npm - @jmruthers/pace-core - Versions diffs - 0.5.114 → 0.5.116 - Mend

@jmruthers/pace-core 0.5.114 → 0.5.116

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (236) hide show

package/src/rbac/audit-enhanced.ts DELETED Viewed

@@ -1,351 +0,0 @@
-/**
- * Enhanced RBAC Audit Manager
- * @package @jmruthers/pace-core
- * @module RBAC/AuditEnhanced
- * @since 1.0.0
- *
- * This module provides an enhanced audit manager that can handle both
- * authenticated user contexts and service role contexts for audit logging.
- */
-import { SupabaseClient } from '@supabase/supabase-js';
-import { Database } from '../types/database';
-import {
-  UUID,
-  AuditEventSource,
-  RBACAuditEvent
-} from './types';
-/**
- * Enhanced audit event payload for permission checks
- */
-export interface EnhancedPermissionCheckAuditEvent {
-  type: 'permission_check';
-  userId: UUID;
-  organisationId: UUID;
-  eventId?: string;
-  appId?: UUID;
-  pageId?: UUID;
-  permission: string;
-  decision: boolean;
-  source: AuditEventSource;
-  bypass?: boolean;
-  duration_ms: number;
-  metadata?: Record<string, any>;
-}
-/**
- * Enhanced audit event payload for permission denied
- */
-export interface EnhancedPermissionDeniedAuditEvent {
-  type: 'permission_denied';
-  userId: UUID;
-  organisationId: UUID;
-  eventId?: string;
-  appId?: UUID;
-  pageId?: UUID;
-  permission: string;
-  source: AuditEventSource;
-  metadata?: Record<string, any>;
-}
-/**
- * Enhanced audit event payload for role granted
- */
-export interface EnhancedRoleGrantedAuditEvent {
-  type: 'role_granted';
-  userId: UUID;
-  organisationId: UUID;
-  eventId?: string;
-  appId?: UUID;
-  role: string;
-  grantedBy: UUID;
-  metadata?: Record<string, any>;
-}
-/**
- * Enhanced audit event payload for role revoked
- */
-export interface EnhancedRoleRevokedAuditEvent {
-  type: 'role_denied';
-  userId: UUID;
-  organisationId: UUID;
-  eventId?: string;
-  appId?: UUID;
-  role: string;
-  revokedBy: UUID;
-  metadata?: Record<string, any>;
-}
-/**
- * Enhanced audit event payload for RLS denied
- */
-export interface EnhancedRLSDeniedAuditEvent {
-  type: 'rls_denied';
-  userId: UUID;
-  organisationId: UUID;
-  table: string;
-  operation: string;
-  metadata?: Record<string, any>;
-}
-/**
- * Union type for all enhanced audit events
- */
-export type EnhancedAuditEventPayload =
-  | EnhancedPermissionCheckAuditEvent
-  | EnhancedPermissionDeniedAuditEvent
-  | EnhancedRoleGrantedAuditEvent
-  | EnhancedRoleRevokedAuditEvent
-  | EnhancedRLSDeniedAuditEvent;
-/**
- * Enhanced RBAC Audit Manager
- *
- * Handles emission of structured audit events with better error handling
- * and support for both authenticated and service role contexts.
- */
-export class EnhancedRBACAuditManager {
-  private supabase: SupabaseClient<Database>;
-  private enabled: boolean = true;
-  private fallbackEnabled: boolean = true;
-  constructor(supabase: SupabaseClient<Database>) {
-    this.supabase = supabase;
-  }
-  /**
-   * Enable or disable audit logging
-   *
-   * @param enabled - Whether to enable audit logging
-   */
-  setEnabled(enabled: boolean): void {
-    this.enabled = enabled;
-  }
-  /**
-   * Enable or disable fallback logging (console logging when database fails)
-   *
-   * @param enabled - Whether to enable fallback logging
-   */
-  setFallbackEnabled(enabled: boolean): void {
-    this.fallbackEnabled = enabled;
-  }
-  /**
-   * Check if audit logging is enabled
-   *
-   * @returns True if audit logging is enabled
-   */
-  isEnabled(): boolean {
-    return this.enabled;
-  }
-  /**
-   * Emit an audit event with enhanced error handling
-   *
-   * @param event - Audit event payload
-   * @returns Promise that resolves when event is logged
-   */
-  async emitEvent(event: EnhancedAuditEventPayload): Promise<void> {
-    if (!this.enabled) {
-      return;
-    }
-    // Validate required fields before attempting to insert
-    if (!event.userId || !event.organisationId) {
-      console.warn('[RBAC Audit] Skipping audit event - missing required fields:', {
-        userId: event.userId,
-        organisationId: event.organisationId,
-        eventType: event.type
-      });
-      return;
-    }
-    try {
-      // Validate pageId: only include in page_id column if it's a valid UUID
-      // Otherwise, store it in metadata to avoid database errors
-      const rawPageId = 'pageId' in event ? event.pageId : undefined;
-      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-      const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);
-      const pageIdUuid: UUID | undefined = isValidPageIdUuid ? (rawPageId as UUID) : undefined;
-      const pageIdName: string | undefined = rawPageId && !isValidPageIdUuid ? rawPageId : undefined;
-      const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {
-        event_type: event.type,
-        user_id: event.userId,
-        organisation_id: event.organisationId,
-        event_id: 'eventId' in event ? event.eventId : undefined,
-        app_id: 'appId' in event ? event.appId : undefined,
-        page_id: pageIdUuid, // Only set if it's a valid UUID
-        permission: 'permission' in event ? event.permission : undefined,
-        decision: 'decision' in event ? event.decision : undefined,
-        source: 'source' in event ? event.source : 'api', // Default to 'api' if not provided
-        bypass: 'bypass' in event ? event.bypass : undefined,
-        duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,
-        metadata: {
-          ...(event.metadata || {}),
-          // Store page name/identifier in metadata if it's not a UUID
-          page_name: pageIdName,
-        },
-      };
-      const { error } = await (this.supabase as any)
-        .from('rbac_audit_events')
-        .insert([auditEvent]);
-      if (error) {
-        // Log the error for debugging
-        console.warn('[RBAC Audit] Failed to insert audit event:', {
-          error: error.message,
-          code: error.code,
-          details: error.details,
-          hint: error.hint,
-          event: auditEvent
-        });
-        // Use fallback logging if enabled
-        if (this.fallbackEnabled) {
-          this.logFallbackEvent(event, error);
-        }
-      }
-    } catch (error) {
-      // Log unexpected errors
-      console.error('[RBAC Audit] Unexpected error during audit logging:', error);
-      // Use fallback logging if enabled
-      if (this.fallbackEnabled) {
-        this.logFallbackEvent(event, error);
-      }
-    }
-  }
-  /**
-   * Log event to console as fallback when database logging fails
-   *
-   * @param event - Audit event payload
-   * @param error - The error that occurred
-   */
-  private logFallbackEvent(event: EnhancedAuditEventPayload, error: any): void {
-    console.log('[RBAC Audit Fallback]', {
-      timestamp: new Date().toISOString(),
-      event,
-      error: error?.message || error,
-      note: 'Database audit logging failed, using console fallback'
-    });
-  }
-  /**
-   * Emit a permission check audit event
-   *
-   * @param event - Permission check event data
-   */
-  async emitPermissionCheck(event: Omit<EnhancedPermissionCheckAuditEvent, 'type'>): Promise<void> {
-    await this.emitEvent({
-      type: 'permission_check',
-      ...event,
-    });
-  }
-  /**
-   * Emit a permission denied audit event
-   *
-   * @param event - Permission denied event data
-   */
-  async emitPermissionDenied(event: Omit<EnhancedPermissionDeniedAuditEvent, 'type'>): Promise<void> {
-    await this.emitEvent({
-      type: 'permission_denied',
-      ...event,
-    });
-  }
-  /**
-   * Emit a role granted audit event
-   *
-   * @param event - Role granted event data
-   */
-  async emitRoleGranted(event: Omit<EnhancedRoleGrantedAuditEvent, 'type'>): Promise<void> {
-    await this.emitEvent({
-      type: 'role_granted',
-      ...event,
-    });
-  }
-  /**
-   * Emit a role revoked audit event
-   *
-   * @param event - Role revoked event data
-   */
-  async emitRoleRevoked(event: Omit<EnhancedRoleRevokedAuditEvent, 'type'>): Promise<void> {
-    await this.emitEvent({
-      type: 'role_denied',
-      ...event,
-    });
-  }
-  /**
-   * Emit an RLS denied audit event
-   *
-   * @param event - RLS denied event data
-   */
-  async emitRLSDenied(event: Omit<EnhancedRLSDeniedAuditEvent, 'type'>): Promise<void> {
-    await this.emitEvent({
-      type: 'rls_denied',
-      ...event,
-    });
-  }
-  /**
-   * Get audit events for a user
-   *
-   * @param userId - User ID
-   * @param limit - Maximum number of events to return
-   * @returns Promise resolving to audit events
-   */
-  async getUserAuditEvents(userId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {
-    const { data, error } = await this.supabase
-      .from('rbac_audit_events')
-      .select('*')
-      .eq('user_id', userId)
-      .order('created_at', { ascending: false })
-      .limit(limit);
-    if (error) {
-      throw new Error(`Failed to get audit events: ${error.message}`);
-    }
-    return data || [];
-  }
-  /**
-   * Get audit events for an organisation
-   *
-   * @param organisationId - Organisation ID
-   * @param limit - Maximum number of events to return
-   * @returns Promise resolving to audit events
-   */
-  async getOrganisationAuditEvents(organisationId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {
-    const { data, error } = await this.supabase
-      .from('rbac_audit_events')
-      .select('*')
-      .eq('organisation_id', organisationId)
-      .order('created_at', { ascending: false })
-      .limit(limit);
-    if (error) {
-      throw new Error(`Failed to get audit events: ${error.message}`);
-    }
-    return data || [];
-  }
-}
-/**
- * Create an enhanced audit manager instance
- *
- * @param supabase - Supabase client
- * @returns EnhancedRBACAuditManager instance
- */
-export function createEnhancedAuditManager(supabase: SupabaseClient<Database>): EnhancedRBACAuditManager {
-  return new EnhancedRBACAuditManager(supabase);
-}