@friggframework/core 2.0.0-next.6 → 2.0.0-next.61

package/core/Worker.js

@@ -1,10 +1,9 @@
-const AWS = require('aws-sdk');
+const { SQSClient, GetQueueUrlCommand, SendMessageCommand } = require('@aws-sdk/client-sqs');
 const _ = require('lodash');
 const { RequiredPropertyError } = require('../errors');
 const { get } = require('../assertions');
 
-AWS.config.update({ region: process.env.AWS_REGION });
-const sqs = new AWS.SQS({ apiVersion: '2012-11-05' });
+const sqs = new SQSClient({ region: process.env.AWS_REGION });
 
 class Worker {
     async getQueueURL(params) {
@@ -12,15 +11,9 @@ class Worker {
         // let params = {
         //     QueueName:  process.env.QueueName
         // };
-        return new Promise((resolve, reject) => {
-            sqs.getQueueUrl(params, (err, data) => {
-                if (err) {
-                    reject(err);
-                } else {
-                    resolve(data.QueueUrl);
-                }
-            });
-        });
+        const command = new GetQueueUrlCommand(params);
+        const data = await sqs.send(command);
+        return data.QueueUrl;
     }
 
     async run(params, context = {}) {
@@ -54,15 +47,9 @@ class Worker {
     }
 
     async sendAsyncSQSMessage(params) {
-        return new Promise((resolve, reject) => {
-            sqs.sendMessage(params, (err, data) => {
-                if (err) {
-                    reject(err);
-                } else {
-                    resolve(data.MessageId);
-                }
-            });
-        });
+        const command = new SendMessageCommand(params);
+        const data = await sqs.send(command);
+        return data.MessageId;
     }
 
     // Throw an exception if the params do not validate

package/core/create-handler.js

@@ -1,7 +1,7 @@
 // This line should be at the top of the webpacked output, so be sure to require createHandler first in any handlers.  "Soon" sourcemaps will be built into Node... after that, this package won't be needed.
-require('source-map-support').install();
+// REMOVING FOR NOW UNTIL WE ADD WEBPACK BACK IN
+// require('source-map-support').install();
 
-const { connectToDatabase } = require('../database/mongo');
 const { initDebugLog, flushDebugLog } = require('../logs');
 const { secretsToEnv } = require('./secrets-to-env');
 
@@ -10,7 +10,6 @@ const createHandler = (optionByName = {}) => {
         eventName = 'Event',
         isUserFacingResponse = true,
         method,
-        shouldUseDatabase = true,
     } = optionByName;
 
     if (!method) {
@@ -33,10 +32,6 @@ const createHandler = (optionByName = {}) => {
             // Helps mongoose reuse the connection.  Lowers response times.
             context.callbackWaitsForEmptyEventLoop = false;
 
-            if (shouldUseDatabase) {
-                await connectToDatabase();
-            }
-
             // Run the Lambda
             return await method(event, context);
         } catch (error) {
@@ -44,6 +39,18 @@ const createHandler = (optionByName = {}) => {
 
             // Don't leak implementation details to end users.
             if (isUserFacingResponse) {
+                // Allow client-safe errors to pass through with their actual message
+                if (error.isClientSafe === true) {
+                    const statusCode = error.statusCode || 400;
+                    return {
+                        statusCode,
+                        body: JSON.stringify({
+                            error: error.message,
+                        }),
+                    };
+                }
+
+                // Hide other errors with generic message
                 return {
                     statusCode: 500,
                     body: JSON.stringify({

package/credential/repositories/credential-repository-documentdb.js

@@ -0,0 +1,304 @@
+const { prisma } = require('../../database/prisma');
+const {
+    toObjectId,
+    fromObjectId,
+    findOne,
+    insertOne,
+    updateOne,
+    deleteOne,
+} = require('../../database/documentdb-utils');
+const {
+    CredentialRepositoryInterface,
+} = require('./credential-repository-interface');
+const {
+    DocumentDBEncryptionService,
+} = require('../../database/documentdb-encryption-service');
+
+/**
+ * Credential repository for DocumentDB.
+ * Uses DocumentDBEncryptionService for field-level encryption.
+ *
+ * Encrypted fields:
+ * - Credential.data.access_token
+ * - Credential.data.refresh_token
+ * - Credential.data.id_token
+ *
+ * SECURITY CRITICAL: All OAuth credentials must be encrypted at rest.
+ *
+ * @see DocumentDBEncryptionService
+ * @see encryption-schema-registry.js
+ */
+class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
+    constructor() {
+        super();
+        this.prisma = prisma;
+        this.encryptionService = new DocumentDBEncryptionService();
+    }
+
+    async findCredentialById(id) {
+        const objectId = toObjectId(id);
+        if (!objectId) return null;
+        const doc = await findOne(this.prisma, 'Credential', { _id: objectId });
+        if (!doc) return null;
+
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            doc
+        );
+        return this._mapCredentialById(decryptedCredential);
+    }
+
+    async updateAuthenticationStatus(credentialId, authIsValid) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return { acknowledged: false, modifiedCount: 0 };
+        const result = await updateOne(
+            this.prisma,
+            'Credential',
+            { _id: objectId },
+            {
+                $set: { authIsValid, updatedAt: new Date() },
+            }
+        );
+        const modified = result?.nModified ?? result?.n ?? 0;
+        return { acknowledged: true, modifiedCount: modified };
+    }
+
+    async deleteCredentialById(credentialId) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return { acknowledged: true, deletedCount: 0 };
+        const result = await deleteOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        const deleted = result?.n ?? 0;
+        return { acknowledged: true, deletedCount: deleted };
+    }
+
+    async upsertCredential(credentialDetails) {
+        const { identifiers, details } = credentialDetails;
+        if (!identifiers)
+            throw new Error('identifiers required to upsert credential');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
+        }
+        if (!identifiers.externalId) {
+            throw new Error(
+                'externalId required in identifiers to prevent credential collision. When multiple credentials exist for the same user, both userId and externalId are needed to uniquely identify which credential to update.'
+            );
+        }
+
+        const filter = this._buildIdentifierFilter(identifiers);
+        const existing = await findOne(this.prisma, 'Credential', filter);
+        const now = new Date();
+
+        const { authIsValid, ...oauthData } = details || {};
+
+        if (existing) {
+            const decryptedExisting =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    existing
+                );
+            const mergedData = {
+                ...(decryptedExisting.data || {}),
+                ...oauthData,
+            };
+
+            const updateDocument = {
+                userId: existing.userId,
+                externalId: existing.externalId,
+                authIsValid: authIsValid !== undefined ? authIsValid : existing.authIsValid,
+                data: mergedData,
+                updatedAt: now,
+            };
+
+            const encryptedUpdate = await this.encryptionService.encryptFields(
+                'Credential',
+                { data: updateDocument.data }
+            );
+
+            await updateOne(
+                this.prisma,
+                'Credential',
+                { _id: existing._id },
+                {
+                    $set: {
+                        userId: updateDocument.userId,
+                        externalId: updateDocument.externalId,
+                        authIsValid: updateDocument.authIsValid,
+                        data: encryptedUpdate.data,
+                        updatedAt: updateDocument.updatedAt,
+                    },
+                }
+            );
+
+            const updated = await findOne(this.prisma, 'Credential', {
+                _id: existing._id,
+            });
+            const decryptedCredential =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    updated
+                );
+            return this._mapCredential(decryptedCredential);
+        }
+
+        const plainDocument = {
+            userId: toObjectId(identifiers.userId),
+            externalId: identifiers.externalId,
+            authIsValid: details.authIsValid,
+            data: { ...oauthData },
+            createdAt: now,
+            updatedAt: now,
+        };
+
+        const encryptedDocument = await this.encryptionService.encryptFields(
+            'Credential',
+            plainDocument
+        );
+
+        const insertedId = await insertOne(
+            this.prisma,
+            'Credential',
+            encryptedDocument
+        );
+
+        const created = await findOne(this.prisma, 'Credential', {
+            _id: insertedId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            created
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    async findCredential(filter) {
+        const query = this._buildFilter(filter);
+        const credential = await findOne(this.prisma, 'Credential', query);
+        if (!credential) return null;
+
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            credential
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    async updateCredential(credentialId, updates) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return null;
+        const existing = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        if (!existing) return null;
+
+        const { authIsValid, ...oauthData } = updates || {};
+
+        const decryptedExisting = await this.encryptionService.decryptFields(
+            'Credential',
+            existing
+        );
+        const mergedData = { ...(decryptedExisting.data || {}), ...oauthData };
+
+        const updateDocument = {
+            userId: existing.userId,
+            externalId: existing.externalId,
+            authIsValid: authIsValid,
+            data: mergedData,
+            updatedAt: new Date(),
+        };
+
+        const encryptedUpdate = await this.encryptionService.encryptFields(
+            'Credential',
+            { data: updateDocument.data }
+        );
+
+        await updateOne(
+            this.prisma,
+            'Credential',
+            { _id: objectId },
+            {
+                $set: {
+                    userId: updateDocument.userId,
+                    externalId: updateDocument.externalId,
+                    authIsValid: updateDocument.authIsValid,
+                    data: encryptedUpdate.data,
+                    updatedAt: updateDocument.updatedAt,
+                },
+            }
+        );
+
+        const updated = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            updated
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    _buildIdentifierFilter(identifiers) {
+        const filter = {};
+        if (identifiers._id || identifiers.id) {
+            const idObj = toObjectId(identifiers._id || identifiers.id);
+            if (idObj) filter._id = idObj;
+        }
+        if (identifiers.userId) {
+            filter.userId = toObjectId(identifiers.userId);
+        }
+        if (identifiers.externalId !== undefined) {
+            filter.externalId = identifiers.externalId;
+        }
+        return filter;
+    }
+
+    _buildFilter(filter) {
+        const query = {};
+        if (!filter) return query;
+        if (filter.credentialId || filter.id) {
+            const idObj = toObjectId(filter.credentialId || filter.id);
+            if (idObj) query._id = idObj;
+        }
+        if (filter.userId !== undefined) {
+            query.userId = filter.userId;
+        }
+        if (filter.externalId !== undefined) {
+            query.externalId = filter.externalId;
+        }
+        return query;
+    }
+
+    /**
+     * Map credential document to application format
+     * Matches MongoDB repository format
+     * @private
+     */
+    _mapCredential(doc) {
+        const data = doc?.data || {};
+        const id = fromObjectId(doc?._id);
+        const userId = doc?.userId;
+        return {
+            id,
+            userId,
+            externalId: doc?.externalId ?? null,
+            authIsValid: doc?.authIsValid ?? null,
+            ...data,
+        };
+    }
+
+    _mapCredentialById(doc) {
+        const data = doc?.data || {};
+        const id = fromObjectId(doc?._id);
+        const userId = doc?.userId;
+        return {
+            id,
+            userId,
+            externalId: doc?.externalId ?? null,
+            authIsValid: doc?.authIsValid ?? null,
+            ...data,
+        };
+    }
+}
+
+module.exports = { CredentialRepositoryDocumentDB };

package/credential/repositories/credential-repository-factory.js

@@ -0,0 +1,54 @@
+const { CredentialRepositoryMongo } = require('./credential-repository-mongo');
+const {
+    CredentialRepositoryPostgres,
+} = require('./credential-repository-postgres');
+const {
+    CredentialRepositoryDocumentDB,
+} = require('./credential-repository-documentdb');
+const config = require('../../database/config');
+
+/**
+ * Credential Repository Factory
+ * Creates the appropriate repository adapter based on database type
+ *
+ * Database-specific implementations:
+ * - MongoDB: Uses String IDs (ObjectId), no conversion needed
+ * - PostgreSQL: Uses Int IDs, converts String ↔ Int
+ *
+ * All repository methods return String IDs regardless of database type,
+ * ensuring application layer consistency.
+ *
+ * Usage:
+ * ```javascript
+ * const repository = createCredentialRepository();
+ * ```
+ *
+ * @returns {CredentialRepositoryInterface} Configured repository adapter
+ */
+function createCredentialRepository() {
+    const dbType = config.DB_TYPE;
+
+    switch (dbType) {
+        case 'mongodb':
+            return new CredentialRepositoryMongo();
+
+        case 'postgresql':
+            return new CredentialRepositoryPostgres();
+
+        case 'documentdb':
+            return new CredentialRepositoryDocumentDB();
+
+        default:
+            throw new Error(
+                `Unsupported database type: ${dbType}. Supported values: 'mongodb', 'documentdb', 'postgresql'`
+            );
+    }
+}
+
+module.exports = {
+    createCredentialRepository,
+    // Export adapters for direct testing
+    CredentialRepositoryMongo,
+    CredentialRepositoryPostgres,
+    CredentialRepositoryDocumentDB,
+};

package/credential/repositories/credential-repository-interface.js

@@ -0,0 +1,98 @@
+/**
+ * Credential Repository Interface
+ * Abstract base class defining the contract for credential persistence adapters
+ *
+ * This follows the Port in Hexagonal Architecture:
+ * - Domain layer depends on this abstraction
+ * - Concrete adapters implement this interface
+ * - Use cases receive repositories via dependency injection
+ *
+ * Note: Currently, Credential model has identical structure across MongoDB and PostgreSQL,
+ * so CredentialRepository serves both. This interface exists for consistency and
+ * future-proofing if database-specific implementations become needed.
+ *
+ * @abstract
+ */
+class CredentialRepositoryInterface {
+    /**
+     * Find credential by ID
+     *
+     * @param {string|number} id - Credential ID
+     * @returns {Promise<Object|null>} Credential object or null
+     * @abstract
+     */
+    async findCredentialById(id) {
+        throw new Error(
+            'Method findCredentialById must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Update authentication status
+     *
+     * @param {string|number} credentialId - Credential ID
+     * @param {boolean} authIsValid - Authentication validity status
+     * @returns {Promise<Object>} Update result
+     * @abstract
+     */
+    async updateAuthenticationStatus(credentialId, authIsValid) {
+        throw new Error(
+            'Method updateAuthenticationStatus must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Permanently remove a credential document
+     *
+     * @param {string|number} credentialId - Credential ID
+     * @returns {Promise<Object>} Deletion result
+     * @abstract
+     */
+    async deleteCredentialById(credentialId) {
+        throw new Error(
+            'Method deleteCredentialById must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Create or update credential matching identifiers
+     *
+     * @param {{identifiers: Object, details: Object}} credentialDetails
+     * @returns {Promise<Object>} The persisted credential
+     * @abstract
+     */
+    async upsertCredential(credentialDetails) {
+        throw new Error(
+            'Method upsertCredential must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Find a credential by filter criteria
+     *
+     * @param {Object} filter - Filter criteria
+     * @returns {Promise<Object|null>} Credential object or null if not found
+     * @abstract
+     */
+    async findCredential(filter) {
+        throw new Error(
+            'Method findCredential must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Update a credential by ID
+     *
+     * @param {string|number} credentialId - Credential ID
+     * @param {Object} updates - Fields to update
+     * @returns {Promise<Object|null>} Updated credential object or null if not found
+     * @abstract
+     */
+    async updateCredential(credentialId, updates) {
+        throw new Error(
+            'Method updateCredential must be implemented by subclass'
+        );
+    }
+}
+
+module.exports = { CredentialRepositoryInterface };