@friggframework/core 2.0.0-next.41 → 2.0.0-next.43

package/database/encryption/encryption-schema-registry.test.js

@@ -0,0 +1,392 @@
+const {
+    CORE_ENCRYPTION_SCHEMA,
+    getEncryptedFields,
+    hasEncryptedFields,
+    getEncryptedModels,
+    registerCustomSchema,
+    validateCustomSchema,
+    resetCustomSchema,
+} = require('./encryption-schema-registry');
+
+describe('Encryption Schema Registry', () => {
+    afterEach(() => {
+        // Reset custom schema after each test
+        resetCustomSchema();
+    });
+
+    describe('CORE_ENCRYPTION_SCHEMA', () => {
+        it('should define encrypted fields for Credential model', () => {
+            expect(CORE_ENCRYPTION_SCHEMA.Credential).toBeDefined();
+            expect(CORE_ENCRYPTION_SCHEMA.Credential.fields).toContain(
+                'data.access_token'
+            );
+            expect(CORE_ENCRYPTION_SCHEMA.Credential.fields).toContain(
+                'data.refresh_token'
+            );
+            expect(CORE_ENCRYPTION_SCHEMA.Credential.fields).toContain(
+                'data.id_token'
+            );
+        });
+
+        it('should define encrypted fields for IntegrationMapping model', () => {
+            expect(CORE_ENCRYPTION_SCHEMA.IntegrationMapping).toBeDefined();
+            expect(CORE_ENCRYPTION_SCHEMA.IntegrationMapping.fields).toContain(
+                'mapping'
+            );
+        });
+
+        it('should define encrypted fields for User model', () => {
+            expect(CORE_ENCRYPTION_SCHEMA.User).toBeDefined();
+            expect(CORE_ENCRYPTION_SCHEMA.User.fields).toContain('hashword');
+        });
+
+        it('should define encrypted fields for Token model', () => {
+            expect(CORE_ENCRYPTION_SCHEMA.Token).toBeDefined();
+            expect(CORE_ENCRYPTION_SCHEMA.Token.fields).toContain('token');
+        });
+    });
+
+    describe('getEncryptedFields', () => {
+        it('should return encrypted fields for Credential model', () => {
+            const fields = getEncryptedFields('Credential');
+
+            expect(fields).toEqual([
+                'data.access_token',
+                'data.refresh_token',
+                'data.id_token',
+            ]);
+        });
+
+        it('should return encrypted fields for User model', () => {
+            const fields = getEncryptedFields('User');
+
+            expect(fields).toEqual(['hashword']);
+        });
+
+        it('should return empty array for model without encrypted fields', () => {
+            const fields = getEncryptedFields('NonExistentModel');
+
+            expect(fields).toEqual([]);
+        });
+
+        it('should return empty array for undefined model', () => {
+            const fields = getEncryptedFields(undefined);
+
+            expect(fields).toEqual([]);
+        });
+
+        it('should return empty array for null model', () => {
+            const fields = getEncryptedFields(null);
+
+            expect(fields).toEqual([]);
+        });
+
+        it('should support nested JSON paths', () => {
+            const fields = getEncryptedFields('Credential');
+            const nestedFields = fields.filter((f) => f.includes('.'));
+
+            expect(nestedFields.length).toBeGreaterThan(0);
+            expect(nestedFields).toContain('data.access_token');
+        });
+    });
+
+    describe('hasEncryptedFields', () => {
+        it('should return true for models with encrypted fields', () => {
+            expect(hasEncryptedFields('Credential')).toBe(true);
+            expect(hasEncryptedFields('User')).toBe(true);
+            expect(hasEncryptedFields('Token')).toBe(true);
+            expect(hasEncryptedFields('IntegrationMapping')).toBe(true);
+        });
+
+        it('should return false for models without encrypted fields', () => {
+            expect(hasEncryptedFields('State')).toBe(false);
+            expect(hasEncryptedFields('NonExistentModel')).toBe(false);
+        });
+
+        it('should return false for undefined model', () => {
+            expect(hasEncryptedFields(undefined)).toBe(false);
+        });
+
+        it('should return false for null model', () => {
+            expect(hasEncryptedFields(null)).toBe(false);
+        });
+    });
+
+    describe('getEncryptedModels', () => {
+        it('should return list of all models with encryption', () => {
+            const models = getEncryptedModels();
+
+            expect(models).toContain('Credential');
+            expect(models).toContain('IntegrationMapping');
+            expect(models).toContain('User');
+            expect(models).toContain('Token');
+        });
+
+        it('should return array with length equal to encrypted models', () => {
+            const models = getEncryptedModels();
+
+            expect(models.length).toBe(
+                Object.keys(CORE_ENCRYPTION_SCHEMA).length
+            );
+        });
+
+        it('should return unique model names', () => {
+            const models = getEncryptedModels();
+            const uniqueModels = [...new Set(models)];
+
+            expect(models.length).toBe(uniqueModels.length);
+        });
+    });
+
+    describe('Schema Validation', () => {
+        it('should have valid field paths (no leading/trailing dots)', () => {
+            const models = getEncryptedModels();
+
+            models.forEach((modelName) => {
+                const fields = getEncryptedFields(modelName);
+
+                fields.forEach((fieldPath) => {
+                    expect(fieldPath).not.toMatch(/^\./);
+                    expect(fieldPath).not.toMatch(/\.$/);
+                    expect(fieldPath.length).toBeGreaterThan(0);
+                });
+            });
+        });
+
+        it('should not have duplicate field paths within a model', () => {
+            const models = getEncryptedModels();
+
+            models.forEach((modelName) => {
+                const fields = getEncryptedFields(modelName);
+                const uniqueFields = [...new Set(fields)];
+
+                expect(fields.length).toBe(uniqueFields.length);
+            });
+        });
+
+        it('should have at least one field per encrypted model', () => {
+            const models = getEncryptedModels();
+
+            models.forEach((modelName) => {
+                const fields = getEncryptedFields(modelName);
+
+                expect(fields.length).toBeGreaterThan(0);
+            });
+        });
+    });
+
+    describe('Custom Schema Registration', () => {
+        describe('validateCustomSchema', () => {
+            it('should validate a valid custom schema', () => {
+                const customSchema = {
+                    MyModel: {
+                        fields: ['secretField', 'data.apiKey'],
+                    },
+                };
+
+                const result = validateCustomSchema(customSchema);
+
+                expect(result.valid).toBe(true);
+                expect(result.errors).toEqual([]);
+            });
+
+            it('should reject non-object schema', () => {
+                const result = validateCustomSchema('invalid');
+
+                expect(result.valid).toBe(false);
+                expect(result.errors).toContain(
+                    'Custom schema must be an object'
+                );
+            });
+
+            it('should reject model without fields array', () => {
+                const customSchema = {
+                    MyModel: {
+                        notFields: ['test'],
+                    },
+                };
+
+                const result = validateCustomSchema(customSchema);
+
+                expect(result.valid).toBe(false);
+                expect(result.errors[0]).toContain('must have a "fields" array');
+            });
+
+            it('should reject invalid field paths', () => {
+                const customSchema = {
+                    MyModel: {
+                        fields: ['validField', '', null],
+                    },
+                };
+
+                const result = validateCustomSchema(customSchema);
+
+                expect(result.valid).toBe(false);
+                expect(result.errors.length).toBeGreaterThan(0);
+            });
+
+            it('should prevent overriding core encrypted fields', () => {
+                const customSchema = {
+                    Credential: {
+                        fields: ['data.access_token'], // Core field
+                    },
+                };
+
+                const result = validateCustomSchema(customSchema);
+
+                expect(result.valid).toBe(false);
+                expect(result.errors[0]).toContain('Cannot override core');
+                expect(result.errors[0]).toContain('data.access_token');
+            });
+
+            it('should allow adding new fields to core models', () => {
+                const customSchema = {
+                    Credential: {
+                        fields: ['data.customField'], // New field
+                    },
+                };
+
+                const result = validateCustomSchema(customSchema);
+
+                expect(result.valid).toBe(true);
+                expect(result.errors).toEqual([]);
+            });
+        });
+
+        describe('registerCustomSchema', () => {
+            it('should register a valid custom schema', () => {
+                const customSchema = {
+                    MyCustomModel: {
+                        fields: ['secretData', 'apiKey'],
+                    },
+                };
+
+                expect(() => registerCustomSchema(customSchema)).not.toThrow();
+
+                const fields = getEncryptedFields('MyCustomModel');
+                expect(fields).toEqual(['secretData', 'apiKey']);
+            });
+
+            it('should throw error for invalid schema', () => {
+                const invalidSchema = {
+                    MyModel: {
+                        fields: ['validField', ''], // Empty string invalid
+                    },
+                };
+
+                expect(() => registerCustomSchema(invalidSchema)).toThrow(
+                    'Invalid custom encryption schema'
+                );
+            });
+
+            it('should handle empty schema gracefully', () => {
+                expect(() => registerCustomSchema({})).not.toThrow();
+                expect(() => registerCustomSchema(null)).not.toThrow();
+            });
+
+            it('should throw when trying to override core fields', () => {
+                const invalidSchema = {
+                    User: {
+                        fields: ['hashword'], // Core field
+                    },
+                };
+
+                expect(() => registerCustomSchema(invalidSchema)).toThrow(
+                    'Cannot override core'
+                );
+            });
+        });
+
+        describe('Custom schema merging', () => {
+            it('should merge custom fields with core fields', () => {
+                const customSchema = {
+                    Credential: {
+                        fields: ['data.customToken', 'data.customSecret'],
+                    },
+                };
+
+                registerCustomSchema(customSchema);
+
+                const fields = getEncryptedFields('Credential');
+
+                // Should include both core and custom
+                expect(fields).toContain('data.access_token'); // Core
+                expect(fields).toContain('data.customToken'); // Custom
+                expect(fields).toContain('data.customSecret'); // Custom
+            });
+
+            it('should deduplicate merged fields', () => {
+                const customSchema = {
+                    Credential: {
+                        fields: ['data.newField'],
+                    },
+                };
+
+                registerCustomSchema(customSchema);
+
+                const fields = getEncryptedFields('Credential');
+                const uniqueFields = [...new Set(fields)];
+
+                expect(fields.length).toBe(uniqueFields.length);
+            });
+
+            it('should include custom models in getEncryptedModels', () => {
+                const customSchema = {
+                    MyCustomModel: {
+                        fields: ['secret'],
+                    },
+                };
+
+                registerCustomSchema(customSchema);
+
+                const models = getEncryptedModels();
+
+                expect(models).toContain('MyCustomModel');
+                expect(models).toContain('Credential'); // Core model still there
+            });
+
+            it('should report custom models have encrypted fields', () => {
+                const customSchema = {
+                    MyCustomModel: {
+                        fields: ['secret'],
+                    },
+                };
+
+                registerCustomSchema(customSchema);
+
+                expect(hasEncryptedFields('MyCustomModel')).toBe(true);
+            });
+        });
+
+        describe('resetCustomSchema', () => {
+            it('should clear custom schema', () => {
+                const customSchema = {
+                    MyModel: {
+                        fields: ['secret'],
+                    },
+                };
+
+                registerCustomSchema(customSchema);
+                expect(hasEncryptedFields('MyModel')).toBe(true);
+
+                resetCustomSchema();
+                expect(hasEncryptedFields('MyModel')).toBe(false);
+            });
+
+            it('should not affect core schema', () => {
+                const customSchema = {
+                    MyModel: {
+                        fields: ['secret'],
+                    },
+                };
+
+                registerCustomSchema(customSchema);
+                resetCustomSchema();
+
+                // Core models still encrypted
+                expect(hasEncryptedFields('Credential')).toBe(true);
+                expect(hasEncryptedFields('User')).toBe(true);
+            });
+        });
+    });
+});

package/database/encryption/field-encryption-service.js

@@ -0,0 +1,226 @@
+/**
+ * Field Encryption Service
+ *
+ * Infrastructure layer service that orchestrates field-level encryption/decryption.
+ * Handles nested JSON paths (e.g., 'data.access_token') and bulk operations.
+ */
+class FieldEncryptionService {
+    constructor({ cryptor, schema }) {
+        if (!cryptor) {
+            throw new Error('Cryptor instance required');
+        }
+        if (!schema || typeof schema.getEncryptedFields !== 'function') {
+            throw new Error('Schema with getEncryptedFields method required');
+        }
+
+        this.cryptor = cryptor;
+        this.schema = schema;
+    }
+
+    async encryptFields(modelName, document) {
+        if (!document || typeof document !== 'object') {
+            return document;
+        }
+
+        const fields = this.schema.getEncryptedFields(modelName);
+        if (fields.length === 0) {
+            return document;
+        }
+
+        const encrypted = this._deepClone(document);
+
+        // Parallelize encryption of multiple fields
+        const encryptionPromises = fields.map(async (fieldPath) => {
+            const value = this._getNestedValue(encrypted, fieldPath);
+
+            if (this._shouldEncrypt(value)) {
+                const serializedValue = this._serializeForEncryption(value);
+                const encryptedValue = await this.cryptor.encrypt(serializedValue);
+                return { fieldPath, encryptedValue };
+            }
+            return null;
+        });
+
+        const results = await Promise.all(encryptionPromises);
+
+        // Apply encrypted values
+        for (const result of results) {
+            if (result) {
+                this._setNestedValue(encrypted, result.fieldPath, result.encryptedValue);
+            }
+        }
+
+        return encrypted;
+    }
+
+    async decryptFields(modelName, document) {
+        if (!document || typeof document !== 'object') {
+            return document;
+        }
+
+        const fields = this.schema.getEncryptedFields(modelName);
+        if (fields.length === 0) {
+            return document;
+        }
+
+        const decrypted = this._deepClone(document);
+
+        // Parallelize decryption of multiple fields
+        const decryptionPromises = fields.map(async (fieldPath) => {
+            const value = this._getNestedValue(decrypted, fieldPath);
+
+            if (this._isEncrypted(value)) {
+                const decryptedValue = await this.cryptor.decrypt(value);
+                const deserializedValue = this._deserializeAfterDecryption(decryptedValue);
+                return { fieldPath, decryptedValue: deserializedValue };
+            }
+            return null;
+        });
+
+        const results = await Promise.all(decryptionPromises);
+
+        // Apply decrypted values
+        for (const result of results) {
+            if (result) {
+                this._setNestedValue(decrypted, result.fieldPath, result.decryptedValue);
+            }
+        }
+
+        return decrypted;
+    }
+
+    async encryptFieldsInBulk(modelName, documents) {
+        if (!Array.isArray(documents)) {
+            return documents;
+        }
+
+        return Promise.all(
+            documents.map((doc) => this.encryptFields(modelName, doc))
+        );
+    }
+
+    async decryptFieldsInBulk(modelName, documents) {
+        if (!Array.isArray(documents)) {
+            return documents;
+        }
+
+        return Promise.all(
+            documents.map((doc) => this.decryptFields(modelName, doc))
+        );
+    }
+
+    _shouldEncrypt(value) {
+        return (
+            value !== null &&
+            value !== undefined &&
+            value !== '' &&
+            !this._isEncrypted(value)
+        );
+    }
+
+    _isEncrypted(value) {
+        if (typeof value !== 'string') {
+            return false;
+        }
+
+        const parts = value.split(':');
+        return parts.length >= 4;
+    }
+
+    _getNestedValue(obj, path) {
+        if (!obj || !path) {
+            return undefined;
+        }
+
+        return path.split('.').reduce((current, key) => {
+            return current?.[key];
+        }, obj);
+    }
+
+    _setNestedValue(obj, path, value) {
+        if (!obj || !path) {
+            return;
+        }
+
+        const keys = path.split('.');
+        const lastKey = keys.pop();
+
+        const target = keys.reduce((current, key) => {
+            if (!current[key] || typeof current[key] !== 'object') {
+                current[key] = {};
+            }
+            return current[key];
+        }, obj);
+
+        target[lastKey] = value;
+    }
+
+    _deepClone(obj) {
+        // Use structuredClone (Node.js 17+) for better performance
+        // Falls back to custom implementation for older Node versions
+        if (typeof structuredClone !== 'undefined') {
+            try {
+                return structuredClone(obj);
+            } catch {
+                // Fall through to custom implementation
+            }
+        }
+
+        // Custom fallback for older environments
+        if (obj === null || typeof obj !== 'object') {
+            return obj;
+        }
+
+        if (obj instanceof Date) {
+            return new Date(obj.getTime());
+        }
+
+        if (Array.isArray(obj)) {
+            return obj.map((item) => this._deepClone(item));
+        }
+
+        const cloned = {};
+        for (const key in obj) {
+            if (obj.hasOwnProperty(key)) {
+                cloned[key] = this._deepClone(obj[key]);
+            }
+        }
+
+        return cloned;
+    }
+
+    /**
+     * Serialize a value for encryption
+     * Objects/arrays are JSON stringified, primitives are converted to strings
+     * @private
+     */
+    _serializeForEncryption(value) {
+        if (typeof value === 'object' && value !== null) {
+            // JSON.stringify for objects and arrays
+            return JSON.stringify(value);
+        }
+        // For primitives (string, number, boolean), convert to string
+        return String(value);
+    }
+
+    /**
+     * Deserialize a value after decryption
+     * Attempts to parse as JSON, returns string if parsing fails
+     * @private
+     */
+    _deserializeAfterDecryption(value) {
+        if (typeof value !== 'string') {
+            return value;
+        }
+
+        // Try to parse as JSON
+        try {
+            return JSON.parse(value);
+        } catch {
+            // Not valid JSON, return as-is (likely was a plain string field)
+            return value;
+        }
+    }
+}
+
+module.exports = { FieldEncryptionService };