@friggframework/core 2.0.0-next.44 → 2.0.0-next.46

package/prisma-mongodb/schema.prisma

@@ -3,8 +3,10 @@
 // Migration from Mongoose ODM to Prisma ORM
 
 generator client {
-  provider = "prisma-client-js"
-  output   = "../node_modules/@prisma-mongodb/client"
+  provider      = "prisma-client-js"
+  output        = "../generated/prisma-mongodb"
+  binaryTargets = ["native", "rhel-openssl-3.0.x"] // native for local dev, rhel for Lambda deployment
+  engineType    = "binary" // Use binary engines (smaller size)
 }
 
 datasource db {
@@ -19,8 +21,8 @@ datasource db {
 /// User model with discriminator pattern support
 /// Replaces Mongoose discriminators (IndividualUser, OrganizationUser)
 model User {
-  id    String   @id @default(auto()) @map("_id") @db.ObjectId
-  type  UserType
+  id   String   @id @default(auto()) @map("_id") @db.ObjectId
+  type UserType
 
   // Timestamps
   createdAt DateTime @default(now())
@@ -87,12 +89,11 @@ model Token {
 /// OAuth credentials and API tokens
 /// All sensitive data encrypted with KMS at rest
 model Credential {
-  id         String   @id @default(auto()) @map("_id") @db.ObjectId
-  userId     String?  @db.ObjectId
-  user       User?    @relation(fields: [userId], references: [id], onDelete: Cascade)
-  subType    String?
+  id          String   @id @default(auto()) @map("_id") @db.ObjectId
+  userId      String?  @db.ObjectId
+  user        User?    @relation(fields: [userId], references: [id], onDelete: Cascade)
   authIsValid Boolean?
-  externalId String?
+  externalId  String?
 
   // Dynamic OAuth fields stored as JSON (encrypted via Prisma middleware)
   // Contains: access_token, refresh_token, domain, expires_in, token_type, etc.
@@ -114,7 +115,6 @@ model Entity {
   id           String      @id @default(auto()) @map("_id") @db.ObjectId
   credentialId String?     @db.ObjectId
   credential   Credential? @relation(fields: [credentialId], references: [id], onDelete: SetNull)
-  subType      String?
   userId       String?     @db.ObjectId
   user         User?       @relation(fields: [userId], references: [id], onDelete: Cascade)
   name         String?
@@ -125,11 +125,11 @@ model Entity {
   updatedAt DateTime @updatedAt
 
   // Relations - many-to-many with scalar lists
-  integrations    Integration[] @relation("IntegrationEntities", fields: [integrationIds], references: [id])
-  integrationIds  String[]      @db.ObjectId
+  integrations   Integration[] @relation("IntegrationEntities", fields: [integrationIds], references: [id])
+  integrationIds String[]      @db.ObjectId
 
-  syncs           Sync[]        @relation("SyncEntities", fields: [syncIds], references: [id])
-  syncIds         String[]      @db.ObjectId
+  syncs   Sync[]   @relation("SyncEntities", fields: [syncIds], references: [id])
+  syncIds String[] @db.ObjectId
 
   dataIdentifiers    DataIdentifier[]
   associationObjects AssociationObject[]
@@ -153,7 +153,7 @@ model Integration {
   status IntegrationStatus @default(ENABLED)
 
   // Configuration and version
-  config  Json?   // Integration configuration object
+  config  Json? // Integration configuration object
   version String?
 
   // Entity references (many-to-many via explicit scalar list)
@@ -320,11 +320,11 @@ model Association {
 /// Association object entry
 /// Replaces nested array structure in Mongoose
 model AssociationObject {
-  id            String       @id @default(auto()) @map("_id") @db.ObjectId
-  associationId String       @db.ObjectId
-  association   Association  @relation(fields: [associationId], references: [id], onDelete: Cascade)
-  entityId      String       @db.ObjectId
-  entity        Entity       @relation(fields: [entityId], references: [id], onDelete: Cascade)
+  id            String      @id @default(auto()) @map("_id") @db.ObjectId
+  associationId String      @db.ObjectId
+  association   Association @relation(fields: [associationId], references: [id], onDelete: Cascade)
+  entityId      String      @db.ObjectId
+  entity        Entity      @relation(fields: [entityId], references: [id], onDelete: Cascade)
   objectType    String
   objId         String
   metadata      Json? // Optional metadata
@@ -359,4 +359,4 @@ model WebsocketConnection {
 
   @@index([connectionId])
   @@map("WebsocketConnection")
-}
+}

package/prisma-postgresql/schema.prisma

@@ -3,8 +3,10 @@
 // Converted from MongoDB schema for relational database support
 
 generator client {
-  provider = "prisma-client-js"
-  output   = "../node_modules/@prisma-postgresql/client"
+  provider      = "prisma-client-js"
+  output        = "../generated/prisma-postgresql"
+  binaryTargets = ["native", "rhel-openssl-3.0.x"] // native for local dev, rhel for Lambda deployment
+  engineType    = "binary" // Use binary engines (smaller size)
 }
 
 datasource db {
@@ -19,8 +21,8 @@ datasource db {
 /// User model with discriminator pattern support
 /// Replaces Mongoose discriminators (IndividualUser, OrganizationUser)
 model User {
-  id    Int      @id @default(autoincrement())
-  type  UserType
+  id   Int      @id @default(autoincrement())
+  type UserType
 
   // Timestamps
   createdAt DateTime @default(now())
@@ -85,12 +87,11 @@ model Token {
 /// OAuth credentials and API tokens
 /// All sensitive data encrypted with KMS at rest
 model Credential {
-  id         Int      @id @default(autoincrement())
-  userId     Int?
-  user       User?    @relation(fields: [userId], references: [id], onDelete: Cascade)
-  subType    String?
+  id          Int      @id @default(autoincrement())
+  userId      Int?
+  user        User?    @relation(fields: [userId], references: [id], onDelete: Cascade)
   authIsValid Boolean?
-  externalId String?
+  externalId  String?
 
   // Dynamic OAuth fields stored as JSON (encrypted via Prisma middleware)
   // Contains: access_token, refresh_token, domain, expires_in, token_type, etc.
@@ -111,7 +112,6 @@ model Entity {
   id           Int         @id @default(autoincrement())
   credentialId Int?
   credential   Credential? @relation(fields: [credentialId], references: [id], onDelete: SetNull)
-  subType      String?
   userId       Int?
   user         User?       @relation(fields: [userId], references: [id], onDelete: Cascade)
   name         String?
@@ -146,7 +146,7 @@ model Integration {
   status IntegrationStatus @default(ENABLED)
 
   // Configuration and version
-  config  Json?   // Integration configuration object
+  config  Json? // Integration configuration object
   version String?
 
   // Entity references (many-to-many via implicit join table)
@@ -225,11 +225,11 @@ model Sync {
 /// Data identifier for sync operations
 /// Replaces nested array structure in Mongoose
 model DataIdentifier {
-  id       Int     @id @default(autoincrement())
+  id       Int    @id @default(autoincrement())
   syncId   Int?
-  sync     Sync?   @relation(fields: [syncId], references: [id], onDelete: Cascade)
+  sync     Sync?  @relation(fields: [syncId], references: [id], onDelete: Cascade)
   entityId Int
-  entity   Entity  @relation(fields: [entityId], references: [id], onDelete: Cascade)
+  entity   Entity @relation(fields: [entityId], references: [id], onDelete: Cascade)
 
   // Identifier data (can be any structure)
   idData Json
@@ -332,7 +332,7 @@ model Process {
 
 /// Generic state storage
 model State {
-  id    Int  @id @default(autoincrement())
+  id    Int   @id @default(autoincrement())
   state Json?
 }
 

package/queues/queuer-util.js

@@ -1,19 +1,34 @@
 const { v4: uuid } = require('uuid');
-const AWS = require('aws-sdk');
+const { SQSClient, SendMessageCommand, SendMessageBatchCommand } = require('@aws-sdk/client-sqs');
+
 const awsConfigOptions = () => {
     const config = {};
     if (process.env.IS_OFFLINE) {
         console.log('Running in offline mode');
+        config.credentials = {
+            accessKeyId: 'test-aws-key',
+            secretAccessKey: 'test-aws-secret',
+        };
+        config.region = 'us-east-1';
     }
     if (process.env.AWS_ENDPOINT) {
         config.endpoint = process.env.AWS_ENDPOINT;
     }
     return config;
 };
-AWS.config.update(awsConfigOptions());
-const sqs = new AWS.SQS();
+
+const sqs = new SQSClient(awsConfigOptions());
 
 const QueuerUtil = {
+    send: async (message, queueUrl) => {
+        console.log(`Enqueuing message to SQS queue ${queueUrl}`);
+        const command = new SendMessageCommand({
+            MessageBody: JSON.stringify(message),
+            QueueUrl: queueUrl,
+        });
+        return sqs.send(command);
+    },
+
     batchSend: async (entries = [], queueUrl) => {
         console.log(
             `Enqueuing ${entries.length} entries on SQS to queue ${queueUrl}`
@@ -29,12 +44,11 @@ const QueuerUtil = {
             // Sends 10, then purges the buffer
             if (buffer.length === batchSize) {
                 console.log('Buffer at 10, sending batch');
-                await sqs
-                    .sendMessageBatch({
-                        Entries: buffer,
-                        QueueUrl: queueUrl,
-                    })
-                    .promise();
+                const command = new SendMessageBatchCommand({
+                    Entries: buffer,
+                    QueueUrl: queueUrl,
+                });
+                await sqs.send(command);
                 // Purge the buffer
                 buffer.splice(0, buffer.length);
             }
@@ -44,12 +58,11 @@ const QueuerUtil = {
         // If any remaining entries under 10 are left in the buffer, send and return
         if (buffer.length > 0) {
             console.log(buffer);
-            return sqs
-                .sendMessageBatch({
-                    Entries: buffer,
-                    QueueUrl: queueUrl,
-                })
-                .promise();
+            const command = new SendMessageBatchCommand({
+                Entries: buffer,
+                QueueUrl: queueUrl,
+            });
+            return sqs.send(command);
         }
 
         // If we're exact... just return an empty object for now

package/types/core/index.d.ts

@@ -1,5 +1,5 @@
 declare module "@friggframework/core" {
-  import { SQS } from "aws-sdk";
+  import type { SendMessageCommandInput } from "@aws-sdk/client-sqs";
 
   export class Delegate implements IFriggDelegate {
     delegate: any;
@@ -50,5 +50,5 @@ declare module "@friggframework/core" {
     QueueOwnerAWSAccountId?: string;
   };
 
-  type SendSQSMessageParams = SQS.SendMessageRequest;
+  type SendSQSMessageParams = SendMessageCommandInput;
 }

package/types/module-plugin/index.d.ts

@@ -5,7 +5,6 @@ declare module "@friggframework/module-plugin" {
   export class Credential extends Model {
     userId: string;
     authIsValid: boolean;
-    subType: string;
     externalId: string;
   }
 
@@ -13,7 +12,6 @@ declare module "@friggframework/module-plugin" {
 
   export class Entity extends Model {
     credentialId: string;
-    subType: string;
     userId: string;
     name: string;
     externalId: string;

package/user/repositories/user-repository-mongo.js

@@ -1,4 +1,4 @@
-//todo: this repository is tightly coupled to the token repository.
+const bcrypt = require('bcryptjs');
 const { prisma } = require('../../database/prisma');
 const {
     createTokenRepository,
@@ -95,19 +95,38 @@ class UserRepositoryMongo extends UserRepositoryInterface {
      * Replaces: IndividualUser.create(params)
      *
      * @param {Object} params - User creation parameters
+     * @param {string} [params.hashword] - Plain text password (will be bcrypt hashed automatically)
      * @returns {Promise<Object>} Created user object with string IDs
      */
     async createIndividualUser(params) {
-        return await this.prisma.user.create({
-            data: {
-                type: 'INDIVIDUAL',
-                email: params.email,
-                username: params.username,
-                hashword: params.hashword,
-                appUserId: params.appUserId,
-                organizationId: params.organization || params.organizationId,
-            },
-        });
+        const data = {
+            type: 'INDIVIDUAL',
+            email: params.email,
+            username: params.username,
+            appUserId: params.appUserId,
+            organizationId: params.organization || params.organizationId,
+        };
+
+        if (
+            params.hashword !== undefined &&
+            params.hashword !== null &&
+            params.hashword !== ''
+        ) {
+            if (typeof params.hashword !== 'string') {
+                throw new Error('Password must be a string');
+            }
+
+            // Prevent double-hashing: bcrypt hashes start with $2a$ or $2b$
+            if (params.hashword.startsWith('$2')) {
+                throw new Error(
+                    'Password appears to be already hashed. Pass plain text password only.'
+                );
+            }
+
+            data.hashword = await bcrypt.hash(params.hashword, 10);
+        }
+
+        return await this.prisma.user.create({ data });
     }
 
     /**
@@ -204,12 +223,34 @@ class UserRepositoryMongo extends UserRepositoryInterface {
      * Update individual user
      * @param {string} userId - User ID
      * @param {Object} updates - Fields to update
+     * @param {string} [updates.hashword] - Plain text password (will be bcrypt hashed automatically)
      * @returns {Promise<Object>} Updated user object with string IDs
      */
     async updateIndividualUser(userId, updates) {
+        const data = { ...updates };
+
+        if (
+            data.hashword !== undefined &&
+            data.hashword !== null &&
+            data.hashword !== ''
+        ) {
+            if (typeof data.hashword !== 'string') {
+                throw new Error('Password must be a string');
+            }
+
+            // Prevent double-hashing: bcrypt hashes start with $2a$ or $2b$
+            if (data.hashword.startsWith('$2')) {
+                throw new Error(
+                    'Password appears to be already hashed. Pass plain text password only.'
+                );
+            }
+
+            data.hashword = await bcrypt.hash(data.hashword, 10);
+        }
+
         return await this.prisma.user.update({
             where: { id: userId },
-            data: updates,
+            data,
         });
     }
 

package/user/repositories/user-repository-postgres.js

@@ -1,4 +1,4 @@
-//todo: this repository is tightly coupled to the token repository.
+const bcrypt = require('bcryptjs');
 const { prisma } = require('../../database/prisma');
 const {
     createTokenRepository,
@@ -130,21 +130,40 @@ class UserRepositoryPostgres extends UserRepositoryInterface {
      * Replaces: IndividualUser.create(params)
      *
      * @param {Object} params - User creation parameters (with string IDs from application layer)
+     * @param {string} [params.hashword] - Plain text password (will be bcrypt hashed automatically)
      * @returns {Promise<Object>} Created user object with string IDs
      */
     async createIndividualUser(params) {
-        const user = await this.prisma.user.create({
-            data: {
-                type: 'INDIVIDUAL',
-                email: params.email,
-                username: params.username,
-                hashword: params.hashword,
-                appUserId: params.appUserId,
-                organizationId: this._convertId(
-                    params.organization || params.organizationId
-                ),
-            },
-        });
+        const data = {
+            type: 'INDIVIDUAL',
+            email: params.email,
+            username: params.username,
+            appUserId: params.appUserId,
+            organizationId: this._convertId(
+                params.organization || params.organizationId
+            ),
+        };
+
+        if (
+            params.hashword !== undefined &&
+            params.hashword !== null &&
+            params.hashword !== ''
+        ) {
+            if (typeof params.hashword !== 'string') {
+                throw new Error('Password must be a string');
+            }
+
+            // Prevent double-hashing: bcrypt hashes start with $2a$ or $2b$
+            if (params.hashword.startsWith('$2')) {
+                throw new Error(
+                    'Password appears to be already hashed. Pass plain text password only.'
+                );
+            }
+
+            data.hashword = await bcrypt.hash(params.hashword, 10);
+        }
+
+        const user = await this.prisma.user.create({ data });
         return this._convertUserIds(user);
     }
 
@@ -249,13 +268,14 @@ class UserRepositoryPostgres extends UserRepositoryInterface {
      * Update individual user
      * @param {string} userId - User ID (string from application layer)
      * @param {Object} updates - Fields to update (with string IDs from application layer)
+     * @param {string} [updates.hashword] - Plain text password (will be bcrypt hashed automatically)
      * @returns {Promise<Object>} Updated user object with string IDs
      */
     async updateIndividualUser(userId, updates) {
         const intId = this._convertId(userId);
 
-        // Convert organizationId if present in updates
         const data = { ...updates };
+
         if (data.organizationId !== undefined) {
             data.organizationId = this._convertId(data.organizationId);
         }
@@ -264,6 +284,25 @@ class UserRepositoryPostgres extends UserRepositoryInterface {
             delete data.organization;
         }
 
+        if (
+            data.hashword !== undefined &&
+            data.hashword !== null &&
+            data.hashword !== ''
+        ) {
+            if (typeof data.hashword !== 'string') {
+                throw new Error('Password must be a string');
+            }
+
+            // Prevent double-hashing: bcrypt hashes start with $2a$ or $2b$
+            if (data.hashword.startsWith('$2')) {
+                throw new Error(
+                    'Password appears to be already hashed. Pass plain text password only.'
+                );
+            }
+
+            data.hashword = await bcrypt.hash(data.hashword, 10);
+        }
+
         const user = await this.prisma.user.update({
             where: { id: intId },
             data,

package/user/use-cases/authenticate-user.js

@@ -0,0 +1,127 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * Use case for authenticating a user using multiple authentication strategies.
+ * 
+ * Supports three authentication modes in priority order:
+ * 1. Shared Secret (backend-to-backend with x-frigg-api-key + x-frigg headers)
+ * 2. Adopter JWT (custom JWT authentication)
+ * 3. Frigg Native Token (bearer token from /user/login)
+ * 
+ * x-frigg-appUserId and x-frigg-appOrgId headers are automatically supported
+ * for user identification with any auth mode. When present with JWT or Frigg
+ * tokens, they are validated to match the authenticated user.
+ *
+ * @class AuthenticateUser
+ */
+class AuthenticateUser {
+    /**
+     * Creates a new AuthenticateUser instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('./get-user-from-bearer-token').GetUserFromBearerToken} params.getUserFromBearerToken - Use case for bearer token auth.
+     * @param {import('./get-user-from-x-frigg-headers').GetUserFromXFriggHeaders} params.getUserFromXFriggHeaders - Use case for x-frigg header auth.
+     * @param {import('./get-user-from-adopter-jwt').GetUserFromAdopterJwt} params.getUserFromAdopterJwt - Use case for adopter JWT auth.
+     * @param {import('./authenticate-with-shared-secret').AuthenticateWithSharedSecret} params.authenticateWithSharedSecret - Use case for validating shared secret.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({
+        getUserFromBearerToken,
+        getUserFromXFriggHeaders,
+        getUserFromAdopterJwt,
+        authenticateWithSharedSecret,
+        userConfig,
+    }) {
+        this.getUserFromBearerToken = getUserFromBearerToken;
+        this.getUserFromXFriggHeaders = getUserFromXFriggHeaders;
+        this.getUserFromAdopterJwt = getUserFromAdopterJwt;
+        this.authenticateWithSharedSecret = authenticateWithSharedSecret;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {Object} req - Express request object with headers.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} Unauthorized if no valid authentication provided.
+     * @throws {Boom} Forbidden if x-frigg headers don't match authenticated user.
+     */
+    async execute(req) {
+        const authModes = this.userConfig.authModes || { friggToken: true };
+        const appUserId = req.headers['x-frigg-appuserid'];
+        const appOrgId = req.headers['x-frigg-apporgid'];
+        let user = null;
+
+        // Priority 1: Shared Secret (backend-to-backend with API key)
+        if (authModes.sharedSecret !== false) {
+            const apiKey = req.headers['x-frigg-api-key'];
+            if (apiKey) {
+                // Validate the API key (authentication)
+                await this.authenticateWithSharedSecret.execute(apiKey);
+                // Get user from x-frigg headers (authorization)
+                return await this.getUserFromXFriggHeaders.execute(
+                    appUserId,
+                    appOrgId
+                );
+            }
+        }
+
+        // Priority 2: Adopter JWT (if enabled)
+        if (
+            authModes.adopterJwt === true &&
+            req.headers.authorization?.startsWith('Bearer ')
+        ) {
+            const token = req.headers.authorization.split(' ')[1];
+            // Detect JWT format (3 parts separated by dots)
+            if (token && token.split('.').length === 3) {
+                user = await this.getUserFromAdopterJwt.execute(token);
+                // Validate x-frigg headers match JWT claims if present
+                if (appUserId || appOrgId) {
+                    this.validateUserMatch(user, appUserId, appOrgId);
+                }
+                return user;
+            }
+        }
+
+        // Priority 3: Frigg native token (default)
+        if (authModes.friggToken !== false && req.headers.authorization) {
+            user = await this.getUserFromBearerToken.execute(
+                req.headers.authorization
+            );
+            // Validate x-frigg headers match token user if present
+            if (appUserId || appOrgId) {
+                this.validateUserMatch(user, appUserId, appOrgId);
+            }
+            return user;
+        }
+
+        throw Boom.unauthorized('No valid authentication provided');
+    }
+
+    /**
+     * Validates that x-frigg headers match authenticated user if provided.
+     * This ensures that when both authentication (via token/JWT) and
+     * x-frigg headers are present, they refer to the same user.
+     *
+     * @param {import('../user').User} user - The authenticated user
+     * @param {string} [appUserId] - The x-frigg-appuserid header value
+     * @param {string} [appOrgId] - The x-frigg-apporgid header value
+     * @throws {Boom} 403 Forbidden if headers don't match user
+     */
+    validateUserMatch(user, appUserId, appOrgId) {
+        if (appUserId && user.getAppUserId() !== appUserId) {
+            throw Boom.forbidden(
+                'x-frigg-appuserid header does not match authenticated user'
+            );
+        }
+        if (appOrgId && user.getAppOrgId() !== appOrgId) {
+            throw Boom.forbidden(
+                'x-frigg-apporgid header does not match authenticated user'
+            );
+        }
+    }
+}
+
+module.exports = { AuthenticateUser };
+
+

package/user/use-cases/authenticate-with-shared-secret.js

@@ -0,0 +1,48 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * Use case for authenticating requests with shared secret API key.
+ * This use case ONLY validates the authenticity of the request via API key.
+ * It does NOT retrieve user data - that's handled by GetUserFromXFriggHeaders.
+ *
+ * Used for backend-to-backend communication where the secret proves
+ * the request is legitimate, but user identification comes from x-frigg headers.
+ *
+ * @class AuthenticateWithSharedSecret
+ */
+class AuthenticateWithSharedSecret {
+    /**
+     * Creates a new AuthenticateWithSharedSecret instance.
+     * @param {Object} params - Configuration parameters (none needed currently, but kept for consistency).
+     */
+    constructor() {
+        // No dependencies needed - just validates against env var
+    }
+
+    /**
+     * Validates the provided shared secret against FRIGG_API_KEY.
+     * @async
+     * @param {string} providedSecret - Secret from x-frigg-api-key header
+     * @returns {Promise<boolean>} True if valid (or throws error if invalid)
+     * @throws {Boom} 500 if FRIGG_API_KEY not configured
+     * @throws {Boom} 401 if provided secret doesn't match
+     */
+    async execute(providedSecret) {
+        // Validate secret
+        const expectedSecret = process.env.FRIGG_API_KEY;
+        if (!expectedSecret) {
+            throw Boom.badImplementation(
+                'FRIGG_API_KEY environment variable is not configured. ' +
+                'Set FRIGG_API_KEY to enable shared secret authentication.'
+            );
+        }
+
+        if (!providedSecret || providedSecret !== expectedSecret) {
+            throw Boom.unauthorized('Invalid API key');
+        }
+
+        return true;
+    }
+}
+
+module.exports = { AuthenticateWithSharedSecret };