@friggframework/core 2.0.0-next.53 → 2.0.0-next.55

package/credential/repositories/credential-repository-postgres.js

@@ -36,7 +36,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Find credential by ID
-     * Replaces: Credential.findById(id)
      *
      * @param {string} id - Credential ID (string from application layer)
      * @returns {Promise<Object|null>} Credential object with string IDs or null
@@ -51,14 +50,11 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             return null;
         }
 
-        // Extract data from JSON field
         const data = credential.data || {};
 
         return {
-            _id: credential.id.toString(),
             id: credential.id.toString(),
-            user: credential.userId?.toString(),
-            userId: credential.userId?.toString(),
+            userId: credential.userId.toString(),
             externalId: credential.externalId,
             authIsValid: credential.authIsValid,
             ...data, // Spread OAuth tokens from JSON field
@@ -67,7 +63,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Update authentication status
-     * Replaces: Credential.updateOne({ _id: credentialId }, { $set: { authIsValid } })
      *
      * @param {string} credentialId - Credential ID (string from application layer)
      * @param {boolean} authIsValid - Authentication validity status
@@ -85,7 +80,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Permanently remove a credential document
-     * Replaces: Credential.deleteOne({ _id: credentialId })
      *
      * @param {string} credentialId - Credential ID (string from application layer)
      * @returns {Promise<Object>} Deletion result
@@ -108,7 +102,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Create or update credential matching identifiers
-     * Replaces: Credential.findOneAndUpdate(query, update, { upsert: true })
      *
      * @param {{identifiers: Object, details: Object}} credentialDetails
      * @returns {Promise<Object>} The persisted credential with string IDs
@@ -118,22 +111,21 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         if (!identifiers)
             throw new Error('identifiers required to upsert credential');
 
-        if (!identifiers.user && !identifiers.userId) {
-            throw new Error('user or userId required in identifiers');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
         }
         if (!identifiers.externalId) {
             throw new Error(
                 'externalId required in identifiers to prevent credential collision. ' +
-                'When multiple credentials exist for the same user, both userId and externalId ' +
-                'are needed to uniquely identify which credential to update.'
+                    'When multiple credentials exist for the same user, both userId and externalId ' +
+                    'are needed to uniquely identify which credential to update.'
             );
         }
 
         const where = this._convertIdentifiersToWhere(identifiers);
 
-        const { user, externalId } = identifiers;
+        const { externalId } = identifiers;
 
-        // Separate schema fields from dynamic OAuth data
         const { authIsValid, ...oauthData } = details;
 
         const existing = await this.prisma.credential.findFirst({ where });
@@ -144,15 +136,9 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             const updated = await this.prisma.credential.update({
                 where: { id: existing.id },
                 data: {
-                    userId: this._convertId(user || existing.userId),
-                    externalId:
-                        externalId !== undefined
-                            ? externalId
-                            : existing.externalId,
-                    authIsValid:
-                        authIsValid !== undefined
-                            ? authIsValid
-                            : existing.authIsValid,
+                    userId: this._convertId(existing.userId),
+                    externalId: existing.externalId,
+                    authIsValid: authIsValid,
                     data: mergedData,
                 },
             });
@@ -168,10 +154,9 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
         const created = await this.prisma.credential.create({
             data: {
-                userId: this._convertId(user),
+                userId: this._convertId(identifiers.userId),
                 externalId,
                 authIsValid: authIsValid,
-                
                 data: oauthData,
             },
         });
@@ -187,7 +172,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Find a credential by filter criteria
-     * Replaces: Credential.findOne(query)
      *
      * @param {Object} filter
      * @param {string} [filter.userId] - User ID (string from application layer)
@@ -215,21 +199,18 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             authIsValid: credential.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
 
     /**
      * Update a credential by ID
-     * Replaces: Credential.findByIdAndUpdate(credentialId, { $set: updates })
      *
      * @param {string} credentialId - Credential ID (string from application layer)
      * @param {Object} updates - Fields to update
      * @returns {Promise<Object|null>} Updated credential object with string IDs or null if not found
      */
     async updateCredential(credentialId, updates) {
-        // Get existing credential to merge OAuth data
         const intId = this._convertId(credentialId);
         const existing = await this.prisma.credential.findUnique({
             where: { id: intId },
@@ -239,21 +220,16 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             return null;
         }
 
-        // Separate schema fields from OAuth data
-        const { user, authIsValid, ...oauthData } =
-            updates;
+        const { authIsValid, ...oauthData } = updates;
 
-        // Merge OAuth data with existing
         const mergedData = { ...(existing.data || {}), ...oauthData };
 
         const updated = await this.prisma.credential.update({
             where: { id: intId },
             data: {
-                userId: this._convertId(userId || user || existing.userId),
-                externalId:
-                    externalId !== undefined ? externalId : existing.externalId,
-                authIsValid:
-                    authIsValid !== undefined ? authIsValid : existing.authIsValid,
+                userId: this._convertId(existing.userId),
+                externalId: existing.externalId,
+                authIsValid: authIsValid,
                 data: mergedData,
             },
         });
@@ -267,7 +243,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             authIsValid: updated.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
@@ -282,7 +257,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         const where = {};
 
         if (identifiers.id) where.id = this._convertId(identifiers.id);
-        if (identifiers.user) where.userId = this._convertId(identifiers.user);
         if (identifiers.userId)
             where.userId = this._convertId(identifiers.userId);
         if (identifiers.externalId) where.externalId = identifiers.externalId;
@@ -302,7 +276,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         if (filter.credentialId)
             where.id = this._convertId(filter.credentialId);
         if (filter.id) where.id = this._convertId(filter.id);
-        if (filter.user) where.userId = this._convertId(filter.user);
         if (filter.userId) where.userId = this._convertId(filter.userId);
         if (filter.externalId) where.externalId = filter.externalId;
 

package/credential/use-cases/get-credential-for-user.js

@@ -4,14 +4,18 @@ class GetCredentialForUser {
     }
 
     async execute(credentialId, userId) {
-        const credential = await this.credentialRepository.findCredentialById(credentialId);
+        const credential = await this.credentialRepository.findCredentialById(
+            credentialId
+        );
 
         if (!credential) {
             throw new Error(`Credential with id ${credentialId} not found`);
         }
 
-        if (credential.user.toString() !== userId.toString()) {
-            throw new Error(`Credential ${credentialId} does not belong to user ${userId}`);
+        if (credential.userId.toString() !== userId.toString()) {
+            throw new Error(
+                `Credential ${credentialId} does not belong to user ${userId}`
+            );
         }
 
         return credential;

package/database/config.js

@@ -10,7 +10,7 @@
  * 1. DB_TYPE environment variable (set for migration handlers)
  * 2. App definition (backend/index.js Definition.database configuration)
  *
- * @returns {'mongodb'|'postgresql'} Database type
+ * @returns {'mongodb'|'postgresql'|'documentdb'} Database type
  * @throws {Error} If database type cannot be determined or app definition missing
  */
 function getDatabaseType() {
@@ -93,7 +93,7 @@ function getDatabaseType() {
             return 'mongodb';
         }
         if (database.documentDB?.enable === true) {
-            return 'mongodb'; // DocumentDB is MongoDB-compatible
+            return 'documentdb';
         }
 
         throw new Error(
@@ -114,7 +114,7 @@ function getDatabaseType() {
 
 /**
  * Cached database type (lazy evaluation)
- * @type {'mongodb'|'postgresql'|null}
+ * @type {'mongodb'|'postgresql'|'documentdb'|null}
  */
 let cachedDbType = null;
 
@@ -140,7 +140,7 @@ module.exports = {
 /**
  * Lazy-evaluated database type determined from app definition
  * Only evaluates when accessed, preventing module load failures in test environments
- * @type {'mongodb'|'postgresql'}
+ * @type {'mongodb'|'postgresql'|'documentdb'}
  */
 Object.defineProperty(module.exports, 'DB_TYPE', {
     get() {

package/database/documentdb-encryption-service.js

@@ -0,0 +1,330 @@
+const { Cryptor } = require('../encrypt/Cryptor');
+const { getEncryptedFields, loadCustomEncryptionSchema } = require('./encryption/encryption-schema-registry');
+
+/**
+ * Encryption service specifically for DocumentDB repositories
+ * that use $runCommandRaw and bypass Prisma Client Extensions.
+ *
+ * Provides document-level encryption/decryption, handling nested fields
+ * according to the encryption schema registry.
+ *
+ * @class DocumentDBEncryptionService
+ * @example
+ * const service = new DocumentDBEncryptionService();
+ *
+ * // Encrypt before write
+ * const encrypted = await service.encryptFields('Credential', document);
+ * await insertOne(prisma, 'Credential', encrypted);
+ *
+ * // Decrypt after read
+ * const doc = await findOne(prisma, 'Credential', filter);
+ * const decrypted = await service.decryptFields('Credential', doc);
+ */
+class DocumentDBEncryptionService {
+    /**
+     * @param {Object} options - Configuration options
+     * @param {Cryptor} [options.cryptor] - Optional Cryptor instance for dependency injection (useful for testing)
+     */
+    constructor({ cryptor = null } = {}) {
+        if (cryptor) {
+            // Dependency injection - use provided Cryptor (for testing)
+            this.cryptor = cryptor;
+            this.enabled = true;
+        } else {
+            // Default behavior - create Cryptor from environment
+            this._initializeCryptor();
+        }
+    }
+
+    /**
+     * Initialize Cryptor with environment-based configuration.
+     * Matches the logic from @friggframework/core/database/prisma.js
+     *
+     * Encryption is bypassed in dev/test/local stages.
+     * Production uses AWS KMS (if available) or AES encryption.
+     *
+     * @private
+     */
+    _initializeCryptor() {
+        // Load custom encryption schema from app definition BEFORE checking configuration
+        // This ensures custom fields (like User.username) are registered before any encryption operations
+        loadCustomEncryptionSchema();
+
+        // Match logic from packages/core/database/prisma.js
+        const stage = process.env.STAGE || process.env.NODE_ENV || 'development';
+        const bypassEncryption = ['dev', 'test', 'local'].includes(stage.toLowerCase());
+
+        if (bypassEncryption) {
+            this.cryptor = null;
+            this.enabled = false;
+            return;
+        }
+
+        // Determine encryption method (ensure boolean values)
+        const hasKMS = !!(process.env.KMS_KEY_ARN && process.env.KMS_KEY_ARN.trim() !== '');
+        const hasAES = !!(process.env.AES_KEY_ID && process.env.AES_KEY_ID.trim() !== '');
+
+        if (!hasKMS && !hasAES) {
+            console.warn('[DocumentDBEncryptionService] No encryption keys configured. Encryption disabled.');
+            this.cryptor = null;
+            this.enabled = false;
+            return;
+        }
+
+        // KMS takes precedence over AES
+        const shouldUseAws = hasKMS;
+        this.cryptor = new Cryptor({ shouldUseAws });
+        this.enabled = true;
+    }
+
+    /**
+     * Encrypt sensitive fields in a document before storing to DocumentDB.
+     *
+     * Reads field paths from encryption-schema-registry.js and encrypts
+     * only the fields defined for the given model.
+     *
+     * @param {string} modelName - Model name from schema registry (e.g., 'User', 'Credential')
+     * @param {Object} document - Document to encrypt
+     * @returns {Promise<Object>} - New document with encrypted fields (original unchanged)
+     *
+     * @example
+     * const plainDoc = {
+     *   userId: '123',
+     *   data: { access_token: 'plain_secret' }
+     * };
+     * const encrypted = await service.encryptFields('Credential', plainDoc);
+     * // encrypted.data.access_token = "keyId:iv:cipher:encKey"
+     */
+    async encryptFields(modelName, document) {
+        // Bypass if encryption disabled
+        if (!this.enabled || !this.cryptor) {
+            return document;
+        }
+
+        // Validate input
+        if (!document || typeof document !== 'object') {
+            return document;
+        }
+
+        // Get encrypted fields from registry
+        const encryptedFieldsConfig = getEncryptedFields(modelName);
+        if (!encryptedFieldsConfig || encryptedFieldsConfig.length === 0) {
+            return document;
+        }
+
+        // Deep clone to prevent mutation (preserves Date, RegExp, Buffer)
+        const result = structuredClone(document);
+
+        // Encrypt each field path
+        for (const fieldPath of encryptedFieldsConfig) {
+            await this._encryptFieldPath(result, fieldPath, modelName);
+        }
+
+        return result;
+    }
+
+    /**
+     * Decrypt sensitive fields in a document after reading from DocumentDB.
+     *
+     * Reads field paths from encryption-schema-registry.js and decrypts
+     * only the fields defined for the given model.
+     *
+     * @param {string} modelName - Model name from schema registry
+     * @param {Object} document - Document to decrypt
+     * @returns {Promise<Object>} - New document with decrypted fields (original unchanged)
+     *
+     * @example
+     * const encryptedDoc = {
+     *   userId: '123',
+     *   data: { access_token: 'keyId:iv:cipher:encKey' }
+     * };
+     * const decrypted = await service.decryptFields('Credential', encryptedDoc);
+     * // decrypted.data.access_token = "plain_secret"
+     */
+    async decryptFields(modelName, document) {
+        // Bypass if encryption disabled
+        if (!this.enabled || !this.cryptor) {
+            return document;
+        }
+
+        // Validate input
+        if (!document || typeof document !== 'object') {
+            return document;
+        }
+
+        // Get encrypted fields from registry
+        const encryptedFieldsConfig = getEncryptedFields(modelName);
+        if (!encryptedFieldsConfig || encryptedFieldsConfig.length === 0) {
+            return document;
+        }
+
+        // Deep clone to prevent mutation (preserves Date, RegExp, Buffer)
+        const result = structuredClone(document);
+
+        // Decrypt each field path
+        for (const fieldPath of encryptedFieldsConfig) {
+            await this._decryptFieldPath(result, fieldPath, modelName);
+        }
+
+        return result;
+    }
+
+    /**
+     * Encrypt a specific field path in a document (handles nested fields).
+     *
+     * @private
+     * @param {Object} document - Document to modify (mutated in place)
+     * @param {string} fieldPath - Field path from schema registry (e.g., 'data.access_token')
+     * @param {string} modelName - For error logging context
+     */
+    async _encryptFieldPath(document, fieldPath, modelName) {
+        // Parse field path
+        const parts = fieldPath.split('.');
+
+        // Navigate to parent object
+        let current = document;
+        for (let i = 0; i < parts.length - 1; i++) {
+            if (!current[parts[i]]) {
+                // Path doesn't exist, nothing to encrypt
+                return;
+            }
+            current = current[parts[i]];
+        }
+
+        // Get field name and value
+        const fieldName = parts[parts.length - 1];
+        const value = current[fieldName];
+
+        // Skip if already encrypted or empty
+        if (!value || this._isEncryptedValue(value)) {
+            return;
+        }
+
+        try {
+            // Convert to string if needed
+            const stringValue = typeof value === 'string'
+                ? value
+                : JSON.stringify(value);
+
+            // Encrypt using Cryptor
+            current[fieldName] = await this.cryptor.encrypt(stringValue);
+        } catch (error) {
+            console.error(`[DocumentDBEncryptionService] Failed to encrypt ${modelName}.${fieldPath}:`, error.message);
+            throw error;
+        }
+    }
+
+    /**
+     * Decrypt a specific field path in a document (handles nested fields).
+     *
+     * @private
+     * @param {Object} document - Document to modify (mutated in place)
+     * @param {string} fieldPath - Field path from schema registry
+     * @param {string} modelName - For error logging context
+     */
+    async _decryptFieldPath(document, fieldPath, modelName) {
+        // Parse field path
+        const parts = fieldPath.split('.');
+
+        // Navigate to parent object
+        let current = document;
+        for (let i = 0; i < parts.length - 1; i++) {
+            if (!current[parts[i]]) {
+                // Path doesn't exist, nothing to decrypt
+                return;
+            }
+            current = current[parts[i]];
+        }
+
+        // Get field name and encrypted value
+        const fieldName = parts[parts.length - 1];
+        const encryptedValue = current[fieldName];
+
+        // Skip if not encrypted format
+        if (!encryptedValue || !this._isEncryptedValue(encryptedValue)) {
+            return;
+        }
+
+        try {
+            // Decrypt using Cryptor
+            const decryptedString = await this.cryptor.decrypt(encryptedValue);
+
+            // Try to parse as JSON (for objects/arrays)
+            try {
+                current[fieldName] = JSON.parse(decryptedString);
+            } catch {
+                // Not JSON, return as string
+                current[fieldName] = decryptedString;
+            }
+        } catch (error) {
+            const errorContext = {
+                modelName,
+                fieldPath,
+                encryptedValuePrefix: encryptedValue.substring(0, 20),
+                errorMessage: error.message
+            };
+
+            console.error(
+                `[DocumentDBEncryptionService] Failed to decrypt ${modelName}.${fieldPath}:`,
+                JSON.stringify(errorContext)
+            );
+
+            // Throw error to fail fast - don't silently corrupt data
+            throw new Error(`Decryption failed for ${modelName}.${fieldPath}: ${error.message}`);
+        }
+    }
+
+    /**
+     * Check if a value is in encrypted format.
+     *
+     * Encrypted format: "keyId:iv:cipher:encKey" (envelope encryption)
+     * All parts are base64-encoded strings.
+     *
+     * @private
+     * @param {any} value - Value to check
+     * @returns {boolean} - True if value is encrypted
+     *
+     * @example
+     * _isEncryptedValue("plain_text")  // false
+     * _isEncryptedValue("YWVzLWtleS0x:TXlJVkhlcmU=:QWN0dWFsQ2lwaGVy:RW5jcnlwdGVk")  // true
+     * _isEncryptedValue(null)  // false
+     * _isEncryptedValue({})  // false
+     */
+    _isEncryptedValue(value) {
+        // Must be string
+        if (typeof value !== 'string') {
+            return false;
+        }
+
+        // Must have exactly 4 colon-separated parts
+        const parts = value.split(':');
+        if (parts.length !== 4) {
+            return false;
+        }
+
+        // Enhanced validation: check for base64 pattern
+        // This prevents false positives on URLs, connection strings, etc.
+        const base64Pattern = /^[A-Za-z0-9+/=]+$/;
+
+        // All parts should be base64-encoded
+        if (!parts.every(part => base64Pattern.test(part))) {
+            return false;
+        }
+
+        // Encrypted values should be sufficiently long to be valid
+        // Real encrypted values from Cryptor are always >50 chars due to envelope encryption format:
+        // - keyId (base64): ~12 chars minimum
+        // - iv (base64): ~24 chars for 16-byte IV
+        // - ciphertext (base64): varies, minimum ~16 chars for small values
+        // - encryptedKey (base64): ~44 chars for 32-byte data key
+        // Total minimum: ~96 chars, so 50 is a safe lower bound
+        // This prevents false positives on non-encrypted strings that happen to have 4 colons
+        if (value.length < 50) {
+            return false;
+        }
+
+        return true;
+    }
+}
+
+module.exports = { DocumentDBEncryptionService };