@jmruthers/pace-core 0.5.181 → 0.5.182

package/src/utils/secureDataAccess.ts

@@ -1,377 +0,0 @@
-/**
- * @file Secure Data Access Utility
- * @package @jmruthers/pace-core
- * @module Utils/SecureDataAccess
- * @since 0.4.0
- *
- * Secure data access utilities that enforce organisation context for all database operations.
- * Prevents data leakage between organisations and ensures proper access validation.
- */
-
-import type { SupabaseClient } from '@supabase/supabase-js';
-
-// Generic database record type
-export interface DatabaseRecord {
-  id: string;
-  organisation_id: string;
-  [key: string]: unknown;
-}
-
-// Generic data for insert/update operations
-export interface DatabaseData {
-  [key: string]: unknown;
-}
-
-// Generic filters for queries
-export interface DatabaseFilters {
-  [key: string]: unknown;
-}
-
-// Secure query options
-export interface SecureQueryOptions {
-  table: string;
-  select: string;
-  organisationId: string;
-  filters?: DatabaseFilters;
-  orderBy?: string;
-  limit?: number;
-  offset?: number;
-}
-
-export interface SecureDataAccess {
-  // Secure query methods
-  secureQuery: <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions) => Promise<T[]>;
-  secureSingleQuery: <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions) => Promise<T | null>;
-  
-  // Secure mutation methods
-  secureInsert: <T extends DatabaseRecord = DatabaseRecord>(table: string, data: DatabaseData, organisationId: string) => Promise<T | null>;
-  secureUpdate: <T extends DatabaseRecord = DatabaseRecord>(table: string, data: DatabaseData, filters: DatabaseFilters, organisationId: string) => Promise<T | null>;
-  secureDelete: (table: string, filters: DatabaseFilters, organisationId: string) => Promise<boolean>;
-  
-  // Organisation-scoped queries
-  queryByOrganisation: <T extends DatabaseRecord = DatabaseRecord>(table: string, select: string, organisationId: string, filters?: DatabaseFilters) => Promise<T[]>;
-  
-  // Validation helpers
-  validateOrganisationContext: (organisationId: string) => void;
-  ensureOrganisationColumn: (table: string) => boolean;
-}
-
-export interface SecureQueryBuilder {
-  table: string;
-  select: string;
-  organisationId: string;
-  filters?: DatabaseFilters;
-  orderBy?: string;
-  limit?: number;
-  offset?: number;
-}
-
-/**
- * Create a secure data access instance
- * @param supabase - Supabase client instance
- * @param organisationId - Current organisation context
- * @param isSuperAdmin - Whether user has super admin privileges
- * @returns Secure data access utilities
- */
-export const createSecureDataAccess = (
-  supabase: SupabaseClient,
-  organisationId: string,
-  isSuperAdmin: boolean = false
-): SecureDataAccess => {
-  
-  // Validate organisation context
-  const validateOrganisationContext = (orgId: string): void => {
-    if (!orgId) {
-      throw new Error('Organisation context is required for secure data access');
-    }
-    
-    if (!isSuperAdmin && !orgId) {
-      throw new Error('Organisation context is mandatory for non-super admin users');
-    }
-  };
-
-  // Check if table has organisation_id column
-  const ensureOrganisationColumn = (table: string): boolean => {
-    // This is a simplified check - in production you might want to cache this
-    const tablesWithOrganisation = [
-      'event',  'organisation_settings',
-      'rbac_event_app_roles', 'rbac_organisation_roles',
-      // SECURITY: Phase 2 additions - complete organisation table mapping
-      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',
-      // SECURITY: Emergency additions for Phase 1 fixes
-      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',
-      // SECURITY: Phase 3A additions - medical and personal data
-      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',
-      'pace_consent', 'pace_contact', 'pace_id_documents', 'pace_qualifications',
-      'form_responses', 'form_response_values', 'forms',
-      // SECURITY: Phase 3B additions - remaining critical tables
-      'invoice', 'line_item', 'credit_balance', 'payment_method',
-      'form_contexts', 'form_field_config', 'form_fields',
-      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', 
-      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', 
-      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'
-    ];
-    
-    return tablesWithOrganisation.includes(table);
-  };
-
-  // Build secure query with organisation context
-  const buildSecureQuery = (options: SecureQueryBuilder) => {
-    const { table, select, organisationId: orgId, filters, orderBy, limit, offset } = options;
-    
-    validateOrganisationContext(orgId);
-    
-    let query = supabase
-      .from(table)
-      .select(select);
-    
-    // Add organisation filter (unless super admin)
-    if (!isSuperAdmin && ensureOrganisationColumn(table)) {
-      query = query.eq('organisation_id', orgId);
-    }
-    
-    // Add additional filters
-    if (filters) {
-      Object.entries(filters).forEach(([key, value]) => {
-        if (value !== undefined && value !== null) {
-          // Handle qualified column names (e.g., 'users.role')
-          const columnName = key.includes('.') ? key.split('.').pop()! : key;
-          query = query.eq(columnName, value);
-        }
-      });
-    }
-    
-    // Add ordering
-    if (orderBy) {
-      // Only use the column name, not a qualified name
-      const orderByColumn = orderBy.split('.').pop();
-      if (orderByColumn) {
-        query = query.order(orderByColumn);
-      }
-    }
-    
-    // Add pagination
-    if (limit) {
-      query = query.limit(limit);
-    }
-    
-    if (offset) {
-      query = query.range(offset, offset + (limit || 10) - 1);
-    }
-    
-    return query;
-  };
-
-  // Secure query for multiple results
-  const secureQuery = async <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions): Promise<T[]> => {
-    const { table, select, organisationId: orgId, filters, orderBy, limit, offset } = options;
-    
-    try {
-      const query = buildSecureQuery({
-        table,
-        select,
-        organisationId: orgId,
-        filters,
-        orderBy,
-        limit,
-        offset
-      });
-      
-      const { data, error } = await query;
-      
-      if (error) {
-        throw error;
-      }
-      
-      // Ensure data is an array and not an error type
-      if (Array.isArray(data)) {
-        return data as unknown as T[];
-      }
-      
-      return [];
-    } catch (error) {
-      throw error;
-    }
-  };
-
-  // Secure query for single result
-  const secureSingleQuery = async <T extends DatabaseRecord = DatabaseRecord>(options: SecureQueryOptions): Promise<T | null> => {
-    const { table, select, organisationId: orgId, filters, orderBy, limit, offset } = options;
-    
-    try {
-      const query = buildSecureQuery({
-        table,
-        select,
-        organisationId: orgId,
-        filters,
-        orderBy,
-        limit,
-        offset
-      });
-      
-      const { data, error } = await query.single();
-      
-      if (error) {
-        if (error.code === 'PGRST116') {
-          // No rows returned
-          return null;
-        }
-        throw error;
-      }
-      
-      // Ensure data is not an error type
-      if (data && typeof data === 'object' && !('code' in data)) {
-        return data as unknown as T;
-      }
-      
-      return null;
-    } catch (error) {
-      throw error;
-    }
-  };
-
-  // Secure insert with organisation context
-  const secureInsert = async <T extends DatabaseRecord = DatabaseRecord>(
-    table: string, 
-    data: DatabaseData, 
-    organisationId: string
-  ): Promise<T | null> => {
-    validateOrganisationContext(organisationId);
-    
-    try {
-      const insertData = {
-        ...data,
-        organisation_id: organisationId
-      };
-      
-      const { data: result, error } = await supabase
-        .from(table)
-        .insert(insertData)
-        .select()
-        .single();
-      
-      if (error) {
-        throw error;
-      }
-      
-      return result;
-    } catch (error) {
-      throw error;
-    }
-  };
-
-  // Secure update with organisation context
-  const secureUpdate = async <T extends DatabaseRecord = DatabaseRecord>(
-    table: string, 
-    data: DatabaseData, 
-    filters: DatabaseFilters, 
-    organisationId: string
-  ): Promise<T | null> => {
-    validateOrganisationContext(organisationId);
-    
-    try {
-      let query = supabase
-        .from(table)
-        .update(data);
-      
-      // Add organisation filter (unless super admin)
-      if (!isSuperAdmin && ensureOrganisationColumn(table)) {
-        query = query.eq('organisation_id', organisationId);
-      }
-      
-      // Add additional filters
-      if (filters) {
-        Object.entries(filters).forEach(([key, value]) => {
-          if (value !== undefined && value !== null) {
-            query = query.eq(key, value);
-          }
-        });
-      }
-      
-      const { data: result, error } = await query.select().single();
-      
-      if (error) {
-        throw error;
-      }
-      
-      return result;
-    } catch (error) {
-      throw error;
-    }
-  };
-
-  // Secure delete with organisation context
-  const secureDelete = async (
-    table: string, 
-    filters: DatabaseFilters, 
-    organisationId: string
-  ): Promise<boolean> => {
-    validateOrganisationContext(organisationId);
-    
-    try {
-      let query = supabase
-        .from(table)
-        .delete();
-      
-      // Add organisation filter (unless super admin)
-      if (!isSuperAdmin && ensureOrganisationColumn(table)) {
-        query = query.eq('organisation_id', organisationId);
-      }
-      
-      // Add additional filters
-      if (filters) {
-        Object.entries(filters).forEach(([key, value]) => {
-          if (value !== undefined && value !== null) {
-            query = query.eq(key, value);
-          }
-        });
-      }
-      
-      const { error } = await query;
-      
-      if (error) {
-        throw error;
-      }
-      
-      return true;
-    } catch (error) {
-      throw error;
-    }
-  };
-
-  // Organisation-scoped query helper
-  const queryByOrganisation = async <T extends DatabaseRecord = DatabaseRecord>(
-    table: string, 
-    select: string, 
-    organisationId: string, 
-    filters?: DatabaseFilters
-  ): Promise<T[]> => {
-    return secureQuery<T>({
-      table,
-      select,
-      organisationId,
-      filters
-    });
-  };
-
-  return {
-    secureQuery,
-    secureSingleQuery,
-    secureInsert,
-    secureUpdate,
-    secureDelete,
-    queryByOrganisation,
-    validateOrganisationContext,
-    ensureOrganisationColumn
-  };
-};
-
-/**
- * Hook for secure data access
- * @returns Secure data access utilities
- */
-export const useSecureDataAccess = (): SecureDataAccess => {
-  // This would typically get the context from providers
-  // For now, we'll create a placeholder that can be used with explicit parameters
-  throw new Error('useSecureDataAccess must be used with explicit parameters. Use createSecureDataAccess instead.');
-}; 

package/src/utils/secureErrors.ts

@@ -1,79 +0,0 @@
-/**
- * @file Secure error handling utilities
- */
-
-import { AuthError, AuthErrorCode, RequestId } from '../types/unified';
-
-export class SecureError extends Error {
-  public readonly code: AuthErrorCode;
-  public readonly statusCode: number;
-  public readonly userMessage: string;
-
-  constructor(message: string, code: AuthErrorCode, statusCode: number = 500, userMessage?: string) {
-    super(message);
-    this.name = 'SecureError';
-    this.code = code;
-    this.statusCode = statusCode;
-    this.userMessage = userMessage || message;
-  }
-}
-
-export function createSecureError(
-  message: string,
-  code: AuthErrorCode,
-  statusCode: number = 500,
-  userMessage?: string
-): SecureError {
-  return new SecureError(message, code, statusCode, userMessage);
-}
-
-export function convertToAuthError(error: SecureError | Error | unknown): AuthError {
-  if (error instanceof SecureError) {
-    return {
-      message: error.message,
-      code: error.code,
-      user_message: error.userMessage,
-      __isAuthError: true,
-      name: 'AuthError',
-      timestamp: Date.now()
-    };
-  }
-
-  if (error instanceof Error) {
-    return {
-      message: error.message,
-      code: AuthErrorCode.UNKNOWN_ERROR,
-      user_message: error.message,
-      __isAuthError: true,
-      name: 'AuthError',
-      timestamp: Date.now()
-    };
-  }
-
-  return {
-    message: 'Unknown error occurred',
-    code: AuthErrorCode.UNKNOWN_ERROR,
-    user_message: 'Unknown error occurred',
-    __isAuthError: true,
-    name: 'AuthError',
-    timestamp: Date.now()
-  };
-}
-
-export function isSecureError(error: unknown): error is SecureError {
-  return error instanceof SecureError;
-}
-
-export function sanitizeError(error: unknown): AuthError {
-  return convertToAuthError(error);
-}
-
-export function generateRequestId(): RequestId {
-  return `req_${Date.now()}_${Math.random().toString(36).substr(2, 9)}` as RequestId;
-}
-
-export function logSecurityEvent(event: string, details?: unknown): void {
-  // In production, this would send to a proper logging service
-  // For now, we'll log to console.warn for testing purposes
-  console.warn(`[SECURITY] ${event}`, details);
-}

package/src/utils/security.ts

@@ -1,156 +0,0 @@
-
-import type { SupabaseClient } from '@supabase/supabase-js';
-
-export interface SecurityEvent {
-  type: string;
-  timestamp: Date;
-  userId?: string;
-  details: Record<string, unknown>;
-}
-
-export function logSecurityEvent(event: SecurityEvent): void {
-  // In production, this should log to your security monitoring system
-  // For now, we'll log to console.warn for testing purposes
-  console.warn('[SECURITY EVENT]', {
-    ...event,
-    timestamp: event.timestamp.toISOString()
-  });
-}
-
-export function validateUserSession(userId: string, sessionToken?: string): Promise<boolean> {
-  // Mock implementation - replace with actual session validation
-  if (!userId || typeof userId !== 'string') {
-    logSecurityEvent({
-      type: 'invalid_session_validation',
-      timestamp: new Date(),
-      details: { reason: 'Invalid userId provided' }
-    });
-    return Promise.resolve(false);
-  }
-  
-  if (sessionToken && sessionToken.length < 10) {
-    logSecurityEvent({
-      type: 'suspicious_session_token',
-      timestamp: new Date(),
-      userId,
-      details: { reason: 'Session token too short' }
-    });
-    return Promise.resolve(false);
-  }
-  
-  return Promise.resolve(true);
-}
-
-export function createSecureSession(
-  _supabaseClient: SupabaseClient,
-  sessionData: { userId: string; deviceFingerprint?: string }
-): Promise<string> {
-  // Mock implementation - in production, create actual secure session
-  const sessionId = `sess_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
-  
-  logSecurityEvent({
-    type: 'session_created',
-    timestamp: new Date(),
-    userId: sessionData.userId,
-    details: { 
-      sessionId,
-      hasDeviceFingerprint: !!sessionData.deviceFingerprint
-    }
-  });
-  
-  return Promise.resolve(sessionId);
-}
-
-export function invalidateSession(
-  _supabaseClient: SupabaseClient,
-  sessionId: string
-): Promise<void> {
-  // Mock implementation - in production, invalidate actual session
-  logSecurityEvent({
-    type: 'session_invalidated',
-    timestamp: new Date(),
-    details: { sessionId }
-  });
-  
-  return Promise.resolve();
-}
-
-export function getSecurityHeaders(): Record<string, string> {
-  return {
-    'X-Content-Type-Options': 'nosniff',
-    'X-Frame-Options': 'DENY',
-    'X-XSS-Protection': '1; mode=block',
-    'Referrer-Policy': 'strict-origin-when-cross-origin',
-    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
-  };
-}
-
-export function validateSecurityHeaders(headers: Record<string, string>): boolean {
-  const requiredHeaders = ['X-Content-Type-Options', 'X-Frame-Options'];
-  const missingHeaders = requiredHeaders.filter(header => !headers[header]);
-  
-  if (missingHeaders.length > 0) {
-    logSecurityEvent({
-      type: 'missing_security_headers',
-      timestamp: new Date(),
-      details: { missingHeaders }
-    });
-    return false;
-  }
-  
-  return true;
-}
-
-export function generateDeviceFingerprint(): string {
-  // Basic device fingerprinting - in production, use more sophisticated methods
-  const canvas = document.createElement('canvas');
-  const ctx = canvas.getContext('2d');
-  if (ctx) {
-    ctx.textBaseline = 'top';
-    ctx.font = '14px Arial';
-    ctx.fillText('Device fingerprint', 2, 2);
-  }
-  
-  const fingerprint = [
-    navigator.userAgent,
-    navigator.language,
-    screen.width + 'x' + screen.height,
-    new Date().getTimezoneOffset(),
-    canvas.toDataURL()
-  ].join('|');
-  
-  // Simple hash function for demonstration
-  let hash = 0;
-  for (let i = 0; i < fingerprint.length; i++) {
-    const char = fingerprint.charCodeAt(i);
-    hash = ((hash << 5) - hash) + char;
-    hash = hash & hash; // Convert to 32-bit integer
-  }
-  
-  return Math.abs(hash).toString(16);
-}
-
-export function validateDeviceFingerprint(fingerprint: string, expectedFingerprint?: string): boolean {
-  if (!fingerprint || typeof fingerprint !== 'string') {
-    logSecurityEvent({
-      type: 'invalid_device_fingerprint',
-      timestamp: new Date(),
-      details: { reason: 'Invalid fingerprint format' }
-    });
-    return false;
-  }
-  
-  if (expectedFingerprint && fingerprint !== expectedFingerprint) {
-    logSecurityEvent({
-      type: 'device_fingerprint_mismatch',
-      timestamp: new Date(),
-      details: { 
-        provided: fingerprint,
-        expected: expectedFingerprint
-      }
-    });
-    return false;
-  }
-  
-  return true;
-}

package/src/utils/securityMonitor.ts

@@ -1,45 +0,0 @@
-
-interface SecurityEvent {
-  id?: string;
-  action: string;
-  details: Record<string, any>;
-  timestamp?: number;
-}
-
-interface SecurityAlert {
-  id: string;
-  type: string;
-  message: string;
-  timestamp: Date;
-}
-
-class SecurityMonitor {
-  private events: SecurityEvent[] = [];
-
-  logEvent(event: SecurityEvent) {
-    const eventWithId = {
-      ...event,
-      id: Math.random().toString(36).substr(2, 9),
-      timestamp: Date.now()
-    };
-    this.events.push(eventWithId);
-  }
-
-  getEvents(): SecurityEvent[] {
-    return [...this.events];
-  }
-
-  clearEvents() {
-    this.events = [];
-  }
-
-  createAlert(alert: Omit<SecurityAlert, 'id' | 'timestamp'>): SecurityAlert {
-    return {
-      ...alert,
-      id: Math.random().toString(36).substr(2, 9),
-      timestamp: new Date()
-    };
-  }
-}
-
-export const securityMonitor = new SecurityMonitor();