@jmruthers/pace-core 0.5.190 → 0.5.193

package/src/rbac/hooks/useResolvedScope.ts

@@ -144,49 +144,74 @@ export function useResolvedScope({
         let appConfig: AppConfig | null = null;
         
         // Try to resolve app config from database (with caching)
+        // Only query if user is authenticated (RLS policies require authentication)
         if (supabase && appName) {
           try {
-            // Check cache first
-            const cached = appConfigCache.get(appName);
-            const now = Date.now();
-            if (cached && (now - cached.timestamp) < CACHE_TTL) {
-              appId = cached.appId;
-              appConfig = cached.appConfig;
+            // Check if user is authenticated before querying (RLS requires auth)
+            // HTTP 406 errors are expected when not authenticated, so we skip the query
+            const { data: session } = await supabase.auth.getSession();
+            if (!session?.session) {
+              // User not authenticated - skip app resolution, will retry after login
+              // This is expected on login pages, so don't log as error
+              log.debug(`Skipping app resolution for "${appName}" - user not authenticated`);
             } else {
-              // Cache miss or expired - fetch from database
-              const { data: app, error } = await supabase
-                .from('rbac_apps')
-                .select('id, name, requires_event, is_active')
-                .eq('name', appName)
-                .eq('is_active', true)
-                .single() as { data: { id: string; name: string; requires_event: boolean; is_active: boolean } | null; error: any };
-              
-              if (error) {
-                // Check if app exists but is inactive
-                const { data: inactiveApp } = await supabase
+              // Check cache first
+              const cached = appConfigCache.get(appName);
+              const now = Date.now();
+              if (cached && (now - cached.timestamp) < CACHE_TTL) {
+                appId = cached.appId;
+                appConfig = cached.appConfig;
+              } else {
+                // Cache miss or expired - fetch from database
+                const { data: app, error } = await supabase
                   .from('rbac_apps')
-                  .select('id, name, is_active')
+                  .select('id, name, requires_event, is_active')
                   .eq('name', appName)
-                  .single() as { data: { id: string; name: string; is_active: boolean } | null };
+                  .eq('is_active', true)
+                  .single() as { data: { id: string; name: string; requires_event: boolean; is_active: boolean } | null; error: any };
                 
-                if (inactiveApp) {
-                  log.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-                  // Don't cache inactive apps - set appId to undefined
-                  appId = undefined;
-                } else {
-                  log.error(`App "${appName}" not found in rbac_apps table`);
-                  // Don't cache missing apps - set appId to undefined
-                  appId = undefined;
+                if (error) {
+                  // HTTP 406 is expected when not authenticated (RLS blocks query)
+                  // Don't log as error if it's a 406 - this is expected behavior
+                  if (error.code === '406' || error.code === 'PGRST116' || error.message?.includes('406')) {
+                    log.debug(`App resolution blocked by RLS for "${appName}" - user may not be authenticated`);
+                    // Don't cache - will retry after authentication
+                    appId = undefined;
+                  } else {
+                    // Check if app exists but is inactive
+                    const { data: inactiveApp } = await supabase
+                      .from('rbac_apps')
+                      .select('id, name, is_active')
+                      .eq('name', appName)
+                      .single() as { data: { id: string; name: string; is_active: boolean } | null };
+                    
+                    if (inactiveApp) {
+                      log.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
+                      // Don't cache inactive apps - set appId to undefined
+                      appId = undefined;
+                    } else {
+                      log.error(`App "${appName}" not found in rbac_apps table`, { error });
+                      // Don't cache missing apps - set appId to undefined
+                      appId = undefined;
+                    }
+                  }
+                } else if (app) {
+                  appId = app.id;
+                  appConfig = { requires_event: app.requires_event ?? false };
+                  // Only cache successful lookups of active apps
+                  appConfigCache.set(appName, { appId, appConfig, timestamp: now });
                 }
-              } else if (app) {
-                appId = app.id;
-                appConfig = { requires_event: app.requires_event ?? false };
-                // Only cache successful lookups of active apps
-                appConfigCache.set(appName, { appId, appConfig, timestamp: now });
               }
             }
           } catch (error) {
-            log.error('Unexpected error resolving app config:', error);
+            // Handle network errors or other unexpected errors gracefully
+            // Don't log 406 errors as they're expected when not authenticated
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            if (!errorMessage.includes('406') && !errorMessage.includes('PGRST116')) {
+              log.error('Unexpected error resolving app config:', error);
+            } else {
+              log.debug('App resolution skipped - authentication required');
+            }
           }
         }
 

package/src/rbac/hooks/useSecureSupabase.ts

@@ -120,7 +120,7 @@ import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
 import { useResolvedScope } from './useResolvedScope';
-import { useSuperAdminBypass } from './useSuperAdminBypass';
+import { useOrganisationSecurity } from '../../hooks/useOrganisationSecurity';
 import { createSecureClient, SecureSupabaseClient } from '../secureClient';
 import type { Database } from '../../types/database';
 import type { SupabaseClient } from '@supabase/supabase-js';
@@ -215,14 +215,9 @@ export function useSecureSupabase(
   const eventLoading = 'eventLoading' in eventsContext ? eventsContext.eventLoading : false;
   
   // Check super admin status for conditional filtering
-  // Use both verified status and metadata hint to avoid race conditions
-  // Strategy: Use verified status if available, otherwise use metadata hint during verification
-  // This prevents creating clients with wrong super admin status before verification completes
-  const { isSuperAdmin: verifiedIsSuperAdmin, isLoading: isVerifyingSuperAdmin } = useSuperAdminBypass();
-  const metadataHint = Boolean(user?.app_metadata?.is_super_admin) || Boolean(user?.user_metadata?.is_super_admin);
-  // If verified as super admin, use that. If verification in progress, use metadata hint optimistically.
-  // Once verification completes and user is not super admin, verifiedIsSuperAdmin will be false.
-  const isSuperAdmin = verifiedIsSuperAdmin || (isVerifyingSuperAdmin && metadataHint);
+  // Use verified status from useOrganisationSecurity which checks the database
+  const { superAdminContext } = useOrganisationSecurity();
+  const isSuperAdmin = superAdminContext.isSuperAdmin;
 
   // Resolve scope to get appId
   const { resolvedScope } = useResolvedScope({

package/src/rbac/secureClient.ts

@@ -152,6 +152,19 @@ export class SecureSupabaseClient {
 
     // Override insert to add organisation context
     query.insert = (values: any) => {
+      // Tables that don't have organisation_id column
+      const tablesWithoutOrganisationId = [
+        'core_organisations', // Organisation table itself - uses 'id' as primary key
+        'rbac_apps', // App configuration table - no organisation scope
+        'rbac_app_pages', // Page configuration table - scoped by app_id, not organisation_id
+        'rbac_global_roles', // Global roles - no organisation scope
+      ];
+      
+      // Skip adding organisation_id for tables that don't have it
+      if (tablesWithoutOrganisationId.includes(tableName)) {
+        return originalInsert(values);
+      }
+      
       // For rbac_user_profiles, only add organisation_id if not super admin
       // Super admins can create users in any org, non-super-admins are restricted
       if (tableName === 'rbac_user_profiles') {
@@ -204,6 +217,24 @@ export class SecureSupabaseClient {
    * - Always apply org filter unless super admin bypasses it
    */
   private addOrganisationFilter(query: any, tableName: string) {
+    // Tables that don't have organisation_id column - RLS policies handle access control
+    const tablesWithoutOrganisationId = [
+      'core_organisations', // Organisation table itself - uses 'id' as primary key
+      'rbac_apps', // App configuration table - no organisation scope
+      'rbac_app_pages', // Page configuration table - scoped by app_id, not organisation_id
+      'rbac_global_roles', // Global roles - no organisation scope
+    ];
+    
+    // Skip organisation filter for tables that don't have organisation_id column
+    if (tablesWithoutOrganisationId.includes(tableName)) {
+      return query; // RLS policies handle access control for these tables
+    }
+
+    // If organisation context is not set, don't add a filter (e.g., super admin without selected org)
+    if (!this.organisationId) {
+      return query;
+    }
+    
     // For rbac_user_profiles, use conditional filtering based on super admin status
     if (tableName === 'rbac_user_profiles') {
       // Super admins: No org filter (see all users via RLS)

package/src/rbac/utils/__tests__/eventContext.test.ts

@@ -41,7 +41,7 @@ describe('Event Context Utilities', () => {
     // Clear cache before each test to prevent test interference
     clearAllOrgDerivationCache();
     mockSupabase = createMockSupabaseClient();
-    mockQuery = mockSupabase.from('event');
+    mockQuery = mockSupabase.from('core_events');
   });
 
   afterEach(() => {
@@ -63,7 +63,7 @@ describe('Event Context Utilities', () => {
       const result = await getOrganisationFromEvent(mockSupabase, eventId);
 
       expect(result).toBe(organisationId);
-      expect(mockSupabase.from).toHaveBeenCalledWith('event');
+      expect(mockSupabase.from).toHaveBeenCalledWith('core_events');
       expect(mockQuery.select).toHaveBeenCalledWith('organisation_id');
       expect(mockQuery.eq).toHaveBeenCalledWith('event_id', eventId);
       expect(mockQuery.single).toHaveBeenCalled();

package/src/rbac/utils/__tests__/eventContext.unit.test.ts

@@ -0,0 +1,490 @@
+/**
+ * @file Event Context Utilities Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/EventContext/Tests
+ * @since 1.0.0
+ * 
+ * Comprehensive tests for event context utilities in the RBAC system.
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { SupabaseClient } from '@supabase/supabase-js';
+import { Database } from '../../../types/database';
+import { UUID, Scope } from '../../types';
+import {
+  getOrganisationFromEvent,
+  createScopeFromEvent,
+  isEventBasedScope,
+  isValidEventBasedScope,
+  clearAllOrgDerivationCache,
+  clearOrgDerivationCache
+} from '../eventContext';
+
+// Mock Supabase client
+const createMockSupabaseClient = () => {
+  const mockQuery = {
+    select: vi.fn().mockReturnThis(),
+    eq: vi.fn().mockReturnThis(),
+    single: vi.fn()
+  };
+
+  const fromMock = vi.fn().mockReturnValue(mockQuery);
+  
+  return {
+    from: fromMock,
+    query: mockQuery
+  } as unknown as SupabaseClient<Database>;
+};
+
+describe('Event Context Utilities', () => {
+  let mockSupabase: SupabaseClient<Database>;
+  let mockQuery: any;
+
+  beforeEach(() => {
+    // Clear cache before each test
+    clearAllOrgDerivationCache();
+    
+    mockSupabase = createMockSupabaseClient();
+    // Reset mockQuery to get a fresh query builder for each test
+    mockQuery = {
+      select: vi.fn().mockReturnThis(),
+      eq: vi.fn().mockReturnThis(),
+      single: vi.fn()
+    };
+    (mockSupabase.from as any).mockReturnValue(mockQuery);
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    // Clear cache after each test
+    clearAllOrgDerivationCache();
+  });
+
+  describe('getOrganisationFromEvent', () => {
+    it('should return organisation ID when event exists', async () => {
+      const eventId = 'event-123';
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBe(organisationId);
+      expect(mockSupabase.from).toHaveBeenCalledWith('core_events');
+      expect(mockQuery.select).toHaveBeenCalledWith('organisation_id');
+      expect(mockQuery.eq).toHaveBeenCalledWith('event_id', eventId);
+      expect(mockQuery.single).toHaveBeenCalled();
+    });
+
+    it('should return null when event does not exist', async () => {
+      const eventId = 'nonexistent-event';
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: { message: 'Event not found' }
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should return null when data is null', async () => {
+      const eventId = 'event-123';
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should handle database errors gracefully', async () => {
+      const eventId = 'event-123';
+      const dbError = new Error('Database connection failed');
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockRejectedValue(dbError);
+
+      await expect(getOrganisationFromEvent(mockSupabase, eventId))
+        .rejects.toThrow('Database connection failed');
+    });
+
+    it('should handle empty organisation_id', async () => {
+      const eventId = 'event-123';
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: null },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('createScopeFromEvent', () => {
+    it('should create complete scope when event exists', async () => {
+      const eventId = 'event-123';
+      const organisationId = 'org-456';
+      const appId = 'app-789';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId, appId);
+
+      expect(result).toEqual({
+        organisationId,
+        eventId,
+        appId
+      });
+    });
+
+    it('should create scope without appId when not provided', async () => {
+      const eventId = 'event-123';
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId);
+
+      expect(result).toEqual({
+        organisationId,
+        eventId,
+        appId: undefined
+      });
+    });
+
+    it('should return null when event does not exist', async () => {
+      const eventId = 'nonexistent-event';
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: { message: 'Event not found' }
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should return null when organisation lookup fails', async () => {
+      const eventId = 'event-123';
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: null },
+        error: null
+      });
+
+      const result = await createScopeFromEvent(mockSupabase, eventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should handle database errors gracefully', async () => {
+      const eventId = 'event-123';
+      const dbError = new Error('Database connection failed');
+      
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
+      
+      mockQuery.single.mockRejectedValue(dbError);
+
+      await expect(createScopeFromEvent(mockSupabase, eventId))
+        .rejects.toThrow('Database connection failed');
+    });
+  });
+
+  describe('isEventBasedScope', () => {
+    it('should return true for event-based scope (no organisationId, has eventId)', () => {
+      const scope: Scope = {
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(true);
+    });
+
+    it('should return false when organisationId is present', () => {
+      const scope: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is missing', () => {
+      const scope: Scope = {
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when both organisationId and eventId are missing', () => {
+      const scope: Scope = {
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is null', () => {
+      const scope: Scope = {
+        eventId: null,
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is undefined', () => {
+      const scope: Scope = {
+        eventId: undefined,
+        appId: 'app-456'
+      };
+
+      expect(isEventBasedScope(scope)).toBe(false);
+    });
+  });
+
+  describe('isValidEventBasedScope', () => {
+    it('should return true for valid event-based scope', () => {
+      const scope: Scope = {
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+
+    it('should return false when eventId is missing', () => {
+      const scope: Scope = {
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is null', () => {
+      const scope: Scope = {
+        eventId: null,
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when eventId is undefined', () => {
+      const scope: Scope = {
+        eventId: undefined,
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return false when organisationId is present (not event-based)', () => {
+      const scope: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(false);
+    });
+
+    it('should return true for event-based scope without appId', () => {
+      const scope: Scope = {
+        eventId: 'event-123'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+  });
+
+  describe('Edge Cases and Error Handling', () => {
+    it('should handle malformed event IDs', async () => {
+      const malformedEventId = '';
+      
+      mockQuery.single.mockResolvedValue({
+        data: null,
+        error: { message: 'Invalid event ID' }
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, malformedEventId);
+
+      expect(result).toBeNull();
+    });
+
+    it('should handle very long event IDs', async () => {
+      const longEventId = 'a'.repeat(1000);
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, longEventId);
+
+      expect(result).toBe(organisationId);
+      expect(mockQuery.eq).toHaveBeenCalledWith('event_id', longEventId);
+    });
+
+    it('should handle special characters in event IDs', async () => {
+      const specialEventId = 'event-123!@#$%^&*()';
+      const organisationId = 'org-456';
+      
+      mockQuery.single.mockResolvedValue({
+        data: { organisation_id: organisationId },
+        error: null
+      });
+
+      const result = await getOrganisationFromEvent(mockSupabase, specialEventId);
+
+      expect(result).toBe(organisationId);
+      expect(mockQuery.eq).toHaveBeenCalledWith('event_id', specialEventId);
+    });
+
+    it('should handle concurrent calls to getOrganisationFromEvent', async () => {
+      const eventId1 = 'event-123';
+      const eventId2 = 'event-456';
+      const organisationId1 = 'org-123';
+      const organisationId2 = 'org-456';
+      
+      // Clear cache for these specific events
+      clearOrgDerivationCache(eventId1);
+      clearOrgDerivationCache(eventId2);
+      
+      // Create separate query builders for concurrent calls
+      const mockQuery1 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId1 },
+          error: null
+        })
+      };
+      const mockQuery2 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId2 },
+          error: null
+        })
+      };
+      
+      (mockSupabase.from as any)
+        .mockReturnValueOnce(mockQuery1)
+        .mockReturnValueOnce(mockQuery2);
+
+      const [result1, result2] = await Promise.all([
+        getOrganisationFromEvent(mockSupabase, eventId1),
+        getOrganisationFromEvent(mockSupabase, eventId2)
+      ]);
+
+      expect(result1).toBe(organisationId1);
+      expect(result2).toBe(organisationId2);
+    });
+
+    it('should handle concurrent calls to createScopeFromEvent', async () => {
+      const eventId1 = 'event-123';
+      const eventId2 = 'event-456';
+      const organisationId1 = 'org-123';
+      const organisationId2 = 'org-456';
+      const appId1 = 'app-123';
+      const appId2 = 'app-456';
+      
+      // Clear cache for these specific events
+      clearOrgDerivationCache(eventId1);
+      clearOrgDerivationCache(eventId2);
+      
+      // Create separate query builders for concurrent calls
+      const mockQuery1 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId1 },
+          error: null
+        })
+      };
+      const mockQuery2 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { organisation_id: organisationId2 },
+          error: null
+        })
+      };
+      
+      (mockSupabase.from as any)
+        .mockReturnValueOnce(mockQuery1)
+        .mockReturnValueOnce(mockQuery2);
+
+      const [result1, result2] = await Promise.all([
+        createScopeFromEvent(mockSupabase, eventId1, appId1),
+        createScopeFromEvent(mockSupabase, eventId2, appId2)
+      ]);
+
+      expect(result1).toEqual({
+        organisationId: organisationId1,
+        eventId: eventId1,
+        appId: appId1
+      });
+      expect(result2).toEqual({
+        organisationId: organisationId2,
+        eventId: eventId2,
+        appId: appId2
+      });
+    });
+  });
+
+  describe('Type Safety', () => {
+    it('should handle UUID types correctly', () => {
+      const validUUID = '123e4567-e89b-12d3-a456-426614174000';
+      const scope: Scope = {
+        eventId: validUUID,
+        appId: validUUID
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+
+    it('should handle string types correctly', () => {
+      const stringId = 'event-123';
+      const scope: Scope = {
+        eventId: stringId,
+        appId: 'app-456'
+      };
+
+      expect(isValidEventBasedScope(scope)).toBe(true);
+    });
+  });
+});