@jmruthers/pace-core 0.5.190 → 0.5.191

package/src/rbac/utils/__tests__/eventContext.unit.test.ts

@@ -0,0 +1,490 @@
+/**
+ * @file Event Context Utilities Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/EventContext/Tests
+ * @since 1.0.0
+ * 
+ * Comprehensive tests for event context utilities in the RBAC system.
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { SupabaseClient } from '@supabase/supabase-js';
+import { Database } from '../../../types/database';
+import { UUID, Scope } from '../../types';
+import {
+  getOrganisationFromEvent,
+  createScopeFromEvent,
+  isEventBasedScope,
+  isValidEventBasedScope,
+  clearAllOrgDerivationCache,
+  clearOrgDerivationCache
+} from '../eventContext';
+
+// Mock Supabase client
+const createMockSupabaseClient = () => {
+  const mockQuery = {
+    select: vi.fn().mockReturnThis(),
+    eq: vi.fn().mockReturnThis(),
+    single: vi.fn()
+  };
+
+  const fromMock = vi.fn().mockReturnValue(mockQuery);
+  
+  return {
+    from: fromMock,
+    query: mockQuery
+  } as unknown as SupabaseClient<Database>;
+};
+
+describe('Event Context Utilities', () => {
+  let mockSupabase: SupabaseClient<Database>;
+  let mockQuery: any;
+
+  beforeEach(() => {
+    // Clear cache before each test
+    clearAllOrgDerivationCache();
+    
+    mockSupabase = createMockSupabaseClient();
+    // Reset mockQuery to get a fresh query builder for each test
+    mockQuery = {
+      select: vi.fn().mockReturnThis(),
+      eq: vi.fn().mockReturnThis(),
+      single: vi.fn()
+    };
+    (mockSupabase.from as any).mockReturnValue(mockQuery);
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    // Clear cache after each test
+    clearAllOrgDerivationCache();
+  });
+
+  describe('getOrganisationFromEvent', () => {
+    it('should return organisation ID when event exists', async () => {
+      const eventId = 'event-123';
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBe(organisationId);
+      expect(mockSupabase.from).toHaveBeenCalledWith('core_events');
+      expect(mockQuery.select).toHaveBeenCalledWith('organisation_id');
+      expect(mockQuery.eq).toHaveBeenCalledWith('event_id', eventId);
+      expect(mockQuery.single).toHaveBeenCalled();
+    });
+
+    it('should return null when event does not exist', async () => {
+      const eventId = 'nonexistent-event';
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: { message: 'Event not found' }
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should return null when data is null', async () => {
+      const eventId = 'event-123';
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should handle database errors gracefully', async () => {
+      const eventId = 'event-123';
+      const dbError = new Error('Database connection failed');
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockRejectedValue(dbError);
+
+      await expect(getOrganisationFromEvent(mockSupabase, eventId))
+        .rejects.toThrow('Database connection failed');
+    });
+
+    it('should handle empty organisation_id', async () => {
+      const eventId = 'event-123';
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: null },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('createScopeFromEvent', () => {
+    it('should create complete scope when event exists', async () => {
+      const eventId = 'event-123';
+      const organisationId = 'org-456';
+      const appId = 'app-789';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId, appId);
+
+      expect(result).toEqual({
+        organisationId,
+        eventId,
+        appId
+      });
+    });
+
+    it('should create scope without appId when not provided', async () => {
+      const eventId = 'event-123';
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId);
+
+      expect(result).toEqual({
+        organisationId,
+        eventId,
+        appId: undefined
+      });
+    });
+
+    it('should return null when event does not exist', async () => {
+      const eventId = 'nonexistent-event';
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: { message: 'Event not found' }
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should return null when organisation lookup fails', async () => {
+      const eventId = 'event-123';
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: null },
+        error: null
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should handle database errors gracefully', async () => {
+      const eventId = 'event-123';
+      const dbError = new Error('Database connection failed');
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockRejectedValue(dbError);
+
+      await expect(createScopeFromEvent(mockSupabase, eventId))
+        .rejects.toThrow('Database connection failed');
+    });
+  });
+
+  describe('isEventBasedScope', () => {
+    it('should return true for event-based scope (no organisationId, has eventId)', () => {
+      const scope: Scope = {
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(true);
+    });
+
+    it('should return false when organisationId is present', () => {
+      const scope: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is missing', () => {
+      const scope: Scope = {
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when both organisationId and eventId are missing', () => {
+      const scope: Scope = {
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is null', () => {
+      const scope: Scope = {
+        eventId: null,
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is undefined', () => {
+      const scope: Scope = {
+        eventId: undefined,
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+  });
+
+  describe('isValidEventBasedScope', () => {
+    it('should return true for valid event-based scope', () => {
+      const scope: Scope = {
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+
+    it('should return false when eventId is missing', () => {
+      const scope: Scope = {
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is null', () => {
+      const scope: Scope = {
+        eventId: null,
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is undefined', () => {
+      const scope: Scope = {
+        eventId: undefined,
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when organisationId is present (not event-based)', () => {
+      const scope: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return true for event-based scope without appId', () => {
+      const scope: Scope = {
+        eventId: 'event-123'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+  });
+
+  describe('Edge Cases and Error Handling', () => {
+    it('should handle malformed event IDs', async () => {
+      const malformedEventId = '';
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: { message: 'Invalid event ID' }
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, malformedEventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should handle very long event IDs', async () => {
+      const longEventId = 'a'.repeat(1000);
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, longEventId);
+
+      expect(result).toBe(organisationId);
+      expect(mockQuery.eq).toHaveBeenCalledWith('event_id', longEventId);
+    });
+
+    it('should handle special characters in event IDs', async () => {
+      const specialEventId = 'event-123!@#$%^&*()';
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, specialEventId);
+
+      expect(result).toBe(organisationId);
+      expect(mockQuery.eq).toHaveBeenCalledWith('event_id', specialEventId);
+    });
+
+    it('should handle concurrent calls to getOrganisationFromEvent', async () => {
+      const eventId1 = 'event-123';
+      const eventId2 = 'event-456';
+      const organisationId1 = 'org-123';
+      const organisationId2 = 'org-456';
+      
+      // Clear cache for these specific events
+      clearOrgDerivationCache(eventId1);
+      clearOrgDerivationCache(eventId2);
+      
+      // Create separate query builders for concurrent calls
+      const mockQuery1 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId1 },
+          error: null
+        })
+      };
+      const mockQuery2 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId2 },
+          error: null
+        })
+      };
+      
+      (mockSupabase.from as any)
+        .mockReturnValueOnce(mockQuery1)
+        .mockReturnValueOnce(mockQuery2);
+
+      const [result1, result2] = await Promise.all([
+        getOrganisationFromEvent(mockSupabase, eventId1),
+        getOrganisationFromEvent(mockSupabase, eventId2)
+      ]);
+
+      expect(result1).toBe(organisationId1);
+      expect(result2).toBe(organisationId2);
+    });
+
+    it('should handle concurrent calls to createScopeFromEvent', async () => {
+      const eventId1 = 'event-123';
+      const eventId2 = 'event-456';
+      const organisationId1 = 'org-123';
+      const organisationId2 = 'org-456';
+      const appId1 = 'app-123';
+      const appId2 = 'app-456';
+      
+      // Clear cache for these specific events
+      clearOrgDerivationCache(eventId1);
+      clearOrgDerivationCache(eventId2);
+      
+      // Create separate query builders for concurrent calls
+      const mockQuery1 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId1 },
+          error: null
+        })
+      };
+      const mockQuery2 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId2 },
+          error: null
+        })
+      };
+      
+      (mockSupabase.from as any)
+        .mockReturnValueOnce(mockQuery1)
+        .mockReturnValueOnce(mockQuery2);
+
+      const [result1, result2] = await Promise.all([
+        createScopeFromEvent(mockSupabase, eventId1, appId1),
+        createScopeFromEvent(mockSupabase, eventId2, appId2)
+      ]);
+
+      expect(result1).toEqual({
+        organisationId: organisationId1,
+        eventId: eventId1,
+        appId: appId1
+      });
+      expect(result2).toEqual({
+        organisationId: organisationId2,
+        eventId: eventId2,
+        appId: appId2
+      });
+    });
+  });
+
+  describe('Type Safety', () => {
+    it('should handle UUID types correctly', () => {
+      const validUUID = '123e4567-e89b-12d3-a456-426614174000';
+      const scope: Scope = {
+        eventId: validUUID,
+        appId: validUUID
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+
+    it('should handle string types correctly', () => {
+      const stringId = 'event-123';
+      const scope: Scope = {
+        eventId: stringId,
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+  });
+});

package/src/rbac/utils/eventContext.ts

@@ -56,7 +56,7 @@ export async function getOrganisationFromEvent(
 
   // Query database
   const { data, error } = await supabase
-    .from('event')
+    .from('core_events')
     .select('organisation_id')
     .eq('event_id', eventId)
     .single() as { data: { organisation_id: string } | null; error: any };
@@ -65,8 +65,11 @@ export async function getOrganisationFromEvent(
 
   if (error || !data) {
     organisationId = null;
-  } else {
+  } else if (data.organisation_id) {
     organisationId = data.organisation_id;
+  } else {
+    // organisation_id is null or undefined
+    organisationId = null;
   }
 
   // Cache the result (with size limit to prevent memory leaks)

package/src/services/AuthService.ts

@@ -299,7 +299,15 @@ export class AuthService extends BaseService implements IAuthService {
   // Lifecycle methods
   async initialize(): Promise<void> {
     await super.initialize();
+    // Set loading to true before starting session restoration
+    // This ensures ProtectedRoute shows loading state while session is being restored
+    this.authLoading = true;
+    this.notify();
+    
+    // Setup auth state listener first - this will receive INITIAL_SESSION event
     await this.setupAuthStateListener();
+    
+    // Then restore session - this will trigger INITIAL_SESSION event if session exists
     await this.restoreSession();
   }
 
@@ -431,17 +439,25 @@ export class AuthService extends BaseService implements IAuthService {
                     this.sessionRestorationState.restorationError ||
                     (hasTimeoutError && session)) {
                   this.finishSessionRestoration();
-                  return;
+                }
+              } else {
+                // No session in INITIAL_SESSION event - user is not authenticated
+                // Finish restoration to clear loading state
+                if (this.sessionRestorationState.isRestoring) {
+                  this.finishSessionRestoration();
                 }
               }
 
-              if (this.sessionRestorationState.isRestoring) {
-                this.finishSessionRestoration();
-                return;
-              }
+              // CRITICAL: Set loading to false AFTER handling INITIAL_SESSION
+              // This ensures ProtectedRoute waits for session restoration to complete
+              // before checking authentication state
+              this.authLoading = false;
+              this.notify();
+              return; // Return early to avoid setting loading to false again below
             }
 
-            // Always set loading to false after any auth state change
+            // For other events (SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED), set loading to false
+            // INITIAL_SESSION is handled above and returns early
             this.authLoading = false;
             this.notify();
           } catch (error) {
@@ -519,8 +535,21 @@ export class AuthService extends BaseService implements IAuthService {
         this.authError = null;
       }
 
-      // Finish successfully even if earlier calls reported an error, to avoid noisy warnings in benign cases
-      this.finishSessionRestoration();
+      // CRITICAL FIX: Don't finish restoration here - wait for INITIAL_SESSION event
+      // The INITIAL_SESSION event should fire when the auth state listener is set up
+      // However, if it doesn't fire within a short delay (e.g., edge case), we'll finish it
+      // This ensures ProtectedRoute waits for the event before checking auth state
+      
+      // Set a short fallback timeout to finish restoration if INITIAL_SESSION doesn't fire
+      // This handles edge cases where the event might be delayed or not fire
+      setTimeout(() => {
+        // Only finish if restoration is still in progress and INITIAL_SESSION hasn't fired
+        // The INITIAL_SESSION handler will have set restorationComplete to true if it fired
+        if (this.sessionRestorationState.isRestoring && !this.sessionRestorationState.restorationComplete) {
+          logger.debug('AuthService', 'INITIAL_SESSION event did not fire, finishing restoration');
+          this.finishSessionRestoration();
+        }
+      }, 100); // 100ms fallback - INITIAL_SESSION should fire immediately when listener is set up
     } catch (error) {
       const restorationError = error instanceof Error
         ? error