@jmruthers/pace-core 0.5.109 → 0.5.111

package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx

@@ -11,12 +11,12 @@ import { render, screen, waitFor } from '@testing-library/react';
 import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ReactNode } from 'react';
 import { PermissionEnforcer } from '../PermissionEnforcer';
-import { useCan } from '../../hooks';
+import { useMultiplePermissions } from '../../hooks/usePermissions';
 import { useUnifiedAuth } from '../../../providers/UnifiedAuthProvider';
 
 // Mock the RBAC hooks
-vi.mock('../../hooks', () => ({
-  useCan: vi.fn()
+vi.mock('../../hooks/usePermissions', () => ({
+  useMultiplePermissions: vi.fn()
 }));
 
 // Mock the auth provider
@@ -43,7 +43,7 @@ const mockScope = {
   appId: 'app-123'
 };
 
-const mockPermissions = ['read:events', 'manage:events'] as const;
+const mockPermissions = ['read:events', 'update:events'] as const;
 const mockOperation = 'event-management';
 
 // Test component
@@ -60,7 +60,7 @@ const TestLoading = () => (
 );
 
 describe('PermissionEnforcer Component', () => {
-  const mockUseCan = vi.mocked(useCan);
+  const mockUseMultiplePermissions = vi.mocked(useMultiplePermissions);
   const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
   const mockCreateScopeFromEvent = vi.mocked(createScopeFromEvent);
 
@@ -75,19 +75,24 @@ describe('PermissionEnforcer Component', () => {
       supabase: {} as any
     });
     
-    mockUseCan.mockReturnValue({
-      can: true,
+    mockUseMultiplePermissions.mockReturnValue({
+      results: {
+        'read:events': true,
+        'update:events': true
+      } as Record<string, boolean>,
       isLoading: false,
-      error: null
+      error: null,
+      refetch: vi.fn()
     });
   });
 
     describe('Rendering', () => {
     it('renders children when permission is granted', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true, 'update:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -106,10 +111,11 @@ describe('PermissionEnforcer Component', () => {
     });
 
     it('renders fallback when permission is denied', async () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -128,11 +134,12 @@ describe('PermissionEnforcer Component', () => {
       }, { interval: 10 });
     });
 
-    it('shows loading state during permission check', () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+    it('shows loading state during permission check', async () => {
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: true,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -150,10 +157,11 @@ describe('PermissionEnforcer Component', () => {
     });
 
     it('uses default fallback when none provided', async () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -172,10 +180,11 @@ describe('PermissionEnforcer Component', () => {
     });
 
     it('uses default loading when none provided', () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: true,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -195,10 +204,11 @@ describe('PermissionEnforcer Component', () => {
     it('enforces single permission correctly', async () => {
       const singlePermission = ['read:events'] as const;
       
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -214,23 +224,23 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events'], // singlePermission only includes read:events
         true
       );
     });
 
-    it('enforces multiple permissions with AND logic', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+    it('enforces multiple permissions with AND logic (requireAll=true)', async () => {
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true, 'update:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -247,25 +257,25 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      // Should check the first permission as representative
-      expect(mockUseCan).toHaveBeenCalledWith(
+      // Should check all permissions when requireAll=true
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'],
         true
       );
     });
 
     it('handles permission checking errors gracefully', async () => {
       const error = new Error('Permission check failed');
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: false,
-        error
+        error,
+        refetch: vi.fn()
       });
 
       render(
@@ -284,10 +294,11 @@ describe('PermissionEnforcer Component', () => {
     });
 
     it('handles empty permissions array', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -313,10 +324,11 @@ describe('PermissionEnforcer Component', () => {
         appId: 'custom-app'
       };
 
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -333,20 +345,20 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         customScope,
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
 
     it('resolves scope from organisation and event context', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -362,14 +374,13 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
@@ -382,10 +393,11 @@ describe('PermissionEnforcer Component', () => {
         supabase: {} as any
       });
 
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -401,14 +413,13 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: undefined
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
@@ -427,10 +438,11 @@ describe('PermissionEnforcer Component', () => {
         appId: 'resolved-app'
       });
 
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -447,14 +459,13 @@ describe('PermissionEnforcer Component', () => {
       }, { interval: 10 });
 
       expect(mockCreateScopeFromEvent).toHaveBeenCalledWith({}, 'event-123');
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'resolved-org',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
@@ -513,10 +524,11 @@ describe('PermissionEnforcer Component', () => {
     it('prevents bypassing in strict mode', async () => {
       const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
       
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -549,10 +561,11 @@ describe('PermissionEnforcer Component', () => {
     it('logs security violations for audit', async () => {
       const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
       
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -586,10 +599,11 @@ describe('PermissionEnforcer Component', () => {
     it('calls onDenied callback when access is denied', async () => {
       const onDeniedSpy = vi.fn();
       
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -613,10 +627,11 @@ describe('PermissionEnforcer Component', () => {
     it('does not call onDenied when access is granted', async () => {
       const onDeniedSpy = vi.fn();
       
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -641,10 +656,11 @@ describe('PermissionEnforcer Component', () => {
     it('respects strictMode setting', async () => {
       const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
       
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -672,10 +688,11 @@ describe('PermissionEnforcer Component', () => {
     it('respects auditLog setting', async () => {
       const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
       
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -700,11 +717,12 @@ describe('PermissionEnforcer Component', () => {
       consoleSpy.mockRestore();
     });
 
-    it('respects requireAll setting', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+    it('respects requireAll=false (any permission granted)', async () => {
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -721,15 +739,14 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      // Should still check the first permission as representative
-      expect(mockUseCan).toHaveBeenCalledWith(
+      // Should check all permissions and allow access if any is granted
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'],
         true
       );
     });
@@ -744,10 +761,11 @@ describe('PermissionEnforcer Component', () => {
         supabase: {} as any
       });
 
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
 
       render(
@@ -764,24 +782,24 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
       }, { interval: 10 });
 
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         '',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
 
     it('handles permission check errors', async () => {
       const error = new Error('Database connection failed');
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: false,
-        error
+        error,
+        refetch: vi.fn()
       });
 
       render(

package/src/rbac/config.ts

@@ -9,6 +9,7 @@
 
 import { SupabaseClient } from '@supabase/supabase-js';
 import { Database } from '../types/database';
+import { RBACSecurityConfig } from './security';
 
 export type LogLevel = 'error' | 'warn' | 'info' | 'debug';
 
@@ -26,6 +27,7 @@ export interface RBACConfig {
     enabled?: boolean;
     logLevel?: LogLevel;
   };
+  security?: Partial<RBACSecurityConfig>;
 }
 
 export interface RBACLogger {

package/src/rbac/docs/event-based-apps.md

@@ -40,7 +40,7 @@ import { PermissionEnforcer } from '@jmruthers/pace-core/rbac';
 function EventDashboard() {
   return (
     <PermissionEnforcer
-      permissions={['read:events', 'manage:participants']}
+      permissions={['read:events', 'update:participants']}
       operation="dashboard"
     >
       <div>Event Dashboard Content</div>
@@ -84,7 +84,7 @@ const navigationItems = [
     id: 'settings',
     name: 'Settings',
     path: '/event/settings',
-    permissions: ['manage:events']
+    permissions: ['update:events']
   }
 ];
 
@@ -118,7 +118,7 @@ function EventComponent() {
   const { can: canManageEvents } = useCan(
     userId,
     { eventId: selectedEventId },
-    'manage:events'
+    'update:events'
   );
 
   return (
@@ -178,19 +178,19 @@ These permissions are specific to an event and app combination:
 ```typescript
 const EVENT_APP_PERMISSIONS = {
   // Event management
-  MANAGE_EVENT: 'manage:event',
+  MANAGE_EVENT: 'update:event',
   READ_EVENT: 'read:event',
   UPDATE_EVENT: 'update:event',
   
   // Participant management
-  MANAGE_PARTICIPANTS: 'manage:participants',
+  MANAGE_PARTICIPANTS: 'update:participants',
   READ_PARTICIPANTS: 'read:participants',
   CREATE_PARTICIPANTS: 'create:participants',
   UPDATE_PARTICIPANTS: 'update:participants',
   DELETE_PARTICIPANTS: 'delete:participants',
   
   // App-specific permissions
-  MANAGE_APP: 'manage:app',
+  MANAGE_APP: 'update:app',
   READ_APP: 'read:app',
   UPDATE_APP: 'update:app',
 };

package/src/rbac/engine.ts

@@ -36,7 +36,8 @@ import {
   RBACSecurityValidator, 
   RBACSecurityMiddleware, 
   SecurityContext,
-  DEFAULT_SECURITY_CONFIG 
+  DEFAULT_SECURITY_CONFIG,
+  RBACSecurityConfig
 } from './security';
 
 /**
@@ -49,9 +50,14 @@ export class RBACEngine {
   private supabase: SupabaseClient<Database>;
   private securityMiddleware: RBACSecurityMiddleware;
 
-  constructor(supabase: SupabaseClient<Database>) {
+  constructor(supabase: SupabaseClient<Database>, securityConfig?: Partial<RBACSecurityConfig>) {
     this.supabase = supabase;
-    this.securityMiddleware = new RBACSecurityMiddleware(DEFAULT_SECURITY_CONFIG);
+    // Merge provided security config with defaults
+    const mergedSecurityConfig: RBACSecurityConfig = {
+      ...DEFAULT_SECURITY_CONFIG,
+      ...securityConfig,
+    };
+    this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);
     
     // Initialize cache invalidation for automatic cache clearing
     initializeCacheInvalidation(supabase);
@@ -295,6 +301,8 @@ export class RBACEngine {
       return cached;
     }
 
+    const now = new Date().toISOString();
+
     // Check super admin
     const isSuperAdmin = await this.checkSuperAdmin(userId);
     if (isSuperAdmin) {
@@ -311,6 +319,8 @@ export class RBACEngine {
         .eq('organisation_id', scope.organisationId)
         .eq('status', 'active')
         .is('revoked_at', null)
+        .lte('valid_from', now)
+        .or(`valid_to.is.null,valid_to.gte.${now}`)
         .single() as { data: { role: string } | null; error: any };
 
       if (orgRole?.role === 'org_admin') {
@@ -321,7 +331,6 @@ export class RBACEngine {
 
     // Check event-app role
     if (scope.eventId && scope.appId) {
-      const now = new Date().toISOString();
       const { data: eventRole } = await this.supabase
         .from('rbac_event_app_roles')
         .select('role')
@@ -402,10 +411,17 @@ export class RBACEngine {
         .eq('app_id', scope.appId) as { data: Array<{ id: string; page_name: string }> | null };
 
       if (pages) {
+        // OrganisationId is required for permission checks
+        if (!scope.organisationId) {
+          // Return empty permission map if no organisation context
+          rbacCache.set(cacheKey, permissionMap, 60000);
+          return permissionMap;
+        }
+
         // Create a security context for permission checks
         const securityContext: SecurityContext = {
           userId,
-          organisationId: scope.organisationId,
+          organisationId: scope.organisationId, // Required
           timestamp: new Date(),
         };
 
@@ -589,9 +605,13 @@ export class RBACEngine {
  * Create an RBAC engine instance
  * 
  * @param supabase - Supabase client
+ * @param securityConfig - Optional security configuration
  * @returns RBACEngine instance
  */
-export function createRBACEngine(supabase: SupabaseClient<Database>): RBACEngine {
-  return new RBACEngine(supabase);
+export function createRBACEngine(
+  supabase: SupabaseClient<Database>,
+  securityConfig?: Partial<RBACSecurityConfig>
+): RBACEngine {
+  return new RBACEngine(supabase, securityConfig);
 }