@friggframework/core 2.0.0-next.41 → 2.0.0-next.43

package/database/use-cases/test-encryption-use-case.js

@@ -0,0 +1,252 @@
+/**
+ * Use Case for testing encryption functionality.
+ * Contains business logic for verifying that encryption and decryption work correctly.
+ *
+ * Follows DDD/Hexagonal Architecture:
+ * - Application Layer (this use case)
+ * - Depends on Infrastructure Layer (HealthCheckRepository)
+ */
+class TestEncryptionUseCase {
+    /**
+     * @param {Object} params
+     * @param {import('../health-check-repository-interface').HealthCheckRepositoryInterface} params.healthCheckRepository
+     */
+    constructor({ healthCheckRepository }) {
+        this.repository = healthCheckRepository;
+    }
+
+    /**
+     * Execute encryption test
+     * Orchestrates the full encryption test workflow using Prisma
+     * @returns {Promise<Object>} Test results with status and details
+     */
+    async execute() {
+        const testData = {
+            testSecret: 'This is a secret value that should be encrypted',
+            normalField: 'This is a normal field that should not be encrypted',
+            nestedSecret: {
+                value: 'This is a nested secret that should be encrypted',
+            },
+        };
+
+        const credentialData = this._mapTestDataToCredential(testData);
+
+        const credential = await this._withTimeout(
+            this.repository.createCredential(credentialData),
+            5000,
+            'Save operation timed out'
+        );
+
+        try {
+            const retrievedCredential = await this._withTimeout(
+                this.repository.findCredentialById(credential.id),
+                5000,
+                'Find operation timed out'
+            );
+
+            const retrievedTestData =
+                this._mapCredentialToTestData(retrievedCredential);
+            const decryptionWorks = this._verifyDecryption(
+                retrievedTestData,
+                testData
+            );
+
+            const rawCredential = await this._withTimeout(
+                this.repository.getRawCredentialById(credential.id),
+                5000,
+                'Database verification timed out'
+            );
+
+            const rawTestData = this._mapRawCredentialToTestData(rawCredential);
+            const encryptionResults = this._verifyEncryptionInDatabase(
+                rawTestData,
+                testData
+            );
+
+            return this._evaluateEncryptionResults(
+                decryptionWorks,
+                encryptionResults
+            );
+        } finally {
+            await this._withTimeout(
+                this.repository.deleteCredential(credential.id),
+                5000,
+                'Delete operation timed out'
+            );
+        }
+    }
+
+    /**
+     * Map test data format to Credential model format
+     * @param {Object} testData - Test data with testSecret, normalField, nestedSecret
+     * @returns {Object} Credential data structure
+     * @private
+     */
+    _mapTestDataToCredential(testData) {
+        return {
+            user_id: 'test-encryption-user',
+            entity_id: 'test-encryption-entity',
+            data: {
+                access_token: testData.testSecret,
+                refresh_token: testData.nestedSecret?.value,
+                domain: testData.normalField,
+            },
+        };
+    }
+
+    /**
+     * Map Credential model format to test data format
+     * @param {Object} credential - Credential from database
+     * @returns {Object} Test data format
+     * @private
+     */
+    _mapCredentialToTestData(credential) {
+        if (!credential) {
+            return null;
+        }
+
+        return {
+            id: credential.id,
+            testSecret: credential.data.access_token,
+            normalField: credential.data.domain,
+            nestedSecret: {
+                value: credential.data.refresh_token,
+            },
+        };
+    }
+
+    /**
+     * Map raw Credential data to test data format
+     * @param {Object} rawCredential - Raw credential from database
+     * @returns {Object} Test data format with raw encrypted values
+     * @private
+     */
+    _mapRawCredentialToTestData(rawCredential) {
+        if (!rawCredential) {
+            return null;
+        }
+
+        return {
+            testSecret: rawCredential.data?.access_token,
+            normalField: rawCredential.data?.domain,
+            nestedSecret: {
+                value: rawCredential.data?.refresh_token,
+            },
+        };
+    }
+
+    /**
+     * Verify that a document was decrypted correctly
+     * @param {Object} retrievedDoc - Document retrieved from database
+     * @param {Object} originalData - Original unencrypted data
+     * @returns {boolean} True if decryption worked correctly
+     * @private
+     */
+    _verifyDecryption(retrievedDoc, originalData) {
+        return (
+            retrievedDoc &&
+            retrievedDoc.testSecret === originalData.testSecret &&
+            retrievedDoc.normalField === originalData.normalField &&
+            retrievedDoc.nestedSecret?.value === originalData.nestedSecret.value
+        );
+    }
+
+    /**
+     * Verify that data was encrypted in the database
+     * Business rule: Encrypted fields should contain ':' and differ from original
+     * @param {Object} rawDoc - Raw document from database
+     * @param {Object} originalData - Original unencrypted data
+     * @returns {Object} Encryption verification results
+     * @private
+     */
+    _verifyEncryptionInDatabase(rawDoc, originalData) {
+        const secretIsEncrypted =
+            rawDoc &&
+            typeof rawDoc.testSecret === 'string' &&
+            rawDoc.testSecret.includes(':') &&
+            rawDoc.testSecret !== originalData.testSecret;
+
+        const nestedIsEncrypted =
+            rawDoc?.nestedSecret?.value &&
+            typeof rawDoc.nestedSecret.value === 'string' &&
+            rawDoc.nestedSecret.value.includes(':') &&
+            rawDoc.nestedSecret.value !== originalData.nestedSecret.value;
+
+        const normalNotEncrypted =
+            rawDoc && rawDoc.normalField === originalData.normalField;
+
+        return {
+            secretIsEncrypted,
+            nestedIsEncrypted,
+            normalNotEncrypted,
+        };
+    }
+
+    /**
+     * Evaluate encryption test results
+     * Business logic for determining if encryption is healthy
+     * @param {boolean} decryptionWorks - Whether decryption succeeded
+     * @param {Object} encryptionResults - Encryption verification results
+     * @returns {Object} Test status and result message
+     * @private
+     */
+    _evaluateEncryptionResults(decryptionWorks, encryptionResults) {
+        const { secretIsEncrypted, nestedIsEncrypted, normalNotEncrypted } =
+            encryptionResults;
+
+        if (
+            decryptionWorks &&
+            secretIsEncrypted &&
+            nestedIsEncrypted &&
+            normalNotEncrypted
+        ) {
+            return {
+                status: 'enabled',
+                testResult:
+                    'Encryption and decryption verified successfully',
+                encryptionWorks: true,
+            };
+        }
+
+        if (decryptionWorks && (!secretIsEncrypted || !nestedIsEncrypted)) {
+            return {
+                status: 'unhealthy',
+                testResult: 'Fields are not being encrypted in database',
+                encryptionWorks: false,
+            };
+        }
+
+        if (decryptionWorks && !normalNotEncrypted) {
+            return {
+                status: 'unhealthy',
+                testResult: 'Normal fields are being incorrectly encrypted',
+                encryptionWorks: false,
+            };
+        }
+
+        return {
+            status: 'unhealthy',
+            testResult: 'Decryption failed or data mismatch',
+            encryptionWorks: false,
+        };
+    }
+
+    /**
+     * Execute promise with timeout
+     * @param {Promise} promise - Promise to execute
+     * @param {number} ms - Timeout in milliseconds
+     * @param {string} errorMessage - Error message for timeout
+     * @returns {Promise} Promise that rejects on timeout
+     * @private
+     */
+    _withTimeout(promise, ms, errorMessage) {
+        return Promise.race([
+            promise,
+            new Promise((_, reject) =>
+                setTimeout(() => reject(new Error(errorMessage)), ms)
+            ),
+        ]);
+    }
+}
+
+module.exports = { TestEncryptionUseCase };

package/encrypt/Cryptor.js

@@ -1,22 +1,28 @@
+/**
+ * Cryptor - Encryption Service Adapter
+ *
+ * Infrastructure Layer adapter for AWS KMS and local AES encryption.
+ * Provides envelope encryption pattern for field-level encryption.
+ *
+ * Envelope Encryption Pattern:
+ * 1. Generate Data Encryption Key (DEK) via KMS or locally
+ * 2. Encrypt field value with DEK using AES-256-CTR
+ * 3. Encrypt DEK with Master Key (KMS CMK or AES_KEY)
+ * 4. Return format: "keyId:encryptedText:encryptedKey"
+ *
+ * Benefits:
+ * - Reduces KMS API calls (unique DEK per operation)
+ * - Master key never leaves KMS
+ * - Enables key rotation without re-encrypting data
+ */
+
 const crypto = require('crypto');
 const AWS = require('aws-sdk');
-const { get, set } = require('lodash');
 const aes = require('./aes');
 
-const hasValue = (a) => a !== undefined && a !== null && a !== '';
-
 class Cryptor {
-    constructor({ fields, shouldUseAws }) {
+    constructor({ shouldUseAws }) {
         this.shouldUseAws = shouldUseAws;
-        this.fields = fields;
-
-        this.permutationsByField = {};
-
-        for (const field of fields) {
-            this.permutationsByField[field] = this.calculatePermutations(
-                field.split('.')
-            );
-        }
     }
 
     async generateDataKey() {
@@ -56,7 +62,7 @@ class Cryptor {
         const key = availableKeys[keyId];
 
         if (!key) {
-            throw new Error(`No encryption key found with ID "${keyId}"`);
+            throw new Error('Encryption key not found');
         }
 
         return key;
@@ -79,146 +85,9 @@ class Cryptor {
         return aes.decrypt(encryptedKey, key);
     }
 
-    // If the field has a value in the document, apply async function f to that field.
-    async setInDocument(doc, f) {
-        // Use the Mongoose document get/set when available (not for insertMany)
-        if (doc.get) {
-            for (const field of this.fields) {
-                const value = doc.get(field);
-                if (hasValue(value)) {
-                    doc.set(field, await f(value));
-                }
-            }
-            return;
-        }
-
-        // Otherwise use permutations.
-        for (const field of this.fields) {
-            const updatedDoc = await this.applyAll(doc, field, f);
-            Object.assign(doc, updatedDoc);
-        }
-    }
-
-    // Calculate all possible permutations for a nested field.  For example a
-    // field "deeply.nested.field" might be referred to in a Mongo query as
-    // { deeply: { 'nested.field': {} } } or { 'deeply.nested.field': {} }
-    // etc.  For a given path, this gives all path parts to check in a format
-    // that lodash understands when using get and set with an array of path
-    // parts e.g. get(o, ['deeply', 'nested.parts'])
-    calculatePermutations = (parts) => {
-        if (!parts.length) return [];
-        if (parts.length === 1) return [parts];
-
-        const combos = [];
-
-        for (let i = 0; i < parts.length; i += 1) {
-            const frontPath = parts.slice(0, i + 1).join('.');
-            const rest = parts.slice(i + 1);
-
-            if (rest.length) {
-                combos.push(
-                    ...this.calculatePermutations(rest).map((child) => [
-                        frontPath,
-                        ...child,
-                    ])
-                );
-            } else {
-                combos.push([frontPath]);
-            }
-        }
-
-        return combos;
-    };
-
-    // Encrypt all possible permutations of a field (possibly nested), if there
-    // is a value at that path permutation.
-    async applyAll(o, field, f) {
-        const clone = { ...o };
-        const permutations = this.permutationsByField[field];
-
-        for (const path of permutations) {
-            const value = get(o, path);
-            if (hasValue(value)) {
-                set(clone, path, await f(value));
-            }
-        }
-
-        return clone;
-    }
-
-    async processFieldsInDocuments(docs, f) {
-        const promises = docs
-            .filter(Boolean)
-            .flatMap((doc) => this.setInDocument(doc, f));
-
-        return Promise.all(promises);
-    }
-
-    async encryptFieldsInDocuments(docs) {
-        await this.processFieldsInDocuments(docs, this.encrypt.bind(this));
-    }
-
-    async decryptFieldsInDocuments(docs) {
-        await this.processFieldsInDocuments(docs, this.decrypt.bind(this));
-    }
-
-    async encryptFieldsInQuery(query) {
-        for (const field of this.fields) {
-            const originalUpdate = query.getUpdate();
-            const updatedUpdate = await this.applyAll(
-                originalUpdate,
-                field,
-                this.encrypt.bind(this)
-            );
-
-            if (originalUpdate.$set) {
-                const updatedSetUpdate = await this.applyAll(
-                    originalUpdate.$set,
-                    field,
-                    this.encrypt.bind(this)
-                );
-                updatedUpdate.$set = { ...updatedSetUpdate };
-            }
-
-            if (originalUpdate.$setOnInsert) {
-                const updatedSetOnInsertUpdate = await this.applyAll(
-                    originalUpdate.$setOnInsert,
-                    field,
-                    this.encrypt.bind(this)
-                );
-                updatedUpdate.$setOnInsert = { ...updatedSetOnInsertUpdate };
-            }
-
-            query.setUpdate(updatedUpdate);
-        }
-    }
-
-    expectNotToUpdateManyEncrypted(update) {
-        for (const field of this.fields) {
-            if (update.$set && hasValue(update.$set[field])) {
-                throw new Error(
-                    'Attempted to update encrypted field of multiple documents'
-                );
-            }
-
-            if (update.$setOnInsert && hasValue(update.$setOnInsert[field])) {
-                throw new Error(
-                    'Attempted to update encrypted field of multiple documents'
-                );
-            }
-
-            if (hasValue(update[field])) {
-                throw new Error(
-                    'Attempted to update encrypted field of multiple documents'
-                );
-            }
-        }
-    }
-
     async encrypt(text) {
         const { keyId, encryptedKey, plaintext } = await this.generateDataKey();
         const encryptedText = aes.encrypt(text, plaintext);
-
         return `${keyId}:${encryptedText}:${encryptedKey}`;
     }
 
@@ -228,7 +97,6 @@ class Cryptor {
         const encryptedText = `${split[1]}:${split[2]}`;
         const encryptedKey = Buffer.from(split[3], 'base64');
         const plaintext = await this.decryptDataKey(keyId, encryptedKey);
-
         return aes.decrypt(encryptedText, plaintext);
     }
 }

package/encrypt/index.js

@@ -1,4 +1,3 @@
-const { Encrypt } = require('./encrypt');
 const { Cryptor } = require('./Cryptor');
 
-module.exports = { Encrypt, Cryptor };
+module.exports = { Cryptor };

package/encrypt/test-encrypt.js

@@ -1,7 +1,5 @@
-const AWS = require('aws-sdk');
 const { mongoose } = require('../database/mongoose');
 const crypto = require('crypto');
-const { Encrypt } = require('./encrypt');
 
 const hexPattern = /^[a-f0-9]+$/i; // match hex strings of length >= 1
 

package/handlers/app-definition-loader.js

@@ -0,0 +1,38 @@
+const { findNearestBackendPackageJson } = require('@friggframework/core/utils');
+const path = require('node:path');
+const fs = require('fs-extra');
+
+/**
+ * Loads the App definition from the nearest backend package
+ * @function loadAppDefinition
+ * @description Searches for the nearest backend package.json, loads the corresponding index.js file,
+ * and extracts the application definition containing integrations and user configuration.
+ * @returns {{integrations: Array<object>, userConfig: object | null}} An object containing the application definition.
+ * @throws {Error} Throws error if backend package.json cannot be found.
+ * @throws {Error} Throws error if index.js file cannot be found in the backend directory.
+ * @example
+ * const { integrations, userConfig } = loadAppDefinition();
+ * console.log(`Found ${integrations.length} integrations`);
+ */
+function loadAppDefinition() {
+    const backendPath = findNearestBackendPackageJson();
+    if (!backendPath) {
+        throw new Error('Could not find backend package.json');
+    }
+
+    const backendDir = path.dirname(backendPath);
+    const backendFilePath = path.join(backendDir, 'index.js');
+    if (!fs.existsSync(backendFilePath)) {
+        throw new Error('Could not find index.js');
+    }
+
+    const backendJsFile = require(backendFilePath);
+    const appDefinition = backendJsFile.Definition;
+
+    const { integrations = [], user: userConfig = null } = appDefinition;
+    return { integrations, userConfig };
+}
+
+module.exports = {
+    loadAppDefinition,
+}; 

package/handlers/app-handler-helpers.js

@@ -3,7 +3,6 @@ const express = require('express');
 const bodyParser = require('body-parser');
 const cors = require('cors');
 const Boom = require('@hapi/boom');
-const loadUserManager = require('./routers/middleware/loadUser');
 const serverlessHttp = require('serverless-http');
 
 const createApp = (applyMiddleware) => {
@@ -20,8 +19,6 @@ const createApp = (applyMiddleware) => {
         })
     );
 
-    app.use(loadUserManager);
-
     if (applyMiddleware) applyMiddleware(app);
 
     // Handle sending error response and logging server errors to console

package/handlers/auth-flow.integration.test.js

@@ -0,0 +1,147 @@
+jest.mock('../database/config', () => ({
+    DB_TYPE: 'mongodb',
+    getDatabaseType: jest.fn(() => 'mongodb'),
+    PRISMA_LOG_LEVEL: 'error,warn',
+    PRISMA_QUERY_LOGGING: false,
+}));
+
+const { IntegrationEventDispatcher } = require('./integration-event-dispatcher');
+const { IntegrationBase } = require('../integrations/integration-base');
+
+class SimulatedAsanaIntegration extends IntegrationBase {
+    static Definition = {
+        name: 'asana',
+        version: '1.0.0',
+        modules: {},
+        routes: [
+            { path: '/auth', method: 'GET', event: 'AUTH_REQUEST' },
+            { path: '/auth/redirect/:provider', method: 'GET', event: 'AUTH_REDIRECT' },
+            { path: '/form', method: 'GET', event: 'LOAD_FORM' },
+        ],
+    };
+
+    constructor(params = {}) {
+        super(params);
+        this.events = {
+            AUTH_REQUEST: { handler: this.authRequest.bind(this) },
+            AUTH_REDIRECT: { handler: this.authRedirect.bind(this) },
+            LOAD_FORM: { handler: this.loadForm.bind(this) },
+        };
+    }
+
+    async authRequest() {
+        return {
+            success: true,
+            action: 'redirect',
+            hydrated: this.isHydrated,
+        };
+    }
+
+    async authRedirect({ req }) {
+        const { code } = req.query || {};
+        return {
+            success: true,
+            action: 'tokens_received',
+            receivedCode: code,
+            hydrated: this.isHydrated,
+        };
+    }
+
+    async loadForm() {
+        if (!this.isHydrated && SimulatedAsanaIntegration.testRecord) {
+            this.setIntegrationRecord({
+                record: SimulatedAsanaIntegration.testRecord.record,
+                modules: SimulatedAsanaIntegration.testRecord.modules,
+            });
+        }
+
+        this.assertHydrated('Integration not found - must authenticate first');
+
+        return {
+            success: true,
+            form: {
+                fields: ['field1', 'field2'],
+            },
+            integrationId: this.id,
+        };
+    }
+}
+
+describe('IntegrationEventDispatcher auth flow', () => {
+    const createDispatcher = () =>
+        new IntegrationEventDispatcher(new SimulatedAsanaIntegration());
+
+    beforeEach(() => {
+        SimulatedAsanaIntegration.testRecord = null;
+    });
+
+    it('handles auth request without hydration', async () => {
+        const dispatcher = createDispatcher();
+        const result = await dispatcher.dispatchHttp({
+            event: 'AUTH_REQUEST',
+            req: { params: { provider: 'asana' }, query: {} },
+            res: {},
+            next: jest.fn(),
+        });
+
+        expect(result).toEqual({ success: true, action: 'redirect', hydrated: false });
+    });
+
+    it('handles auth redirect without hydration', async () => {
+        const dispatcher = createDispatcher();
+        const result = await dispatcher.dispatchHttp({
+            event: 'AUTH_REDIRECT',
+            req: { params: { provider: 'asana' }, query: { code: 'abc123' } },
+            res: {},
+            next: jest.fn(),
+        });
+
+        expect(result).toEqual({
+            success: true,
+            action: 'tokens_received',
+            receivedCode: 'abc123',
+            hydrated: false,
+        });
+    });
+
+    it('throws for protected routes when no record is loaded', async () => {
+        const dispatcher = createDispatcher();
+        await expect(
+            dispatcher.dispatchHttp({
+                event: 'LOAD_FORM',
+                req: { query: {} },
+                res: {},
+                next: jest.fn(),
+            })
+        ).rejects.toThrow('Integration not found - must authenticate first');
+    });
+
+    it('allows handlers to hydrate explicitly before continuing', async () => {
+        SimulatedAsanaIntegration.testRecord = {
+            record: {
+                id: 'integration-123',
+                userId: 'user-456',
+                config: { type: 'asana' },
+                status: 'ENABLED',
+                version: '1.0.0',
+                messages: { errors: [], warnings: [] },
+                entities: [],
+            },
+            modules: [],
+        };
+
+        const dispatcher = createDispatcher();
+        const result = await dispatcher.dispatchHttp({
+            event: 'LOAD_FORM',
+            req: { query: {} },
+            res: {},
+            next: jest.fn(),
+        });
+
+        expect(result).toEqual({
+            success: true,
+            form: { fields: ['field1', 'field2'] },
+            integrationId: 'integration-123',
+        });
+    });
+});