@friggframework/core 2.0.0-next.54 → 2.0.0-next.55

package/application/commands/credential-commands.js

@@ -56,7 +56,7 @@ function createCredentialCommands() {
                 }
 
                 const credentialData = {
-                    identifiers: { user: userId, externalId },
+                    identifiers: { userId, externalId },
                     details: {
                         access_token,
                         authIsValid,

package/core/create-handler.js

@@ -39,6 +39,18 @@ const createHandler = (optionByName = {}) => {
 
             // Don't leak implementation details to end users.
             if (isUserFacingResponse) {
+                // Allow client-safe errors to pass through with their actual message
+                if (error.isClientSafe === true) {
+                    const statusCode = error.statusCode || 400;
+                    return {
+                        statusCode,
+                        body: JSON.stringify({
+                            error: error.message,
+                        }),
+                    };
+                }
+
+                // Hide other errors with generic message
                 return {
                     statusCode: 500,
                     body: JSON.stringify({

package/credential/repositories/credential-repository-documentdb.js

@@ -10,7 +10,9 @@ const {
 const {
     CredentialRepositoryInterface,
 } = require('./credential-repository-interface');
-const { DocumentDBEncryptionService } = require('../../database/documentdb-encryption-service');
+const {
+    DocumentDBEncryptionService,
+} = require('../../database/documentdb-encryption-service');
 
 /**
  * Credential repository for DocumentDB.
@@ -20,7 +22,6 @@ const { DocumentDBEncryptionService } = require('../../database/documentdb-encry
  * - Credential.data.access_token
  * - Credential.data.refresh_token
  * - Credential.data.id_token
- * - Credential.data.domain
  *
  * SECURITY CRITICAL: All OAuth credentials must be encrypted at rest.
  *
@@ -40,8 +41,10 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
         const doc = await findOne(this.prisma, 'Credential', { _id: objectId });
         if (!doc) return null;
 
-        // Decrypt sensitive fields using service
-        const decryptedCredential = await this.encryptionService.decryptFields('Credential', doc);
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            doc
+        );
         return this._mapCredentialById(decryptedCredential);
     }
 
@@ -63,16 +66,19 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
     async deleteCredentialById(credentialId) {
         const objectId = toObjectId(credentialId);
         if (!objectId) return { acknowledged: true, deletedCount: 0 };
-        const result = await deleteOne(this.prisma, 'Credential', { _id: objectId });
+        const result = await deleteOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
         const deleted = result?.n ?? 0;
         return { acknowledged: true, deletedCount: deleted };
     }
 
     async upsertCredential(credentialDetails) {
         const { identifiers, details } = credentialDetails;
-        if (!identifiers) throw new Error('identifiers required to upsert credential');
-        if (!identifiers.user && !identifiers.userId) {
-            throw new Error('user or userId required in identifiers');
+        if (!identifiers)
+            throw new Error('identifiers required to upsert credential');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
         }
         if (!identifiers.externalId) {
             throw new Error(
@@ -82,32 +88,29 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
 
         const filter = this._buildIdentifierFilter(identifiers);
         const existing = await findOne(this.prisma, 'Credential', filter);
-
-        const {
-            user,
-            userId,
-            authIsValid,
-            externalId,
-            ...oauthData
-        } = details || {};
-
         const now = new Date();
 
+        const { authIsValid, ...oauthData } = details || {};
+
         if (existing) {
-            // Decrypt existing credential data first
-            const decryptedExisting = await this.encryptionService.decryptFields('Credential', existing);
-            const mergedData = { ...(decryptedExisting.data || {}), ...oauthData };
+            const decryptedExisting =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    existing
+                );
+            const mergedData = {
+                ...(decryptedExisting.data || {}),
+                ...oauthData,
+            };
 
-            // Build update document
             const updateDocument = {
-                userId: toObjectId(userId || user) || existing.userId || null,
-                externalId: externalId !== undefined ? externalId : existing.externalId,
-                authIsValid: authIsValid !== undefined ? authIsValid : existing.authIsValid,
+                userId: existing.userId,
+                externalId: existing.externalId,
+                authIsValid: authIsValid,
                 data: mergedData,
                 updatedAt: now,
             };
 
-            // Encrypt before storing
             const encryptedUpdate = await this.encryptionService.encryptFields(
                 'Credential',
                 { data: updateDocument.data }
@@ -128,33 +131,44 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
                 }
             );
 
-            // Read back and decrypt
-            const updated = await findOne(this.prisma, 'Credential', { _id: existing._id });
-            const decryptedCredential = await this.encryptionService.decryptFields('Credential', updated);
+            const updated = await findOne(this.prisma, 'Credential', {
+                _id: existing._id,
+            });
+            const decryptedCredential =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    updated
+                );
             return this._mapCredential(decryptedCredential);
         }
 
-        // Build plain text document
         const plainDocument = {
-            userId: toObjectId(userId || user || identifiers.user),
-            externalId: externalId !== undefined ? externalId : identifiers.externalId,
-            authIsValid: authIsValid ?? null,
-            data: oauthData,
+            userId: identifiers.userId,
+            externalId: identifiers.externalId,
+            authIsValid: details.authIsValid,
+            data: { ...oauthData },
             createdAt: now,
             updatedAt: now,
         };
 
-        // Encrypt before storing
         const encryptedDocument = await this.encryptionService.encryptFields(
             'Credential',
             plainDocument
         );
 
-        const insertedId = await insertOne(this.prisma, 'Credential', encryptedDocument);
+        const insertedId = await insertOne(
+            this.prisma,
+            'Credential',
+            encryptedDocument
+        );
 
-        // Read back and decrypt
-        const created = await findOne(this.prisma, 'Credential', { _id: insertedId });
-        const decryptedCredential = await this.encryptionService.decryptFields('Credential', created);
+        const created = await findOne(this.prisma, 'Credential', {
+            _id: insertedId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            created
+        );
         return this._mapCredential(decryptedCredential);
     }
 
@@ -163,39 +177,37 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
         const credential = await findOne(this.prisma, 'Credential', query);
         if (!credential) return null;
 
-        // Decrypt sensitive fields using service
-        const decryptedCredential = await this.encryptionService.decryptFields('Credential', credential);
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            credential
+        );
         return this._mapCredential(decryptedCredential);
     }
 
     async updateCredential(credentialId, updates) {
         const objectId = toObjectId(credentialId);
         if (!objectId) return null;
-        const existing = await findOne(this.prisma, 'Credential', { _id: objectId });
+        const existing = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
         if (!existing) return null;
 
-        const {
-            user,
-            userId,
-            authIsValid,
-            externalId,
-            ...oauthData
-        } = updates || {};
+        const { authIsValid, ...oauthData } = updates || {};
 
-        // Decrypt existing credential data first
-        const decryptedExisting = await this.encryptionService.decryptFields('Credential', existing);
+        const decryptedExisting = await this.encryptionService.decryptFields(
+            'Credential',
+            existing
+        );
         const mergedData = { ...(decryptedExisting.data || {}), ...oauthData };
 
-        // Build update document
         const updateDocument = {
-            userId: toObjectId(userId || user) || existing.userId || null,
-            externalId: externalId !== undefined ? externalId : existing.externalId,
-            authIsValid: authIsValid !== undefined ? authIsValid : existing.authIsValid,
+            userId: existing.userId,
+            externalId: existing.externalId,
+            authIsValid: authIsValid,
             data: mergedData,
             updatedAt: new Date(),
         };
 
-        // Encrypt before storing
         const encryptedUpdate = await this.encryptionService.encryptFields(
             'Credential',
             { data: updateDocument.data }
@@ -216,9 +228,13 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
             }
         );
 
-        // Read back and decrypt
-        const updated = await findOne(this.prisma, 'Credential', { _id: objectId });
-        const decryptedCredential = await this.encryptionService.decryptFields('Credential', updated);
+        const updated = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            updated
+        );
         return this._mapCredential(decryptedCredential);
     }
 
@@ -228,9 +244,8 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
             const idObj = toObjectId(identifiers._id || identifiers.id);
             if (idObj) filter._id = idObj;
         }
-        if (identifiers.user || identifiers.userId) {
-            const userObj = toObjectId(identifiers.user || identifiers.userId);
-            if (userObj) filter.userId = userObj;
+        if (identifiers.userId) {
+            filter.userId = identifiers.userId;
         }
         if (identifiers.externalId !== undefined) {
             filter.externalId = identifiers.externalId;
@@ -245,9 +260,8 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
             const idObj = toObjectId(filter.credentialId || filter.id);
             if (idObj) query._id = idObj;
         }
-        if (filter.user || filter.userId) {
-            const userObj = toObjectId(filter.user || filter.userId);
-            if (userObj) query.userId = userObj;
+        if (filter.userId !== undefined) {
+            query.userId = filter.userId;
         }
         if (filter.externalId !== undefined) {
             query.externalId = filter.externalId;
@@ -256,15 +270,14 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
     }
 
     /**
-     * Map credential document to application format (without legacy fields)
-     * Used by findCredential, upsertCredential, updateCredential
+     * Map credential document to application format
      * Matches MongoDB repository format
      * @private
      */
     _mapCredential(doc) {
         const data = doc?.data || {};
         const id = fromObjectId(doc?._id);
-        const userId = fromObjectId(doc?.userId);
+        const userId = doc?.userId;
         return {
             id,
             userId,
@@ -274,20 +287,12 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
         };
     }
 
-    /**
-     * Map credential document with legacy fields for findCredentialById
-     * Includes _id and user fields for backward compatibility
-     * Matches MongoDB repository format
-     * @private
-     */
     _mapCredentialById(doc) {
         const data = doc?.data || {};
         const id = fromObjectId(doc?._id);
-        const userId = fromObjectId(doc?.userId);
+        const userId = doc?.userId;
         return {
-            _id: id,
             id,
-            user: userId,
             userId,
             externalId: doc?.externalId ?? null,
             authIsValid: doc?.authIsValid ?? null,
@@ -297,4 +302,3 @@ class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
 }
 
 module.exports = { CredentialRepositoryDocumentDB };
-

package/credential/repositories/credential-repository-mongo.js

@@ -38,9 +38,7 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
         const data = credential.data || {};
 
         return {
-            _id: credential.id,
             id: credential.id,
-            user: credential.userId,
             userId: credential.userId,
             externalId: credential.externalId,
             authIsValid: credential.authIsValid,
@@ -80,7 +78,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             return { acknowledged: true, deletedCount: 1 };
         } catch (error) {
             if (error.code === 'P2025') {
-                // Record not found
                 return { acknowledged: true, deletedCount: 0 };
             }
             throw error;
@@ -99,49 +96,32 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
         if (!identifiers)
             throw new Error('identifiers required to upsert credential');
 
-        if (!identifiers.user && !identifiers.userId) {
-            throw new Error('user or userId required in identifiers');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
         }
         if (!identifiers.externalId) {
             throw new Error(
                 'externalId required in identifiers to prevent credential collision. ' +
-                'When multiple credentials exist for the same user, both userId and externalId ' +
-                'are needed to uniquely identify which credential to update.'
+                    'When multiple credentials exist for the same user, both userId and externalId ' +
+                    'are needed to uniquely identify which credential to update.'
             );
         }
 
-        // Build where clause from identifiers
         const where = this._convertIdentifiersToWhere(identifiers);
 
-        // Separate schema fields from dynamic OAuth data
-        const {
-            user,
-            userId,
-            externalId,
-            authIsValid,
-            
-            ...oauthData
-        } = details;
-
-        // Find existing credential
+        const { authIsValid, ...oauthData } = details;
+
         const existing = await this.prisma.credential.findFirst({ where });
 
         if (existing) {
-            // Update existing - merge OAuth data into existing data JSON
             const mergedData = { ...(existing.data || {}), ...oauthData };
 
             const updated = await this.prisma.credential.update({
                 where: { id: existing.id },
                 data: {
-                    userId: userId || user || existing.userId,
-                    externalId:
-                        externalId !== undefined
-                            ? externalId
-                            : existing.externalId,
-                    authIsValid:
-                        authIsValid !== undefined
-                            ? authIsValid
-                            : existing.authIsValid,
+                    userId: existing.userId,
+                    externalId: existing.externalId,
+                    authIsValid: authIsValid,
                     data: mergedData,
                 },
             });
@@ -155,13 +135,11 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             };
         }
 
-        // Create new credential
         const created = await this.prisma.credential.create({
             data: {
-                userId: userId || user,
-                externalId,
+                userId: identifiers.userId,
+                externalId: identifiers.externalId,
                 authIsValid: authIsValid,
-                
                 data: oauthData,
             },
         });
@@ -205,7 +183,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             authIsValid: credential.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
@@ -219,7 +196,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
      * @returns {Promise<Object|null>} Updated credential object or null if not found
      */
     async updateCredential(credentialId, updates) {
-        // Get existing credential to merge OAuth data
         const existing = await this.prisma.credential.findUnique({
             where: { id: credentialId },
         });
@@ -228,27 +204,16 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             return null;
         }
 
-        // Separate schema fields from OAuth data
-        const {
-            user,
-            userId,
-            externalId,
-            authIsValid,
-            
-            ...oauthData
-        } = updates;
-
-        // Merge OAuth data with existing
+        const { authIsValid, ...oauthData } = updates;
+
         const mergedData = { ...(existing.data || {}), ...oauthData };
 
         const updated = await this.prisma.credential.update({
             where: { id: credentialId },
             data: {
-                userId: userId || user || existing.userId,
-                externalId:
-                    externalId !== undefined ? externalId : existing.externalId,
-                authIsValid:
-                    authIsValid !== undefined ? authIsValid : existing.authIsValid,
+                userId: existing.userId,
+                externalId: existing.externalId,
+                authIsValid: authIsValid,
                 data: mergedData,
             },
         });
@@ -262,7 +227,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
             authIsValid: updated.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
@@ -278,7 +242,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
 
         if (identifiers._id) where.id = identifiers._id;
         if (identifiers.id) where.id = identifiers.id;
-        if (identifiers.user) where.userId = identifiers.user;
         if (identifiers.userId) where.userId = identifiers.userId;
         if (identifiers.externalId) where.externalId = identifiers.externalId;
 
@@ -296,7 +259,6 @@ class CredentialRepositoryMongo extends CredentialRepositoryInterface {
 
         if (filter.credentialId) where.id = filter.credentialId;
         if (filter.id) where.id = filter.id;
-        if (filter.user) where.userId = filter.user;
         if (filter.userId) where.userId = filter.userId;
         if (filter.externalId) where.externalId = filter.externalId;
 

package/credential/repositories/credential-repository-postgres.js

@@ -36,7 +36,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Find credential by ID
-     * Replaces: Credential.findById(id)
      *
      * @param {string} id - Credential ID (string from application layer)
      * @returns {Promise<Object|null>} Credential object with string IDs or null
@@ -51,14 +50,11 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             return null;
         }
 
-        // Extract data from JSON field
         const data = credential.data || {};
 
         return {
-            _id: credential.id.toString(),
             id: credential.id.toString(),
-            user: credential.userId?.toString(),
-            userId: credential.userId?.toString(),
+            userId: credential.userId.toString(),
             externalId: credential.externalId,
             authIsValid: credential.authIsValid,
             ...data, // Spread OAuth tokens from JSON field
@@ -67,7 +63,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Update authentication status
-     * Replaces: Credential.updateOne({ _id: credentialId }, { $set: { authIsValid } })
      *
      * @param {string} credentialId - Credential ID (string from application layer)
      * @param {boolean} authIsValid - Authentication validity status
@@ -85,7 +80,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Permanently remove a credential document
-     * Replaces: Credential.deleteOne({ _id: credentialId })
      *
      * @param {string} credentialId - Credential ID (string from application layer)
      * @returns {Promise<Object>} Deletion result
@@ -108,7 +102,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Create or update credential matching identifiers
-     * Replaces: Credential.findOneAndUpdate(query, update, { upsert: true })
      *
      * @param {{identifiers: Object, details: Object}} credentialDetails
      * @returns {Promise<Object>} The persisted credential with string IDs
@@ -118,22 +111,21 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         if (!identifiers)
             throw new Error('identifiers required to upsert credential');
 
-        if (!identifiers.user && !identifiers.userId) {
-            throw new Error('user or userId required in identifiers');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
         }
         if (!identifiers.externalId) {
             throw new Error(
                 'externalId required in identifiers to prevent credential collision. ' +
-                'When multiple credentials exist for the same user, both userId and externalId ' +
-                'are needed to uniquely identify which credential to update.'
+                    'When multiple credentials exist for the same user, both userId and externalId ' +
+                    'are needed to uniquely identify which credential to update.'
             );
         }
 
         const where = this._convertIdentifiersToWhere(identifiers);
 
-        const { user, externalId } = identifiers;
+        const { externalId } = identifiers;
 
-        // Separate schema fields from dynamic OAuth data
         const { authIsValid, ...oauthData } = details;
 
         const existing = await this.prisma.credential.findFirst({ where });
@@ -144,15 +136,9 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             const updated = await this.prisma.credential.update({
                 where: { id: existing.id },
                 data: {
-                    userId: this._convertId(user || existing.userId),
-                    externalId:
-                        externalId !== undefined
-                            ? externalId
-                            : existing.externalId,
-                    authIsValid:
-                        authIsValid !== undefined
-                            ? authIsValid
-                            : existing.authIsValid,
+                    userId: this._convertId(existing.userId),
+                    externalId: existing.externalId,
+                    authIsValid: authIsValid,
                     data: mergedData,
                 },
             });
@@ -168,10 +154,9 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
         const created = await this.prisma.credential.create({
             data: {
-                userId: this._convertId(user),
+                userId: this._convertId(identifiers.userId),
                 externalId,
                 authIsValid: authIsValid,
-                
                 data: oauthData,
             },
         });
@@ -187,7 +172,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
 
     /**
      * Find a credential by filter criteria
-     * Replaces: Credential.findOne(query)
      *
      * @param {Object} filter
      * @param {string} [filter.userId] - User ID (string from application layer)
@@ -215,21 +199,18 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             authIsValid: credential.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
 
     /**
      * Update a credential by ID
-     * Replaces: Credential.findByIdAndUpdate(credentialId, { $set: updates })
      *
      * @param {string} credentialId - Credential ID (string from application layer)
      * @param {Object} updates - Fields to update
      * @returns {Promise<Object|null>} Updated credential object with string IDs or null if not found
      */
     async updateCredential(credentialId, updates) {
-        // Get existing credential to merge OAuth data
         const intId = this._convertId(credentialId);
         const existing = await this.prisma.credential.findUnique({
             where: { id: intId },
@@ -239,21 +220,16 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             return null;
         }
 
-        // Separate schema fields from OAuth data
-        const { user, authIsValid, ...oauthData } =
-            updates;
+        const { authIsValid, ...oauthData } = updates;
 
-        // Merge OAuth data with existing
         const mergedData = { ...(existing.data || {}), ...oauthData };
 
         const updated = await this.prisma.credential.update({
             where: { id: intId },
             data: {
-                userId: this._convertId(userId || user || existing.userId),
-                externalId:
-                    externalId !== undefined ? externalId : existing.externalId,
-                authIsValid:
-                    authIsValid !== undefined ? authIsValid : existing.authIsValid,
+                userId: this._convertId(existing.userId),
+                externalId: existing.externalId,
+                authIsValid: authIsValid,
                 data: mergedData,
             },
         });
@@ -267,7 +243,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
             authIsValid: updated.authIsValid,
             access_token: data.access_token,
             refresh_token: data.refresh_token,
-            domain: data.domain,
             ...data,
         };
     }
@@ -282,7 +257,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         const where = {};
 
         if (identifiers.id) where.id = this._convertId(identifiers.id);
-        if (identifiers.user) where.userId = this._convertId(identifiers.user);
         if (identifiers.userId)
             where.userId = this._convertId(identifiers.userId);
         if (identifiers.externalId) where.externalId = identifiers.externalId;
@@ -302,7 +276,6 @@ class CredentialRepositoryPostgres extends CredentialRepositoryInterface {
         if (filter.credentialId)
             where.id = this._convertId(filter.credentialId);
         if (filter.id) where.id = this._convertId(filter.id);
-        if (filter.user) where.userId = this._convertId(filter.user);
         if (filter.userId) where.userId = this._convertId(filter.userId);
         if (filter.externalId) where.externalId = filter.externalId;