@friggframework/core 2.0.0-next.40 → 2.0.0-next.42

package/database/models/readme.md

@@ -0,0 +1 @@
+// todo: we need to get rid of this entire models folder

package/database/prisma.js

@@ -0,0 +1,162 @@
+const {
+    createEncryptionExtension,
+} = require('./encryption/prisma-encryption-extension');
+const { registerCustomSchema } = require('./encryption/encryption-schema-registry');
+const { logger } = require('./encryption/logger');
+const { Cryptor } = require('../encrypt/Cryptor');
+const config = require('./config');
+
+function getEncryptionConfig() {
+    const STAGE = process.env.STAGE || process.env.NODE_ENV || 'development';
+    const shouldBypassEncryption = ['dev', 'test', 'local'].includes(STAGE);
+
+    if (shouldBypassEncryption) {
+        return { enabled: false };
+    }
+
+    const hasKMS =
+        process.env.KMS_KEY_ARN && process.env.KMS_KEY_ARN.trim() !== '';
+    const hasAES =
+        process.env.AES_KEY_ID && process.env.AES_KEY_ID.trim() !== '';
+
+    if (!hasKMS && !hasAES) {
+        logger.warn(
+            'No encryption keys configured (KMS_KEY_ARN or AES_KEY_ID). ' +
+                'Field-level encryption disabled. Set STAGE=production and configure keys to enable.'
+        );
+        return { enabled: false };
+    }
+
+    return {
+        enabled: true,
+        method: hasKMS ? 'kms' : 'aes',
+    };
+}
+
+/**
+ * Loads and registers custom encryption schema from appDefinition
+ * Gracefully handles cases where appDefinition is not available
+ */
+function loadCustomEncryptionSchema() {
+    try {
+        // Lazy require to avoid circular dependency issues
+        const path = require('node:path');
+        const { findNearestBackendPackageJson } = require('../utils');
+
+        const backendPackagePath = findNearestBackendPackageJson();
+        if (!backendPackagePath) {
+            return; // No backend found, skip custom schema
+        }
+
+        const backendDir = path.dirname(backendPackagePath);
+        const backendIndexPath = path.join(backendDir, 'index.js');
+
+        const backendModule = require(backendIndexPath);
+        const appDefinition = backendModule?.Definition;
+
+        if (!appDefinition) {
+            return; // No app definition found
+        }
+
+        const customSchema = appDefinition.encryption?.schema;
+
+        if (customSchema && Object.keys(customSchema).length > 0) {
+            registerCustomSchema(customSchema);
+        }
+    } catch (error) {
+        // Silently ignore errors - custom schema is optional
+        // This handles cases like:
+        // - Backend package.json not found (tests, standalone usage)
+        // - No appDefinition defined
+        // - No custom encryption schema specified
+        logger.debug('Could not load custom encryption schema:', error.message);
+    }
+}
+
+const prismaClientSingleton = () => {
+    let PrismaClient;
+
+    if (config.DB_TYPE === 'mongodb') {
+        PrismaClient = require('@prisma-mongodb/client').PrismaClient;
+    } else if (config.DB_TYPE === 'postgresql') {
+        PrismaClient = require('@prisma-postgresql/client').PrismaClient;
+    } else {
+        throw new Error(
+            `Unsupported database type: ${config.DB_TYPE}. Supported values: 'mongodb', 'postgresql'`
+        );
+    }
+
+    let client = new PrismaClient({
+        log: process.env.PRISMA_LOG_LEVEL
+            ? process.env.PRISMA_LOG_LEVEL.split(',')
+            : ['error', 'warn'],
+        errorFormat: 'pretty',
+    });
+
+    const encryptionConfig = getEncryptionConfig();
+
+    if (encryptionConfig.enabled) {
+        try {
+            // Load custom encryption schema from appDefinition before creating extension
+            loadCustomEncryptionSchema();
+
+            const cryptor = new Cryptor({
+                shouldUseAws: encryptionConfig.method === 'kms',
+            });
+
+            client = client.$extends(
+                createEncryptionExtension({
+                    cryptor,
+                    enabled: true,
+                })
+            );
+
+            logger.info(
+                `Field-level encryption enabled using ${encryptionConfig.method.toUpperCase()}`
+            );
+        } catch (error) {
+            logger.error(
+                'Failed to initialize encryption extension:',
+                error
+            );
+            logger.warn('Continuing without encryption...');
+        }
+    } else {
+        logger.info('Field-level encryption disabled');
+    }
+
+    return client;
+};
+
+const globalForPrisma = global;
+
+// Lazy initialization - only create singleton when first accessed
+function getPrismaClient() {
+    if (!globalForPrisma._prismaInstance) {
+        globalForPrisma._prismaInstance = prismaClientSingleton();
+    }
+    return globalForPrisma._prismaInstance;
+}
+
+// Export a getter for lazy initialization
+const prisma = new Proxy({}, {
+    get(target, prop) {
+        return getPrismaClient()[prop];
+    }
+});
+
+async function disconnectPrisma() {
+    await getPrismaClient().$disconnect();
+}
+
+async function connectPrisma() {
+    await getPrismaClient().$connect();
+    return getPrismaClient();
+}
+
+module.exports = {
+    prisma,
+    connectPrisma,
+    disconnectPrisma,
+    getEncryptionConfig,
+};

package/database/repositories/health-check-repository-factory.js

@@ -0,0 +1,38 @@
+const { HealthCheckRepositoryMongoDB } = require('./health-check-repository-mongodb');
+const { HealthCheckRepositoryPostgreSQL } = require('./health-check-repository-postgres');
+const config = require('../config');
+
+/**
+ * Health Check Repository Factory
+ * Creates the appropriate repository adapter based on database type
+ *
+ * Usage:
+ * ```javascript
+ * const repository = createHealthCheckRepository();
+ * ```
+ *
+ * @returns {HealthCheckRepositoryInterface} Configured repository adapter
+ */
+function createHealthCheckRepository() {
+    const dbType = config.DB_TYPE;
+
+    switch (dbType) {
+        case 'mongodb':
+            return new HealthCheckRepositoryMongoDB();
+
+        case 'postgresql':
+            return new HealthCheckRepositoryPostgreSQL();
+
+        default:
+            throw new Error(
+                `Unsupported database type: ${dbType}. Supported values: 'mongodb', 'postgresql'`
+            );
+    }
+}
+
+module.exports = {
+    createHealthCheckRepository,
+    // Export adapters for direct testing
+    HealthCheckRepositoryMongoDB,
+    HealthCheckRepositoryPostgreSQL,
+};

package/database/repositories/health-check-repository-interface.js

@@ -0,0 +1,86 @@
+/**
+ * Health Check Repository Interface
+ * Abstract base class defining the contract for health check persistence adapters
+ *
+ * This follows the Port in Hexagonal Architecture:
+ * - Domain layer depends on this abstraction
+ * - Concrete adapters implement this interface
+ * - Use cases receive repositories via dependency injection
+ *
+ * Note: Currently, HealthCheckRepository has identical structure across MongoDB and PostgreSQL,
+ * so HealthCheckRepository serves both. This interface exists for consistency and
+ * future-proofing if database-specific implementations become needed.
+ *
+ * @abstract
+ */
+class HealthCheckRepositoryInterface {
+    /**
+     * Ping database to verify connectivity
+     *
+     * @param {number} maxTimeMS - Maximum time in milliseconds
+     * @returns {Promise<number>} Response time in milliseconds
+     * @abstract
+     */
+    async pingDatabase(maxTimeMS) {
+        throw new Error('Method pingDatabase must be implemented by subclass');
+    }
+
+    /**
+     * Save a test document
+     *
+     * @param {Object} TestModel - Prisma model
+     * @param {Object} data - Data to save
+     * @returns {Promise<Object>} Saved document
+     * @abstract
+     */
+    async saveTestDocument(TestModel, data) {
+        throw new Error('Method saveTestDocument must be implemented by subclass');
+    }
+
+    /**
+     * Find test document by ID
+     *
+     * @param {Object} TestModel - Prisma model
+     * @param {string|number} id - Document ID
+     * @returns {Promise<Object|null>} Document or null
+     * @abstract
+     */
+    async findTestDocumentById(TestModel, id) {
+        throw new Error('Method findTestDocumentById must be implemented by subclass');
+    }
+
+    /**
+     * Get raw document from collection
+     *
+     * @param {string} collectionName - Collection name
+     * @param {Object} filter - Filter criteria
+     * @returns {Promise<Object|null>} Raw document or null
+     * @abstract
+     */
+    async getRawDocumentFromCollection(collectionName, filter) {
+        throw new Error('Method getRawDocumentFromCollection must be implemented by subclass');
+    }
+
+    /**
+     * Delete test document
+     *
+     * @param {Object} TestModel - Prisma model
+     * @param {string|number} id - Document ID
+     * @returns {Promise<Object>} Deletion result
+     * @abstract
+     */
+    async deleteTestDocument(TestModel, id) {
+        throw new Error('Method deleteTestDocument must be implemented by subclass');
+    }
+
+    /**
+     * Get database connection state
+     *
+     * @returns {Object} Connection state info
+     */
+    getDatabaseConnectionState() {
+        throw new Error('Method getDatabaseConnectionState must be implemented by subclass');
+    }
+}
+
+module.exports = { HealthCheckRepositoryInterface };

package/database/repositories/health-check-repository-mongodb.js

@@ -0,0 +1,72 @@
+const { prisma } = require('../prisma');
+const { mongoose } = require('../mongoose');
+const {
+    HealthCheckRepositoryInterface,
+} = require('./health-check-repository-interface');
+
+/**
+ * MongoDB-specific Health Check Repository
+ *
+ * Provides MongoDB-specific database operations for health testing.
+ * Uses Mongoose for MongoDB-specific operations (raw access, ping).
+ */
+class HealthCheckRepositoryMongoDB extends HealthCheckRepositoryInterface {
+    constructor() {
+        super();
+    }
+
+    getDatabaseConnectionState() {
+        const stateMap = {
+            0: 'disconnected',
+            1: 'connected',
+            2: 'connecting',
+            3: 'disconnecting',
+        };
+        const readyState = mongoose.connection.readyState;
+
+        return {
+            readyState,
+            stateName: stateMap[readyState],
+            isConnected: readyState === 1,
+        };
+    }
+
+    async pingDatabase(maxTimeMS = 2000) {
+        const pingStart = Date.now();
+        await mongoose.connection.db.admin().ping({ maxTimeMS });
+        return Date.now() - pingStart;
+    }
+
+    async createCredential(credentialData) {
+        return await prisma.credential.create({
+            data: credentialData,
+        });
+    }
+
+    async findCredentialById(id) {
+        return await prisma.credential.findUnique({
+            where: { id },
+        });
+    }
+
+    /**
+     * Get raw credential from MongoDB bypassing Prisma encryption extension
+     * Uses Mongoose to access raw MongoDB collection
+     * @param {string} id - Credential ID
+     * @returns {Promise<Object|null>} Raw credential from database
+     */
+    async getRawCredentialById(id) {
+        const { ObjectId } = require('mongodb');
+        return await mongoose.connection.db
+            .collection('Credential')
+            .findOne({ _id: new ObjectId(id) });
+    }
+
+    async deleteCredential(id) {
+        await prisma.credential.delete({
+            where: { id },
+        });
+    }
+}
+
+module.exports = { HealthCheckRepositoryMongoDB };

package/database/repositories/health-check-repository-postgres.js

@@ -0,0 +1,75 @@
+const { prisma } = require('../prisma');
+const {
+    HealthCheckRepositoryInterface,
+} = require('./health-check-repository-interface');
+
+/**
+ * PostgreSQL-specific Health Check Repository
+ *
+ * Provides PostgreSQL-specific database operations for health testing.
+ * Uses Prisma raw queries for PostgreSQL-specific operations.
+ */
+class HealthCheckRepositoryPostgreSQL extends HealthCheckRepositoryInterface {
+    constructor() {
+        super();
+    }
+
+    getDatabaseConnectionState() {
+        // PostgreSQL connection state via Prisma
+        // Note: Prisma doesn't expose connection state like Mongoose
+        // We check if prisma is connected by attempting a query
+        return {
+            readyState: 1, // Assume connected if Prisma instance exists
+            stateName: 'connected',
+            isConnected: true,
+        };
+    }
+
+    async pingDatabase(maxTimeMS = 2000) {
+        const pingStart = Date.now();
+
+        // PostgreSQL ping using SELECT 1
+        await prisma.$queryRaw`SELECT 1`;
+
+        return Date.now() - pingStart;
+    }
+
+    async createCredential(credentialData) {
+        return await prisma.credential.create({
+            data: credentialData,
+        });
+    }
+
+    async findCredentialById(id) {
+        return await prisma.credential.findUnique({
+            where: { id },
+        });
+    }
+
+    /**
+     * Get raw credential from PostgreSQL bypassing Prisma encryption extension
+     * Uses $queryRaw to access raw PostgreSQL table
+     * @param {string} id - Credential ID
+     * @returns {Promise<Object|null>} Raw credential from database
+     */
+    async getRawCredentialById(id) {
+        const results = await prisma.$queryRaw`
+            SELECT * FROM "Credential" WHERE id = ${id}
+        `;
+
+        if (!results || results.length === 0) {
+            return null;
+        }
+
+        // Return first result
+        return results[0];
+    }
+
+    async deleteCredential(id) {
+        await prisma.credential.delete({
+            where: { id },
+        });
+    }
+}
+
+module.exports = { HealthCheckRepositoryPostgreSQL };

package/database/repositories/health-check-repository.js

@@ -0,0 +1,108 @@
+const { prisma } = require('../prisma');
+const { mongoose } = require('../mongoose');
+const {
+    HealthCheckRepositoryInterface,
+} = require('./health-check-repository-interface');
+
+/**
+ * Repository for Health Check database operations.
+ * Provides atomic database operations for health testing.
+ *
+ * Follows DDD/Hexagonal Architecture:
+ * - Infrastructure Layer (this repository)
+ * - Pure database operations only, no business logic
+ * - Used by Application Layer (Use Cases)
+ *
+ * Works identically for both MongoDB and PostgreSQL:
+ * - Uses Prisma for database operations
+ * - Encryption happens transparently via Prisma extension
+ * - Both MongoDB and PostgreSQL use same Prisma API
+ *
+ * Migration from Mongoose to Prisma:
+ * - Replaced Mongoose models with Prisma client
+ * - Uses Credential model for encryption testing
+ * - Maintains same method signatures for compatibility
+ */
+class HealthCheckRepository extends HealthCheckRepositoryInterface {
+    constructor() {
+        super();
+    }
+
+    /**
+     * Get database connection state
+     * @returns {Object} Object with readyState, stateName, and isConnected
+     */
+    getDatabaseConnectionState() {
+        const stateMap = {
+            0: 'disconnected',
+            1: 'connected',
+            2: 'connecting',
+            3: 'disconnecting',
+        };
+        const readyState = mongoose.connection.readyState;
+
+        return {
+            readyState,
+            stateName: stateMap[readyState],
+            isConnected: readyState === 1,
+        };
+    }
+
+    /**
+     * Ping the database to verify connectivity
+     * @param {number} maxTimeMS - Maximum time to wait for ping response
+     * @returns {Promise<number>} Response time in milliseconds
+     * @throws {Error} If database is not connected or ping fails
+     */
+    async pingDatabase(maxTimeMS = 2000) {
+        const pingStart = Date.now();
+        await mongoose.connection.db.admin().ping({ maxTimeMS });
+        return Date.now() - pingStart;
+    }
+
+    /**
+     * Create a test credential for encryption testing
+     * @param {Object} credentialData - Credential data to create
+     * @returns {Promise<Object>} Created credential
+     */
+    async createCredential(credentialData) {
+        return await prisma.credential.create({
+            data: credentialData,
+        });
+    }
+
+    /**
+     * Find a credential by ID
+     * @param {string} id - Credential ID
+     * @returns {Promise<Object|null>} Found credential or null
+     */
+    async findCredentialById(id) {
+        return await prisma.credential.findUnique({
+            where: { id },
+        });
+    }
+
+    /**
+     * Get raw credential from database bypassing Prisma encryption extension
+     * @param {string} id - Credential ID
+     * @returns {Promise<Object|null>} Raw credential from database
+     */
+    async getRawCredentialById(id) {
+        return await mongoose.connection.db
+            .collection('credentials')
+            .findOne({ _id: id });
+    }
+
+    /**
+     * Delete a credential by ID
+     * @param {string} id - Credential ID
+     * @returns {Promise<void>}
+     */
+    async deleteCredential(id) {
+        await prisma.credential.delete({
+            where: { id },
+        });
+    }
+}
+
+module.exports = { HealthCheckRepository };

package/database/use-cases/check-database-health-use-case.js

@@ -0,0 +1,34 @@
+/**
+ * Use Case for checking database health.
+ * Contains business logic for determining database connectivity and health status.
+ */
+class CheckDatabaseHealthUseCase {
+    /**
+     * @param {Object} params
+     * @param {import('../health-check-repository-interface').HealthCheckRepositoryInterface} params.healthCheckRepository
+     */
+    constructor({ healthCheckRepository }) {
+        this.repository = healthCheckRepository;
+    }
+
+    /**
+     * Execute database health check
+     * @returns {Promise<Object>} Health check result with status, state, and response time
+     */
+    async execute() {
+        const { stateName, isConnected } = this.repository.getDatabaseConnectionState();
+
+        const result = {
+            status: isConnected ? 'healthy' : 'unhealthy',
+            state: stateName,
+        };
+
+        if (isConnected) {
+            result.responseTime = await this.repository.pingDatabase(2000);
+        }
+
+        return result;
+    }
+}
+
+module.exports = { CheckDatabaseHealthUseCase };

package/database/use-cases/check-encryption-health-use-case.js

@@ -0,0 +1,82 @@
+class CheckEncryptionHealthUseCase {
+    constructor({ testEncryptionUseCase }) {
+        this.testEncryptionUseCase = testEncryptionUseCase;
+    }
+
+    async execute() {
+        const config = this._getEncryptionConfiguration();
+
+        if (config.isBypassed || config.mode === 'none') {
+            const testResult = config.isBypassed
+                ? 'Encryption bypassed for this stage'
+                : 'No encryption keys configured';
+
+            return {
+                status: 'disabled',
+                mode: config.mode,
+                bypassed: config.isBypassed,
+                stage: config.stage,
+                testResult,
+                encryptionWorks: false,
+                debug: {
+                    hasKMS: config.hasKMS,
+                    hasAES: config.hasAES,
+                },
+            };
+        }
+
+        try {
+            const testResults = await this.testEncryptionUseCase.execute();
+
+            return {
+                ...testResults,
+                mode: config.mode,
+                bypassed: config.isBypassed,
+                stage: config.stage,
+                debug: {
+                    hasKMS: config.hasKMS,
+                    hasAES: config.hasAES,
+                },
+            };
+        } catch (error) {
+            return {
+                status: 'unhealthy',
+                mode: config.mode,
+                bypassed: config.isBypassed,
+                stage: config.stage,
+                testResult: `Encryption test failed: ${error.message}`,
+                encryptionWorks: false,
+                debug: {
+                    hasKMS: config.hasKMS,
+                    hasAES: config.hasAES,
+                },
+            };
+        }
+    }
+
+    _getEncryptionConfiguration() {
+        const { STAGE, BYPASS_ENCRYPTION_STAGE, KMS_KEY_ARN, AES_KEY_ID } =
+            process.env;
+
+        const defaultBypassStages = ['dev', 'test', 'local'];
+        const useEnv = BYPASS_ENCRYPTION_STAGE !== undefined;
+        const bypassStages = useEnv
+            ? BYPASS_ENCRYPTION_STAGE.split(',').map((s) => s.trim())
+            : defaultBypassStages;
+
+        const isBypassed = bypassStages.includes(STAGE);
+        const hasAES = AES_KEY_ID && AES_KEY_ID.trim() !== '';
+        const hasKMS = KMS_KEY_ARN && KMS_KEY_ARN.trim() !== '' && !hasAES;
+        const mode = hasAES ? 'aes' : hasKMS ? 'kms' : 'none';
+
+        return {
+            stage: STAGE || null,
+            isBypassed,
+            hasAES,
+            hasKMS,
+            mode,
+        };
+    }
+}
+
+module.exports = { CheckEncryptionHealthUseCase };