',
318
+ };
319
+
320
+ mockUserConfig.organizationUserRequired = true;
321
+
322
+ mockUserRepository.findIndividualUserByAppUserId.mockResolvedValue(
323
+ mockIndividualUser
324
+ );
325
+ mockUserRepository.findOrganizationUserByAppOrgId.mockResolvedValue(
326
+ null
327
+ );
328
+
329
+ const result = await getUserFromXFriggHeaders.execute(
330
+ 'app-user-456',
331
+ 'app-org-789'
332
+ );
333
+
334
+ expect(result).toBeInstanceOf(User);
335
+ // Should not throw conflict error when only one user found
336
+ });
337
+
338
+ it('should handle empty string IDs as falsy', async () => {
339
+ await expect(
340
+ getUserFromXFriggHeaders.execute('', '')
341
+ ).rejects.toThrow();
342
+ });
343
+ });
344
+ });
345
+
package/user/use-cases/authenticate-user.js ADDED
@@ -0,0 +1,78 @@
1
+ const Boom = require('@hapi/boom');
2
+
3
+ /**
4
+ * Use case for authenticating a user using multiple authentication strategies.
5
+ * Supports Frigg native tokens, x-frigg headers, and adopter JWT (when implemented).
6
+ * Tries authentication methods in priority order based on userConfig.authModes.
7
+ *
8
+ * @class AuthenticateUser
9
+ */
10
+ class AuthenticateUser {
11
+ /**
12
+ * Creates a new AuthenticateUser instance.
13
+ * @param {Object} params - Configuration parameters.
14
+ * @param {import('./get-user-from-bearer-token').GetUserFromBearerToken} params.getUserFromBearerToken - Use case for bearer token auth.
15
+ * @param {import('./get-user-from-x-frigg-headers').GetUserFromXFriggHeaders} params.getUserFromXFriggHeaders - Use case for x-frigg header auth.
16
+ * @param {import('./get-user-from-adopter-jwt').GetUserFromAdopterJwt} params.getUserFromAdopterJwt - Use case for adopter JWT auth.
17
+ * @param {Object} params.userConfig - The user config in the app definition.
18
+ */
19
+ constructor({
20
+ getUserFromBearerToken,
21
+ getUserFromXFriggHeaders,
22
+ getUserFromAdopterJwt,
23
+ userConfig,
24
+ }) {
25
+ this.getUserFromBearerToken = getUserFromBearerToken;
26
+ this.getUserFromXFriggHeaders = getUserFromXFriggHeaders;
27
+ this.getUserFromAdopterJwt = getUserFromAdopterJwt;
28
+ this.userConfig = userConfig;
29
+ }
30
+
31
+ /**
32
+ * Executes the use case.
33
+ * @async
34
+ * @param {Object} req - Express request object with headers.
35
+ * @returns {Promise<import('../user').User>} The authenticated user object.
36
+ * @throws {Boom} Unauthorized if no valid authentication provided.
37
+ */
38
+ async execute(req) {
39
+ const authModes = this.userConfig.authModes || { friggToken: true };
40
+
41
+ // Priority 1: x-frigg headers (backend-to-backend)
42
+ if (authModes.xFriggHeaders !== false) {
43
+ const appUserId = req.headers['x-frigg-appuserid'];
44
+ const appOrgId = req.headers['x-frigg-apporgid'];
45
+
46
+ if (appUserId || appOrgId) {
47
+ return await this.getUserFromXFriggHeaders.execute(
48
+ appUserId,
49
+ appOrgId
50
+ );
51
+ }
52
+ }
53
+
54
+ // Priority 2: Adopter JWT (if enabled)
55
+ if (
56
+ authModes.adopterJwt === true &&
57
+ req.headers.authorization?.startsWith('Bearer ')
58
+ ) {
59
+ const token = req.headers.authorization.split(' ')[1];
60
+ // Detect JWT format (3 parts separated by dots)
61
+ if (token && token.split('.').length === 3) {
62
+ return await this.getUserFromAdopterJwt.execute(token);
63
+ }
64
+ }
65
+
66
+ // Priority 3: Frigg native token (default)
67
+ if (authModes.friggToken !== false) {
68
+ return await this.getUserFromBearerToken.execute(
69
+ req.headers.authorization
70
+ );
71
+ }
72
+
73
+ throw Boom.unauthorized('No valid authentication provided');
74
+ }
75
+ }
76
+
77
+ module.exports = { AuthenticateUser };
78
+
package/user/use-cases/get-user-from-adopter-jwt.js ADDED
@@ -0,0 +1,148 @@
1
+ const Boom = require('@hapi/boom');
2
+
3
+ /**
4
+ * STUB: Use case for retrieving a user from adopter-provided JWT token.
5
+ *
6
+ * This is a stub implementation for future JWT authentication support.
7
+ * When implemented, this will allow adopters to use their own JWT tokens
8
+ * for authentication instead of Frigg's native token system.
9
+ *
10
+ * FUTURE IMPLEMENTATION REQUIREMENTS:
11
+ * - Validate JWT signature using jwtConfig.secret from app definition
12
+ * - Support configurable signing algorithms (HS256, HS384, HS512, RS256, RS384, RS512)
13
+ * - Extract user identifiers from JWT claims based on jwtConfig.userIdClaim and jwtConfig.orgIdClaim
14
+ * - Find or create user based on extracted claim values
15
+ * - Handle token expiration and validation errors
16
+ * - Support refresh tokens (optional)
17
+ * - Validate user ID conflicts if both individual and org IDs present in JWT
18
+ *
19
+ * RECOMMENDED IMPLEMENTATION:
20
+ * - Use 'jsonwebtoken' package for JWT parsing and validation
21
+ * - Cache JWT public keys for RS* algorithms
22
+ * - Add comprehensive error handling for invalid tokens
23
+ * - Log authentication attempts for security auditing
24
+ *
25
+ * @todo Implement JWT validation with jsonwebtoken package
26
+ * @todo Add unit tests for JWT parsing and claim extraction
27
+ * @todo Document adopter JWT integration guide in Frigg docs
28
+ * @todo Add support for JWT refresh tokens
29
+ * @todo Implement JWT public key caching for RS* algorithms
30
+ *
31
+ * @class GetUserFromAdopterJwt
32
+ */
33
+ class GetUserFromAdopterJwt {
34
+ /**
35
+ * Creates a new GetUserFromAdopterJwt instance.
36
+ * @param {Object} params - Configuration parameters.
37
+ * @param {import('../repositories/user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
38
+ * @param {Object} params.userConfig - The user config in the app definition.
39
+ */
40
+ constructor({ userRepository, userConfig }) {
41
+ this.userRepository = userRepository;
42
+ this.userConfig = userConfig;
43
+ }
44
+
45
+ /**
46
+ * Executes the use case.
47
+ * @async
48
+ * @param {string} jwtToken - The JWT token from the Authorization header.
49
+ * @returns {Promise<import('../user').User>} The authenticated user object.
50
+ * @throws {Boom} 501 Not Implemented - This feature is not yet available.
51
+ */
52
+ async execute(jwtToken) {
53
+ throw Boom.notImplemented(
54
+ 'Adopter JWT authentication is not yet implemented. ' +
55
+ 'This feature is planned for a future Frigg release. ' +
56
+ 'Please use one of the supported authentication modes instead: ' +
57
+ 'friggToken (native bearer token) or xFriggHeaders (backend-to-backend with x-frigg-appUserId/appOrgId headers).'
58
+ );
59
+
60
+ /* FUTURE IMPLEMENTATION PSEUDOCODE:
61
+
62
+ const jwt = require('jsonwebtoken');
63
+
64
+ // Validate JWT configuration exists
65
+ if (!this.userConfig.jwtConfig || !this.userConfig.jwtConfig.secret) {
66
+ throw Boom.badImplementation('JWT configuration is required when adopterJwt auth mode is enabled');
67
+ }
68
+
69
+ try {
70
+ // Verify and decode JWT
71
+ const decoded = jwt.verify(jwtToken, this.userConfig.jwtConfig.secret, {
72
+ algorithms: [this.userConfig.jwtConfig.algorithm || 'HS256']
73
+ });
74
+
75
+ // Extract user identifiers from claims
76
+ const appUserId = decoded[this.userConfig.jwtConfig.userIdClaim || 'sub'];
77
+ const appOrgId = decoded[this.userConfig.jwtConfig.orgIdClaim || 'org_id'];
78
+
79
+ // At least one identifier required
80
+ if (!appUserId && !appOrgId) {
81
+ throw Boom.badRequest('JWT must contain user or organization identifier claims');
82
+ }
83
+
84
+ // Find existing users
85
+ let individualUserData = null;
86
+ let organizationUserData = null;
87
+
88
+ if (appUserId) {
89
+ individualUserData = await this.userRepository.findIndividualUserByAppUserId(appUserId);
90
+ }
91
+
92
+ if (appOrgId) {
93
+ organizationUserData = await this.userRepository.findOrganizationUserByAppOrgId(appOrgId);
94
+ }
95
+
96
+ // Validate no conflicts if both IDs present
97
+ if (appUserId && appOrgId && individualUserData && organizationUserData) {
98
+ const individualOrgId = individualUserData.organizationUser?.toString();
99
+ const expectedOrgId = organizationUserData.id?.toString();
100
+
101
+ if (individualOrgId !== expectedOrgId) {
102
+ throw Boom.badRequest(
103
+ 'User ID mismatch: JWT claims refer to different users. ' +
104
+ 'Individual and organization IDs must belong to the same user.'
105
+ );
106
+ }
107
+ }
108
+
109
+ // Auto-create if not found
110
+ if (!individualUserData && !organizationUserData) {
111
+ if (appUserId) {
112
+ individualUserData = await this.userRepository.createIndividualUser({
113
+ appUserId,
114
+ username: `jwt-user-${appUserId}`,
115
+ email: decoded.email || `${appUserId}@jwt.local`,
116
+ });
117
+ } else {
118
+ organizationUserData = await this.userRepository.createOrganizationUser({
119
+ appOrgId,
120
+ });
121
+ }
122
+ }
123
+
124
+ return new User(
125
+ individualUserData,
126
+ organizationUserData,
127
+ this.userConfig.usePassword,
128
+ this.userConfig.primary,
129
+ this.userConfig.individualUserRequired,
130
+ this.userConfig.organizationUserRequired
131
+ );
132
+
133
+ } catch (error) {
134
+ if (error.name === 'TokenExpiredError') {
135
+ throw Boom.unauthorized('JWT token has expired');
136
+ } else if (error.name === 'JsonWebTokenError') {
137
+ throw Boom.unauthorized('Invalid JWT token');
138
+ } else if (error.isBoom) {
139
+ throw error;
140
+ }
141
+ throw Boom.unauthorized('JWT authentication failed');
142
+ }
143
+ */
144
+ }
145
+ }
146
+
147
+ module.exports = { GetUserFromAdopterJwt };
148
+
package/user/use-cases/get-user-from-x-frigg-headers.js ADDED
@@ -0,0 +1,105 @@
1
+ const Boom = require('@hapi/boom');
2
+ const { User } = require('../user');
3
+
4
+ /**
5
+ * Use case for retrieving or creating a user from x-frigg header identifiers.
6
+ * Supports backend-to-backend API communication using application user IDs.
7
+ *
8
+ * @class GetUserFromXFriggHeaders
9
+ */
10
+ class GetUserFromXFriggHeaders {
11
+ /**
12
+ * Creates a new GetUserFromXFriggHeaders instance.
13
+ * @param {Object} params - Configuration parameters.
14
+ * @param {import('../repositories/user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
15
+ * @param {Object} params.userConfig - The user config in the app definition.
16
+ */
17
+ constructor({ userRepository, userConfig }) {
18
+ this.userRepository = userRepository;
19
+ this.userConfig = userConfig;
20
+ }
21
+
22
+ /**
23
+ * Executes the use case.
24
+ * @async
25
+ * @param {string} [appUserId] - The app user ID from x-frigg-appUserId header.
26
+ * @param {string} [appOrgId] - The app organization ID from x-frigg-appOrgId header.
27
+ * @returns {Promise<import('../user').User>} The authenticated user object.
28
+ * @throws {Boom} 400 Bad Request if neither ID is provided or if both IDs are provided but belong to different users.
29
+ */
30
+ async execute(appUserId, appOrgId) {
31
+ // At least one header must be provided
32
+ if (!appUserId && !appOrgId) {
33
+ throw Boom.badRequest(
34
+ 'At least one of x-frigg-appUserId or x-frigg-appOrgId headers is required for backend-to-backend authentication'
35
+ );
36
+ }
37
+
38
+ // Find users by both IDs if both are provided
39
+ let individualUserData = null;
40
+ let organizationUserData = null;
41
+
42
+ if (appUserId && this.userConfig.individualUserRequired !== false) {
43
+ individualUserData =
44
+ await this.userRepository.findIndividualUserByAppUserId(
45
+ appUserId
46
+ );
47
+ }
48
+
49
+ if (appOrgId && this.userConfig.organizationUserRequired) {
50
+ organizationUserData =
51
+ await this.userRepository.findOrganizationUserByAppOrgId(
52
+ appOrgId
53
+ );
54
+ }
55
+
56
+ // VALIDATION: If both IDs provided and both users exist, verify they match
57
+ if (
58
+ appUserId &&
59
+ appOrgId &&
60
+ individualUserData &&
61
+ organizationUserData
62
+ ) {
63
+ // Check if individual user is linked to the org user
64
+ const individualOrgId =
65
+ individualUserData.organizationUser?.toString();
66
+ const expectedOrgId = organizationUserData.id?.toString();
67
+
68
+ if (individualOrgId !== expectedOrgId) {
69
+ throw Boom.badRequest(
70
+ 'User ID mismatch: x-frigg-appUserId and x-frigg-appOrgId refer to different users. ' +
71
+ 'Provide only one identifier or ensure they belong to the same user.'
72
+ );
73
+ }
74
+ }
75
+
76
+ // Auto-create user if not found
77
+ if (!individualUserData && !organizationUserData) {
78
+ if (appUserId) {
79
+ individualUserData =
80
+ await this.userRepository.createIndividualUser({
81
+ appUserId,
82
+ username: `app-user-${appUserId}`,
83
+ email: `${appUserId}@app.local`,
84
+ });
85
+ } else {
86
+ organizationUserData =
87
+ await this.userRepository.createOrganizationUser({
88
+ appOrgId,
89
+ });
90
+ }
91
+ }
92
+
93
+ return new User(
94
+ individualUserData,
95
+ organizationUserData,
96
+ this.userConfig.usePassword,
97
+ this.userConfig.primary,
98
+ this.userConfig.individualUserRequired,
99
+ this.userConfig.organizationUserRequired
100
+ );
101
+ }
102
+ }
103
+
104
+ module.exports = { GetUserFromXFriggHeaders };
105
+