@friggframework/core 2.0.0-next.8 → 2.0.0-next.80

package/core/Worker.js

@@ -1,10 +1,9 @@
-const AWS = require('aws-sdk');
+const { SQSClient, GetQueueUrlCommand, SendMessageCommand } = require('@aws-sdk/client-sqs');
 const _ = require('lodash');
 const { RequiredPropertyError } = require('../errors');
 const { get } = require('../assertions');
 
-AWS.config.update({ region: process.env.AWS_REGION });
-const sqs = new AWS.SQS({ apiVersion: '2012-11-05' });
+const sqs = new SQSClient({ region: process.env.AWS_REGION });
 
 class Worker {
     async getQueueURL(params) {
@@ -12,25 +11,68 @@ class Worker {
         // let params = {
         //     QueueName:  process.env.QueueName
         // };
-        return new Promise((resolve, reject) => {
-            sqs.getQueueUrl(params, (err, data) => {
-                if (err) {
-                    reject(err);
-                } else {
-                    resolve(data.QueueUrl);
-                }
-            });
-        });
+        const command = new GetQueueUrlCommand(params);
+        const data = await sqs.send(command);
+        return data.QueueUrl;
     }
 
     async run(params, context = {}) {
         const records = get(params, 'Records');
+        const batchItemFailures = [];
+
+        console.log(
+            `[Worker] run: processing ${records.length} record(s)`
+        );
 
         for (const record of records) {
-            const runParams = JSON.parse(record.body);
-            this._validateParams(runParams);
-            await this._run(runParams, context);
+            // Log record entry with SQS-provided attributes useful for tracing
+            // delivery history (ApproximateReceiveCount for retries, etc.).
+            let parsedEvent;
+            try {
+                parsedEvent = JSON.parse(record.body)?.event;
+            } catch {
+                parsedEvent = undefined;
+            }
+            console.log(`[Worker] record begin`, {
+                messageId: record.messageId,
+                event: parsedEvent,
+                receiveCount: record.attributes?.ApproximateReceiveCount,
+            });
+
+            try {
+                const runParams = JSON.parse(record.body);
+                this._validateParams(runParams);
+                await this._run(runParams, context);
+                console.log(`[Worker] record success`, {
+                    messageId: record.messageId,
+                    event: runParams?.event,
+                });
+            } catch (error) {
+                if (error.isHaltError) {
+                    // HaltError means "discard this message, don't retry".
+                    // Treat as success so SQS deletes it from the queue.
+                    // Logged explicitly — silent discards made prod debugging
+                    // extremely hard; keep this visible.
+                    console.warn(`[Worker] record halted (discarded, no retry)`, {
+                        messageId: record.messageId,
+                        event: parsedEvent,
+                        reason: error.message,
+                        statusCode: error.statusCode,
+                    });
+                    continue;
+                }
+                console.error(`[Worker] Failed to process record ${record.messageId}:`, error);
+                batchItemFailures.push({ itemIdentifier: record.messageId });
+            }
         }
+
+        if (batchItemFailures.length > 0) {
+            console.warn(
+                `[Worker] run: returning ${batchItemFailures.length} batchItemFailure(s) of ${records.length}`
+            );
+        }
+
+        return { batchItemFailures };
     }
 
     async _run(params, context = {}) {
@@ -54,15 +96,9 @@ class Worker {
     }
 
     async sendAsyncSQSMessage(params) {
-        return new Promise((resolve, reject) => {
-            sqs.sendMessage(params, (err, data) => {
-                if (err) {
-                    reject(err);
-                } else {
-                    resolve(data.MessageId);
-                }
-            });
-        });
+        const command = new SendMessageCommand(params);
+        const data = await sqs.send(command);
+        return data.MessageId;
     }
 
     // Throw an exception if the params do not validate

package/core/create-handler.js

@@ -1,16 +1,54 @@
 // This line should be at the top of the webpacked output, so be sure to require createHandler first in any handlers.  "Soon" sourcemaps will be built into Node... after that, this package won't be needed.
-require('source-map-support').install();
+// REMOVING FOR NOW UNTIL WE ADD WEBPACK BACK IN
+// require('source-map-support').install();
 
-const { connectToDatabase } = require('../database/mongo');
 const { initDebugLog, flushDebugLog } = require('../logs');
 const { secretsToEnv } = require('./secrets-to-env');
 
+// Best-effort extraction of correlation identifiers from a Lambda event.
+// For SQS: pulls messageIds + parsed event/processId/integrationId from each
+// record body. For HTTP: pulls method+path. Never throws.
+const summarizeLambdaEvent = (event) => {
+    if (!event) return {};
+    if (Array.isArray(event.Records)) {
+        return {
+            source: 'sqs',
+            records: event.Records.map((r) => {
+                let parsed = {};
+                try {
+                    const body = JSON.parse(r.body);
+                    parsed = {
+                        event: body?.event,
+                        processId: body?.data?.processId,
+                        integrationId: body?.data?.integrationId,
+                    };
+                } catch {
+                    // ignore unparseable bodies
+                }
+                return {
+                    messageId: r.messageId,
+                    receiveCount: r.attributes?.ApproximateReceiveCount,
+                    ...parsed,
+                };
+            }),
+        };
+    }
+    if (event.httpMethod || event.requestContext?.http) {
+        return {
+            source: 'http',
+            method:
+                event.httpMethod || event.requestContext?.http?.method,
+            path: event.path || event.rawPath,
+        };
+    }
+    return { source: 'other' };
+};
+
 const createHandler = (optionByName = {}) => {
     const {
         eventName = 'Event',
         isUserFacingResponse = true,
         method,
-        shouldUseDatabase = true,
     } = optionByName;
 
     if (!method) {
@@ -18,7 +56,18 @@ const createHandler = (optionByName = {}) => {
     }
 
     return async (event, context) => {
+        const eventSummary = summarizeLambdaEvent(event);
+
         try {
+            console.info(
+                `[createHandler] ${eventName}: handler entry`,
+                {
+                    eventName,
+                    awsRequestId: context?.awsRequestId,
+                    ...eventSummary,
+                }
+            );
+
             initDebugLog(eventName, event);
 
             const requestMethod = event.httpMethod;
@@ -30,13 +79,9 @@ const createHandler = (optionByName = {}) => {
             // If enabled (i.e. if SECRET_ARN is set in process.env) Fetch secrets from AWS Secrets Manager, and set them as environment variables.
             await secretsToEnv();
 
-            // Helps mongoose reuse the connection.  Lowers response times.
+            // Helps reuse the database connection.  Lowers response times.
             context.callbackWaitsForEmptyEventLoop = false;
 
-            if (shouldUseDatabase) {
-                await connectToDatabase();
-            }
-
             // Run the Lambda
             return await method(event, context);
         } catch (error) {
@@ -44,6 +89,18 @@ const createHandler = (optionByName = {}) => {
 
             // Don't leak implementation details to end users.
             if (isUserFacingResponse) {
+                // Allow client-safe errors to pass through with their actual message
+                if (error.isClientSafe === true) {
+                    const statusCode = error.statusCode || 400;
+                    return {
+                        statusCode,
+                        body: JSON.stringify({
+                            error: error.message,
+                        }),
+                    };
+                }
+
+                // Hide other errors with generic message
                 return {
                     statusCode: 500,
                     body: JSON.stringify({
@@ -55,7 +112,21 @@ const createHandler = (optionByName = {}) => {
             // Handle server-to-server responses.
 
             // Halt errors are logged but suceed and won't be retried.
+            // Log explicitly — silent suppression here previously made stuck
+            // messages invisible to observability tooling. Include
+            // eventSummary so operators can correlate across concurrent
+            // invocations (processId / messageIds / HTTP path).
             if (error.isHaltError === true) {
+                console.warn(
+                    `[createHandler] ${eventName}: halt error suppressed (no retry)`,
+                    {
+                        eventName,
+                        errorName: error.name,
+                        errorMessage: error.message,
+                        statusCode: error.statusCode,
+                        ...eventSummary,
+                    }
+                );
                 return;
             }
 

package/credential/repositories/credential-repository-documentdb.js

@@ -0,0 +1,304 @@
+const { prisma } = require('../../database/prisma');
+const {
+    toObjectId,
+    fromObjectId,
+    findOne,
+    insertOne,
+    updateOne,
+    deleteOne,
+} = require('../../database/documentdb-utils');
+const {
+    CredentialRepositoryInterface,
+} = require('./credential-repository-interface');
+const {
+    DocumentDBEncryptionService,
+} = require('../../database/documentdb-encryption-service');
+
+/**
+ * Credential repository for DocumentDB.
+ * Uses DocumentDBEncryptionService for field-level encryption.
+ *
+ * Encrypted fields:
+ * - Credential.data.access_token
+ * - Credential.data.refresh_token
+ * - Credential.data.id_token
+ *
+ * SECURITY CRITICAL: All OAuth credentials must be encrypted at rest.
+ *
+ * @see DocumentDBEncryptionService
+ * @see encryption-schema-registry.js
+ */
+class CredentialRepositoryDocumentDB extends CredentialRepositoryInterface {
+    constructor() {
+        super();
+        this.prisma = prisma;
+        this.encryptionService = new DocumentDBEncryptionService();
+    }
+
+    async findCredentialById(id) {
+        const objectId = toObjectId(id);
+        if (!objectId) return null;
+        const doc = await findOne(this.prisma, 'Credential', { _id: objectId });
+        if (!doc) return null;
+
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            doc
+        );
+        return this._mapCredentialById(decryptedCredential);
+    }
+
+    async updateAuthenticationStatus(credentialId, authIsValid) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return { acknowledged: false, modifiedCount: 0 };
+        const result = await updateOne(
+            this.prisma,
+            'Credential',
+            { _id: objectId },
+            {
+                $set: { authIsValid, updatedAt: new Date() },
+            }
+        );
+        const modified = result?.nModified ?? result?.n ?? 0;
+        return { acknowledged: true, modifiedCount: modified };
+    }
+
+    async deleteCredentialById(credentialId) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return { acknowledged: true, deletedCount: 0 };
+        const result = await deleteOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        const deleted = result?.n ?? 0;
+        return { acknowledged: true, deletedCount: deleted };
+    }
+
+    async upsertCredential(credentialDetails) {
+        const { identifiers, details } = credentialDetails;
+        if (!identifiers)
+            throw new Error('identifiers required to upsert credential');
+        if (!identifiers.userId) {
+            throw new Error('userId required in identifiers');
+        }
+        if (!identifiers.externalId) {
+            throw new Error(
+                'externalId required in identifiers to prevent credential collision. When multiple credentials exist for the same user, both userId and externalId are needed to uniquely identify which credential to update.'
+            );
+        }
+
+        const filter = this._buildIdentifierFilter(identifiers);
+        const existing = await findOne(this.prisma, 'Credential', filter);
+        const now = new Date();
+
+        const { authIsValid, ...oauthData } = details || {};
+
+        if (existing) {
+            const decryptedExisting =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    existing
+                );
+            const mergedData = {
+                ...(decryptedExisting.data || {}),
+                ...oauthData,
+            };
+
+            const updateDocument = {
+                userId: existing.userId,
+                externalId: existing.externalId,
+                authIsValid: authIsValid !== undefined ? authIsValid : existing.authIsValid,
+                data: mergedData,
+                updatedAt: now,
+            };
+
+            const encryptedUpdate = await this.encryptionService.encryptFields(
+                'Credential',
+                { data: updateDocument.data }
+            );
+
+            await updateOne(
+                this.prisma,
+                'Credential',
+                { _id: existing._id },
+                {
+                    $set: {
+                        userId: updateDocument.userId,
+                        externalId: updateDocument.externalId,
+                        authIsValid: updateDocument.authIsValid,
+                        data: encryptedUpdate.data,
+                        updatedAt: updateDocument.updatedAt,
+                    },
+                }
+            );
+
+            const updated = await findOne(this.prisma, 'Credential', {
+                _id: existing._id,
+            });
+            const decryptedCredential =
+                await this.encryptionService.decryptFields(
+                    'Credential',
+                    updated
+                );
+            return this._mapCredential(decryptedCredential);
+        }
+
+        const plainDocument = {
+            userId: toObjectId(identifiers.userId),
+            externalId: identifiers.externalId,
+            authIsValid: details.authIsValid,
+            data: { ...oauthData },
+            createdAt: now,
+            updatedAt: now,
+        };
+
+        const encryptedDocument = await this.encryptionService.encryptFields(
+            'Credential',
+            plainDocument
+        );
+
+        const insertedId = await insertOne(
+            this.prisma,
+            'Credential',
+            encryptedDocument
+        );
+
+        const created = await findOne(this.prisma, 'Credential', {
+            _id: insertedId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            created
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    async findCredential(filter) {
+        const query = this._buildFilter(filter);
+        const credential = await findOne(this.prisma, 'Credential', query);
+        if (!credential) return null;
+
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            credential
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    async updateCredential(credentialId, updates) {
+        const objectId = toObjectId(credentialId);
+        if (!objectId) return null;
+        const existing = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        if (!existing) return null;
+
+        const { authIsValid, ...oauthData } = updates || {};
+
+        const decryptedExisting = await this.encryptionService.decryptFields(
+            'Credential',
+            existing
+        );
+        const mergedData = { ...(decryptedExisting.data || {}), ...oauthData };
+
+        const updateDocument = {
+            userId: existing.userId,
+            externalId: existing.externalId,
+            authIsValid: authIsValid,
+            data: mergedData,
+            updatedAt: new Date(),
+        };
+
+        const encryptedUpdate = await this.encryptionService.encryptFields(
+            'Credential',
+            { data: updateDocument.data }
+        );
+
+        await updateOne(
+            this.prisma,
+            'Credential',
+            { _id: objectId },
+            {
+                $set: {
+                    userId: updateDocument.userId,
+                    externalId: updateDocument.externalId,
+                    authIsValid: updateDocument.authIsValid,
+                    data: encryptedUpdate.data,
+                    updatedAt: updateDocument.updatedAt,
+                },
+            }
+        );
+
+        const updated = await findOne(this.prisma, 'Credential', {
+            _id: objectId,
+        });
+        const decryptedCredential = await this.encryptionService.decryptFields(
+            'Credential',
+            updated
+        );
+        return this._mapCredential(decryptedCredential);
+    }
+
+    _buildIdentifierFilter(identifiers) {
+        const filter = {};
+        if (identifiers._id || identifiers.id) {
+            const idObj = toObjectId(identifiers._id || identifiers.id);
+            if (idObj) filter._id = idObj;
+        }
+        if (identifiers.userId) {
+            filter.userId = toObjectId(identifiers.userId);
+        }
+        if (identifiers.externalId !== undefined) {
+            filter.externalId = identifiers.externalId;
+        }
+        return filter;
+    }
+
+    _buildFilter(filter) {
+        const query = {};
+        if (!filter) return query;
+        if (filter.credentialId || filter.id) {
+            const idObj = toObjectId(filter.credentialId || filter.id);
+            if (idObj) query._id = idObj;
+        }
+        if (filter.userId !== undefined) {
+            query.userId = filter.userId;
+        }
+        if (filter.externalId !== undefined) {
+            query.externalId = filter.externalId;
+        }
+        return query;
+    }
+
+    /**
+     * Map credential document to application format
+     * Matches MongoDB repository format
+     * @private
+     */
+    _mapCredential(doc) {
+        const data = doc?.data || {};
+        const id = fromObjectId(doc?._id);
+        const userId = doc?.userId;
+        return {
+            id,
+            userId,
+            externalId: doc?.externalId ?? null,
+            authIsValid: doc?.authIsValid ?? null,
+            ...data,
+        };
+    }
+
+    _mapCredentialById(doc) {
+        const data = doc?.data || {};
+        const id = fromObjectId(doc?._id);
+        const userId = doc?.userId;
+        return {
+            id,
+            userId,
+            externalId: doc?.externalId ?? null,
+            authIsValid: doc?.authIsValid ?? null,
+            ...data,
+        };
+    }
+}
+
+module.exports = { CredentialRepositoryDocumentDB };

package/credential/repositories/credential-repository-factory.js

@@ -0,0 +1,54 @@
+const { CredentialRepositoryMongo } = require('./credential-repository-mongo');
+const {
+    CredentialRepositoryPostgres,
+} = require('./credential-repository-postgres');
+const {
+    CredentialRepositoryDocumentDB,
+} = require('./credential-repository-documentdb');
+const config = require('../../database/config');
+
+/**
+ * Credential Repository Factory
+ * Creates the appropriate repository adapter based on database type
+ *
+ * Database-specific implementations:
+ * - MongoDB: Uses String IDs (ObjectId), no conversion needed
+ * - PostgreSQL: Uses Int IDs, converts String ↔ Int
+ *
+ * All repository methods return String IDs regardless of database type,
+ * ensuring application layer consistency.
+ *
+ * Usage:
+ * ```javascript
+ * const repository = createCredentialRepository();
+ * ```
+ *
+ * @returns {CredentialRepositoryInterface} Configured repository adapter
+ */
+function createCredentialRepository() {
+    const dbType = config.DB_TYPE;
+
+    switch (dbType) {
+        case 'mongodb':
+            return new CredentialRepositoryMongo();
+
+        case 'postgresql':
+            return new CredentialRepositoryPostgres();
+
+        case 'documentdb':
+            return new CredentialRepositoryDocumentDB();
+
+        default:
+            throw new Error(
+                `Unsupported database type: ${dbType}. Supported values: 'mongodb', 'documentdb', 'postgresql'`
+            );
+    }
+}
+
+module.exports = {
+    createCredentialRepository,
+    // Export adapters for direct testing
+    CredentialRepositoryMongo,
+    CredentialRepositoryPostgres,
+    CredentialRepositoryDocumentDB,
+};

package/credential/repositories/credential-repository-interface.js

@@ -0,0 +1,98 @@
+/**
+ * Credential Repository Interface
+ * Abstract base class defining the contract for credential persistence adapters
+ *
+ * This follows the Port in Hexagonal Architecture:
+ * - Domain layer depends on this abstraction
+ * - Concrete adapters implement this interface
+ * - Use cases receive repositories via dependency injection
+ *
+ * Note: Currently, Credential model has identical structure across MongoDB and PostgreSQL,
+ * so CredentialRepository serves both. This interface exists for consistency and
+ * future-proofing if database-specific implementations become needed.
+ *
+ * @abstract
+ */
+class CredentialRepositoryInterface {
+    /**
+     * Find credential by ID
+     *
+     * @param {string|number} id - Credential ID
+     * @returns {Promise<Object|null>} Credential object or null
+     * @abstract
+     */
+    async findCredentialById(id) {
+        throw new Error(
+            'Method findCredentialById must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Update authentication status
+     *
+     * @param {string|number} credentialId - Credential ID
+     * @param {boolean} authIsValid - Authentication validity status
+     * @returns {Promise<Object>} Update result
+     * @abstract
+     */
+    async updateAuthenticationStatus(credentialId, authIsValid) {
+        throw new Error(
+            'Method updateAuthenticationStatus must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Permanently remove a credential document
+     *
+     * @param {string|number} credentialId - Credential ID
+     * @returns {Promise<Object>} Deletion result
+     * @abstract
+     */
+    async deleteCredentialById(credentialId) {
+        throw new Error(
+            'Method deleteCredentialById must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Create or update credential matching identifiers
+     *
+     * @param {{identifiers: Object, details: Object}} credentialDetails
+     * @returns {Promise<Object>} The persisted credential
+     * @abstract
+     */
+    async upsertCredential(credentialDetails) {
+        throw new Error(
+            'Method upsertCredential must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Find a credential by filter criteria
+     *
+     * @param {Object} filter - Filter criteria
+     * @returns {Promise<Object|null>} Credential object or null if not found
+     * @abstract
+     */
+    async findCredential(filter) {
+        throw new Error(
+            'Method findCredential must be implemented by subclass'
+        );
+    }
+
+    /**
+     * Update a credential by ID
+     *
+     * @param {string|number} credentialId - Credential ID
+     * @param {Object} updates - Fields to update
+     * @returns {Promise<Object|null>} Updated credential object or null if not found
+     * @abstract
+     */
+    async updateCredential(credentialId, updates) {
+        throw new Error(
+            'Method updateCredential must be implemented by subclass'
+        );
+    }
+}
+
+module.exports = { CredentialRepositoryInterface };