@jmruthers/pace-core 0.5.188 → 0.5.190

package/src/hooks/useFileDisplay.ts

@@ -135,7 +135,7 @@ export function useFileDisplay(
   const [error, setError] = useState<Error | null>(null);
 
   const fetchFiles = useCallback(async (): Promise<void> => {
-    if (!table_name || !record_id || !organisation_id || !supabase) {
+    if (!table_name || !record_id || !supabase) {
       setFileUrl(null);
       setFileReference(null);
       setFileReferences([]);
@@ -145,14 +145,17 @@ export function useFileDisplay(
       return;
     }
 
-    // Validate UUID format for organisationId to prevent database errors
-    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    if (!uuidRegex.test(organisation_id)) {
-      logger.warn('useFileDisplay', 'Invalid organisationId format (not a valid UUID):', organisation_id);
+    // Validate UUID format for organisationId to prevent database errors (only if provided)
+    if (organisation_id) {
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!uuidRegex.test(organisation_id)) {
+        logger.warn('useFileDisplay', 'Invalid organisationId format (not a valid UUID):', organisation_id);
+      }
     }
 
     // Check cache first
-    const cacheKey = `file_${table_name}_${record_id}_${organisation_id}_${category || 'all'}`;
+    // When organisation_id is undefined, use 'undefined' in cache key to distinguish from explicit null
+    const cacheKey = `file_${table_name}_${record_id}_${organisation_id === undefined ? 'undefined' : (organisation_id ?? 'null')}_${category || 'all'}`;
     if (enableCache) {
       const cached = authenticatedFileCache.get(cacheKey);
       if (cached && Date.now() - cached.timestamp < cached.ttl) {
@@ -166,6 +169,7 @@ export function useFileDisplay(
             const signedUrlResult = await getSignedUrl(supabase, cachedData.fileReference.file_path, {
               appName: 'pace-core',
               orgId: organisation_id,
+              userId: organisation_id ? undefined : record_id,
               expiresIn: 3600
             });
             const regeneratedUrl = signedUrlResult?.url || null;
@@ -202,29 +206,284 @@ export function useFileDisplay(
       const service = createFileReferenceService(supabase);
       let files: FileReference[] = [];
 
-      // CRITICAL: When category is provided, MUST use RPC function, not direct queries
-      // Category is stored in file_metadata JSONB field, not a direct column
-      if (category) {
-        // Single file mode - get files by category using RPC
-        logger.debug('useFileDisplay', 'Using RPC function for category filtering:', {
-          table_name,
-          record_id,
-          category,
-          organisation_id
+      // When organisation_id is undefined (not provided), search both user-scoped (null) and organisation-scoped files
+      // This allows FileDisplay to work without requiring the organisation_id prop
+      // Note: Explicitly passing null or empty string should only search user-scoped files
+      const shouldSearchBothScopes = organisation_id === undefined;
+      
+      if (shouldSearchBothScopes) {
+        // First, try user-scoped files (organisation_id = null)
+        let userScopedFiles: FileReference[] = [];
+        let orgScopedFiles: FileReference[] = [];
+
+        try {
+          if (category) {
+            userScopedFiles = await service.getFilesByCategory(
+              table_name,
+              record_id,
+              category,
+              undefined // Explicitly pass undefined for user-scoped files (service converts to null for RPC)
+            );
+          } else {
+            userScopedFiles = await service.listFileReferences(
+              table_name,
+              record_id,
+              undefined // Explicitly pass undefined for user-scoped files (service converts to null for RPC)
+            );
+          }
+        } catch (err) {
+          logger.warn('useFileDisplay', 'Error querying user-scoped files:', err);
+          userScopedFiles = [];
+        }
+
+        // For organisation-scoped files, we need to query the user's organisations
+        // Get user's organisations from the authenticated session
+        try {
+          const { data: { user }, error: userError } = await supabase.auth.getUser();
+          if (userError) {
+            logger.warn('useFileDisplay', 'Error getting user:', userError);
+          }
+          
+          if (user) {
+            // Query user's active organisation memberships
+            const { data: memberships, error: membershipError } = await supabase
+              .from('organisation_memberships')
+              .select('organisation_id')
+              .eq('user_id', user.id)
+              .or('status.is.null,status.eq.active');
+
+            if (membershipError) {
+              logger.warn('useFileDisplay', 'Error querying organisation memberships:', membershipError);
+            }
+
+            if (memberships && memberships.length > 0) {
+              // Try each organisation the user belongs to
+              const orgIds = memberships.map(m => m.organisation_id).filter(Boolean) as string[];
+              
+              // Query each organisation in parallel
+              const orgQueries = orgIds.map(async (orgId) => {
+                try {
+                  if (category) {
+                    return await service.getFilesByCategory(
+                      table_name,
+                      record_id,
+                      category,
+                      orgId
+                    );
+                  } else {
+                    return await service.listFileReferences(
+                      table_name,
+                      record_id,
+                      orgId
+                    );
+                  }
+                } catch (err) {
+                  // Silently fail for individual org queries - user might not have access
+                  return [];
+                }
+              });
+
+              const orgResults = await Promise.all(orgQueries);
+              orgScopedFiles = orgResults.flat();
+            } else {
+              // When user has no organisation memberships, try querying files with any organisation_id
+              // as a fallback - the file might be organisation-scoped but accessible via RLS
+              // This handles edge cases where RLS allows access but we can't enumerate organisations
+              try {
+                // Try querying without organisation_id filter - let RLS handle security
+                let fallbackQuery = supabase
+                  .from('file_references')
+                  .select('id, table_name, record_id, file_path, file_metadata, organisation_id, app_id, is_public, created_at, updated_at')
+                  .eq('table_name', table_name)
+                  .eq('record_id', record_id)
+                  .order('created_at', { ascending: false });
+
+                if (category) {
+                  fallbackQuery = fallbackQuery.eq('file_metadata->>category', category);
+                }
+
+                const { data: fallbackFiles } = await fallbackQuery;
+                
+                if (fallbackFiles && fallbackFiles.length > 0) {
+                  // Convert to FileReference format
+                  orgScopedFiles = fallbackFiles.map((f: any) => ({
+                    id: f.id,
+                    table_name: f.table_name,
+                    record_id: f.record_id,
+                    file_path: f.file_path,
+                    file_metadata: f.file_metadata || {},
+                    organisation_id: f.organisation_id,
+                    app_id: f.app_id,
+                    is_public: f.is_public ?? false,
+                    created_at: f.created_at,
+                    updated_at: f.updated_at
+                  })) as FileReference[];
+                }
+              } catch (err) {
+                // Silently fail - RLS may block or other error
+              }
+            }
+          }
+        } catch (err) {
+          logger.warn('useFileDisplay', 'Error querying organisation-scoped files:', err);
+          orgScopedFiles = [];
+        }
+
+        // Merge results: prefer organisation-scoped files if both exist, otherwise use user-scoped
+        // Sort by created_at DESC to get most recent first
+        const allFiles = [...userScopedFiles, ...orgScopedFiles];
+        allFiles.sort((a, b) => {
+          const aTime = new Date(a.created_at).getTime();
+          const bTime = new Date(b.created_at).getTime();
+          return bTime - aTime;
         });
-        files = await service.getFilesByCategory(
-          table_name,
-          record_id,
-          category,
-          organisation_id
-        );
+
+        // If we have both types, prefer organisation-scoped (non-null organisation_id)
+        // Otherwise, use whatever we found
+        if (orgScopedFiles.length > 0 && userScopedFiles.length > 0) {
+          // Prefer organisation-scoped files - filter to only those with organisation_id
+          files = allFiles.filter(f => f.organisation_id !== null);
+        } else {
+          // Use all files found (either user-scoped or org-scoped, but not both)
+          files = allFiles;
+        }
+
+        // If no files found through RPC, try a direct query as fallback
+        // This handles cases where RLS policy allows access but RPC security check is too strict
+        // (e.g., pace_person files where user owns the person record but record_id != user_id)
+        if (files.length === 0) {
+          try {
+            let directQuery = supabase
+              .from('file_references')
+              .select('id, table_name, record_id, file_path, file_metadata, organisation_id, app_id, is_public, created_at, updated_at')
+              .eq('table_name', table_name)
+              .eq('record_id', record_id)
+              .order('created_at', { ascending: false });
+
+            // If category is provided, filter by category in metadata
+            if (category) {
+              directQuery = directQuery.eq('file_metadata->>category', category);
+            }
+
+            const { data: directFiles } = await directQuery;
+
+            if (directFiles && directFiles.length > 0) {
+              // Convert to FileReference format
+              files = directFiles.map((f: any) => ({
+                id: f.id,
+                table_name: f.table_name,
+                record_id: f.record_id,
+                file_path: f.file_path,
+                file_metadata: f.file_metadata || {},
+                organisation_id: f.organisation_id,
+                app_id: f.app_id,
+                is_public: f.is_public ?? false,
+                created_at: f.created_at,
+                updated_at: f.updated_at
+              })) as FileReference[];
+            }
+          } catch (err) {
+            // Silently fail - RLS may block or other error
+          }
+        }
       } else {
-        // Multiple files mode - get all files using RPC
-        files = await service.listFileReferences(
-          table_name,
-          record_id,
-          organisation_id
-        );
+        // organisation_id is provided (or explicitly null) - use normal query
+        // CRITICAL: When category is provided, MUST use RPC function, not direct queries
+        // Category is stored in file_metadata JSONB field, not a direct column
+        if (category) {
+          // Single file mode - get files by category using RPC
+          logger.debug('useFileDisplay', 'Using RPC function for category filtering:', {
+            table_name,
+            record_id,
+            category,
+            organisation_id
+          });
+          files = await service.getFilesByCategory(
+            table_name,
+            record_id,
+            category,
+            organisation_id
+          );
+        } else {
+          // Multiple files mode - get all files using RPC
+          files = await service.listFileReferences(
+            table_name,
+            record_id,
+            organisation_id
+          );
+        }
+
+        // Fallback: If no files found and organisation_id is falsy (undefined, null, empty string),
+        // try searching both scopes as a fallback
+        // This handles cases where the prop might be passed as empty string or the check above didn't catch it
+        if (files.length === 0 && (!organisation_id || organisation_id === '')) {
+          // Try the dual-scope search logic
+          let userScopedFiles: FileReference[] = [];
+          let orgScopedFiles: FileReference[] = [];
+
+          try {
+            if (category) {
+              userScopedFiles = await service.getFilesByCategory(
+                table_name,
+                record_id,
+                category,
+                undefined
+              );
+            } else {
+              userScopedFiles = await service.listFileReferences(
+                table_name,
+                record_id,
+                undefined
+              );
+            }
+          } catch (err) {
+            // Silently fail
+          }
+
+          try {
+            const { data: { user } } = await supabase.auth.getUser();
+            if (user) {
+              const { data: memberships } = await supabase
+                .from('organisation_memberships')
+                .select('organisation_id')
+                .eq('user_id', user.id)
+                .or('status.is.null,status.eq.active');
+
+              if (memberships && memberships.length > 0) {
+                const orgIds = memberships.map(m => m.organisation_id).filter(Boolean) as string[];
+                const orgQueries = orgIds.map(async (orgId) => {
+                  try {
+                    if (category) {
+                      return await service.getFilesByCategory(table_name, record_id, category, orgId);
+                    } else {
+                      return await service.listFileReferences(table_name, record_id, orgId);
+                    }
+                  } catch (err) {
+                    return [];
+                  }
+                });
+                const orgResults = await Promise.all(orgQueries);
+                orgScopedFiles = orgResults.flat();
+              }
+            }
+          } catch (err) {
+            // Silently fail
+          }
+
+          // Merge results
+          const allFiles = [...userScopedFiles, ...orgScopedFiles];
+          allFiles.sort((a, b) => {
+            const aTime = new Date(a.created_at).getTime();
+            const bTime = new Date(b.created_at).getTime();
+            return bTime - aTime;
+          });
+
+          if (orgScopedFiles.length > 0 && userScopedFiles.length > 0) {
+            files = allFiles.filter(f => f.organisation_id !== null);
+          } else {
+            files = allFiles;
+          }
+        }
       }
 
       if (files.length === 0) {
@@ -271,6 +530,7 @@ export function useFileDisplay(
           const signedUrlResult = await getSignedUrl(supabase, firstFile.file_path, {
             appName: 'pace-core',
             orgId: organisation_id,
+            userId: organisation_id ? undefined : record_id,
             expiresIn: 3600
           });
           url = signedUrlResult?.url || null;
@@ -283,6 +543,7 @@ export function useFileDisplay(
         const urlMap = await generateFileUrlsBatch(supabase, files, {
               appName: 'pace-core',
               orgId: organisation_id,
+              userId: organisation_id ? undefined : record_id,
               expiresIn: 3600
             });
         setFileUrls(urlMap);
@@ -344,7 +605,7 @@ export function useFileDisplay(
 
   // Fetch files when parameters change
   useEffect(() => {
-    if (table_name && record_id && organisation_id && supabase) {
+    if (table_name && record_id && supabase) {
       fetchFiles();
     } else {
       setFileUrl(null);
@@ -355,14 +616,16 @@ export function useFileDisplay(
       setIsLoading(false);
       setError(null);
     }
-  }, [fetchFiles, table_name, record_id, organisation_id, supabase]);
+    // fetchFiles is memoized; we only need to re-run when parameters change
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [table_name, record_id, organisation_id, supabase]);
 
   const refetch = useCallback(async (): Promise<void> => {
-    if (!table_name || !record_id || !organisation_id || !supabase) return;
+    if (!table_name || !record_id || !supabase) return;
     
     // Clear cache for this file
     if (enableCache) {
-      const cacheKey = `file_${table_name}_${record_id}_${organisation_id}_${category || 'all'}`;
+      const cacheKey = `file_${table_name}_${record_id}_${organisation_id === undefined ? 'undefined' : (organisation_id ?? 'null')}_${category || 'all'}`;
       authenticatedFileCache.delete(cacheKey);
     }
     await fetchFiles();
@@ -415,14 +678,14 @@ export function getFileDisplayCacheStats(): { size: number; keys: string[] } {
 export function invalidateFileDisplayCache(
   table_name: string,
   record_id: string,
-  organisation_id: string,
+  organisation_id: string | null | undefined,
   category?: FileCategory
 ): void {
-  const cacheKey = `file_${table_name}_${record_id}_${organisation_id}_${category || 'all'}`;
+  const cacheKey = `file_${table_name}_${record_id}_${organisation_id === undefined ? 'undefined' : (organisation_id ?? 'null')}_${category || 'all'}`;
   authenticatedFileCache.delete(cacheKey);
   // Also invalidate 'all' category if specific category invalidated
   if (category) {
-    const allCategoryKey = `file_${table_name}_${record_id}_${organisation_id}_all`;
+    const allCategoryKey = `file_${table_name}_${record_id}_${organisation_id === undefined ? 'undefined' : (organisation_id ?? 'null')}_all`;
     authenticatedFileCache.delete(allCategoryKey);
   }
 }

package/src/hooks/useFileReference.ts

@@ -16,6 +16,49 @@ import { createLogger } from '../utils/core/logger';
 
 const log = createLogger('useFileReference');
 
+type UrlRefreshCallback = () => void;
+
+/**
+ * Shared interval manager to avoid spawning multiple intervals for the same file reference
+ */
+const urlRefreshManager = {
+  subscriptions: new Map<string, { callbacks: Set<UrlRefreshCallback>; intervalId: NodeJS.Timeout | null }>(),
+
+  subscribe(key: string, callback: UrlRefreshCallback) {
+    let entry = this.subscriptions.get(key);
+    if (!entry) {
+      entry = { callbacks: new Set(), intervalId: null };
+      this.subscriptions.set(key, entry);
+    }
+
+    entry.callbacks.add(callback);
+
+    if (!entry.intervalId) {
+      entry.intervalId = setInterval(() => {
+        entry?.callbacks.forEach((cb) => cb());
+      }, 55 * 60 * 1000);
+    }
+
+    return () => {
+      this.unsubscribe(key, callback);
+    };
+  },
+
+  unsubscribe(key: string, callback: UrlRefreshCallback) {
+    const entry = this.subscriptions.get(key);
+    if (!entry) return;
+
+    entry.callbacks.delete(callback);
+
+    if (entry.callbacks.size === 0) {
+      if (entry.intervalId) {
+        clearInterval(entry.intervalId);
+      }
+      this.subscriptions.delete(key);
+    }
+  }
+};
+
 export function useFileReference(supabase: SupabaseClient) {
   const [isLoading, setIsLoading] = useState(false);
   const [error, setError] = useState<string | null>(null);
@@ -221,7 +264,7 @@ export function useFileReferenceForRecord(
   const [fileReference, setFileReference] = useState<FileReference | null>(null);
   const [fileReferences, setFileReferences] = useState<FileReference[]>([]);
   const [fileCount, setFileCount] = useState<number>(0);
-  const urlRefreshIntervalRef = useRef<NodeJS.Timeout | null>(null);
+  const refreshSubscriptionRef = useRef<(() => void) | null>(null);
 
   const loadFileReference = useCallback(async () => {
     const reference = await getFileReference(table_name, record_id, organisation_id);
@@ -259,27 +302,29 @@ export function useFileReferenceForRecord(
 
   // Auto-refresh signed URLs before expiration (refresh 5 minutes before 1 hour expiry)
   useEffect(() => {
+    if (refreshSubscriptionRef.current) {
+      refreshSubscriptionRef.current();
+      refreshSubscriptionRef.current = null;
+    }
+
     if (!fileReference || fileReference.is_public) {
       // Only refresh private files (signed URLs expire)
-      if (urlRefreshIntervalRef.current) {
-        clearInterval(urlRefreshIntervalRef.current);
-        urlRefreshIntervalRef.current = null;
-      }
       return;
     }
 
     // Refresh signed URL 5 minutes before expiration (55 minutes into the 1-hour expiry)
-    urlRefreshIntervalRef.current = setInterval(() => {
+    const key = `${fileReference.table_name}:${fileReference.record_id}:${organisation_id}`;
+    refreshSubscriptionRef.current = urlRefreshManager.subscribe(key, () => {
       loadFileUrl();
-    }, 55 * 60 * 1000); // 55 minutes
+    });
 
     return () => {
-      if (urlRefreshIntervalRef.current) {
-        clearInterval(urlRefreshIntervalRef.current);
-        urlRefreshIntervalRef.current = null;
+      if (refreshSubscriptionRef.current) {
+        refreshSubscriptionRef.current();
+        refreshSubscriptionRef.current = null;
       }
     };
-  }, [fileReference, loadFileUrl]);
+  }, [fileReference, loadFileUrl, organisation_id]);
 
   return {
     isLoading,

package/src/hooks/useFileUrl.ts

@@ -17,7 +17,7 @@ const log = createLogger('useFileUrl');
 
 export interface UseFileUrlOptions {
   /** Organisation ID for signed URL generation */
-  organisation_id: string;
+  organisation_id: string | undefined;
   /** Supabase client instance */
   supabase: SupabaseClient;
   /** Whether to auto-load URLs on mount */

package/src/hooks/useInactivityTracker.ts

@@ -156,6 +156,15 @@ export function useInactivityTracker({
   const lastActivityRef = useRef<number>(Date.now());
   const channelRef = useRef<BroadcastChannel | null>(null);
   const throttledResetActivityRef = useRef<((event: Event) => void) | null>(null);
+  const onIdleRef = useRef(onIdle);
+  const onWarningRef = useRef(onWarning);
+  const onActivityRef = useRef(onActivity);
+
+  useEffect(() => {
+    onIdleRef.current = onIdle;
+    onWarningRef.current = onWarning;
+    onActivityRef.current = onActivity;
+  }, [onIdle, onWarning, onActivity]);
 
   // Clear all timers
   const clearTimers = useCallback(() => {
@@ -190,7 +199,7 @@ export function useInactivityTracker({
 
     // Notify activity callback (unless skipped for initial setup)
     if (!skipActivityCallback) {
-      onActivity?.();
+      onActivityRef.current?.();
     }
 
     // Set up warning timer
@@ -198,14 +207,14 @@ export function useInactivityTracker({
     if (warningTime > 0) {
       warningTimeoutRef.current = setTimeout(() => {
         setShowWarning(true);
-        onWarning?.();
+        onWarningRef.current?.();
       }, warningTime);
     }
 
     // Set up idle timeout
     timeoutRef.current = setTimeout(() => {
       setIsIdle(true);
-      onIdle?.();
+      onIdleRef.current?.();
     }, idleTimeoutMs);
 
     // Start countdown interval for time remaining
@@ -234,7 +243,7 @@ export function useInactivityTracker({
     } catch (error) {
       logger.warn('useInactivityTracker', 'Failed to broadcast activity:', error);
     }
-  }, [enabled, idleTimeoutMs, warnBeforeMs, onIdle, onWarning, onActivity, storageKey, clearTimers]);
+  }, [enabled, idleTimeoutMs, warnBeforeMs, storageKey, clearTimers]);
 
   // Start tracking
   const startTracking = useCallback(() => {
@@ -281,12 +290,12 @@ export function useInactivityTracker({
           
           if (remaining <= warnBeforeMs) {
             setShowWarning(true);
-            onWarning?.();
+            onWarningRef.current?.();
           }
           
           if (remaining <= 0) {
             setIsIdle(true);
-            onIdle?.();
+            onIdleRef.current?.();
             return;
           }
         }
@@ -330,7 +339,7 @@ export function useInactivityTracker({
         channelRef.current = null;
       }
     };
-  }, [enabled, isTracking, channelName, storageKey, idleTimeoutMs, warnBeforeMs, onIdle, onWarning, onActivity, resetActivity]);
+  }, [enabled, channelName, storageKey, idleTimeoutMs, warnBeforeMs, resetActivity, clearTimers]);
 
   // Stop tracking
   const stopTracking = useCallback(() => {