@jmruthers/pace-core 0.5.181 → 0.5.182

package/src/rbac/hooks/useRBAC.ts

@@ -69,28 +69,7 @@ export function useRBAC(pageId?: string): UserRBACContext {
   // This prevents premature loading when appConfig hasn't loaded yet
   const requiresEvent = appConfig?.requires_event ?? (appConfig === null ? true : false);
   
-  // Only log hook initialization if user is authenticated to avoid noise during login
-  // Log hook initialization for debugging (use warn level so it's always visible)
-  // Also use direct console.log as fallback to ensure visibility
-  if (user && session) {
-    const hookInitLog = {
-      appName,
-      requiresEvent,
-      appConfig: appConfig ? JSON.stringify(appConfig) : 'null',
-      hasUser: !!user,
-      hasSession: !!session,
-      hasSelectedEvent: !!selectedEvent,
-      eventLoading,
-      selectedEventId: selectedEvent?.event_id,
-      hasSelectedOrganisation: !!selectedOrganisation,
-      organisationId: selectedOrganisation?.id,
-      orgContextReady,
-      orgLoading
-    };
-    logger.warn('[useRBAC] Hook initialized', hookInitLog);
-    // Direct console.log as fallback to ensure we can see if hook is called
-    console.warn('[useRBAC] Hook initialized (direct log)', hookInitLog);
-  }
+  // Removed excessive logging - hook initialization logged only on first mount or significant changes
 
   const [globalRole, setGlobalRole] = useState<GlobalRole | null>(null);
   const [organisationRole, setOrganisationRole] = useState<OrganisationRole | null>(null);
@@ -120,13 +99,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
     // This is critical - without organisation ID, RPC calls can't resolve permissions
     if (orgLoading || !orgContextReady || !selectedOrganisation?.id) {
       setIsLoading(true);
-      logger.warn('[useRBAC] Waiting for organisation context before loading RBAC context', {
-        orgLoading,
-        orgContextReady,
-        hasSelectedOrganisation: !!selectedOrganisation,
-        organisationId: selectedOrganisation?.id,
-        appName
-      });
       return;
     }
 
@@ -138,13 +110,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
         // This prevents premature RPC calls that can cause NetworkError
         // Set loading state so React knows we're waiting
         setIsLoading(true);
-        logger.warn('[useRBAC] Waiting for event context before loading RBAC context', {
-          eventLoading,
-          hasSelectedEvent: !!selectedEvent,
-          appName,
-          selectedEventId: selectedEvent?.event_id,
-          organisationId: selectedOrganisation?.id
-        });
         return;
       }
     }
@@ -152,7 +117,9 @@ export function useRBAC(pageId?: string): UserRBACContext {
     setIsLoading(true);
     setError(null);
 
-    logger.warn('[useRBAC] Loading RBAC context', {
+    // Only log at debug level - loading RBAC context is normal operation
+    // Changed from warn to debug to reduce console noise
+    logger.debug('[useRBAC] Loading RBAC context', {
       appName,
       requiresEvent,
       hasSelectedEvent: !!selectedEvent,
@@ -195,15 +162,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
         appId,
       };
       
-      // Log scope to verify it's built correctly
-      logger.warn('[useRBAC] Building scope for RBAC context', {
-        organisationId: scope.organisationId,
-        eventId: scope.eventId,
-        appId: scope.appId,
-        hasOrganisationId: !!scope.organisationId,
-        hasEventId: !!scope.eventId
-      });
-      
       setCurrentScope(scope);
 
       const [map, roleContext, accessLevel] = await Promise.all([
@@ -217,13 +175,15 @@ export function useRBAC(pageId?: string): UserRBACContext {
       setOrganisationRole(roleContext.organisationRole);
       setEventAppRole(roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel));
       
-      logger.warn('[useRBAC] RBAC context loaded successfully', {
-        appName,
-        permissionCount: Object.keys(map).length,
-        globalRole: roleContext.globalRole,
-        organisationRole: roleContext.organisationRole,
-        eventAppRole: roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel)
-      });
+      // Only log on first successful load or if there's an issue
+      const permissionCount = Object.keys(map).length;
+      if (permissionCount === 0) {
+        logger.warn('[useRBAC] RBAC context loaded but returned 0 permissions', {
+          appName,
+          organisationId: selectedOrganisation.id,
+          eventId: selectedEvent?.event_id
+        });
+      }
     } catch (err) {
       const handledError = err instanceof Error ? err : new Error('Failed to load RBAC context');
       logger.error('[useRBAC] Error loading RBAC context:', handledError);
@@ -260,20 +220,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
   const canManageEvent = useMemo(() => isSuperAdmin || eventAppRole === 'event_admin', [isSuperAdmin, eventAppRole]);
 
   useEffect(() => {
-    // Log when effect runs to help debug
-    logger.warn('[useRBAC] useEffect triggered - calling loadRBACContext', {
-      appName,
-      requiresEvent,
-      eventLoading,
-      hasSelectedEvent: !!selectedEvent,
-      selectedEventId: selectedEvent?.event_id,
-      hasUser: !!user,
-      hasSession: !!session,
-      hasSelectedOrganisation: !!selectedOrganisation,
-      organisationId: selectedOrganisation?.id,
-      orgContextReady,
-      orgLoading
-    });
     loadRBACContext();
   }, [loadRBACContext, appName, requiresEvent, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
 

package/src/rbac/hooks/useResolvedScope.ts

@@ -108,6 +108,17 @@ export function useResolvedScope({
     let cancelled = false;
     
     const resolveScope = async () => {
+      // OPTIMIZATION: If all inputs are null/undefined, immediately return empty scope
+      // This indicates pre-filtered mode where we don't need to resolve scope
+      if (!supabase && !selectedOrganisationId && !selectedEventId) {
+        if (!cancelled) {
+          setResolvedScope(null);
+          setIsLoading(false);
+          setError(null);
+        }
+        return;
+      }
+      
       setIsLoading(true);
       setError(null);
       

package/src/rbac/hooks/useSecureSupabase.ts

@@ -0,0 +1,308 @@
+/**
+ * @file Secure Supabase Client Hook
+ * @package @jmruthers/pace-core
+ * @module RBAC/Hooks
+ * @since 1.0.0
+ *
+ * React hook for getting a secure Supabase client with automatic context injection
+ * and caching to prevent multiple client instances.
+ *
+ * ## Overview
+ *
+ * This hook provides a secure Supabase client that automatically injects
+ * organisation and event context for all database operations, while preventing
+ * the creation of multiple Supabase client instances (which causes the
+ * "Multiple GoTrueClient instances" warning).
+ *
+ * ## Features
+ *
+ * - **Automatic Context Injection**: Organisation, event, and app context are
+ *   automatically injected into all database queries
+ * - **Client Instance Caching**: Prevents creating duplicate Supabase clients
+ *   for the same context, eliminating the "Multiple GoTrueClient instances" warning
+ * - **Automatic Fallback**: Falls back to base client when context is unavailable
+ * - **Type-Safe**: Full TypeScript support with proper type inference
+ *
+ * ## Usage
+ *
+ * ### Basic Usage
+ *
+ * ```tsx
+ * import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+ *
+ * function MyComponent() {
+ *   const supabase = useSecureSupabase();
+ *
+ *   if (!supabase) {
+ *     return <div>Loading context...</div>;
+ *   }
+ *
+ *   const fetchData = async () => {
+ *     const { data, error } = await supabase
+ *       .from('users')
+ *       .select('*');
+ *     // Organisation context is automatically injected
+ *   };
+ *
+ *   return <div>...</div>;
+ * }
+ * ```
+ *
+ * ### With Base Client Fallback
+ *
+ * ```tsx
+ * import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+ * import { supabase } from './lib/supabase';
+ *
+ * function MyComponent() {
+ *   // Provide base client as fallback
+ *   const secureSupabase = useSecureSupabase(supabase);
+ *
+ *   // secureSupabase will be the secure client when context is available,
+ *   // or the base client when context is unavailable
+ * }
+ * ```
+ *
+ * ## How It Works
+ *
+ * 1. **Context Resolution**: The hook uses `useResolvedScope` to get the current
+ *    organisation, event, and app context
+ * 2. **Client Caching**: Clients are cached by context key (organisationId-eventId-appId)
+ *    to prevent duplicate instances
+ * 3. **Automatic Injection**: The secure client automatically injects context headers
+ *    into all database operations
+ * 4. **Fallback Behavior**: When context is unavailable or event is loading, the hook
+ *    returns the base client (or null if no base client provided)
+ *
+ * ## Security
+ *
+ * - **Organisation Context Enforcement**: All queries automatically include organisation
+ *   context, preventing cross-organisation data access
+ * - **Event Context Injection**: Event context is automatically included when available
+ * - **App Context Support**: App context is included when resolved from scope
+ *
+ * ## Performance
+ *
+ * - **Client Instance Caching**: Prevents creating multiple Supabase clients for the
+ *   same context, reducing memory usage and eliminating the "Multiple GoTrueClient
+ *   instances" warning
+ * - **Cache Management**: Automatically cleans up old cache entries (keeps last 5)
+ *   to prevent memory leaks
+ * - **Stable References**: Returns stable client references to prevent unnecessary
+ *   re-renders in consuming components
+ *
+ * ## Requirements
+ *
+ * - Must be used within `UnifiedAuthProvider` context
+ * - Requires `useOrganisations` and `useEvents` hooks to be available
+ * - Environment variables `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY` must be set
+ *   (or `NEXT_PUBLIC_SUPABASE_URL` and `NEXT_PUBLIC_SUPABASE_ANON_KEY` for Next.js)
+ *
+ * ## See Also
+ *
+ * - {@link SecureSupabaseClient} - The underlying secure client class
+ * - {@link createSecureClient} - Function to create secure clients manually
+ * - {@link useResolvedScope} - Hook for resolving RBAC scope
+ *
+ * @security
+ * - Enforces organisation context on all queries
+ * - Prevents cross-organisation data access
+ * - Automatic context injection
+ *
+ * @performance
+ * - Client instance caching prevents duplicate creation
+ * - Reuses cached clients for same context
+ * - Automatic cache cleanup
+ */
+
+import { useMemo, useRef } from 'react';
+import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
+import { useOrganisations } from '../../hooks/useOrganisations';
+import { useEvents } from '../../hooks/useEvents';
+import { useResolvedScope } from './useResolvedScope';
+import { createSecureClient, SecureSupabaseClient } from '../secureClient';
+import type { Database } from '../../types/database';
+import type { SupabaseClient } from '@supabase/supabase-js';
+import { logger } from '../../utils/core/logger';
+
+// Cache secure clients by context to prevent creating multiple instances
+// This prevents the "Multiple GoTrueClient instances" warning
+const secureClientCache = new Map<string, SecureSupabaseClient>();
+
+// Maximum cache size to prevent memory leaks
+const MAX_CACHE_SIZE = 5;
+
+/**
+ * Get cache key for secure client based on context
+ */
+function getCacheKey(
+  organisationId: string,
+  eventId: string | undefined,
+  appId: string | undefined
+): string {
+  return `${organisationId}-${eventId || 'no-event'}-${appId || 'no-app'}`;
+}
+
+/**
+ * Get Supabase URL and key from environment
+ */
+function getSupabaseConfig(): { url: string; key: string } | null {
+  // Try to get from environment variables
+  const getEnvVar = (key: string): string | undefined => {
+    if (typeof import.meta !== 'undefined' && (import.meta as any).env) {
+      return (import.meta as any).env[key];
+    }
+    if (typeof process !== 'undefined' && process.env) {
+      return process.env[key];
+    }
+    return undefined;
+  };
+
+  const supabaseUrl = getEnvVar('VITE_SUPABASE_URL') || 
+                     getEnvVar('NEXT_PUBLIC_SUPABASE_URL') || 
+                     null;
+                     
+  const supabaseKey = getEnvVar('VITE_SUPABASE_ANON_KEY') || 
+                     getEnvVar('NEXT_PUBLIC_SUPABASE_ANON_KEY') || 
+                     null;
+
+  if (!supabaseUrl || !supabaseKey) {
+    return null;
+  }
+
+  return { url: supabaseUrl, key: supabaseKey };
+}
+
+/**
+ * Hook to get a secure Supabase client with automatic context injection
+ * 
+ * Returns a secure client when organisation context is available,
+ * otherwise returns null. The client automatically injects organisation
+ * and event context into all database operations.
+ * 
+ * Uses caching to prevent creating multiple Supabase client instances,
+ * which causes the "Multiple GoTrueClient instances" warning.
+ * 
+ * @param baseClient - Optional base Supabase client to use as fallback
+ * @returns Secure Supabase client or null if context is not available
+ * 
+ * @example
+ * ```tsx
+ * import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+ * 
+ * function MyComponent() {
+ *   const supabase = useSecureSupabase();
+ *   
+ *   if (!supabase) {
+ *     return <div>Loading context...</div>;
+ *   }
+ *   
+ *   // Use supabase client - organisation context is automatically injected
+ *   const { data } = await supabase.from('users').select('*');
+ * }
+ * ```
+ */
+export function useSecureSupabase(
+  baseClient?: SupabaseClient<Database> | null
+): SupabaseClient<Database> | null {
+  const { user, supabase: authSupabase } = useUnifiedAuth();
+  const { selectedOrganisation } = useOrganisations();
+  const eventsContext = useEvents();
+  const { selectedEvent } = eventsContext;
+  const eventLoading = 'eventLoading' in eventsContext ? eventsContext.eventLoading : false;
+
+  // Resolve scope to get appId
+  const { resolvedScope } = useResolvedScope({
+    supabase: authSupabase || null,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: selectedEvent?.event_id || null
+  });
+
+  // Track previous context to detect changes
+  const prevContextRef = useRef<{
+    organisationId: string | undefined;
+    eventId: string | undefined;
+    appId: string | undefined;
+  }>({
+    organisationId: undefined,
+    eventId: undefined,
+    appId: undefined
+  });
+
+  return useMemo(() => {
+    // If event is loading, return base client or null to avoid recreating client unnecessarily
+    if (eventLoading) {
+      return baseClient || authSupabase || null;
+    }
+    
+    // If we have organisation context, create or reuse a secure client
+    if (selectedOrganisation?.id && user?.id) {
+      const organisationId = selectedOrganisation.id;
+      const eventId = selectedEvent?.event_id;
+      
+      // Get appId from resolved scope if available
+      const appId = resolvedScope?.appId;
+
+      // Update previous context
+      prevContextRef.current = { organisationId, eventId, appId };
+
+      // Check cache first
+      const cacheKey = getCacheKey(organisationId, eventId, appId);
+      const cachedClient = secureClientCache.get(cacheKey);
+
+      if (cachedClient) {
+        // Reuse cached client - prevents creating multiple instances
+        return cachedClient.getClient();
+      }
+
+      // Get Supabase configuration
+      const config = getSupabaseConfig();
+      if (!config || !config.url || !config.key) {
+        logger.warn('useSecureSupabase', 'Missing Supabase environment variables. Falling back to base client.', {
+          note: 'Ensure VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY are set in your environment.'
+        });
+        return baseClient || authSupabase || null;
+      }
+
+      try {
+        const secureClient = createSecureClient(
+          config.url,
+          config.key,
+          organisationId as any, // organisationId is string, UUID is string alias
+          eventId,
+          appId as any // appId is string | undefined, UUID is string alias
+        );
+
+        // Cache the client for reuse
+        secureClientCache.set(cacheKey, secureClient);
+
+        // Clean up old cache entries to prevent memory leaks
+        if (secureClientCache.size > MAX_CACHE_SIZE) {
+          const firstKey = secureClientCache.keys().next().value;
+          if (firstKey) {
+            secureClientCache.delete(firstKey);
+          }
+        }
+
+        // Return the underlying client for compatibility
+        return secureClient.getClient();
+      } catch (error) {
+        logger.error('useSecureSupabase', 'Failed to create secure client', error);
+        // Fallback to base client
+        return baseClient || authSupabase || null;
+      }
+    }
+
+    // Fallback to base client when context is not available
+    return baseClient || authSupabase || null;
+  }, [
+    selectedOrganisation?.id,
+    selectedEvent?.event_id,
+    user?.id,
+    eventLoading,
+    resolvedScope?.appId,
+    baseClient,
+    authSupabase
+  ]);
+}
+

package/src/rbac/index.ts

@@ -27,6 +27,9 @@ export type {
   MissingUserContextError,
 } from './types';
 
+// Function types (RPC function parameters and results)
+export * from './types/functions';
+
 // Configuration
 export type {
   RBACConfig,

package/src/rbac/secureClient.ts

@@ -21,6 +21,7 @@ import { OrganisationContextRequiredError } from './types';
  */
 export class SecureSupabaseClient {
   private supabase: SupabaseClient<Database>;
+  private edgeFunctionClient: SupabaseClient<Database> | null = null;
   private supabaseUrl: string;
   private supabaseKey: string;
   private organisationId: UUID;
@@ -40,7 +41,9 @@ export class SecureSupabaseClient {
     this.eventId = eventId;
     this.appId = appId;
 
-    // Create the base Supabase client
+    // Create the base Supabase client with context headers
+    // Note: We'll override functions.invoke to exclude headers for Edge Functions
+    // as they may not have CORS configured to accept custom headers
     this.supabase = createClient<Database>(supabaseUrl, supabaseKey, {
       global: {
         headers: {
@@ -53,6 +56,10 @@ export class SecureSupabaseClient {
 
     // Override the auth methods to inject context
     this.setupContextInjection();
+    
+    // Override functions.invoke to exclude custom headers for Edge Functions
+    // Edge Functions may not have CORS configured to accept custom headers
+    this.setupEdgeFunctionHandling();
   }
 
   /**
@@ -61,11 +68,12 @@ export class SecureSupabaseClient {
   private setupContextInjection() {
     const originalFrom = this.supabase.from.bind(this.supabase);
     
-    this.supabase.from = (table: string) => {
+    (this.supabase as any).from = (table: string): any => {
       // Validate context before allowing any database operations
       this.validateContext();
       
-      const query = originalFrom(table);
+      // Type assertion needed because table is a string but Supabase expects specific table names
+      const query = originalFrom(table as any);
       
       // Inject organisation context into all queries
       return this.injectContext(query);
@@ -75,7 +83,8 @@ export class SecureSupabaseClient {
     
     // Override rpc method to inject context
     // Type assertion needed because we're wrapping the generic rpc method
-    (this.supabase as any).rpc = (fn: string, args?: any, options?: any) => {
+    // The fn parameter is typed as string to match Supabase's rpc signature
+    (this.supabase as any).rpc = (fn: string, args?: any, options?: any): any => {
       // Validate context before allowing any RPC calls
       this.validateContext();
       
@@ -87,10 +96,36 @@ export class SecureSupabaseClient {
         p_app_id: this.appId,
       };
       
-      return originalRpc(fn, contextArgs, options);
+      return originalRpc(fn as any, contextArgs, options);
     };
   }
 
+  /**
+   * Setup Edge Function handling to bypass custom headers
+   * Edge Functions may not have CORS configured to accept custom headers,
+   * so we create a separate client without custom headers for Edge Function calls
+   * 
+   * NOTE: We store the edge function client but don't override functions here.
+   * Instead, we provide a method to get the edge function client for direct use.
+   * This avoids interfering with the main client's operations.
+   */
+  private setupEdgeFunctionHandling() {
+    // Create a separate client without custom headers for Edge Functions
+    // This prevents CORS errors when Edge Functions don't accept custom headers
+    // Store it as an instance variable to avoid creating multiple clients
+    // We'll use this client directly for Edge Function calls instead of overriding
+    this.edgeFunctionClient = createClient<Database>(this.supabaseUrl, this.supabaseKey);
+  }
+
+  /**
+   * Get a client for Edge Function calls without custom headers
+   * Edge Functions may not have CORS configured to accept custom headers
+   * @returns Supabase client without custom headers for Edge Function calls
+   */
+  getEdgeFunctionClient(): SupabaseClient<Database> {
+    return this.edgeFunctionClient || this.supabase;
+  }
+
   /**
    * Inject organisation context into a query
    */
@@ -190,7 +225,19 @@ export class SecureSupabaseClient {
    * @internal
    */
   getClient(): SupabaseClient<Database> {
-    return this.supabase;
+    // Return a proxy that intercepts functions.invoke calls to use edge function client
+    // This avoids CORS issues with Edge Functions while keeping the main client intact
+    return new Proxy(this.supabase, {
+      get: (target, prop) => {
+        if (prop === 'functions' && this.edgeFunctionClient) {
+          // Return the edge function client's functions for invoke calls
+          // This bypasses custom headers that cause CORS errors
+          return this.edgeFunctionClient.functions;
+        }
+        // For all other properties, return the original
+        return (target as any)[prop];
+      }
+    }) as SupabaseClient<Database>;
   }
 }
 

package/src/rbac/security.ts

@@ -187,6 +187,9 @@ export class RBACSecurityValidator {
    * Log security event for monitoring
    * @param event - Security event details
    */
+  private static rateLimitWarningCount = new Map<UUID, { count: number; lastWarning: number }>();
+  private static readonly RATE_LIMIT_WARNING_THROTTLE_MS = 5000; // Only warn once per 5 seconds per user
+  
   static logSecurityEvent(event: {
     type:
       | 'permission_denied'
@@ -209,7 +212,40 @@ export class RBACSecurityValidator {
       severity: this.getEventSeverity(event.type),
     };
 
-    // Log security event - could be sent to security monitoring service in production
+    // Throttle rate limit warnings to prevent console flooding
+    if (event.type === 'rate_limit_exceeded') {
+      const now = Date.now();
+      const userWarning = this.rateLimitWarningCount.get(event.userId);
+      
+      if (userWarning) {
+        const timeSinceLastWarning = now - userWarning.lastWarning;
+        if (timeSinceLastWarning < this.RATE_LIMIT_WARNING_THROTTLE_MS) {
+          // Still within throttle window - increment count but don't log
+          userWarning.count++;
+          this.rateLimitWarningCount.set(event.userId, userWarning);
+          return; // Skip logging to prevent console flooding
+        } else {
+          // Throttle window expired - log with count and reset
+          log.warn('Security event (throttled):', {
+            ...securityEvent,
+            details: {
+              ...securityEvent.details,
+              suppressedWarnings: userWarning.count,
+              message: `Rate limit exceeded (${userWarning.count + 1} times in last ${Math.round(timeSinceLastWarning / 1000)}s)`
+            }
+          });
+          this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
+          return;
+        }
+      } else {
+        // First warning for this user - log it
+        this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
+        log.warn('Security event:', securityEvent);
+        return;
+      }
+    }
+
+    // Log other security events normally
     log.warn('Security event:', securityEvent);
 
     // TODO: Send to security monitoring service