@jmruthers/pace-core 0.5.108 → 0.5.110

package/src/components/NavigationMenu/NavigationMenu.tsx

@@ -462,10 +462,16 @@ export const NavigationMenu = React.forwardRef<
       return (items || []).filter(item => !item.meta?.hidden);
     }
     
-    return (items || []).filter(item => {
-      // Check if item should be hidden
-      if (item.meta?.hidden) return false;
-      
+    // Helper function to derive page ID from href
+    const getPageIdFromHref = (href?: string): string | null => {
+      if (!href) return null;
+      // Remove leading slash and any query params/hash
+      const path = href.split('?')[0].split('#')[0].replace(/^\//, '');
+      return path || 'home';
+    };
+    
+    // Helper function to check if item has permission to be shown
+    const hasItemPermission = (item: NavigationItem): boolean => {
       // Check permissions if available
       if (item.permissions && item.permissions.length > 0) {
         // Convert string permissions to Permission type and check
@@ -547,8 +553,66 @@ export const NavigationMenu = React.forwardRef<
         }
       }
       
+      // NEW: Auto-check page permissions for items with href but no explicit permissions
+      // If item has an href but no explicit permissions/roles/accessLevel, check page permission
+      if (item.href && !item.permissions && !item.roles && !item.accessLevel) {
+        const pageId = item.pageId || getPageIdFromHref(item.href);
+        if (pageId) {
+          // Check for read permission on the page
+          const pagePermission: Permission = `read:page.${pageId}` as Permission;
+          
+          // Check permission map (super admin has access to everything via '*' key)
+          const hasPagePermission = permissionMap['*'] === true || permissionMap[pagePermission] === true;
+          
+          if (!hasPagePermission) {
+            if (auditLog) {
+              console.log(`[NavigationMenu] Filtering out navigation item "${item.label}" - no page permission:`, {
+                itemId: item.id,
+                href: item.href,
+                pageId,
+                permission: pagePermission,
+                hasPermission: hasPagePermission
+              });
+            }
+            return false;
+          }
+        }
+      }
+      
       return true;
-    });
+    };
+    
+    // Helper function to filter items recursively (creates new objects to avoid mutations)
+    const filterItem = (item: NavigationItem): NavigationItem | null => {
+      // Check if item should be hidden
+      if (item.meta?.hidden) return null;
+      
+      // Check if item has permission
+      if (!hasItemPermission(item)) return null;
+      
+      // Recursively filter children if present
+      let filteredChildren: NavigationItem[] | undefined;
+      if (item.children && item.children.length > 0) {
+        filteredChildren = item.children
+          .map(child => filterItem(child))
+          .filter((child): child is NavigationItem => child !== null);
+        
+        // If parent has no accessible children, hide the parent too (unless it has its own href)
+        if (filteredChildren.length === 0 && !item.href) {
+          return null;
+        }
+      }
+      
+      // Return filtered item (with filtered children if applicable)
+      return {
+        ...item,
+        children: filteredChildren
+      };
+    };
+    
+    return (items || [])
+      .map(item => filterItem(item))
+      .filter((item): item is NavigationItem => item !== null);
   }, [
     items, 
     filterByPermissions, 
@@ -558,7 +622,8 @@ export const NavigationMenu = React.forwardRef<
     hasAnyPermission, 
     scopeLoading, 
     permissionsLoading,
-    resolvedScope
+    resolvedScope,
+    auditLog
   ]);
 
   // Log navigation access attempts for debugging

package/src/components/PaceAppLayout/PaceAppLayout.test.tsx

@@ -540,7 +540,7 @@ describe('PaceAppLayout Component', () => {
             eventId: 'event-123',
             appId: 'app-123',
           },
-          permission: 'update',
+          permission: 'update:page.dashboard-page',
           pageId: 'dashboard-page',
         });
       }, { timeout: 3000 });
@@ -571,7 +571,7 @@ describe('PaceAppLayout Component', () => {
             eventId: 'event-123',
             appId: 'app-123',
           },
-          permission: 'create',
+          permission: 'create:page.dashboard',
           pageId: 'dashboard',
         });
       }, { timeout: 3000 });

package/src/components/PaceAppLayout/PaceAppLayout.tsx

@@ -395,10 +395,16 @@ export function PaceAppLayout({
         return false;
       }
       
+      // Construct the full permission string in format "operation:page.pageId"
+      // If permission already includes ':', use it as-is, otherwise format as "operation:page.pageId"
+      const fullPermission: Permission = permission.includes(':')
+        ? (permission as Permission)
+        : (pageId ? `${permission}:page.${pageId}` : permission) as Permission;
+      
       return await isPermitted({
         userId: user.id,
         scope,
-        permission: permission as Permission,
+        permission: fullPermission,
         pageId
       });
     } catch (error) {
@@ -577,30 +583,56 @@ export function PaceAppLayout({
       }
 
       // Organisation context is ready - now filter items based on permissions
-      const filtered = await Promise.all(
-        baseMenuItems.map(async (item) => {
+      // OPTIMIZATION: Use batch permission map instead of individual checks to avoid rate limits
+      // This makes 1 call instead of N calls (where N = number of navigation items)
+      try {
+        const { getPermissionMap } = await import('../../rbac/api');
+        const permissionMap = await getPermissionMap({
+          userId: user.id,
+          scope,
+        });
+
+        // Filter items using the permission map (synchronous, no rate limit issues)
+        const filtered = baseMenuItems.map((item) => {
           if (!item.href) return { item, hasAccess: true };
           
           const pageId = pageIdMapping[item.href] || item.href.slice(1) || 'home';
           const permission = routePermissions[item.href] || defaultPermission;
+          const fullPermission: Permission = permission.includes(':')
+            ? (permission as Permission)
+            : (pageId ? `${permission}:page.${pageId}` : permission) as Permission;
           
-          try {
-            const hasAccess = await checkPermission(permission, pageId);
-            return { item, hasAccess };
-          } catch {
-            // On error, default to hiding the item (fail-safe)
-            return { item, hasAccess: false };
+          // Check permission map (super admin check already handled in getPermissionMap)
+          const hasAccess = permissionMap['*'] === true || permissionMap[fullPermission] === true;
+          
+          if (auditLog) {
+            console.log(`[PaceAppLayout] Navigation filtering:`, {
+              item: item.label,
+              href: item.href,
+              pageId,
+              permission: fullPermission,
+              hasAccess,
+            });
           }
-        })
-      );
+          
+          return { item, hasAccess };
+        });
 
-      if (!isMounted) return;
+        if (!isMounted) return;
 
-      const accessibleItems = filtered
-        .filter(({ hasAccess }) => hasAccess)
-        .map(({ item }) => item);
+        const accessibleItems = filtered
+          .filter(({ hasAccess }) => hasAccess)
+          .map(({ item }) => item);
 
-      setFilteredMenuItems(accessibleItems);
+        setFilteredMenuItems(accessibleItems);
+      } catch (error) {
+        // On error, fall back to showing all items (graceful degradation)
+        // This prevents navigation from being empty if permission checks fail
+        console.error('[PaceAppLayout] Failed to load permission map for navigation filtering:', error);
+        if (isMounted) {
+          setFilteredMenuItems(baseMenuItems);
+        }
+      }
     };
 
     filterItems();

package/src/components/PaceAppLayout/__tests__/PaceAppLayout.security.test.tsx

@@ -715,7 +715,8 @@ describe('PaceAppLayout Security', () => {
       const { isPermitted } = await import('../../../rbac/api');
       vi.mocked(isPermitted).mockImplementation(({ userId, scope, permission, pageId }) => {
         // Simulate user trying to access admin with read permission
-        if (pageId === 'admin' && permission === 'read') {
+        // Permission is now formatted as "operation:page.pageId"
+        if (pageId === 'admin' && permission === 'read:page.admin') {
           return Promise.resolve(false);
         }
         return Promise.resolve(true);

package/src/components/PaceAppLayout/__tests__/PaceAppLayout.unit.test.tsx

@@ -572,7 +572,7 @@ describe('PaceAppLayout Component', () => {
         expect(mockIsPermitted).toHaveBeenCalledWith({
           userId: 'test-user-id',
           scope: expect.objectContaining({ organisationId: 'test-org-123' }),
-          permission: 'delete',
+          permission: 'delete:page.test-path',
           pageId: 'test-path'
         });
       });
@@ -597,7 +597,7 @@ describe('PaceAppLayout Component', () => {
         expect(mockIsPermitted).toHaveBeenCalledWith({
           userId: 'test-user-id',
           scope: expect.objectContaining({ organisationId: 'test-org-123' }),
-          permission: 'read',
+          permission: 'read:page.custom-page-id',
           pageId: 'custom-page-id'
         });
       });
@@ -816,11 +816,8 @@ describe('PaceAppLayout Component', () => {
     });
 
     it('handles location changes correctly', async () => {
-      // Change location
-      Object.defineProperty(window, 'location', {
-        value: { pathname: '/new-path' },
-        writable: true
-      });
+      // Change location - update the mockLocation object since component uses useLocation()
+      mockLocation.pathname = '/new-path';
       
       render(
         <TestWrapper>
@@ -832,10 +829,13 @@ describe('PaceAppLayout Component', () => {
         expect(mockIsPermitted).toHaveBeenCalledWith({
           userId: 'test-user-id',
           scope: expect.objectContaining({ organisationId: 'test-org-123' }),
-          permission: 'read',
-          pageId: 'test-path'
+          permission: 'read:page.new-path',
+          pageId: 'new-path'
         });
       });
+      
+      // Reset for other tests
+      mockLocation.pathname = '/test-path';
     });
   });
 

package/src/index.ts

@@ -20,6 +20,9 @@
 export { UnifiedAuthProvider, useUnifiedAuth } from './providers/UnifiedAuthProvider';
 export type { UnifiedAuthProviderProps, UnifiedAuthContextType, UserEventAccess } from './providers/UnifiedAuthProvider';
 
+// Session tracking utility (for manual use if needed)
+export { useSessionTracking } from './utils/sessionTracking';
+
 // Provider components (using service architecture)
 export { EventProvider } from './providers/EventProvider';
 export { OrganisationProvider } from './providers/OrganisationProvider';

package/src/providers/services/AuthServiceProvider.tsx

@@ -24,13 +24,14 @@ export const AuthServiceContext = createContext<AuthServiceContextType | null>(n
 export interface AuthServiceProviderProps {
   children: React.ReactNode;
   supabaseClient: SupabaseClient;
+  appName?: string;
 }
 
-export function AuthServiceProvider({ children, supabaseClient }: AuthServiceProviderProps) {
+export function AuthServiceProvider({ children, supabaseClient, appName }: AuthServiceProviderProps) {
   // Create service instance with useMemo to prevent recreation on every render
   const authService = useMemo(
-    () => new AuthService(supabaseClient),
-    [supabaseClient]
+    () => new AuthService(supabaseClient, appName),
+    [supabaseClient, appName]
   );
 
   const [sessionRestoration, setSessionRestoration] = useState<SessionRestorationState>(

package/src/providers/services/UnifiedAuthProvider.tsx

@@ -526,7 +526,7 @@ export function UnifiedAuthProvider({
   dangerouslyDisableInactivity = false
 }: UnifiedAuthProviderProps) {
   return (
-    <AuthServiceProvider supabaseClient={supabaseClient}>
+    <AuthServiceProvider supabaseClient={supabaseClient} appName={appName}>
       <ServiceAwareProviders
         supabaseClient={supabaseClient}
         appName={appName}

package/src/rbac/api.test.ts

@@ -119,7 +119,7 @@ describe('RBAC API', () => {
       
       process.env.NODE_ENV = originalEnv;
 
-      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase);
+      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase, undefined);
       expect(mockCreateAuditManager).toHaveBeenCalledWith(mockSupabase);
       expect(mockSetGlobalAuditManager).toHaveBeenCalledWith(mockAuditManager);
       expect(mockLogger.info).toHaveBeenCalledWith('RBAC system initialized successfully');
@@ -203,7 +203,7 @@ describe('RBAC API', () => {
 
       setupRBAC(mockSupabase as any);
 
-      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase);
+      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase, undefined);
     });
 
     it('handles multiple initialization calls', () => {

package/src/rbac/api.ts

@@ -49,7 +49,8 @@ export function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<R
   
   createRBACConfig(fullConfig);
   
-  globalEngine = createRBACEngine(supabase);
+  // Pass security config to engine if provided
+  globalEngine = createRBACEngine(supabase, config?.security);
   
   // Setup audit manager
   const auditManager = createAuditManager(supabase);

package/src/rbac/components/PagePermissionGuard.tsx

@@ -148,41 +148,6 @@ const PagePermissionGuardComponent = ({
   const supabaseRef = useRef(supabase);
   supabaseRef.current = supabase;
   
-  // Track the last scope we called useCan with to prevent infinite loops
-  const lastScopeRef = useRef<string | null>(null);
-  
-  // Use a ref to store the stable scope and only update it when it actually changes
-  const stableScopeRef = useRef<{ organisationId: string; appId: string; eventId: string | undefined }>({ 
-    organisationId: '', 
-    appId: '', 
-    eventId: undefined 
-  });
-  
-  // Only update the stable scope if the resolved scope has actually changed
-  if (resolvedScope && resolvedScope.organisationId) {
-    const newScope = {
-      organisationId: resolvedScope.organisationId,
-      appId: resolvedScope.appId,
-      eventId: resolvedScope.eventId
-    };
-    
-      // Only update if the scope has actually changed
-      if (stableScopeRef.current.organisationId !== newScope.organisationId ||
-          stableScopeRef.current.eventId !== newScope.eventId ||
-          stableScopeRef.current.appId !== newScope.appId) {
-        stableScopeRef.current = {
-          organisationId: newScope.organisationId,
-          appId: newScope.appId || '',
-          eventId: newScope.eventId
-        };
-      }
-  } else if (!resolvedScope) {
-    // Reset to empty scope when no resolved scope
-    stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
-  }
-  
-  const stableScope = stableScopeRef.current;
-
   // Resolve scope - either use provided scope or resolve from context
   useEffect(() => {
     const abortController = new AbortController();
@@ -412,9 +377,22 @@ const PagePermissionGuardComponent = ({
     return `${operation}:page.${pageName}` as Permission;
   }, [operation, pageName]);
 
+  // Create a stable scope that only includes valid values
+  // This ensures useCan doesn't run with empty organisationId which causes it to stay in loading state
+  const stableScope = useMemo(() => {
+    if (resolvedScope && resolvedScope.organisationId) {
+      return {
+        organisationId: resolvedScope.organisationId,
+        appId: resolvedScope.appId || undefined,
+        eventId: resolvedScope.eventId || undefined
+      };
+    }
+    // Return a scope with empty string organisationId - useCan will handle this by keeping loading state
+    return { organisationId: '', appId: undefined, eventId: undefined };
+  }, [resolvedScope]);
 
-  // Check if user has permission - only call useCan when we have a resolved scope
-  // If resolvedScope is null, we're still resolving, so show loading state
+  // Check if user has permission - only call useCan when we have a resolved scope with valid organisationId
+  // If resolvedScope is null or has no organisationId, useCan will keep isLoading=true
   const { can, isLoading: canIsLoading, error: canError } = useCan(
     user?.id || '',
     stableScope,
@@ -464,12 +442,17 @@ const PagePermissionGuardComponent = ({
       console.error(`[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
         pageName,
         operation,
+        permission: `${operation}:page.${pageName}`,
+        pageId: effectivePageId,
         userId: user?.id,
         scope: resolvedScope,
+        scopeValid: resolvedScope && resolvedScope.organisationId ? true : false,
+        checkError,
+        canError,
         timestamp: new Date().toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, can, pageName, operation, user?.id, resolvedScope]);
+  }, [strictMode, hasChecked, isLoading, can, pageName, operation, effectivePageId, user?.id, resolvedScope, checkError, canError]);
 
   // Calculate the actual render state - FIXED: Proper state calculation
   // Add defensive checks to ensure we have valid state

package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx

@@ -949,7 +949,7 @@ describe('PagePermissionGuard Component', () => {
         expect.objectContaining({
           organisationId: '',
           eventId: undefined,
-          appId: ''
+          appId: undefined  // appId is optional and should be undefined when not resolved
         }),
         'read:page.dashboard',
         'dashboard',

package/src/rbac/config.ts

@@ -9,6 +9,7 @@
 
 import { SupabaseClient } from '@supabase/supabase-js';
 import { Database } from '../types/database';
+import { RBACSecurityConfig } from './security';
 
 export type LogLevel = 'error' | 'warn' | 'info' | 'debug';
 
@@ -26,6 +27,7 @@ export interface RBACConfig {
     enabled?: boolean;
     logLevel?: LogLevel;
   };
+  security?: Partial<RBACSecurityConfig>;
 }
 
 export interface RBACLogger {

package/src/rbac/engine.ts

@@ -36,7 +36,8 @@ import {
   RBACSecurityValidator, 
   RBACSecurityMiddleware, 
   SecurityContext,
-  DEFAULT_SECURITY_CONFIG 
+  DEFAULT_SECURITY_CONFIG,
+  RBACSecurityConfig
 } from './security';
 
 /**
@@ -49,9 +50,14 @@ export class RBACEngine {
   private supabase: SupabaseClient<Database>;
   private securityMiddleware: RBACSecurityMiddleware;
 
-  constructor(supabase: SupabaseClient<Database>) {
+  constructor(supabase: SupabaseClient<Database>, securityConfig?: Partial<RBACSecurityConfig>) {
     this.supabase = supabase;
-    this.securityMiddleware = new RBACSecurityMiddleware(DEFAULT_SECURITY_CONFIG);
+    // Merge provided security config with defaults
+    const mergedSecurityConfig: RBACSecurityConfig = {
+      ...DEFAULT_SECURITY_CONFIG,
+      ...securityConfig,
+    };
+    this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);
     
     // Initialize cache invalidation for automatic cache clearing
     initializeCacheInvalidation(supabase);
@@ -474,11 +480,13 @@ export class RBACEngine {
 
     try {
       const { userId, scope } = input;
+      // Call unified function (tech debt removed: consolidated from 2 overloaded versions)
       const { data, error } = await (this.supabase as any).rpc('rbac_permissions_get', {
         p_user_id: userId,
         p_organisation_id: scope.organisationId || null,
         p_event_id: scope.eventId || null,
         p_app_id: scope.appId || null,
+        p_page_id: null, // Optional: can filter to specific page if needed
       });
 
       if (error) {
@@ -587,9 +595,13 @@ export class RBACEngine {
  * Create an RBAC engine instance
  * 
  * @param supabase - Supabase client
+ * @param securityConfig - Optional security configuration
  * @returns RBACEngine instance
  */
-export function createRBACEngine(supabase: SupabaseClient<Database>): RBACEngine {
-  return new RBACEngine(supabase);
+export function createRBACEngine(
+  supabase: SupabaseClient<Database>,
+  securityConfig?: Partial<RBACSecurityConfig>
+): RBACEngine {
+  return new RBACEngine(supabase, securityConfig);
 }
 

package/src/rbac/security.ts

@@ -251,7 +251,7 @@ export const DEFAULT_SECURITY_CONFIG: RBACSecurityConfig = {
   enableInputValidation: true,
   enableRateLimiting: true,
   enableAuditLogging: true,
-  maxPermissionChecksPerMinute: 100,
+  maxPermissionChecksPerMinute: 1000, // Increased from 100 to 1000 for normal app usage
   suspiciousActivityThreshold: 10,
 };
 

package/src/services/AuthService.ts

@@ -28,10 +28,12 @@ export class AuthService extends BaseService implements IAuthService {
   private restorationTimeoutId: ReturnType<typeof setTimeout> | null = null;
   private readonly restorationTimeoutMs = 5000;
   private restorationStartTime: number | null = null;
+  private appName: string | undefined = undefined;
 
-  constructor(supabaseClient: SupabaseClient) {
+  constructor(supabaseClient: SupabaseClient, appName?: string) {
     super();
     this.supabaseClient = supabaseClient;
+    this.appName = appName;
   }
 
   // Auth state getters
@@ -386,6 +388,13 @@ export class AuthService extends BaseService implements IAuthService {
               this.session = null;
               this.user = null;
               this.authError = null;
+              
+              // Automatic session tracking (non-blocking)
+              if (session?.user) {
+                this.trackSession('logout', session).catch(err => {
+                  console.warn('[AuthService] Failed to track logout session:', err);
+                });
+              }
             } else if (event === 'SIGNED_IN' || event === 'TOKEN_REFRESHED') {
               this.session = session;
               this.user = session?.user ?? null;
@@ -394,6 +403,14 @@ export class AuthService extends BaseService implements IAuthService {
               if (session) {
                 this.authError = null;
               }
+              
+              // Automatic session tracking for login (non-blocking)
+              // Only track on SIGNED_IN, not TOKEN_REFRESHED (to avoid duplicate login records)
+              if (event === 'SIGNED_IN' && session?.user) {
+                this.trackSession('login', session).catch(err => {
+                  console.warn('[AuthService] Failed to track login session:', err);
+                });
+              }
             } else if (event === 'INITIAL_SESSION') {
               if (session) {
                 this.session = session;
@@ -502,6 +519,67 @@ export class AuthService extends BaseService implements IAuthService {
     }
   }
 
+  /**
+   * Automatically track user session using rbac_session_track
+   * This method is called automatically on SIGNED_IN and SIGNED_OUT events.
+   * It's non-blocking and failures are logged as warnings.
+   */
+  private async trackSession(
+    sessionType: 'login' | 'logout',
+    session: Session | null
+  ): Promise<void> {
+    if (!this.supabaseClient || !session?.user) {
+      return;
+    }
+
+    try {
+      // Resolve app_id from appName if available
+      let appId: string | undefined = undefined;
+      if (this.appName) {
+        const { data, error } = await this.supabaseClient
+          .from('rbac_apps')
+          .select('id')
+          .eq('name', this.appName)
+          .eq('is_active', true)
+          .single();
+        
+        if (!error && data) {
+          appId = data.id;
+        }
+      }
+
+      // Get IP address and user agent from browser (if available)
+      const ipAddress = undefined; // Browser doesn't expose IP directly, could use API
+      const userAgent = typeof navigator !== 'undefined' ? navigator.userAgent : undefined;
+      
+      // Get device fingerprint from localStorage if available
+      // Note: Device fingerprinting should be done by consuming app and passed via custom header
+      // For now, we'll skip it to avoid dependencies
+      const deviceFingerprint = undefined;
+
+      // Call rbac_session_track RPC function
+      // This automatically inserts into rbac_user_sessions AND rbac_user_login_history (for login)
+      const { error } = await (this.supabaseClient as any).rpc('rbac_session_track', {
+        p_user_id: session.user.id,
+        p_session_type: sessionType,
+        p_event_id: null, // Event ID should come from context, not auth service
+        p_app_id: appId,
+        p_ip_address: ipAddress,
+        p_user_agent: userAgent,
+        p_device_fingerprint: deviceFingerprint,
+      });
+
+      if (error) {
+        console.warn(`[AuthService] Failed to track ${sessionType} session:`, error);
+      } else {
+        console.debug(`[AuthService] Successfully tracked ${sessionType} session`);
+      }
+    } catch (error) {
+      // Log error but don't throw (non-blocking)
+      console.warn(`[AuthService] Error tracking ${sessionType} session:`, error);
+    }
+  }
+
   private setupErrorHandlers(): void {
     if (typeof window === 'undefined') return;