@friggframework/core 2.0.0-next.43 → 2.0.0-next.45

package/user/tests/user-password-encryption-isolation.test.js

@@ -0,0 +1,237 @@
+/**
+ * Password Encryption Isolation Test
+ *
+ * Verifies that password hashing is completely isolated from the encryption system.
+ * Tests that passwords are bcrypt hashed regardless of encryption configuration.
+ *
+ * Key Tests:
+ * - With encryption ENABLED: passwords hashed (not encrypted)
+ * - With encryption DISABLED: passwords still hashed
+ * - Encryption schema does NOT include User.hashword
+ * - Side-by-side: tokens encrypted, passwords hashed
+ */
+
+// Set default DATABASE_URL for testing if not already set
+if (!process.env.DATABASE_URL) {
+    process.env.DATABASE_URL = 'mongodb://localhost:27017/frigg?replicaSet=rs0';
+}
+
+// Enable encryption for testing (bypass test stage check)
+process.env.STAGE = 'integration-test';
+process.env.AES_KEY_ID = 'test-key-id';
+process.env.AES_KEY = 'test-aes-key-32-characters-long!';
+
+jest.mock('../../database/config', () => ({
+    DB_TYPE: 'mongodb',
+    getDatabaseType: jest.fn(() => 'mongodb'),
+    PRISMA_LOG_LEVEL: 'error,warn',
+    PRISMA_QUERY_LOGGING: false,
+}));
+
+const bcrypt = require('bcryptjs');
+const { createUserRepository } = require('../repositories/user-repository-factory');
+const { prisma, connectPrisma, disconnectPrisma, getEncryptionConfig } = require('../../database/prisma');
+const { getEncryptedFields, hasEncryptedFields } = require('../../database/encryption/encryption-schema-registry');
+const { mongoose } = require('../../database/mongoose');
+
+describe('Password Encryption Isolation', () => {
+    const dbType = process.env.DB_TYPE || 'mongodb';
+    let userRepository;
+    let testUserIds = [];
+    const TEST_PASSWORD = 'IsolationTestPassword123!';
+
+    beforeAll(async () => {
+        await connectPrisma();
+        // Connect mongoose for raw database queries
+        if (mongoose.connection.readyState === 0) {
+            await mongoose.connect(process.env.DATABASE_URL);
+        }
+        userRepository = createUserRepository();
+    }, 30000); // 30 second timeout for database connection
+
+    afterAll(async () => {
+        for (const userId of testUserIds) {
+            await userRepository.deleteUser(userId).catch(() => {});
+        }
+        await mongoose.disconnect();
+        await disconnectPrisma();
+    }, 30000); // 30 second timeout for cleanup
+
+    test('✅ Encryption schema does NOT include User.hashword', () => {
+        const userEncryptedFields = getEncryptedFields('User');
+
+        console.log('\n📋 User model encrypted fields:', userEncryptedFields);
+
+        expect(userEncryptedFields).toBeDefined();
+        expect(Array.isArray(userEncryptedFields)).toBe(true);
+        expect(userEncryptedFields).not.toContain('hashword');
+
+        if (userEncryptedFields.length > 0) {
+            console.log('⚠️  WARNING: User model has encrypted fields:', userEncryptedFields);
+            console.log('   Password field (hashword) should NOT be in this list');
+        } else {
+            console.log('✅ User model has no encrypted fields (as expected)');
+        }
+    });
+
+    test('✅ Password is bcrypt hashed regardless of encryption config', async () => {
+        const encryptionConfig = getEncryptionConfig();
+        console.log('\n🔒 Current encryption config:', encryptionConfig);
+
+        const username = `isolation-test-${Date.now()}`;
+        const user = await userRepository.createIndividualUser({
+            username,
+            hashword: TEST_PASSWORD,
+            email: `${username}@test.com`,
+        });
+        testUserIds.push(user.id);
+
+        expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
+        expect(user.hashword).not.toBe(TEST_PASSWORD);
+        expect(user.hashword).not.toContain(':');
+
+        const isValid = await bcrypt.compare(TEST_PASSWORD, user.hashword);
+        expect(isValid).toBe(true);
+
+        console.log('✅ Password correctly hashed with bcrypt');
+        console.log('   Encryption enabled:', encryptionConfig.enabled);
+        console.log('   Hashword format:', user.hashword.substring(0, 20) + '...');
+    });
+
+    test('📊 Field-level encryption status comparison', async () => {
+        const models = ['User', 'Credential', 'Token', 'IntegrationMapping'];
+
+        console.log('\n📊 ENCRYPTION SCHEMA ANALYSIS:');
+        console.log('='.repeat(60));
+
+        for (const model of models) {
+            const fields = getEncryptedFields(model);
+            const hasEncryption = hasEncryptedFields(model);
+
+            console.log(`\n${model}:`);
+            console.log(`  Has encrypted fields: ${hasEncryption}`);
+            console.log(`  Encrypted fields: ${fields.length > 0 ? fields.join(', ') : 'none'}`);
+
+            if (model === 'User') {
+                expect(fields).not.toContain('hashword');
+                console.log('  ✅ Password (hashword) correctly excluded from encryption');
+            } else if (model === 'Credential') {
+                expect(fields).toContain('data.access_token');
+                console.log('  ✅ API tokens correctly included in encryption');
+            }
+        }
+    });
+
+    test('📊 End-to-end: Create user + credential, verify isolation', async () => {
+        const username = `e2e-isolation-${Date.now()}`;
+        const secretToken = 'my-secret-api-token-xyz';
+
+        const user = await userRepository.createIndividualUser({
+            username,
+            hashword: TEST_PASSWORD,
+            email: `${username}@test.com`,
+        });
+        testUserIds.push(user.id);
+
+        const credential = await prisma.credential.create({
+            data: {
+                userId: dbType === 'postgresql' ? parseInt(user.id, 10) : user.id,
+                externalId: `cred-${Date.now()}`,
+                data: {
+                    access_token: secretToken,
+                },
+            },
+        });
+
+        console.log('\n📊 END-TO-END ISOLATION TEST:');
+        console.log('='.repeat(60));
+
+        const fetchedUser = await userRepository.findIndividualUserById(user.id);
+        console.log('\n👤 User Password:');
+        console.log('  Format:', fetchedUser.hashword.substring(0, 30) + '...');
+        console.log('  Is bcrypt:', /^\$2[ab]\$\d{2}\$/.test(fetchedUser.hashword));
+        console.log('  Is encrypted (has :):', fetchedUser.hashword.includes(':'));
+
+        const fetchedCred = await prisma.credential.findUnique({
+            where: { id: credential.id },
+        });
+
+        console.log('\n🔑 Credential Token:');
+        const tokenValue = fetchedCred.data.access_token;
+        console.log('  Raw value:', tokenValue.substring(0, 50) + '...');
+        console.log('  Is encrypted (has :):', tokenValue.includes(':'));
+        console.log('  Equals plain text:', tokenValue === secretToken);
+
+        expect(fetchedUser.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
+        expect(fetchedUser.hashword).not.toContain(':');
+
+        const isPasswordValid = await bcrypt.compare(TEST_PASSWORD, fetchedUser.hashword);
+        expect(isPasswordValid).toBe(true);
+
+        console.log('\n✅ Password: bcrypt hashed (NOT encrypted)');
+
+        const encryptionEnabled = tokenValue !== secretToken;
+        if (encryptionEnabled) {
+            console.log('✅ Credential: properly encrypted');
+            expect(tokenValue).not.toBe(secretToken);
+        } else {
+            console.log('⚠️  Encryption disabled in this environment');
+        }
+
+        console.log('✅ ISOLATION VERIFIED: Passwords use bcrypt, credentials use encryption');
+
+        await prisma.credential.delete({ where: { id: credential.id } });
+    });
+
+    test('🔍 Bcrypt vs Encryption format analysis', () => {
+        const bcryptHash = '$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy';
+        const encryptedValue = 'kms:us-east-1:alias/app-key:AQICAHg...base64...';
+
+        console.log('\n🔍 FORMAT COMPARISON:');
+        console.log('='.repeat(60));
+
+        console.log('\nBcrypt Hash Format:');
+        console.log('  Example:', bcryptHash);
+        console.log('  Pattern: $2[ab]$rounds$salt+hash');
+        console.log('  Length: ~60 chars');
+        console.log('  Colon count:', (bcryptHash.match(/:/g) || []).length);
+        console.log('  Dollar signs: 3');
+
+        console.log('\nEncryption Format:');
+        console.log('  Example:', encryptedValue.substring(0, 50) + '...');
+        console.log('  Pattern: method:region:keyId:base64Ciphertext');
+        console.log('  Colon separators: 3');
+        console.log('  Variable length');
+
+        console.log('\n✅ Formats are clearly distinguishable');
+        console.log('✅ Bcrypt never has colon separators between dollar signs');
+        console.log('✅ Encryption always has exactly 3 colon separators');
+    });
+
+    test('⚠️  Verify password NOT double-processed', async () => {
+        const username = `double-process-test-${Date.now()}`;
+
+        const user = await userRepository.createIndividualUser({
+            username,
+            hashword: TEST_PASSWORD,
+            email: `${username}@test.com`,
+        });
+        testUserIds.push(user.id);
+
+        const hash1 = user.hashword;
+
+        const fetchedUser = await userRepository.findIndividualUserById(user.id);
+        const hash2 = fetchedUser.hashword;
+
+        console.log('\n⚠️  DOUBLE-PROCESSING CHECK:');
+        console.log('Hash after creation:', hash1.substring(0, 30) + '...');
+        console.log('Hash after fetch:   ', hash2.substring(0, 30) + '...');
+        console.log('Hashes match:', hash1 === hash2);
+
+        expect(hash1).toBe(hash2);
+        expect(hash1).toMatch(/^\$2[ab]\$\d{2}\$/);
+        expect(hash2).toMatch(/^\$2[ab]\$\d{2}\$/);
+
+        console.log('✅ No double-processing detected');
+    });
+});

package/user/tests/user-password-hashing.test.js

@@ -0,0 +1,235 @@
+/**
+ * Password Hashing Verification Test
+ *
+ * Verifies that passwords are correctly bcrypt hashed (NOT encrypted) throughout
+ * the user authentication flow. Tests both MongoDB and PostgreSQL.
+ *
+ * Expected Behavior:
+ * - Passwords hashed with bcrypt on creation (format: $2a$ or $2b$)
+ * - Password hashes stored as-is (NOT encrypted with KMS/AES)
+ * - bcrypt.compare() works correctly for authentication
+ * - Password updates also trigger bcrypt hashing
+ */
+
+// Set default DATABASE_URL for testing if not already set
+if (!process.env.DATABASE_URL) {
+    process.env.DATABASE_URL = 'mongodb://localhost:27017/frigg?replicaSet=rs0';
+}
+
+// Enable encryption for testing (bypass test stage check)
+process.env.STAGE = 'integration-test';
+process.env.AES_KEY_ID = 'test-key-id';
+process.env.AES_KEY = 'test-aes-key-32-characters-long!';
+
+jest.mock('../../database/config', () => ({
+    DB_TYPE: 'mongodb',
+    getDatabaseType: jest.fn(() => 'mongodb'),
+    PRISMA_LOG_LEVEL: 'error,warn',
+    PRISMA_QUERY_LOGGING: false,
+}));
+
+const bcrypt = require('bcryptjs');
+const { LoginUser } = require('../use-cases/login-user');
+const { createUserRepository } = require('../repositories/user-repository-factory');
+const { prisma, connectPrisma, disconnectPrisma } = require('../../database/prisma');
+const { mongoose } = require('../../database/mongoose');
+
+describe('Password Hashing Verification - Both Databases', () => {
+    const dbType = process.env.DB_TYPE || 'mongodb';
+    let userRepository;
+    let testUserId;
+    const TEST_PASSWORD = 'MySecurePassword123!';
+    const TEST_USERNAME = `test-user-hash-${Date.now()}`;
+    const userConfig = {
+        usePassword: true,
+        individualUserRequired: true,
+        organizationUserRequired: false,
+        primary: 'individual',
+    };
+
+    beforeAll(async () => {
+        await connectPrisma();
+        // Connect mongoose for raw database queries
+        if (mongoose.connection.readyState === 0) {
+            await mongoose.connect(process.env.DATABASE_URL);
+        }
+        userRepository = createUserRepository();
+    }, 30000); // 30 second timeout for database connection
+
+    afterAll(async () => {
+        if (testUserId) {
+            await userRepository.deleteUser(testUserId).catch(() => {});
+        }
+        await mongoose.disconnect();
+        await disconnectPrisma();
+    }, 30000); // 30 second timeout for cleanup
+
+    describe(`${dbType.toUpperCase()} - Password Hashing`, () => {
+        test('✅ Password is bcrypt hashed on user creation', async () => {
+            const user = await userRepository.createIndividualUser({
+                username: TEST_USERNAME,
+                hashword: TEST_PASSWORD,
+                email: `${TEST_USERNAME}@test.com`,
+            });
+            testUserId = user.id;
+
+            expect(user.hashword).toBeDefined();
+            expect(user.hashword).not.toBe(TEST_PASSWORD);
+            expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
+            expect(user.hashword.length).toBeGreaterThan(50);
+            expect(user.hashword).not.toContain(':');
+
+            console.log('✅ Password hashed correctly:', user.hashword.substring(0, 20) + '...');
+        });
+
+        test('✅ Stored hashword is bcrypt format, NOT encrypted', async () => {
+            const user = await userRepository.findIndividualUserByUsername(TEST_USERNAME);
+
+            expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
+            expect(user.hashword).not.toContain(':');
+            expect(user.hashword.split(':')).toHaveLength(1);
+
+            console.log('✅ Stored password has bcrypt format (not encrypted)');
+        });
+
+        test('✅ bcrypt.compare() verifies correct password', async () => {
+            const user = await userRepository.findIndividualUserByUsername(TEST_USERNAME);
+            const isValid = await bcrypt.compare(TEST_PASSWORD, user.hashword);
+
+            expect(isValid).toBe(true);
+            console.log('✅ bcrypt.compare() successfully verified password');
+        });
+
+        test('✅ bcrypt.compare() rejects incorrect password', async () => {
+            const user = await userRepository.findIndividualUserByUsername(TEST_USERNAME);
+            const isValid = await bcrypt.compare('WrongPassword', user.hashword);
+
+            expect(isValid).toBe(false);
+            console.log('✅ bcrypt.compare() correctly rejected wrong password');
+        });
+
+        test('✅ Login succeeds with correct password', async () => {
+            const loginUser = new LoginUser({ userRepository, userConfig });
+            const user = await loginUser.execute({
+                username: TEST_USERNAME,
+                password: TEST_PASSWORD,
+            });
+
+            expect(user).toBeDefined();
+            expect(user.getId()).toBe(testUserId);
+            console.log('✅ Login successful with correct password');
+        });
+
+        test('✅ Login fails with incorrect password', async () => {
+            const loginUser = new LoginUser({ userRepository, userConfig });
+
+            await expect(
+                loginUser.execute({
+                    username: TEST_USERNAME,
+                    password: 'WrongPassword123',
+                })
+            ).rejects.toThrow('Incorrect username or password');
+
+            console.log('✅ Login correctly rejected incorrect password');
+        });
+
+        test('✅ Password update also hashes the new password', async () => {
+            const newPassword = 'NewSecurePassword456!';
+
+            const updatedUser = await userRepository.updateIndividualUser(testUserId, {
+                hashword: newPassword,
+            });
+
+            expect(updatedUser.hashword).not.toBe(newPassword);
+            expect(updatedUser.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
+            expect(updatedUser.hashword).not.toContain(':');
+
+            const isNewPasswordValid = await bcrypt.compare(newPassword, updatedUser.hashword);
+            expect(isNewPasswordValid).toBe(true);
+
+            const isOldPasswordValid = await bcrypt.compare(TEST_PASSWORD, updatedUser.hashword);
+            expect(isOldPasswordValid).toBe(false);
+
+            console.log('✅ Password update correctly hashed new password');
+        });
+
+        test('📊 Raw database check: bcrypt hash stored directly', async () => {
+            let rawUser;
+            if (dbType === 'postgresql') {
+                const userId = parseInt(testUserId, 10);
+                rawUser = await prisma.$queryRaw`
+                    SELECT hashword FROM "User" WHERE id = ${userId}
+                `;
+                rawUser = rawUser[0];
+            } else {
+                rawUser = await prisma.$queryRawUnsafe(
+                    `db.User.findOne({ _id: ObjectId("${testUserId}") })`
+                ).catch(() => {
+                    return userRepository.findIndividualUserById(testUserId);
+                });
+            }
+
+            console.log('\n📊 RAW DATABASE HASHWORD:');
+            console.log('Format:', rawUser.hashword.substring(0, 30) + '...');
+            console.log('Length:', rawUser.hashword.length);
+
+            expect(rawUser.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
+            expect(rawUser.hashword).not.toContain(':');
+
+            console.log('✅ Raw database stores bcrypt hash (not encrypted)');
+        });
+    });
+
+    describe(`${dbType.toUpperCase()} - Encryption Isolation`, () => {
+        test('📊 COMPARISON: Credential tokens encrypted, passwords hashed', async () => {
+            const credential = await prisma.credential.create({
+                data: {
+                    userId: dbType === 'postgresql' ? parseInt(testUserId, 10) : testUserId,
+                    externalId: `test-cred-${Date.now()}`,
+                    data: {
+                        access_token: 'secret-access-token-12345',
+                        refresh_token: 'secret-refresh-token-67890',
+                    },
+                },
+            });
+
+            const user = await userRepository.findIndividualUserById(testUserId);
+
+            let rawCred;
+            if (dbType === 'postgresql') {
+                rawCred = await prisma.$queryRaw`
+                    SELECT data FROM "Credential" WHERE id = ${credential.id}
+                `;
+                rawCred = rawCred[0];
+            } else {
+                rawCred = await prisma.credential.findUnique({
+                    where: { id: credential.id },
+                });
+            }
+
+            console.log('\n📊 ENCRYPTION COMPARISON:');
+            console.log('Credential token (should be encrypted):');
+            console.log('  Format:', rawCred.data.access_token.substring(0, 50) + '...');
+            console.log('  Has ":" separators:', rawCred.data.access_token.includes(':'));
+            console.log('\nUser password (should be bcrypt hashed):');
+            console.log('  Format:', user.hashword.substring(0, 30) + '...');
+            console.log('  Has ":" separators:', user.hashword.includes(':'));
+
+            const encryptionEnabled = rawCred.data.access_token !== 'secret-access-token-12345';
+
+            if (encryptionEnabled) {
+                expect(rawCred.data.access_token).toContain(':');
+                expect(rawCred.data.access_token.split(':')).toHaveLength(4);
+                console.log('✅ Credential token is encrypted');
+            } else {
+                console.log('⚠️  Encryption disabled in this environment');
+            }
+
+            expect(user.hashword).toMatch(/^\$2[ab]\$\d{2}\$/);
+            expect(user.hashword).not.toContain(':');
+            console.log('✅ Password is bcrypt hashed (NOT encrypted)');
+
+            await prisma.credential.delete({ where: { id: credential.id } });
+        });
+    });
+});

package/user/use-cases/login-user.js

@@ -65,7 +65,7 @@ class LoginUser {
                     this.userConfig.organizationUserRequired
                 );
 
-                if (!individualUser.isPasswordValid(password)) {
+                if (!(await individualUser.isPasswordValid(password))) {
                     throw Boom.unauthorized('Incorrect username or password');
                 }
 

package/user/user.js

@@ -41,12 +41,12 @@ class User {
         return this.usePassword;
     }
 
-    isPasswordValid(password) {
+    async isPasswordValid(password) {
         if (!this.isPasswordRequired()) {
             return true;
         }
 
-        return bcrypt.compareSync(password, this.getPrimaryUser().hashword);
+        return await bcrypt.compare(password, this.getPrimaryUser().hashword);
     }
 
     setIndividualUser(individualUser) {