@friggframework/core 2.0.0-next.5 → 2.0.0-next.51

package/database/use-cases/run-database-migration-use-case.js

@@ -0,0 +1,137 @@
+/**
+ * Run Database Migration Use Case
+ *
+ * Business logic for running Prisma database migrations.
+ * Orchestrates Prisma client generation and migration execution.
+ *
+ * This use case follows the Frigg hexagonal architecture pattern where:
+ * - Handlers (adapters) call use cases
+ * - Use cases contain business logic and orchestration
+ * - Use cases call repositories/utilities for data access
+ */
+
+class RunDatabaseMigrationUseCase {
+    /**
+     * @param {Object} dependencies
+     * @param {Object} dependencies.prismaRunner - Prisma runner utilities
+     */
+    constructor({ prismaRunner }) {
+        if (!prismaRunner) {
+            throw new Error('prismaRunner dependency is required');
+        }
+        this.prismaRunner = prismaRunner;
+    }
+
+    /**
+     * Execute database migration
+     *
+     * @param {Object} params
+     * @param {string} params.dbType - Database type ('postgresql' or 'mongodb')
+     * @param {string} params.stage - Deployment stage (determines migration command)
+     * @param {boolean} [params.verbose=false] - Enable verbose output
+     * @returns {Promise<Object>} Migration result { success, dbType, stage, command, message }
+     * @throws {MigrationError} If migration fails
+     * @throws {ValidationError} If parameters are invalid
+     */
+    async execute({ dbType, stage, verbose = false }) {
+        // Validation
+        this._validateParams({ dbType, stage });
+
+        // Step 1: Generate Prisma client
+        const generateResult = await this.prismaRunner.runPrismaGenerate(dbType, verbose);
+
+        if (!generateResult.success) {
+            throw new MigrationError(
+                `Failed to generate Prisma client: ${generateResult.error || 'Unknown error'}`,
+                { dbType, stage, step: 'generate', output: generateResult.output }
+            );
+        }
+
+        // Step 2: Run migrations based on database type
+        let migrationResult;
+        let migrationCommand;
+
+        if (dbType === 'postgresql') {
+            migrationCommand = this.prismaRunner.getMigrationCommand(stage);
+            migrationResult = await this.prismaRunner.runPrismaMigrate(migrationCommand, verbose);
+
+            if (!migrationResult.success) {
+                throw new MigrationError(
+                    `PostgreSQL migration failed: ${migrationResult.error || 'Unknown error'}`,
+                    { dbType, stage, command: migrationCommand, step: 'migrate', output: migrationResult.output }
+                );
+            }
+        } else if (dbType === 'mongodb') {
+            migrationCommand = 'db push';
+            // Use non-interactive mode for automated/Lambda environments
+            migrationResult = await this.prismaRunner.runPrismaDbPush(verbose, true);
+
+            if (!migrationResult.success) {
+                throw new MigrationError(
+                    `MongoDB push failed: ${migrationResult.error || 'Unknown error'}`,
+                    { dbType, stage, command: migrationCommand, step: 'push', output: migrationResult.output }
+                );
+            }
+        } else {
+            throw new ValidationError(`Unsupported database type: ${dbType}. Must be 'postgresql' or 'mongodb'.`);
+        }
+
+        // Return success result
+        return {
+            success: true,
+            dbType,
+            stage,
+            command: migrationCommand,
+            message: 'Database migration completed successfully',
+        };
+    }
+
+    /**
+     * Validate execution parameters
+     * @private
+     */
+    _validateParams({ dbType, stage }) {
+        if (!dbType) {
+            throw new ValidationError('dbType is required');
+        }
+
+        if (typeof dbType !== 'string') {
+            throw new ValidationError('dbType must be a string');
+        }
+
+        if (!stage) {
+            throw new ValidationError('stage is required');
+        }
+
+        if (typeof stage !== 'string') {
+            throw new ValidationError('stage must be a string');
+        }
+    }
+}
+
+/**
+ * Custom error for migration failures
+ */
+class MigrationError extends Error {
+    constructor(message, context = {}) {
+        super(message);
+        this.name = 'MigrationError';
+        this.context = context;
+    }
+}
+
+/**
+ * Custom error for validation failures
+ */
+class ValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ValidationError';
+    }
+}
+
+module.exports = {
+    RunDatabaseMigrationUseCase,
+    MigrationError,
+    ValidationError,
+};

package/database/use-cases/test-encryption-use-case.js

@@ -0,0 +1,253 @@
+/**
+ * Use Case for testing encryption functionality.
+ * Contains business logic for verifying that encryption and decryption work correctly.
+ *
+ * Follows DDD/Hexagonal Architecture:
+ * - Application Layer (this use case)
+ * - Depends on Infrastructure Layer (HealthCheckRepository)
+ */
+class TestEncryptionUseCase {
+    /**
+     * @param {Object} params
+     * @param {import('../health-check-repository-interface').HealthCheckRepositoryInterface} params.healthCheckRepository
+     */
+    constructor({ healthCheckRepository }) {
+        this.repository = healthCheckRepository;
+    }
+
+    /**
+     * Execute encryption test
+     * Orchestrates the full encryption test workflow using Prisma
+     * @returns {Promise<Object>} Test results with status and details
+     */
+    async execute() {
+        const testData = {
+            testSecret: 'This is a secret value that should be encrypted',
+            normalField: 'This is a normal field that should not be encrypted',
+            nestedSecret: {
+                value: 'This is a nested secret that should be encrypted',
+            },
+        };
+
+        const credentialData = this._mapTestDataToCredential(testData);
+
+        const credential = await this._withTimeout(
+            this.repository.createCredential(credentialData),
+            5000,
+            'Save operation timed out'
+        );
+
+        try {
+            const retrievedCredential = await this._withTimeout(
+                this.repository.findCredentialById(credential.id),
+                5000,
+                'Find operation timed out'
+            );
+
+            const retrievedTestData =
+                this._mapCredentialToTestData(retrievedCredential);
+            const decryptionWorks = this._verifyDecryption(
+                retrievedTestData,
+                testData
+            );
+
+            const rawCredential = await this._withTimeout(
+                this.repository.getRawCredentialById(credential.id),
+                5000,
+                'Database verification timed out'
+            );
+
+            const rawTestData = this._mapRawCredentialToTestData(rawCredential);
+            const encryptionResults = this._verifyEncryptionInDatabase(
+                rawTestData,
+                testData
+            );
+
+            return this._evaluateEncryptionResults(
+                decryptionWorks,
+                encryptionResults
+            );
+        } finally {
+            await this._withTimeout(
+                this.repository.deleteCredential(credential.id),
+                5000,
+                'Delete operation timed out'
+            );
+        }
+    }
+
+    /**
+     * Map test data format to Credential model format
+     * @param {Object} testData - Test data with testSecret, normalField, nestedSecret
+     * @returns {Object} Credential data structure
+     * @private
+     */
+    _mapTestDataToCredential(testData) {
+        // Note: Using camelCase for Prisma compatibility (both MongoDB and PostgreSQL)
+        // Changed from snake_case (user_id, entity_id) to camelCase (userId, externalId)
+        return {
+            externalId: 'test-encryption-entity',
+            data: {
+                access_token: testData.testSecret,      // Encrypted field
+                refresh_token: testData.nestedSecret?.value, // Encrypted field
+                domain: testData.normalField,           // Not encrypted
+            },
+        };
+    }
+
+    /**
+     * Map Credential model format to test data format
+     * @param {Object} credential - Credential from database
+     * @returns {Object} Test data format
+     * @private
+     */
+    _mapCredentialToTestData(credential) {
+        if (!credential) {
+            return null;
+        }
+
+        return {
+            id: credential.id,
+            testSecret: credential.data.access_token,
+            normalField: credential.data.domain,
+            nestedSecret: {
+                value: credential.data.refresh_token,
+            },
+        };
+    }
+
+    /**
+     * Map raw Credential data to test data format
+     * @param {Object} rawCredential - Raw credential from database
+     * @returns {Object} Test data format with raw encrypted values
+     * @private
+     */
+    _mapRawCredentialToTestData(rawCredential) {
+        if (!rawCredential) {
+            return null;
+        }
+
+        return {
+            testSecret: rawCredential.data?.access_token,
+            normalField: rawCredential.data?.domain,
+            nestedSecret: {
+                value: rawCredential.data?.refresh_token,
+            },
+        };
+    }
+
+    /**
+     * Verify that a document was decrypted correctly
+     * @param {Object} retrievedDoc - Document retrieved from database
+     * @param {Object} originalData - Original unencrypted data
+     * @returns {boolean} True if decryption worked correctly
+     * @private
+     */
+    _verifyDecryption(retrievedDoc, originalData) {
+        return (
+            retrievedDoc &&
+            retrievedDoc.testSecret === originalData.testSecret &&
+            retrievedDoc.normalField === originalData.normalField &&
+            retrievedDoc.nestedSecret?.value === originalData.nestedSecret.value
+        );
+    }
+
+    /**
+     * Verify that data was encrypted in the database
+     * Business rule: Encrypted fields should contain ':' and differ from original
+     * @param {Object} rawDoc - Raw document from database
+     * @param {Object} originalData - Original unencrypted data
+     * @returns {Object} Encryption verification results
+     * @private
+     */
+    _verifyEncryptionInDatabase(rawDoc, originalData) {
+        const secretIsEncrypted =
+            rawDoc &&
+            typeof rawDoc.testSecret === 'string' &&
+            rawDoc.testSecret.includes(':') &&
+            rawDoc.testSecret !== originalData.testSecret;
+
+        const nestedIsEncrypted =
+            rawDoc?.nestedSecret?.value &&
+            typeof rawDoc.nestedSecret.value === 'string' &&
+            rawDoc.nestedSecret.value.includes(':') &&
+            rawDoc.nestedSecret.value !== originalData.nestedSecret.value;
+
+        const normalNotEncrypted =
+            rawDoc && rawDoc.normalField === originalData.normalField;
+
+        return {
+            secretIsEncrypted,
+            nestedIsEncrypted,
+            normalNotEncrypted,
+        };
+    }
+
+    /**
+     * Evaluate encryption test results
+     * Business logic for determining if encryption is healthy
+     * @param {boolean} decryptionWorks - Whether decryption succeeded
+     * @param {Object} encryptionResults - Encryption verification results
+     * @returns {Object} Test status and result message
+     * @private
+     */
+    _evaluateEncryptionResults(decryptionWorks, encryptionResults) {
+        const { secretIsEncrypted, nestedIsEncrypted, normalNotEncrypted } =
+            encryptionResults;
+
+        if (
+            decryptionWorks &&
+            secretIsEncrypted &&
+            nestedIsEncrypted &&
+            normalNotEncrypted
+        ) {
+            return {
+                status: 'enabled',
+                testResult:
+                    'Encryption and decryption verified successfully',
+                encryptionWorks: true,
+            };
+        }
+
+        if (decryptionWorks && (!secretIsEncrypted || !nestedIsEncrypted)) {
+            return {
+                status: 'unhealthy',
+                testResult: 'Fields are not being encrypted in database',
+                encryptionWorks: false,
+            };
+        }
+
+        if (decryptionWorks && !normalNotEncrypted) {
+            return {
+                status: 'unhealthy',
+                testResult: 'Normal fields are being incorrectly encrypted',
+                encryptionWorks: false,
+            };
+        }
+
+        return {
+            status: 'unhealthy',
+            testResult: 'Decryption failed or data mismatch',
+            encryptionWorks: false,
+        };
+    }
+
+    /**
+     * Execute promise with timeout
+     * @param {Promise} promise - Promise to execute
+     * @param {number} ms - Timeout in milliseconds
+     * @param {string} errorMessage - Error message for timeout
+     * @returns {Promise} Promise that rejects on timeout
+     * @private
+     */
+    _withTimeout(promise, ms, errorMessage) {
+        return Promise.race([
+            promise,
+            new Promise((_, reject) =>
+                setTimeout(() => reject(new Error(errorMessage)), ms)
+            ),
+        ]);
+    }
+}
+
+module.exports = { TestEncryptionUseCase };

package/database/use-cases/trigger-database-migration-use-case.js

@@ -0,0 +1,157 @@
+/**
+ * Trigger Database Migration Use Case
+ *
+ * Business logic for triggering async database migrations via SQS queue.
+ * Creates a Process record for tracking and sends migration job to queue.
+ *
+ * This use case follows the Frigg hexagonal architecture pattern where:
+ * - Routers (adapters) call use cases
+ * - Use cases contain business logic and orchestration
+ * - Use cases call repositories for data access
+ * - Use cases delegate infrastructure concerns (SQS) to utilities
+ *
+ * Flow:
+ * 1. Validate migration parameters
+ * 2. Create Process record (state: INITIALIZING)
+ * 3. Send message to SQS queue (fire-and-forget)
+ * 4. Return process info immediately (async pattern)
+ */
+
+const { QueuerUtil } = require('../../queues/queuer-util');
+
+class TriggerDatabaseMigrationUseCase {
+    /**
+     * @param {Object} dependencies
+     * @param {Object} dependencies.migrationStatusRepository - Repository for migration status (S3)
+     * @param {Object} [dependencies.queuerUtil] - SQS utility (injectable for testing)
+     */
+    constructor({ migrationStatusRepository, queuerUtil = QueuerUtil }) {
+        if (!migrationStatusRepository) {
+            throw new Error('migrationStatusRepository dependency is required');
+        }
+        this.migrationStatusRepository = migrationStatusRepository;
+        this.queuerUtil = queuerUtil;
+    }
+
+    /**
+     * Execute database migration trigger
+     *
+     * @param {Object} params
+     * @param {string} params.userId - User ID triggering the migration
+     * @param {string} params.dbType - Database type ('postgresql' or 'mongodb')
+     * @param {string} params.stage - Deployment stage (determines migration command)
+     * @returns {Promise<Object>} Process info { success, processId, state, statusUrl, message }
+     * @throws {ValidationError} If parameters are invalid
+     * @throws {Error} If process creation or queue send fails
+     */
+    async execute({ userId, dbType, stage }) {
+        // Validation
+        this._validateParams({ userId, dbType, stage });
+
+        // Create migration status in S3 (no User table dependency)
+        const migrationStatus = await this.migrationStatusRepository.create({
+            stage: stage || process.env.STAGE || 'production',
+            triggeredBy: userId || 'system',
+            triggeredAt: new Date().toISOString(),
+        });
+
+        console.log(`Created migration status: ${migrationStatus.migrationId}`);
+
+        // Get queue URL from environment
+        const queueUrl = process.env.DB_MIGRATION_QUEUE_URL;
+        if (!queueUrl) {
+            throw new Error(
+                'DB_MIGRATION_QUEUE_URL environment variable is not set. ' +
+                'Cannot send migration to queue.'
+            );
+        }
+
+        // Send message to SQS queue (async fire-and-forget)
+        try {
+            await this.queuerUtil.send(
+                {
+                    migrationId: migrationStatus.migrationId,
+                    dbType,
+                    stage,
+                },
+                queueUrl
+            );
+
+            console.log(`Sent migration job to queue: ${migrationStatus.migrationId}`);
+        } catch (error) {
+            console.error(`Failed to send migration to queue:`, error);
+
+            // Update migration status to FAILED
+            await this.migrationStatusRepository.update({
+                migrationId: migrationStatus.migrationId,
+                stage: migrationStatus.stage,
+                state: 'FAILED',
+                error: `Failed to queue migration: ${error.message}`,
+            });
+
+            throw new Error(
+                `Failed to queue migration: ${error.message}`
+            );
+        }
+
+        // Return migration info immediately (don't wait for migration completion)
+        return {
+            success: true,
+            migrationId: migrationStatus.migrationId,
+            state: migrationStatus.state,
+            statusUrl: `/db-migrate/${migrationStatus.migrationId}`,
+            s3Key: `migrations/${migrationStatus.stage}/${migrationStatus.migrationId}.json`,
+            message: 'Database migration queued successfully',
+        };
+    }
+
+    /**
+     * Validate execution parameters
+     * @private
+     */
+    _validateParams({ userId, dbType, stage }) {
+        // userId is optional for system migrations
+        if (userId && typeof userId !== 'string') {
+            throw new ValidationError('userId must be a string');
+        }
+
+        if (!dbType) {
+            throw new ValidationError('dbType is required');
+        }
+
+        if (typeof dbType !== 'string') {
+            throw new ValidationError('dbType must be a string');
+        }
+
+        const validDbTypes = ['postgresql', 'mongodb'];
+        if (!validDbTypes.includes(dbType)) {
+            throw new ValidationError(
+                `Invalid dbType: "${dbType}". Must be one of: ${validDbTypes.join(', ')}`
+            );
+        }
+
+        if (!stage) {
+            throw new ValidationError('stage is required');
+        }
+
+        if (typeof stage !== 'string') {
+            throw new ValidationError('stage must be a string');
+        }
+    }
+}
+
+/**
+ * Custom error for validation failures
+ */
+class ValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ValidationError';
+    }
+}
+
+module.exports = {
+    TriggerDatabaseMigrationUseCase,
+    ValidationError,
+};
+

package/database/utils/mongodb-collection-utils.js

@@ -0,0 +1,91 @@
+/**
+ * MongoDB Collection Utilities
+ *
+ * Provides utilities for managing MongoDB collections, particularly for
+ * handling the constraint that collections cannot be created inside
+ * multi-document transactions.
+ *
+ * @see https://github.com/prisma/prisma/issues/8305
+ * @see https://www.mongodb.com/docs/manual/core/transactions/#transactions-and-operations
+ */
+
+const { mongoose } = require('../mongoose');
+
+/**
+ * Ensures a MongoDB collection exists
+ *
+ * MongoDB doesn't allow creating collections (namespaces) inside multi-document
+ * transactions. This function checks if a collection exists and creates it if needed,
+ * preventing "Cannot create namespace in multi-document transaction" errors.
+ *
+ * @param {string} collectionName - Name of the collection to ensure exists
+ * @returns {Promise<void>}
+ *
+ * @example
+ * ```js
+ * await ensureCollectionExists('Credential');
+ * // Now safe to create documents in Credential collection
+ * await prisma.credential.create({ data: {...} });
+ * ```
+ */
+async function ensureCollectionExists(collectionName) {
+    try {
+        const collections = await mongoose.connection.db
+            .listCollections({ name: collectionName })
+            .toArray();
+
+        if (collections.length === 0) {
+            // Collection doesn't exist, create it outside of any transaction
+            await mongoose.connection.db.createCollection(collectionName);
+            console.log(`Created MongoDB collection: ${collectionName}`);
+        }
+    } catch (error) {
+        // Collection might already exist due to race condition, or other error
+        // Log warning but don't fail - let subsequent operations handle errors
+        if (error.codeName === 'NamespaceExists') {
+            // This is expected in race conditions, silently continue
+            return;
+        }
+        console.warn(`Error ensuring collection ${collectionName} exists:`, error.message);
+    }
+}
+
+/**
+ * Ensures multiple MongoDB collections exist
+ *
+ * @param {string[]} collectionNames - Array of collection names to ensure exist
+ * @returns {Promise<void>}
+ *
+ * @example
+ * ```js
+ * await ensureCollectionsExist(['Credential', 'User', 'Token']);
+ * ```
+ */
+async function ensureCollectionsExist(collectionNames) {
+    await Promise.all(collectionNames.map(name => ensureCollectionExists(name)));
+}
+
+/**
+ * Checks if a collection exists in MongoDB
+ *
+ * @param {string} collectionName - Name of the collection to check
+ * @returns {Promise<boolean>} True if collection exists, false otherwise
+ */
+async function collectionExists(collectionName) {
+    try {
+        const collections = await mongoose.connection.db
+            .listCollections({ name: collectionName })
+            .toArray();
+
+        return collections.length > 0;
+    } catch (error) {
+        console.error(`Error checking if collection ${collectionName} exists:`, error.message);
+        return false;
+    }
+}
+
+module.exports = {
+    ensureCollectionExists,
+    ensureCollectionsExist,
+    collectionExists,
+};