@jmruthers/pace-core 0.5.181 → 0.5.183

package/src/rbac/secureClient.ts

@@ -21,6 +21,7 @@ import { OrganisationContextRequiredError } from './types';
  */
 export class SecureSupabaseClient {
   private supabase: SupabaseClient<Database>;
+  private edgeFunctionClient: SupabaseClient<Database> | null = null;
   private supabaseUrl: string;
   private supabaseKey: string;
   private organisationId: UUID;
@@ -40,7 +41,9 @@ export class SecureSupabaseClient {
     this.eventId = eventId;
     this.appId = appId;
 
-    // Create the base Supabase client
+    // Create the base Supabase client with context headers
+    // Note: We'll override functions.invoke to exclude headers for Edge Functions
+    // as they may not have CORS configured to accept custom headers
     this.supabase = createClient<Database>(supabaseUrl, supabaseKey, {
       global: {
         headers: {
@@ -53,6 +56,10 @@ export class SecureSupabaseClient {
 
     // Override the auth methods to inject context
     this.setupContextInjection();
+    
+    // Override functions.invoke to exclude custom headers for Edge Functions
+    // Edge Functions may not have CORS configured to accept custom headers
+    this.setupEdgeFunctionHandling();
   }
 
   /**
@@ -61,11 +68,12 @@ export class SecureSupabaseClient {
   private setupContextInjection() {
     const originalFrom = this.supabase.from.bind(this.supabase);
     
-    this.supabase.from = (table: string) => {
+    (this.supabase as any).from = (table: string): any => {
       // Validate context before allowing any database operations
       this.validateContext();
       
-      const query = originalFrom(table);
+      // Type assertion needed because table is a string but Supabase expects specific table names
+      const query = originalFrom(table as any);
       
       // Inject organisation context into all queries
       return this.injectContext(query);
@@ -75,7 +83,8 @@ export class SecureSupabaseClient {
     
     // Override rpc method to inject context
     // Type assertion needed because we're wrapping the generic rpc method
-    (this.supabase as any).rpc = (fn: string, args?: any, options?: any) => {
+    // The fn parameter is typed as string to match Supabase's rpc signature
+    (this.supabase as any).rpc = (fn: string, args?: any, options?: any): any => {
       // Validate context before allowing any RPC calls
       this.validateContext();
       
@@ -87,10 +96,36 @@ export class SecureSupabaseClient {
         p_app_id: this.appId,
       };
       
-      return originalRpc(fn, contextArgs, options);
+      return originalRpc(fn as any, contextArgs, options);
     };
   }
 
+  /**
+   * Setup Edge Function handling to bypass custom headers
+   * Edge Functions may not have CORS configured to accept custom headers,
+   * so we create a separate client without custom headers for Edge Function calls
+   * 
+   * NOTE: We store the edge function client but don't override functions here.
+   * Instead, we provide a method to get the edge function client for direct use.
+   * This avoids interfering with the main client's operations.
+   */
+  private setupEdgeFunctionHandling() {
+    // Create a separate client without custom headers for Edge Functions
+    // This prevents CORS errors when Edge Functions don't accept custom headers
+    // Store it as an instance variable to avoid creating multiple clients
+    // We'll use this client directly for Edge Function calls instead of overriding
+    this.edgeFunctionClient = createClient<Database>(this.supabaseUrl, this.supabaseKey);
+  }
+
+  /**
+   * Get a client for Edge Function calls without custom headers
+   * Edge Functions may not have CORS configured to accept custom headers
+   * @returns Supabase client without custom headers for Edge Function calls
+   */
+  getEdgeFunctionClient(): SupabaseClient<Database> {
+    return this.edgeFunctionClient || this.supabase;
+  }
+
   /**
    * Inject organisation context into a query
    */
@@ -190,7 +225,19 @@ export class SecureSupabaseClient {
    * @internal
    */
   getClient(): SupabaseClient<Database> {
-    return this.supabase;
+    // Return a proxy that intercepts functions.invoke calls to use edge function client
+    // This avoids CORS issues with Edge Functions while keeping the main client intact
+    return new Proxy(this.supabase, {
+      get: (target, prop) => {
+        if (prop === 'functions' && this.edgeFunctionClient) {
+          // Return the edge function client's functions for invoke calls
+          // This bypasses custom headers that cause CORS errors
+          return this.edgeFunctionClient.functions;
+        }
+        // For all other properties, return the original
+        return (target as any)[prop];
+      }
+    }) as SupabaseClient<Database>;
   }
 }
 

package/src/rbac/security.ts

@@ -187,6 +187,9 @@ export class RBACSecurityValidator {
    * Log security event for monitoring
    * @param event - Security event details
    */
+  private static rateLimitWarningCount = new Map<UUID, { count: number; lastWarning: number }>();
+  private static readonly RATE_LIMIT_WARNING_THROTTLE_MS = 5000; // Only warn once per 5 seconds per user
+  
   static logSecurityEvent(event: {
     type:
       | 'permission_denied'
@@ -209,7 +212,40 @@ export class RBACSecurityValidator {
       severity: this.getEventSeverity(event.type),
     };
 
-    // Log security event - could be sent to security monitoring service in production
+    // Throttle rate limit warnings to prevent console flooding
+    if (event.type === 'rate_limit_exceeded') {
+      const now = Date.now();
+      const userWarning = this.rateLimitWarningCount.get(event.userId);
+      
+      if (userWarning) {
+        const timeSinceLastWarning = now - userWarning.lastWarning;
+        if (timeSinceLastWarning < this.RATE_LIMIT_WARNING_THROTTLE_MS) {
+          // Still within throttle window - increment count but don't log
+          userWarning.count++;
+          this.rateLimitWarningCount.set(event.userId, userWarning);
+          return; // Skip logging to prevent console flooding
+        } else {
+          // Throttle window expired - log with count and reset
+          log.warn('Security event (throttled):', {
+            ...securityEvent,
+            details: {
+              ...securityEvent.details,
+              suppressedWarnings: userWarning.count,
+              message: `Rate limit exceeded (${userWarning.count + 1} times in last ${Math.round(timeSinceLastWarning / 1000)}s)`
+            }
+          });
+          this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
+          return;
+        }
+      } else {
+        // First warning for this user - log it
+        this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
+        log.warn('Security event:', securityEvent);
+        return;
+      }
+    }
+
+    // Log other security events normally
     log.warn('Security event:', securityEvent);
 
     // TODO: Send to security monitoring service

package/src/{types/rbac-functions.ts → rbac/types/functions.ts}

@@ -1,25 +1,27 @@
 /**
  * @file RBAC Function Types
  * @package @jmruthers/pace-core
- * @module RBAC/Types
+ * @module RBAC/Types/Functions
  * @since 1.0.0
  * 
- * TypeScript types for standardized RBAC functions.
+ * TypeScript types for standardized RBAC RPC functions.
+ * These types define the parameters and return types for database RPC functions.
  */
 
-import { UUID } from '../rbac/types';
+import type { UUID, Operation } from '../types';
+import type { AppId, PageId } from '../../types/core';
 
 // ============================================================================
 // PERMISSION CHECKING FUNCTION TYPES
 // ============================================================================
 
 export interface RBACPermissionCheckParams {
-  p_operation: string;
+  p_operation: Operation;
   p_page_name: string;
   p_user_id?: UUID;
   p_organisation_id?: UUID;
   p_event_id?: string;
-  p_app_id?: UUID;
+  p_app_id?: AppId | UUID;
 }
 
 export interface RBACPermissionCheckResult {
@@ -33,8 +35,8 @@ export interface RBACPermissionsGetParams {
   p_user_id: UUID; // REQUIRED - no default, must be explicitly provided
   p_organisation_id?: UUID;
   p_event_id?: string;
-  p_app_id?: UUID;
-  p_page_id?: UUID;
+  p_app_id?: AppId | UUID;
+  p_page_id?: PageId | UUID;
 }
 
 export interface RBACPermissionsGetResult {
@@ -49,19 +51,19 @@ export interface RBACAccessValidateParams {
   p_resource_type: 'organisation' | 'event';
   p_resource_id: string;
   p_user_id?: UUID;
-  p_operation?: string;
+  p_operation?: Operation;
 }
 
 export interface RBACAccessValidateResult {
   has_access: boolean;
-  access_level: 'super_admin' | 'organisation' | 'event' | 'none';
+  access_level: AccessLevelContext;
   context_id: string | null;
 }
 
 export interface RBACPageAccessCheckParams {
-  p_app_id: UUID;
-  p_page_id: string;
-  p_operation: string;
+  p_app_id: AppId | UUID;
+  p_page_id: PageId | UUID;
+  p_operation: Operation;
   p_user_id?: UUID;
   p_event_id?: string;
   p_organisation_id?: UUID;
@@ -105,7 +107,7 @@ export interface RBACRolesListParams {
   p_user_id?: UUID;
   p_organisation_id?: UUID;
   p_event_id?: string;
-  p_app_id?: UUID;
+  p_app_id?: AppId | UUID;
 }
 
 export interface RBACRolesListResult {
@@ -140,7 +142,7 @@ export interface RBACSessionTrackParams {
   p_user_id?: UUID;
   p_session_type?: 'web' | 'mobile' | 'api' | 'admin';
   p_event_id?: string;
-  p_app_id?: UUID;
+  p_app_id?: AppId | UUID;
   p_ip_address?: string;
   p_user_agent?: string;
 }
@@ -157,7 +159,7 @@ export interface RBACAuditLogParams {
   p_user_id?: UUID;
   p_organisation_id?: UUID;
   p_permission?: string;
-  p_metadata?: Record<string, any>;
+  p_metadata?: Record<string, unknown>;
   p_ip_address?: string;
   p_user_agent?: string;
 }
@@ -218,23 +220,20 @@ export enum RBACErrorCode {
   GRANTED_BY_NOT_FOUND = 'GRANTED_BY_NOT_FOUND',
 }
 
-// ============================================================================
-// ROLE TYPES
-// ============================================================================
-
-export type GlobalRole = 'super_admin';
-export type OrganisationRole = 'supporter' | 'member' | 'leader' | 'org_admin';
-export type EventAppRole = 'viewer' | 'participant' | 'planner' | 'event_admin';
-
-export type RBACRole = GlobalRole | OrganisationRole | EventAppRole;
-
 // ============================================================================
 // PERMISSION TYPES
 // ============================================================================
 
-export type PermissionOperation = 'read' | 'create' | 'update' | 'delete';
+/**
+ * Permission source indicates where a permission was granted from
+ */
 export type PermissionSource = 'global' | 'organisation' | 'event_app' | 'default' | 'none';
-export type AccessLevel = 'super_admin' | 'organisation' | 'event' | 'none';
+
+/**
+ * Access level context for RPC functions (different from RBAC AccessLevel)
+ * Indicates the scope/context of access validation
+ */
+export type AccessLevelContext = 'super_admin' | 'organisation' | 'event' | 'none';
 
 // ============================================================================
 // SESSION TYPES
@@ -268,10 +267,10 @@ export interface RBACContext {
   user_id: UUID;
   organisation_id?: UUID;
   event_id?: string;
-  app_id?: UUID;
+  app_id?: AppId | UUID;
 }
 
-export interface RBACResult<T = any> {
+export interface RBACResult<T = unknown> {
   success: boolean;
   data?: T;
   error?: string;
@@ -284,8 +283,9 @@ export interface RBACResult<T = any> {
 
 export type RBACFunctionResponse<T> = {
   data: T | null;
-  error: any | null;
+  error: unknown | null;
   count?: number | null;
   status: number;
   statusText: string;
 };
+

package/src/rbac/types.ts

@@ -9,6 +9,7 @@
  */
 
 import type React from 'react';
+import type { AppId, PageId } from '../types/core';
 
 // ============================================================================
 // CORE TYPES
@@ -30,14 +31,14 @@ export type AccessLevel =
 export type Scope = {
   organisationId?: UUID;
   eventId?: string; // event_id is text/varchar
-  appId?: UUID;
+  appId?: AppId | UUID;
 };
 
 export type PermissionCheck = {
   userId: UUID;
   scope: Scope;
   permission: Permission;
-  pageId?: UUID | string;
+  pageId?: PageId | UUID;
 };
 
 export type PermissionMap = Record<Permission, boolean> & Partial<Record<'*', boolean>>;

package/src/services/AuthService.ts

@@ -8,19 +8,27 @@
  * Handles user authentication, session management, and auth-related operations.
  */
 
-import { type SupabaseClient, type User, type Session, AuthError } from '@supabase/supabase-js';
+import { type SupabaseClient, type User, type Session, AuthError, type AuthChangeEvent, type Session as SupabaseSession } from '@supabase/supabase-js';
 import type { SessionRestorationState } from '../types/auth';
 import { BaseService } from './base/BaseService';
 import { IAuthService, AuthResult } from './interfaces/IAuthService';
 import { logger } from '../utils/core/logger';
 
+type AuthStateSubscription = {
+  data: {
+    subscription: {
+      unsubscribe: () => void;
+    };
+  };
+};
+
 export class AuthService extends BaseService implements IAuthService {
   private user: User | null = null;
   private session: Session | null = null;
   private authLoading = false;
   private authError: AuthError | null = null;
   private supabaseClient: SupabaseClient | null = null;
-  private authStateSubscription: any = null;
+  private authStateSubscription: { unsubscribe: () => void } | null = null;
   private sessionRestorationState: SessionRestorationState = {
     isRestoring: false,
     restorationComplete: false,
@@ -30,6 +38,8 @@ export class AuthService extends BaseService implements IAuthService {
   private readonly restorationTimeoutMs = 5000;
   private restorationStartTime: number | null = null;
   private appName: string | undefined = undefined;
+  private errorHandler: ((event: ErrorEvent) => void) | null = null;
+  private unhandledRejectionHandler: ((event: PromiseRejectionEvent) => void) | null = null;
 
   constructor(supabaseClient: SupabaseClient, appName?: string) {
     super();
@@ -294,7 +304,7 @@ export class AuthService extends BaseService implements IAuthService {
   }
 
   cleanup(): void {
-    if (this.authStateSubscription && typeof this.authStateSubscription.unsubscribe === 'function') {
+    if (this.authStateSubscription) {
       this.authStateSubscription.unsubscribe();
       this.authStateSubscription = null;
     }
@@ -328,7 +338,6 @@ export class AuthService extends BaseService implements IAuthService {
     };
     this.authLoading = true;
     this.restorationStartTime = Date.now();
-    logger.debug('AuthService', 'Starting session restoration at', this.restorationStartTime);
     this.notify();
 
     this.restorationTimeoutId = setTimeout(() => {
@@ -357,9 +366,7 @@ export class AuthService extends BaseService implements IAuthService {
     this.authLoading = false;
 
     if (error) {
-      logger.warn('AuthService', 'Session restoration finished with error:', error, 'duration(ms):', duration ?? 'unknown');
-    } else {
-      logger.debug('AuthService', 'Session restoration completed successfully in', duration ?? 'unknown', 'ms');
+      logger.warn('AuthService', 'Session restoration finished with error:', error);
     }
 
     this.notify();
@@ -380,10 +387,9 @@ export class AuthService extends BaseService implements IAuthService {
     }
 
     try {
-      this.authStateSubscription = this.supabaseClient.auth.onAuthStateChange(
-        (event, session) => {
+      const subscription = this.supabaseClient.auth.onAuthStateChange(
+        (event: AuthChangeEvent, session: SupabaseSession | null) => {
           try {
-            logger.debug('AuthService', 'Auth state change event received:', event);
             // Handle different auth events
             if (event === 'SIGNED_OUT') {
               this.session = null;
@@ -445,6 +451,7 @@ export class AuthService extends BaseService implements IAuthService {
           }
         }
       );
+      this.authStateSubscription = subscription.data.subscription;
     } catch (error) {
       logger.error('AuthService', 'Failed to setup auth state listener:', error);
       throw error; // Re-throw to propagate to the provider
@@ -462,7 +469,6 @@ export class AuthService extends BaseService implements IAuthService {
     this.startSessionRestoration();
 
     try {
-      logger.debug('AuthService', 'Fetching existing session from Supabase');
       let currentSession: Session | null = null;
       let sessionError: AuthError | null = null;
 
@@ -472,14 +478,12 @@ export class AuthService extends BaseService implements IAuthService {
         sessionError = error ?? null;
       } catch (error) {
         // Handle cases where getSession might not exist (mocked/test clients)
-        logger.debug('AuthService', 'getSession unavailable, treating as no active session');
         currentSession = null;
         sessionError = null;
       }
 
       if (sessionError) {
         // Record error but continue to attempt getUser to satisfy edge cases
-        logger.debug('AuthService', 'getSession returned error, attempting to fetch user anyway');
         this.authError = sessionError;
         
         // Attempt getUser as fallback when getSession fails
@@ -498,7 +502,6 @@ export class AuthService extends BaseService implements IAuthService {
           }
         } catch (getUserError) {
           // If getUser also fails, we've already recorded the sessionError
-          logger.debug('AuthService', 'getUser also failed:', getUserError);
         }
       }
 
@@ -510,7 +513,7 @@ export class AuthService extends BaseService implements IAuthService {
         // Only skip getUser if we didn't already attempt it due to a sessionError
         // Treat missing session as a normal cold-start state on public pages (e.g., login)
         // Do not call getUser() which can raise AuthSessionMissingError and surface a noisy banner
-        logger.debug('AuthService', 'No active session found; treating as normal unauthenticated state');
+        // No active session found; treating as normal unauthenticated state
         this.session = null;
         this.user = null;
         this.authError = null;
@@ -570,7 +573,8 @@ export class AuthService extends BaseService implements IAuthService {
 
       // Call rbac_session_track RPC function
       // This automatically inserts into rbac_user_sessions AND rbac_user_login_history (for login)
-      const { error } = await (this.supabaseClient as any).rpc('rbac_session_track', {
+      // Note: Using type assertion for RPC call as Supabase doesn't provide full typing for custom RPC functions
+      const { error } = await (this.supabaseClient as unknown as { rpc: (name: string, params: Record<string, unknown>) => Promise<{ error: Error | null }> }).rpc('rbac_session_track', {
         p_user_id: session.user.id,
         p_session_type: sessionType,
         p_event_id: null, // Event ID should come from context, not auth service
@@ -582,8 +586,6 @@ export class AuthService extends BaseService implements IAuthService {
 
       if (error) {
         logger.warn('AuthService', `Failed to track ${sessionType} session:`, error);
-      } else {
-        logger.debug('AuthService', `Successfully tracked ${sessionType} session`);
       }
     } catch (error) {
       // Log error but don't throw (non-blocking)
@@ -594,7 +596,7 @@ export class AuthService extends BaseService implements IAuthService {
   private setupErrorHandlers(): void {
     if (typeof window === 'undefined') return;
 
-    const handleError = (event: ErrorEvent) => {
+    this.errorHandler = (event: ErrorEvent) => {
       if (event.error?.message?.includes('AuthSessionMissingError') || 
           event.error?.message?.includes('Auth session missing')) {
         logger.warn('AuthService', 'Suppressing AuthSessionMissingError during logout');
@@ -603,7 +605,7 @@ export class AuthService extends BaseService implements IAuthService {
       }
     };
 
-    const handleUnhandledRejection = (event: PromiseRejectionEvent) => {
+    this.unhandledRejectionHandler = (event: PromiseRejectionEvent) => {
       if (event.reason?.message?.includes('AuthSessionMissingError') ||
           event.reason?.message?.includes('Auth session missing')) {
         logger.warn('AuthService', 'Suppressing unhandled AuthSessionMissingError');
@@ -612,15 +614,21 @@ export class AuthService extends BaseService implements IAuthService {
       }
     };
 
-    window.addEventListener('error', handleError);
-    window.addEventListener('unhandledrejection', handleUnhandledRejection);
+    window.addEventListener('error', this.errorHandler);
+    window.addEventListener('unhandledrejection', this.unhandledRejectionHandler);
   }
 
   private removeErrorHandlers(): void {
     if (typeof window === 'undefined') return;
 
-    // Note: We can't remove specific handlers without storing references
-    // In a real implementation, you'd store the handler references
-    // For now, we'll rely on the service being cleaned up
+    if (this.errorHandler) {
+      window.removeEventListener('error', this.errorHandler);
+      this.errorHandler = null;
+    }
+
+    if (this.unhandledRejectionHandler) {
+      window.removeEventListener('unhandledrejection', this.unhandledRejectionHandler);
+      this.unhandledRejectionHandler = null;
+    }
   }
 }