@jmruthers/pace-core 0.5.189 → 0.5.191

package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts

@@ -69,17 +69,24 @@ describe('useSecureSupabase Hook', () => {
   const mockUseResolvedScope = vi.mocked(useResolvedScope);
   const mockCreateSecureClient = vi.mocked(createSecureClient);
 
-  const originalEnv = import.meta.env;
-
   beforeEach(() => {
     vi.clearAllMocks();
     
-    // Setup environment variables - use the same pattern as other tests
+    // Clear the secure client cache by accessing it through a test helper
+    // The cache is module-level, so we need to ensure it's cleared
+    // We'll use unique org IDs in each test to avoid cache hits
+    
+    // Setup environment variables - mock both import.meta.env and process.env
+    // The getSupabaseConfig function checks both
+    vi.stubEnv('VITE_SUPABASE_URL', 'https://test.supabase.co');
+    vi.stubEnv('VITE_SUPABASE_PUBLISHABLE_KEY', 'test-key');
+    
+    // Also set import.meta.env directly since the function checks it first
     Object.defineProperty(import.meta, 'env', {
       value: {
         VITE_SUPABASE_URL: 'https://test.supabase.co',
-        VITE_SUPABASE_ANON_KEY: 'test-key',
-        ...originalEnv
+        VITE_SUPABASE_PUBLISHABLE_KEY: 'test-key',
+        ...import.meta.env
       },
       writable: true,
       configurable: true
@@ -128,9 +135,11 @@ describe('useSecureSupabase Hook', () => {
 
   afterEach(() => {
     vi.clearAllMocks();
-    // Restore original environment
+    // Restore environment
+    vi.unstubAllEnvs();
+    // Restore import.meta.env
     Object.defineProperty(import.meta, 'env', {
-      value: originalEnv,
+      value: import.meta.env,
       writable: true,
       configurable: true
     });
@@ -138,15 +147,36 @@ describe('useSecureSupabase Hook', () => {
 
   describe('Client Creation', () => {
     it('should create a secure client when context is available', async () => {
+      // Use a unique org ID to avoid cache hits from previous tests
+      const uniqueOrgId = `org-${Date.now()}`;
+      mockUseOrganisations.mockReturnValue({
+        selectedOrganisation: { id: uniqueOrgId },
+        organisations: [],
+        isLoading: false,
+        error: null,
+        selectOrganisation: vi.fn(),
+        refreshOrganisations: vi.fn()
+      } as any);
+
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: {
+          organisationId: uniqueOrgId,
+          eventId: mockEventId,
+          appId: mockAppId
+        },
+        isLoading: false,
+        error: null
+      });
+
       const { result } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(result.current).toBe(mockSupabaseClient);
-      });
+        expect(mockCreateSecureClient).toHaveBeenCalled();
+      }, { timeout: 2000 });
 
-      expect(mockCreateSecureClient).toHaveBeenCalled();
+      expect(result.current).toBe(mockSupabaseClient);
       const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(mockOrgId);
+      expect(call[2]).toBe(uniqueOrgId);
       expect(call[3]).toBe(mockEventId);
       expect(call[4]).toBe(mockAppId);
     });
@@ -179,6 +209,13 @@ describe('useSecureSupabase Hook', () => {
         selectOrganisation: vi.fn(),
         refreshOrganisations: vi.fn()
       } as any);
+      
+      // Mock useResolvedScope to return null scope when organisation is not available
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: false,
+        error: null
+      });
 
       const baseClient = mockSupabaseClient;
       const { result } = renderHook(() => useSecureSupabase(baseClient));
@@ -256,18 +293,39 @@ describe('useSecureSupabase Hook', () => {
     });
 
     it('should create new client when context changes', async () => {
+      const uniqueOrgId1 = `org-${Date.now()}-1`;
+      mockUseOrganisations.mockReturnValue({
+        selectedOrganisation: { id: uniqueOrgId1 },
+        organisations: [],
+        isLoading: false,
+        error: null,
+        selectOrganisation: vi.fn(),
+        refreshOrganisations: vi.fn()
+      } as any);
+
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: {
+          organisationId: uniqueOrgId1,
+          eventId: mockEventId,
+          appId: mockAppId
+        },
+        isLoading: false,
+        error: null
+      });
+
       const { result: result1, rerender: rerender1 } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(result1.current).toBe(mockSupabaseClient);
-      });
+        expect(mockCreateSecureClient).toHaveBeenCalled();
+      }, { timeout: 2000 });
 
       // Clear the mock to count new calls
       mockCreateSecureClient.mockClear();
 
       // Change organisation - this should create a new client with different cache key
+      const uniqueOrgId2 = `org-${Date.now()}-2`;
       mockUseOrganisations.mockReturnValue({
-        selectedOrganisation: { id: 'org-456' },
+        selectedOrganisation: { id: uniqueOrgId2 },
         organisations: [],
         isLoading: false,
         error: null,
@@ -278,7 +336,7 @@ describe('useSecureSupabase Hook', () => {
       // Also update resolved scope to match
       mockUseResolvedScope.mockReturnValue({
         resolvedScope: {
-          organisationId: 'org-456',
+          organisationId: uniqueOrgId2,
           eventId: mockEventId,
           appId: mockAppId
         },
@@ -296,14 +354,9 @@ describe('useSecureSupabase Hook', () => {
 
   describe('Environment Variables', () => {
     it('should fallback to base client when Supabase URL is missing', () => {
-      Object.defineProperty(import.meta, 'env', {
-        value: {
-          VITE_SUPABASE_ANON_KEY: 'test-key',
-          ...originalEnv
-        },
-        writable: true,
-        configurable: true
-      });
+      vi.unstubAllEnvs();
+      vi.stubEnv('VITE_SUPABASE_PUBLISHABLE_KEY', 'test-key');
+      // VITE_SUPABASE_URL is not set
 
       const baseClient = mockSupabaseClient;
       const { result } = renderHook(() => useSecureSupabase(baseClient));
@@ -313,14 +366,9 @@ describe('useSecureSupabase Hook', () => {
     });
 
     it('should fallback to base client when Supabase key is missing', () => {
-      Object.defineProperty(import.meta, 'env', {
-        value: {
-          VITE_SUPABASE_URL: 'https://test.supabase.co',
-          ...originalEnv
-        },
-        writable: true,
-        configurable: true
-      });
+      vi.unstubAllEnvs();
+      vi.stubEnv('VITE_SUPABASE_URL', 'https://test.supabase.co');
+      // VITE_SUPABASE_PUBLISHABLE_KEY is not set
 
       const baseClient = mockSupabaseClient;
       const { result } = renderHook(() => useSecureSupabase(baseClient));
@@ -342,30 +390,54 @@ describe('useSecureSupabase Hook', () => {
       expect(result.current).toBe(baseClient);
     });
 
-    it('should handle missing resolved scope gracefully', () => {
+    it('should handle missing resolved scope gracefully', async () => {
+      // Use unique org ID to avoid cache
+      const uniqueOrgId = `org-${Date.now()}-missing-scope`;
+      mockUseOrganisations.mockReturnValue({
+        selectedOrganisation: { id: uniqueOrgId },
+        organisations: [],
+        isLoading: false,
+        error: null,
+        selectOrganisation: vi.fn(),
+        refreshOrganisations: vi.fn()
+      } as any);
+
+      // When resolvedScope is null but selectedOrganisation exists, 
+      // useSecureSupabase should still create a client using selectedOrganisation.id
+      // This is a fallback behavior when scope resolution fails
       mockUseResolvedScope.mockReturnValue({
         resolvedScope: null,
         isLoading: false,
         error: null
       });
 
-      const { result } = renderHook(() => useSecureSupabase());
+      const baseClient = mockSupabaseClient;
+      const { result } = renderHook(() => useSecureSupabase(baseClient));
 
-      // Should still create client with undefined appId
-      expect(mockCreateSecureClient).toHaveBeenCalled();
-      const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(mockOrgId);
-      expect(call[3]).toBe(mockEventId);
-      expect(call[4]).toBeUndefined();
+      // When resolvedScope is null, should return base client (fallback)
+      expect(result.current).toBe(baseClient);
+      // Should not create secure client when resolvedScope is null
+      expect(mockCreateSecureClient).not.toHaveBeenCalled();
     });
   });
 
   describe('Context Resolution', () => {
     it('should use appId from resolved scope', async () => {
+      const uniqueOrgId = `org-${Date.now()}-custom-app`;
       const customAppId = 'custom-app-123';
+      
+      mockUseOrganisations.mockReturnValue({
+        selectedOrganisation: { id: uniqueOrgId },
+        organisations: [],
+        isLoading: false,
+        error: null,
+        selectOrganisation: vi.fn(),
+        refreshOrganisations: vi.fn()
+      } as any);
+
       mockUseResolvedScope.mockReturnValue({
         resolvedScope: {
-          organisationId: mockOrgId,
+          organisationId: uniqueOrgId,
           eventId: mockEventId,
           appId: customAppId
         },
@@ -377,14 +449,17 @@ describe('useSecureSupabase Hook', () => {
 
       await waitFor(() => {
         expect(mockCreateSecureClient).toHaveBeenCalled();
-        const call = mockCreateSecureClient.mock.calls[0];
-        expect(call[2]).toBe(mockOrgId);
-        expect(call[3]).toBe(mockEventId);
-        expect(call[4]).toBe(customAppId);
-      });
+      }, { timeout: 2000 });
+      
+      const call = mockCreateSecureClient.mock.calls[0];
+      expect(call[2]).toBe(uniqueOrgId);
+      expect(call[3]).toBe(mockEventId);
+      expect(call[4]).toBe(customAppId);
     });
 
     it('should work without event context', async () => {
+      const uniqueOrgId = `org-${Date.now()}-no-event`;
+      
       mockUseEvents.mockReturnValue({
         events: [],
         selectedEvent: null,
@@ -396,9 +471,18 @@ describe('useSecureSupabase Hook', () => {
         eventLoading: false
       } as any);
 
+      mockUseOrganisations.mockReturnValue({
+        selectedOrganisation: { id: uniqueOrgId },
+        organisations: [],
+        isLoading: false,
+        error: null,
+        selectOrganisation: vi.fn(),
+        refreshOrganisations: vi.fn()
+      } as any);
+
       mockUseResolvedScope.mockReturnValue({
         resolvedScope: {
-          organisationId: mockOrgId,
+          organisationId: uniqueOrgId,
           eventId: undefined,
           appId: mockAppId
         },
@@ -410,11 +494,12 @@ describe('useSecureSupabase Hook', () => {
 
       await waitFor(() => {
         expect(mockCreateSecureClient).toHaveBeenCalled();
-        const call = mockCreateSecureClient.mock.calls[0];
-        expect(call[2]).toBe(mockOrgId);
-        expect(call[3]).toBeUndefined();
-        expect(call[4]).toBe(mockAppId);
-      });
+      }, { timeout: 2000 });
+      
+      const call = mockCreateSecureClient.mock.calls[0];
+      expect(call[2]).toBe(uniqueOrgId);
+      expect(call[3]).toBeUndefined();
+      expect(call[4]).toBe(mockAppId);
     });
   });
 
@@ -428,8 +513,15 @@ describe('useSecureSupabase Hook', () => {
         selectOrganisation: vi.fn(),
         refreshOrganisations: vi.fn()
       } as any);
+      
+      // Mock useResolvedScope to return null scope when context is unavailable
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: false,
+        error: null
+      });
 
-      const customBaseClient = { from: vi.fn() } as unknown as SupabaseClient<Database>;
+      const customBaseClient = { from: vi.fn(), auth: { getUser: vi.fn(), getSession: vi.fn() } } as unknown as SupabaseClient<Database>;
       const { result } = renderHook(() => useSecureSupabase(customBaseClient));
 
       expect(result.current).toBe(customBaseClient);

package/src/rbac/hooks/index.ts

@@ -35,3 +35,6 @@ export type {
 
 // Export secure Supabase client hook
 export { useSecureSupabase } from './useSecureSupabase';
+
+// Export super admin bypass hook
+export { useSuperAdminBypass } from './useSuperAdminBypass';

package/src/rbac/hooks/useCan.test.ts

@@ -23,7 +23,8 @@ import { isPermitted, isPermittedCached } from '../api';
 const mockUserId = 'user-123';
 const mockScope = {
   organisationId: 'org-123',
-  eventId: 'event-123'
+  eventId: 'event-123',
+  appId: 'app-123' // Required for page name resolution
 };
 const mockPermission = 'read:users';
 const mockPageId = 'dashboard';
@@ -32,6 +33,13 @@ describe('useCan Hook', () => {
   const mockIsPermitted = vi.mocked(isPermitted);
   const mockIsPermittedCached = vi.mocked(isPermittedCached);
 
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Reset mocks to return resolved promises by default
+    mockIsPermitted.mockResolvedValue(true);
+    mockIsPermittedCached.mockResolvedValue(true);
+  });
+
       describe('Permission Checking', () => {
     it('returns true for allowed permissions', async () => {
       mockIsPermitted.mockResolvedValue(true);
@@ -103,12 +111,16 @@ describe('useCan Hook', () => {
       await waitFor(() => {
         expect(result.current.isLoading).toBe(false);
         expect(result.current.can).toBe(true);
-        expect(mockIsPermittedCached).toHaveBeenCalledWith({
-          userId: mockUserId,
-          scope: mockScope,
-          permission: mockPermission,
-          pageId: mockPageId
-        });
+        expect(mockIsPermittedCached).toHaveBeenCalledWith(
+          {
+            userId: mockUserId,
+            scope: mockScope,
+            permission: mockPermission,
+            pageId: mockPageId
+          },
+          undefined,
+          undefined
+        );
         expect(mockIsPermitted).not.toHaveBeenCalled();
       });
     });
@@ -123,12 +135,16 @@ describe('useCan Hook', () => {
       await waitFor(() => {
         expect(result.current.isLoading).toBe(false);
         expect(result.current.can).toBe(true);
-        expect(mockIsPermitted).toHaveBeenCalledWith({
-          userId: mockUserId,
-          scope: mockScope,
-          permission: mockPermission,
-          pageId: mockPageId
-        });
+        expect(mockIsPermitted).toHaveBeenCalledWith(
+          {
+            userId: mockUserId,
+            scope: mockScope,
+            permission: mockPermission,
+            pageId: mockPageId
+          },
+          undefined,
+          undefined
+        );
         expect(mockIsPermittedCached).not.toHaveBeenCalled();
       });
     });
@@ -158,12 +174,16 @@ describe('useCan Hook', () => {
 
       await waitFor(() => {
         expect(result.current.isLoading).toBe(false);
-        expect(mockIsPermitted).toHaveBeenCalledWith({
-          userId: mockUserId,
-          scope: mockScope,
-          permission: mockPermission,
-          pageId: 'custom-page'
-        });
+        expect(mockIsPermitted).toHaveBeenCalledWith(
+          {
+            userId: mockUserId,
+            scope: mockScope,
+            permission: mockPermission,
+            pageId: 'custom-page'
+          },
+          undefined,
+          undefined
+        );
       });
     });
 
@@ -176,12 +196,16 @@ describe('useCan Hook', () => {
 
       await waitFor(() => {
         expect(result.current.isLoading).toBe(false);
-        expect(mockIsPermitted).toHaveBeenCalledWith({
-          userId: mockUserId,
-          scope: mockScope,
-          permission: mockPermission,
-          pageId: undefined
-        });
+        expect(mockIsPermitted).toHaveBeenCalledWith(
+          {
+            userId: mockUserId,
+            scope: mockScope,
+            permission: mockPermission,
+            pageId: undefined
+          },
+          undefined,
+          undefined
+        );
       });
     });
   });
@@ -214,12 +238,16 @@ describe('useCan Hook', () => {
 
       await waitFor(() => {
         expect(mockIsPermitted).toHaveBeenCalledTimes(2);
-        expect(mockIsPermitted).toHaveBeenLastCalledWith({
-          userId: 'user-456',
-          scope: mockScope,
-          permission: mockPermission,
-          pageId: undefined
-        });
+        expect(mockIsPermitted).toHaveBeenLastCalledWith(
+          {
+            userId: 'user-456',
+            scope: mockScope,
+            permission: mockPermission,
+            pageId: undefined
+          },
+          undefined,
+          undefined
+        );
       });
     });
 
@@ -251,12 +279,16 @@ describe('useCan Hook', () => {
 
       await waitFor(() => {
         expect(mockIsPermitted).toHaveBeenCalledTimes(2);
-        expect(mockIsPermitted).toHaveBeenLastCalledWith({
-          userId: mockUserId,
-          scope: newScope,
-          permission: mockPermission,
-          pageId: undefined
-        });
+        expect(mockIsPermitted).toHaveBeenLastCalledWith(
+          {
+            userId: mockUserId,
+            scope: newScope,
+            permission: mockPermission,
+            pageId: undefined
+          },
+          undefined,
+          undefined
+        );
       });
     });
 
@@ -287,12 +319,16 @@ describe('useCan Hook', () => {
 
       await waitFor(() => {
         expect(mockIsPermitted).toHaveBeenCalledTimes(2);
-        expect(mockIsPermitted).toHaveBeenLastCalledWith({
-          userId: mockUserId,
-          scope: mockScope,
-          permission: 'create:users',
-          pageId: undefined
-        });
+        expect(mockIsPermitted).toHaveBeenLastCalledWith(
+          {
+            userId: mockUserId,
+            scope: mockScope,
+            permission: 'create:users',
+            pageId: undefined
+          },
+          undefined,
+          undefined
+        );
       });
     });
   });
@@ -359,12 +395,16 @@ describe('useCan Hook', () => {
         expect(result.current.error).toBeNull();
       });
 
-      expect(mockIsPermitted).toHaveBeenCalledWith({
+    expect(mockIsPermitted).toHaveBeenCalledWith(
+      {
         userId: mockUserId,
         scope: mockScope,
         permission: 'update:organisations',
         pageId: undefined
-      });
+      },
+      undefined,
+      undefined
+    );
     });
 
     it('denies super admin permissions for regular users', async () => {
@@ -495,12 +535,16 @@ describe('useCan Hook', () => {
         expect(result.current.error).toBeNull();
       });
 
-      expect(mockIsPermittedCached).toHaveBeenCalledWith({
+    expect(mockIsPermittedCached).toHaveBeenCalledWith(
+      {
         userId: mockUserId,
         scope: mockScope,
         permission: mockPermission,
         pageId: mockPageId
-      });
+      },
+      undefined,
+      undefined
+    );
     });
 
     it('handles permission denied with fallback to false', async () => {
@@ -579,12 +623,16 @@ describe('useCan Hook', () => {
       await waitFor(() => {
         expect(result.current.isLoading).toBe(false);
         expect(result.current.can).toBe(false);
-        expect(mockIsPermitted).toHaveBeenCalledWith({
-          userId: mockUserId,
-          scope: mockScope,
-          permission: '',
-          pageId: undefined
-        });
+        expect(mockIsPermitted).toHaveBeenCalledWith(
+          {
+            userId: mockUserId,
+            scope: mockScope,
+            permission: '',
+            pageId: undefined
+          },
+          undefined,
+          undefined
+        );
       });
     });