@jmruthers/pace-core 0.5.109 → 0.5.111

package/src/rbac/api.ts

@@ -17,6 +17,7 @@ import {
   PermissionMap,
   PermissionCheck,
   RBACNotInitializedError,
+  OrganisationContextRequiredError,
   RBACAppContext,
   RBACRoleContext,
 } from './types';
@@ -49,7 +50,8 @@ export function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<R
   
   createRBACConfig(fullConfig);
   
-  globalEngine = createRBACEngine(supabase);
+  // Pass security config to engine if provided
+  globalEngine = createRBACEngine(supabase, config?.security);
   
   // Setup audit manager
   const auditManager = createAuditManager(supabase);
@@ -146,7 +148,7 @@ export async function getRoleContext(input: {
  * const canManage = await isPermitted({
  *   userId: 'user-123',
  *   scope: { organisationId: 'org-456' },
- *   permission: 'manage:events',
+ *   permission: 'update:events',
  *   pageId: 'page-789'
  * });
  * ```
@@ -154,11 +156,16 @@ export async function getRoleContext(input: {
 export async function isPermitted(input: PermissionCheck): Promise<boolean> {
   const engine = getEngine();
   
+  // Validate organisation context is required
+  if (!input.scope.organisationId) {
+    throw new OrganisationContextRequiredError();
+  }
+  
   // Create security context from input
-  // SecurityContext requires organisationId as UUID, so we use a valid fallback
+  // OrganisationId is required - it can always be derived from event context in event-based apps
   const securityContext: SecurityContext = {
     userId: input.userId,
-    organisationId: input.scope.organisationId || input.userId, // Fallback to userId as UUID
+    organisationId: input.scope.organisationId, // Required - no fallback
     timestamp: new Date(),
     // Optional fields can be omitted
   };
@@ -348,11 +355,19 @@ export async function isEventAdmin(userId: UUID, scope: Scope): Promise<boolean>
  * @param organisationId - Organisation ID (optional)
  */
 export function invalidateUserCache(userId: UUID, organisationId?: UUID): void {
-  if (organisationId) {
-    rbacCache.invalidate(CACHE_PATTERNS.PERMISSION(userId, organisationId));
-  } else {
-    rbacCache.invalidate(CACHE_PATTERNS.USER(userId));
-  }
+  const patterns = organisationId
+    ? [
+        CACHE_PATTERNS.PERMISSION(userId, organisationId),
+        `access:${userId}:${organisationId}:`,
+        `map:${userId}:${organisationId}:`,
+      ]
+    : [
+        `perm:${userId}:`,
+        `access:${userId}:`,
+        `map:${userId}:`,
+      ];
+
+  patterns.forEach(pattern => rbacCache.invalidate(pattern));
 }
 
 /**
@@ -388,3 +403,6 @@ export function invalidateAppCache(appId: UUID): void {
 export function clearCache(): void {
   rbacCache.clear();
 }
+
+// Re-export OrganisationContextRequiredError for convenience
+export { OrganisationContextRequiredError } from './types';

package/src/rbac/audit.test.ts

@@ -143,7 +143,7 @@ describe('RBACAuditManager', () => {
         eventId: 'event-789',
         appId: 'app-101' as UUID,
         pageId: 'page-202' as UUID,
-        permission: 'manage:users',
+        permission: 'update:users',
         source: 'api' as AuditEventSource,
         metadata: { reason: 'Insufficient role' }
       };
@@ -159,7 +159,7 @@ describe('RBACAuditManager', () => {
             event_id: 'event-789',
             app_id: 'app-101',
             page_id: 'page-202',
-            permission: 'manage:users',
+            permission: 'update:users',
             source: 'api',
             metadata: expect.objectContaining({ reason: 'Insufficient role' })
           })

package/src/rbac/audit.ts

@@ -163,13 +163,22 @@ export class RBACAuditManager {
     }
 
     try {
-      // For events without organisationId, store in a special way
+      // Since organisationId is now required in SecurityContext, this should rarely happen
+      // But we still handle the edge case properly without masking it
+      if (!event.organisationId) {
+        console.warn('[RBAC Audit] Audit event without organisation context - this should be investigated:', {
+          userId: event.userId,
+          eventType: event.type,
+          note: 'Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation.'
+        });
+      }
+
       const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {
         event_type: event.type,
         user_id: event.userId,
-        // CRITICAL: Store organisationId even if null for auditing
-        // Use a fallback UUID if organisation context is missing (for database constraint)
-        organisation_id: event.organisationId || '00000000-0000-0000-0000-000000000000' as UUID,
+        // Store organisationId - nullable to properly track missing context cases
+        // Do NOT use fallback UUID as it masks security issues
+        organisation_id: event.organisationId || null, // Explicitly null if missing
         event_id: 'eventId' in event ? event.eventId : undefined,
         app_id: 'appId' in event ? event.appId : undefined,
         page_id: 'pageId' in event ? event.pageId : undefined,
@@ -182,7 +191,7 @@ export class RBACAuditManager {
           ...event.metadata,
           cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,
           cache_source: 'cache_source' in event ? event.cache_source : undefined,
-          // Store a flag indicating this event had no organisation context
+          // Explicit flag indicating this event had no organisation context
           no_organisation_context: !event.organisationId,
         },
       };

package/src/rbac/cache.test.ts

@@ -129,6 +129,18 @@ describe('RBACCache', () => {
       expect(cache.get('org-789-data')).not.toBeNull();
     });
 
+    it('supports wildcard patterns spanning cache segments', () => {
+      cache.set('perm:user-123:org-789:null:null:view:dashboard', true);
+      cache.set('perm:user-456:org-789:null:null:view:dashboard', true);
+      cache.set('perm:user-123:org-000:null:null:view:dashboard', true);
+
+      cache.invalidate('perm:*:org-789:*');
+
+      expect(cache.get('perm:user-123:org-789:null:null:view:dashboard')).toBeNull();
+      expect(cache.get('perm:user-456:org-789:null:null:view:dashboard')).toBeNull();
+      expect(cache.get('perm:user-123:org-000:null:null:view:dashboard')).toBe(true);
+    });
+
     it('handles empty pattern gracefully', () => {
       expect(() => cache.invalidate('')).not.toThrow();
     });

package/src/rbac/cache.ts

@@ -72,18 +72,38 @@ export class RBACCache {
    * @param pattern - Pattern to match against cache keys
    */
   invalidate(pattern: string): void {
+    const trimmedPattern = pattern?.trim();
+
+    if (!trimmedPattern) {
+      return;
+    }
+
+    const matcher = this.createMatcher(trimmedPattern);
     const keysToDelete: string[] = [];
-    
+
     for (const key of this.cache.keys()) {
-      if (key.includes(pattern)) {
+      if (matcher(key)) {
         keysToDelete.push(key);
       }
     }
 
     keysToDelete.forEach(key => this.cache.delete(key));
-    
+
     // Notify invalidation callbacks
-    this.invalidationCallbacks.forEach(callback => callback(pattern));
+    this.invalidationCallbacks.forEach(callback => callback(trimmedPattern));
+  }
+
+  private createMatcher(pattern: string): (key: string) => boolean {
+    if (pattern.includes('*')) {
+      const escapedSegments = pattern
+        .split('*')
+        .map(segment => segment.replace(/[|\\{}()[\]^$+?.-]/g, '\\$&'));
+      const regexPattern = escapedSegments.join('.*');
+      const regex = new RegExp(regexPattern);
+      return (key: string) => regex.test(key);
+    }
+
+    return (key: string) => key.includes(pattern);
   }
 
   /**
@@ -239,9 +259,9 @@ export const rbacCache = new RBACCache();
  * Cache key patterns for invalidation
  */
 export const CACHE_PATTERNS = {
-  USER: (userId: UUID) => `user:${userId}`,
-  ORGANISATION: (organisationId: UUID) => `org:${organisationId}`,
-  EVENT: (eventId: string) => `event:${eventId}`,
-  APP: (appId: UUID) => `app:${appId}`,
-  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}`,
+  USER: (userId: UUID) => `:${userId}:`,
+  ORGANISATION: (organisationId: UUID) => `:${organisationId}:`,
+  EVENT: (eventId: string) => `:${eventId}:`,
+  APP: (appId: UUID) => `:${appId}`,
+  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}:`,
 } as const;

package/src/rbac/components/EnhancedNavigationMenu.test.tsx

@@ -74,7 +74,7 @@ const mockNavigationItems: NavigationItem[] = [
     id: 'admin',
     label: 'Admin',
     path: '/admin',
-    permissions: ['manage:admin'] as Permission[],
+    permissions: ['update:admin'] as Permission[],
     pageId: 'page-admin',
     accessLevel: 'admin',
     meta: {

package/src/rbac/components/NavigationGuard.tsx

@@ -65,7 +65,7 @@
  */
 
 import React, { useMemo, useCallback, useEffect, useState } from 'react';
-import { useCan } from '../hooks';
+import { useMultiplePermissions } from '../hooks/usePermissions';
 import { useUnifiedAuth } from '../../providers/UnifiedAuthProvider';
 import { UUID, Permission, Scope } from '../types';
 import { createScopeFromEvent } from '../utils/eventContext';
@@ -176,26 +176,26 @@ export function NavigationGuard({
     resolveScope();
   }, [scope, selectedOrganisation, selectedEvent, supabase]);
 
-  // Check permissions using the first permission as a representative
-  // For multiple permissions, we'll check them sequentially
-  const representativePermission = navigationItem.permissions[0];
-  const { can, isLoading, error } = useCan(
+  // Check all permissions using useMultiplePermissions hook
+  const { results: permissionResults, isLoading, error } = useMultiplePermissions(
     user?.id || '',
     resolvedScope || { eventId: selectedEvent?.event_id || undefined },
-    representativePermission,
-    navigationItem.pageId,
+    navigationItem.permissions || [],
     true // Use cache
   );
 
-  // Determine if user has required permissions
+  // Determine if user has required permissions based on requireAll prop
   const hasRequiredPermissions = useMemo((): boolean => {
-    if (navigationItem.permissions.length === 0) return true;
+    if (!navigationItem.permissions || navigationItem.permissions.length === 0) return true;
     
-    // For now, use the representative permission result
-    // In a future enhancement, we could check all permissions
-    // but this would require multiple useCan hooks or a custom hook
-    return can;
-  }, [navigationItem.permissions, can]);
+    if (requireAll) {
+      // User must have ALL permissions
+      return Object.values(permissionResults).every(result => result === true);
+    } else {
+      // User must have ANY permission (default behavior)
+      return Object.values(permissionResults).some(result => result === true);
+    }
+  }, [navigationItem.permissions, permissionResults, requireAll]);
 
   // Handle permission check completion
   useEffect(() => {

package/src/rbac/components/NavigationProvider.test.tsx

@@ -57,7 +57,7 @@ const mockNavigationItems: NavigationItem[] = [
     id: 'admin',
     label: 'Admin',
     path: '/admin',
-    permissions: ['manage:admin'] as Permission[],
+    permissions: ['update:admin'] as Permission[],
     pageId: 'page-admin',
     accessLevel: 'admin'
   }

package/src/rbac/components/PagePermissionGuard.tsx

@@ -148,41 +148,6 @@ const PagePermissionGuardComponent = ({
   const supabaseRef = useRef(supabase);
   supabaseRef.current = supabase;
   
-  // Track the last scope we called useCan with to prevent infinite loops
-  const lastScopeRef = useRef<string | null>(null);
-  
-  // Use a ref to store the stable scope and only update it when it actually changes
-  const stableScopeRef = useRef<{ organisationId: string; appId: string; eventId: string | undefined }>({ 
-    organisationId: '', 
-    appId: '', 
-    eventId: undefined 
-  });
-  
-  // Only update the stable scope if the resolved scope has actually changed
-  if (resolvedScope && resolvedScope.organisationId) {
-    const newScope = {
-      organisationId: resolvedScope.organisationId,
-      appId: resolvedScope.appId,
-      eventId: resolvedScope.eventId
-    };
-    
-      // Only update if the scope has actually changed
-      if (stableScopeRef.current.organisationId !== newScope.organisationId ||
-          stableScopeRef.current.eventId !== newScope.eventId ||
-          stableScopeRef.current.appId !== newScope.appId) {
-        stableScopeRef.current = {
-          organisationId: newScope.organisationId,
-          appId: newScope.appId || '',
-          eventId: newScope.eventId
-        };
-      }
-  } else if (!resolvedScope) {
-    // Reset to empty scope when no resolved scope
-    stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
-  }
-  
-  const stableScope = stableScopeRef.current;
-
   // Resolve scope - either use provided scope or resolve from context
   useEffect(() => {
     const abortController = new AbortController();
@@ -412,9 +377,23 @@ const PagePermissionGuardComponent = ({
     return `${operation}:page.${pageName}` as Permission;
   }, [operation, pageName]);
 
+  // Create a stable scope that only includes valid values
+  // OrganisationId is required - use undefined if not available, useCan will handle loading state
+  const stableScope = useMemo(() => {
+    if (resolvedScope && resolvedScope.organisationId) {
+      return {
+        organisationId: resolvedScope.organisationId,
+        appId: resolvedScope.appId || undefined,
+        eventId: resolvedScope.eventId || undefined
+      };
+    }
+    // Return scope without organisationId - useCan will keep loading state until resolved
+    // Scope.organisationId is optional, so undefined is valid
+    return { organisationId: undefined, appId: undefined, eventId: undefined };
+  }, [resolvedScope]);
 
-  // Check if user has permission - only call useCan when we have a resolved scope
-  // If resolvedScope is null, we're still resolving, so show loading state
+  // Check if user has permission - only call useCan when we have a resolved scope with valid organisationId
+  // If resolvedScope is null or has no organisationId, useCan will keep isLoading=true
   const { can, isLoading: canIsLoading, error: canError } = useCan(
     user?.id || '',
     stableScope,
@@ -464,12 +443,17 @@ const PagePermissionGuardComponent = ({
       console.error(`[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
         pageName,
         operation,
+        permission: `${operation}:page.${pageName}`,
+        pageId: effectivePageId,
         userId: user?.id,
         scope: resolvedScope,
+        scopeValid: resolvedScope && resolvedScope.organisationId ? true : false,
+        checkError,
+        canError,
         timestamp: new Date().toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, can, pageName, operation, user?.id, resolvedScope]);
+  }, [strictMode, hasChecked, isLoading, can, pageName, operation, effectivePageId, user?.id, resolvedScope, checkError, canError]);
 
   // Calculate the actual render state - FIXED: Proper state calculation
   // Add defensive checks to ensure we have valid state

package/src/rbac/components/PagePermissionProvider.test.tsx

@@ -38,7 +38,7 @@ const mockScope: Scope = {
   appId: 'app-789' as UUID
 };
 
-const mockPermissions = ['read:users', 'manage:users'] as const;
+const mockPermissions = ['read:users', 'update:users'] as const;
 const mockPageId = 'page-123';
 
 // Test component

package/src/rbac/components/PermissionEnforcer.tsx

@@ -19,7 +19,7 @@
  * ```tsx
  * // Basic permission enforcement
  * <PermissionEnforcer
- *   permissions={['read:events', 'manage:events']}
+ *   permissions={['read:events', 'update:events']}
  *   operation="event-management"
  *   fallback={<AccessDeniedPage />}
  * >
@@ -67,7 +67,7 @@
  */
 
 import React, { useMemo, useCallback, useEffect, useState } from 'react';
-import { useCan } from '../hooks';
+import { useMultiplePermissions } from '../hooks/usePermissions';
 import { useUnifiedAuth } from '../../providers/UnifiedAuthProvider';
 import { UUID, Permission, Scope } from '../types';
 import { createScopeFromEvent } from '../utils/eventContext';
@@ -129,7 +129,6 @@ export function PermissionEnforcer({
   const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
   const [hasChecked, setHasChecked] = useState(false);
   const [checkError, setCheckError] = useState<Error | null>(null);
-  const [permissionResults, setPermissionResults] = useState<Record<string, boolean>>({});
   const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);
 
   // Resolve scope - either use provided scope or resolve from context
@@ -182,26 +181,31 @@ export function PermissionEnforcer({
     resolveScope();
   }, [scope, selectedOrganisation, selectedEvent, supabase]);
 
-  // Check permissions using the first permission as a representative
-  // For multiple permissions, we'll check them sequentially
-  const representativePermission = permissions[0];
-  const { can, isLoading, error } = useCan(
+  // Check all permissions using useMultiplePermissions hook
+  const { results: permissionResults, isLoading, error } = useMultiplePermissions(
     user?.id || '',
     resolvedScope || { eventId: selectedEvent?.event_id || undefined },
-    representativePermission,
-    undefined,
+    permissions,
     true // Use cache
   );
 
-  // Determine if user has required permissions
+  // Determine if user has required permissions based on requireAll prop
   const hasRequiredPermissions = useMemo((): boolean => {
     if (permissions.length === 0) return true;
     
-    // For now, use the representative permission result
-    // In a future enhancement, we could check all permissions
-    // but this would require multiple useCan hooks or a custom hook
-    return can;
-  }, [permissions, can]);
+    // If permissionResults is not yet available or empty, deny access
+    if (!permissionResults || Object.keys(permissionResults).length === 0) {
+      return false;
+    }
+    
+    if (requireAll) {
+      // User must have ALL permissions
+      return Object.values(permissionResults).every(result => result === true);
+    } else {
+      // User must have ANY permission (default behavior)
+      return Object.values(permissionResults).some(result => result === true);
+    }
+  }, [permissions, permissionResults, requireAll]);
 
   // Handle permission check completion
   useEffect(() => {

package/src/rbac/components/RoleBasedRouter.tsx

@@ -79,6 +79,9 @@ export interface RouteConfig {
   /** Permissions required for this route */
   permissions: Permission[];
   
+  /** If true, this route is public and doesn't require permission checks */
+  public?: boolean;
+  
   /** Roles that can access this route */
   roles?: string[];
   
@@ -232,10 +235,13 @@ export function RoleBasedRouter({
     currentRouteConfig?.pageId
   );
 
-  // If route has no permissions, deny access (secure by default)
+  // Check if route is public
+  const isPublicRoute = currentRouteConfig?.public === true;
+  
+  // If route has no permissions and is not public, deny access (secure by default)
   const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
-  const finalCanAccess = hasPermissions ? canAccessCurrentRoute : false;
-  const finalLoading = hasPermissions ? permissionLoading : false;
+  const finalCanAccess = isPublicRoute ? true : (hasPermissions ? canAccessCurrentRoute : false);
+  const finalLoading = isPublicRoute ? false : (hasPermissions ? permissionLoading : false);
 
   // Get all accessible routes for current user
   const getAccessibleRoutes = useCallback((): RouteConfig[] => {
@@ -323,13 +329,14 @@ export function RoleBasedRouter({
     
     // Use the actual permission check result
     const allowed = finalCanAccess;
+    // Log route access (including public routes for audit monitoring)
     recordRouteAccess(currentPath, allowed, currentRouteConfig);
     
-    if (!allowed) {
-      // Redirect to fallback route
+    if (!allowed && !isPublicRoute) {
+      // Redirect to fallback route (skip for public routes)
       navigate(fallbackRoute, { replace: true });
     }
-  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute]);
+  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute, isPublicRoute]);
 
   // Context value
   const contextValue = useMemo((): RoleBasedRouterContextType => ({
@@ -350,8 +357,8 @@ export function RoleBasedRouter({
     auditLog
   ]);
 
-  // Show loading state while checking permissions
-  if (finalLoading) {
+  // Show loading state while checking permissions (skip for public routes)
+  if (finalLoading && !isPublicRoute) {
     return (
       <div className="flex items-center justify-center min-h-screen">
         <div className="text-center">
@@ -363,7 +370,7 @@ export function RoleBasedRouter({
   }
 
   // Show unauthorized component if user can't access current route
-  if (currentRouteConfig && !finalCanAccess) {
+  if (currentRouteConfig && !finalCanAccess && !isPublicRoute) {
     return (
       <UnauthorizedComponent 
         route={currentRoute}