@jmruthers/pace-core 0.5.136 → 0.5.139

package/src/utils/secureDataAccess.ts

@@ -0,0 +1,377 @@
+/**
+ * @file Secure Data Access Utility
+ * @package @jmruthers/pace-core
+ * @module Utils/SecureDataAccess
+ * @since 0.4.0
+ *
+ * Secure data access utilities that enforce organisation context for all database operations.
+ * Prevents data leakage between organisations and ensures proper access validation.
+ */
+
+import type { SupabaseClient } from '@supabase/supabase-js';
+
+// Generic database record type
+export interface DatabaseRecord {
+  id: string;
+  organisation_id: string;
+  [key: string]: unknown;
+}
+
+// Generic data for insert/update operations
+export interface DatabaseData {
+  [key: string]: unknown;
+}
+
+// Generic filters for queries
+export interface DatabaseFilters {
+  [key: string]: unknown;
+}
+
+// Secure query options
+export interface SecureQueryOptions {
+  table: string;
+  select: string;
+  organisationId: string;
+  filters?: DatabaseFilters;
+  orderBy?: string;
+  limit?: number;
+  offset?: number;
+}
+
+export interface SecureDataAccess {
+  // Secure query methods
+  secureQuery: <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions) => Promise<T[]>;
+  secureSingleQuery: <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions) => Promise<T | null>;
+  
+  // Secure mutation methods
+  secureInsert: <T extends DatabaseRecord = DatabaseRecord>(table: string, data: DatabaseData, organisationId: string) => Promise<T | null>;
+  secureUpdate: <T extends DatabaseRecord = DatabaseRecord>(table: string, data: DatabaseData, filters: DatabaseFilters, organisationId: string) => Promise<T | null>;
+  secureDelete: (table: string, filters: DatabaseFilters, organisationId: string) => Promise<boolean>;
+  
+  // Organisation-scoped queries
+  queryByOrganisation: <T extends DatabaseRecord = DatabaseRecord>(table: string, select: string, organisationId: string, filters?: DatabaseFilters) => Promise<T[]>;
+  
+  // Validation helpers
+  validateOrganisationContext: (organisationId: string) => void;
+  ensureOrganisationColumn: (table: string) => boolean;
+}
+
+export interface SecureQueryBuilder {
+  table: string;
+  select: string;
+  organisationId: string;
+  filters?: DatabaseFilters;
+  orderBy?: string;
+  limit?: number;
+  offset?: number;
+}
+
+/**
+ * Create a secure data access instance
+ * @param supabase - Supabase client instance
+ * @param organisationId - Current organisation context
+ * @param isSuperAdmin - Whether user has super admin privileges
+ * @returns Secure data access utilities
+ */
+export const createSecureDataAccess = (
+  supabase: SupabaseClient,
+  organisationId: string,
+  isSuperAdmin: boolean = false
+): SecureDataAccess => {
+  
+  // Validate organisation context
+  const validateOrganisationContext = (orgId: string): void => {
+    if (!orgId) {
+      throw new Error('Organisation context is required for secure data access');
+    }
+    
+    if (!isSuperAdmin && !orgId) {
+      throw new Error('Organisation context is mandatory for non-super admin users');
+    }
+  };
+
+  // Check if table has organisation_id column
+  const ensureOrganisationColumn = (table: string): boolean => {
+    // This is a simplified check - in production you might want to cache this
+    const tablesWithOrganisation = [
+      'event',  'organisation_settings',
+      'rbac_event_app_roles', 'rbac_organisation_roles',
+      // SECURITY: Phase 2 additions - complete organisation table mapping
+      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',
+      // SECURITY: Emergency additions for Phase 1 fixes
+      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',
+      // SECURITY: Phase 3A additions - medical and personal data
+      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',
+      'pace_consent', 'pace_contact', 'pace_id_documents', 'pace_qualifications',
+      'form_responses', 'form_response_values', 'forms',
+      // SECURITY: Phase 3B additions - remaining critical tables
+      'invoice', 'line_item', 'credit_balance', 'payment_method',
+      'form_contexts', 'form_field_config', 'form_fields',
+      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', 
+      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', 
+      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'
+    ];
+    
+    return tablesWithOrganisation.includes(table);
+  };
+
+  // Build secure query with organisation context
+  const buildSecureQuery = (options: SecureQueryBuilder) => {
+    const { table, select, organisationId: orgId, filters, orderBy, limit, offset } = options;
+    
+    validateOrganisationContext(orgId);
+    
+    let query = supabase
+      .from(table)
+      .select(select);
+    
+    // Add organisation filter (unless super admin)
+    if (!isSuperAdmin && ensureOrganisationColumn(table)) {
+      query = query.eq('organisation_id', orgId);
+    }
+    
+    // Add additional filters
+    if (filters) {
+      Object.entries(filters).forEach(([key, value]) => {
+        if (value !== undefined && value !== null) {
+          // Handle qualified column names (e.g., 'users.role')
+          const columnName = key.includes('.') ? key.split('.').pop()! : key;
+          query = query.eq(columnName, value);
+        }
+      });
+    }
+    
+    // Add ordering
+    if (orderBy) {
+      // Only use the column name, not a qualified name
+      const orderByColumn = orderBy.split('.').pop();
+      if (orderByColumn) {
+        query = query.order(orderByColumn);
+      }
+    }
+    
+    // Add pagination
+    if (limit) {
+      query = query.limit(limit);
+    }
+    
+    if (offset) {
+      query = query.range(offset, offset + (limit || 10) - 1);
+    }
+    
+    return query;
+  };
+
+  // Secure query for multiple results
+  const secureQuery = async <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions): Promise<T[]> => {
+    const { table, select, organisationId: orgId, filters, orderBy, limit, offset } = options;
+    
+    try {
+      const query = buildSecureQuery({
+        table,
+        select,
+        organisationId: orgId,
+        filters,
+        orderBy,
+        limit,
+        offset
+      });
+      
+      const { data, error } = await query;
+      
+      if (error) {
+        throw error;
+      }
+      
+      // Ensure data is an array and not an error type
+      if (Array.isArray(data)) {
+        return data as unknown as T[];
+      }
+      
+      return [];
+    } catch (error) {
+      throw error;
+    }
+  };
+
+  // Secure query for single result
+  const secureSingleQuery = async <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions): Promise<T | null> => {
+    const { table, select, organisationId: orgId, filters, orderBy, limit, offset } = options;
+    
+    try {
+      const query = buildSecureQuery({
+        table,
+        select,
+        organisationId: orgId,
+        filters,
+        orderBy,
+        limit,
+        offset
+      });
+      
+      const { data, error } = await query.single();
+      
+      if (error) {
+        if (error.code === 'PGRST116') {
+          // No rows returned
+          return null;
+        }
+        throw error;
+      }
+      
+      // Ensure data is not an error type
+      if (data && typeof data === 'object' && !('code' in data)) {
+        return data as unknown as T;
+      }
+      
+      return null;
+    } catch (error) {
+      throw error;
+    }
+  };
+
+  // Secure insert with organisation context
+  const secureInsert = async <T extends DatabaseRecord = DatabaseRecord>(
+    table: string, 
+    data: DatabaseData, 
+    organisationId: string
+  ): Promise<T | null> => {
+    validateOrganisationContext(organisationId);
+    
+    try {
+      const insertData = {
+        ...data,
+        organisation_id: organisationId
+      };
+      
+      const { data: result, error } = await supabase
+        .from(table)
+        .insert(insertData)
+        .select()
+        .single();
+      
+      if (error) {
+        throw error;
+      }
+      
+      return result;
+    } catch (error) {
+      throw error;
+    }
+  };
+
+  // Secure update with organisation context
+  const secureUpdate = async <T extends DatabaseRecord = DatabaseRecord>(
+    table: string, 
+    data: DatabaseData, 
+    filters: DatabaseFilters, 
+    organisationId: string
+  ): Promise<T | null> => {
+    validateOrganisationContext(organisationId);
+    
+    try {
+      let query = supabase
+        .from(table)
+        .update(data);
+      
+      // Add organisation filter (unless super admin)
+      if (!isSuperAdmin && ensureOrganisationColumn(table)) {
+        query = query.eq('organisation_id', organisationId);
+      }
+      
+      // Add additional filters
+      if (filters) {
+        Object.entries(filters).forEach(([key, value]) => {
+          if (value !== undefined && value !== null) {
+            query = query.eq(key, value);
+          }
+        });
+      }
+      
+      const { data: result, error } = await query.select().single();
+      
+      if (error) {
+        throw error;
+      }
+      
+      return result;
+    } catch (error) {
+      throw error;
+    }
+  };
+
+  // Secure delete with organisation context
+  const secureDelete = async (
+    table: string, 
+    filters: DatabaseFilters, 
+    organisationId: string
+  ): Promise<boolean> => {
+    validateOrganisationContext(organisationId);
+    
+    try {
+      let query = supabase
+        .from(table)
+        .delete();
+      
+      // Add organisation filter (unless super admin)
+      if (!isSuperAdmin && ensureOrganisationColumn(table)) {
+        query = query.eq('organisation_id', organisationId);
+      }
+      
+      // Add additional filters
+      if (filters) {
+        Object.entries(filters).forEach(([key, value]) => {
+          if (value !== undefined && value !== null) {
+            query = query.eq(key, value);
+          }
+        });
+      }
+      
+      const { error } = await query;
+      
+      if (error) {
+        throw error;
+      }
+      
+      return true;
+    } catch (error) {
+      throw error;
+    }
+  };
+
+  // Organisation-scoped query helper
+  const queryByOrganisation = async <T extends DatabaseRecord = DatabaseRecord>(
+    table: string, 
+    select: string, 
+    organisationId: string, 
+    filters?: DatabaseFilters
+  ): Promise<T[]> => {
+    return secureQuery<T>({
+      table,
+      select,
+      organisationId,
+      filters
+    });
+  };
+
+  return {
+    secureQuery,
+    secureSingleQuery,
+    secureInsert,
+    secureUpdate,
+    secureDelete,
+    queryByOrganisation,
+    validateOrganisationContext,
+    ensureOrganisationColumn
+  };
+};
+
+/**
+ * Hook for secure data access
+ * @returns Secure data access utilities
+ */
+export const useSecureDataAccess = (): SecureDataAccess => {
+  // This would typically get the context from providers
+  // For now, we'll create a placeholder that can be used with explicit parameters
+  throw new Error('useSecureDataAccess must be used with explicit parameters. Use createSecureDataAccess instead.');
+}; 

package/src/utils/secureErrors.ts

@@ -0,0 +1,79 @@
+/**
+ * @file Secure error handling utilities
+ */
+
+import { AuthError, AuthErrorCode, RequestId } from '../types/unified';
+
+export class SecureError extends Error {
+  public readonly code: AuthErrorCode;
+  public readonly statusCode: number;
+  public readonly userMessage: string;
+
+  constructor(message: string, code: AuthErrorCode, statusCode: number = 500, userMessage?: string) {
+    super(message);
+    this.name = 'SecureError';
+    this.code = code;
+    this.statusCode = statusCode;
+    this.userMessage = userMessage || message;
+  }
+}
+
+export function createSecureError(
+  message: string,
+  code: AuthErrorCode,
+  statusCode: number = 500,
+  userMessage?: string
+): SecureError {
+  return new SecureError(message, code, statusCode, userMessage);
+}
+
+export function convertToAuthError(error: SecureError | Error | unknown): AuthError {
+  if (error instanceof SecureError) {
+    return {
+      message: error.message,
+      code: error.code,
+      user_message: error.userMessage,
+      __isAuthError: true,
+      name: 'AuthError',
+      timestamp: Date.now()
+    };
+  }
+
+  if (error instanceof Error) {
+    return {
+      message: error.message,
+      code: AuthErrorCode.UNKNOWN_ERROR,
+      user_message: error.message,
+      __isAuthError: true,
+      name: 'AuthError',
+      timestamp: Date.now()
+    };
+  }
+
+  return {
+    message: 'Unknown error occurred',
+    code: AuthErrorCode.UNKNOWN_ERROR,
+    user_message: 'Unknown error occurred',
+    __isAuthError: true,
+    name: 'AuthError',
+    timestamp: Date.now()
+  };
+}
+
+export function isSecureError(error: unknown): error is SecureError {
+  return error instanceof SecureError;
+}
+
+export function sanitizeError(error: unknown): AuthError {
+  return convertToAuthError(error);
+}
+
+export function generateRequestId(): RequestId {
+  return `req_${Date.now()}_${Math.random().toString(36).substr(2, 9)}` as RequestId;
+}
+
+export function logSecurityEvent(event: string, details?: unknown): void {
+  // In production, this would send to a proper logging service
+  // For now, we'll log to console.warn for testing purposes
+  console.warn(`[SECURITY] ${event}`, details);
+}

package/src/utils/secureStorage.ts

@@ -0,0 +1,244 @@
+
+/**
+ * @file Secure Storage Utilities
+ * @description Encrypted storage wrapper for sensitive data
+ */
+
+export interface SecureStorageOptions {
+  encrypt?: boolean;
+  expiry?: number; // TTL in milliseconds
+}
+
+/**
+ * Secure storage implementation with encryption support
+ */
+class SecureStorageImpl {
+  private encryptionKey: CryptoKey | null = null;
+  private initialized = false;
+
+  /**
+   * Initialize secure storage with encryption
+   */
+  async init(): Promise<void> {
+    if (this.initialized) return;
+
+    try {
+      // Check if Web Crypto API is available
+      if (window.crypto && window.crypto.subtle) {
+        // Generate or retrieve encryption key
+        const keyData = localStorage.getItem('_sec_key');
+        if (keyData) {
+          try {
+            const keyBuffer = this.base64ToArrayBuffer(keyData);
+            this.encryptionKey = await window.crypto.subtle.importKey(
+              'raw',
+              keyBuffer,
+              { name: 'AES-GCM' },
+              false,
+              ['encrypt', 'decrypt']
+            );
+          } catch (error) {
+            await this.generateNewKey();
+          }
+        } else {
+          await this.generateNewKey();
+        }
+      }
+      this.initialized = true;
+    } catch (error) {
+      this.initialized = true;
+    }
+  }
+
+  /**
+   * Store item securely
+   */
+  async setItem(
+    key: string,
+    value: string,
+    options: SecureStorageOptions = {}
+  ): Promise<void> {
+    await this.init();
+
+    const data = {
+      value,
+      timestamp: Date.now(),
+      expiry: options.expiry ? Date.now() + options.expiry : undefined,
+    };
+
+    const serialized = JSON.stringify(data);
+    
+    if (options.encrypt && this.encryptionKey) {
+      try {
+        const encrypted = await this.encrypt(serialized);
+        localStorage.setItem(`_sec_${key}`, encrypted);
+        return;
+      } catch (error) {
+        // Silent fail - store as plain text
+      }
+    }
+
+    localStorage.setItem(key, serialized);
+  }
+
+  /**
+   * Retrieve item securely
+   */
+  async getItem(key: string): Promise<string | null> {
+    await this.init();
+
+    // Try encrypted storage first
+    const encryptedData = localStorage.getItem(`_sec_${key}`);
+    if (encryptedData && this.encryptionKey) {
+      try {
+        const decrypted = await this.decrypt(encryptedData);
+        const parsed = JSON.parse(decrypted);
+        
+        // Check expiry
+        if (parsed.expiry && Date.now() > parsed.expiry) {
+          await this.removeItem(key);
+          return null;
+        }
+        
+        return parsed.value;
+      } catch (error) {
+        // Silent fail - try plain storage
+      }
+    }
+
+    // Fallback to plain storage
+    const plainData = localStorage.getItem(key);
+    if (!plainData) return null;
+
+    try {
+      const parsed = JSON.parse(plainData);
+      
+      // Check expiry
+      if (parsed.expiry && Date.now() > parsed.expiry) {
+        await this.removeItem(key);
+        return null;
+      }
+      
+      return parsed.value || plainData;
+    } catch (error) {
+      // If parsing fails, return as-is (backward compatibility)
+      return plainData;
+    }
+  }
+
+  /**
+   * Remove item
+   */
+  async removeItem(key: string): Promise<void> {
+    localStorage.removeItem(key);
+    localStorage.removeItem(`_sec_${key}`);
+  }
+
+  /**
+   * Clear all secure storage
+   */
+  async clear(): Promise<void> {
+    const keys = Object.keys(localStorage);
+    for (const key of keys) {
+      if (key.startsWith('_sec_')) {
+        localStorage.removeItem(key);
+      }
+    }
+  }
+
+  /**
+   * Generate new encryption key
+   */
+  private async generateNewKey(): Promise<void> {
+    if (!window.crypto?.subtle) return;
+
+    try {
+      this.encryptionKey = await window.crypto.subtle.generateKey(
+        { name: 'AES-GCM', length: 256 },
+        true,
+        ['encrypt', 'decrypt']
+      );
+
+      // Export and store key
+      const exportedKey = await window.crypto.subtle.exportKey('raw', this.encryptionKey);
+      const keyData = this.arrayBufferToBase64(exportedKey);
+      localStorage.setItem('_sec_key', keyData);
+    } catch (error) {
+      // Silent fail - encryption not available
+    }
+  }
+
+  /**
+   * Encrypt data
+   */
+  private async encrypt(data: string): Promise<string> {
+    if (!this.encryptionKey || !window.crypto?.subtle) {
+      throw new Error('Encryption not available');
+    }
+
+    const encoder = new TextEncoder();
+    const dataBuffer = encoder.encode(data);
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: 'AES-GCM', iv },
+      this.encryptionKey,
+      dataBuffer
+    );
+
+    // Combine IV and encrypted data
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv);
+    combined.set(new Uint8Array(encrypted), iv.length);
+
+    return this.arrayBufferToBase64(combined.buffer);
+  }
+
+  /**
+   * Decrypt data
+   */
+  private async decrypt(encryptedData: string): Promise<string> {
+    if (!this.encryptionKey || !window.crypto?.subtle) {
+      throw new Error('Decryption not available');
+    }
+
+    const combined = this.base64ToArrayBuffer(encryptedData);
+    const iv = combined.slice(0, 12);
+    const encrypted = combined.slice(12);
+
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: 'AES-GCM', iv },
+      this.encryptionKey,
+      encrypted
+    );
+
+    const decoder = new TextDecoder();
+    return decoder.decode(decrypted);
+  }
+
+  /**
+   * Convert ArrayBuffer to base64
+   */
+  private arrayBufferToBase64(buffer: ArrayBuffer): string {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (let i = 0; i < bytes.byteLength; i++) {
+      binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+  }
+
+  /**
+   * Convert base64 to ArrayBuffer
+   */
+  private base64ToArrayBuffer(base64: string): ArrayBuffer {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+  }
+}
+
+export const secureStorage = new SecureStorageImpl();