@friggframework/core 2.0.0-next.5 → 2.0.0-next.51

package/user/use-cases/authenticate-user.js

@@ -0,0 +1,127 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * Use case for authenticating a user using multiple authentication strategies.
+ * 
+ * Supports three authentication modes in priority order:
+ * 1. Shared Secret (backend-to-backend with x-frigg-api-key + x-frigg headers)
+ * 2. Adopter JWT (custom JWT authentication)
+ * 3. Frigg Native Token (bearer token from /user/login)
+ * 
+ * x-frigg-appUserId and x-frigg-appOrgId headers are automatically supported
+ * for user identification with any auth mode. When present with JWT or Frigg
+ * tokens, they are validated to match the authenticated user.
+ *
+ * @class AuthenticateUser
+ */
+class AuthenticateUser {
+    /**
+     * Creates a new AuthenticateUser instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('./get-user-from-bearer-token').GetUserFromBearerToken} params.getUserFromBearerToken - Use case for bearer token auth.
+     * @param {import('./get-user-from-x-frigg-headers').GetUserFromXFriggHeaders} params.getUserFromXFriggHeaders - Use case for x-frigg header auth.
+     * @param {import('./get-user-from-adopter-jwt').GetUserFromAdopterJwt} params.getUserFromAdopterJwt - Use case for adopter JWT auth.
+     * @param {import('./authenticate-with-shared-secret').AuthenticateWithSharedSecret} params.authenticateWithSharedSecret - Use case for validating shared secret.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({
+        getUserFromBearerToken,
+        getUserFromXFriggHeaders,
+        getUserFromAdopterJwt,
+        authenticateWithSharedSecret,
+        userConfig,
+    }) {
+        this.getUserFromBearerToken = getUserFromBearerToken;
+        this.getUserFromXFriggHeaders = getUserFromXFriggHeaders;
+        this.getUserFromAdopterJwt = getUserFromAdopterJwt;
+        this.authenticateWithSharedSecret = authenticateWithSharedSecret;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {Object} req - Express request object with headers.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} Unauthorized if no valid authentication provided.
+     * @throws {Boom} Forbidden if x-frigg headers don't match authenticated user.
+     */
+    async execute(req) {
+        const authModes = this.userConfig.authModes || { friggToken: true };
+        const appUserId = req.headers['x-frigg-appuserid'];
+        const appOrgId = req.headers['x-frigg-apporgid'];
+        let user = null;
+
+        // Priority 1: Shared Secret (backend-to-backend with API key)
+        if (authModes.sharedSecret !== false) {
+            const apiKey = req.headers['x-frigg-api-key'];
+            if (apiKey) {
+                // Validate the API key (authentication)
+                await this.authenticateWithSharedSecret.execute(apiKey);
+                // Get user from x-frigg headers (authorization)
+                return await this.getUserFromXFriggHeaders.execute(
+                    appUserId,
+                    appOrgId
+                );
+            }
+        }
+
+        // Priority 2: Adopter JWT (if enabled)
+        if (
+            authModes.adopterJwt === true &&
+            req.headers.authorization?.startsWith('Bearer ')
+        ) {
+            const token = req.headers.authorization.split(' ')[1];
+            // Detect JWT format (3 parts separated by dots)
+            if (token && token.split('.').length === 3) {
+                user = await this.getUserFromAdopterJwt.execute(token);
+                // Validate x-frigg headers match JWT claims if present
+                if (appUserId || appOrgId) {
+                    this.validateUserMatch(user, appUserId, appOrgId);
+                }
+                return user;
+            }
+        }
+
+        // Priority 3: Frigg native token (default)
+        if (authModes.friggToken !== false && req.headers.authorization) {
+            user = await this.getUserFromBearerToken.execute(
+                req.headers.authorization
+            );
+            // Validate x-frigg headers match token user if present
+            if (appUserId || appOrgId) {
+                this.validateUserMatch(user, appUserId, appOrgId);
+            }
+            return user;
+        }
+
+        throw Boom.unauthorized('No valid authentication provided');
+    }
+
+    /**
+     * Validates that x-frigg headers match authenticated user if provided.
+     * This ensures that when both authentication (via token/JWT) and
+     * x-frigg headers are present, they refer to the same user.
+     *
+     * @param {import('../user').User} user - The authenticated user
+     * @param {string} [appUserId] - The x-frigg-appuserid header value
+     * @param {string} [appOrgId] - The x-frigg-apporgid header value
+     * @throws {Boom} 403 Forbidden if headers don't match user
+     */
+    validateUserMatch(user, appUserId, appOrgId) {
+        if (appUserId && user.getAppUserId() !== appUserId) {
+            throw Boom.forbidden(
+                'x-frigg-appuserid header does not match authenticated user'
+            );
+        }
+        if (appOrgId && user.getAppOrgId() !== appOrgId) {
+            throw Boom.forbidden(
+                'x-frigg-apporgid header does not match authenticated user'
+            );
+        }
+    }
+}
+
+module.exports = { AuthenticateUser };
+
+

package/user/use-cases/authenticate-with-shared-secret.js

@@ -0,0 +1,48 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * Use case for authenticating requests with shared secret API key.
+ * This use case ONLY validates the authenticity of the request via API key.
+ * It does NOT retrieve user data - that's handled by GetUserFromXFriggHeaders.
+ *
+ * Used for backend-to-backend communication where the secret proves
+ * the request is legitimate, but user identification comes from x-frigg headers.
+ *
+ * @class AuthenticateWithSharedSecret
+ */
+class AuthenticateWithSharedSecret {
+    /**
+     * Creates a new AuthenticateWithSharedSecret instance.
+     * @param {Object} params - Configuration parameters (none needed currently, but kept for consistency).
+     */
+    constructor() {
+        // No dependencies needed - just validates against env var
+    }
+
+    /**
+     * Validates the provided shared secret against FRIGG_API_KEY.
+     * @async
+     * @param {string} providedSecret - Secret from x-frigg-api-key header
+     * @returns {Promise<boolean>} True if valid (or throws error if invalid)
+     * @throws {Boom} 500 if FRIGG_API_KEY not configured
+     * @throws {Boom} 401 if provided secret doesn't match
+     */
+    async execute(providedSecret) {
+        // Validate secret
+        const expectedSecret = process.env.FRIGG_API_KEY;
+        if (!expectedSecret) {
+            throw Boom.badImplementation(
+                'FRIGG_API_KEY environment variable is not configured. ' +
+                'Set FRIGG_API_KEY to enable shared secret authentication.'
+            );
+        }
+
+        if (!providedSecret || providedSecret !== expectedSecret) {
+            throw Boom.unauthorized('Invalid API key');
+        }
+
+        return true;
+    }
+}
+
+module.exports = { AuthenticateWithSharedSecret };

package/user/use-cases/create-individual-user.js

@@ -0,0 +1,61 @@
+const { get } = require('../../assertions');
+const Boom = require('@hapi/boom');
+const { User } = require('../user');
+
+/**
+ * Use case for creating an individual user.
+ * @class CreateIndividualUser
+ */
+class CreateIndividualUser {
+    /**
+     * Creates a new CreateIndividualUser instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user properties inside of the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {Object} params - The parameters for creating the user.
+     * @returns {Promise<import('../user').User>} The newly created user object.
+     */
+    async execute(params) {
+        let hashword;
+        if (this.userConfig.usePassword) {
+            hashword = get(params, 'password');
+        }
+
+        const email = get(params, 'email', null);
+        const username = get(params, 'username', null);
+        if (!email && !username) {
+            throw Boom.badRequest('email or username is required');
+        }
+
+        const appUserId = get(params, 'appUserId', null);
+        const organizationUserId = get(params, 'organizationUserId', null);
+
+        const individualUserData = await this.userRepository.createIndividualUser({
+            email,
+            username,
+            hashword,
+            appUserId,
+            organizationUser: organizationUserId,
+        });
+
+        return new User(
+            individualUserData,
+            null,
+            this.userConfig.usePassword,
+            this.userConfig.primary,
+            this.userConfig.individualUserRequired,
+            this.userConfig.organizationUserRequired
+        );
+    }
+}
+
+module.exports = { CreateIndividualUser };

package/user/use-cases/create-organization-user.js

@@ -0,0 +1,47 @@
+const { get } = require('../../assertions');
+const { User } = require('../user');
+
+/**
+ * Use case for creating an organization user.
+ * @class CreateOrganizationUser
+ */
+class CreateOrganizationUser {
+    /**
+     * Creates a new CreateOrganizationUser instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user properties inside of the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {Object} params - The parameters for creating the user.
+     * @returns {Promise<import('../user').User>} The newly created user object.
+     */
+    async execute(params) {
+        const name = get(params, 'name');
+        const appOrgId = get(params, 'appOrgId');
+
+        const organizationUserData =
+            await this.userRepository.createOrganizationUser({
+                name,
+                appOrgId,
+            });
+
+        return new User(
+            null,
+            organizationUserData,
+            this.userConfig.usePassword,
+            this.userConfig.primary,
+            this.userConfig.individualUserRequired,
+            this.userConfig.organizationUserRequired
+        );
+    }
+}
+
+module.exports = { CreateOrganizationUser }; 

package/user/use-cases/create-token-for-user-id.js

@@ -0,0 +1,30 @@
+const crypto = require('crypto');
+
+/**
+ * Use case for creating a token for a user ID.
+ * @class CreateTokenForUserId
+ */
+class CreateTokenForUserId {
+    /**
+     * Creates a new CreateTokenForUserId instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     */
+    constructor({ userRepository }) {
+        this.userRepository = userRepository;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {string} userId - The ID of the user to create a token for.
+     * @param {number} minutes - The number of minutes until the token expires.
+     * @returns {Promise<string>} The user token.
+     */
+    async execute(userId, minutes) {
+        const rawToken = crypto.randomBytes(20).toString('hex');
+        return this.userRepository.createToken(userId, rawToken, minutes);
+    }
+}
+
+module.exports = { CreateTokenForUserId }; 

package/user/use-cases/get-user-from-adopter-jwt.js

@@ -0,0 +1,149 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * STUB: Use case for retrieving a user from adopter-provided JWT token.
+ *
+ * This is a stub implementation for future JWT authentication support.
+ * When implemented, this will allow adopters to use their own JWT tokens
+ * for authentication instead of Frigg's native token system.
+ *
+ * FUTURE IMPLEMENTATION REQUIREMENTS:
+ * - Validate JWT signature using jwtConfig.secret from app definition
+ * - Support configurable signing algorithms (HS256, HS384, HS512, RS256, RS384, RS512)
+ * - Extract user identifiers from JWT claims based on jwtConfig.userIdClaim and jwtConfig.orgIdClaim
+ * - Find or create user based on extracted claim values
+ * - Handle token expiration and validation errors
+ * - Support refresh tokens (optional)
+ * - Validate user ID conflicts if both individual and org IDs present in JWT
+ *
+ * RECOMMENDED IMPLEMENTATION:
+ * - Use 'jsonwebtoken' package for JWT parsing and validation
+ * - Cache JWT public keys for RS* algorithms
+ * - Add comprehensive error handling for invalid tokens
+ * - Log authentication attempts for security auditing
+ *
+ * @todo Implement JWT validation with jsonwebtoken package
+ * @todo Add unit tests for JWT parsing and claim extraction
+ * @todo Document adopter JWT integration guide in Frigg docs
+ * @todo Add support for JWT refresh tokens
+ * @todo Implement JWT public key caching for RS* algorithms
+ *
+ * @class GetUserFromAdopterJwt
+ */
+class GetUserFromAdopterJwt {
+    /**
+     * Creates a new GetUserFromAdopterJwt instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../repositories/user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {string} jwtToken - The JWT token from the Authorization header.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} 501 Not Implemented - This feature is not yet available.
+     */
+    async execute(jwtToken) {
+        throw Boom.notImplemented(
+            'Adopter JWT authentication is not yet implemented. ' +
+                'This feature is planned for a future Frigg release. ' +
+                'Please use one of the supported authentication modes instead: ' +
+                'friggToken (native bearer token) or xFriggHeaders (backend-to-backend with x-frigg-appUserId/appOrgId headers).'
+        );
+
+        /* FUTURE IMPLEMENTATION PSEUDOCODE:
+
+        const jwt = require('jsonwebtoken');
+        
+        // Validate JWT configuration exists
+        if (!this.userConfig.jwtConfig || !this.userConfig.jwtConfig.secret) {
+            throw Boom.badImplementation('JWT configuration is required when adopterJwt auth mode is enabled');
+        }
+        
+        try {
+            // Verify and decode JWT
+            const decoded = jwt.verify(jwtToken, this.userConfig.jwtConfig.secret, {
+                algorithms: [this.userConfig.jwtConfig.algorithm || 'HS256']
+            });
+            
+            // Extract user identifiers from claims
+            const appUserId = decoded[this.userConfig.jwtConfig.userIdClaim || 'sub'];
+            const appOrgId = decoded[this.userConfig.jwtConfig.orgIdClaim || 'org_id'];
+            
+            // At least one identifier required
+            if (!appUserId && !appOrgId) {
+                throw Boom.badRequest('JWT must contain user or organization identifier claims');
+            }
+            
+            // Find existing users
+            let individualUserData = null;
+            let organizationUserData = null;
+            
+            if (appUserId) {
+                individualUserData = await this.userRepository.findIndividualUserByAppUserId(appUserId);
+            }
+            
+            if (appOrgId) {
+                organizationUserData = await this.userRepository.findOrganizationUserByAppOrgId(appOrgId);
+            }
+            
+            // Validate no conflicts if both IDs present
+            if (appUserId && appOrgId && individualUserData && organizationUserData) {
+                const individualOrgId = individualUserData.organizationUser?.toString();
+                const expectedOrgId = organizationUserData.id?.toString();
+                
+                if (individualOrgId !== expectedOrgId) {
+                    throw Boom.badRequest(
+                        'User ID mismatch: JWT claims refer to different users. ' +
+                        'Individual and organization IDs must belong to the same user.'
+                    );
+                }
+            }
+            
+            // Auto-create if not found
+            if (!individualUserData && !organizationUserData) {
+                if (appUserId) {
+                    individualUserData = await this.userRepository.createIndividualUser({
+                        appUserId,
+                        username: `jwt-user-${appUserId}`,
+                        email: decoded.email || `${appUserId}@jwt.local`,
+                    });
+                } else {
+                    organizationUserData = await this.userRepository.createOrganizationUser({
+                        appOrgId,
+                    });
+                }
+            }
+            
+            return new User(
+                individualUserData,
+                organizationUserData,
+                this.userConfig.usePassword,
+                this.userConfig.primary,
+                this.userConfig.individualUserRequired,
+                this.userConfig.organizationUserRequired
+            );
+            
+        } catch (error) {
+            if (error.name === 'TokenExpiredError') {
+                throw Boom.unauthorized('JWT token has expired');
+            } else if (error.name === 'JsonWebTokenError') {
+                throw Boom.unauthorized('Invalid JWT token');
+            } else if (error.isBoom) {
+                throw error;
+            }
+            throw Boom.unauthorized('JWT authentication failed');
+        }
+        */
+    }
+}
+
+module.exports = { GetUserFromAdopterJwt };
+
+

package/user/use-cases/get-user-from-bearer-token.js

@@ -0,0 +1,77 @@
+const Boom = require('@hapi/boom');
+const { User } = require('../user');
+
+/**
+ * Use case for retrieving a user from a bearer token.
+ * @class GetUserFromBearerToken
+ */
+class GetUserFromBearerToken {
+    /**
+     * Creates a new GetUserFromBearerToken instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {string} bearerToken - The bearer token from the authorization header.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} 401 Unauthorized if the token is missing, malformed, or invalid.
+     */
+    async execute(bearerToken) {
+        if (!bearerToken) {
+            throw Boom.unauthorized('Missing Authorization Header');
+        }
+
+        const token = bearerToken.split(' ')[1]?.trim();
+        if (!token) {
+            throw Boom.unauthorized('Invalid Token Format');
+        }
+
+        const sessionToken = await this.userRepository.getSessionToken(token);
+
+        if (!sessionToken) {
+            throw Boom.unauthorized('Session Token Not Found');
+        }
+
+        if (this.userConfig.primary === 'organization') {
+            const organizationUserData = await this.userRepository.findOrganizationUserById(sessionToken.user);
+
+            if (!organizationUserData) {
+                throw Boom.unauthorized('Organization User Not Found');
+            }
+
+            return new User(
+                null,
+                organizationUserData,
+                this.userConfig.usePassword,
+                this.userConfig.primary,
+                this.userConfig.individualUserRequired,
+                this.userConfig.organizationUserRequired
+            );
+        }
+
+        const individualUserData = await this.userRepository.findIndividualUserById(sessionToken.user);
+
+        if (!individualUserData) {
+            throw Boom.unauthorized('Individual User Not Found');
+        }
+
+        return new User(
+            individualUserData,
+            null,
+            this.userConfig.usePassword,
+            this.userConfig.primary,
+            this.userConfig.individualUserRequired,
+            this.userConfig.organizationUserRequired
+        );
+    }
+}
+
+module.exports = { GetUserFromBearerToken }; 

package/user/use-cases/get-user-from-x-frigg-headers.js

@@ -0,0 +1,106 @@
+const Boom = require('@hapi/boom');
+const { User } = require('../user');
+
+/**
+ * Use case for retrieving or creating a user from x-frigg header identifiers.
+ * Supports backend-to-backend API communication using application user IDs.
+ *
+ * @class GetUserFromXFriggHeaders
+ */
+class GetUserFromXFriggHeaders {
+    /**
+     * Creates a new GetUserFromXFriggHeaders instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../repositories/user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {string} [appUserId] - The app user ID from x-frigg-appUserId header.
+     * @param {string} [appOrgId] - The app organization ID from x-frigg-appOrgId header.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} 400 Bad Request if neither ID is provided or if both IDs are provided but belong to different users.
+     */
+    async execute(appUserId, appOrgId) {
+        // At least one header must be provided
+        if (!appUserId && !appOrgId) {
+            throw Boom.badRequest(
+                'At least one of x-frigg-appUserId or x-frigg-appOrgId headers is required for backend-to-backend authentication'
+            );
+        }
+
+        // Find users by both IDs if both are provided
+        let individualUserData = null;
+        let organizationUserData = null;
+
+        if (appUserId && this.userConfig.individualUserRequired !== false) {
+            individualUserData =
+                await this.userRepository.findIndividualUserByAppUserId(
+                    appUserId
+                );
+        }
+
+        if (appOrgId && this.userConfig.organizationUserRequired) {
+            organizationUserData =
+                await this.userRepository.findOrganizationUserByAppOrgId(
+                    appOrgId
+                );
+        }
+
+        // VALIDATION: If both IDs provided and both users exist, verify they match
+        if (
+            appUserId &&
+            appOrgId &&
+            individualUserData &&
+            organizationUserData
+        ) {
+            // Check if individual user is linked to the org user
+            const individualOrgId =
+                individualUserData.organizationUser?.toString();
+            const expectedOrgId = organizationUserData.id?.toString();
+
+            if (individualOrgId !== expectedOrgId) {
+                throw Boom.badRequest(
+                    'User ID mismatch: x-frigg-appUserId and x-frigg-appOrgId refer to different users. ' +
+                        'Provide only one identifier or ensure they belong to the same user.'
+                );
+            }
+        }
+
+        // Auto-create user if not found
+        if (!individualUserData && !organizationUserData) {
+            if (appUserId) {
+                individualUserData =
+                    await this.userRepository.createIndividualUser({
+                        appUserId,
+                        username: `app-user-${appUserId}`,
+                        email: `${appUserId}@app.local`,
+                    });
+            } else {
+                organizationUserData =
+                    await this.userRepository.createOrganizationUser({
+                        appOrgId,
+                    });
+            }
+        }
+
+        return new User(
+            individualUserData,
+            organizationUserData,
+            this.userConfig.usePassword,
+            this.userConfig.primary,
+            this.userConfig.individualUserRequired,
+            this.userConfig.organizationUserRequired
+        );
+    }
+}
+
+module.exports = { GetUserFromXFriggHeaders };
+
+