@jmruthers/pace-core 0.5.182 → 0.5.183

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jmruthers/pace-core",
-  "version": "0.5.182",
+  "version": "0.5.183",
   "description": "Clean, modern React component library with Tailwind v4 styling and native utilities",
   "private": false,
   "publishConfig": {

package/src/hooks/public/usePublicEventLogo.test.ts

@@ -0,0 +1,147 @@
+import { renderHook, waitFor, act } from '@testing-library/react';
+import { describe, it, expect, vi, beforeEach, afterEach, afterAll } from 'vitest';
+import {
+  usePublicEventLogo,
+  clearPublicLogoCache,
+  getPublicLogoCacheStats
+} from './usePublicEventLogo';
+import { createMockSupabaseClient } from '../../__tests__/helpers/supabaseMock';
+import type { SupabaseClient } from '@supabase/supabase-js';
+import type { Database } from '../../types/database';
+
+vi.mock('../../utils/core/logger', () => {
+  const logger = {
+    debug: vi.fn(),
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn()
+  };
+  return {
+    createLogger: vi.fn(() => logger)
+  };
+});
+
+const VALID_ORG_ID = '123e4567-e89b-12d3-a456-426614174000';
+const originalFetch = globalThis.fetch;
+
+describe('usePublicEventLogo', () => {
+  let mockSupabase: SupabaseClient<Database>;
+  let fetchMock: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    mockSupabase = createMockSupabaseClient() as unknown as SupabaseClient<Database>;
+    fetchMock = vi.fn().mockResolvedValue({ ok: true });
+    (globalThis as any).fetch = fetchMock;
+    clearPublicLogoCache();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    clearPublicLogoCache();
+  });
+
+  afterAll(() => {
+    (globalThis as any).fetch = originalFetch;
+  });
+
+  it('fetches and caches the logo when RPC succeeds', async () => {
+    const logoUrl = 'https://cdn.example.com/logo.png';
+    (mockSupabase.rpc as any).mockResolvedValue({ data: [{ logo_url: logoUrl }], error: null });
+
+    const { result } = renderHook(() =>
+      usePublicEventLogo('event-123', 'Big Event', VALID_ORG_ID, {
+        supabase: mockSupabase
+      })
+    );
+
+    await waitFor(() => expect(result.current.logoUrl).toBe(logoUrl));
+    expect(result.current.fallbackText).toBe('BE');
+    expect(fetchMock).toHaveBeenCalledWith(logoUrl, { method: 'HEAD' });
+
+    const stats = getPublicLogoCacheStats();
+    expect(stats.size).toBe(1);
+    expect(stats.keys[0]).toContain('event-123');
+  });
+
+  it('refetch clears cache and requests fresh data', async () => {
+    const firstUrl = 'https://cdn.example.com/logo.png';
+    const secondUrl = 'https://cdn.example.com/logo-2.png';
+    (mockSupabase.rpc as any)
+      .mockResolvedValueOnce({ data: [{ logo_url: firstUrl }], error: null })
+      .mockResolvedValueOnce({ data: [{ logo_url: secondUrl }], error: null });
+
+    const { result } = renderHook(() =>
+      usePublicEventLogo('event-123', 'Big Event', VALID_ORG_ID, {
+        supabase: mockSupabase
+      })
+    );
+
+    await waitFor(() => expect(result.current.logoUrl).toBe(firstUrl));
+
+    await act(async () => {
+      await result.current.refetch();
+    });
+
+    await waitFor(() => expect(result.current.logoUrl).toBe(secondUrl));
+    expect((mockSupabase.rpc as any)).toHaveBeenCalledTimes(2);
+  });
+
+  it('exposes error state when RPC fails', async () => {
+    (mockSupabase.rpc as any).mockResolvedValue({ data: null, error: { message: 'RPC failed' } });
+
+    const { result } = renderHook(() =>
+      usePublicEventLogo('event-123', 'Big Event', VALID_ORG_ID, {
+        supabase: mockSupabase
+      })
+    );
+
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
+    expect(result.current.logoUrl).toBeNull();
+    expect(result.current.error).toEqual(new Error('RPC failed'));
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it('skips image validation when disabled', async () => {
+    const logoUrl = 'https://cdn.example.com/logo.png';
+    (mockSupabase.rpc as any).mockResolvedValue({ data: [{ logo_url: logoUrl }], error: null });
+
+    const { result } = renderHook(() =>
+      usePublicEventLogo('event-123', 'Big Event', VALID_ORG_ID, {
+        supabase: mockSupabase,
+        validateImage: false
+      })
+    );
+
+    await waitFor(() => expect(result.current.logoUrl).toBe(logoUrl));
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it('uses custom fallback text generator', () => {
+    const { result } = renderHook(() =>
+      usePublicEventLogo(undefined, 'Public Event', VALID_ORG_ID, {
+        supabase: mockSupabase,
+        generateFallbackText: () => 'CSTM'
+      })
+    );
+
+    expect(result.current.fallbackText).toBe('CSTM');
+    expect(result.current.logoUrl).toBeNull();
+  });
+
+  it('clears cached logo entries when clearPublicLogoCache is called', async () => {
+    const logoUrl = 'https://cdn.example.com/logo.png';
+    (mockSupabase.rpc as any).mockResolvedValue({ data: [{ logo_url: logoUrl }], error: null });
+
+    const { result } = renderHook(() =>
+      usePublicEventLogo('event-123', 'Big Event', VALID_ORG_ID, {
+        supabase: mockSupabase
+      })
+    );
+
+    await waitFor(() => expect(result.current.logoUrl).toBe(logoUrl));
+    expect(getPublicLogoCacheStats().size).toBe(1);
+
+    clearPublicLogoCache();
+    expect(getPublicLogoCacheStats().size).toBe(0);
+  });
+});

package/src/styles/index.test.ts

@@ -0,0 +1,21 @@
+import { getAllStylePaths, getStylePath, styleConfig } from './index';
+
+describe('styles exports', () => {
+  it('exposes metadata for the core stylesheet', () => {
+    expect(styleConfig.core).toEqual({
+      path: './core.css',
+      description: expect.stringContaining('Complete CSS foundation')
+    });
+  });
+
+  it('returns the correct path for a requested style', () => {
+    expect(getStylePath('core')).toBe('./core.css');
+  });
+
+  it('lists all available style paths exactly once', () => {
+    const allPaths = getAllStylePaths();
+
+    expect(allPaths).toEqual(['./core.css']);
+    expect(new Set(allPaths).size).toBe(allPaths.length);
+  });
+});

package/src/types/__tests__/organisation.roles.test.ts

@@ -0,0 +1,55 @@
+import { describe, expect, it } from 'vitest';
+import { ORGANISATION_ROLE_PERMISSIONS, type OrganisationPermission } from '../organisation';
+
+const EXPECTED_ROLE_ORDER = ['supporter', 'member', 'leader', 'org_admin'] as const;
+const ALLOWED_PERMISSIONS: OrganisationPermission[] = [
+  'view_basic',
+  'view_details',
+  'moderate_content',
+  'manage_events',
+  'manage_members',
+  'manage_settings',
+  '*'
+];
+
+describe('[types] Organisation role permissions', () => {
+  it('exposes all supported roles in a predictable order', () => {
+    expect(Object.keys(ORGANISATION_ROLE_PERMISSIONS)).toEqual(Array.from(EXPECTED_ROLE_ORDER));
+  });
+
+  it('only uses recognised permission tokens', () => {
+    Object.values(ORGANISATION_ROLE_PERMISSIONS).forEach(permissionList => {
+      permissionList.forEach(permission => {
+        expect(ALLOWED_PERMISSIONS).toContain(permission);
+      });
+    });
+  });
+
+  it('enforces progressive access (each role is a superset of the previous one)', () => {
+    const supporter = new Set(ORGANISATION_ROLE_PERMISSIONS.supporter);
+    const member = new Set(ORGANISATION_ROLE_PERMISSIONS.member);
+    const leader = new Set(ORGANISATION_ROLE_PERMISSIONS.leader);
+    const admin = new Set(ORGANISATION_ROLE_PERMISSIONS.org_admin);
+
+    supporter.forEach(permission => {
+      expect(member.has(permission)).toBe(true);
+      expect(leader.has(permission)).toBe(true);
+      expect(admin.has(permission)).toBe(true);
+    });
+
+    member.forEach(permission => {
+      expect(leader.has(permission)).toBe(true);
+      expect(admin.has(permission)).toBe(true);
+    });
+
+    leader.forEach(permission => {
+      expect(admin.has(permission)).toBe(true);
+    });
+  });
+
+  it('retains privileged capabilities for the organisation admin role', () => {
+    expect(ORGANISATION_ROLE_PERMISSIONS.org_admin).toEqual(
+      expect.arrayContaining(['manage_members', 'manage_settings'])
+    );
+  });
+});

package/src/utils/audit/audit.test.ts

@@ -0,0 +1,65 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import {
+  auditLogger,
+  logAuthEvent,
+  logPermissionEvent,
+  logSecurityEvent,
+  logAuditEvent
+} from './audit';
+
+describe('audit logger utility', () => {
+  beforeEach(() => {
+    auditLogger.clearEvents();
+    vi.useRealTimers();
+  });
+
+  it('attaches timestamps to every raw log entry', () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2024-01-01T00:00:00Z'));
+
+    auditLogger.log({ type: 'auth', action: 'login', severity: 'high' });
+
+    const [event] = auditLogger.getEvents();
+    expect(event).toMatchObject({ type: 'auth', action: 'login', severity: 'high' });
+    expect(event.timestamp).toBe(Date.now());
+  });
+
+  it('filters security events without mutating the original queue', async () => {
+    await auditLogger.logAuthEvent({ event: 'login', userId: 'user-1' });
+    await auditLogger.logSecurityEvent({ event: 'policy_violation', data: { ip: '127.0.0.1' } });
+    await auditLogger.logPermissionEvent({ event: 'role_grant', userId: 'user-2' });
+
+    const securityEvents = await auditLogger.getSecurityEvents();
+    expect(securityEvents).toHaveLength(1);
+    expect(securityEvents[0]).toMatchObject({ type: 'security', event: 'policy_violation' });
+
+    const allEvents = auditLogger.getEvents();
+    expect(allEvents).toHaveLength(3);
+    expect(allEvents).not.toBe(securityEvents); // defensive copy for getEvents
+  });
+
+  it('records structured data through the async wrappers', async () => {
+    await auditLogger.logPermissionEvent({ event: 'role_update', userId: 'user-123', data: { scope: 'org' } });
+
+    const [permissionEvent] = auditLogger.getEvents();
+    expect(permissionEvent).toMatchObject({
+      type: 'permission',
+      event: 'role_update',
+      userId: 'user-123',
+      data: { scope: 'org' }
+    });
+    expect(typeof permissionEvent.timestamp).toBe('number');
+  });
+
+  it('routes the public helper functions through the shared logger instance', () => {
+    logAuthEvent('login_attempt', 'alpha', { method: 'password' });
+    logPermissionEvent('grant_role', 'beta', { role: 'leader' });
+    logSecurityEvent('rate_limit', 'system', { ip: '127.0.0.1' });
+    logAuditEvent('generic_event', 'gamma');
+
+    const events = auditLogger.getEvents();
+    expect(events).toHaveLength(4);
+    expect(events.map(event => event.type)).toEqual(['auth', 'permission', 'security', 'auth']);
+    expect(events[3]).toMatchObject({ action: 'generic_event', user: 'gamma' });
+  });
+});

package/src/utils/device/deviceFingerprint.test.ts

@@ -0,0 +1,171 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { generateDeviceFingerprint, validateDeviceFingerprint, type DeviceFingerprint } from './deviceFingerprint';
+import { secureStorage } from '../security/secureStorage';
+
+vi.mock('../security/secureStorage', () => ({
+  secureStorage: {
+    setItem: vi.fn()
+  }
+}));
+
+describe('device fingerprinting utilities', () => {
+  const setItemMock = secureStorage.setItem as ReturnType<typeof vi.fn>;
+  const originalCreateElement = document.createElement.bind(document);
+  let createElementSpy: ReturnType<typeof vi.spyOn>;
+  let intlSpy: ReturnType<typeof vi.spyOn>;
+
+  beforeEach(() => {
+    setItemMock.mockReset();
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2024-01-01T00:00:00Z'));
+
+    Object.defineProperty(window.navigator, 'userAgent', {
+      value: 'TestAgent/1.0',
+      configurable: true
+    });
+    Object.defineProperty(window.navigator, 'language', {
+      value: 'en-GB',
+      configurable: true
+    });
+    Object.defineProperty(window.navigator, 'platform', {
+      value: 'MacIntel',
+      configurable: true
+    });
+    Object.defineProperty(window, 'screen', {
+      value: { width: 1920, height: 1080, colorDepth: 24 },
+      configurable: true
+    });
+
+    intlSpy = vi.spyOn(Intl, 'DateTimeFormat').mockImplementation(() => ({
+      resolvedOptions: () => ({ timeZone: 'UTC' })
+    }) as Intl.DateTimeFormat);
+
+    createElementSpy = vi.spyOn(document, 'createElement').mockImplementation(tagName => {
+      if (tagName === 'canvas') {
+        const ctx2d = {
+          textBaseline: '',
+          font: '',
+          fillStyle: '',
+          fillRect: vi.fn(),
+          fillText: vi.fn()
+        } as unknown as CanvasRenderingContext2D;
+
+        const debugInfo = {
+          UNMASKED_VENDOR_WEBGL: 'vendorConst',
+          UNMASKED_RENDERER_WEBGL: 'rendererConst'
+        };
+
+        const gl = {
+          getExtension: vi.fn(() => debugInfo),
+          getParameter: vi.fn((param: string) =>
+            param === debugInfo.UNMASKED_VENDOR_WEBGL ? 'ExampleVendor' : 'ExampleRenderer'
+          )
+        } as unknown as WebGLRenderingContext;
+
+        return {
+          getContext: (type: string) => {
+            if (type === '2d') return ctx2d;
+            if (type === 'webgl' || type === 'experimental-webgl') return gl;
+            return null;
+          },
+          toDataURL: () => 'data:image/png;base64,fingerprint'
+        } as unknown as HTMLCanvasElement;
+      }
+      return originalCreateElement(tagName);
+    });
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    createElementSpy.mockRestore();
+    intlSpy.mockRestore();
+  });
+
+  it('captures deterministic device details and persists the fingerprint payload', () => {
+    const fingerprint = generateDeviceFingerprint();
+
+    expect(fingerprint.components).toMatchObject({
+      language: 'en-GB',
+      platform: 'MacIntel',
+      screen: '1920x1080x24',
+      timezone: 'UTC'
+    });
+    // userAgent is a hashed value, length depends on the hash
+    expect(fingerprint.components.userAgent).toBeTruthy();
+    expect(typeof fingerprint.components.userAgent).toBe('string');
+    expect(fingerprint.entropy).toBeGreaterThan(0);
+
+    expect(setItemMock).toHaveBeenCalledTimes(1);
+    const [storageKey, storedValue] = setItemMock.mock.calls[0];
+    expect(storageKey).toBe('device_fingerprint');
+    expect(JSON.parse(storedValue)).toMatchObject({ hash: fingerprint.hash, components: fingerprint.components });
+  });
+
+  it('falls back gracefully when fingerprinting fails', () => {
+    // Mock all potential failure points to ensure fallback is triggered
+    createElementSpy.mockImplementation(() => {
+      throw new Error('canvas unavailable');
+    });
+    
+    // Also mock navigator properties to throw to ensure complete failure
+    const originalUserAgent = Object.getOwnPropertyDescriptor(window.navigator, 'userAgent');
+    Object.defineProperty(window.navigator, 'userAgent', {
+      get: () => { throw new Error('userAgent unavailable'); },
+      configurable: true
+    });
+
+    const fallback = generateDeviceFingerprint();
+
+    expect(fallback.hash).toMatch(/^fallback_/);
+    expect(fallback.entropy).toBe(1);
+    expect(setItemMock).not.toHaveBeenCalled();
+    
+    // Restore original userAgent
+    if (originalUserAgent) {
+      Object.defineProperty(window.navigator, 'userAgent', originalUserAgent);
+    }
+  });
+
+  it('validates stored fingerprints with age and confidence thresholds', () => {
+    const baseComponents = {
+      userAgent: 'ua',
+      language: 'lang',
+      platform: 'platform',
+      screen: 'screen',
+      timezone: 'tz'
+    } as DeviceFingerprint['components'];
+
+    const stored: DeviceFingerprint = {
+      hash: 'stored',
+      timestamp: Date.now(),
+      components: baseComponents,
+      entropy: 3
+    };
+
+    const current: DeviceFingerprint = {
+      hash: 'current',
+      timestamp: Date.now(),
+      components: { ...baseComponents, screen: 'screen', timezone: 'tz', platform: 'platform-modified' },
+      entropy: 3
+    };
+
+    const freshResult = validateDeviceFingerprint(stored, current);
+    expect(freshResult.isValid).toBe(true);
+    expect(freshResult.confidence).toBe(80);
+    expect(freshResult.reasons).toEqual(['Component mismatch: platform']);
+
+    const staleResult = validateDeviceFingerprint(
+      { ...stored, timestamp: Date.now() - 31 * 24 * 60 * 60 * 1000 },
+      current
+    );
+    expect(staleResult.isValid).toBe(false);
+    expect(staleResult.reasons).toContain('Fingerprint too old');
+
+    const divergent = validateDeviceFingerprint(stored, {
+      ...current,
+      components: { ...baseComponents, language: 'other', platform: 'alt', screen: 'another' }
+    });
+    expect(divergent.isValid).toBe(false);
+    expect(divergent.reasons).toContain('Device signature changed significantly');
+  });
+});

package/src/utils/validation/__tests__/validationUtils.test.ts

@@ -0,0 +1,72 @@
+import { describe, expect, it, vi } from 'vitest';
+import { z } from 'zod';
+import { validateUserInput, generateCSPHeader, RateLimiter } from '../sanitization';
+
+// validateUserInput is re-exported from validationUtils but implemented via sanitizeFormData
+import { validateUserInput as validateAndSanitize } from '../validationUtils';
+
+describe('validation utilities', () => {
+  const profileSchema = z.object({
+    name: z.string().min(1, 'Name is required'),
+    bio: z.string().min(1)
+  });
+
+  it('sanitizes inputs according to field-specific rules before validation', () => {
+    const payload = {
+      name: '   <script>alert(1)</script>  ',
+      bio: 'Hello <em>World</em> <strong>safe</strong>'
+    };
+
+    const result = validateAndSanitize(profileSchema, payload, {
+      name: { allowHtml: false, maxLength: 50 },
+      bio: { allowHtml: true, allowedTags: ['strong'] }
+    });
+
+    expect(result.success).toBe(true);
+    expect(result.data).toEqual({
+      name: '&lt;script&gt;alert(1)&lt;&#x2F;script&gt;',
+      bio: 'Hello World <strong>safe</strong>'
+    });
+  });
+
+  it('returns descriptive errors when validation fails even after sanitization', () => {
+    const result = validateAndSanitize(profileSchema, { name: '   ', bio: '' });
+
+    expect(result.success).toBe(false);
+    // Zod's default error message format
+    expect(result.error).toMatch(/name|required|character/i);
+  });
+
+  it('generates CSP headers with custom overrides while retaining defaults', () => {
+    const header = generateCSPHeader({
+      img: "img-src 'self' https://cdn.example.com",
+      connect: "connect-src 'self' https://api.example.com"
+    });
+
+    expect(header).toContain("default-src 'self'");
+    expect(header).toContain("img-src 'self' https://cdn.example.com");
+    expect(header).toContain("connect-src 'self' https://api.example.com");
+    expect(header).toContain("frame-src 'none'");
+  });
+
+  it('enforces rate limits and resets windows correctly', () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(0);
+
+    const limiter = new RateLimiter(2, 1000);
+    expect(limiter.isAllowed('user-1')).toBe(true);
+    expect(limiter.isAllowed('user-1')).toBe(true);
+    expect(limiter.isAllowed('user-1')).toBe(false);
+    expect(limiter.getRemainingAttempts('user-1')).toBe(0);
+
+    // Advance time past the reset window (need to go past the resetTime)
+    vi.advanceTimersByTime(1001);
+    expect(limiter.isAllowed('user-1')).toBe(true);
+    expect(limiter.getRemainingAttempts('user-1')).toBe(1);
+
+    limiter.reset('user-1');
+    expect(limiter.getRemainingAttempts('user-1')).toBe(2);
+
+    vi.useRealTimers();
+  });
+});