@friggframework/core 2.0.0--canary.461.fa770c1.0 → 2.0.0--canary.461.41b7566.0

package/database/prisma.js

@@ -6,6 +6,32 @@ const { logger } = require('./encryption/logger');
 const { Cryptor } = require('../encrypt/Cryptor');
 const config = require('./config');
 
+/**
+ * Ensures DATABASE_URL is set for MongoDB connections
+ * Falls back to MONGO_URI if DATABASE_URL is not set
+ * Infrastructure layer concern - maps legacy MONGO_URI to Prisma's expected DATABASE_URL
+ * 
+ * Note: This should only be called when DB_TYPE is 'mongodb'
+ */
+function ensureMongoDbUrl() {
+    // If DATABASE_URL is already set, use it
+    if (process.env.DATABASE_URL && process.env.DATABASE_URL.trim()) {
+        return;
+    }
+
+    // Fallback to MONGO_URI for backwards compatibility with DocumentDB deployments
+    if (process.env.MONGO_URI && process.env.MONGO_URI.trim()) {
+        process.env.DATABASE_URL = process.env.MONGO_URI;
+        logger.debug('Using MONGO_URI as DATABASE_URL for MongoDB connection');
+        return;
+    }
+
+    // Neither is set - error
+    throw new Error(
+        'DATABASE_URL or MONGO_URI environment variable must be set for MongoDB'
+    );
+}
+
 function getEncryptionConfig() {
     const STAGE = process.env.STAGE || process.env.NODE_ENV || 'development';
     const shouldBypassEncryption = ['dev', 'test', 'local'].includes(STAGE);
@@ -99,6 +125,8 @@ const prismaClientSingleton = () => {
     };
 
     if (config.DB_TYPE === 'mongodb') {
+        // Ensure DATABASE_URL is set (fallback to MONGO_URI if needed)
+        ensureMongoDbUrl();
         PrismaClient = loadPrismaClient('mongodb');
     } else if (config.DB_TYPE === 'postgresql') {
         PrismaClient = loadPrismaClient('postgresql');
@@ -181,4 +209,5 @@ module.exports = {
     connectPrisma,
     disconnectPrisma,
     getEncryptionConfig,
+    ensureMongoDbUrl, // Exported for testing
 };

package/handlers/routers/db-migration.js

@@ -61,13 +61,13 @@ const getDatabaseStateUseCase = new GetDatabaseStateViaWorkerUseCase({
  * Matches pattern from health.js:72-88
  */
 const validateApiKey = (req, res, next) => {
-    const apiKey = req.headers['x-api-key'];
+    const apiKey = req.headers['x-frigg-admin-api-key'];
 
     if (!apiKey || apiKey !== process.env.ADMIN_API_KEY) {
         console.error('Unauthorized access attempt to db-migrate endpoint');
         return res.status(401).json({
             status: 'error',
-            message: 'Unauthorized',
+            message: 'Unauthorized - x-frigg-admin-api-key header required',
         });
     }
 

package/handlers/routers/health.js

@@ -70,7 +70,7 @@ const checkIntegrationsHealthUseCase = new CheckIntegrationsHealthUseCase({
 });
 
 const validateApiKey = (req, res, next) => {
-    const apiKey = req.headers['x-api-key'];
+    const apiKey = req.headers['x-frigg-health-api-key'];
 
     if (req.path === '/health') {
         return next();
@@ -80,7 +80,7 @@ const validateApiKey = (req, res, next) => {
         console.error('Unauthorized access attempt to health endpoint');
         return res.status(401).json({
             status: 'error',
-            message: 'Unauthorized',
+            message: 'Unauthorized - x-frigg-health-api-key header required',
         });
     }
 

package/integrations/integration-router.js

@@ -62,6 +62,9 @@ const {
 const {
     GetUserFromAdopterJwt,
 } = require('../user/use-cases/get-user-from-adopter-jwt');
+const {
+    GetUserFromSharedSecret,
+} = require('../user/use-cases/get-user-from-shared-secret');
 const {
     AuthenticateUser,
 } = require('../user/use-cases/authenticate-user');
@@ -92,10 +95,16 @@ function createIntegrationRouter() {
         userConfig,
     });
 
+    const getUserFromSharedSecret = new GetUserFromSharedSecret({
+        userRepository,
+        userConfig,
+    });
+
     const authenticateUser = new AuthenticateUser({
         getUserFromBearerToken,
         getUserFromXFriggHeaders,
         getUserFromAdopterJwt,
+        getUserFromSharedSecret,
         userConfig,
     });
 

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@friggframework/core",
     "prettier": "@friggframework/prettier-config",
-    "version": "2.0.0--canary.461.fa770c1.0",
+    "version": "2.0.0--canary.461.41b7566.0",
     "dependencies": {
         "@aws-sdk/client-apigatewaymanagementapi": "^3.588.0",
         "@aws-sdk/client-kms": "^3.588.0",
@@ -38,9 +38,9 @@
         }
     },
     "devDependencies": {
-        "@friggframework/eslint-config": "2.0.0--canary.461.fa770c1.0",
-        "@friggframework/prettier-config": "2.0.0--canary.461.fa770c1.0",
-        "@friggframework/test": "2.0.0--canary.461.fa770c1.0",
+        "@friggframework/eslint-config": "2.0.0--canary.461.41b7566.0",
+        "@friggframework/prettier-config": "2.0.0--canary.461.41b7566.0",
+        "@friggframework/test": "2.0.0--canary.461.41b7566.0",
         "@prisma/client": "^6.17.0",
         "@types/lodash": "4.17.15",
         "@typescript-eslint/eslint-plugin": "^8.0.0",
@@ -80,5 +80,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "fa770c14042eacc322cb204dd0886d913938ec11"
+    "gitHead": "41b7566abaa46939705d52e01904022e52cdd06a"
 }

package/user/use-cases/authenticate-user.js

@@ -2,8 +2,15 @@ const Boom = require('@hapi/boom');
 
 /**
  * Use case for authenticating a user using multiple authentication strategies.
- * Supports Frigg native tokens, x-frigg headers, and adopter JWT (when implemented).
- * Tries authentication methods in priority order based on userConfig.authModes.
+ * 
+ * Supports three authentication modes in priority order:
+ * 1. Shared Secret (backend-to-backend with x-frigg-api-key + x-frigg headers)
+ * 2. Adopter JWT (custom JWT authentication)
+ * 3. Frigg Native Token (bearer token from /user/login)
+ * 
+ * x-frigg-appUserId and x-frigg-appOrgId headers are automatically supported
+ * for user identification with any auth mode. When present with JWT or Frigg
+ * tokens, they are validated to match the authenticated user.
  *
  * @class AuthenticateUser
  */
@@ -14,17 +21,20 @@ class AuthenticateUser {
      * @param {import('./get-user-from-bearer-token').GetUserFromBearerToken} params.getUserFromBearerToken - Use case for bearer token auth.
      * @param {import('./get-user-from-x-frigg-headers').GetUserFromXFriggHeaders} params.getUserFromXFriggHeaders - Use case for x-frigg header auth.
      * @param {import('./get-user-from-adopter-jwt').GetUserFromAdopterJwt} params.getUserFromAdopterJwt - Use case for adopter JWT auth.
+     * @param {import('./get-user-from-shared-secret').GetUserFromSharedSecret} params.getUserFromSharedSecret - Use case for shared secret auth.
      * @param {Object} params.userConfig - The user config in the app definition.
      */
     constructor({
         getUserFromBearerToken,
         getUserFromXFriggHeaders,
         getUserFromAdopterJwt,
+        getUserFromSharedSecret,
         userConfig,
     }) {
         this.getUserFromBearerToken = getUserFromBearerToken;
         this.getUserFromXFriggHeaders = getUserFromXFriggHeaders;
         this.getUserFromAdopterJwt = getUserFromAdopterJwt;
+        this.getUserFromSharedSecret = getUserFromSharedSecret;
         this.userConfig = userConfig;
     }
 
@@ -34,17 +44,20 @@ class AuthenticateUser {
      * @param {Object} req - Express request object with headers.
      * @returns {Promise<import('../user').User>} The authenticated user object.
      * @throws {Boom} Unauthorized if no valid authentication provided.
+     * @throws {Boom} Forbidden if x-frigg headers don't match authenticated user.
      */
     async execute(req) {
         const authModes = this.userConfig.authModes || { friggToken: true };
+        const appUserId = req.headers['x-frigg-appuserid'];
+        const appOrgId = req.headers['x-frigg-apporgid'];
+        let user = null;
 
-        // Priority 1: x-frigg headers (backend-to-backend)
-        if (authModes.xFriggHeaders !== false) {
-            const appUserId = req.headers['x-frigg-appuserid'];
-            const appOrgId = req.headers['x-frigg-apporgid'];
-
-            if (appUserId || appOrgId) {
-                return await this.getUserFromXFriggHeaders.execute(
+        // Priority 1: Shared Secret (backend-to-backend with API key)
+        if (authModes.sharedSecret !== false) {
+            const apiKey = req.headers['x-frigg-api-key'];
+            if (apiKey) {
+                return await this.getUserFromSharedSecret.execute(
+                    apiKey,
                     appUserId,
                     appOrgId
                 );
@@ -59,19 +72,52 @@ class AuthenticateUser {
             const token = req.headers.authorization.split(' ')[1];
             // Detect JWT format (3 parts separated by dots)
             if (token && token.split('.').length === 3) {
-                return await this.getUserFromAdopterJwt.execute(token);
+                user = await this.getUserFromAdopterJwt.execute(token);
+                // Validate x-frigg headers match JWT claims if present
+                if (appUserId || appOrgId) {
+                    this.validateUserMatch(user, appUserId, appOrgId);
+                }
+                return user;
             }
         }
 
         // Priority 3: Frigg native token (default)
-        if (authModes.friggToken !== false) {
-            return await this.getUserFromBearerToken.execute(
+        if (authModes.friggToken !== false && req.headers.authorization) {
+            user = await this.getUserFromBearerToken.execute(
                 req.headers.authorization
             );
+            // Validate x-frigg headers match token user if present
+            if (appUserId || appOrgId) {
+                this.validateUserMatch(user, appUserId, appOrgId);
+            }
+            return user;
         }
 
         throw Boom.unauthorized('No valid authentication provided');
     }
+
+    /**
+     * Validates that x-frigg headers match authenticated user if provided.
+     * This ensures that when both authentication (via token/JWT) and
+     * x-frigg headers are present, they refer to the same user.
+     *
+     * @param {import('../user').User} user - The authenticated user
+     * @param {string} [appUserId] - The x-frigg-appuserid header value
+     * @param {string} [appOrgId] - The x-frigg-apporgid header value
+     * @throws {Boom} 403 Forbidden if headers don't match user
+     */
+    validateUserMatch(user, appUserId, appOrgId) {
+        if (appUserId && user.getAppUserId() !== appUserId) {
+            throw Boom.forbidden(
+                'x-frigg-appuserid header does not match authenticated user'
+            );
+        }
+        if (appOrgId && user.getAppOrgId() !== appOrgId) {
+            throw Boom.forbidden(
+                'x-frigg-apporgid header does not match authenticated user'
+            );
+        }
+    }
 }
 
 module.exports = { AuthenticateUser };

package/user/use-cases/get-user-from-shared-secret.js

@@ -0,0 +1,124 @@
+const Boom = require('@hapi/boom');
+const { User } = require('../user');
+
+/**
+ * Use case for authenticating requests with shared secret API key.
+ * Used for backend-to-backend communication where the secret proves
+ * authenticity, and x-frigg headers identify the user/org.
+ *
+ * This separates authentication (proving legitimacy via API key) from
+ * authorization (identifying user/org via x-frigg headers).
+ *
+ * @class GetUserFromSharedSecret
+ */
+class GetUserFromSharedSecret {
+    /**
+     * Creates a new GetUserFromSharedSecret instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../repositories/user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Validates shared secret and extracts user from x-frigg headers.
+     * @async
+     * @param {string} providedSecret - Secret from x-frigg-api-key header
+     * @param {string} [appUserId] - From x-frigg-appuserid header
+     * @param {string} [appOrgId] - From x-frigg-apporgid header
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} 500 if FRIGG_API_KEY not configured
+     * @throws {Boom} 401 if provided secret doesn't match
+     * @throws {Boom} 400 if no user identifiers provided or if they refer to different users
+     */
+    async execute(providedSecret, appUserId, appOrgId) {
+        // Validate secret
+        const expectedSecret = process.env.FRIGG_API_KEY;
+        if (!expectedSecret) {
+            throw Boom.badImplementation(
+                'FRIGG_API_KEY environment variable is not configured. ' +
+                    'Set FRIGG_API_KEY to enable shared secret authentication.'
+            );
+        }
+
+        if (!providedSecret || providedSecret !== expectedSecret) {
+            throw Boom.unauthorized('Invalid API key');
+        }
+
+        // Require at least one user identifier
+        if (!appUserId && !appOrgId) {
+            throw Boom.badRequest(
+                'At least one of x-frigg-appuserid or x-frigg-apporgid headers is required with shared secret authentication'
+            );
+        }
+
+        // Find or create users (reuse logic from GetUserFromXFriggHeaders)
+        let individualUserData = null;
+        let organizationUserData = null;
+
+        if (appUserId && this.userConfig.individualUserRequired !== false) {
+            individualUserData =
+                await this.userRepository.findIndividualUserByAppUserId(
+                    appUserId
+                );
+        }
+
+        if (appOrgId && this.userConfig.organizationUserRequired) {
+            organizationUserData =
+                await this.userRepository.findOrganizationUserByAppOrgId(
+                    appOrgId
+                );
+        }
+
+        // VALIDATION: If both IDs provided and both users exist, verify they match
+        if (
+            appUserId &&
+            appOrgId &&
+            individualUserData &&
+            organizationUserData
+        ) {
+            const individualOrgId =
+                individualUserData.organizationUser?.toString();
+            const expectedOrgId = organizationUserData.id?.toString();
+
+            if (individualOrgId !== expectedOrgId) {
+                throw Boom.badRequest(
+                    'User ID mismatch: x-frigg-appuserid and x-frigg-apporgid refer to different users. ' +
+                        'Provide only one identifier or ensure they belong to the same user.'
+                );
+            }
+        }
+
+        // Auto-create user if not found
+        if (!individualUserData && !organizationUserData) {
+            if (appUserId) {
+                individualUserData =
+                    await this.userRepository.createIndividualUser({
+                        appUserId,
+                        username: `api-user-${appUserId}`,
+                        email: `${appUserId}@api.local`,
+                    });
+            } else {
+                organizationUserData =
+                    await this.userRepository.createOrganizationUser({
+                        appOrgId,
+                    });
+            }
+        }
+
+        return new User(
+            individualUserData,
+            organizationUserData,
+            this.userConfig.usePassword,
+            this.userConfig.primary,
+            this.userConfig.individualUserRequired,
+            this.userConfig.organizationUserRequired
+        );
+    }
+}
+
+module.exports = { GetUserFromSharedSecret };
+

package/user/user.js

@@ -72,6 +72,22 @@ class User {
     getOrganizationUser() {
         return this.organizationUser;
     }
+
+    /**
+     * Gets the appUserId from the individual user if present.
+     * @returns {string|null} The app user ID or null
+     */
+    getAppUserId() {
+        return this.individualUser?.appUserId || null;
+    }
+
+    /**
+     * Gets the appOrgId from the organization user if present.
+     * @returns {string|null} The app organization ID or null
+     */
+    getAppOrgId() {
+        return this.organizationUser?.appOrgId || null;
+    }
 }
 
 module.exports = { User };