@jmruthers/pace-core 0.5.193 → 0.6.2

package/src/hooks/useSecureDataAccess.ts

@@ -1,666 +0,0 @@
-/**
- * @file useSecureDataAccess Hook
- * @package @jmruthers/pace-core
- * @module Hooks/useSecureDataAccess
- * @since 0.4.0
- *
- * Hook for secure database operations with mandatory organisation context.
- * Ensures all data access is properly scoped to the user's current organisation.
- *
- * @example
- * ```tsx
- * function DataComponent() {
- *   const { secureQuery, secureInsert, secureUpdate, secureDelete } = useSecureDataAccess();
- *   
- *   const loadData = async () => {
- *     try {
- *       // Automatically includes organisation_id filter
- *       const events = await secureQuery('core_events', '*', { is_visible: true });
- *       console.log('Organisation events:', events);
- *     } catch (error) {
- *       console.error('Failed to load data:', error);
- *     }
- *   };
- *   
- *   const createEvent = async (eventData) => {
- *     try {
- *       // Automatically sets organisation_id
- *       const newEvent = await secureInsert('core_events', eventData);
- *       console.log('Created event:', newEvent);
- *     } catch (error) {
- *       console.error('Failed to create event:', error);
- *     }
- *   };
- *   
- *   return (
- *     <div>
- *       <button onClick={loadData}>Load Data</button>
- *       <button onClick={() => createEvent({ event_name: 'New Event' })}>
- *         Create Event
- *       </button>
- *     </div>
- *   );
- * }
- * ```
- *
- * @security
- * - All queries automatically include organisation_id filter
- * - Validates organisation context before any operation
- * - Prevents data leaks between organisations
- * - Error handling for security violations
- * - Type-safe database operations
- */
-
-import { useCallback, useState, useContext } from 'react';
-import { useUnifiedAuth } from '../providers';
-import { useOrganisations } from './useOrganisations';
-import { EventServiceContext } from '../providers/services/EventServiceProvider';
-import { setOrganisationContext } from '../utils/context/organisationContext';
-import { logger } from '../utils/core/logger';
-import type { Permission } from '../rbac/types';
-import type { OrganisationSecurityError } from '../types/organisation';
-import { useOrganisationSecurity } from './useOrganisationSecurity';
-import { useResolvedScope } from '../rbac/hooks/useResolvedScope';
-
-export interface SecureDataAccessReturn {
-  /** Execute a secure query with organisation filtering */
-  secureQuery: <T = any>(
-    table: string,
-    columns: string,
-    filters?: Record<string, any>,
-    options?: {
-      orderBy?: string;
-      ascending?: boolean;
-      limit?: number;
-      offset?: number;
-    }
-  ) => Promise<T[]>;
-  
-  /** Execute a secure insert with organisation context */
-  secureInsert: <T = any>(
-    table: string,
-    data: Record<string, any>
-  ) => Promise<T>;
-  
-  /** Execute a secure update with organisation filtering */
-  secureUpdate: <T = any>(
-    table: string,
-    data: Record<string, any>,
-    filters: Record<string, any>
-  ) => Promise<T[]>;
-  
-  /** Execute a secure delete with organisation filtering */
-  secureDelete: (
-    table: string,
-    filters: Record<string, any>
-  ) => Promise<void>;
-  
-  /** Execute a secure RPC call with organisation context */
-  secureRpc: <T = any>(
-    functionName: string,
-    params?: Record<string, any>
-  ) => Promise<T>;
-  
-  /** Get current organisation ID */
-  getCurrentOrganisationId: () => string;
-  
-  /** Validate organisation context */
-  validateContext: () => void;
-  
-  // NEW: Phase 1 - Enhanced Security Features
-  /** Check if data access is allowed for a table and operation */
-  isDataAccessAllowed: (table: string, operation: string) => boolean;
-  
-  /** Get all data access permissions for current user */
-  getDataAccessPermissions: () => Record<string, string[]>;
-  
-  /** Check if strict mode is enabled */
-  isStrictMode: boolean;
-  
-  /** Check if audit logging is enabled */
-  isAuditLogEnabled: boolean;
-  
-  /** Get data access history */
-  getDataAccessHistory: () => DataAccessRecord[];
-  
-  /** Clear data access history */
-  clearDataAccessHistory: () => void;
-  
-  /** Validate data access attempt */
-  validateDataAccess: (table: string, operation: string) => boolean;
-}
-
-export interface DataAccessRecord {
-  table: string;
-  operation: string;
-  userId: string;
-  organisationId: string;
-  allowed: boolean;
-  timestamp: string;
-  query?: string;
-  filters?: Record<string, any>;
-}
-
-/**
- * Hook for secure data access with automatic organisation filtering
- * 
- * All database operations automatically include organisation context:
- * - Queries filter by organisation_id
- * - Inserts include organisation_id
- * - Updates/deletes are scoped to organisation
- * - RPC calls include organisation_id parameter
- */
-export function useSecureDataAccess(): SecureDataAccessReturn {
-  const { supabase, user, session, selectedOrganisation, selectedEvent } = useUnifiedAuth();
-  
-  // Get selected event for event-scoped RPC calls
-  // Use useContext directly to safely check if EventServiceProvider is available
-  const eventServiceContext = useContext(EventServiceContext);
-  const eventFromContext = eventServiceContext?.eventService?.getSelectedEvent() || null;
-  const effectiveSelectedEvent = selectedEvent || eventFromContext;
-  const { superAdminContext } = useOrganisationSecurity();
-  const isSuperAdmin = superAdminContext.isSuperAdmin;
-
-  // Use resolved scope to get organisationId (derived from event if needed)
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: effectiveSelectedEvent?.event_id || null
-  });
-
-  const validateContext = useCallback((): void => {
-    if (!supabase) {
-      throw new Error('No Supabase client available') as OrganisationSecurityError;
-    }
-    if (!user || !session) {
-      throw new Error('User must be authenticated with valid session') as OrganisationSecurityError;
-    }
-    
-    if (isSuperAdmin) {
-      return;
-    }
-    
-    if (!resolvedScope?.organisationId) {
-      throw new Error('Organisation context is required for data access') as OrganisationSecurityError;
-    }
-  }, [supabase, user, session, resolvedScope, isSuperAdmin]);
-
-  const getCurrentOrganisationId = useCallback((): string => {
-    if (isSuperAdmin) {
-      // For super admins, try to get org from resolved scope or selectedOrganisation
-      return resolvedScope?.organisationId || selectedOrganisation?.id || '';
-    }
-
-    validateContext();
-    return resolvedScope?.organisationId || '';
-  }, [validateContext, resolvedScope, selectedOrganisation, isSuperAdmin]);
-
-  // Set organisation context in database session
-  const setOrganisationContextInSession = useCallback(async (organisationId?: string): Promise<void> => {
-    if (!supabase || !organisationId) {
-      return;
-    }
-
-    await setOrganisationContext(supabase, organisationId);
-  }, [supabase]);
-
-  const secureQuery = useCallback(async <T = any>(
-    table: string,
-    columns: string,
-    filters: Record<string, any> = {},
-    options: {
-      orderBy?: string;
-      ascending?: boolean;
-      limit?: number;
-      offset?: number;
-    } = {}
-  ): Promise<T[]> => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
-
-    // Set organisation context in database session
-    await setOrganisationContextInSession(organisationId);
-
-    // Build query with organisation filter
-    let query = supabase!
-      .from(table)
-      .select(columns);
-
-    // Add organisation filter only if table has organisation_id column
-    // Defense in depth strategy:
-    // - RLS policies are the primary security layer (cannot be bypassed)
-    // - Application-level filtering adds an additional layer of protection
-    const tablesWithOrganisation = [
-      'core_events',  'organisation_settings',
-      'rbac_event_app_roles', 'rbac_organisation_roles',
-      // SECURITY: Phase 2 additions - complete organisation table mapping
-      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',
-      // SECURITY: Emergency additions for Phase 1 fixes
-      'cake_meal', 'cake_mealtype', 'core_person',
-      // NOTE: core_member, medi_profile, core_contact, core_consent, core_identification, core_qualification
-      // are now person-scoped (not organisation-scoped) - removed from this list
-      // SECURITY: Phase 3A additions - medical and personal data
-      // NOTE: medi_condition, medi_diet, medi_action_plan, medi_profile_versions are now person-scoped
-      // (via medi_profile) - removed from this list
-      // core_identification_type remains organisation-scoped (lookup table)
-      'core_identification_type',
-      'form_responses', 'form_response_values', 'forms',
-      // SECURITY: Phase 3B additions - remaining critical tables
-      'invoice', 'line_item', 'credit_balance', 'payment_method',
-      'form_contexts', 'form_field_config', 'form_fields',
-      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', 
-      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', 
-      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions',
-      // rbac_user_profiles has organisation_id but uses conditional filtering
-      'rbac_user_profiles'
-    ];
-    
-    // Apply organisation filtering based on table and super admin status
-    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
-      // For rbac_user_profiles: Super admins see all (no filter), non-super-admins get filtered (defense in depth)
-      // For other tables: Always apply filter
-      if (table === 'rbac_user_profiles' && isSuperAdmin) {
-        // Super admin: No org filter - RLS handles access control
-        // This allows super admins to see all users across all organisations
-      } else {
-        // Non-super-admin OR other tables: Apply org filter as defense in depth
-        query = query.eq('organisation_id', organisationId);
-      }
-    }
-
-    // Apply additional filters
-    Object.entries(filters).forEach(([key, value]) => {
-      if (value !== undefined && value !== null) {
-        // Handle qualified column names (e.g., 'users.role')
-        const columnName = key.includes('.') ? key.split('.').pop()! : key;
-        query = query.eq(columnName, value);
-      }
-    });
-
-    // Apply options
-    if (options.orderBy) {
-      // Only use the column name, not a qualified name
-      const orderByColumn = options.orderBy.split('.').pop();
-      if (orderByColumn) {
-        query = query.order(orderByColumn, { ascending: options.ascending ?? true });
-      }
-    }
-    
-    if (options.limit) {
-      query = query.limit(options.limit);
-    }
-    
-    if (options.offset) {
-      query = query.range(options.offset, options.offset + (options.limit || 100) - 1);
-    }
-
-    const { data, error } = await query;
-    
-    if (error) {
-      logger.error('useSecureDataAccess', 'Query failed', { table, columns, filters, error });
-      // NEW: Phase 1 - Record failed data access attempt
-      recordDataAccess(table, 'read', false, `SELECT ${columns} FROM ${table}`, filters);
-      throw error;
-    }
-
-    // NEW: Phase 1 - Record successful data access attempt
-    recordDataAccess(table, 'read', true, `SELECT ${columns} FROM ${table}`, filters);
-
-    return (data as T[]) || [];
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-
-  const secureInsert = useCallback(async <T = any>(
-    table: string,
-    data: Record<string, any>
-  ): Promise<T> => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
-
-    // Set organisation context in database session
-    await setOrganisationContextInSession(organisationId);
-
-    // Ensure organisation_id is set
-    const secureData = bypassOrganisationFilter
-      ? { ...data }
-      : {
-          ...data,
-          organisation_id: organisationId
-        };
-
-    const { data: insertData, error } = await supabase!
-      .from(table)
-      .insert(secureData)
-      .select()
-      .single();
-
-    if (error) {
-      logger.error('useSecureDataAccess', 'Insert failed', { table, data: secureData, error });
-      throw error;
-    }
-
-    return insertData as T;
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-
-  const secureUpdate = useCallback(async <T = any>(
-    table: string,
-    data: Record<string, any>,
-    filters: Record<string, any>
-  ): Promise<T[]> => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
-
-    // Set organisation context in database session
-    await setOrganisationContextInSession(organisationId);
-
-    // Filter out organisation_id from data to prevent manipulation
-    const { organisation_id, ...secureData } = data;
-    
-    // Build update query with organisation filter
-    let query = supabase!
-      .from(table)
-      .update(secureData);
-
-    // Add organisation filter only if table has organisation_id column
-    const tablesWithOrganisation = [
-      'core_events',  'organisation_settings',
-      'rbac_event_app_roles', 'rbac_organisation_roles',
-      // SECURITY: Phase 2 additions - complete organisation table mapping
-      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',
-      // SECURITY: Emergency additions for Phase 1 fixes
-      'cake_meal', 'cake_mealtype', 'core_person', 'core_member'
-    ];
-    
-    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
-      query = query.eq('organisation_id', organisationId);
-    }
-
-    // Apply filters
-    Object.entries(filters).forEach(([key, value]) => {
-      if (value !== undefined && value !== null) {
-        query = query.eq(key, value);
-      }
-    });
-
-    const { data: updateData, error } = await query.select();
-
-    if (error) {
-      logger.error('useSecureDataAccess', 'Update failed', { table, data: secureData, filters, error });
-      throw error;
-    }
-
-    return (updateData as T[]) || [];
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-
-  const secureDelete = useCallback(async (
-    table: string,
-    filters: Record<string, any>
-  ): Promise<void> => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
-
-    // Set organisation context in database session
-    await setOrganisationContextInSession(organisationId);
-
-    // Build delete query with organisation filter
-    let query = supabase!
-      .from(table)
-      .delete();
-
-    // Add organisation filter only if table has organisation_id column
-    const tablesWithOrganisation = [
-      'core_events',  'organisation_settings',
-      'rbac_event_app_roles', 'rbac_organisation_roles',
-      // SECURITY: Phase 2 additions - complete organisation table mapping
-      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',
-      // SECURITY: Emergency additions for Phase 1 fixes
-      'cake_meal', 'cake_mealtype', 'core_person', 'core_member',
-      // SECURITY: Phase 3A additions - medical and personal data
-      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',
-      'core_consent', 'core_contact', 'core_identification', 'core_identification_type', 'core_qualification',
-      'form_responses', 'form_response_values', 'forms',
-      // SECURITY: Phase 3B additions - remaining critical tables
-      'invoice', 'line_item', 'credit_balance', 'payment_method',
-      'form_contexts', 'form_field_config', 'form_fields',
-      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', 
-      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', 
-      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'
-    ];
-    
-    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
-      query = query.eq('organisation_id', organisationId);
-    }
-
-    // Apply filters
-    Object.entries(filters).forEach(([key, value]) => {
-      if (value !== undefined && value !== null) {
-        query = query.eq(key, value);
-      }
-    });
-
-    const { error } = await query;
-
-    if (error) {
-      logger.error('useSecureDataAccess', 'Delete failed', { table, filters, error });
-      throw error;
-    }
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-
-  const secureRpc = useCallback(async <T = any>(
-    functionName: string,
-    params: Record<string, any> = {}
-  ): Promise<T> => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
-
-    // Set organisation context in database session
-    await setOrganisationContextInSession(organisationId);
-
-    // Include organisation_id in RPC parameters
-    // Some functions use p_organisation_id instead of organisation_id (to avoid conflicts with RETURNS TABLE columns)
-    const functionsWithPOrganisationId = [
-      'data_cake_diners_list',
-      'data_cake_mealplans_list'
-    ];
-    
-    const paramName = functionsWithPOrganisationId.includes(functionName) 
-      ? 'p_organisation_id' 
-      : 'organisation_id';
-    
-    // Functions that need p_event_id for event-app role permission checks
-    // Note: Even org-scoped functions (like items, packages, suppliers) need event_id
-    //       for permission checks when users have event-app roles
-    const functionsNeedingEventId = [
-      'data_cake_items_list',
-      'data_cake_packages_list',
-      'data_cake_suppliers_list',
-      'data_cake_diettypes_list',
-      'data_cake_mealtypes_list',
-      'data_cake_diners_list',
-      'data_cake_mealplans_list',
-      'data_cake_dishes_list',
-      'data_cake_recipes_list',
-      'data_cake_meals_list',
-      'data_cake_units_list',
-      'data_cake_orders_list',
-      'app_cake_item_create',
-      'app_cake_item_update',
-      'app_cake_package_create',
-      'app_cake_package_update',
-      'app_cake_supplier_create',
-      'app_cake_supplier_update',
-      'app_cake_supplier_delete',
-      'app_cake_meal_create',
-      'app_cake_meal_update',
-      'app_cake_meal_delete',
-      'app_cake_unit_create',
-      'app_cake_unit_update',
-      'app_cake_unit_delete',
-      'app_cake_delivery_upsert'
-    ];
-    
-    // Build secureParams with correct parameter order
-    // For functions that require p_event_id as first parameter, ensure it's first
-    const secureParams: Record<string, any> = {};
-    
-    // Functions where p_event_id is the FIRST required parameter (no default)
-    const functionsWithEventIdFirst = [
-      'data_cake_meals_list',
-      'data_cake_units_list'
-    ];
-    
-    // Add p_user_id explicitly for functions that need it (even though it has a default)
-    // This ensures parameter matching works correctly
-    if (user?.id) {
-      secureParams.p_user_id = user.id;
-    }
-    
-    // Add organisation_id parameter when needed
-    if (!bypassOrganisationFilter && organisationId) {
-      secureParams[paramName] = organisationId;
-    } else if (organisationId && !(paramName in params)) {
-      // Default to the current organisation if caller didn't specify one
-      secureParams[paramName] = organisationId;
-    }
-    
-    // Add p_event_id if function needs it and event is selected
-    // CRITICAL: This must be added AFTER organisation_id but BEFORE caller params
-    // to ensure it's not overwritten. For data_cake_items_list, p_event_id is the 3rd param.
-    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {
-      secureParams.p_event_id = selectedEvent.event_id;
-    }
-    
-    // Add any other params passed by caller (limit, offset, etc.)
-    // NOTE: This will NOT overwrite p_event_id if caller passes it, but we want to ensure
-    // our value takes precedence if event is selected
-    Object.assign(secureParams, params);
-    
-    // Ensure p_event_id is set if needed (after Object.assign, so it overrides caller params)
-    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {
-      secureParams.p_event_id = selectedEvent.event_id;
-    }
-
-    const { data, error } = await supabase!.rpc(functionName, secureParams);
-
-    if (error) {
-      logger.error('useSecureDataAccess', 'RPC failed', { functionName, params: secureParams, error });
-      throw error;
-    }
-
-    return data as T;
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id, isSuperAdmin]);
-
-  // NEW: Phase 1 - Enhanced Security Features
-  const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);
-  const [isStrictMode] = useState(true); // Always enabled in Phase 1
-  const [isAuditLogEnabled] = useState(true); // Always enabled in Phase 1
-
-  // Check if data access is allowed for a table and operation
-  const isDataAccessAllowed = useCallback((table: string, operation: string): boolean => {
-    if (!user?.id) return false;
-    
-    // Use the existing RBAC system to check data access permissions
-    // This is a synchronous check for the context - actual permission checking
-    // happens in the secure data operations using the RBAC engine
-    const permission = `${operation}:data.${table}` as Permission;
-    
-    // For now, we'll return true and let the secure data operations
-    // handle the actual permission checking asynchronously
-    // This context is mainly for tracking and audit purposes
-    return true;
-  }, [user?.id]);
-
-  // Get all data access permissions for current user
-  const getDataAccessPermissions = useCallback((): Record<string, string[]> => {
-    if (!user?.id) return {};
-    
-    // For now, return empty object - this will be enhanced with actual permission checking
-    // when we integrate with the existing RBAC system
-    return {};
-  }, [user?.id]);
-
-  // Get data access history
-  const getDataAccessHistory = useCallback((): DataAccessRecord[] => {
-    return [...dataAccessHistory];
-  }, [dataAccessHistory]);
-
-  // Clear data access history
-  const clearDataAccessHistory = useCallback(() => {
-    setDataAccessHistory([]);
-  }, []);
-
-  // Validate data access attempt
-  const validateDataAccess = useCallback((table: string, operation: string): boolean => {
-    if (!user?.id) return false;
-    
-    // Validate organisation context
-    try {
-      validateContext();
-    } catch (error) {
-      logger.error('useSecureDataAccess', 'Organisation context validation failed', { table, operation, error });
-      return false;
-    }
-    
-    return isDataAccessAllowed(table, operation);
-  }, [user?.id, validateContext, isDataAccessAllowed]);
-
-  // Record data access attempt
-  const recordDataAccess = useCallback((
-    table: string,
-    operation: string,
-    allowed: boolean,
-    query?: string,
-    filters?: Record<string, any>
-  ) => {
-    if (!isAuditLogEnabled || !user?.id) return;
-    const auditOrganisationId = getCurrentOrganisationId() || 'super-admin-bypass';
-
-    const record: DataAccessRecord = {
-      table,
-      operation,
-      userId: user.id,
-      organisationId: auditOrganisationId,
-      allowed,
-      timestamp: new Date().toISOString(),
-      query,
-      filters
-    };
-    
-    setDataAccessHistory(prev => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, 1000); // Keep last 1000 records
-    });
-    
-    if (isStrictMode && !allowed) {
-      logger.error('useSecureDataAccess', 'STRICT MODE VIOLATION: User attempted data access without permission', {
-        table,
-        operation,
-        userId: user.id,
-        organisationId: auditOrganisationId,
-        timestamp: new Date().toISOString()
-      });
-    }
-  }, [isAuditLogEnabled, isStrictMode, user?.id, getCurrentOrganisationId]);
-
-  return {
-    secureQuery,
-    secureInsert,
-    secureUpdate,
-    secureDelete,
-    secureRpc,
-    getCurrentOrganisationId,
-    validateContext,
-    // NEW: Phase 1 - Enhanced Security Features
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isStrictMode,
-    isAuditLogEnabled,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  };
-}