@jmruthers/pace-core 0.5.185 → 0.5.187

package/src/rbac/__tests__/rbac-role-isolation.test.ts

@@ -0,0 +1,456 @@
+/**
+ * @file RBAC Role Isolation Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Tests
+ * @since 2.0.0
+ * 
+ * Regression tests for RBAC role isolation security fix.
+ * 
+ * These tests verify that organisation roles (e.g., 'leader', 'member') do NOT
+ * implicitly grant event-app page permissions. Only the user's actual event-app
+ * role (e.g., 'planner', 'event_admin') should determine page permissions.
+ * 
+ * Bug Reference: Organisation role bypasses event-app page permissions
+ * Security Impact: HIGH
+ */
+
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { RBACEngine } from '../engine';
+import { 
+  UUID, 
+  Permission, 
+  Scope, 
+  PermissionCheck
+} from '../types';
+import { rbacCache } from '../cache';
+
+// Mock Supabase client
+const createMockSupabaseClient = () => ({
+  from: vi.fn(() => ({
+    select: vi.fn().mockReturnThis(),
+    eq: vi.fn().mockReturnThis(),
+    neq: vi.fn().mockReturnThis(),
+    in: vi.fn().mockReturnThis(),
+    is: vi.fn().mockReturnThis(),
+    lte: vi.fn().mockReturnThis(),
+    or: vi.fn().mockReturnThis(),
+    limit: vi.fn().mockResolvedValue({ 
+      data: [], 
+      error: null 
+    }),
+    single: vi.fn(),
+    maybeSingle: vi.fn(),
+  })),
+  rpc: vi.fn(),
+});
+
+// Test data matching the bug report scenario
+const testData = {
+  userId: '00000000-0000-0000-0000-000000000001' as UUID,
+  organisationId: '00000000-0000-0000-0000-000000000002' as UUID, // scouts-victoria
+  eventId: 'baloo-bistro-event-123',
+  appId: '00000000-0000-0000-0000-000000000003' as UUID, // BASE app
+  pageId: '00000000-0000-0000-0000-000000000004' as UUID, // configuration page
+  pageName: 'configuration'
+};
+
+describe('RBAC Role Isolation Tests', () => {
+  let engine: RBACEngine;
+  let mockSupabase: any;
+
+  beforeEach(() => {
+    mockSupabase = createMockSupabaseClient();
+    engine = new RBACEngine(mockSupabase as any);
+    rbacCache.clear();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    rbacCache.clear();
+  });
+
+  describe('Organisation Role vs Event-App Role Isolation', () => {
+    /**
+     * Bug Scenario:
+     * - User has organisation role: 'leader' (for scouts-victoria)
+     * - User has event-app role: 'planner' (for BASE app)
+     * - Page permissions: 'event_admin' has full CRUD, 'planner' has only 'read'
+     * - User should NOT get 'update' permission just because they are a 'leader'
+     */
+    it('should deny update permission when user has leader org role but planner event-app role', async () => {
+      // Mock: rbac_check_permission_simplified should return FALSE
+      // because 'planner' only has 'read' permission, not 'update'
+      // The 'leader' org role should NOT grant implicit page permissions
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      // CRITICAL: Permission must be denied
+      expect(result).toBe(false);
+
+      // Verify the RPC was called with correct parameters
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'rbac_check_permission_simplified',
+        expect.objectContaining({
+          p_user_id: testData.userId,
+          p_permission: 'update:page.configuration',
+          p_organisation_id: testData.organisationId,
+          p_event_id: testData.eventId,
+          p_app_id: testData.appId,
+          p_page_id: testData.pageId
+        })
+      );
+    });
+
+    it('should allow read permission when user has planner event-app role', async () => {
+      // Mock: rbac_check_permission_simplified should return TRUE
+      // because 'planner' has 'read' permission
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'read:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      expect(result).toBe(true);
+    });
+
+    it('should deny delete permission when user has planner event-app role', async () => {
+      // 'planner' should NOT have delete permission
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'delete:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      expect(result).toBe(false);
+    });
+
+    it('should deny create permission when user has planner event-app role', async () => {
+      // 'planner' should NOT have create permission
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'create:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('Event Admin Role Permissions', () => {
+    it('should allow full CRUD when user has event_admin role', async () => {
+      // event_admin should have all permissions
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const operations = ['read', 'create', 'update', 'delete'];
+
+      for (const operation of operations) {
+        const permissionCheck: PermissionCheck = {
+          userId: testData.userId,
+          scope,
+          permission: `${operation}:page.configuration` as Permission,
+          pageId: testData.pageId
+        };
+
+        const result = await engine.isPermitted(permissionCheck, securityContext);
+        expect(result).toBe(true);
+      }
+    });
+  });
+
+  describe('Super Admin Bypass', () => {
+    it('should allow all permissions for super_admin regardless of event-app role', async () => {
+      // Super admin bypasses all checks
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'delete:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('Org Admin Bypass', () => {
+    it('should allow org_admin to have all permissions within their organisation', async () => {
+      // org_admin has all permissions within their org (org-level bypass)
+      mockSupabase.rpc.mockResolvedValue({
+        data: true,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('Role Isolation Edge Cases', () => {
+    it('should not leak permissions from organisation role to event-app context', async () => {
+      // Even if user has a high-level org role (like 'leader'), they should NOT
+      // get event-app page permissions unless their event-app role grants it
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      // Test with page name instead of UUID (the bug could manifest differently)
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageName // Using page name
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      expect(result).toBe(false);
+    });
+
+    it('should deny permission when user has no event-app role at all', async () => {
+      // User with org membership but no event-app role should be denied
+      mockSupabase.rpc.mockResolvedValue({
+        data: false,
+        error: null
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      const permissionCheck: PermissionCheck = {
+        userId: testData.userId,
+        scope,
+        permission: 'read:page.configuration' as Permission,
+        pageId: testData.pageId
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle mixed permission checks correctly', async () => {
+      // Test scenario: user has 'planner' role which grants 'read' but not 'update'
+      // First call returns true (read), subsequent calls return false (update, create, delete)
+      const rpcResponses = [
+        { data: true, error: null },  // read: allowed
+        { data: false, error: null }, // update: denied
+        { data: false, error: null }, // create: denied
+        { data: false, error: null }  // delete: denied
+      ];
+
+      let callIndex = 0;
+      mockSupabase.rpc.mockImplementation(() => {
+        const response = rpcResponses[callIndex];
+        callIndex++;
+        return Promise.resolve(response);
+      });
+
+      const scope: Scope = {
+        organisationId: testData.organisationId,
+        eventId: testData.eventId,
+        appId: testData.appId
+      };
+
+      const securityContext = {
+        userId: testData.userId,
+        organisationId: testData.organisationId,
+        timestamp: new Date()
+      };
+
+      // Test read permission (should be allowed for planner)
+      const readResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'read:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(readResult).toBe(true);
+
+      // Test update permission (should be denied for planner)
+      const updateResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'update:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(updateResult).toBe(false);
+
+      // Test create permission (should be denied for planner)
+      const createResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'create:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(createResult).toBe(false);
+
+      // Test delete permission (should be denied for planner)
+      const deleteResult = await engine.isPermitted({
+        userId: testData.userId,
+        scope,
+        permission: 'delete:page.configuration' as Permission,
+        pageId: testData.pageId
+      }, securityContext);
+      expect(deleteResult).toBe(false);
+    });
+  });
+});
+

package/src/rbac/api.test.ts

@@ -45,6 +45,12 @@ vi.mock('./cache', () => ({
   }
 }));
 
+vi.mock('./request-deduplication', () => ({
+  getOrCreateRequest: vi.fn((input, checkFn) => checkFn(input)),
+  clearInFlightRequests: vi.fn(),
+  getInFlightRequestCount: vi.fn(() => 0),
+}));
+
 vi.mock('./config', () => ({
   createRBACConfig: vi.fn(),
   getRBACLogger: vi.fn(() => ({
@@ -120,7 +126,14 @@ describe('RBAC API', () => {
       process.env.NODE_ENV = originalEnv;
 
       expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase, undefined);
-      expect(mockCreateAuditManager).toHaveBeenCalledWith(mockSupabase);
+      expect(mockCreateAuditManager).toHaveBeenCalledWith(
+        mockSupabase, 
+        true, 
+        expect.objectContaining({
+          batchSize: undefined,
+          batchWindow: undefined,
+        })
+      );
       expect(mockSetGlobalAuditManager).toHaveBeenCalledWith(mockAuditManager);
       expect(mockLogger.info).toHaveBeenCalledWith('RBAC system initialized successfully');
     });
@@ -659,7 +672,7 @@ describe('RBAC API', () => {
         });
 
         expect(result).toBe(true);
-        expect(rbacCache.get).toHaveBeenCalledWith(cacheKey);
+        expect(rbacCache.get).toHaveBeenCalledWith(cacheKey, true);
         expect(mockEngine.isPermitted).not.toHaveBeenCalled();
       });
 
@@ -689,10 +702,12 @@ describe('RBAC API', () => {
             organisationId: 'org-456'
           })
         );
-        expect(rbacCache.set).toHaveBeenCalledWith(
-          expect.any(String),
-          true
-        );
+        // Check that cache.set was called - pageId presence makes it a page-level check
+        expect(rbacCache.set).toHaveBeenCalled();
+        const setCall = rbacCache.set.mock.calls[0];
+        expect(setCall[0]).toBeTruthy(); // cache key
+        expect(setCall[1]).toBe(true); // result
+        // setCall[2] is TTL (optional), setCall[3] is useSessionCache (true for page-level)
       });
     });
 

package/src/rbac/api.ts

@@ -27,6 +27,8 @@ import { rbacCache, RBACCache, CACHE_PATTERNS } from './cache';
 import { createRBACConfig, RBACConfig, getRBACLogger } from './config';
 import { SecurityContext } from './security';
 import { createLogger } from '../utils/core/logger';
+import { enablePerformanceMonitoring } from './performance';
+import { getOrCreateRequest } from './request-deduplication';
 
 const log = createLogger('RBACAPI');
 
@@ -72,10 +74,20 @@ export function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<R
   // Pass security config to engine
   globalEngine = createRBACEngine(supabase, securityConfig);
   
-  // Setup audit manager
-  const auditManager = createAuditManager(supabase);
+  // Setup audit manager with batching configuration
+  const useBatchedAudit = config?.audit?.batched !== false && (config?.performance?.enableBatchedAuditLogging !== false);
+  const batchConfig = useBatchedAudit ? {
+    batchWindow: config?.audit?.batchWindow,
+    batchSize: config?.audit?.batchSize,
+  } : undefined;
+  const auditManager = createAuditManager(supabase, useBatchedAudit, batchConfig);
   setGlobalAuditManager(auditManager);
   
+  // Setup performance monitoring if enabled
+  if (config?.performance?.enablePerformanceTracking) {
+    enablePerformanceMonitoring();
+  }
+  
   logger.info('RBAC system initialized successfully');
 }
 
@@ -195,13 +207,16 @@ export async function isPermitted(input: PermissionCheck): Promise<boolean> {
 /**
  * Check if user has a specific permission (cached version)
  * 
+ * Uses request deduplication to share in-flight requests across components
+ * and checks cache before making new requests. Uses session cache for page-level checks.
+ * 
  * @param input - Permission check input
  * @returns Promise resolving to permission result
  */
 export async function isPermittedCached(input: PermissionCheck): Promise<boolean> {
   const { userId, scope, permission, pageId } = input;
   
-  // Check cache first
+  // Check cache first (checks both short-term and session cache)
   const cacheKey = RBACCache.generatePermissionKey({
     userId,
     organisationId: scope.organisationId!,
@@ -211,18 +226,24 @@ export async function isPermittedCached(input: PermissionCheck): Promise<boolean
     pageId,
   });
   
-  const cached = rbacCache.get<boolean>(cacheKey);
+  const cached = rbacCache.get<boolean>(cacheKey, true);
   if (cached !== null) {
     return cached;
   }
 
-  // Check permission
-  const result = await isPermitted(input);
-  
-  // Cache result
-  rbacCache.set(cacheKey, result);
-  
-  return result;
+  // Use request deduplication - if same request is in-flight, share the promise
+  return getOrCreateRequest(input, async (checkInput) => {
+    // Check permission
+    const result = await isPermitted(checkInput);
+    
+    // Determine if this is a page-level check (has pageId or permission contains 'page.')
+    const isPageLevelCheck = !!pageId || permission.includes('page.');
+    
+    // Cache result - use session cache for page-level checks
+    rbacCache.set(cacheKey, result, undefined, isPageLevelCheck);
+    
+    return result;
+  });
 }
 
 /**