@friggframework/core 2.0.0--canary.461.bb7fcba.0 → 2.0.0--canary.461.5767fa4.0

package/user/tests/use-cases/login-user.test.js

@@ -1,220 +0,0 @@
-const bcrypt = require('bcryptjs');
-const { LoginUser } = require('../../use-cases/login-user');
-const { TestUserRepository } = require('../doubles/test-user-repository');
-
-jest.mock('bcryptjs', () => ({
-    compare: jest.fn(),
-}));
-
-describe('LoginUser Use Case', () => {
-    let userRepository;
-    let loginUser;
-    let userConfig;
-
-    beforeEach(() => {
-        userConfig = { usePassword: true, individualUserRequired: true, organizationUserRequired: false };
-        userRepository = new TestUserRepository({ userConfig });
-        loginUser = new LoginUser({ userRepository, userConfig });
-
-        bcrypt.compare.mockClear();
-    });
-
-    describe('With Password Authentication', () => {
-        it('should successfully log in a user with correct credentials', async () => {
-            const username = 'test-user';
-            const password = 'password123';
-            await userRepository.createIndividualUser({
-                username,
-                hashword: 'hashed-password',
-            });
-
-            bcrypt.compare.mockResolvedValue(true);
-
-            const user = await loginUser.execute({ username, password });
-
-            expect(bcrypt.compare).toHaveBeenCalledWith(
-                password,
-                'hashed-password'
-            );
-            expect(user).toBeDefined();
-            expect(user.getIndividualUser().username).toBe(username);
-        });
-
-        it('should throw an unauthorized error for an incorrect password', async () => {
-            const username = 'test-user';
-            const password = 'wrong-password';
-            await userRepository.createIndividualUser({
-                username,
-                hashword: 'hashed-password',
-            });
-
-            bcrypt.compare.mockResolvedValue(false);
-
-            await expect(
-                loginUser.execute({ username, password })
-            ).rejects.toThrow('Incorrect username or password');
-        });
-
-        it('should throw an unauthorized error for a non-existent user', async () => {
-            const username = 'non-existent-user';
-            const password = 'password123';
-
-            await expect(
-                loginUser.execute({ username, password })
-            ).rejects.toThrow('user not found');
-        });
-    });
-
-    describe('Without Password (appUserId)', () => {
-        beforeEach(() => {
-            userConfig = { usePassword: false, individualUserRequired: true, organizationUserRequired: false };
-            userRepository = new TestUserRepository({ userConfig });
-            loginUser = new LoginUser({
-                userRepository,
-                userConfig,
-            });
-        });
-
-        it('should successfully retrieve a user by appUserId', async () => {
-            const appUserId = 'app-user-123';
-            const createdUserData = await userRepository.createIndividualUser({
-                appUserId,
-            });
-
-            const result = await loginUser.execute({ appUserId });
-            expect(result.getId()).toBe(createdUserData.id);
-        });
-    });
-
-    describe('With Organization User', () => {
-        beforeEach(() => {
-            userConfig = {
-                primary: 'organization',
-                individualUserRequired: false,
-                organizationUserRequired: true,
-            };
-            userRepository = new TestUserRepository({ userConfig });
-            loginUser = new LoginUser({
-                userRepository,
-                userConfig,
-            });
-        });
-
-        it('should successfully retrieve an organization user by appOrgId', async () => {
-            const appOrgId = 'app-org-123';
-            const createdUserData = await userRepository.createOrganizationUser({
-                name: 'Test Org',
-                appOrgId,
-            });
-
-            const result = await loginUser.execute({ appOrgId });
-            expect(result.getId()).toBe(createdUserData.id);
-        });
-
-        it('should throw an unauthorized error for a non-existent organization user', async () => {
-            const appOrgId = 'non-existent-org';
-
-            await expect(loginUser.execute({ appOrgId })).rejects.toThrow(
-                'org user non-existent-org not found'
-            );
-        });
-    });
-
-    describe('Required User Checks', () => {
-        it('should throw an error if a required individual user is not found', async () => {
-            userConfig = {
-                individualUserRequired: true,
-                usePassword: false,
-            };
-            userRepository = new TestUserRepository({ userConfig });
-            loginUser = new LoginUser({
-                userRepository,
-                userConfig,
-            });
-
-            await expect(
-                loginUser.execute({ appUserId: 'a-non-existent-user-id' })
-            ).rejects.toThrow('user not found');
-        });
-    });
-
-    describe('Bcrypt Hash Verification', () => {
-        beforeEach(() => {
-            userConfig = { usePassword: true, individualUserRequired: true, organizationUserRequired: false };
-            userRepository = new TestUserRepository({ userConfig });
-            loginUser = new LoginUser({ userRepository, userConfig });
-        });
-
-        it('should verify bcrypt.compare is called with plain password and hash', async () => {
-            const username = 'bcrypt-test-user';
-            const plainPassword = 'MyPlainPassword123';
-            const bcryptHash = '$2b$10$abcdefghijklmnopqrstuv';
-
-            await userRepository.createIndividualUser({
-                username,
-                hashword: bcryptHash,
-            });
-
-            bcrypt.compare.mockResolvedValue(true);
-
-            await loginUser.execute({ username, password: plainPassword });
-
-            expect(bcrypt.compare).toHaveBeenCalledTimes(1);
-            expect(bcrypt.compare).toHaveBeenCalledWith(plainPassword, bcryptHash);
-
-            const [firstArg, secondArg] = bcrypt.compare.mock.calls[0];
-            expect(firstArg).toBe(plainPassword);
-            expect(secondArg).toBe(bcryptHash);
-        });
-
-        it('should verify stored password has bcrypt hash format', async () => {
-            const username = 'format-test-user';
-            const bcryptHash = '$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy';
-
-            await userRepository.createIndividualUser({
-                username,
-                hashword: bcryptHash,
-            });
-
-            const user = await userRepository.findIndividualUserByUsername(username);
-
-            expect(user.hashword).toMatch(/^\$2[ab]\$/);
-            expect(user.hashword.length).toBeGreaterThan(50);
-            expect(user.hashword).not.toContain(':');
-        });
-
-        it('should reject passwords that look encrypted (have colon separators)', async () => {
-            const username = 'encrypted-format-user';
-            const encryptedLookingValue = 'kms:us-east-1:key:ciphertext';
-
-            await userRepository.createIndividualUser({
-                username,
-                hashword: encryptedLookingValue,
-            });
-
-            bcrypt.compare.mockResolvedValue(false);
-
-            await expect(
-                loginUser.execute({ username, password: 'any-password' })
-            ).rejects.toThrow('Incorrect username or password');
-        });
-
-        it('should verify bcrypt.compare returns false for mismatched passwords', async () => {
-            const username = 'mismatch-test-user';
-            const correctHash = '$2b$10$correcthash';
-
-            await userRepository.createIndividualUser({
-                username,
-                hashword: correctHash,
-            });
-
-            bcrypt.compare.mockResolvedValue(false);
-
-            await expect(
-                loginUser.execute({ username, password: 'wrong-password' })
-            ).rejects.toThrow('Incorrect username or password');
-
-            expect(bcrypt.compare).toHaveBeenCalledWith('wrong-password', correctHash);
-        });
-    });
-}); 

package/user/tests/user-password-encryption-isolation.test.js

@@ -1,237 +0,0 @@
-/**
- * Password Encryption Isolation Test
- *
- * Verifies that password hashing is completely isolated from the encryption system.
- * Tests that passwords are bcrypt hashed regardless of encryption configuration.
- *
- * Key Tests:
- * - With encryption ENABLED: passwords hashed (not encrypted)
- * - With encryption DISABLED: passwords still hashed
- * - Encryption schema does NOT include User.hashword
- * - Side-by-side: tokens encrypted, passwords hashed
- */
-
-// Set default DATABASE_URL for testing if not already set
-if (!process.env.DATABASE_URL) {
-    process.env.DATABASE_URL = 'mongodb://localhost:27017/frigg?replicaSet=rs0';
-}
-
-// Enable encryption for testing (bypass test stage check)
-process.env.STAGE = 'integration-test';
-process.env.AES_KEY_ID = 'test-key-id';
-process.env.AES_KEY = 'test-aes-key-32-characters-long!';
-
-jest.mock('../../database/config', () => ({
-    DB_TYPE: 'mongodb',
-    getDatabaseType: jest.fn(() => 'mongodb'),
-    PRISMA_LOG_LEVEL: 'error,warn',
-    PRISMA_QUERY_LOGGING: false,
-}));
-
-const bcrypt = require('bcryptjs');
-const { createUserRepository } = require('../repositories/user-repository-factory');
-const { prisma, connectPrisma, disconnectPrisma, getEncryptionConfig } = require('../../database/prisma');
-const { getEncryptedFields, hasEncryptedFields } = require('../../database/encryption/encryption-schema-registry');
-const { mongoose } = require('../../database/mongoose');
-
-describe('Password Encryption Isolation', () => {
-    const dbType = process.env.DB_TYPE || 'mongodb';
-    let userRepository;
-    let testUserIds = [];
-    const TEST_PASSWORD = 'IsolationTestPassword123!';
-
-    beforeAll(async () => {
-        await connectPrisma();
-        // Connect mongoose for raw database queries
-        if (mongoose.connection.readyState === 0) {
-            await mongoose.connect(process.env.DATABASE_URL);
-        }
-        userRepository = createUserRepository();
-    }, 30000); // 30 second timeout for database connection
-
-    afterAll(async () => {
-        for (const userId of testUserIds) {
-            await userRepository.deleteUser(userId).catch(() => {});
-        }
-        await mongoose.disconnect();
-        await disconnectPrisma();
-    }, 30000); // 30 second timeout for cleanup
-
-    test('✅ Encryption schema does NOT include User.hashword', () => {
-        const userEncryptedFields = getEncryptedFields('User');
-
-        console.log('\n📋 User model encrypted fields:', userEncryptedFields);
-
-        expect(userEncryptedFields).toBeDefined();
-        expect(Array.isArray(userEncryptedFields)).toBe(true);
-        expect(userEncryptedFields).not.toContain('hashword');
-
-        if (userEncryptedFields.length > 0) {
-            console.log('⚠️  WARNING: User model has encrypted fields:', userEncryptedFields);
-            console.log('   Password field (hashword) should NOT be in this list');
-        } else {
-            console.log('✅ User model has no encrypted fields (as expected)');
-        }
-    });
-
-    test('✅ Password is bcrypt hashed regardless of encryption config', async () => {
-        const encryptionConfig = getEncryptionConfig();
-        console.log('\n🔒 Current encryption config:', encryptionConfig);
-
-        const username = `isolation-test-${Date.now()}`;
-        const user = await userRepository.createIndividualUser({
-            username,
-            hashword: TEST_PASSWORD,
-            email: `${username}@test.com`,
-        });
-        testUserIds.push(user.id);
-
-        expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
-        expect(user.hashword).not.toBe(TEST_PASSWORD);
-        expect(user.hashword).not.toContain(':');
-
-        const isValid = await bcrypt.compare(TEST_PASSWORD, user.hashword);
-        expect(isValid).toBe(true);
-
-        console.log('✅ Password correctly hashed with bcrypt');
-        console.log('   Encryption enabled:', encryptionConfig.enabled);
-        console.log('   Hashword format:', user.hashword.substring(0, 20) + '...');
-    });
-
-    test('📊 Field-level encryption status comparison', async () => {
-        const models = ['User', 'Credential', 'Token', 'IntegrationMapping'];
-
-        console.log('\n📊 ENCRYPTION SCHEMA ANALYSIS:');
-        console.log('='.repeat(60));
-
-        for (const model of models) {
-            const fields = getEncryptedFields(model);
-            const hasEncryption = hasEncryptedFields(model);
-
-            console.log(`\n${model}:`);
-            console.log(`  Has encrypted fields: ${hasEncryption}`);
-            console.log(`  Encrypted fields: ${fields.length > 0 ? fields.join(', ') : 'none'}`);
-
-            if (model === 'User') {
-                expect(fields).not.toContain('hashword');
-                console.log('  ✅ Password (hashword) correctly excluded from encryption');
-            } else if (model === 'Credential') {
-                expect(fields).toContain('data.access_token');
-                console.log('  ✅ API tokens correctly included in encryption');
-            }
-        }
-    });
-
-    test('📊 End-to-end: Create user + credential, verify isolation', async () => {
-        const username = `e2e-isolation-${Date.now()}`;
-        const secretToken = 'my-secret-api-token-xyz';
-
-        const user = await userRepository.createIndividualUser({
-            username,
-            hashword: TEST_PASSWORD,
-            email: `${username}@test.com`,
-        });
-        testUserIds.push(user.id);
-
-        const credential = await prisma.credential.create({
-            data: {
-                userId: dbType === 'postgresql' ? parseInt(user.id, 10) : user.id,
-                externalId: `cred-${Date.now()}`,
-                data: {
-                    access_token: secretToken,
-                },
-            },
-        });
-
-        console.log('\n📊 END-TO-END ISOLATION TEST:');
-        console.log('='.repeat(60));
-
-        const fetchedUser = await userRepository.findIndividualUserById(user.id);
-        console.log('\n👤 User Password:');
-        console.log('  Format:', fetchedUser.hashword.substring(0, 30) + '...');
-        console.log('  Is bcrypt:', /^\$2[ab]\$\d{2}\$/.test(fetchedUser.hashword));
-        console.log('  Is encrypted (has :):', fetchedUser.hashword.includes(':'));
-
-        const fetchedCred = await prisma.credential.findUnique({
-            where: { id: credential.id },
-        });
-
-        console.log('\n🔑 Credential Token:');
-        const tokenValue = fetchedCred.data.access_token;
-        console.log('  Raw value:', tokenValue.substring(0, 50) + '...');
-        console.log('  Is encrypted (has :):', tokenValue.includes(':'));
-        console.log('  Equals plain text:', tokenValue === secretToken);
-
-        expect(fetchedUser.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
-        expect(fetchedUser.hashword).not.toContain(':');
-
-        const isPasswordValid = await bcrypt.compare(TEST_PASSWORD, fetchedUser.hashword);
-        expect(isPasswordValid).toBe(true);
-
-        console.log('\n✅ Password: bcrypt hashed (NOT encrypted)');
-
-        const encryptionEnabled = tokenValue !== secretToken;
-        if (encryptionEnabled) {
-            console.log('✅ Credential: properly encrypted');
-            expect(tokenValue).not.toBe(secretToken);
-        } else {
-            console.log('⚠️  Encryption disabled in this environment');
-        }
-
-        console.log('✅ ISOLATION VERIFIED: Passwords use bcrypt, credentials use encryption');
-
-        await prisma.credential.delete({ where: { id: credential.id } });
-    });
-
-    test('🔍 Bcrypt vs Encryption format analysis', () => {
-        const bcryptHash = '$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy';
-        const encryptedValue = 'kms:us-east-1:alias/app-key:AQICAHg...base64...';
-
-        console.log('\n🔍 FORMAT COMPARISON:');
-        console.log('='.repeat(60));
-
-        console.log('\nBcrypt Hash Format:');
-        console.log('  Example:', bcryptHash);
-        console.log('  Pattern: $2[ab]$rounds$salt+hash');
-        console.log('  Length: ~60 chars');
-        console.log('  Colon count:', (bcryptHash.match(/:/g) || []).length);
-        console.log('  Dollar signs: 3');
-
-        console.log('\nEncryption Format:');
-        console.log('  Example:', encryptedValue.substring(0, 50) + '...');
-        console.log('  Pattern: method:region:keyId:base64Ciphertext');
-        console.log('  Colon separators: 3');
-        console.log('  Variable length');
-
-        console.log('\n✅ Formats are clearly distinguishable');
-        console.log('✅ Bcrypt never has colon separators between dollar signs');
-        console.log('✅ Encryption always has exactly 3 colon separators');
-    });
-
-    test('⚠️  Verify password NOT double-processed', async () => {
-        const username = `double-process-test-${Date.now()}`;
-
-        const user = await userRepository.createIndividualUser({
-            username,
-            hashword: TEST_PASSWORD,
-            email: `${username}@test.com`,
-        });
-        testUserIds.push(user.id);
-
-        const hash1 = user.hashword;
-
-        const fetchedUser = await userRepository.findIndividualUserById(user.id);
-        const hash2 = fetchedUser.hashword;
-
-        console.log('\n⚠️  DOUBLE-PROCESSING CHECK:');
-        console.log('Hash after creation:', hash1.substring(0, 30) + '...');
-        console.log('Hash after fetch:   ', hash2.substring(0, 30) + '...');
-        console.log('Hashes match:', hash1 === hash2);
-
-        expect(hash1).toBe(hash2);
-        expect(hash1).toMatch(/^\$2[ab]\$\d{2}\$/);
-        expect(hash2).toMatch(/^\$2[ab]\$\d{2}\$/);
-
-        console.log('✅ No double-processing detected');
-    });
-});

package/user/tests/user-password-hashing.test.js

@@ -1,235 +0,0 @@
-/**
- * Password Hashing Verification Test
- *
- * Verifies that passwords are correctly bcrypt hashed (NOT encrypted) throughout
- * the user authentication flow. Tests both MongoDB and PostgreSQL.
- *
- * Expected Behavior:
- * - Passwords hashed with bcrypt on creation (format: $2a$ or $2b$)
- * - Password hashes stored as-is (NOT encrypted with KMS/AES)
- * - bcrypt.compare() works correctly for authentication
- * - Password updates also trigger bcrypt hashing
- */
-
-// Set default DATABASE_URL for testing if not already set
-if (!process.env.DATABASE_URL) {
-    process.env.DATABASE_URL = 'mongodb://localhost:27017/frigg?replicaSet=rs0';
-}
-
-// Enable encryption for testing (bypass test stage check)
-process.env.STAGE = 'integration-test';
-process.env.AES_KEY_ID = 'test-key-id';
-process.env.AES_KEY = 'test-aes-key-32-characters-long!';
-
-jest.mock('../../database/config', () => ({
-    DB_TYPE: 'mongodb',
-    getDatabaseType: jest.fn(() => 'mongodb'),
-    PRISMA_LOG_LEVEL: 'error,warn',
-    PRISMA_QUERY_LOGGING: false,
-}));
-
-const bcrypt = require('bcryptjs');
-const { LoginUser } = require('../use-cases/login-user');
-const { createUserRepository } = require('../repositories/user-repository-factory');
-const { prisma, connectPrisma, disconnectPrisma } = require('../../database/prisma');
-const { mongoose } = require('../../database/mongoose');
-
-describe('Password Hashing Verification - Both Databases', () => {
-    const dbType = process.env.DB_TYPE || 'mongodb';
-    let userRepository;
-    let testUserId;
-    const TEST_PASSWORD = 'MySecurePassword123!';
-    const TEST_USERNAME = `test-user-hash-${Date.now()}`;
-    const userConfig = {
-        usePassword: true,
-        individualUserRequired: true,
-        organizationUserRequired: false,
-        primary: 'individual',
-    };
-
-    beforeAll(async () => {
-        await connectPrisma();
-        // Connect mongoose for raw database queries
-        if (mongoose.connection.readyState === 0) {
-            await mongoose.connect(process.env.DATABASE_URL);
-        }
-        userRepository = createUserRepository();
-    }, 30000); // 30 second timeout for database connection
-
-    afterAll(async () => {
-        if (testUserId) {
-            await userRepository.deleteUser(testUserId).catch(() => {});
-        }
-        await mongoose.disconnect();
-        await disconnectPrisma();
-    }, 30000); // 30 second timeout for cleanup
-
-    describe(`${dbType.toUpperCase()} - Password Hashing`, () => {
-        test('✅ Password is bcrypt hashed on user creation', async () => {
-            const user = await userRepository.createIndividualUser({
-                username: TEST_USERNAME,
-                hashword: TEST_PASSWORD,
-                email: `${TEST_USERNAME}@test.com`,
-            });
-            testUserId = user.id;
-
-            expect(user.hashword).toBeDefined();
-            expect(user.hashword).not.toBe(TEST_PASSWORD);
-            expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
-            expect(user.hashword.length).toBeGreaterThan(50);
-            expect(user.hashword).not.toContain(':');
-
-            console.log('✅ Password hashed correctly:', user.hashword.substring(0, 20) + '...');
-        });
-
-        test('✅ Stored hashword is bcrypt format, NOT encrypted', async () => {
-            const user = await userRepository.findIndividualUserByUsername(TEST_USERNAME);
-
-            expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
-            expect(user.hashword).not.toContain(':');
-            expect(user.hashword.split(':')).toHaveLength(1);
-
-            console.log('✅ Stored password has bcrypt format (not encrypted)');
-        });
-
-        test('✅ bcrypt.compare() verifies correct password', async () => {
-            const user = await userRepository.findIndividualUserByUsername(TEST_USERNAME);
-            const isValid = await bcrypt.compare(TEST_PASSWORD, user.hashword);
-
-            expect(isValid).toBe(true);
-            console.log('✅ bcrypt.compare() successfully verified password');
-        });
-
-        test('✅ bcrypt.compare() rejects incorrect password', async () => {
-            const user = await userRepository.findIndividualUserByUsername(TEST_USERNAME);
-            const isValid = await bcrypt.compare('WrongPassword', user.hashword);
-
-            expect(isValid).toBe(false);
-            console.log('✅ bcrypt.compare() correctly rejected wrong password');
-        });
-
-        test('✅ Login succeeds with correct password', async () => {
-            const loginUser = new LoginUser({ userRepository, userConfig });
-            const user = await loginUser.execute({
-                username: TEST_USERNAME,
-                password: TEST_PASSWORD,
-            });
-
-            expect(user).toBeDefined();
-            expect(user.getId()).toBe(testUserId);
-            console.log('✅ Login successful with correct password');
-        });
-
-        test('✅ Login fails with incorrect password', async () => {
-            const loginUser = new LoginUser({ userRepository, userConfig });
-
-            await expect(
-                loginUser.execute({
-                    username: TEST_USERNAME,
-                    password: 'WrongPassword123',
-                })
-            ).rejects.toThrow('Incorrect username or password');
-
-            console.log('✅ Login correctly rejected incorrect password');
-        });
-
-        test('✅ Password update also hashes the new password', async () => {
-            const newPassword = 'NewSecurePassword456!';
-
-            const updatedUser = await userRepository.updateIndividualUser(testUserId, {
-                hashword: newPassword,
-            });
-
-            expect(updatedUser.hashword).not.toBe(newPassword);
-            expect(updatedUser.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
-            expect(updatedUser.hashword).not.toContain(':');
-
-            const isNewPasswordValid = await bcrypt.compare(newPassword, updatedUser.hashword);
-            expect(isNewPasswordValid).toBe(true);
-
-            const isOldPasswordValid = await bcrypt.compare(TEST_PASSWORD, updatedUser.hashword);
-            expect(isOldPasswordValid).toBe(false);
-
-            console.log('✅ Password update correctly hashed new password');
-        });
-
-        test('📊 Raw database check: bcrypt hash stored directly', async () => {
-            let rawUser;
-            if (dbType === 'postgresql') {
-                const userId = parseInt(testUserId, 10);
-                rawUser = await prisma.$queryRaw`
-                    SELECT hashword FROM "User" WHERE id = ${userId}
-                `;
-                rawUser = rawUser[0];
-            } else {
-                rawUser = await prisma.$queryRawUnsafe(
-                    `db.User.findOne({ _id: ObjectId("${testUserId}") })`
-                ).catch(() => {
-                    return userRepository.findIndividualUserById(testUserId);
-                });
-            }
-
-            console.log('\n📊 RAW DATABASE HASHWORD:');
-            console.log('Format:', rawUser.hashword.substring(0, 30) + '...');
-            console.log('Length:', rawUser.hashword.length);
-
-            expect(rawUser.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
-            expect(rawUser.hashword).not.toContain(':');
-
-            console.log('✅ Raw database stores bcrypt hash (not encrypted)');
-        });
-    });
-
-    describe(`${dbType.toUpperCase()} - Encryption Isolation`, () => {
-        test('📊 COMPARISON: Credential tokens encrypted, passwords hashed', async () => {
-            const credential = await prisma.credential.create({
-                data: {
-                    userId: dbType === 'postgresql' ? parseInt(testUserId, 10) : testUserId,
-                    externalId: `test-cred-${Date.now()}`,
-                    data: {
-                        access_token: 'secret-access-token-12345',
-                        refresh_token: 'secret-refresh-token-67890',
-                    },
-                },
-            });
-
-            const user = await userRepository.findIndividualUserById(testUserId);
-
-            let rawCred;
-            if (dbType === 'postgresql') {
-                rawCred = await prisma.$queryRaw`
-                    SELECT data FROM "Credential" WHERE id = ${credential.id}
-                `;
-                rawCred = rawCred[0];
-            } else {
-                rawCred = await prisma.credential.findUnique({
-                    where: { id: credential.id },
-                });
-            }
-
-            console.log('\n📊 ENCRYPTION COMPARISON:');
-            console.log('Credential token (should be encrypted):');
-            console.log('  Format:', rawCred.data.access_token.substring(0, 50) + '...');
-            console.log('  Has ":" separators:', rawCred.data.access_token.includes(':'));
-            console.log('\nUser password (should be bcrypt hashed):');
-            console.log('  Format:', user.hashword.substring(0, 30) + '...');
-            console.log('  Has ":" separators:', user.hashword.includes(':'));
-
-            const encryptionEnabled = rawCred.data.access_token !== 'secret-access-token-12345';
-
-            if (encryptionEnabled) {
-                expect(rawCred.data.access_token).toContain(':');
-                expect(rawCred.data.access_token.split(':')).toHaveLength(4);
-                console.log('✅ Credential token is encrypted');
-            } else {
-                console.log('⚠️  Encryption disabled in this environment');
-            }
-
-            expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
-            expect(user.hashword).not.toContain(':');
-            console.log('✅ Password is bcrypt hashed (NOT encrypted)');
-
-            await prisma.credential.delete({ where: { id: credential.id } });
-        });
-    });
-});