npm - @jmruthers/pace-core - Versions diffs - 0.5.191 → 0.6.1 - Mend

@jmruthers/pace-core 0.5.191 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (380) hide show

package/src/services/EventService.ts CHANGED Viewed

@@ -116,10 +116,6 @@ export class EventService extends BaseService implements IEventService {
     if (user?.id) {
       try {
         this.isSuperAdmin = await isSuperAdmin(user.id as UUID);
-        logger.debug('EventService', 'Updated super admin status', {
-          userId: user.id,
-          isSuperAdmin: this.isSuperAdmin
-        });
       } catch (error) {
         logger.warn('EventService', 'Failed to check super admin status', { error });
         this.isSuperAdmin = false; // Default to false on error
@@ -151,9 +147,10 @@ export class EventService extends BaseService implements IEventService {
   // Event state getters
   getEvents(): Event[] {
-    // Return a new array reference so React can detect changes
-    // This ensures useMemo dependencies work correctly
-    return [...this.events];
+    // Return stable array reference - only create new array when events actually change
+    // This prevents unnecessary re-renders when getEvents() is called on every render
+    // The service's notify() mechanism handles change detection
+    return this.events;
   }
   getSelectedEvent(): Event | null {
@@ -308,12 +305,6 @@ export class EventService extends BaseService implements IEventService {
   async initialize(): Promise<void> {
     // Only call super.initialize() which will call doInitialize() and fetchEvents()
     // Don't call fetchEvents() again here to avoid double-fetching
-    logger.debug('EventService', 'initialize() called', {
-      isInitializedRef: this.isInitializedRef,
-      hasUser: !!this.user,
-      hasSession: !!this.session,
-      appName: this.appName
-    });
     await super.initialize();
   }
@@ -322,23 +313,13 @@ export class EventService extends BaseService implements IEventService {
   }
   protected async doInitialize(): Promise<void> {
-    logger.debug('EventService', 'doInitialize() called', {
-      isInitializedRef: this.isInitializedRef,
-      isFetchingRef: this.isFetchingRef,
-      hasUser: !!this.user,
-      hasSession: !!this.session,
-      appName: this.appName
-    });
     // Skip if already initialized
     if (this.isInitializedRef) {
-      logger.debug('EventService', 'Skipping initialization - already initialized');
       return;
     }
     // Skip if already fetching
     if (this.isFetchingRef) {
-      logger.debug('EventService', 'Skipping initialization - already fetching');
       return;
     }
@@ -355,16 +336,9 @@ export class EventService extends BaseService implements IEventService {
     // For event-required apps, selectedOrganisation may be null (org derived from event)
     // For org-required apps, selectedOrganisation is required
     if (!this.user) {
-      logger.debug('EventService', 'Skipping initialization - missing user');
       return;
     }
-    logger.debug('EventService', 'Initializing - fetching events', {
-      userId: this.user.id,
-      organisationId: this.selectedOrganisation?.id || 'derived-from-event',
-      appName: this.appName
-    });
     // Initial setup - fetch events on initialization
     await this.fetchEvents(false);
@@ -380,12 +354,6 @@ export class EventService extends BaseService implements IEventService {
     // For event-required apps, selectedOrganisation may be null (org derived from event)
     // For org-required apps, selectedOrganisation is required
     if (!this.user || !this.session || !this.supabaseClient || !this.appName) {
-      logger.debug('EventService', 'Skipping fetchEvents - missing dependencies', {
-        hasUser: !!this.user,
-        hasSession: !!this.session,
-        hasSupabaseClient: !!this.supabaseClient,
-        appName: this.appName
-      });
       // Already false from initialization, just notify
       this.notify();
       return;
@@ -397,7 +365,6 @@ export class EventService extends BaseService implements IEventService {
     // Prevent multiple simultaneous fetches
     if (this.isFetchingRef) {
-      logger.debug('EventService', 'Skipping fetchEvents - already fetching');
       return;
     }
@@ -431,9 +398,6 @@ export class EventService extends BaseService implements IEventService {
         if (userIsSuperAdmin) {
           // Super admin: Pass null to see all events across all organisations
           organisationIdForRpc = null;
-          logger.debug('EventService', 'Super admin detected - fetching all events', {
-            userId: this.user.id
-          });
         } else {
           // Not super admin: determine org from context based on app type
           if (this.selectedEvent) {
@@ -443,10 +407,6 @@ export class EventService extends BaseService implements IEventService {
             // Event-required app with no selected event yet: pass null to get all accessible events
             // The RPC will filter by event app roles, returning all events the user has access to
             organisationIdForRpc = null;
-            logger.debug('EventService', 'Event-required app: fetching all accessible events (no event selected yet)', {
-              userId: this.user.id,
-              appName: this.appName
-            });
           } else if (this.selectedOrganisation) {
             // Org-required app: use selected organisation
             organisationIdForRpc = this.selectedOrganisation.id;
@@ -476,12 +436,6 @@ export class EventService extends BaseService implements IEventService {
         }
       }
-      logger.debug('EventService', 'Fetching events via RPC', {
-        userId: this.user.id,
-        organisationId: organisationIdForRpc,
-        appName: this.appName
-      });
       // Call the RPC function following the established pattern
       // For super admins, pass null for p_organisation_id to see all events
       let { data, error: rpcError } = await this.supabaseClient.rpc('data_user_events_get', {
@@ -490,13 +444,6 @@ export class EventService extends BaseService implements IEventService {
         p_app_name: this.appName
       });
-      logger.debug('EventService', 'RPC response received', {
-        hasData: !!data,
-        dataLength: Array.isArray(data) ? data.length : 'not array',
-        hasError: !!rpcError,
-        error: rpcError
-      });
       if (rpcError) {
         logger.error('EventService', 'RPC error fetching events:', rpcError);
         throw new Error(rpcError.message || 'Failed to fetch events');

package/src/services/InactivityService.ts CHANGED Viewed

@@ -145,12 +145,31 @@ export class InactivityService extends BaseService implements IInactivityService
     if (this.inactivityTracker) {
       this.inactivityTracker.resetActivity();
     }
+    // Store previous values
+    const prevIsIdle = this._isIdle;
+    const prevShowWarning = this._showWarning;
+    const prevShowInactivityWarning = this._showInactivityWarning;
+    const prevInactivityTimeRemaining = this._inactivityTimeRemaining;
+    const prevTimeRemaining = this._timeRemaining;
+    // Update state
     this._isIdle = false;
     this._showWarning = false;
     this._showInactivityWarning = false;
     this._inactivityTimeRemaining = 0;
     this._timeRemaining = this.idleTimeoutMs;
-    this.notify();
+    // Only notify if values actually changed
+    if (
+      prevIsIdle !== this._isIdle ||
+      prevShowWarning !== this._showWarning ||
+      prevShowInactivityWarning !== this._showInactivityWarning ||
+      prevInactivityTimeRemaining !== this._inactivityTimeRemaining ||
+      prevTimeRemaining !== this._timeRemaining
+    ) {
+      this.notify();
+    }
   }
   startTracking(): void {
@@ -275,10 +294,63 @@ export class InactivityService extends BaseService implements IInactivityService
     let idleTimer: NodeJS.Timeout | null = null;
     let warningTimer: NodeJS.Timeout | null = null;
     let lastActivity = Date.now();
-    const resetTimers = () => {
-      lastActivity = Date.now();
+    let pollInterval: NodeJS.Timeout | null = null;
+    // Store previous state for comparison
+    let prevIsIdle = false;
+    let prevShowWarning = false;
+    let prevShowInactivityWarning = false;
+    let prevInactivityTimeRemaining = 0;
+    let prevTimeRemaining = this.idleTimeoutMs;
+    // Poll every 10 seconds to check for state changes
+    const pollInactivityState = () => {
+      const now = Date.now();
+      const timeSinceActivity = now - lastActivity;
+      const timeUntilIdle = this.idleTimeoutMs - timeSinceActivity;
+      const timeUntilWarning = (this.idleTimeoutMs - this.warnBeforeMs) - timeSinceActivity;
+      // Calculate new state values based on time since last activity
+      const newIsIdle = timeSinceActivity >= (this.idleTimeoutMs - this.warnBeforeMs);
+      const newShowWarning = newIsIdle && timeSinceActivity < this.idleTimeoutMs;
+      const newShowInactivityWarning = newShowWarning;
+      const newInactivityTimeRemaining = newShowWarning
+        ? Math.ceil((this.idleTimeoutMs - timeSinceActivity) / 1000)
+        : 0;
+      const newTimeRemaining = Math.max(0, timeUntilIdle);
+      // Check if state actually changed
+      const stateChanged =
+        prevIsIdle !== newIsIdle ||
+        prevShowWarning !== newShowWarning ||
+        prevShowInactivityWarning !== newShowInactivityWarning ||
+        prevInactivityTimeRemaining !== newInactivityTimeRemaining ||
+        prevTimeRemaining !== newTimeRemaining;
+      // Only update and notify if state changed
+      if (stateChanged) {
+        this._isIdle = newIsIdle;
+        this._showWarning = newShowWarning;
+        this._showInactivityWarning = newShowInactivityWarning;
+        this._inactivityTimeRemaining = newInactivityTimeRemaining;
+        this._timeRemaining = newTimeRemaining;
+        // Update previous state
+        prevIsIdle = newIsIdle;
+        prevShowWarning = newShowWarning;
+        prevShowInactivityWarning = newShowInactivityWarning;
+        prevInactivityTimeRemaining = newInactivityTimeRemaining;
+        prevTimeRemaining = newTimeRemaining;
+        this.notify();
+        // Handle idle logout if needed
+        if (newIsIdle && timeSinceActivity >= this.idleTimeoutMs) {
+          this.handleIdleLogout();
+        }
+      }
+      // Update timers based on current state
       if (idleTimer) {
         clearTimeout(idleTimer);
         idleTimer = null;
@@ -288,47 +360,58 @@ export class InactivityService extends BaseService implements IInactivityService
         clearTimeout(warningTimer);
         warningTimer = null;
       }
-      this._showInactivityWarning = false;
-      this._inactivityTimeRemaining = 0;
-      this._isIdle = false;
-      this._showWarning = false;
-      this.notify();
-    };
-    const startIdleTimer = () => {
-      if (idleTimer) {
-        clearTimeout(idleTimer);
+      // Set up timers for next state transitions
+      if (!newIsIdle && timeUntilIdle > 0) {
+        idleTimer = setTimeout(() => {
+          pollInactivityState();
+        }, Math.min(10000, timeUntilIdle));
       }
-      idleTimer = setTimeout(() => {
-        this._isIdle = true;
-        this._showWarning = true;
-        this.notify();
-        // Start warning timer
+      if (newShowWarning && timeUntilIdle > 0) {
         warningTimer = setTimeout(() => {
           this.handleIdleLogout();
-        }, this.warnBeforeMs);
-      }, this.idleTimeoutMs - this.warnBeforeMs);
+        }, timeUntilIdle);
+      }
     };
-    const startWarningTimer = () => {
+    const resetTimers = () => {
+      // Only update lastActivity - don't notify yet
+      lastActivity = Date.now();
+      // Clear timers
+      if (idleTimer) {
+        clearTimeout(idleTimer);
+        idleTimer = null;
+      }
       if (warningTimer) {
         clearTimeout(warningTimer);
+        warningTimer = null;
       }
-      warningTimer = setTimeout(() => {
-        this.handleIdleLogout();
-      }, this.warnBeforeMs);
+      // Reset state values (will be checked on next poll)
+      this._showInactivityWarning = false;
+      this._inactivityTimeRemaining = 0;
+      this._isIdle = false;
+      this._showWarning = false;
+      // Update previous state to match
+      prevIsIdle = false;
+      prevShowWarning = false;
+      prevShowInactivityWarning = false;
+      prevInactivityTimeRemaining = 0;
+      prevTimeRemaining = this.idleTimeoutMs;
+      // Poll will check and notify if needed
     };
-    // Activity detection
+    // Activity detection - only updates lastActivity, doesn't notify
     const activityEvents = ['mousedown', 'mousemove', 'keypress', 'scroll', 'touchstart', 'click'];
     const handleActivity = () => {
       resetTimers();
-      startIdleTimer();
+      // Don't call notify - polling will handle state updates
     };
     // Add event listeners
@@ -336,8 +419,13 @@ export class InactivityService extends BaseService implements IInactivityService
       document.addEventListener(event, handleActivity, true);
     });
-    // Start initial timer
-    startIdleTimer();
+    // Start polling every 10 seconds
+    pollInterval = setInterval(() => {
+      pollInactivityState();
+    }, 10000); // 10 seconds
+    // Initial poll
+    pollInactivityState();
     // Store cleanup function
     this.cleanupHandlers = () => {
@@ -350,6 +438,11 @@ export class InactivityService extends BaseService implements IInactivityService
         clearTimeout(warningTimer);
         warningTimer = null;
       }
+      if (pollInterval) {
+        clearInterval(pollInterval);
+        pollInterval = null;
+      }
       activityEvents.forEach(event => {
         document.removeEventListener(event, handleActivity, true);
@@ -364,6 +457,6 @@ export class InactivityService extends BaseService implements IInactivityService
     };
     this._isTracking = true;
-    this.notify();
+    this.notify(); // Initial notification only
   }
 }

package/src/services/OrganisationService.ts CHANGED Viewed

@@ -20,6 +20,8 @@ import type {
 import { setOrganisationContext } from '../utils/context/organisationContext';
 import { logger } from '../utils/core/logger';
 import { assertUserId, assertOrganisationId } from '../types/core';
+import { isSuperAdmin } from '../rbac/api';
+import type { UUID } from '../rbac/types';
 // Type for RPC response from data_user_organisation_roles_get
 interface OrganisationRoleRpcResponse {
@@ -46,6 +48,7 @@ export class OrganisationService extends BaseService implements IOrganisationSer
   private _roleMapState: Map<string, string> = new Map();
   private _isLoading = false;
   private _error: Error | null = null;
+  private _isSuperAdmin: boolean = false; // Cache super admin status
   private _isContextReady = false;
   private retryCount = 0;
@@ -81,17 +84,21 @@ export class OrganisationService extends BaseService implements IOrganisationSer
   // Additional methods for testing
   setSelectedOrganisation(organisation: Organisation | null): void {
     // SECURITY: Validate organisation is in user's accessible organisations (only if orgs are loaded)
+    // Exception: Super admins can set any organisation (they have global access)
     if (organisation && this._organisations.length > 0) {
-      const isValidOrg = this._organisations.some(org => org.id === organisation.id);
-      if (!isValidOrg) {
-        logger.warn('OrganisationService', 'Attempted to set invalid organisation - not in user\'s accessible organisations', {
-          organisationId: organisation.id,
-          organisationName: organisation.name,
-          accessibleOrgIds: this._organisations.map(o => o.id)
-        });
-        // Don't set invalid organisation - this prevents security issues
-        // If organisations haven't loaded yet, validation will happen in loadUserOrganisations()
-        return;
+      // Only validate if user is not a super admin (use cached status)
+      if (!this._isSuperAdmin) {
+        const isValidOrg = this._organisations.some(org => org.id === organisation.id);
+        if (!isValidOrg) {
+          logger.warn('OrganisationService', 'Attempted to set invalid organisation - not in user\'s accessible organisations', {
+            organisationId: organisation.id,
+            organisationName: organisation.name,
+            accessibleOrgIds: this._organisations.map(o => o.id)
+          });
+          // Don't set invalid organisation - this prevents security issues
+          // If organisations haven't loaded yet, validation will happen in loadUserOrganisations()
+          return;
+        }
       }
     }
@@ -140,6 +147,11 @@ export class OrganisationService extends BaseService implements IOrganisationSer
     const wasAuthenticated = !!(this.user && this.session);
     const isAuthenticated = !!(user && session);
+    // Reset super admin cache when user changes
+    if (this.user?.id !== user?.id) {
+      this._isSuperAdmin = false;
+    }
     this.user = user;
     this.session = session;
@@ -460,11 +472,47 @@ export class OrganisationService extends BaseService implements IOrganisationSer
         throw membershipError;
       }
+      // Check if user is super admin - super admins don't need organisation memberships
+      let userIsSuperAdmin = false;
+      if (this.user?.id) {
+        try {
+          userIsSuperAdmin = await isSuperAdmin(this.user.id as UUID);
+          this._isSuperAdmin = userIsSuperAdmin; // Cache the result
+        } catch (error) {
+          logger.warn('OrganisationService', 'Failed to check super admin status', { error });
+          // Continue with normal flow if check fails
+          this._isSuperAdmin = false;
+        }
+      } else {
+        this._isSuperAdmin = false;
+      }
+      // Super admins can proceed without organisation memberships
       if (!memberships || memberships.length === 0) {
+        if (userIsSuperAdmin) {
+          // Super admin without org memberships - allow empty state
+          this._organisations = [];
+          this._userMemberships = [];
+          this._isLoading = false;
+          this._error = null;
+          this._isContextReady = true;
+          this.notify();
+          return;
+        }
         throw new Error('User has no active organisation memberships') as OrganisationSecurityError;
       }
       if (!organisations || organisations.length === 0) {
+        if (userIsSuperAdmin) {
+          // Super admin without orgs - allow empty state
+          this._organisations = [];
+          this._userMemberships = [];
+          this._isLoading = false;
+          this._error = null;
+          this._isContextReady = true;
+          this.notify();
+          return;
+        }
         throw new Error('No organisations found in role data') as OrganisationSecurityError;
       }
@@ -481,6 +529,16 @@ export class OrganisationService extends BaseService implements IOrganisationSer
       // Filter to active organisations only
       if (activeOrgs.length === 0) {
+        if (userIsSuperAdmin) {
+          // Super admin without active orgs - allow empty state
+          this._organisations = [];
+          this._userMemberships = [];
+          this._isLoading = false;
+          this._error = null;
+          this._isContextReady = true;
+          this.notify();
+          return;
+        }
         throw new Error('User has no access to active organisations') as OrganisationSecurityError;
       }

package/src/utils/security/secureDataAccess.test.ts CHANGED Viewed

@@ -21,15 +21,25 @@ const mockSupabaseClient = {
 let mockQueryBuilder: any;
 const createMockQueryBuilder = (customData?: any, customError?: any) => {
+  // Create spy functions that return this for chaining
+  const selectSpy = vi.fn(function(this: any) { return this; });
+  const eqSpy = vi.fn(function(this: any) { return this; });
+  const orderSpy = vi.fn(function(this: any) { return this; });
+  const limitSpy = vi.fn(function(this: any) { return this; });
+  const rangeSpy = vi.fn(function(this: any) { return this; });
+  const insertSpy = vi.fn(function(this: any) { return this; });
+  const updateSpy = vi.fn(function(this: any) { return this; });
+  const deleteSpy = vi.fn(function(this: any) { return this; });
   const builder: any = {
-    select: vi.fn(function(this: any) { return this; }),
-    eq: vi.fn(function(this: any) { return this; }),
-    order: vi.fn(function(this: any) { return this; }),
-    limit: vi.fn(function(this: any) { return this; }),
-    range: vi.fn(function(this: any) { return this; }),
-    insert: vi.fn(function(this: any) { return this; }),
-    update: vi.fn(function(this: any) { return this; }),
-    delete: vi.fn(function(this: any) { return this; }),
+    select: selectSpy,
+    eq: eqSpy,
+    order: orderSpy,
+    limit: limitSpy,
+    range: rangeSpy,
+    insert: insertSpy,
+    update: updateSpy,
+    delete: deleteSpy,
     single: vi.fn().mockImplementation(() => {
       const data = customData !== undefined ? customData : { id: 'test-123' };
       const error = customError !== undefined ? customError : null;
@@ -56,7 +66,7 @@ const createMockQueryBuilder = (customData?: any, customError?: any) => {
 describe('secureDataAccess', () => {
   let secureDataAccess: ReturnType<typeof createSecureDataAccess>;
   const mockOrganisationId = 'org-123';
-  const mockTable = 'pace_person'; // Use a table that has organisation_id column
+  const mockTable = 'core_events'; // Use a table that has organisation_id column (pace_person doesn't have it)
   const mockSelect = 'id, name, organisation_id';
   beforeEach(() => {
@@ -332,10 +342,10 @@ describe('secureDataAccess', () => {
           const mockFilters = { id: '1' };
           const mockResult = { id: '1', name: 'Updated Item', organisation_id: mockOrganisationId };
-          mockQueryBuilder.update = vi.fn().mockReturnThis();
-          mockQueryBuilder.eq = vi.fn().mockReturnThis();
-          mockQueryBuilder.select = vi.fn().mockReturnThis();
+          // Create a fresh mock query builder with proper chaining
+          mockQueryBuilder = createMockQueryBuilder(mockResult);
           mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: mockResult, error: null });
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
           const result = await secureDataAccess.secureUpdate(mockTable, mockData, mockFilters, mockOrganisationId);
@@ -366,9 +376,13 @@ describe('secureDataAccess', () => {
         it('should delete data with organisation filter', async () => {
           const mockFilters = { id: '1' };
-          mockQueryBuilder.delete = vi.fn().mockReturnThis();
-          mockQueryBuilder.eq = vi.fn().mockReturnThis();
-          mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: null, error: null });
+          // Create a fresh mock query builder with proper chaining
+          mockQueryBuilder = createMockQueryBuilder();
+          // Make the query builder thenable and resolve successfully
+          mockQueryBuilder.then = function(resolve: any) {
+            return Promise.resolve({ data: null, error: null }).then(resolve);
+          };
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
           const result = await secureDataAccess.secureDelete(mockTable, mockFilters, mockOrganisationId);
@@ -687,12 +701,9 @@ describe('secureDataAccess', () => {
       };
       const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
-          // Create a new mock with the expected data
-          mockQueryBuilder = createMockQueryBuilder(mockData);
-          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
       // Create a new mock with the expected data
-          mockQueryBuilder = createMockQueryBuilder(mockData);
-          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+      mockQueryBuilder = createMockQueryBuilder(mockData);
+      mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
       const options: SecureQueryOptions = {
         table: mockTable,

package/src/utils/security/secureDataAccess.ts CHANGED Viewed

@@ -99,9 +99,10 @@ export const createSecureDataAccess = (
       // SECURITY: Phase 2 additions - complete organisation table mapping
       'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',
       // SECURITY: Emergency additions for Phase 1 fixes
-      'cake_meal', 'cake_mealtype', 'core_person', 'pace_person',
-      // NOTE: core_member, medi_profile, core_contact, core_consent, core_identification, core_qualification
-      // are now person-scoped (not organisation-scoped) - removed from this list
+      'cake_meal', 'cake_mealtype',
+      // NOTE: core_person, pace_person, core_member, medi_profile, core_contact, core_consent,
+      // core_identification, core_qualification are now person-scoped (not organisation-scoped)
+      // and do NOT have organisation_id columns - removed from this list
       // SECURITY: Phase 3A additions - medical and personal data
       // NOTE: medi_condition, medi_diet, medi_action_plan, medi_profile_versions are now person-scoped
       // (via medi_profile) - removed from this list