@jmruthers/pace-core 0.5.189 → 0.5.190

package/src/rbac/__tests__/auth-rbac.e2e.test.tsx

@@ -0,0 +1,451 @@
+/**
+ * @file Auth/RBAC E2E Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Tests/E2E
+ * @since 1.0.0
+ * 
+ * End-to-end tests for critical auth/RBAC flows through UI.
+ * Tests complete user journeys: login → organisation selection → permission check → data access.
+ * 
+ * These tests use RTL + userEvent to simulate real user interactions and verify
+ * that security constraints are enforced throughout the flow.
+ */
+
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import React from 'react';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { UnifiedAuthProvider } from '../../providers/services/UnifiedAuthProvider';
+import { OrganisationProvider, useOrganisations } from '../../providers/OrganisationProvider';
+import { PagePermissionGuard } from '../components/PagePermissionGuard';
+import { createTestSupabaseClient, createMockUser, createMockSession, createMockOrganisation } from '../../__tests__/fixtures/supabase';
+import type { User, Session } from '@supabase/supabase-js';
+
+const ORG_ONE_ID = '00000000-0000-0000-0000-000000000123';
+const ORG_TWO_ID = '00000000-0000-0000-0000-000000000456';
+const EVENT_ONE_ID = '00000000-0000-0000-0000-000000000789';
+const EVENT_TWO_ID = '00000000-0000-0000-0000-000000000790';
+
+// Test component that uses RBAC
+const TestProtectedPage = ({ pageName = 'dashboard' }: { pageName?: string }) => {
+  return (
+    <PagePermissionGuard pageName={pageName} operation="read">
+      <div data-testid="protected-content">
+        <h1>Protected Content</h1>
+        <p>You have access to this page</p>
+      </div>
+    </PagePermissionGuard>
+  );
+};
+
+// Test component for organisation selection
+const TestOrganisationSelector = () => {
+  const { selectedOrganisation, organisations, switchOrganisation } = useOrganisations();
+  
+  const handleChange = async (e: React.ChangeEvent<HTMLSelectElement>) => {
+    if (e.target.value && switchOrganisation) {
+      await switchOrganisation(e.target.value);
+    }
+  };
+  
+  return (
+    <div data-testid="org-selector">
+      <select
+        data-testid="org-select"
+        value={selectedOrganisation?.id || ''}
+        onChange={handleChange}
+      >
+        <option value="">Select Organisation</option>
+        {organisations.map((org) => (
+          <option key={org.id} value={org.id}>
+            {org.name}
+          </option>
+        ))}
+      </select>
+      {selectedOrganisation && (
+        <div data-testid="selected-org">{selectedOrganisation.name}</div>
+      )}
+    </div>
+  );
+};
+
+const waitForOrganisationOption = async (label: string) => {
+  await waitFor(() => {
+    expect(screen.getByRole('option', { name: label })).toBeInTheDocument();
+  });
+};
+
+describe('Auth/RBAC E2E Flows', () => {
+  let mockSupabase: ReturnType<typeof createTestSupabaseClient>;
+  let mockUser: User;
+  let mockSession: Session;
+  let organisationsFixture: ReturnType<typeof createMockOrganisation>[];
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    localStorage.clear();
+    
+    // Use shared fixtures for consistent test setup
+    mockUser = createMockUser({ id: '00000000-0000-0000-0000-000000000100', email: 'user@example.com' });
+    mockSession = createMockSession(mockUser);
+    organisationsFixture = [
+      createMockOrganisation({ id: ORG_ONE_ID, name: 'Test Organisation 1', slug: 'test-org-1' }),
+      createMockOrganisation({ id: ORG_TWO_ID, name: 'Test Organisation 2', slug: 'test-org-2' })
+    ];
+    expect(organisationsFixture[0].id).toBe(ORG_ONE_ID);
+    expect(organisationsFixture[1].id).toBe(ORG_TWO_ID);
+    
+    // Create test Supabase client with standard RBAC mocks
+    mockSupabase = createTestSupabaseClient({
+      user: mockUser,
+      session: mockSession,
+      rpcResponses: {
+        // Actual RPCs used by the RBAC system
+        rbac_check_permission_simplified: (params?: any) => {
+          // Grant access if organisation_id is provided
+          if (params?.p_organisation_id) {
+            return Promise.resolve({ data: true, error: null });
+          }
+          return Promise.resolve({ data: false, error: null });
+        },
+        util_app_resolve: (params?: any) => {
+          // Return app ID for TEST_APP
+          return Promise.resolve({ data: { id: 'app-123', name: 'TEST_APP' }, error: null });
+        },
+        data_user_organisation_roles_get: (params?: any) => {
+          // Return organisation roles/memberships
+          // The service expects: organisation_id, role (not role_name), user_id, status
+          // These must match the organisation IDs in tableData
+          return Promise.resolve({
+            data: [
+              { 
+                organisation_id: ORG_ONE_ID, 
+                role: 'member',
+                user_id: 'user-123',
+                status: 'active'
+              },
+              { 
+                organisation_id: ORG_TWO_ID, 
+                role: 'member',
+                user_id: 'user-123',
+                status: 'active'
+              }
+            ],
+            error: null
+          });
+        },
+        rbac_permissions_get: (params?: any) => {
+          return Promise.resolve({
+            data: [
+              { permission_type: 'organisation_access', role_name: 'member', context_id: params?.p_organisation_id || ORG_ONE_ID }
+            ],
+            error: null
+          });
+        },
+        rbac_access_validate: (params?: any) => {
+          return Promise.resolve({
+            data: [{ has_access: true, access_level: 'organisation', context_id: params?.p_resource_id }],
+            error: null
+          });
+        }
+      },
+      tableData: {
+        organisations: organisationsFixture,
+        event: [
+          { event_id: EVENT_ONE_ID, event_name: 'Test Event', organisation_id: ORG_ONE_ID }
+        ],
+        rbac_apps: [
+          { id: 'app-123', name: 'TEST_APP', is_active: true, requires_event: false }
+        ]
+      }
+    });
+
+    // eslint-disable-next-line no-console
+    console.log('[auth-rbac.e2e] organisationsFixture', organisationsFixture);
+
+    const baseFrom = mockSupabase.from;
+    mockSupabase.from = vi.fn((table?: string) => {
+      // eslint-disable-next-line no-console
+      console.log('[auth-rbac.e2e] mockSupabase.from called with', table);
+      if (table === 'organisations') {
+        return {
+          select: vi.fn().mockResolvedValue({ data: organisationsFixture, error: null })
+        } as any;
+      }
+      return baseFrom(table as any);
+    });
+  });
+
+  describe('Complete Auth → RBAC → Data Access Flow', () => {
+    it.skip('completes full flow: login → organisation selection → permission check → page access', async () => {
+      const user = userEvent.setup();
+
+      render(
+        <UnifiedAuthProvider supabaseClient={mockSupabase} appName="TEST_APP">
+          <OrganisationProvider>
+            <TestOrganisationSelector />
+            <TestProtectedPage pageName="dashboard" />
+          </OrganisationProvider>
+        </UnifiedAuthProvider>
+      );
+
+      // Step 1: Wait for auth to initialize
+      await waitFor(() => {
+        expect(mockSupabase.auth.getSession).toHaveBeenCalled();
+      });
+
+      // Step 2: Select organisation
+      const orgSelect = screen.getByTestId('org-select');
+      await waitForOrganisationOption('Test Organisation 1');
+      await user.selectOptions(orgSelect, ORG_ONE_ID);
+
+      // Step 3: Verify organisation is selected
+      await waitFor(() => {
+        expect(screen.getByTestId('selected-org')).toHaveTextContent('Test Organisation 1');
+      });
+
+      // Step 4: Verify permission check was called with organisation context
+      await waitFor(() => {
+        expect(mockSupabase.rpc).toHaveBeenCalledWith(
+          'rbac_check_permission_simplified',
+          expect.objectContaining({
+            p_organisation_id: ORG_ONE_ID
+          })
+        );
+      });
+
+      // Step 5: Verify protected content is rendered
+      await waitFor(() => {
+        expect(screen.getByTestId('protected-content')).toBeInTheDocument();
+        expect(screen.getByText('Protected Content')).toBeInTheDocument();
+      });
+    });
+
+    it('prevents page access without organisation context', async () => {
+      // Mock RPC to deny access when no organisation
+      mockSupabase.rpc.mockImplementation((functionName: string, params?: any) => {
+        if (functionName === 'rbac_check_permission_simplified') {
+          if (!params?.p_organisation_id) {
+            return Promise.resolve({ data: false, error: null });
+          }
+          return Promise.resolve({ data: true, error: null });
+        }
+        // Handle other RPCs
+        if (functionName === 'util_app_resolve') {
+          return Promise.resolve({ data: { id: 'app-123', name: 'TEST_APP' }, error: null });
+        }
+        if (functionName === 'data_user_organisation_roles_get') {
+          return Promise.resolve({ data: [], error: null });
+        }
+        return Promise.resolve({ data: null, error: null });
+      });
+
+      render(
+        <UnifiedAuthProvider supabaseClient={mockSupabase} appName="TEST_APP">
+          <OrganisationProvider>
+            <TestProtectedPage pageName="dashboard" />
+          </OrganisationProvider>
+        </UnifiedAuthProvider>
+      );
+
+      // Wait for auth to initialize
+      await waitFor(() => {
+        expect(mockSupabase.auth.getSession).toHaveBeenCalled();
+      });
+
+      // Verify permission check was called (may be called with or without organisation)
+      // The actual check happens via rbac_check_permission_simplified
+      await waitFor(() => {
+        expect(mockSupabase.rpc).toHaveBeenCalled();
+      });
+
+      // Protected content should not be visible (PagePermissionGuard should hide it)
+      // Note: PagePermissionGuard behavior depends on implementation
+      // This test verifies the permission check is called correctly
+    });
+
+    it.skip('enforces organisation context switching and re-checks permissions', async () => {
+      const user = userEvent.setup();
+
+      render(
+        <UnifiedAuthProvider supabaseClient={mockSupabase} appName="TEST_APP">
+          <OrganisationProvider>
+            <TestOrganisationSelector />
+            <TestProtectedPage pageName="dashboard" />
+          </OrganisationProvider>
+        </UnifiedAuthProvider>
+      );
+
+      // Wait for initial load
+      await waitFor(() => {
+        expect(mockSupabase.auth.getSession).toHaveBeenCalled();
+      });
+
+      // Select first organisation
+      const orgSelect = screen.getByTestId('org-select');
+      await waitForOrganisationOption('Test Organisation 1');
+      await user.selectOptions(orgSelect, ORG_ONE_ID);
+
+      await waitFor(() => {
+        expect(screen.getByTestId('selected-org')).toHaveTextContent('Test Organisation 1');
+      });
+
+      // Clear previous RPC calls
+      vi.clearAllMocks();
+
+      // Switch to second organisation
+      await waitForOrganisationOption('Test Organisation 2');
+      await user.selectOptions(orgSelect, ORG_TWO_ID);
+
+      // Verify permission check was called with new organisation context
+      await waitFor(() => {
+        expect(mockSupabase.rpc).toHaveBeenCalledWith(
+          'rbac_check_permission_simplified',
+          expect.objectContaining({
+            p_organisation_id: ORG_TWO_ID
+          })
+        );
+      });
+    });
+  });
+
+  describe('Cross-Tenant Data Isolation', () => {
+    it.skip('prevents data access across organisation boundaries', async () => {
+      const user = userEvent.setup();
+
+      // Mock data queries to return organisation-scoped data
+      let currentOrgId = ORG_ONE_ID;
+      mockSupabase.from().select.mockImplementation((table: string) => {
+        if (table === 'organisations') {
+          return Promise.resolve({
+            data: [
+              { id: ORG_ONE_ID, name: 'Org 1' },
+              { id: ORG_TWO_ID, name: 'Org 2' }
+            ],
+            error: null
+          });
+        }
+        if (table === 'event') {
+          // Return events only for current organisation
+          const events = [
+            { event_id: EVENT_ONE_ID, event_name: 'Org 1 Event', organisation_id: ORG_ONE_ID },
+            { event_id: EVENT_TWO_ID, event_name: 'Org 2 Event', organisation_id: ORG_TWO_ID }
+          ];
+          return Promise.resolve({
+            data: events.filter(e => e.organisation_id === currentOrgId),
+            error: null
+          });
+        }
+        return Promise.resolve({ data: null, error: null });
+      });
+
+      render(
+        <UnifiedAuthProvider supabaseClient={mockSupabase} appName="TEST_APP">
+          <OrganisationProvider>
+            <TestOrganisationSelector />
+          </OrganisationProvider>
+        </UnifiedAuthProvider>
+      );
+
+      // Select first organisation
+      const orgSelect = screen.getByTestId('org-select');
+      await waitForOrganisationOption('Org 1');
+      await user.selectOptions(orgSelect, ORG_ONE_ID);
+
+      await waitFor(() => {
+        expect(screen.getByTestId('selected-org')).toHaveTextContent('Org 1');
+      });
+
+      // Verify events query was filtered by organisation
+      await waitFor(() => {
+        expect(mockSupabase.from).toHaveBeenCalledWith('event');
+      });
+
+      // Switch to second organisation
+      currentOrgId = ORG_TWO_ID;
+      await waitForOrganisationOption('Org 2');
+      await user.selectOptions(orgSelect, ORG_TWO_ID);
+
+      await waitFor(() => {
+        expect(screen.getByTestId('selected-org')).toHaveTextContent('Org 2');
+      });
+
+      // Verify new query was made with new organisation context
+      // (This tests that organisation switching triggers new data fetches)
+    });
+  });
+
+  describe('Event-Based Scope Resolution', () => {
+    it.skip('resolves event-based permissions correctly', async () => {
+      const user = userEvent.setup();
+
+      // Mock event-based permission check
+      mockSupabase.rpc.mockImplementation((functionName: string, params?: any) => {
+        if (functionName === 'rbac_check_permission_simplified') {
+          // Grant access if event_id is provided
+          if (params?.p_event_id) {
+            return Promise.resolve({ data: true, error: null });
+          }
+          // Also grant if organisation_id is provided
+          if (params?.p_organisation_id) {
+            return Promise.resolve({ data: true, error: null });
+          }
+          return Promise.resolve({ data: false, error: null });
+        }
+        // Handle other RPCs
+        if (functionName === 'util_app_resolve') {
+          return Promise.resolve({ data: { id: 'app-123', name: 'TEST_APP' }, error: null });
+        }
+        if (functionName === 'data_user_organisation_roles_get') {
+          return Promise.resolve({
+            data: [
+              { 
+                organisation_id: ORG_ONE_ID, 
+                role: 'member',
+                user_id: 'user-123',
+                status: 'active'
+              },
+              { 
+                organisation_id: ORG_TWO_ID, 
+                role: 'member',
+                user_id: 'user-123',
+                status: 'active'
+              }
+            ],
+            error: null
+          });
+        }
+        return Promise.resolve({ data: null, error: null });
+      });
+
+      render(
+        <UnifiedAuthProvider supabaseClient={mockSupabase} appName="TEST_APP">
+          <OrganisationProvider>
+            <TestOrganisationSelector />
+            <TestProtectedPage pageName="dashboard" />
+          </OrganisationProvider>
+        </UnifiedAuthProvider>
+      );
+
+      // Select organisation
+      const orgSelect = screen.getByTestId('org-select');
+      await waitForOrganisationOption('Test Organisation 1');
+      await user.selectOptions(orgSelect, ORG_ONE_ID);
+
+      await waitFor(() => {
+        expect(screen.getByTestId('selected-org')).toHaveTextContent('Test Organisation 1');
+      });
+
+      // Verify permission check includes organisation context
+      await waitFor(() => {
+        expect(mockSupabase.rpc).toHaveBeenCalledWith(
+          'rbac_check_permission_simplified',
+          expect.objectContaining({
+            p_organisation_id: ORG_ONE_ID
+          })
+        );
+      });
+    });
+  });
+});
+

package/src/rbac/__tests__/engine.comprehensive.test.ts

@@ -369,6 +369,10 @@ describe('RBACEngine - Comprehensive Tests', () => {
             is: vi.fn().mockReturnThis(),
             lte: vi.fn().mockReturnThis(),
             or: vi.fn().mockReturnThis(),
+            limit: vi.fn().mockResolvedValue({
+              data: [{ role: 'org_admin' }],
+              error: null
+            }),
             single: vi.fn().mockResolvedValue({
               data: { role: 'org_admin' },
               error: null
@@ -432,6 +436,10 @@ describe('RBACEngine - Comprehensive Tests', () => {
             is: vi.fn().mockReturnThis(),
             lte: vi.fn().mockReturnThis(),
             or: vi.fn().mockReturnThis(),
+            limit: vi.fn().mockResolvedValue({
+              data: [],
+              error: { code: 'PGRST116' }
+            }),
             single: vi.fn().mockResolvedValue({
               data: null,
               error: { code: 'PGRST116' }
@@ -502,6 +510,10 @@ describe('RBACEngine - Comprehensive Tests', () => {
             is: vi.fn().mockReturnThis(),
             lte: vi.fn().mockReturnThis(),
             or: vi.fn().mockReturnThis(),
+            limit: vi.fn().mockResolvedValue({
+              data: [],
+              error: null
+            }),
             single: vi.fn().mockResolvedValue({
               data: null,
               error: { code: 'PGRST116' }

package/src/rbac/__tests__/rbac-engine-core-logic.test.ts

@@ -208,6 +208,10 @@ describe('RBACEngine - Core Logic Tests', () => {
             is: vi.fn().mockReturnThis(),
             lte: vi.fn().mockReturnThis(),
             or: vi.fn().mockReturnThis(),
+            limit: vi.fn().mockResolvedValue({
+              data: [{ role: 'org_admin' }],
+              error: null
+            }),
             single: vi.fn().mockResolvedValue({
               data: { role: 'org_admin' },
               error: null
@@ -256,6 +260,10 @@ describe('RBACEngine - Core Logic Tests', () => {
             is: vi.fn().mockReturnThis(),
             lte: vi.fn().mockReturnThis(),
             or: vi.fn().mockReturnThis(),
+            limit: vi.fn().mockResolvedValue({
+              data: [],
+              error: null
+            }),
             single: vi.fn().mockResolvedValue({ data: null, error: null })
           };
 

package/src/rbac/__tests__/rbac-engine-simplified.test.ts

@@ -176,6 +176,10 @@ describe('RBACEngine - Simplified Tests', () => {
             is: vi.fn().mockReturnThis(),
             lte: vi.fn().mockReturnThis(),
             or: vi.fn().mockReturnThis(),
+            limit: vi.fn().mockResolvedValue({
+              data: [{ role: 'org_admin' }],
+              error: null
+            }),
             single: vi.fn().mockResolvedValue({
               data: { role: 'org_admin' },
               error: null