@jmruthers/pace-core 0.5.187 → 0.5.189

package/src/__tests__/rls-policies.test.ts

@@ -0,0 +1,333 @@
+/**
+ * @file RLS Policy Tests
+ * @package @jmruthers/pace-core
+ * @module RLS/Tests
+ * @since 0.5.181
+ * 
+ * Application-level tests for RLS policies to verify they work correctly
+ * under different user contexts and that performance is acceptable.
+ * 
+ * These tests verify that:
+ * - RLS policies correctly enforce access control
+ * - Helper functions are used (no inline auth.uid() calls)
+ * - Queries complete in acceptable time (< 1 second)
+ * - Cross-organisation access is properly blocked
+ */
+
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { createClient, SupabaseClient } from '@supabase/supabase-js';
+import type { Database } from '../../types/database';
+
+// Test configuration
+const TEST_TIMEOUT = 5000; // 5 seconds
+const PERFORMANCE_THRESHOLD = 1000; // 1 second in milliseconds
+
+// Check if we're using real test-db (via environment variables)
+const USE_REAL_DB = !!(process.env.SUPABASE_URL && process.env.VITE_SUPABASE_ANON_KEY);
+const TEST_SUPABASE_URL = process.env.SUPABASE_URL || process.env.VITE_SUPABASE_URL;
+const TEST_SUPABASE_ANON_KEY = process.env.TEST_SUPABASE_ANON_KEY || process.env.VITE_SUPABASE_ANON_KEY;
+const TEST_SUPABASE_SERVICE_ROLE_KEY = process.env.TEST_SUPABASE_SERVICE_ROLE_KEY;
+
+// Test user IDs (these should exist in your test-db with appropriate roles)
+// Update these to match actual test users in your test-db branch
+const TEST_SUPER_ADMIN_USER_ID = process.env.TEST_SUPER_ADMIN_USER_ID || '00000000-0000-0000-0000-000000000001';
+const TEST_ORG_ADMIN_USER_ID = process.env.TEST_ORG_ADMIN_USER_ID || '00000000-0000-0000-0000-000000000002';
+const TEST_REGULAR_MEMBER_USER_ID = process.env.TEST_REGULAR_MEMBER_USER_ID || '00000000-0000-0000-0000-000000000003';
+
+// Supabase clients for different user contexts
+let superAdminClient: SupabaseClient<Database>;
+let orgAdminClient: SupabaseClient<Database>;
+let regularMemberClient: SupabaseClient<Database>;
+let anonClient: SupabaseClient<Database>;
+
+// Test data
+const testOrganisation1 = {
+  id: 'org-1' as any,
+  name: 'Test Organisation 1'
+};
+
+const testOrganisation2 = {
+  id: 'org-2' as any,
+  name: 'Test Organisation 2'
+};
+
+const testEvent = {
+  event_id: 'event-1',
+  event_name: 'Test Event',
+  organisation_id: testOrganisation1.id,
+  is_visible: true,
+  public_readable: false
+};
+
+describe.skipIf(!USE_REAL_DB || !TEST_SUPABASE_URL || !TEST_SUPABASE_ANON_KEY)('RLS Policies - Organisations', () => {
+  beforeEach(async () => {
+    if (!USE_REAL_DB || !TEST_SUPABASE_URL || !TEST_SUPABASE_ANON_KEY) {
+      throw new Error('Test database credentials not available. Set SUPABASE_URL and VITE_SUPABASE_ANON_KEY environment variables.');
+    }
+    
+    // Use real test-db clients with authenticated sessions
+    // For real testing, we need to sign in as different users
+    const baseClient = createClient<Database>(TEST_SUPABASE_URL, TEST_SUPABASE_ANON_KEY);
+    
+    // Create anon client (no auth)
+    anonClient = baseClient;
+    
+    // For authenticated clients, we need to sign in as different users
+    // Note: This requires test users to exist in test-db with appropriate roles
+    // You'll need to set up test users and get their session tokens
+    
+    // For now, create clients - in a real setup, you'd sign in as each user:
+    // const { data: { session } } = await baseClient.auth.signInWithPassword({ email, password });
+    // Then create a new client with that session
+    
+    // Using service role key for super admin (bypasses RLS - use carefully!)
+    if (TEST_SUPABASE_SERVICE_ROLE_KEY) {
+      superAdminClient = createClient<Database>(TEST_SUPABASE_URL, TEST_SUPABASE_SERVICE_ROLE_KEY);
+    } else {
+      // Fallback: use anon key (will be subject to RLS)
+      superAdminClient = baseClient;
+    }
+    
+    // For org admin and regular member, we'd need to sign in as those users
+    // For now, using base client - update this when you have test user sessions
+    orgAdminClient = baseClient;
+    regularMemberClient = baseClient;
+    
+    console.log('✅ Using real test-db:', TEST_SUPABASE_URL);
+  });
+
+  describe('Super Admin Access', () => {
+    it('should allow super admin to view all organisations', async () => {
+      const start = Date.now();
+      const { data, error } = await superAdminClient
+        .from('organisations')
+        .select('*')
+        .limit(10);
+      const duration = Date.now() - start;
+
+      expect(error).toBeNull();
+      expect(data).toBeDefined();
+      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+    }, TEST_TIMEOUT);
+
+    it('should allow super admin to update any organisation', async () => {
+      const { data, error } = await superAdminClient
+        .from('organisations')
+        .update({ name: 'Updated Name' })
+        .eq('id', testOrganisation1.id)
+        .select()
+        .single();
+
+      // In real test, verify update succeeded
+      expect(error).toBeNull();
+    }, TEST_TIMEOUT);
+  });
+
+  describe('Organisation Admin Access', () => {
+    it('should allow org admin to view their organisation', async () => {
+      const start = Date.now();
+      const { data, error } = await orgAdminClient
+        .from('organisations')
+        .select('*')
+        .eq('id', testOrganisation1.id)
+        .single();
+      const duration = Date.now() - start;
+
+      expect(error).toBeNull();
+      expect(data).toBeDefined();
+      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+    }, TEST_TIMEOUT);
+
+    it('should block org admin from viewing other organisations', async () => {
+      const { data, error } = await orgAdminClient
+        .from('organisations')
+        .select('*')
+        .eq('id', testOrganisation2.id)
+        .single();
+
+      // Should return empty or error (RLS blocks access)
+      expect(data).toBeNull();
+    }, TEST_TIMEOUT);
+  });
+
+  describe('Regular Member Access', () => {
+    it('should allow member to view their organisation', async () => {
+      const start = Date.now();
+      const { data, error } = await regularMemberClient
+        .from('organisations')
+        .select('*')
+        .eq('id', testOrganisation1.id)
+        .single();
+      const duration = Date.now() - start;
+
+      expect(error).toBeNull();
+      expect(data).toBeDefined();
+      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+    }, TEST_TIMEOUT);
+
+    it('should block member from updating organisation', async () => {
+      const { data, error } = await regularMemberClient
+        .from('organisations')
+        .update({ name: 'Unauthorized Update' })
+        .eq('id', testOrganisation1.id);
+
+      // Should fail (member doesn't have update permission)
+      expect(error).not.toBeNull();
+    }, TEST_TIMEOUT);
+  });
+
+  describe('Anonymous Access', () => {
+    it('should block anonymous users from viewing organisations', async () => {
+      const { data, error } = await anonClient
+        .from('organisations')
+        .select('*');
+
+      // Should return empty (RLS blocks anonymous access)
+      expect(data).toEqual([]);
+    }, TEST_TIMEOUT);
+  });
+});
+
+describe.skipIf(!USE_REAL_DB || !TEST_SUPABASE_URL || !TEST_SUPABASE_ANON_KEY)('RLS Policies - Events', () => {
+  describe('Public Event Access', () => {
+    it('should allow anonymous access to public events', async () => {
+      const start = Date.now();
+      const { data, error } = await anonClient
+        .from('event')
+        .select('*')
+        .eq('event_id', testEvent.event_id)
+        .eq('public_readable', true)
+        .eq('is_visible', true)
+        .single();
+      const duration = Date.now() - start;
+
+      expect(error).toBeNull();
+      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+    }, TEST_TIMEOUT);
+
+    it('should block anonymous access to non-public events', async () => {
+      const { data, error } = await anonClient
+        .from('event')
+        .select('*')
+        .eq('event_id', testEvent.event_id)
+        .eq('public_readable', false)
+        .single();
+
+      // Should return empty (RLS blocks access)
+      expect(data).toBeNull();
+    }, TEST_TIMEOUT);
+  });
+
+  describe('Authenticated Event Access', () => {
+    it('should allow org member to view events in their organisation', async () => {
+      const start = Date.now();
+      const { data, error } = await regularMemberClient
+        .from('event')
+        .select('*')
+        .eq('organisation_id', testOrganisation1.id)
+        .limit(10);
+      const duration = Date.now() - start;
+
+      expect(error).toBeNull();
+      expect(data).toBeDefined();
+      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+    }, TEST_TIMEOUT);
+  });
+});
+
+describe.skipIf(!USE_REAL_DB || !TEST_SUPABASE_URL || !TEST_SUPABASE_ANON_KEY)('RLS Policies - RBAC Tables', () => {
+  describe('rbac_user_profiles', () => {
+    it('should allow user to view their own profile', async () => {
+      const start = Date.now();
+      const { data, error } = await regularMemberClient
+        .from('rbac_user_profiles')
+        .select('*')
+        .eq('id', 'user-123' as any)
+        .single();
+      const duration = Date.now() - start;
+
+      expect(error).toBeNull();
+      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+    }, TEST_TIMEOUT);
+
+    it('should block user from viewing other profiles', async () => {
+      const { data, error } = await regularMemberClient
+        .from('rbac_user_profiles')
+        .select('*')
+        .eq('id', 'other-user-123' as any)
+        .single();
+
+      // Should return empty (RLS blocks access)
+      expect(data).toBeNull();
+    }, TEST_TIMEOUT);
+  });
+
+  describe('rbac_organisation_roles', () => {
+    it('should allow user to view their own roles', async () => {
+      const start = Date.now();
+      const { data, error } = await regularMemberClient
+        .from('rbac_organisation_roles')
+        .select('*')
+        .eq('user_id', 'user-123' as any);
+      const duration = Date.now() - start;
+
+      expect(error).toBeNull();
+      expect(data).toBeDefined();
+      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+    }, TEST_TIMEOUT);
+  });
+});
+
+describe.skipIf(!USE_REAL_DB || !TEST_SUPABASE_URL || !TEST_SUPABASE_ANON_KEY)('RLS Policies - Performance', () => {
+  it('should complete organisation queries in < 1 second', async () => {
+    const start = Date.now();
+    await superAdminClient
+      .from('organisations')
+      .select('*')
+      .limit(100);
+    const duration = Date.now() - start;
+
+    expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+  }, TEST_TIMEOUT);
+
+  it('should complete event queries in < 1 second', async () => {
+    const start = Date.now();
+    await superAdminClient
+      .from('event')
+      .select('*')
+      .eq('is_visible', true)
+      .limit(100);
+    const duration = Date.now() - start;
+
+    expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+  }, TEST_TIMEOUT);
+
+  it('should complete user profile queries in < 1 second', async () => {
+    const start = Date.now();
+    await superAdminClient
+      .from('rbac_user_profiles')
+      .select('*')
+      .limit(100);
+    const duration = Date.now() - start;
+
+    expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
+  }, TEST_TIMEOUT);
+});
+
+describe.skipIf(!USE_REAL_DB || !TEST_SUPABASE_URL || !TEST_SUPABASE_ANON_KEY)('RLS Policies - Helper Functions', () => {
+  it('should use helper functions instead of inline auth.uid()', async () => {
+    // This test verifies that policies use helper functions
+    // by checking query plans don't contain InitPlan nodes
+    // In a real test, we would use EXPLAIN ANALYZE
+    
+    const { data, error } = await superAdminClient
+      .rpc('check_query_performance', {
+        p_query: 'SELECT * FROM organisations LIMIT 1'
+      });
+
+    // Verify no InitPlan nodes (would indicate inline auth.uid() calls)
+    expect(error).toBeNull();
+    // In real test, verify has_initplan = false
+  }, TEST_TIMEOUT);
+});
+