@jmruthers/pace-core 0.5.183 → 0.5.185

package/src/providers/services/UnifiedAuthProvider.tsx

@@ -8,7 +8,7 @@
  * Note: RBAC functionality is available via useRBAC() hook from '@jmruthers/pace-core/rbac'
  */
 
-import React, { createContext, useContext, useMemo, useCallback, useRef, useEffect, useState } from 'react';
+import React, { createContext, useContext, useMemo, useCallback, useRef, useEffect, useState, useReducer } from 'react';
 import { type SupabaseClient, type User, type Session } from '@supabase/supabase-js';
 import { AuthServiceProvider } from './AuthServiceProvider';
 import { OrganisationServiceProvider } from './OrganisationServiceProvider';
@@ -114,7 +114,7 @@ export interface UnifiedAuthContextType {
   sessionRestorationTimeoutMs: number;
 }
 
-const UnifiedAuthContext = createContext<UnifiedAuthContextType | undefined>(undefined);
+export const UnifiedAuthContext = createContext<UnifiedAuthContextType | undefined>(undefined);
 
 export const useUnifiedAuth = () => {
   const context = useContext(UnifiedAuthContext);
@@ -179,13 +179,15 @@ function UnifiedAuthContextProvider({
     eventService = useEventService();
   } catch (error) {
     // EventService not available - provide fallback implementation
+    // Include subscribe method to match BaseService interface
     eventService = {
       getEvents: () => [],
       getSelectedEvent: () => null,
       isLoading: () => false,
       getError: () => null,
       setSelectedEvent: () => {},
-      refreshEvents: async () => {}
+      refreshEvents: async () => {},
+      subscribe: () => () => {} // No-op subscribe/unsubscribe for fallback
     };
   }
 
@@ -256,6 +258,25 @@ function UnifiedAuthContextProvider({
     }
   }, [isAuth, currentUser?.id, supabase, appName, appId]);
 
+  // Subscribe to service state changes to trigger re-renders
+  // Use useReducer to force updates when services notify
+  const [, forceUpdate] = useReducer(x => x + 1, 0);
+  
+  useEffect(() => {
+    // Subscribe to all service changes
+    const unsubscribeAuth = authService.subscribe(() => forceUpdate());
+    const unsubscribeOrg = organisationService.subscribe(() => forceUpdate());
+    const unsubscribeEvent = eventService.subscribe(() => forceUpdate());
+    const unsubscribeInactivity = inactivityService.subscribe(() => forceUpdate());
+    
+    return () => {
+      unsubscribeAuth();
+      unsubscribeOrg();
+      unsubscribeEvent();
+      unsubscribeInactivity();
+    };
+  }, [authService, organisationService, eventService, inactivityService]);
+
   // Get loading states - these will trigger re-renders when services change
   const authLoading = authService.isLoading();
   const orgLoading = organisationService.isLoading();

package/src/rbac/__tests__/scenarios.user-role.test.tsx

@@ -30,6 +30,7 @@ vi.mock('../../hooks/services/useAuthService', () => ({
     resetPassword: vi.fn(),
     updatePassword: vi.fn(),
     refreshSession: vi.fn(),
+    subscribe: vi.fn(() => () => {}), // Subscribe method that returns unsubscribe function
   }),
 }));
 
@@ -41,6 +42,7 @@ vi.mock('../../hooks/services/useEventService', () => ({
     getError: vi.fn(() => null),
     setSelectedEvent: vi.fn(),
     refreshEvents: vi.fn(),
+    subscribe: vi.fn(() => () => {}), // Subscribe method that returns unsubscribe function
   }),
 }));
 
@@ -56,6 +58,7 @@ vi.mock('../../hooks/services/useInactivityService', () => ({
     startTracking: vi.fn(),
     stopTracking: vi.fn(),
     handleIdleLogout: vi.fn(),
+    subscribe: vi.fn(() => () => {}), // Subscribe method that returns unsubscribe function
   }),
 }));
 

package/src/rbac/compliance/database-validator.ts

@@ -0,0 +1,165 @@
+/**
+ * Database Configuration Validator
+ * @package @jmruthers/pace-core
+ * @module RBAC/Compliance/DatabaseValidator
+ * @since 1.0.0
+ * 
+ * This module provides utilities to validate database configuration for RBAC.
+ */
+
+import { SupabaseClient } from '@supabase/supabase-js';
+import { Database } from '../../types/database';
+
+export interface DatabaseIssue {
+  type: 'app-not-configured' | 'app-name-mismatch' | 'pages-not-configured' | 'permissions-not-configured' | 'rls-not-active' | 'roles-not-configured';
+  message: string;
+  recommendation: string;
+}
+
+export interface DatabaseComplianceResult {
+  appConfigured: boolean;
+  pagesConfigured: boolean;
+  permissionsConfigured: boolean;
+  rlsPoliciesActive: boolean;
+  rolesConfigured: boolean;
+  issues: DatabaseIssue[];
+  recommendations: string[];
+}
+
+/**
+ * Validate database configuration
+ * 
+ * @param supabase - Supabase client
+ * @param appName - Application name to validate
+ * @returns Database compliance result
+ */
+export async function validateDatabaseConfiguration(
+  supabase: SupabaseClient<Database>,
+  appName: string
+): Promise<DatabaseComplianceResult> {
+  const issues: DatabaseIssue[] = [];
+  const recommendations: string[] = [];
+  
+  let appConfigured = false;
+  let pagesConfigured = false;
+  let permissionsConfigured = false;
+  let rlsPoliciesActive = false;
+  let rolesConfigured = false;
+  
+  try {
+    // Check if app exists in rbac_apps
+    const { data: app, error: appError } = await supabase
+      .from('rbac_apps')
+      .select('id, name')
+      .eq('name', appName)
+      .single();
+    
+    if (appError || !app) {
+      issues.push({
+        type: 'app-not-configured',
+        message: `App '${appName}' not found in rbac_apps table.`,
+        recommendation: `Register your app in the rbac_apps table with name '${appName}' (case-sensitive).`
+      });
+    } else {
+      appConfigured = true;
+      
+      // Check if app name matches exactly
+      if (app.name !== appName) {
+        issues.push({
+          type: 'app-name-mismatch',
+          message: `App name mismatch. Database has '${app.name}', but environment variable has '${appName}'.`,
+          recommendation: `Ensure VITE_APP_NAME (or NEXT_PUBLIC_APP_NAME) matches the app name in rbac_apps table exactly (case-sensitive).`
+        });
+      }
+      
+      // Check if pages are configured
+      const { data: pages, error: pagesError } = await supabase
+        .from('rbac_app_pages')
+        .select('id')
+        .eq('app_id', app.id)
+        .limit(1);
+      
+      if (pagesError || !pages || pages.length === 0) {
+        issues.push({
+          type: 'pages-not-configured',
+          message: `No pages found for app '${appName}' in rbac_app_pages table.`,
+          recommendation: 'Register your app pages in the rbac_app_pages table. Each route/page should have an entry.'
+        });
+      } else {
+        pagesConfigured = true;
+        
+        // Check if permissions are configured for pages
+        const { data: permissions, error: permissionsError } = await supabase
+          .from('rbac_page_permissions')
+          .select('id')
+          .in('page_id', pages.map(p => p.id))
+          .limit(1);
+        
+        if (permissionsError || !permissions || permissions.length === 0) {
+          issues.push({
+            type: 'permissions-not-configured',
+            message: `No permissions found for app '${appName}' pages in rbac_page_permissions table.`,
+            recommendation: 'Configure permissions for your app pages in the rbac_page_permissions table. Each page should have permissions for different operations (read, create, update, delete).'
+          });
+        } else {
+          permissionsConfigured = true;
+        }
+      }
+    }
+    
+    // Check if RLS is enabled on RBAC tables (basic check)
+    // Note: This is a simplified check - full RLS validation would require more complex queries
+    try {
+      // Type assertion needed because rbac_check_rls_status may not be in generated types yet
+      const { data: rbacTables, error: rlsError } = await (supabase.rpc as any)('rbac_check_rls_status');
+      
+      if (rlsError) {
+        // RLS check function might not exist, which is okay
+        // We'll assume RLS is active if we can query the tables
+        rlsPoliciesActive = true;
+        recommendations.push('Consider adding an RLS status check function to validate RLS policies are active.');
+      } else {
+        rlsPoliciesActive = true;
+      }
+    } catch (error) {
+      // RLS check function might not exist or be available
+      // We'll assume RLS is active if we can query the tables
+      rlsPoliciesActive = true;
+      recommendations.push('Consider adding an RLS status check function to validate RLS policies are active.');
+    }
+    
+    // Check if organisation roles exist (sample check)
+    const { data: orgRoles, error: rolesError } = await supabase
+      .from('rbac_organisation_roles')
+      .select('id')
+      .limit(1);
+    
+    if (rolesError) {
+      issues.push({
+        type: 'roles-not-configured',
+        message: 'Unable to query rbac_organisation_roles table. RLS might be blocking access or table might not exist.',
+        recommendation: 'Ensure rbac_organisation_roles table exists and RLS policies allow read access for authenticated users.'
+      });
+    } else {
+      rolesConfigured = true;
+    }
+    
+  } catch (error) {
+    issues.push({
+      type: 'app-not-configured',
+      message: `Error validating database configuration: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      recommendation: 'Check your Supabase connection and ensure you have the necessary permissions to query RBAC tables.'
+    });
+  }
+  
+  return {
+    appConfigured,
+    pagesConfigured,
+    permissionsConfigured,
+    rlsPoliciesActive,
+    rolesConfigured,
+    issues,
+    recommendations
+  };
+}
+

package/src/rbac/compliance/index.ts

@@ -0,0 +1,38 @@
+/**
+ * RBAC Compliance Module
+ * @package @jmruthers/pace-core
+ * @module RBAC/Compliance
+ * @since 1.0.0
+ * 
+ * This module provides compliance checking utilities for RBAC/auth setup.
+ */
+
+export {
+  isRBACInitialized,
+  validateRBACSetup,
+  getSetupIssues,
+  type SetupIssue,
+  type ComplianceResult,
+} from './setup-validator';
+
+export {
+  checkRuntimeCompliance,
+  validateAndWarn,
+  type RuntimeComplianceResult,
+} from './runtime-compliance';
+
+export {
+  validateDatabaseConfiguration,
+  type DatabaseComplianceResult,
+  type DatabaseIssue,
+} from './database-validator';
+
+export {
+  getQuickFixes,
+  getCustomAuthCodeFixes,
+  getDuplicateConfigFixes,
+  getUnprotectedPageFixes,
+  getDirectSupabaseAuthFixes,
+  type QuickFix,
+} from './quick-fix-suggestions';
+

package/src/rbac/compliance/quick-fix-suggestions.ts

@@ -0,0 +1,209 @@
+/**
+ * Quick Fix Suggestions for RBAC/Auth Compliance
+ * @package @jmruthers/pace-core
+ * @module RBAC/Compliance/QuickFixSuggestions
+ * @since 1.0.0
+ * 
+ * This module provides auto-suggest fixes for common RBAC/auth compliance issues.
+ */
+
+export interface QuickFix {
+  issue: string;
+  suggestion: string;
+  codeExample?: string;
+  migrationSteps?: string[];
+}
+
+/**
+ * Get quick fix suggestions for custom auth code
+ */
+export function getCustomAuthCodeFixes(customCodeName: string, type: 'hook' | 'component' | 'util'): QuickFix {
+  const fixes: Record<string, QuickFix> = {
+    'useAuth': {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with useUnifiedAuth from pace-core`,
+      codeExample: `// Before
+import { useAuth } from './hooks/useAuth';
+
+// After
+import { useUnifiedAuth } from '@jmruthers/pace-core';`,
+      migrationSteps: [
+        'Remove custom useAuth hook',
+        'Import useUnifiedAuth from @jmruthers/pace-core',
+        'Update all usages to use useUnifiedAuth',
+        'Ensure UnifiedAuthProvider wraps your app'
+      ]
+    },
+    'usePermissions': {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with usePermissions from pace-core`,
+      codeExample: `// Before
+import { usePermissions } from './hooks/usePermissions';
+
+// After
+import { usePermissions } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        'Remove custom usePermissions hook',
+        'Import usePermissions from @jmruthers/pace-core/rbac',
+        'Update all usages - ensure setupRBAC() has been called',
+        'Verify provider hierarchy is correct'
+      ]
+    },
+    'PermissionGuard': {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with PagePermissionGuard from pace-core`,
+      codeExample: `// Before
+import { PermissionGuard } from './components/PermissionGuard';
+
+// After
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        'Remove custom PermissionGuard component',
+        'Import PagePermissionGuard from @jmruthers/pace-core/rbac',
+        'Wrap pages with PagePermissionGuard',
+        'Use pageName and operation props instead of custom permission strings'
+      ]
+    },
+    'checkPermission': {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with isPermitted from pace-core`,
+      codeExample: `// Before
+import { checkPermission } from './utils/permissions';
+
+// After
+import { isPermitted } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        'Remove custom checkPermission utility',
+        'Import isPermitted from @jmruthers/pace-core/rbac',
+        'Update all usages to use isPermitted with proper scope',
+        'Ensure setupRBAC() has been called'
+      ]
+    }
+  };
+  
+  return fixes[customCodeName] || {
+    issue: `Custom ${type} '${customCodeName}' detected`,
+    suggestion: `Use pace-core's equivalent instead. Check @jmruthers/pace-core documentation for the correct import.`,
+    migrationSteps: [
+      `Remove custom ${customCodeName} ${type}`,
+      'Find equivalent in pace-core',
+      'Import from @jmruthers/pace-core or @jmruthers/pace-core/rbac',
+      'Update all usages'
+    ]
+  };
+}
+
+/**
+ * Get quick fix suggestions for duplicate Supabase config
+ */
+export function getDuplicateConfigFixes(): QuickFix {
+  return {
+    issue: 'Multiple Supabase client instantiations found',
+    suggestion: 'Consolidate to a single Supabase client configuration',
+    codeExample: `// Before - Multiple createClient calls
+// src/lib/supabase.ts
+export const supabase = createClient(url, key);
+
+// src/utils/api.ts
+export const supabase = createClient(url, key);
+
+// After - Single configuration
+// src/lib/supabase.ts
+export const supabase = createClient(
+  import.meta.env.VITE_SUPABASE_URL,
+  import.meta.env.VITE_SUPABASE_ANON_KEY
+);
+
+// src/utils/api.ts
+import { supabase } from '../lib/supabase';`,
+    migrationSteps: [
+      'Create a single supabase.ts file in a shared location (e.g., src/lib/supabase.ts)',
+      'Move all Supabase client creation to this file',
+      'Export the client instance',
+      'Update all files to import from the shared location',
+      'Remove duplicate createClient calls'
+    ]
+  };
+}
+
+/**
+ * Get quick fix suggestions for unprotected pages
+ */
+export function getUnprotectedPageFixes(): QuickFix {
+  return {
+    issue: 'Route/page found without PagePermissionGuard',
+    suggestion: 'Wrap all routes with PagePermissionGuard',
+    codeExample: `// Before
+<Route path="/dashboard" element={<Dashboard />} />
+
+// After
+<Route 
+  path="/dashboard" 
+  element={
+    <PagePermissionGuard pageName="dashboard" operation="read">
+      <Dashboard />
+    </PagePermissionGuard>
+  } 
+/>`,
+    migrationSteps: [
+      'Import PagePermissionGuard from @jmruthers/pace-core/rbac',
+      'Wrap each route/page component with PagePermissionGuard',
+      'Set pageName prop to match your page name in rbac_app_pages table',
+      'Set operation prop (read, create, update, or delete)',
+      'Ensure setupRBAC() has been called and providers are set up correctly'
+    ]
+  };
+}
+
+/**
+ * Get quick fix suggestions for direct Supabase auth usage
+ */
+export function getDirectSupabaseAuthFixes(): QuickFix {
+  return {
+    issue: 'Direct Supabase auth usage detected',
+    suggestion: 'Use UnifiedAuthProvider and useUnifiedAuth from pace-core',
+    codeExample: `// Before
+import { createClient } from '@supabase/supabase-js';
+const supabase = createClient(url, key);
+await supabase.auth.signInWithPassword({ email, password });
+
+// After
+import { useUnifiedAuth } from '@jmruthers/pace-core';
+const { signIn } = useUnifiedAuth();
+await signIn({ email, password });`,
+    migrationSteps: [
+      'Remove direct Supabase auth calls',
+      'Import useUnifiedAuth from @jmruthers/pace-core',
+      'Use the auth methods from useUnifiedAuth hook',
+      'Ensure UnifiedAuthProvider wraps your app',
+      'Update all auth-related code to use pace-core hooks'
+    ]
+  };
+}
+
+/**
+ * Get all quick fix suggestions for a compliance issue
+ */
+export function getQuickFixes(issueType: string, details?: Record<string, any>): QuickFix[] {
+  const fixes: QuickFix[] = [];
+  
+  switch (issueType) {
+    case 'custom-auth-code':
+      if (details?.name && details?.type) {
+        fixes.push(getCustomAuthCodeFixes(details.name, details.type));
+      }
+      break;
+    case 'duplicate-config':
+      fixes.push(getDuplicateConfigFixes());
+      break;
+    case 'unprotected-pages':
+      fixes.push(getUnprotectedPageFixes());
+      break;
+    case 'direct-supabase-auth':
+      fixes.push(getDirectSupabaseAuthFixes());
+      break;
+  }
+  
+  return fixes;
+}
+

package/src/rbac/compliance/runtime-compliance.ts

@@ -0,0 +1,77 @@
+/**
+ * Runtime Compliance Checking
+ * @package @jmruthers/pace-core
+ * @module RBAC/Compliance/RuntimeCompliance
+ * @since 1.0.0
+ * 
+ * This module provides runtime compliance checking utilities.
+ */
+
+import { validateRBACSetup, SetupIssue } from './setup-validator';
+import { getRBACLogger } from '../config';
+
+export interface RuntimeComplianceResult {
+  setup: {
+    isCompliant: boolean;
+    issues: SetupIssue[];
+  };
+  warnings: string[];
+  providerContext?: {
+    available: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Check runtime compliance
+ * 
+ * This function checks if the RBAC system is properly set up and logs warnings
+ * to the console if issues are found. This is intended for development-time
+ * validation only.
+ * 
+ * @returns Runtime compliance result
+ */
+export function checkRuntimeCompliance(): RuntimeComplianceResult {
+  const logger = getRBACLogger();
+  const setupValidation = validateRBACSetup();
+  const warnings: string[] = [];
+  
+  if (!setupValidation.isCompliant) {
+    setupValidation.issues.forEach(issue => {
+      const warning = `[RBAC Compliance] ${issue.message}\n  Recommendation: ${issue.recommendation}`;
+      warnings.push(warning);
+      logger.warn(warning);
+    });
+  }
+  
+  // Check for provider context issues
+  const providerContextIssues = setupValidation.issues.filter(
+    issue => issue.type === 'missing-provider-context' || issue.type === 'not-initialized'
+  );
+  
+  const providerContext = providerContextIssues.length > 0 ? {
+    available: false,
+    message: 'UnifiedAuthProvider context may not be available. Ensure your app is wrapped with UnifiedAuthProvider from @jmruthers/pace-core.'
+  } : {
+    available: true
+  };
+  
+  return {
+    setup: setupValidation,
+    warnings,
+    providerContext
+  };
+}
+
+/**
+ * Validate and warn about RBAC setup issues
+ * 
+ * This is a convenience function that checks compliance and logs warnings.
+ * Call this in development mode to get early warnings about setup issues.
+ */
+export function validateAndWarn(): void {
+  if (import.meta.env.MODE === 'development' || import.meta.env.DEV) {
+    checkRuntimeCompliance();
+  }
+}
+