@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/rbac/providers/__tests__/RBACProvider.integration.test.tsx

@@ -1,688 +0,0 @@
-/**
- * @file RBACProvider Integration Tests
- * @package @jmruthers/pace-core
- * @module Providers/RBACProvider
- * @since 1.0.0
- * 
- * Integration tests for RBACProvider covering real provider behavior,
- * organisation context, permission refresh, and event access loading.
- * These tests DO NOT mock useRBAC but test the actual provider implementation.
- */
-
-import { render, screen, waitFor, act, renderHook } from '@testing-library/react';
-import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
-import { RBACProvider, useRBAC } from '../RBACProvider';
-import type { User, Session } from '@supabase/supabase-js';
-import { AccessLevel } from '../../../types/unified';
-
-import { createMockSupabaseClient } from '../../../__tests__/helpers/supabaseMock';
-
-describe('[integration] RBACProvider', () => {
-  let mockSupabase: ReturnType<typeof createMockSupabaseClient>;
-  let mockUser: User;
-  let mockSession: Session;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    
-    mockSupabase = createMockSupabaseClient({
-      data: [{ id: 'app-123' }],
-      error: null
-    });
-    
-    mockUser = {
-      id: 'user-123',
-      email: 'test@example.com',
-      user_metadata: { globalRole: null },
-      app_metadata: {},
-      aud: 'authenticated',
-      created_at: '2024-01-01T00:00:00Z',
-    } as User;
-    
-    mockSession = {
-      access_token: 'token-123',
-      refresh_token: 'refresh-123',
-      expires_at: 1234567890,
-      expires_in: 3600,
-      token_type: 'bearer',
-      user: mockUser,
-    } as Session;
-    
-    // Mock RPC calls
-    mockSupabase.rpc.mockImplementation((functionName) => {
-      if (functionName === 'get_app_config') {
-        return Promise.resolve({
-          data: [{ requires_event: true }],
-          error: null
-        });
-      }
-      if (functionName === 'rbac_permissions_get') {
-        return Promise.resolve({
-          data: [
-            { permission_type: 'event_app_access', role_name: 'planner' },
-            { permission_type: 'organisation_access', role_name: 'org_member' }
-          ],
-          error: null
-        });
-      }
-      return Promise.resolve({ data: null, error: null });
-    });
-  });
-
-  afterEach(() => {
-    vi.clearAllMocks();
-    localStorage.clear();
-  });
-
-  // Test component that uses RBAC
-  const TestComponent = () => {
-    const {
-      permissions,
-      roles,
-      accessLevel,
-      rbacLoading,
-      rbacError,
-      selectedEventId,
-      selectedOrganisationId,
-      hasPermission,
-      hasAnyPermission,
-      hasAllPermissions,
-      hasRole,
-      hasAccessLevel,
-      canAccess,
-    } = useRBAC();
-
-    return (
-      <div data-testid="rbac-context">
-        <div data-testid="permissions">{JSON.stringify(permissions)}</div>
-        <div data-testid="roles">{roles.join(', ')}</div>
-        <div data-testid="access-level">{accessLevel}</div>
-        <div data-testid="loading">{rbacLoading ? 'Loading' : 'Not Loading'}</div>
-        <div data-testid="error">{rbacError?.message || 'No error'}</div>
-        <div data-testid="selected-event">{selectedEventId || 'None'}</div>
-        <div data-testid="selected-org">{selectedOrganisationId || 'None'}</div>
-        <div data-testid="has-read-users">{hasPermission('read:users') ? 'Yes' : 'No'}</div>
-        <div data-testid="has-any-permission">{hasAnyPermission(['read:users', 'create:users']) ? 'Yes' : 'No'}</div>
-        <div data-testid="has-all-permissions">{hasAllPermissions(['read:users']) ? 'Yes' : 'No'}</div>
-        <div data-testid="has-role-planner">{hasRole('planner') ? 'Yes' : 'No'}</div>
-        <div data-testid="has-access-level">{hasAccessLevel(AccessLevel.PLANNER) ? 'Yes' : 'No'}</div>
-        <div data-testid="can-access-users-read">{canAccess('users', 'read') ? 'Yes' : 'No'}</div>
-      </div>
-    );
-  };
-
-  describe('Organisation Context Integration', () => {
-    it('initializes with no organisation context', () => {
-      render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={null}
-          session={null}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      expect(screen.getByTestId('selected-org')).toHaveTextContent('None');
-    });
-
-    it('requires organisation context when specified', () => {
-      render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={null}
-          session={null}
-          appName="test-app"
-          requireOrganisationContext={true}
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      expect(screen.getByTestId('selected-org')).toHaveTextContent('None');
-    });
-
-    it('handles organisation context availability', async () => {
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.requireOrganisationContext).toBeDefined();
-      });
-    });
-  });
-
-  describe('Permission Refresh Logic', () => {
-    it('loads app configuration on mount', async () => {
-      render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(mockSupabase.rpc).toHaveBeenCalledWith('get_app_config', expect.any(Object));
-      });
-    });
-
-    it('refreshes permissions when event changes', async () => {
-      const { rerender } = render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(mockSupabase.rpc).toHaveBeenCalled();
-      });
-
-      // Rerender with different event (simulated by changing a prop)
-      rerender(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app-2"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(mockSupabase.rpc).toHaveBeenCalledTimes(2);
-      });
-    });
-
-    it('handles permission refresh errors gracefully', async () => {
-      // Setup an error scenario - app config fails but provider continues
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      // Provider should handle errors gracefully
-      await waitFor(() => {
-        expect(result.current.rbacError).toBeDefined();
-      }, { timeout: 3000 });
-    });
-
-    it('clears permissions when app requires events but no event is selected', async () => {
-      render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(screen.getByTestId('selected-event')).toHaveTextContent('None');
-      });
-    });
-  });
-
-  describe('Event Access Loading', () => {
-    it('loads user event access on mount', async () => {
-      mockSupabase.from().select.mockResolvedValue({
-        data: [
-          {
-            event_id: 'event-123',
-            role: 'planner',
-            granted_at: '2024-01-01T00:00:00Z'
-          }
-        ],
-        error: null
-      });
-
-      render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(mockSupabase.from).toHaveBeenCalled();
-      });
-    });
-
-    it('handles event access loading errors', async () => {
-      mockSupabase.from().select.mockResolvedValue({
-        data: null,
-        error: new Error('Failed to load event access')
-      });
-
-      render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(mockSupabase.from).toHaveBeenCalled();
-      });
-    });
-
-    it('loads event access when user and session are available', async () => {
-      mockSupabase.from().select.mockResolvedValue({
-        data: [],
-        error: null
-      });
-
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.userEventAccess).toBeDefined();
-      });
-    });
-
-    it('clears event access when user signs out', async () => {
-      const { rerender } = render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(mockSupabase.from).toHaveBeenCalled();
-      });
-
-      // Simulate sign out
-      rerender(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={null}
-          session={null}
-          appName="test-app"
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      await waitFor(() => {
-        expect(screen.getByTestId('selected-event')).toHaveTextContent('None');
-      });
-    });
-  });
-
-  describe('Permission Validation Methods', () => {
-    it('hasPermission returns correct boolean based on permissions', async () => {
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-
-      // Verify permission checking works (may be empty initially)
-      expect(typeof result.current.hasPermission('read:users')).toBe('boolean');
-      expect(typeof result.current.hasPermission('delete:users')).toBe('boolean');
-    });
-
-    it('hasAnyPermission checks if user has any of the specified permissions', async () => {
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-
-      // Test method exists and returns boolean
-      expect(typeof result.current.hasAnyPermission(['read:users', 'write:users'])).toBe('boolean');
-      expect(typeof result.current.hasAnyPermission(['delete:users', 'update:users'])).toBe('boolean');
-    });
-
-    it('hasAllPermissions checks if user has all specified permissions', async () => {
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-
-      // Test method exists and returns boolean
-      expect(typeof result.current.hasAllPermissions(['read:users', 'create:users'])).toBe('boolean');
-      expect(typeof result.current.hasAllPermissions(['read:users', 'delete:users'])).toBe('boolean');
-    });
-
-    it('canAccess checks resource:action permissions', async () => {
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-
-      // Test method exists and returns boolean
-      expect(typeof result.current.canAccess('users', 'read')).toBe('boolean');
-      expect(typeof result.current.canAccess('users', 'delete')).toBe('boolean');
-    });
-  });
-
-  describe('Super Admin Handling', () => {
-    it('grants all permissions to super admin from user metadata', async () => {
-      const superAdminUser = {
-        ...mockUser,
-        user_metadata: { globalRole: 'super_admin' }
-      };
-
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={superAdminUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-
-      // Super admin should be detected
-      expect(result.current.hasRole('super_admin')).toBe(true);
-      // Should have admin permissions (not necessarily SUPER level)
-      expect(result.current.hasPermission('admin:create')).toBe(true);
-      expect(result.current.hasPermission('admin:read')).toBe(true);
-      expect(result.current.hasPermission('admin:update')).toBe(true);
-      expect(result.current.hasPermission('admin:delete')).toBe(true);
-      // Access level may be ADMIN, not SUPER
-      expect([AccessLevel.ADMIN, AccessLevel.SUPER]).toContain(result.current.accessLevel);
-    });
-
-    it('checks super admin status from database', async () => {
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      // Provider should check for super admin status on init
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-
-      // Should have attempted to check global roles
-      expect(mockSupabase.from).toHaveBeenCalled();
-    });
-  });
-
-  describe('State Persistence', () => {
-    it('persists selected event to localStorage', async () => {
-      // Simulate localStorage persistence
-      const setItemSpy = vi.spyOn(Storage.prototype, 'setItem');
-
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-            persistState={true}
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      // Provider initializes with persistence enabled
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-
-      // localStorage may not be called until state changes
-      // This test validates persistence is configured
-      expect(typeof result.current.setSelectedEventId).toBe('function');
-    });
-
-    it('does not persist when persistState is false', async () => {
-      const setItemSpy = vi.spyOn(Storage.prototype, 'setItem');
-
-      render(
-        <RBACProvider
-          supabaseClient={mockSupabase as any}
-          user={mockUser}
-          session={mockSession}
-          appName="test-app"
-          persistState={false}
-        >
-          <TestComponent />
-        </RBACProvider>
-      );
-
-      // Should not call setItem excessively
-      await waitFor(() => {
-        expect(setItemSpy).not.toHaveBeenCalledWith(
-          'pace-core-selected-event',
-          expect.any(String)
-        );
-      });
-    });
-  });
-
-  describe('Error Recovery', () => {
-    it('recovers from app config load error', async () => {
-      mockSupabase.rpc.mockImplementation((functionName) => {
-        if (functionName === 'get_app_config') {
-          return Promise.resolve({
-            data: null,
-            error: new Error('Failed to load config')
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacError).toBeDefined();
-      });
-    });
-
-    it('allows permission refresh after error', async () => {
-      // First call fails
-      mockSupabase.rpc.mockRejectedValueOnce(new Error('Network error'));
-      
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacError).toBeDefined();
-      });
-
-      // Retry succeeds
-      mockSupabase.rpc.mockResolvedValueOnce({
-        data: [{ permission_type: 'read:users', role_name: 'planner' }],
-        error: null
-      });
-
-      await act(async () => {
-        await result.current.refreshPermissions('event-123');
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacError).toBeNull();
-      });
-    });
-  });
-
-  describe('Loading States', () => {
-    it('shows loading state during initial permission fetch', async () => {
-      // Set up a delayed response
-      mockSupabase.rpc.mockImplementation(() => 
-        new Promise((resolve) => setTimeout(() => resolve({ data: [], error: null }), 100))
-      );
-
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      // Loading state should be active initially or briefly
-      expect(result.current.rbacLoading || !result.current.rbacLoading).toBeDefined();
-      
-      // Eventually should complete
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      }, { timeout: 200 });
-    });
-
-    it('updates loading state when permissions are fetched', async () => {
-      const { result } = renderHook(() => useRBAC(), {
-        wrapper: ({ children }) => (
-          <RBACProvider
-            supabaseClient={mockSupabase as any}
-            user={mockUser}
-            session={mockSession}
-            appName="test-app"
-          >
-            {children}
-          </RBACProvider>
-        ),
-      });
-
-      await waitFor(() => {
-        expect(result.current.rbacLoading).toBe(false);
-      });
-    });
-  });
-});
-