@friggframework/core 2.0.0-next.44 → 2.0.0-next.46

package/user/use-cases/get-user-from-adopter-jwt.js

@@ -0,0 +1,149 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * STUB: Use case for retrieving a user from adopter-provided JWT token.
+ *
+ * This is a stub implementation for future JWT authentication support.
+ * When implemented, this will allow adopters to use their own JWT tokens
+ * for authentication instead of Frigg's native token system.
+ *
+ * FUTURE IMPLEMENTATION REQUIREMENTS:
+ * - Validate JWT signature using jwtConfig.secret from app definition
+ * - Support configurable signing algorithms (HS256, HS384, HS512, RS256, RS384, RS512)
+ * - Extract user identifiers from JWT claims based on jwtConfig.userIdClaim and jwtConfig.orgIdClaim
+ * - Find or create user based on extracted claim values
+ * - Handle token expiration and validation errors
+ * - Support refresh tokens (optional)
+ * - Validate user ID conflicts if both individual and org IDs present in JWT
+ *
+ * RECOMMENDED IMPLEMENTATION:
+ * - Use 'jsonwebtoken' package for JWT parsing and validation
+ * - Cache JWT public keys for RS* algorithms
+ * - Add comprehensive error handling for invalid tokens
+ * - Log authentication attempts for security auditing
+ *
+ * @todo Implement JWT validation with jsonwebtoken package
+ * @todo Add unit tests for JWT parsing and claim extraction
+ * @todo Document adopter JWT integration guide in Frigg docs
+ * @todo Add support for JWT refresh tokens
+ * @todo Implement JWT public key caching for RS* algorithms
+ *
+ * @class GetUserFromAdopterJwt
+ */
+class GetUserFromAdopterJwt {
+    /**
+     * Creates a new GetUserFromAdopterJwt instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../repositories/user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {string} jwtToken - The JWT token from the Authorization header.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} 501 Not Implemented - This feature is not yet available.
+     */
+    async execute(jwtToken) {
+        throw Boom.notImplemented(
+            'Adopter JWT authentication is not yet implemented. ' +
+                'This feature is planned for a future Frigg release. ' +
+                'Please use one of the supported authentication modes instead: ' +
+                'friggToken (native bearer token) or xFriggHeaders (backend-to-backend with x-frigg-appUserId/appOrgId headers).'
+        );
+
+        /* FUTURE IMPLEMENTATION PSEUDOCODE:
+
+        const jwt = require('jsonwebtoken');
+        
+        // Validate JWT configuration exists
+        if (!this.userConfig.jwtConfig || !this.userConfig.jwtConfig.secret) {
+            throw Boom.badImplementation('JWT configuration is required when adopterJwt auth mode is enabled');
+        }
+        
+        try {
+            // Verify and decode JWT
+            const decoded = jwt.verify(jwtToken, this.userConfig.jwtConfig.secret, {
+                algorithms: [this.userConfig.jwtConfig.algorithm || 'HS256']
+            });
+            
+            // Extract user identifiers from claims
+            const appUserId = decoded[this.userConfig.jwtConfig.userIdClaim || 'sub'];
+            const appOrgId = decoded[this.userConfig.jwtConfig.orgIdClaim || 'org_id'];
+            
+            // At least one identifier required
+            if (!appUserId && !appOrgId) {
+                throw Boom.badRequest('JWT must contain user or organization identifier claims');
+            }
+            
+            // Find existing users
+            let individualUserData = null;
+            let organizationUserData = null;
+            
+            if (appUserId) {
+                individualUserData = await this.userRepository.findIndividualUserByAppUserId(appUserId);
+            }
+            
+            if (appOrgId) {
+                organizationUserData = await this.userRepository.findOrganizationUserByAppOrgId(appOrgId);
+            }
+            
+            // Validate no conflicts if both IDs present
+            if (appUserId && appOrgId && individualUserData && organizationUserData) {
+                const individualOrgId = individualUserData.organizationUser?.toString();
+                const expectedOrgId = organizationUserData.id?.toString();
+                
+                if (individualOrgId !== expectedOrgId) {
+                    throw Boom.badRequest(
+                        'User ID mismatch: JWT claims refer to different users. ' +
+                        'Individual and organization IDs must belong to the same user.'
+                    );
+                }
+            }
+            
+            // Auto-create if not found
+            if (!individualUserData && !organizationUserData) {
+                if (appUserId) {
+                    individualUserData = await this.userRepository.createIndividualUser({
+                        appUserId,
+                        username: `jwt-user-${appUserId}`,
+                        email: decoded.email || `${appUserId}@jwt.local`,
+                    });
+                } else {
+                    organizationUserData = await this.userRepository.createOrganizationUser({
+                        appOrgId,
+                    });
+                }
+            }
+            
+            return new User(
+                individualUserData,
+                organizationUserData,
+                this.userConfig.usePassword,
+                this.userConfig.primary,
+                this.userConfig.individualUserRequired,
+                this.userConfig.organizationUserRequired
+            );
+            
+        } catch (error) {
+            if (error.name === 'TokenExpiredError') {
+                throw Boom.unauthorized('JWT token has expired');
+            } else if (error.name === 'JsonWebTokenError') {
+                throw Boom.unauthorized('Invalid JWT token');
+            } else if (error.isBoom) {
+                throw error;
+            }
+            throw Boom.unauthorized('JWT authentication failed');
+        }
+        */
+    }
+}
+
+module.exports = { GetUserFromAdopterJwt };
+
+

package/user/use-cases/get-user-from-x-frigg-headers.js

@@ -0,0 +1,106 @@
+const Boom = require('@hapi/boom');
+const { User } = require('../user');
+
+/**
+ * Use case for retrieving or creating a user from x-frigg header identifiers.
+ * Supports backend-to-backend API communication using application user IDs.
+ *
+ * @class GetUserFromXFriggHeaders
+ */
+class GetUserFromXFriggHeaders {
+    /**
+     * Creates a new GetUserFromXFriggHeaders instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../repositories/user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {string} [appUserId] - The app user ID from x-frigg-appUserId header.
+     * @param {string} [appOrgId] - The app organization ID from x-frigg-appOrgId header.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} 400 Bad Request if neither ID is provided or if both IDs are provided but belong to different users.
+     */
+    async execute(appUserId, appOrgId) {
+        // At least one header must be provided
+        if (!appUserId && !appOrgId) {
+            throw Boom.badRequest(
+                'At least one of x-frigg-appUserId or x-frigg-appOrgId headers is required for backend-to-backend authentication'
+            );
+        }
+
+        // Find users by both IDs if both are provided
+        let individualUserData = null;
+        let organizationUserData = null;
+
+        if (appUserId && this.userConfig.individualUserRequired !== false) {
+            individualUserData =
+                await this.userRepository.findIndividualUserByAppUserId(
+                    appUserId
+                );
+        }
+
+        if (appOrgId && this.userConfig.organizationUserRequired) {
+            organizationUserData =
+                await this.userRepository.findOrganizationUserByAppOrgId(
+                    appOrgId
+                );
+        }
+
+        // VALIDATION: If both IDs provided and both users exist, verify they match
+        if (
+            appUserId &&
+            appOrgId &&
+            individualUserData &&
+            organizationUserData
+        ) {
+            // Check if individual user is linked to the org user
+            const individualOrgId =
+                individualUserData.organizationUser?.toString();
+            const expectedOrgId = organizationUserData.id?.toString();
+
+            if (individualOrgId !== expectedOrgId) {
+                throw Boom.badRequest(
+                    'User ID mismatch: x-frigg-appUserId and x-frigg-appOrgId refer to different users. ' +
+                        'Provide only one identifier or ensure they belong to the same user.'
+                );
+            }
+        }
+
+        // Auto-create user if not found
+        if (!individualUserData && !organizationUserData) {
+            if (appUserId) {
+                individualUserData =
+                    await this.userRepository.createIndividualUser({
+                        appUserId,
+                        username: `app-user-${appUserId}`,
+                        email: `${appUserId}@app.local`,
+                    });
+            } else {
+                organizationUserData =
+                    await this.userRepository.createOrganizationUser({
+                        appOrgId,
+                    });
+            }
+        }
+
+        return new User(
+            individualUserData,
+            organizationUserData,
+            this.userConfig.usePassword,
+            this.userConfig.primary,
+            this.userConfig.individualUserRequired,
+            this.userConfig.organizationUserRequired
+        );
+    }
+}
+
+module.exports = { GetUserFromXFriggHeaders };
+
+

package/user/use-cases/login-user.js

@@ -65,7 +65,7 @@ class LoginUser {
                     this.userConfig.organizationUserRequired
                 );
 
-                if (!individualUser.isPasswordValid(password)) {
+                if (!(await individualUser.isPasswordValid(password))) {
                     throw Boom.unauthorized('Incorrect username or password');
                 }
 

package/user/user.js

@@ -41,12 +41,12 @@ class User {
         return this.usePassword;
     }
 
-    isPasswordValid(password) {
+    async isPasswordValid(password) {
         if (!this.isPasswordRequired()) {
             return true;
         }
 
-        return bcrypt.compareSync(password, this.getPrimaryUser().hashword);
+        return await bcrypt.compare(password, this.getPrimaryUser().hashword);
     }
 
     setIndividualUser(individualUser) {
@@ -72,6 +72,22 @@ class User {
     getOrganizationUser() {
         return this.organizationUser;
     }
+
+    /**
+     * Gets the appUserId from the individual user if present.
+     * @returns {string|null} The app user ID or null
+     */
+    getAppUserId() {
+        return this.individualUser?.appUserId || null;
+    }
+
+    /**
+     * Gets the appOrgId from the organization user if present.
+     * @returns {string|null} The app organization ID or null
+     */
+    getAppOrgId() {
+        return this.organizationUser?.appOrgId || null;
+    }
 }
 
 module.exports = { User }; 

package/websocket/repositories/websocket-connection-repository-mongo.js

@@ -1,5 +1,8 @@
 const { prisma } = require('../../database/prisma');
-const AWS = require('aws-sdk');
+const {
+    ApiGatewayManagementApiClient,
+    PostToConnectionCommand,
+} = require('@aws-sdk/client-apigatewaymanagementapi');
 const {
     WebsocketConnectionRepositoryInterface,
 } = require('./websocket-connection-repository-interface');
@@ -74,20 +77,18 @@ class WebsocketConnectionRepositoryMongo extends WebsocketConnectionRepositoryIn
             return connections.map((conn) => ({
                 connectionId: conn.connectionId,
                 send: async (data) => {
-                    const apigwManagementApi = new AWS.ApiGatewayManagementApi({
-                        apiVersion: '2018-11-29',
+                    const apigwManagementApi = new ApiGatewayManagementApiClient({
                         endpoint: process.env.WEBSOCKET_API_ENDPOINT,
                     });
 
                     try {
-                        await apigwManagementApi
-                            .postToConnection({
-                                ConnectionId: conn.connectionId,
-                                Data: JSON.stringify(data),
-                            })
-                            .promise();
+                        const command = new PostToConnectionCommand({
+                            ConnectionId: conn.connectionId,
+                            Data: JSON.stringify(data),
+                        });
+                        await apigwManagementApi.send(command);
                     } catch (error) {
-                        if (error.statusCode === 410) {
+                        if (error.statusCode === 410 || error.$metadata?.httpStatusCode === 410) {
                             console.log(
                                 `Stale connection ${conn.connectionId}`
                             );

package/websocket/repositories/websocket-connection-repository-postgres.js

@@ -1,5 +1,8 @@
 const { prisma } = require('../../database/prisma');
-const AWS = require('aws-sdk');
+const {
+    ApiGatewayManagementApiClient,
+    PostToConnectionCommand,
+} = require('@aws-sdk/client-apigatewaymanagementapi');
 const {
     WebsocketConnectionRepositoryInterface,
 } = require('./websocket-connection-repository-interface');
@@ -108,20 +111,18 @@ class WebsocketConnectionRepositoryPostgres extends WebsocketConnectionRepositor
             return connections.map((conn) => ({
                 connectionId: conn.connectionId,
                 send: async (data) => {
-                    const apigwManagementApi = new AWS.ApiGatewayManagementApi({
-                        apiVersion: '2018-11-29',
+                    const apigwManagementApi = new ApiGatewayManagementApiClient({
                         endpoint: process.env.WEBSOCKET_API_ENDPOINT,
                     });
 
                     try {
-                        await apigwManagementApi
-                            .postToConnection({
-                                ConnectionId: conn.connectionId,
-                                Data: JSON.stringify(data),
-                            })
-                            .promise();
+                        const command = new PostToConnectionCommand({
+                            ConnectionId: conn.connectionId,
+                            Data: JSON.stringify(data),
+                        });
+                        await apigwManagementApi.send(command);
                     } catch (error) {
-                        if (error.statusCode === 410) {
+                        if (error.statusCode === 410 || error.$metadata?.httpStatusCode === 410) {
                             console.log(
                                 `Stale connection ${conn.connectionId}`
                             );

package/websocket/repositories/websocket-connection-repository.js

@@ -1,5 +1,8 @@
 const { prisma } = require('../../database/prisma');
-const AWS = require('aws-sdk');
+const {
+    ApiGatewayManagementApiClient,
+    PostToConnectionCommand,
+} = require('@aws-sdk/client-apigatewaymanagementapi');
 const {
     WebsocketConnectionRepositoryInterface,
 } = require('./websocket-connection-repository-interface');
@@ -79,20 +82,18 @@ class WebsocketConnectionRepository extends WebsocketConnectionRepositoryInterfa
             return connections.map((conn) => ({
                 connectionId: conn.connectionId,
                 send: async (data) => {
-                    const apigwManagementApi = new AWS.ApiGatewayManagementApi({
-                        apiVersion: '2018-11-29',
+                    const apigwManagementApi = new ApiGatewayManagementApiClient({
                         endpoint: process.env.WEBSOCKET_API_ENDPOINT,
                     });
 
                     try {
-                        await apigwManagementApi
-                            .postToConnection({
-                                ConnectionId: conn.connectionId,
-                                Data: JSON.stringify(data),
-                            })
-                            .promise();
+                        const command = new PostToConnectionCommand({
+                            ConnectionId: conn.connectionId,
+                            Data: JSON.stringify(data),
+                        });
+                        await apigwManagementApi.send(command);
                     } catch (error) {
-                        if (error.statusCode === 410) {
+                        if (error.statusCode === 410 || error.$metadata?.httpStatusCode === 410) {
                             console.log(
                                 `Stale connection ${conn.connectionId}`
                             );

package/application/commands/integration-commands.test.js

@@ -1,123 +0,0 @@
-jest.mock('../../database/config', () => ({
-    DB_TYPE: 'mongodb',
-    getDatabaseType: jest.fn(() => 'mongodb'),
-    PRISMA_LOG_LEVEL: 'error,warn',
-    PRISMA_QUERY_LOGGING: false,
-}));
-
-const mockFindExecute = jest.fn();
-
-jest.mock('../../integrations/use-cases/find-integration-context-by-external-entity-id', () => {
-    return {
-        FindIntegrationContextByExternalEntityIdUseCase: jest
-            .fn()
-            .mockImplementation(() => ({
-                execute: mockFindExecute,
-            })),
-    };
-});
-
-const {
-    createIntegrationCommands,
-    findIntegrationContextByExternalEntityId,
-} = require('./integration-commands');
-const {
-    FindIntegrationContextByExternalEntityIdUseCase,
-} = require('../../integrations/use-cases/find-integration-context-by-external-entity-id');
-const { DummyIntegration } = require('../../integrations/tests/doubles/dummy-integration-class');
-
-describe('integration commands', () => {
-    beforeEach(() => {
-        jest.clearAllMocks();
-        mockFindExecute.mockReset();
-    });
-
-    it('requires an integrationClass when creating commands', () => {
-        expect(() => createIntegrationCommands()).toThrow(
-            'integrationClass is required',
-        );
-    });
-
-    it('creates use cases with default repositories', () => {
-        createIntegrationCommands({
-            integrationClass: DummyIntegration,
-        });
-
-        // Verify that the use case is created with default repositories instantiated internally
-        expect(
-            FindIntegrationContextByExternalEntityIdUseCase,
-        ).toHaveBeenCalledWith({
-            integrationRepository: expect.any(Object),
-            moduleRepository: expect.any(Object),
-            loadIntegrationContextUseCase: expect.any(Object),
-        });
-    });
-
-    it('returns context when findIntegrationContextByExternalEntityId succeeds', async () => {
-        const expectedContext = { record: { id: 'integration-1' } };
-        mockFindExecute.mockResolvedValue({ context: expectedContext });
-        const commands = createIntegrationCommands({
-            integrationClass: DummyIntegration,
-        });
-
-        const result = await commands.findIntegrationContextByExternalEntityId(
-            'ext-1',
-        );
-
-        expect(mockFindExecute).toHaveBeenCalledWith({
-            externalEntityId: 'ext-1',
-        });
-        expect(result).toEqual({ context: expectedContext });
-    });
-
-    it('maps known errors to status codes', async () => {
-        const error = Object.assign(new Error('Entity missing'), {
-            code: 'ENTITY_NOT_FOUND',
-        });
-        mockFindExecute.mockRejectedValue(error);
-        const commands = createIntegrationCommands({
-            integrationClass: DummyIntegration,
-        });
-
-        const result = await commands.findIntegrationContextByExternalEntityId(
-            'ext-1',
-        );
-
-        expect(result).toEqual({
-            error: 401,
-            reason: 'Entity missing',
-            code: 'ENTITY_NOT_FOUND',
-        });
-    });
-
-    it('delegates loadIntegrationContextById to the loader use case', async () => {
-        // This test verifies that the command properly delegates to the use case
-        // We can't easily mock the internal use case, so we'll test the integration
-        const commands = createIntegrationCommands({
-            integrationClass: DummyIntegration,
-        });
-
-        // The actual use case will be called - this is more of an integration test
-        // For unit testing, we'd need to refactor to allow DI of the use case
-        // But since we've decided to always use default use cases, this is acceptable
-        const result = await commands.loadIntegrationContextById('integration-1');
-
-        // Result will have error since we don't have a real database
-        expect(result).toHaveProperty('error');
-    });
-
-    it('exposes a one-off helper for finding integration context by external entity id', async () => {
-        const expectedContext = { record: { id: 'integration-1' } };
-        mockFindExecute.mockResolvedValue({ context: expectedContext });
-
-        const result = await findIntegrationContextByExternalEntityId({
-            integrationClass: DummyIntegration,
-            externalEntityId: 'ext-2',
-        });
-
-        expect(mockFindExecute).toHaveBeenCalledWith({
-            externalEntityId: 'ext-2',
-        });
-        expect(result).toEqual({ context: expectedContext });
-    });
-});