@jmruthers/pace-core 0.5.110 → 0.5.111

package/src/rbac/audit.test.ts

@@ -143,7 +143,7 @@ describe('RBACAuditManager', () => {
         eventId: 'event-789',
         appId: 'app-101' as UUID,
         pageId: 'page-202' as UUID,
-        permission: 'manage:users',
+        permission: 'update:users',
         source: 'api' as AuditEventSource,
         metadata: { reason: 'Insufficient role' }
       };
@@ -159,7 +159,7 @@ describe('RBACAuditManager', () => {
             event_id: 'event-789',
             app_id: 'app-101',
             page_id: 'page-202',
-            permission: 'manage:users',
+            permission: 'update:users',
             source: 'api',
             metadata: expect.objectContaining({ reason: 'Insufficient role' })
           })

package/src/rbac/audit.ts

@@ -163,13 +163,22 @@ export class RBACAuditManager {
     }
 
     try {
-      // For events without organisationId, store in a special way
+      // Since organisationId is now required in SecurityContext, this should rarely happen
+      // But we still handle the edge case properly without masking it
+      if (!event.organisationId) {
+        console.warn('[RBAC Audit] Audit event without organisation context - this should be investigated:', {
+          userId: event.userId,
+          eventType: event.type,
+          note: 'Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation.'
+        });
+      }
+
       const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {
         event_type: event.type,
         user_id: event.userId,
-        // CRITICAL: Store organisationId even if null for auditing
-        // Use a fallback UUID if organisation context is missing (for database constraint)
-        organisation_id: event.organisationId || '00000000-0000-0000-0000-000000000000' as UUID,
+        // Store organisationId - nullable to properly track missing context cases
+        // Do NOT use fallback UUID as it masks security issues
+        organisation_id: event.organisationId || null, // Explicitly null if missing
         event_id: 'eventId' in event ? event.eventId : undefined,
         app_id: 'appId' in event ? event.appId : undefined,
         page_id: 'pageId' in event ? event.pageId : undefined,
@@ -182,7 +191,7 @@ export class RBACAuditManager {
           ...event.metadata,
           cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,
           cache_source: 'cache_source' in event ? event.cache_source : undefined,
-          // Store a flag indicating this event had no organisation context
+          // Explicit flag indicating this event had no organisation context
           no_organisation_context: !event.organisationId,
         },
       };

package/src/rbac/cache.test.ts

@@ -129,6 +129,18 @@ describe('RBACCache', () => {
       expect(cache.get('org-789-data')).not.toBeNull();
     });
 
+    it('supports wildcard patterns spanning cache segments', () => {
+      cache.set('perm:user-123:org-789:null:null:view:dashboard', true);
+      cache.set('perm:user-456:org-789:null:null:view:dashboard', true);
+      cache.set('perm:user-123:org-000:null:null:view:dashboard', true);
+
+      cache.invalidate('perm:*:org-789:*');
+
+      expect(cache.get('perm:user-123:org-789:null:null:view:dashboard')).toBeNull();
+      expect(cache.get('perm:user-456:org-789:null:null:view:dashboard')).toBeNull();
+      expect(cache.get('perm:user-123:org-000:null:null:view:dashboard')).toBe(true);
+    });
+
     it('handles empty pattern gracefully', () => {
       expect(() => cache.invalidate('')).not.toThrow();
     });

package/src/rbac/cache.ts

@@ -72,18 +72,38 @@ export class RBACCache {
    * @param pattern - Pattern to match against cache keys
    */
   invalidate(pattern: string): void {
+    const trimmedPattern = pattern?.trim();
+
+    if (!trimmedPattern) {
+      return;
+    }
+
+    const matcher = this.createMatcher(trimmedPattern);
     const keysToDelete: string[] = [];
-    
+
     for (const key of this.cache.keys()) {
-      if (key.includes(pattern)) {
+      if (matcher(key)) {
         keysToDelete.push(key);
       }
     }
 
     keysToDelete.forEach(key => this.cache.delete(key));
-    
+
     // Notify invalidation callbacks
-    this.invalidationCallbacks.forEach(callback => callback(pattern));
+    this.invalidationCallbacks.forEach(callback => callback(trimmedPattern));
+  }
+
+  private createMatcher(pattern: string): (key: string) => boolean {
+    if (pattern.includes('*')) {
+      const escapedSegments = pattern
+        .split('*')
+        .map(segment => segment.replace(/[|\\{}()[\]^$+?.-]/g, '\\$&'));
+      const regexPattern = escapedSegments.join('.*');
+      const regex = new RegExp(regexPattern);
+      return (key: string) => regex.test(key);
+    }
+
+    return (key: string) => key.includes(pattern);
   }
 
   /**
@@ -239,9 +259,9 @@ export const rbacCache = new RBACCache();
  * Cache key patterns for invalidation
  */
 export const CACHE_PATTERNS = {
-  USER: (userId: UUID) => `user:${userId}`,
-  ORGANISATION: (organisationId: UUID) => `org:${organisationId}`,
-  EVENT: (eventId: string) => `event:${eventId}`,
-  APP: (appId: UUID) => `app:${appId}`,
-  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}`,
+  USER: (userId: UUID) => `:${userId}:`,
+  ORGANISATION: (organisationId: UUID) => `:${organisationId}:`,
+  EVENT: (eventId: string) => `:${eventId}:`,
+  APP: (appId: UUID) => `:${appId}`,
+  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}:`,
 } as const;

package/src/rbac/components/EnhancedNavigationMenu.test.tsx

@@ -74,7 +74,7 @@ const mockNavigationItems: NavigationItem[] = [
     id: 'admin',
     label: 'Admin',
     path: '/admin',
-    permissions: ['manage:admin'] as Permission[],
+    permissions: ['update:admin'] as Permission[],
     pageId: 'page-admin',
     accessLevel: 'admin',
     meta: {

package/src/rbac/components/NavigationGuard.tsx

@@ -65,7 +65,7 @@
  */
 
 import React, { useMemo, useCallback, useEffect, useState } from 'react';
-import { useCan } from '../hooks';
+import { useMultiplePermissions } from '../hooks/usePermissions';
 import { useUnifiedAuth } from '../../providers/UnifiedAuthProvider';
 import { UUID, Permission, Scope } from '../types';
 import { createScopeFromEvent } from '../utils/eventContext';
@@ -176,26 +176,26 @@ export function NavigationGuard({
     resolveScope();
   }, [scope, selectedOrganisation, selectedEvent, supabase]);
 
-  // Check permissions using the first permission as a representative
-  // For multiple permissions, we'll check them sequentially
-  const representativePermission = navigationItem.permissions[0];
-  const { can, isLoading, error } = useCan(
+  // Check all permissions using useMultiplePermissions hook
+  const { results: permissionResults, isLoading, error } = useMultiplePermissions(
     user?.id || '',
     resolvedScope || { eventId: selectedEvent?.event_id || undefined },
-    representativePermission,
-    navigationItem.pageId,
+    navigationItem.permissions || [],
     true // Use cache
   );
 
-  // Determine if user has required permissions
+  // Determine if user has required permissions based on requireAll prop
   const hasRequiredPermissions = useMemo((): boolean => {
-    if (navigationItem.permissions.length === 0) return true;
+    if (!navigationItem.permissions || navigationItem.permissions.length === 0) return true;
     
-    // For now, use the representative permission result
-    // In a future enhancement, we could check all permissions
-    // but this would require multiple useCan hooks or a custom hook
-    return can;
-  }, [navigationItem.permissions, can]);
+    if (requireAll) {
+      // User must have ALL permissions
+      return Object.values(permissionResults).every(result => result === true);
+    } else {
+      // User must have ANY permission (default behavior)
+      return Object.values(permissionResults).some(result => result === true);
+    }
+  }, [navigationItem.permissions, permissionResults, requireAll]);
 
   // Handle permission check completion
   useEffect(() => {

package/src/rbac/components/NavigationProvider.test.tsx

@@ -57,7 +57,7 @@ const mockNavigationItems: NavigationItem[] = [
     id: 'admin',
     label: 'Admin',
     path: '/admin',
-    permissions: ['manage:admin'] as Permission[],
+    permissions: ['update:admin'] as Permission[],
     pageId: 'page-admin',
     accessLevel: 'admin'
   }

package/src/rbac/components/PagePermissionGuard.tsx

@@ -378,7 +378,7 @@ const PagePermissionGuardComponent = ({
   }, [operation, pageName]);
 
   // Create a stable scope that only includes valid values
-  // This ensures useCan doesn't run with empty organisationId which causes it to stay in loading state
+  // OrganisationId is required - use undefined if not available, useCan will handle loading state
   const stableScope = useMemo(() => {
     if (resolvedScope && resolvedScope.organisationId) {
       return {
@@ -387,8 +387,9 @@ const PagePermissionGuardComponent = ({
         eventId: resolvedScope.eventId || undefined
       };
     }
-    // Return a scope with empty string organisationId - useCan will handle this by keeping loading state
-    return { organisationId: '', appId: undefined, eventId: undefined };
+    // Return scope without organisationId - useCan will keep loading state until resolved
+    // Scope.organisationId is optional, so undefined is valid
+    return { organisationId: undefined, appId: undefined, eventId: undefined };
   }, [resolvedScope]);
 
   // Check if user has permission - only call useCan when we have a resolved scope with valid organisationId

package/src/rbac/components/PagePermissionProvider.test.tsx

@@ -38,7 +38,7 @@ const mockScope: Scope = {
   appId: 'app-789' as UUID
 };
 
-const mockPermissions = ['read:users', 'manage:users'] as const;
+const mockPermissions = ['read:users', 'update:users'] as const;
 const mockPageId = 'page-123';
 
 // Test component

package/src/rbac/components/PermissionEnforcer.tsx

@@ -19,7 +19,7 @@
  * ```tsx
  * // Basic permission enforcement
  * <PermissionEnforcer
- *   permissions={['read:events', 'manage:events']}
+ *   permissions={['read:events', 'update:events']}
  *   operation="event-management"
  *   fallback={<AccessDeniedPage />}
  * >
@@ -67,7 +67,7 @@
  */
 
 import React, { useMemo, useCallback, useEffect, useState } from 'react';
-import { useCan } from '../hooks';
+import { useMultiplePermissions } from '../hooks/usePermissions';
 import { useUnifiedAuth } from '../../providers/UnifiedAuthProvider';
 import { UUID, Permission, Scope } from '../types';
 import { createScopeFromEvent } from '../utils/eventContext';
@@ -129,7 +129,6 @@ export function PermissionEnforcer({
   const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
   const [hasChecked, setHasChecked] = useState(false);
   const [checkError, setCheckError] = useState<Error | null>(null);
-  const [permissionResults, setPermissionResults] = useState<Record<string, boolean>>({});
   const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);
 
   // Resolve scope - either use provided scope or resolve from context
@@ -182,26 +181,31 @@ export function PermissionEnforcer({
     resolveScope();
   }, [scope, selectedOrganisation, selectedEvent, supabase]);
 
-  // Check permissions using the first permission as a representative
-  // For multiple permissions, we'll check them sequentially
-  const representativePermission = permissions[0];
-  const { can, isLoading, error } = useCan(
+  // Check all permissions using useMultiplePermissions hook
+  const { results: permissionResults, isLoading, error } = useMultiplePermissions(
     user?.id || '',
     resolvedScope || { eventId: selectedEvent?.event_id || undefined },
-    representativePermission,
-    undefined,
+    permissions,
     true // Use cache
   );
 
-  // Determine if user has required permissions
+  // Determine if user has required permissions based on requireAll prop
   const hasRequiredPermissions = useMemo((): boolean => {
     if (permissions.length === 0) return true;
     
-    // For now, use the representative permission result
-    // In a future enhancement, we could check all permissions
-    // but this would require multiple useCan hooks or a custom hook
-    return can;
-  }, [permissions, can]);
+    // If permissionResults is not yet available or empty, deny access
+    if (!permissionResults || Object.keys(permissionResults).length === 0) {
+      return false;
+    }
+    
+    if (requireAll) {
+      // User must have ALL permissions
+      return Object.values(permissionResults).every(result => result === true);
+    } else {
+      // User must have ANY permission (default behavior)
+      return Object.values(permissionResults).some(result => result === true);
+    }
+  }, [permissions, permissionResults, requireAll]);
 
   // Handle permission check completion
   useEffect(() => {

package/src/rbac/components/RoleBasedRouter.tsx

@@ -79,6 +79,9 @@ export interface RouteConfig {
   /** Permissions required for this route */
   permissions: Permission[];
   
+  /** If true, this route is public and doesn't require permission checks */
+  public?: boolean;
+  
   /** Roles that can access this route */
   roles?: string[];
   
@@ -232,10 +235,13 @@ export function RoleBasedRouter({
     currentRouteConfig?.pageId
   );
 
-  // If route has no permissions, deny access (secure by default)
+  // Check if route is public
+  const isPublicRoute = currentRouteConfig?.public === true;
+  
+  // If route has no permissions and is not public, deny access (secure by default)
   const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
-  const finalCanAccess = hasPermissions ? canAccessCurrentRoute : false;
-  const finalLoading = hasPermissions ? permissionLoading : false;
+  const finalCanAccess = isPublicRoute ? true : (hasPermissions ? canAccessCurrentRoute : false);
+  const finalLoading = isPublicRoute ? false : (hasPermissions ? permissionLoading : false);
 
   // Get all accessible routes for current user
   const getAccessibleRoutes = useCallback((): RouteConfig[] => {
@@ -323,13 +329,14 @@ export function RoleBasedRouter({
     
     // Use the actual permission check result
     const allowed = finalCanAccess;
+    // Log route access (including public routes for audit monitoring)
     recordRouteAccess(currentPath, allowed, currentRouteConfig);
     
-    if (!allowed) {
-      // Redirect to fallback route
+    if (!allowed && !isPublicRoute) {
+      // Redirect to fallback route (skip for public routes)
       navigate(fallbackRoute, { replace: true });
     }
-  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute]);
+  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute, isPublicRoute]);
 
   // Context value
   const contextValue = useMemo((): RoleBasedRouterContextType => ({
@@ -350,8 +357,8 @@ export function RoleBasedRouter({
     auditLog
   ]);
 
-  // Show loading state while checking permissions
-  if (finalLoading) {
+  // Show loading state while checking permissions (skip for public routes)
+  if (finalLoading && !isPublicRoute) {
     return (
       <div className="flex items-center justify-center min-h-screen">
         <div className="text-center">
@@ -363,7 +370,7 @@ export function RoleBasedRouter({
   }
 
   // Show unauthorized component if user can't access current route
-  if (currentRouteConfig && !finalCanAccess) {
+  if (currentRouteConfig && !finalCanAccess && !isPublicRoute) {
     return (
       <UnauthorizedComponent 
         route={currentRoute}