@jmruthers/pace-core 0.5.107 → 0.5.109

package/src/components/PaceAppLayout/PaceAppLayout.tsx

@@ -243,7 +243,7 @@ export interface PaceAppLayoutProps {
  * 
  * 
  * @example
- * Custom navigation items with permission filtering:
+ * Custom navigation items with permission filtering (works independently of route enforcement):
  * ```tsx
  * import { NavigationItem } from '@jmruthers/pace-core';
  * 
@@ -261,13 +261,15 @@ export interface PaceAppLayoutProps {
  *           <PaceAppLayout 
  *             appName="My Custom App" 
  *             navItems={customNavItems}
- *             enforcePermissions={true}
+ *             // Navigation filtering works independently - no need for enforcePermissions
  *             filterNavigationByPermissions={true}
  *             routePermissions={{
  *               '/components': 'read',
  *               '/styles': 'read',
  *               '/meals': 'read'
  *             }}
+ *             // Optionally enable route-level enforcement (separate from navigation filtering)
+ *             // enforcePermissions={true}
  *           />
  *         }>
  *           <Route path="components" element={<ComponentsPage />} />
@@ -367,12 +369,24 @@ export function PaceAppLayout({
       
       // Check if user is super admin first - super admins can access everything
       // regardless of organisation context
-      const { isSuperAdmin } = await import('../../rbac/api');
-      const isSuper = await isSuperAdmin(user.id);
-      
-      if (isSuper) {
-        // Super admin bypass - allow access regardless of organisation context
-        return true;
+      // Gracefully handle RBAC not being initialized (e.g., in tests)
+      try {
+        const { isSuperAdmin } = await import('../../rbac/api');
+        const isSuper = await isSuperAdmin(user.id);
+        
+        if (isSuper) {
+          // Super admin bypass - allow access regardless of organisation context
+          return true;
+        }
+      } catch (error) {
+        // If RBAC is not initialized (e.g., in tests), continue with normal permission check
+        // This prevents errors from breaking permission checks when RBAC isn't available
+        if (error && typeof error === 'object' && 'code' in error && error.code === 'RBAC_NOT_INITIALIZED') {
+          // RBAC not available - proceed with normal permission check
+        } else {
+          // Re-throw unexpected errors
+          throw error;
+        }
       }
       
       // For non-super admins, ensure we have at least organisationId for RBAC
@@ -381,10 +395,16 @@ export function PaceAppLayout({
         return false;
       }
       
+      // Construct the full permission string in format "operation:page.pageId"
+      // If permission already includes ':', use it as-is, otherwise format as "operation:page.pageId"
+      const fullPermission: Permission = permission.includes(':')
+        ? (permission as Permission)
+        : (pageId ? `${permission}:page.${pageId}` : permission) as Permission;
+      
       return await isPermitted({
         userId: user.id,
         scope,
-        permission: permission as Permission,
+        permission: fullPermission,
         pageId
       });
     } catch (error) {
@@ -498,10 +518,12 @@ export function PaceAppLayout({
   }, [enforcePermissions, currentRoutePermission, currentPageId, strictMode, user?.id]);
 
   // Filter navigation items based on permissions
+  // This works independently of route enforcement - navigation filtering doesn't require enforcePermissions
   const [filteredMenuItems, setFilteredMenuItems] = useState<NavigationItem[]>(baseMenuItems);
 
   useEffect(() => {
-    if (!filterNavigationByPermissions || !enforcePermissions) {
+    // Allow navigation filtering without route enforcement
+    if (!filterNavigationByPermissions) {
       setFilteredMenuItems(baseMenuItems);
       return;
     }
@@ -509,29 +531,108 @@ export function PaceAppLayout({
     let isMounted = true;
 
     const filterItems = async () => {
-      const filtered = await Promise.all(
-        baseMenuItems.map(async (item) => {
+      // Wait for organisation context to be ready before filtering
+      // This prevents blocking navigation while context is loading
+      if (!user?.id) {
+        // User not loaded yet - show all items until context is ready
+        if (isMounted) {
+          setFilteredMenuItems(baseMenuItems);
+        }
+        return;
+      }
+
+      // Check if organisation context is available
+      const scope = {
+        organisationId: user.user_metadata?.organisationId || user.app_metadata?.organisationId,
+        eventId: user.user_metadata?.eventId || user.app_metadata?.eventId,
+        appId: user.user_metadata?.appId || user.app_metadata?.appId,
+      };
+
+      // For super admins, show all items (they bypass permission checks)
+      // Gracefully handle RBAC not being initialized (e.g., in tests)
+      try {
+        const { isSuperAdmin } = await import('../../rbac/api');
+        const isSuper = await isSuperAdmin(user.id);
+        
+        if (isSuper) {
+          // Super admins see all navigation items
+          if (isMounted) {
+            setFilteredMenuItems(baseMenuItems);
+          }
+          return;
+        }
+      } catch (error) {
+        // If RBAC is not initialized (e.g., in tests), continue with normal filtering
+        // This prevents errors from breaking navigation when RBAC isn't available
+        if (error && typeof error === 'object' && 'code' in error && error.code === 'RBAC_NOT_INITIALIZED') {
+          // RBAC not available - proceed with normal filtering without super admin check
+          // In this case, we'll filter items normally based on permissions
+        } else {
+          // Re-throw unexpected errors
+          throw error;
+        }
+      }
+
+      // If no organisation context yet, show all items until context is ready
+      // This prevents navigation from being empty while context loads
+      if (!scope.organisationId) {
+        if (isMounted) {
+          setFilteredMenuItems(baseMenuItems);
+        }
+        return;
+      }
+
+      // Organisation context is ready - now filter items based on permissions
+      // OPTIMIZATION: Use batch permission map instead of individual checks to avoid rate limits
+      // This makes 1 call instead of N calls (where N = number of navigation items)
+      try {
+        const { getPermissionMap } = await import('../../rbac/api');
+        const permissionMap = await getPermissionMap({
+          userId: user.id,
+          scope,
+        });
+
+        // Filter items using the permission map (synchronous, no rate limit issues)
+        const filtered = baseMenuItems.map((item) => {
           if (!item.href) return { item, hasAccess: true };
           
           const pageId = pageIdMapping[item.href] || item.href.slice(1) || 'home';
           const permission = routePermissions[item.href] || defaultPermission;
+          const fullPermission: Permission = permission.includes(':')
+            ? (permission as Permission)
+            : (pageId ? `${permission}:page.${pageId}` : permission) as Permission;
+          
+          // Check permission map (super admin check already handled in getPermissionMap)
+          const hasAccess = permissionMap['*'] === true || permissionMap[fullPermission] === true;
           
-          try {
-            const hasAccess = await checkPermission(permission, pageId);
-            return { item, hasAccess };
-          } catch {
-            return { item, hasAccess: false };
+          if (auditLog) {
+            console.log(`[PaceAppLayout] Navigation filtering:`, {
+              item: item.label,
+              href: item.href,
+              pageId,
+              permission: fullPermission,
+              hasAccess,
+            });
           }
-        })
-      );
+          
+          return { item, hasAccess };
+        });
 
-      if (!isMounted) return;
+        if (!isMounted) return;
 
-      const accessibleItems = filtered
-        .filter(({ hasAccess }) => hasAccess)
-        .map(({ item }) => item);
+        const accessibleItems = filtered
+          .filter(({ hasAccess }) => hasAccess)
+          .map(({ item }) => item);
 
-      setFilteredMenuItems(accessibleItems);
+        setFilteredMenuItems(accessibleItems);
+      } catch (error) {
+        // On error, fall back to showing all items (graceful degradation)
+        // This prevents navigation from being empty if permission checks fail
+        console.error('[PaceAppLayout] Failed to load permission map for navigation filtering:', error);
+        if (isMounted) {
+          setFilteredMenuItems(baseMenuItems);
+        }
+      }
     };
 
     filterItems();
@@ -539,7 +640,7 @@ export function PaceAppLayout({
     return () => {
       isMounted = false;
     };
-  }, [baseMenuItems, filterNavigationByPermissions, enforcePermissions, pageIdMapping, routePermissions, defaultPermission]);
+  }, [baseMenuItems, filterNavigationByPermissions, pageIdMapping, routePermissions, defaultPermission, checkPermission, user?.id, user?.user_metadata, user?.app_metadata]);
 
   // NEW: Phase 2 - Enhanced Routing Features
   // Check route access for role-based routing

package/src/components/PaceAppLayout/__tests__/PaceAppLayout.security.test.tsx

@@ -715,7 +715,8 @@ describe('PaceAppLayout Security', () => {
       const { isPermitted } = await import('../../../rbac/api');
       vi.mocked(isPermitted).mockImplementation(({ userId, scope, permission, pageId }) => {
         // Simulate user trying to access admin with read permission
-        if (pageId === 'admin' && permission === 'read') {
+        // Permission is now formatted as "operation:page.pageId"
+        if (pageId === 'admin' && permission === 'read:page.admin') {
           return Promise.resolve(false);
         }
         return Promise.resolve(true);

package/src/components/PaceAppLayout/__tests__/PaceAppLayout.unit.test.tsx

@@ -572,7 +572,7 @@ describe('PaceAppLayout Component', () => {
         expect(mockIsPermitted).toHaveBeenCalledWith({
           userId: 'test-user-id',
           scope: expect.objectContaining({ organisationId: 'test-org-123' }),
-          permission: 'delete',
+          permission: 'delete:page.test-path',
           pageId: 'test-path'
         });
       });
@@ -597,7 +597,7 @@ describe('PaceAppLayout Component', () => {
         expect(mockIsPermitted).toHaveBeenCalledWith({
           userId: 'test-user-id',
           scope: expect.objectContaining({ organisationId: 'test-org-123' }),
-          permission: 'read',
+          permission: 'read:page.custom-page-id',
           pageId: 'custom-page-id'
         });
       });
@@ -816,11 +816,8 @@ describe('PaceAppLayout Component', () => {
     });
 
     it('handles location changes correctly', async () => {
-      // Change location
-      Object.defineProperty(window, 'location', {
-        value: { pathname: '/new-path' },
-        writable: true
-      });
+      // Change location - update the mockLocation object since component uses useLocation()
+      mockLocation.pathname = '/new-path';
       
       render(
         <TestWrapper>
@@ -832,10 +829,13 @@ describe('PaceAppLayout Component', () => {
         expect(mockIsPermitted).toHaveBeenCalledWith({
           userId: 'test-user-id',
           scope: expect.objectContaining({ organisationId: 'test-org-123' }),
-          permission: 'read',
-          pageId: 'test-path'
+          permission: 'read:page.new-path',
+          pageId: 'new-path'
         });
       });
+      
+      // Reset for other tests
+      mockLocation.pathname = '/test-path';
     });
   });
 

package/src/index.ts

@@ -20,6 +20,9 @@
 export { UnifiedAuthProvider, useUnifiedAuth } from './providers/UnifiedAuthProvider';
 export type { UnifiedAuthProviderProps, UnifiedAuthContextType, UserEventAccess } from './providers/UnifiedAuthProvider';
 
+// Session tracking utility (for manual use if needed)
+export { useSessionTracking } from './utils/sessionTracking';
+
 // Provider components (using service architecture)
 export { EventProvider } from './providers/EventProvider';
 export { OrganisationProvider } from './providers/OrganisationProvider';

package/src/providers/services/AuthServiceProvider.tsx

@@ -24,13 +24,14 @@ export const AuthServiceContext = createContext<AuthServiceContextType | null>(n
 export interface AuthServiceProviderProps {
   children: React.ReactNode;
   supabaseClient: SupabaseClient;
+  appName?: string;
 }
 
-export function AuthServiceProvider({ children, supabaseClient }: AuthServiceProviderProps) {
+export function AuthServiceProvider({ children, supabaseClient, appName }: AuthServiceProviderProps) {
   // Create service instance with useMemo to prevent recreation on every render
   const authService = useMemo(
-    () => new AuthService(supabaseClient),
-    [supabaseClient]
+    () => new AuthService(supabaseClient, appName),
+    [supabaseClient, appName]
   );
 
   const [sessionRestoration, setSessionRestoration] = useState<SessionRestorationState>(

package/src/providers/services/UnifiedAuthProvider.tsx

@@ -526,7 +526,7 @@ export function UnifiedAuthProvider({
   dangerouslyDisableInactivity = false
 }: UnifiedAuthProviderProps) {
   return (
-    <AuthServiceProvider supabaseClient={supabaseClient}>
+    <AuthServiceProvider supabaseClient={supabaseClient} appName={appName}>
       <ServiceAwareProviders
         supabaseClient={supabaseClient}
         appName={appName}

package/src/rbac/engine.ts

@@ -474,11 +474,13 @@ export class RBACEngine {
 
     try {
       const { userId, scope } = input;
+      // Call unified function (tech debt removed: consolidated from 2 overloaded versions)
       const { data, error } = await (this.supabase as any).rpc('rbac_permissions_get', {
         p_user_id: userId,
         p_organisation_id: scope.organisationId || null,
         p_event_id: scope.eventId || null,
         p_app_id: scope.appId || null,
+        p_page_id: null, // Optional: can filter to specific page if needed
       });
 
       if (error) {

package/src/services/AuthService.ts

@@ -28,10 +28,12 @@ export class AuthService extends BaseService implements IAuthService {
   private restorationTimeoutId: ReturnType<typeof setTimeout> | null = null;
   private readonly restorationTimeoutMs = 5000;
   private restorationStartTime: number | null = null;
+  private appName: string | undefined = undefined;
 
-  constructor(supabaseClient: SupabaseClient) {
+  constructor(supabaseClient: SupabaseClient, appName?: string) {
     super();
     this.supabaseClient = supabaseClient;
+    this.appName = appName;
   }
 
   // Auth state getters
@@ -386,6 +388,13 @@ export class AuthService extends BaseService implements IAuthService {
               this.session = null;
               this.user = null;
               this.authError = null;
+              
+              // Automatic session tracking (non-blocking)
+              if (session?.user) {
+                this.trackSession('logout', session).catch(err => {
+                  console.warn('[AuthService] Failed to track logout session:', err);
+                });
+              }
             } else if (event === 'SIGNED_IN' || event === 'TOKEN_REFRESHED') {
               this.session = session;
               this.user = session?.user ?? null;
@@ -394,6 +403,14 @@ export class AuthService extends BaseService implements IAuthService {
               if (session) {
                 this.authError = null;
               }
+              
+              // Automatic session tracking for login (non-blocking)
+              // Only track on SIGNED_IN, not TOKEN_REFRESHED (to avoid duplicate login records)
+              if (event === 'SIGNED_IN' && session?.user) {
+                this.trackSession('login', session).catch(err => {
+                  console.warn('[AuthService] Failed to track login session:', err);
+                });
+              }
             } else if (event === 'INITIAL_SESSION') {
               if (session) {
                 this.session = session;
@@ -502,6 +519,67 @@ export class AuthService extends BaseService implements IAuthService {
     }
   }
 
+  /**
+   * Automatically track user session using rbac_session_track
+   * This method is called automatically on SIGNED_IN and SIGNED_OUT events.
+   * It's non-blocking and failures are logged as warnings.
+   */
+  private async trackSession(
+    sessionType: 'login' | 'logout',
+    session: Session | null
+  ): Promise<void> {
+    if (!this.supabaseClient || !session?.user) {
+      return;
+    }
+
+    try {
+      // Resolve app_id from appName if available
+      let appId: string | undefined = undefined;
+      if (this.appName) {
+        const { data, error } = await this.supabaseClient
+          .from('rbac_apps')
+          .select('id')
+          .eq('name', this.appName)
+          .eq('is_active', true)
+          .single();
+        
+        if (!error && data) {
+          appId = data.id;
+        }
+      }
+
+      // Get IP address and user agent from browser (if available)
+      const ipAddress = undefined; // Browser doesn't expose IP directly, could use API
+      const userAgent = typeof navigator !== 'undefined' ? navigator.userAgent : undefined;
+      
+      // Get device fingerprint from localStorage if available
+      // Note: Device fingerprinting should be done by consuming app and passed via custom header
+      // For now, we'll skip it to avoid dependencies
+      const deviceFingerprint = undefined;
+
+      // Call rbac_session_track RPC function
+      // This automatically inserts into rbac_user_sessions AND rbac_user_login_history (for login)
+      const { error } = await (this.supabaseClient as any).rpc('rbac_session_track', {
+        p_user_id: session.user.id,
+        p_session_type: sessionType,
+        p_event_id: null, // Event ID should come from context, not auth service
+        p_app_id: appId,
+        p_ip_address: ipAddress,
+        p_user_agent: userAgent,
+        p_device_fingerprint: deviceFingerprint,
+      });
+
+      if (error) {
+        console.warn(`[AuthService] Failed to track ${sessionType} session:`, error);
+      } else {
+        console.debug(`[AuthService] Successfully tracked ${sessionType} session`);
+      }
+    } catch (error) {
+      // Log error but don't throw (non-blocking)
+      console.warn(`[AuthService] Error tracking ${sessionType} session:`, error);
+    }
+  }
+
   private setupErrorHandlers(): void {
     if (typeof window === 'undefined') return;
 

package/src/services/__tests__/AuthService.test.ts

@@ -640,4 +640,188 @@ describe('AuthService', () => {
       expect(authService.isAuthenticated()).toBe(false);
     });
   });
+
+  describe('Automatic Session Tracking', () => {
+    beforeEach(() => {
+      // Mock rpc function for session tracking
+      (mockSupabase as any).rpc = vi.fn();
+      // Mock from().select() chain for app ID resolution
+      (mockSupabase as any).from = vi.fn().mockReturnValue({
+        select: vi.fn().mockReturnValue({
+          eq: vi.fn().mockReturnValue({
+            eq: vi.fn().mockReturnValue({
+              single: vi.fn().mockResolvedValue({
+                data: { id: 'app-id-123' },
+                error: null
+              })
+            })
+          })
+        })
+      });
+    });
+
+    it('should track login session automatically on SIGNED_IN event', async () => {
+      const mockUser = { id: 'user-123', email: 'test@example.com' };
+      const mockSession = { access_token: 'token', user: mockUser };
+      
+      (mockSupabase as any).rpc.mockResolvedValue({ error: null });
+      
+      let authStateCallback: any;
+      mockSupabase.auth.onAuthStateChange.mockImplementation((callback) => {
+        authStateCallback = callback;
+        return { data: { subscription: { unsubscribe: vi.fn() } } };
+      });
+
+      // Initialize with appName to test app ID resolution
+      const authServiceWithApp = new AuthService(mockSupabase as any, 'TEST_APP');
+      await authServiceWithApp.initialize();
+
+      // Simulate SIGNED_IN event
+      if (authStateCallback) {
+        authStateCallback('SIGNED_IN', mockSession);
+        
+        // Wait a bit for async tracking to complete
+        await new Promise(resolve => setTimeout(resolve, 100));
+        
+        // Verify rbac_session_track was called with correct parameters
+        expect((mockSupabase as any).rpc).toHaveBeenCalledWith('rbac_session_track', expect.objectContaining({
+          p_user_id: 'user-123',
+          p_session_type: 'login',
+          p_event_id: null,
+          p_app_id: 'app-id-123', // Should be resolved from appName
+          p_user_agent: expect.any(String), // navigator.userAgent
+        }));
+      }
+
+      authServiceWithApp.cleanup();
+    });
+
+    it('should track logout session automatically on SIGNED_OUT event', async () => {
+      const mockUser = { id: 'user-123', email: 'test@example.com' };
+      const mockSession = { access_token: 'token', user: mockUser };
+      
+      (mockSupabase as any).rpc.mockResolvedValue({ error: null });
+      
+      let authStateCallback: any;
+      mockSupabase.auth.onAuthStateChange.mockImplementation((callback) => {
+        authStateCallback = callback;
+        return { data: { subscription: { unsubscribe: vi.fn() } } };
+      });
+
+      const authServiceWithApp = new AuthService(mockSupabase as any, 'TEST_APP');
+      await authServiceWithApp.initialize();
+
+      // Simulate SIGNED_OUT event
+      if (authStateCallback) {
+        authStateCallback('SIGNED_OUT', mockSession);
+        
+        // Wait a bit for async tracking to complete
+        await new Promise(resolve => setTimeout(resolve, 100));
+        
+        // Verify rbac_session_track was called with logout type
+        expect((mockSupabase as any).rpc).toHaveBeenCalledWith('rbac_session_track', expect.objectContaining({
+          p_user_id: 'user-123',
+          p_session_type: 'logout',
+        }));
+      }
+
+      authServiceWithApp.cleanup();
+    });
+
+    it('should NOT track session on TOKEN_REFRESHED event (to avoid duplicate login records)', async () => {
+      const mockUser = { id: 'user-123', email: 'test@example.com' };
+      const mockSession = { access_token: 'new_token', user: mockUser };
+      
+      (mockSupabase as any).rpc.mockResolvedValue({ error: null });
+      
+      let authStateCallback: any;
+      mockSupabase.auth.onAuthStateChange.mockImplementation((callback) => {
+        authStateCallback = callback;
+        return { data: { subscription: { unsubscribe: vi.fn() } } };
+      });
+
+      const authServiceWithApp = new AuthService(mockSupabase as any, 'TEST_APP');
+      await authServiceWithApp.initialize();
+
+      // Simulate TOKEN_REFRESHED event
+      if (authStateCallback) {
+        authStateCallback('TOKEN_REFRESHED', mockSession);
+        
+        // Wait a bit for any async operations
+        await new Promise(resolve => setTimeout(resolve, 100));
+        
+        // Verify rbac_session_track was NOT called
+        expect((mockSupabase as any).rpc).not.toHaveBeenCalled();
+      }
+
+      authServiceWithApp.cleanup();
+    });
+
+    it('should handle tracking errors gracefully without breaking authentication', async () => {
+      const mockUser = { id: 'user-123', email: 'test@example.com' };
+      const mockSession = { access_token: 'token', user: mockUser };
+      const consoleWarnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      
+      (mockSupabase as any).rpc.mockRejectedValue(new Error('Tracking failed'));
+      
+      let authStateCallback: any;
+      mockSupabase.auth.onAuthStateChange.mockImplementation((callback) => {
+        authStateCallback = callback;
+        return { data: { subscription: { unsubscribe: vi.fn() } } };
+      });
+
+      const authServiceWithApp = new AuthService(mockSupabase as any, 'TEST_APP');
+      await authServiceWithApp.initialize();
+
+      // Simulate SIGNED_IN event
+      if (authStateCallback) {
+        authStateCallback('SIGNED_IN', mockSession);
+        
+        // Wait a bit for async tracking to complete
+        await new Promise(resolve => setTimeout(resolve, 100));
+        
+        // Verify error was logged but authentication still succeeded
+        // When rpc throws an exception, it goes to catch block which logs "Error tracking"
+        expect(consoleWarnSpy).toHaveBeenCalledWith(
+          expect.stringContaining('Error tracking login session'),
+          expect.anything()
+        );
+        expect(authServiceWithApp.isAuthenticated()).toBe(true);
+      }
+
+      consoleWarnSpy.mockRestore();
+      authServiceWithApp.cleanup();
+    });
+
+    it('should work without appName (app_id will be null)', async () => {
+      const mockUser = { id: 'user-123', email: 'test@example.com' };
+      const mockSession = { access_token: 'token', user: mockUser };
+      
+      (mockSupabase as any).rpc.mockResolvedValue({ error: null });
+      
+      let authStateCallback: any;
+      mockSupabase.auth.onAuthStateChange.mockImplementation((callback) => {
+        authStateCallback = callback;
+        return { data: { subscription: { unsubscribe: vi.fn() } } };
+      });
+
+      // Initialize without appName
+      await authService.initialize();
+
+      // Simulate SIGNED_IN event
+      if (authStateCallback) {
+        authStateCallback('SIGNED_IN', mockSession);
+        
+        // Wait a bit for async tracking to complete
+        await new Promise(resolve => setTimeout(resolve, 100));
+        
+        // Verify rbac_session_track was called with null app_id
+        expect((mockSupabase as any).rpc).toHaveBeenCalledWith('rbac_session_track', expect.objectContaining({
+          p_user_id: 'user-123',
+          p_session_type: 'login',
+          p_app_id: undefined, // Should be undefined when appName not provided
+        }));
+      }
+    });
+  });
 });