@jmruthers/pace-core 0.5.189 → 0.5.190

package/src/rbac/api.ts

@@ -29,6 +29,8 @@ import { SecurityContext } from './security';
 import { createLogger } from '../utils/core/logger';
 import { enablePerformanceMonitoring } from './performance';
 import { getOrCreateRequest } from './request-deduplication';
+import { ContextValidator } from './utils/contextValidator';
+import type { AppConfig } from './utils/contextValidator';
 
 const log = createLogger('RBACAPI');
 
@@ -108,6 +110,8 @@ function getEngine(): RBACEngine {
  * Get user's access level in a scope
  * 
  * @param input - Access level input
+ * @param appConfig - Optional app configuration
+ * @param appName - Optional app name
  * @returns Promise resolving to access level
  * 
  * @example
@@ -118,18 +122,55 @@ function getEngine(): RBACEngine {
  * });
  * ```
  */
-export async function getAccessLevel(input: {
-  userId: UUID;
-  scope: Scope;
-}): Promise<AccessLevel> {
+export async function getAccessLevel(
+  input: {
+    userId: UUID;
+    scope: Scope;
+  },
+  appConfig?: AppConfig | null,
+  appName?: string
+): Promise<AccessLevel> {
   const engine = getEngine();
-  return engine.getAccessLevel(input);
+  
+  // Check super admin status first - super admins bypass context requirements
+  const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);
+  if (isSuperAdminUser) {
+    return 'super';
+  }
+  
+  // Fetch app config if not provided
+  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
+  let resolvedAppName = appName;
+  
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
+  }
+  
+  // Validate context using ContextValidator
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine['supabase']
+  );
+  
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  
+  // Use resolved scope
+  return engine.getAccessLevel({
+    ...input,
+    scope: validation.resolvedScope
+  });
 }
 
 /**
  * Get user's permission map for a scope
  * 
  * @param input - Permission map input
+ * @param appConfig - Optional app configuration
+ * @param appName - Optional app name
  * @returns Promise resolving to permission map
  * 
  * @example
@@ -144,12 +185,41 @@ export async function getAccessLevel(input: {
  * });
  * ```
  */
-export async function getPermissionMap(input: {
-  userId: UUID;
-  scope: Scope;
-}): Promise<PermissionMap> {
+export async function getPermissionMap(
+  input: {
+    userId: UUID;
+    scope: Scope;
+  },
+  appConfig?: AppConfig | null,
+  appName?: string
+): Promise<PermissionMap> {
   const engine = getEngine();
-  return engine.getPermissionMap(input);
+  
+  // Fetch app config if not provided
+  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
+  let resolvedAppName = appName;
+  
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
+  }
+  
+  // Validate context using ContextValidator
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine['supabase']
+  );
+  
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  
+  // Use resolved scope
+  return engine.getPermissionMap({
+    ...input,
+    scope: validation.resolvedScope
+  });
 }
 
 export async function resolveAppContext(input: {
@@ -160,18 +230,49 @@ export async function resolveAppContext(input: {
   return engine.resolveAppContext(input);
 }
 
-export async function getRoleContext(input: {
-  userId: UUID;
-  scope: Scope;
-}): Promise<RBACRoleContext> {
+export async function getRoleContext(
+  input: {
+    userId: UUID;
+    scope: Scope;
+  },
+  appConfig?: AppConfig | null,
+  appName?: string
+): Promise<RBACRoleContext> {
   const engine = getEngine();
-  return engine.getRoleContext(input);
+  
+  // Fetch app config if not provided
+  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
+  let resolvedAppName = appName;
+  
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
+  }
+  
+  // Validate context using ContextValidator
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine['supabase']
+  );
+  
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  
+  // Use resolved scope
+  return engine.getRoleContext({
+    ...input,
+    scope: validation.resolvedScope
+  });
 }
 
 /**
  * Check if user has a specific permission
  * 
  * @param input - Permission check input
+ * @param appConfig - Optional app configuration (if not provided, will be fetched)
+ * @param appName - Optional app name (for PORTAL/ADMIN special case and config lookup)
  * @returns Promise resolving to permission result
  * 
  * @example
@@ -184,24 +285,68 @@ export async function getRoleContext(input: {
  * });
  * ```
  */
-export async function isPermitted(input: PermissionCheck): Promise<boolean> {
+export async function isPermitted(
+  input: PermissionCheck,
+  appConfig?: AppConfig | null,
+  appName?: string
+): Promise<boolean> {
   const engine = getEngine();
   
-  // Validate organisation context is required
-  if (!input.scope.organisationId) {
-    throw new OrganisationContextRequiredError();
+  // Fetch app config if not provided and we have appId
+  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
+  let resolvedAppName = appName;
+  
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
   }
   
-  // Create security context from input
-  // OrganisationId is required - it can always be derived from event context in event-based apps
+  // If we have appId but no appName, try to get it from the database
+  if (!resolvedAppName && input.scope.appId) {
+    try {
+      const { data } = await engine['supabase']
+        .from('rbac_apps')
+        .select('name')
+        .eq('id', input.scope.appId)
+        .eq('is_active', true)
+        .single() as { data: { name: string } | null };
+      if (data) {
+        resolvedAppName = data.name;
+      }
+    } catch (err) {
+      // Ignore errors - appName is optional
+    }
+  }
+  
+  // Validate context using ContextValidator
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine['supabase']
+  );
+  
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  
+  // Use resolved scope for permission check
+  const validatedScope = validation.resolvedScope;
+  
+  // Create security context from validated scope
   const securityContext: SecurityContext = {
     userId: input.userId,
-    organisationId: input.scope.organisationId, // Required - no fallback
+    organisationId: validatedScope.organisationId || null,
     timestamp: new Date(),
     // Optional fields can be omitted
   };
   
-  return engine.isPermitted(input, securityContext);
+  // Create new input with validated scope
+  const validatedInput: PermissionCheck = {
+    ...input,
+    scope: validatedScope
+  };
+  
+  return engine.isPermitted(validatedInput, securityContext);
 }
 
 /**
@@ -211,15 +356,21 @@ export async function isPermitted(input: PermissionCheck): Promise<boolean> {
  * and checks cache before making new requests. Uses session cache for page-level checks.
  * 
  * @param input - Permission check input
+ * @param appConfig - Optional app configuration
+ * @param appName - Optional app name
  * @returns Promise resolving to permission result
  */
-export async function isPermittedCached(input: PermissionCheck): Promise<boolean> {
+export async function isPermittedCached(
+  input: PermissionCheck,
+  appConfig?: AppConfig | null,
+  appName?: string
+): Promise<boolean> {
   const { userId, scope, permission, pageId } = input;
   
   // Check cache first (checks both short-term and session cache)
   const cacheKey = RBACCache.generatePermissionKey({
     userId,
-    organisationId: scope.organisationId!,
+    organisationId: scope.organisationId,
     eventId: scope.eventId,
     appId: scope.appId,
     permission,
@@ -233,8 +384,8 @@ export async function isPermittedCached(input: PermissionCheck): Promise<boolean
 
   // Use request deduplication - if same request is in-flight, share the promise
   return getOrCreateRequest(input, async (checkInput) => {
-    // Check permission
-    const result = await isPermitted(checkInput);
+    // Check permission with context validation
+    const result = await isPermitted(checkInput, appConfig, appName);
     
     // Determine if this is a page-level check (has pageId or permission contains 'page.')
     const isPageLevelCheck = !!pageId || permission.includes('page.');
@@ -329,33 +480,86 @@ export async function isSuperAdmin(userId: UUID): Promise<boolean> {
  * @param appId - App ID
  * @returns Promise resolving to app configuration
  */
-export async function getAppConfig(appId: UUID): Promise<{ requires_event: boolean } | null> {
-  // This function requires a Supabase client to be provided
-  // Callers should pass the client as a parameter
-  log.warn('getAppConfig called without Supabase client - returning null');
-  return null;
+export async function getAppConfig(appId: UUID): Promise<AppConfig | null> {
+  try {
+    const engine = getEngine();
+    return getAppConfigWithClient(engine['supabase'], appId);
+  } catch (err) {
+    // RBAC not initialized - return null gracefully
+    if (err instanceof RBACNotInitializedError) {
+      return null;
+    }
+    throw err;
+  }
 }
 
-export async function getAppConfigWithClient(client: SupabaseClient, appId: UUID): Promise<{ requires_event: boolean } | null> {
+export async function getAppConfigWithClient(client: SupabaseClient | null | undefined, appId: UUID): Promise<AppConfig | null> {
+  // Return null if client is not available
+  if (!client) {
+    return null;
+  }
+  
+  // Cache key for app config - cache for 5 minutes (app config rarely changes)
+  const cacheKey = `app_config:${appId}`;
+  
+  // Check cache first
+  const cached = rbacCache.get<AppConfig>(cacheKey, true);
+  if (cached !== null) {
+    return cached;
+  }
+  
   try {
     const { data, error } = await client
       .from('rbac_apps')
-      .select('requires_event')
+      .select('requires_event, name')
       .eq('id', appId)
       .eq('is_active', true)
-      .single() as { data: { requires_event: boolean } | null; error: any };
+      .single() as { data: { requires_event: boolean; name: string } | null; error: any };
 
     if (error || !data) {
       return null;
     }
 
-    return { requires_event: data.requires_event };
+    const appConfig: AppConfig = { requires_event: data.requires_event ?? false };
+    
+    // Cache the result for 5 minutes (300000ms) with session cache enabled
+    // App config rarely changes, so we can cache it longer
+    rbacCache.set(cacheKey, appConfig, 5 * 60 * 1000, true);
+    
+    return appConfig;
   } catch (err) {
     log.error('Error fetching app config:', err);
     return null;
   }
 }
 
+/**
+ * Get app configuration by app name
+ * 
+ * @param appName - App name
+ * @returns Promise resolving to app configuration
+ */
+export async function getAppConfigByName(appName: string): Promise<AppConfig | null> {
+  const engine = getEngine();
+  try {
+    const { data, error } = await engine['supabase']
+      .from('rbac_apps')
+      .select('requires_event, name')
+      .eq('name', appName)
+      .eq('is_active', true)
+      .single() as { data: { requires_event: boolean; name: string } | null; error: any };
+
+    if (error || !data) {
+      return null;
+    }
+
+    return { requires_event: data.requires_event ?? false };
+  } catch (err) {
+    log.error('Error fetching app config by name:', err);
+    return null;
+  }
+}
+
 /**
  * Check if user is organisation admin
  * 

package/src/rbac/cache-invalidation.ts

@@ -178,22 +178,36 @@ export class RBACCacheInvalidationManager {
     });
   }
 
+  /**
+   * Cleanup subscriptions only (not all callbacks)
+   * Used internally to cleanup before setting up new subscriptions
+   */
+  private cleanupSubscriptions(): void {
+    this.channels.forEach(channel => {
+      try {
+        if (channel && typeof channel.unsubscribe === 'function') {
+          channel.unsubscribe();
+        }
+      } catch (error) {
+        log.warn('Failed to unsubscribe from channel:', error);
+      }
+    });
+    this.channels = [];
+  }
+
   /**
    * Setup realtime subscriptions for automatic cache invalidation
-   * Prevents duplicate subscriptions by checking if already set up
+   * Always cleans up existing subscriptions before setting up new ones to prevent duplicates
    */
   private setupRealtimeSubscriptions(): void {
+    // Always cleanup existing subscriptions first to prevent duplicates
+    this.cleanupSubscriptions();
+    
     // Check if realtime is available (skip in test environments)
     if (!this.supabase.channel || typeof this.supabase.channel !== 'function') {
       log.debug('Realtime not available, skipping subscriptions');
       return;
     }
-    
-    // Prevent duplicate subscriptions - if channels already exist, skip setup
-    if (this.channels.length > 0) {
-      log.debug('Realtime subscriptions already set up, skipping duplicate setup');
-      return;
-    }
 
     // Subscribe to organisation role changes
     const orgRolesChannel = this.supabase

package/src/rbac/compliance/quick-fix-suggestions.ts

@@ -111,7 +111,7 @@ export const supabase = createClient(url, key);
 // src/lib/supabase.ts
 export const supabase = createClient(
   import.meta.env.VITE_SUPABASE_URL,
-  import.meta.env.VITE_SUPABASE_ANON_KEY
+  import.meta.env.VITE_SUPABASE_PUBLISHABLE_KEY
 );
 
 // src/utils/api.ts

package/src/rbac/components/NavigationGuard.tsx

@@ -67,8 +67,8 @@
 import React, { useMemo, useCallback, useEffect, useState } from 'react';
 import { useMultiplePermissions } from '../hooks/usePermissions';
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
+import { useResolvedScope } from '../hooks/useResolvedScope';
 import { UUID, Permission, Scope } from '../types';
-import { createScopeFromEvent } from '../utils/eventContext';
 import { NavigationItem } from './NavigationProvider';
 import { getRBACLogger } from '../config';
 
@@ -124,66 +124,28 @@ export function NavigationGuard({
 }: NavigationGuardProps) {
   const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
   const [hasChecked, setHasChecked] = useState(false);
-  const [checkError, setCheckError] = useState<Error | null>(null);
-  const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);
-
-  // Resolve scope - either use provided scope or resolve from context
-  useEffect(() => {
-    const resolveScope = async () => {
-      if (scope) {
-        setResolvedScope(scope);
-        return;
-      }
-
-      // If we have both organisation and event, use them directly
-      if (selectedOrganisation && selectedEvent) {
-        setResolvedScope({
-          organisationId: selectedOrganisation.id,
-          eventId: selectedEvent.event_id,
-          appId: undefined
-        });
-        return;
-      }
-
-      // If we only have organisation, use it
-      if (selectedOrganisation) {
-        setResolvedScope({
-          organisationId: selectedOrganisation.id,
-          eventId: selectedEvent?.event_id || undefined,
-          appId: undefined
-        });
-        return;
-      }
-
-      // If we only have event, resolve organisation from event
-      if (selectedEvent && supabase) {
-        try {
-          const eventScope = await createScopeFromEvent(supabase, selectedEvent.event_id);
-          if (!eventScope) {
-            setCheckError(new Error('Could not resolve organization from event context'));
-            return;
-          }
-          setResolvedScope(eventScope);
-        } catch (error) {
-          setCheckError(error as Error);
-        }
-        return;
-      }
-
-      // No context available
-      setCheckError(new Error('Either organisation context or event context is required for navigation permission checking'));
-    };
-
-    resolveScope();
-  }, [scope, selectedOrganisation, selectedEvent, supabase]);
+  
+  // Use useResolvedScope hook for consistent scope resolution
+  const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
+    supabase,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: selectedEvent?.event_id || null
+  });
+  
+  // Use provided scope if available, otherwise use resolved scope
+  const effectiveScope = scope || hookResolvedScope;
+  const checkError = scopeError;
 
   // Check all permissions using useMultiplePermissions hook
-  const { results: permissionResults, isLoading, error } = useMultiplePermissions(
+  const { results: permissionResults, isLoading: permissionsLoading, error: permissionsError } = useMultiplePermissions(
     user?.id || '',
-    resolvedScope || { eventId: selectedEvent?.event_id || undefined },
+    effectiveScope || { eventId: selectedEvent?.event_id || undefined },
     navigationItem.permissions || [],
     true // Use cache
   );
+  
+  const isLoading = scopeLoading || permissionsLoading;
+  const error = checkError || permissionsError;
 
   // Determine if user has required permissions based on requireAll prop
   const hasRequiredPermissions = useMemo((): boolean => {
@@ -202,13 +164,11 @@ export function NavigationGuard({
   useEffect(() => {
     if (!isLoading && !error) {
       setHasChecked(true);
-      setCheckError(null);
       
       if (!hasRequiredPermissions && onDenied) {
         onDenied(navigationItem);
       }
     } else if (error) {
-      setCheckError(error);
       setHasChecked(true);
     }
   }, [hasRequiredPermissions, isLoading, error, navigationItem, onDenied]);
@@ -221,13 +181,13 @@ export function NavigationGuard({
         navigationItem: navigationItem.id,
         permissions: navigationItem.permissions,
         userId: user?.id,
-        scope: resolvedScope,
+        scope: effectiveScope,
         allowed: hasRequiredPermissions,
         requireAll,
         timestamp: new Date().toISOString()
       });
     }
-  }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
+  }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, effectiveScope, hasRequiredPermissions, requireAll]);
 
   // Handle strict mode violations
   useEffect(() => {
@@ -237,15 +197,15 @@ export function NavigationGuard({
         navigationItem: navigationItem.id,
         permissions: navigationItem.permissions,
         userId: user?.id,
-        scope: resolvedScope,
+        scope: effectiveScope,
         requireAll,
         timestamp: new Date().toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, navigationItem, user?.id, resolvedScope, requireAll]);
+  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, navigationItem, user?.id, effectiveScope, requireAll]);
 
   // Show loading state
-  if (isLoading || !resolvedScope || !hasChecked) {
+  if (isLoading || !effectiveScope || !hasChecked) {
     return <>{loading}</>;
   }
 
@@ -288,7 +248,7 @@ function DefaultLoading() {
   return (
     <div className="flex items-center justify-center p-2">
       <div className="flex items-center space-x-2">
-        <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-main-600"></div>
+        <div className="animate-spin rounded-full size-4 border-b-2 border-main-600"></div>
         <span className="text-sm text-sec-600">Checking...</span>
       </div>
     </div>