@jmruthers/pace-core 0.5.191 → 0.5.193

package/src/rbac/hooks/useResolvedScope.ts

@@ -144,49 +144,74 @@ export function useResolvedScope({
         let appConfig: AppConfig | null = null;
         
         // Try to resolve app config from database (with caching)
+        // Only query if user is authenticated (RLS policies require authentication)
         if (supabase && appName) {
           try {
-            // Check cache first
-            const cached = appConfigCache.get(appName);
-            const now = Date.now();
-            if (cached && (now - cached.timestamp) < CACHE_TTL) {
-              appId = cached.appId;
-              appConfig = cached.appConfig;
+            // Check if user is authenticated before querying (RLS requires auth)
+            // HTTP 406 errors are expected when not authenticated, so we skip the query
+            const { data: session } = await supabase.auth.getSession();
+            if (!session?.session) {
+              // User not authenticated - skip app resolution, will retry after login
+              // This is expected on login pages, so don't log as error
+              log.debug(`Skipping app resolution for "${appName}" - user not authenticated`);
             } else {
-              // Cache miss or expired - fetch from database
-              const { data: app, error } = await supabase
-                .from('rbac_apps')
-                .select('id, name, requires_event, is_active')
-                .eq('name', appName)
-                .eq('is_active', true)
-                .single() as { data: { id: string; name: string; requires_event: boolean; is_active: boolean } | null; error: any };
-              
-              if (error) {
-                // Check if app exists but is inactive
-                const { data: inactiveApp } = await supabase
+              // Check cache first
+              const cached = appConfigCache.get(appName);
+              const now = Date.now();
+              if (cached && (now - cached.timestamp) < CACHE_TTL) {
+                appId = cached.appId;
+                appConfig = cached.appConfig;
+              } else {
+                // Cache miss or expired - fetch from database
+                const { data: app, error } = await supabase
                   .from('rbac_apps')
-                  .select('id, name, is_active')
+                  .select('id, name, requires_event, is_active')
                   .eq('name', appName)
-                  .single() as { data: { id: string; name: string; is_active: boolean } | null };
+                  .eq('is_active', true)
+                  .single() as { data: { id: string; name: string; requires_event: boolean; is_active: boolean } | null; error: any };
                 
-                if (inactiveApp) {
-                  log.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-                  // Don't cache inactive apps - set appId to undefined
-                  appId = undefined;
-                } else {
-                  log.error(`App "${appName}" not found in rbac_apps table`);
-                  // Don't cache missing apps - set appId to undefined
-                  appId = undefined;
+                if (error) {
+                  // HTTP 406 is expected when not authenticated (RLS blocks query)
+                  // Don't log as error if it's a 406 - this is expected behavior
+                  if (error.code === '406' || error.code === 'PGRST116' || error.message?.includes('406')) {
+                    log.debug(`App resolution blocked by RLS for "${appName}" - user may not be authenticated`);
+                    // Don't cache - will retry after authentication
+                    appId = undefined;
+                  } else {
+                    // Check if app exists but is inactive
+                    const { data: inactiveApp } = await supabase
+                      .from('rbac_apps')
+                      .select('id, name, is_active')
+                      .eq('name', appName)
+                      .single() as { data: { id: string; name: string; is_active: boolean } | null };
+                    
+                    if (inactiveApp) {
+                      log.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
+                      // Don't cache inactive apps - set appId to undefined
+                      appId = undefined;
+                    } else {
+                      log.error(`App "${appName}" not found in rbac_apps table`, { error });
+                      // Don't cache missing apps - set appId to undefined
+                      appId = undefined;
+                    }
+                  }
+                } else if (app) {
+                  appId = app.id;
+                  appConfig = { requires_event: app.requires_event ?? false };
+                  // Only cache successful lookups of active apps
+                  appConfigCache.set(appName, { appId, appConfig, timestamp: now });
                 }
-              } else if (app) {
-                appId = app.id;
-                appConfig = { requires_event: app.requires_event ?? false };
-                // Only cache successful lookups of active apps
-                appConfigCache.set(appName, { appId, appConfig, timestamp: now });
               }
             }
           } catch (error) {
-            log.error('Unexpected error resolving app config:', error);
+            // Handle network errors or other unexpected errors gracefully
+            // Don't log 406 errors as they're expected when not authenticated
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            if (!errorMessage.includes('406') && !errorMessage.includes('PGRST116')) {
+              log.error('Unexpected error resolving app config:', error);
+            } else {
+              log.debug('App resolution skipped - authentication required');
+            }
           }
         }
 

package/src/rbac/hooks/useSecureSupabase.ts

@@ -120,7 +120,7 @@ import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
 import { useResolvedScope } from './useResolvedScope';
-import { useSuperAdminBypass } from './useSuperAdminBypass';
+import { useOrganisationSecurity } from '../../hooks/useOrganisationSecurity';
 import { createSecureClient, SecureSupabaseClient } from '../secureClient';
 import type { Database } from '../../types/database';
 import type { SupabaseClient } from '@supabase/supabase-js';
@@ -215,14 +215,9 @@ export function useSecureSupabase(
   const eventLoading = 'eventLoading' in eventsContext ? eventsContext.eventLoading : false;
   
   // Check super admin status for conditional filtering
-  // Use both verified status and metadata hint to avoid race conditions
-  // Strategy: Use verified status if available, otherwise use metadata hint during verification
-  // This prevents creating clients with wrong super admin status before verification completes
-  const { isSuperAdmin: verifiedIsSuperAdmin, isLoading: isVerifyingSuperAdmin } = useSuperAdminBypass();
-  const metadataHint = Boolean(user?.app_metadata?.is_super_admin) || Boolean(user?.user_metadata?.is_super_admin);
-  // If verified as super admin, use that. If verification in progress, use metadata hint optimistically.
-  // Once verification completes and user is not super admin, verifiedIsSuperAdmin will be false.
-  const isSuperAdmin = verifiedIsSuperAdmin || (isVerifyingSuperAdmin && metadataHint);
+  // Use verified status from useOrganisationSecurity which checks the database
+  const { superAdminContext } = useOrganisationSecurity();
+  const isSuperAdmin = superAdminContext.isSuperAdmin;
 
   // Resolve scope to get appId
   const { resolvedScope } = useResolvedScope({

package/src/rbac/secureClient.ts

@@ -152,6 +152,19 @@ export class SecureSupabaseClient {
 
     // Override insert to add organisation context
     query.insert = (values: any) => {
+      // Tables that don't have organisation_id column
+      const tablesWithoutOrganisationId = [
+        'core_organisations', // Organisation table itself - uses 'id' as primary key
+        'rbac_apps', // App configuration table - no organisation scope
+        'rbac_app_pages', // Page configuration table - scoped by app_id, not organisation_id
+        'rbac_global_roles', // Global roles - no organisation scope
+      ];
+      
+      // Skip adding organisation_id for tables that don't have it
+      if (tablesWithoutOrganisationId.includes(tableName)) {
+        return originalInsert(values);
+      }
+      
       // For rbac_user_profiles, only add organisation_id if not super admin
       // Super admins can create users in any org, non-super-admins are restricted
       if (tableName === 'rbac_user_profiles') {
@@ -204,6 +217,24 @@ export class SecureSupabaseClient {
    * - Always apply org filter unless super admin bypasses it
    */
   private addOrganisationFilter(query: any, tableName: string) {
+    // Tables that don't have organisation_id column - RLS policies handle access control
+    const tablesWithoutOrganisationId = [
+      'core_organisations', // Organisation table itself - uses 'id' as primary key
+      'rbac_apps', // App configuration table - no organisation scope
+      'rbac_app_pages', // Page configuration table - scoped by app_id, not organisation_id
+      'rbac_global_roles', // Global roles - no organisation scope
+    ];
+    
+    // Skip organisation filter for tables that don't have organisation_id column
+    if (tablesWithoutOrganisationId.includes(tableName)) {
+      return query; // RLS policies handle access control for these tables
+    }
+
+    // If organisation context is not set, don't add a filter (e.g., super admin without selected org)
+    if (!this.organisationId) {
+      return query;
+    }
+    
     // For rbac_user_profiles, use conditional filtering based on super admin status
     if (tableName === 'rbac_user_profiles') {
       // Super admins: No org filter (see all users via RLS)

package/src/services/EventService.ts

@@ -116,10 +116,6 @@ export class EventService extends BaseService implements IEventService {
     if (user?.id) {
       try {
         this.isSuperAdmin = await isSuperAdmin(user.id as UUID);
-        logger.debug('EventService', 'Updated super admin status', {
-          userId: user.id,
-          isSuperAdmin: this.isSuperAdmin
-        });
       } catch (error) {
         logger.warn('EventService', 'Failed to check super admin status', { error });
         this.isSuperAdmin = false; // Default to false on error
@@ -151,9 +147,10 @@ export class EventService extends BaseService implements IEventService {
 
   // Event state getters
   getEvents(): Event[] {
-    // Return a new array reference so React can detect changes
-    // This ensures useMemo dependencies work correctly
-    return [...this.events];
+    // Return stable array reference - only create new array when events actually change
+    // This prevents unnecessary re-renders when getEvents() is called on every render
+    // The service's notify() mechanism handles change detection
+    return this.events;
   }
 
   getSelectedEvent(): Event | null {
@@ -308,12 +305,6 @@ export class EventService extends BaseService implements IEventService {
   async initialize(): Promise<void> {
     // Only call super.initialize() which will call doInitialize() and fetchEvents()
     // Don't call fetchEvents() again here to avoid double-fetching
-    logger.debug('EventService', 'initialize() called', {
-      isInitializedRef: this.isInitializedRef,
-      hasUser: !!this.user,
-      hasSession: !!this.session,
-      appName: this.appName
-    });
     await super.initialize();
   }
 
@@ -322,23 +313,13 @@ export class EventService extends BaseService implements IEventService {
   }
 
   protected async doInitialize(): Promise<void> {
-    logger.debug('EventService', 'doInitialize() called', {
-      isInitializedRef: this.isInitializedRef,
-      isFetchingRef: this.isFetchingRef,
-      hasUser: !!this.user,
-      hasSession: !!this.session,
-      appName: this.appName
-    });
-    
     // Skip if already initialized
     if (this.isInitializedRef) {
-      logger.debug('EventService', 'Skipping initialization - already initialized');
       return;
     }
     
     // Skip if already fetching
     if (this.isFetchingRef) {
-      logger.debug('EventService', 'Skipping initialization - already fetching');
       return;
     }
     
@@ -355,16 +336,9 @@ export class EventService extends BaseService implements IEventService {
     // For event-required apps, selectedOrganisation may be null (org derived from event)
     // For org-required apps, selectedOrganisation is required
     if (!this.user) {
-      logger.debug('EventService', 'Skipping initialization - missing user');
       return;
     }
     
-    logger.debug('EventService', 'Initializing - fetching events', {
-      userId: this.user.id,
-      organisationId: this.selectedOrganisation?.id || 'derived-from-event',
-      appName: this.appName
-    });
-    
     // Initial setup - fetch events on initialization
     await this.fetchEvents(false);
     
@@ -380,12 +354,6 @@ export class EventService extends BaseService implements IEventService {
     // For event-required apps, selectedOrganisation may be null (org derived from event)
     // For org-required apps, selectedOrganisation is required
     if (!this.user || !this.session || !this.supabaseClient || !this.appName) {
-      logger.debug('EventService', 'Skipping fetchEvents - missing dependencies', {
-        hasUser: !!this.user,
-        hasSession: !!this.session,
-        hasSupabaseClient: !!this.supabaseClient,
-        appName: this.appName
-      });
       // Already false from initialization, just notify
       this.notify();
       return;
@@ -397,7 +365,6 @@ export class EventService extends BaseService implements IEventService {
 
     // Prevent multiple simultaneous fetches
     if (this.isFetchingRef) {
-      logger.debug('EventService', 'Skipping fetchEvents - already fetching');
       return;
     }
 
@@ -431,9 +398,6 @@ export class EventService extends BaseService implements IEventService {
         if (userIsSuperAdmin) {
           // Super admin: Pass null to see all events across all organisations
           organisationIdForRpc = null;
-          logger.debug('EventService', 'Super admin detected - fetching all events', {
-            userId: this.user.id
-          });
         } else {
           // Not super admin: determine org from context based on app type
           if (this.selectedEvent) {
@@ -443,10 +407,6 @@ export class EventService extends BaseService implements IEventService {
             // Event-required app with no selected event yet: pass null to get all accessible events
             // The RPC will filter by event app roles, returning all events the user has access to
             organisationIdForRpc = null;
-            logger.debug('EventService', 'Event-required app: fetching all accessible events (no event selected yet)', {
-              userId: this.user.id,
-              appName: this.appName
-            });
           } else if (this.selectedOrganisation) {
             // Org-required app: use selected organisation
             organisationIdForRpc = this.selectedOrganisation.id;
@@ -476,12 +436,6 @@ export class EventService extends BaseService implements IEventService {
         }
       }
       
-      logger.debug('EventService', 'Fetching events via RPC', {
-        userId: this.user.id,
-        organisationId: organisationIdForRpc,
-        appName: this.appName
-      });
-      
       // Call the RPC function following the established pattern
       // For super admins, pass null for p_organisation_id to see all events
       let { data, error: rpcError } = await this.supabaseClient.rpc('data_user_events_get', {
@@ -490,13 +444,6 @@ export class EventService extends BaseService implements IEventService {
         p_app_name: this.appName
       });
       
-      logger.debug('EventService', 'RPC response received', {
-        hasData: !!data,
-        dataLength: Array.isArray(data) ? data.length : 'not array',
-        hasError: !!rpcError,
-        error: rpcError
-      });
-
       if (rpcError) {
         logger.error('EventService', 'RPC error fetching events:', rpcError);
         throw new Error(rpcError.message || 'Failed to fetch events');

package/src/services/InactivityService.ts

@@ -145,12 +145,31 @@ export class InactivityService extends BaseService implements IInactivityService
     if (this.inactivityTracker) {
       this.inactivityTracker.resetActivity();
     }
+    
+    // Store previous values
+    const prevIsIdle = this._isIdle;
+    const prevShowWarning = this._showWarning;
+    const prevShowInactivityWarning = this._showInactivityWarning;
+    const prevInactivityTimeRemaining = this._inactivityTimeRemaining;
+    const prevTimeRemaining = this._timeRemaining;
+    
+    // Update state
     this._isIdle = false;
     this._showWarning = false;
     this._showInactivityWarning = false;
     this._inactivityTimeRemaining = 0;
     this._timeRemaining = this.idleTimeoutMs;
-    this.notify();
+    
+    // Only notify if values actually changed
+    if (
+      prevIsIdle !== this._isIdle ||
+      prevShowWarning !== this._showWarning ||
+      prevShowInactivityWarning !== this._showInactivityWarning ||
+      prevInactivityTimeRemaining !== this._inactivityTimeRemaining ||
+      prevTimeRemaining !== this._timeRemaining
+    ) {
+      this.notify();
+    }
   }
 
   startTracking(): void {
@@ -275,10 +294,63 @@ export class InactivityService extends BaseService implements IInactivityService
     let idleTimer: NodeJS.Timeout | null = null;
     let warningTimer: NodeJS.Timeout | null = null;
     let lastActivity = Date.now();
-
-    const resetTimers = () => {
-      lastActivity = Date.now();
+    let pollInterval: NodeJS.Timeout | null = null;
+    
+    // Store previous state for comparison
+    let prevIsIdle = false;
+    let prevShowWarning = false;
+    let prevShowInactivityWarning = false;
+    let prevInactivityTimeRemaining = 0;
+    let prevTimeRemaining = this.idleTimeoutMs;
+
+    // Poll every 10 seconds to check for state changes
+    const pollInactivityState = () => {
+      const now = Date.now();
+      const timeSinceActivity = now - lastActivity;
+      const timeUntilIdle = this.idleTimeoutMs - timeSinceActivity;
+      const timeUntilWarning = (this.idleTimeoutMs - this.warnBeforeMs) - timeSinceActivity;
+      
+      // Calculate new state values based on time since last activity
+      const newIsIdle = timeSinceActivity >= (this.idleTimeoutMs - this.warnBeforeMs);
+      const newShowWarning = newIsIdle && timeSinceActivity < this.idleTimeoutMs;
+      const newShowInactivityWarning = newShowWarning;
+      const newInactivityTimeRemaining = newShowWarning 
+        ? Math.ceil((this.idleTimeoutMs - timeSinceActivity) / 1000)
+        : 0;
+      const newTimeRemaining = Math.max(0, timeUntilIdle);
+      
+      // Check if state actually changed
+      const stateChanged = 
+        prevIsIdle !== newIsIdle ||
+        prevShowWarning !== newShowWarning ||
+        prevShowInactivityWarning !== newShowInactivityWarning ||
+        prevInactivityTimeRemaining !== newInactivityTimeRemaining ||
+        prevTimeRemaining !== newTimeRemaining;
+      
+      // Only update and notify if state changed
+      if (stateChanged) {
+        this._isIdle = newIsIdle;
+        this._showWarning = newShowWarning;
+        this._showInactivityWarning = newShowInactivityWarning;
+        this._inactivityTimeRemaining = newInactivityTimeRemaining;
+        this._timeRemaining = newTimeRemaining;
+        
+        // Update previous state
+        prevIsIdle = newIsIdle;
+        prevShowWarning = newShowWarning;
+        prevShowInactivityWarning = newShowInactivityWarning;
+        prevInactivityTimeRemaining = newInactivityTimeRemaining;
+        prevTimeRemaining = newTimeRemaining;
+        
+        this.notify();
+        
+        // Handle idle logout if needed
+        if (newIsIdle && timeSinceActivity >= this.idleTimeoutMs) {
+          this.handleIdleLogout();
+        }
+      }
       
+      // Update timers based on current state
       if (idleTimer) {
         clearTimeout(idleTimer);
         idleTimer = null;
@@ -288,47 +360,58 @@ export class InactivityService extends BaseService implements IInactivityService
         clearTimeout(warningTimer);
         warningTimer = null;
       }
-
-      this._showInactivityWarning = false;
-      this._inactivityTimeRemaining = 0;
-      this._isIdle = false;
-      this._showWarning = false;
-      this.notify();
-    };
-
-    const startIdleTimer = () => {
-      if (idleTimer) {
-        clearTimeout(idleTimer);
+      
+      // Set up timers for next state transitions
+      if (!newIsIdle && timeUntilIdle > 0) {
+        idleTimer = setTimeout(() => {
+          pollInactivityState();
+        }, Math.min(10000, timeUntilIdle));
       }
-
-      idleTimer = setTimeout(() => {
-        this._isIdle = true;
-        this._showWarning = true;
-        this.notify();
-        
-        // Start warning timer
+      
+      if (newShowWarning && timeUntilIdle > 0) {
         warningTimer = setTimeout(() => {
           this.handleIdleLogout();
-        }, this.warnBeforeMs);
-      }, this.idleTimeoutMs - this.warnBeforeMs);
+        }, timeUntilIdle);
+      }
     };
 
-    const startWarningTimer = () => {
+    const resetTimers = () => {
+      // Only update lastActivity - don't notify yet
+      lastActivity = Date.now();
+      
+      // Clear timers
+      if (idleTimer) {
+        clearTimeout(idleTimer);
+        idleTimer = null;
+      }
+      
       if (warningTimer) {
         clearTimeout(warningTimer);
+        warningTimer = null;
       }
-
-      warningTimer = setTimeout(() => {
-        this.handleIdleLogout();
-      }, this.warnBeforeMs);
+      
+      // Reset state values (will be checked on next poll)
+      this._showInactivityWarning = false;
+      this._inactivityTimeRemaining = 0;
+      this._isIdle = false;
+      this._showWarning = false;
+      
+      // Update previous state to match
+      prevIsIdle = false;
+      prevShowWarning = false;
+      prevShowInactivityWarning = false;
+      prevInactivityTimeRemaining = 0;
+      prevTimeRemaining = this.idleTimeoutMs;
+      
+      // Poll will check and notify if needed
     };
 
-    // Activity detection
+    // Activity detection - only updates lastActivity, doesn't notify
     const activityEvents = ['mousedown', 'mousemove', 'keypress', 'scroll', 'touchstart', 'click'];
     
     const handleActivity = () => {
       resetTimers();
-      startIdleTimer();
+      // Don't call notify - polling will handle state updates
     };
 
     // Add event listeners
@@ -336,8 +419,13 @@ export class InactivityService extends BaseService implements IInactivityService
       document.addEventListener(event, handleActivity, true);
     });
 
-    // Start initial timer
-    startIdleTimer();
+    // Start polling every 10 seconds
+    pollInterval = setInterval(() => {
+      pollInactivityState();
+    }, 10000); // 10 seconds
+
+    // Initial poll
+    pollInactivityState();
 
     // Store cleanup function
     this.cleanupHandlers = () => {
@@ -350,6 +438,11 @@ export class InactivityService extends BaseService implements IInactivityService
         clearTimeout(warningTimer);
         warningTimer = null;
       }
+      
+      if (pollInterval) {
+        clearInterval(pollInterval);
+        pollInterval = null;
+      }
 
       activityEvents.forEach(event => {
         document.removeEventListener(event, handleActivity, true);
@@ -364,6 +457,6 @@ export class InactivityService extends BaseService implements IInactivityService
     };
 
     this._isTracking = true;
-    this.notify();
+    this.notify(); // Initial notification only
   }
 }