@friggframework/core 2.0.0-next.6 → 2.0.0-next.60

package/user/repositories/user-repository-postgres.js

@@ -0,0 +1,360 @@
+const bcrypt = require('bcryptjs');
+const { prisma } = require('../../database/prisma');
+const {
+    createTokenRepository,
+} = require('../../token/repositories/token-repository-factory');
+const { UserRepositoryInterface } = require('./user-repository-interface');
+const { ClientSafeError } = require('../../errors');
+
+/**
+ * PostgreSQL User Repository Adapter
+ * Handles user operations with discriminator pattern support
+ *
+ * PostgreSQL-specific characteristics:
+ * - Uses Int IDs with autoincrement
+ * - Requires ID conversion: String (app layer) ↔ Int (database)
+ * - All returned IDs are converted to strings for application layer consistency
+ */
+class UserRepositoryPostgres extends UserRepositoryInterface {
+    constructor() {
+        super();
+        this.prisma = prisma;
+        this.tokenRepository = createTokenRepository();
+    }
+
+    /**
+     * Convert string ID to integer for PostgreSQL queries
+     * @private
+     * @param {string|number|null|undefined} id - ID to convert
+     * @returns {number|null|undefined} Integer ID or null/undefined
+     * @throws {Error} If ID cannot be converted to integer
+     */
+    _convertId(id) {
+        if (id === null || id === undefined) return id;
+        const parsed = parseInt(id, 10);
+        if (isNaN(parsed)) {
+            throw new Error(`Invalid ID: ${id} cannot be converted to integer`);
+        }
+        return parsed;
+    }
+
+    /**
+     * Convert user object IDs to strings
+     * @private
+     * @param {Object|null} user - User object from database
+     * @returns {Object|null} User with string IDs
+     */
+    _convertUserIds(user) {
+        if (!user) return user;
+        return {
+            ...user,
+            id: user.id?.toString(),
+            organizationId: user.organizationId?.toString(),
+        };
+    }
+
+    /**
+     * Get session token from base64 buffer token
+     * Delegates to TokenRepository
+     *
+     * @param {string} token - Base64 buffer token
+     * @returns {Promise<Object>} Session token object with string IDs
+     */
+    async getSessionToken(token) {
+        const jsonToken =
+            this.tokenRepository.getJSONTokenFromBase64BufferToken(token);
+        const sessionToken = await this.tokenRepository.validateAndGetToken(
+            jsonToken
+        );
+        return sessionToken;
+    }
+
+    /**
+     * Find organization user by ID
+     * Replaces: OrganizationUser.findById(userId)
+     *
+     * @param {string} userId - User ID (string from application layer)
+     * @returns {Promise<Object|null>} User object with string IDs or null
+     */
+    async findOrganizationUserById(userId) {
+        const intId = this._convertId(userId);
+        const user = await this.prisma.user.findFirst({
+            where: {
+                id: intId,
+                type: 'ORGANIZATION',
+            },
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Find individual user by ID
+     * Replaces: IndividualUser.findById(userId)
+     *
+     * @param {string} userId - User ID (string from application layer)
+     * @returns {Promise<Object|null>} User object with string IDs or null
+     */
+    async findIndividualUserById(userId) {
+        const intId = this._convertId(userId);
+        const user = await this.prisma.user.findFirst({
+            where: {
+                id: intId,
+                type: 'INDIVIDUAL',
+            },
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Create token with expiration
+     * Delegates to TokenRepository
+     *
+     * @param {string} userId - User ID (string from application layer)
+     * @param {string} rawToken - Raw unhashed token
+     * @param {number} minutes - Minutes until expiration (default 120)
+     * @returns {Promise<string>} Base64 buffer token
+     */
+    async createToken(userId, rawToken, minutes = 120) {
+        const createdToken = await this.tokenRepository.createTokenWithExpire(
+            userId,
+            rawToken,
+            minutes
+        );
+        return this.tokenRepository.createBase64BufferToken(
+            createdToken,
+            rawToken
+        );
+    }
+
+    /**
+     * Create individual user
+     * Replaces: IndividualUser.create(params)
+     *
+     * @param {Object} params - User creation parameters (with string IDs from application layer)
+     * @param {string} [params.hashword] - Plain text password (will be bcrypt hashed automatically)
+     * @returns {Promise<Object>} Created user object with string IDs
+     */
+    async createIndividualUser(params) {
+        const data = {
+            type: 'INDIVIDUAL',
+            email: params.email,
+            username: params.username,
+            appUserId: params.appUserId,
+            organizationId: this._convertId(
+                params.organization || params.organizationId
+            ),
+        };
+
+        if (
+            params.hashword !== undefined &&
+            params.hashword !== null &&
+            params.hashword !== ''
+        ) {
+            if (typeof params.hashword !== 'string') {
+                throw new ClientSafeError('Password must be a string', 400);
+            }
+
+            // Prevent double-hashing: bcrypt hashes start with $2a$ or $2b$
+            if (params.hashword.startsWith('$2')) {
+                throw new Error(
+                    'Password appears to be already hashed. Pass plain text password only.'
+                );
+            }
+
+            data.hashword = await bcrypt.hash(params.hashword, 10);
+        }
+
+        const user = await this.prisma.user.create({ data });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Create organization user
+     * Replaces: OrganizationUser.create(params)
+     *
+     * @param {Object} params - Organization creation parameters
+     * @returns {Promise<Object>} Created organization object with string IDs
+     */
+    async createOrganizationUser(params) {
+        const user = await this.prisma.user.create({
+            data: {
+                type: 'ORGANIZATION',
+                appOrgId: params.appOrgId,
+                name: params.name,
+            },
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Find individual user by username
+     * Replaces: IndividualUser.findOne({ username })
+     *
+     * @param {string} username - Username to search for
+     * @returns {Promise<Object|null>} User object with string IDs or null
+     */
+    async findIndividualUserByUsername(username) {
+        const user = await this.prisma.user.findFirst({
+            where: {
+                type: 'INDIVIDUAL',
+                username,
+            },
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Find individual user by app user ID
+     * Replaces: IndividualUser.getUserByAppUserId(appUserId)
+     *
+     * @param {string} appUserId - App user ID to search for
+     * @returns {Promise<Object|null>} User object with string IDs or null
+     */
+    async findIndividualUserByAppUserId(appUserId) {
+        const user = await this.prisma.user.findFirst({
+            where: {
+                type: 'INDIVIDUAL',
+                appUserId,
+            },
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Find organization user by app org ID
+     * Replaces: OrganizationUser.getUserByAppOrgId(appOrgId)
+     *
+     * @param {string} appOrgId - App organization ID to search for
+     * @returns {Promise<Object|null>} User object with string IDs or null
+     */
+    async findOrganizationUserByAppOrgId(appOrgId) {
+        const user = await this.prisma.user.findFirst({
+            where: {
+                type: 'ORGANIZATION',
+                appOrgId,
+            },
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Find individual user by email
+     * @param {string} email - Email to search for
+     * @returns {Promise<Object|null>} User object with string IDs or null
+     */
+    async findIndividualUserByEmail(email) {
+        const user = await this.prisma.user.findFirst({
+            where: {
+                type: 'INDIVIDUAL',
+                email,
+            },
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Update individual user
+     * @param {string} userId - User ID (string from application layer)
+     * @param {Object} updates - Fields to update (with string IDs from application layer)
+     * @param {string} [updates.hashword] - Plain text password (will be bcrypt hashed automatically)
+     * @returns {Promise<Object>} Updated user object with string IDs
+     */
+    async updateIndividualUser(userId, updates) {
+        const intId = this._convertId(userId);
+
+        const data = { ...updates };
+
+        if (data.organizationId !== undefined) {
+            data.organizationId = this._convertId(data.organizationId);
+        }
+        if (data.organization !== undefined) {
+            data.organizationId = this._convertId(data.organization);
+            delete data.organization;
+        }
+
+        if (
+            data.hashword !== undefined &&
+            data.hashword !== null &&
+            data.hashword !== ''
+        ) {
+            if (typeof data.hashword !== 'string') {
+                throw new ClientSafeError('Password must be a string', 400);
+            }
+
+            // Prevent double-hashing: bcrypt hashes start with $2a$ or $2b$
+            if (data.hashword.startsWith('$2')) {
+                throw new Error(
+                    'Password appears to be already hashed. Pass plain text password only.'
+                );
+            }
+
+            data.hashword = await bcrypt.hash(data.hashword, 10);
+        }
+
+        const user = await this.prisma.user.update({
+            where: { id: intId },
+            data,
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Update organization user
+     * @param {string} userId - User ID (string from application layer)
+     * @param {Object} updates - Fields to update
+     * @returns {Promise<Object>} Updated user object with string IDs
+     */
+    async updateOrganizationUser(userId, updates) {
+        const intId = this._convertId(userId);
+        const user = await this.prisma.user.update({
+            where: { id: intId },
+            data: updates,
+        });
+        return this._convertUserIds(user);
+    }
+
+    /**
+     * Delete user by ID
+     * @param {string} userId - User ID to delete (string from application layer)
+     * @returns {Promise<boolean>} True if deleted successfully
+     */
+    async deleteUser(userId) {
+        try {
+            const intId = this._convertId(userId);
+            await this.prisma.user.delete({
+                where: { id: intId },
+            });
+            return true;
+        } catch (error) {
+            if (error.code === 'P2025') {
+                // Record not found
+                return false;
+            }
+            throw error;
+        }
+    }
+
+    /**
+     * Link an individual user to an organization user
+     * @param {string} individualUserId - Individual user ID (string from application layer)
+     * @param {string} organizationUserId - Organization user ID (string from application layer)
+     * @returns {Promise<Object>} Updated individual user with string IDs
+     */
+    async linkIndividualToOrganization(individualUserId, organizationUserId) {
+        const intIndividualId = this._convertId(individualUserId);
+        const intOrganizationId = this._convertId(organizationUserId);
+
+        const user = await this.prisma.user.update({
+            where: {
+                id: intIndividualId,
+                type: 'INDIVIDUAL',
+            },
+            data: {
+                organizationId: intOrganizationId,
+            },
+        });
+        return this._convertUserIds(user);
+    }
+}
+
+module.exports = { UserRepositoryPostgres };

package/user/tests/doubles/test-user-repository.js

@@ -0,0 +1,72 @@
+const Boom = require('@hapi/boom');
+const { User } = require('../../user');
+
+class TestUserRepository {
+    constructor({ userConfig }) {
+        this.individualUsers = new Map();
+        this.organizationUsers = new Map();
+        this.tokens = new Map();
+        this.userConfig = userConfig;
+    }
+
+    async getSessionToken(token) {
+        return this.tokens.get(token);
+    }
+
+    async findOrganizationUserById(userId) {
+        return this.organizationUsers.get(userId);
+    }
+
+    async findIndividualUserById(userId) {
+        return this.individualUsers.get(userId);
+    }
+
+    async createToken(userId, rawToken, minutes = 120) {
+        const token = `token-for-${userId}-for-${minutes}-mins`;
+        this.tokens.set(token, { user: userId, rawToken });
+        return token;
+    }
+
+    async createIndividualUser(params) {
+        const individualUserData = { id: `individual-${Date.now()}`, ...params };
+        this.individualUsers.set(individualUserData.id, individualUserData);
+        return individualUserData;
+    }
+
+    async createOrganizationUser(params) {
+        const orgUserData = { ...params, id: `org-${Date.now()}` };
+        this.organizationUsers.set(orgUserData.id, orgUserData);
+        return orgUserData;
+    }
+
+    async findIndividualUserByUsername(username) {
+        for (const userDoc of this.individualUsers.values()) {
+            if (userDoc.username === username) {
+                return userDoc;
+            }
+        }
+        return null;
+    }
+
+    async findIndividualUserByAppUserId(appUserId) {
+        if (!appUserId) return null;
+        for (const userDoc of this.individualUsers.values()) {
+            if (userDoc.appUserId === appUserId) {
+                return userDoc;
+            }
+        }
+        return null;
+    }
+
+    async findOrganizationUserByAppOrgId(appOrgId) {
+        if (!appOrgId) return null;
+        for (const userDoc of this.organizationUsers.values()) {
+            if (userDoc.appOrgId === appOrgId) {
+                return userDoc;
+            }
+        }
+        return null;
+    }
+}
+
+module.exports = { TestUserRepository }; 

package/user/use-cases/authenticate-user.js

@@ -0,0 +1,127 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * Use case for authenticating a user using multiple authentication strategies.
+ * 
+ * Supports three authentication modes in priority order:
+ * 1. Shared Secret (backend-to-backend with x-frigg-api-key + x-frigg headers)
+ * 2. Adopter JWT (custom JWT authentication)
+ * 3. Frigg Native Token (bearer token from /user/login)
+ * 
+ * x-frigg-appUserId and x-frigg-appOrgId headers are automatically supported
+ * for user identification with any auth mode. When present with JWT or Frigg
+ * tokens, they are validated to match the authenticated user.
+ *
+ * @class AuthenticateUser
+ */
+class AuthenticateUser {
+    /**
+     * Creates a new AuthenticateUser instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('./get-user-from-bearer-token').GetUserFromBearerToken} params.getUserFromBearerToken - Use case for bearer token auth.
+     * @param {import('./get-user-from-x-frigg-headers').GetUserFromXFriggHeaders} params.getUserFromXFriggHeaders - Use case for x-frigg header auth.
+     * @param {import('./get-user-from-adopter-jwt').GetUserFromAdopterJwt} params.getUserFromAdopterJwt - Use case for adopter JWT auth.
+     * @param {import('./authenticate-with-shared-secret').AuthenticateWithSharedSecret} params.authenticateWithSharedSecret - Use case for validating shared secret.
+     * @param {Object} params.userConfig - The user config in the app definition.
+     */
+    constructor({
+        getUserFromBearerToken,
+        getUserFromXFriggHeaders,
+        getUserFromAdopterJwt,
+        authenticateWithSharedSecret,
+        userConfig,
+    }) {
+        this.getUserFromBearerToken = getUserFromBearerToken;
+        this.getUserFromXFriggHeaders = getUserFromXFriggHeaders;
+        this.getUserFromAdopterJwt = getUserFromAdopterJwt;
+        this.authenticateWithSharedSecret = authenticateWithSharedSecret;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {Object} req - Express request object with headers.
+     * @returns {Promise<import('../user').User>} The authenticated user object.
+     * @throws {Boom} Unauthorized if no valid authentication provided.
+     * @throws {Boom} Forbidden if x-frigg headers don't match authenticated user.
+     */
+    async execute(req) {
+        const authModes = this.userConfig.authModes || { friggToken: true };
+        const appUserId = req.headers['x-frigg-appuserid'];
+        const appOrgId = req.headers['x-frigg-apporgid'];
+        let user = null;
+
+        // Priority 1: Shared Secret (backend-to-backend with API key)
+        if (authModes.sharedSecret !== false) {
+            const apiKey = req.headers['x-frigg-api-key'];
+            if (apiKey) {
+                // Validate the API key (authentication)
+                await this.authenticateWithSharedSecret.execute(apiKey);
+                // Get user from x-frigg headers (authorization)
+                return await this.getUserFromXFriggHeaders.execute(
+                    appUserId,
+                    appOrgId
+                );
+            }
+        }
+
+        // Priority 2: Adopter JWT (if enabled)
+        if (
+            authModes.adopterJwt === true &&
+            req.headers.authorization?.startsWith('Bearer ')
+        ) {
+            const token = req.headers.authorization.split(' ')[1];
+            // Detect JWT format (3 parts separated by dots)
+            if (token && token.split('.').length === 3) {
+                user = await this.getUserFromAdopterJwt.execute(token);
+                // Validate x-frigg headers match JWT claims if present
+                if (appUserId || appOrgId) {
+                    this.validateUserMatch(user, appUserId, appOrgId);
+                }
+                return user;
+            }
+        }
+
+        // Priority 3: Frigg native token (default)
+        if (authModes.friggToken !== false && req.headers.authorization) {
+            user = await this.getUserFromBearerToken.execute(
+                req.headers.authorization
+            );
+            // Validate x-frigg headers match token user if present
+            if (appUserId || appOrgId) {
+                this.validateUserMatch(user, appUserId, appOrgId);
+            }
+            return user;
+        }
+
+        throw Boom.unauthorized('No valid authentication provided');
+    }
+
+    /**
+     * Validates that x-frigg headers match authenticated user if provided.
+     * This ensures that when both authentication (via token/JWT) and
+     * x-frigg headers are present, they refer to the same user.
+     *
+     * @param {import('../user').User} user - The authenticated user
+     * @param {string} [appUserId] - The x-frigg-appuserid header value
+     * @param {string} [appOrgId] - The x-frigg-apporgid header value
+     * @throws {Boom} 403 Forbidden if headers don't match user
+     */
+    validateUserMatch(user, appUserId, appOrgId) {
+        if (appUserId && user.getAppUserId() !== appUserId) {
+            throw Boom.forbidden(
+                'x-frigg-appuserid header does not match authenticated user'
+            );
+        }
+        if (appOrgId && user.getAppOrgId() !== appOrgId) {
+            throw Boom.forbidden(
+                'x-frigg-apporgid header does not match authenticated user'
+            );
+        }
+    }
+}
+
+module.exports = { AuthenticateUser };
+
+

package/user/use-cases/authenticate-with-shared-secret.js

@@ -0,0 +1,48 @@
+const Boom = require('@hapi/boom');
+
+/**
+ * Use case for authenticating requests with shared secret API key.
+ * This use case ONLY validates the authenticity of the request via API key.
+ * It does NOT retrieve user data - that's handled by GetUserFromXFriggHeaders.
+ *
+ * Used for backend-to-backend communication where the secret proves
+ * the request is legitimate, but user identification comes from x-frigg headers.
+ *
+ * @class AuthenticateWithSharedSecret
+ */
+class AuthenticateWithSharedSecret {
+    /**
+     * Creates a new AuthenticateWithSharedSecret instance.
+     * @param {Object} params - Configuration parameters (none needed currently, but kept for consistency).
+     */
+    constructor() {
+        // No dependencies needed - just validates against env var
+    }
+
+    /**
+     * Validates the provided shared secret against FRIGG_API_KEY.
+     * @async
+     * @param {string} providedSecret - Secret from x-frigg-api-key header
+     * @returns {Promise<boolean>} True if valid (or throws error if invalid)
+     * @throws {Boom} 500 if FRIGG_API_KEY not configured
+     * @throws {Boom} 401 if provided secret doesn't match
+     */
+    async execute(providedSecret) {
+        // Validate secret
+        const expectedSecret = process.env.FRIGG_API_KEY;
+        if (!expectedSecret) {
+            throw Boom.badImplementation(
+                'FRIGG_API_KEY environment variable is not configured. ' +
+                'Set FRIGG_API_KEY to enable shared secret authentication.'
+            );
+        }
+
+        if (!providedSecret || providedSecret !== expectedSecret) {
+            throw Boom.unauthorized('Invalid API key');
+        }
+
+        return true;
+    }
+}
+
+module.exports = { AuthenticateWithSharedSecret };

package/user/use-cases/create-individual-user.js

@@ -0,0 +1,61 @@
+const { get } = require('../../assertions');
+const Boom = require('@hapi/boom');
+const { User } = require('../user');
+
+/**
+ * Use case for creating an individual user.
+ * @class CreateIndividualUser
+ */
+class CreateIndividualUser {
+    /**
+     * Creates a new CreateIndividualUser instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {import('../user-repository-interface').UserRepositoryInterface} params.userRepository - Repository for user data operations.
+     * @param {Object} params.userConfig - The user properties inside of the app definition.
+     */
+    constructor({ userRepository, userConfig }) {
+        this.userRepository = userRepository;
+        this.userConfig = userConfig;
+    }
+
+    /**
+     * Executes the use case.
+     * @async
+     * @param {Object} params - The parameters for creating the user.
+     * @returns {Promise<import('../user').User>} The newly created user object.
+     */
+    async execute(params) {
+        let hashword;
+        if (this.userConfig.usePassword) {
+            hashword = get(params, 'password');
+        }
+
+        const email = get(params, 'email', null);
+        const username = get(params, 'username', null);
+        if (!email && !username) {
+            throw Boom.badRequest('email or username is required');
+        }
+
+        const appUserId = get(params, 'appUserId', null);
+        const organizationUserId = get(params, 'organizationUserId', null);
+
+        const individualUserData = await this.userRepository.createIndividualUser({
+            email,
+            username,
+            hashword,
+            appUserId,
+            organizationUser: organizationUserId,
+        });
+
+        return new User(
+            individualUserData,
+            null,
+            this.userConfig.usePassword,
+            this.userConfig.primary,
+            this.userConfig.individualUserRequired,
+            this.userConfig.organizationUserRequired
+        );
+    }
+}
+
+module.exports = { CreateIndividualUser };