@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/rbac/errors.ts

@@ -0,0 +1,156 @@
+import {
+  RBACError,
+  PermissionDeniedError,
+  OrganisationContextRequiredError,
+  InvalidScopeError,
+  MissingUserContextError,
+} from './types';
+
+export enum RBACErrorCategory {
+  NETWORK = 'network_error',
+  DATABASE = 'database_error',
+  VALIDATION = 'validation_error',
+  RATE_LIMIT = 'rate_limit_error',
+  AUTHENTICATION = 'authentication_error',
+  AUTHORIZATION = 'authorization_error',
+  UNKNOWN = 'unknown_error',
+}
+
+const RATE_LIMIT_STATUS_CODES = new Set([429]);
+const AUTH_STATUS_CODES = new Set([401]);
+const AUTHZ_STATUS_CODES = new Set([403]);
+
+function normalize(value: unknown): string {
+  if (!value) {
+    return '';
+  }
+  if (typeof value === 'string') {
+    return value.toLowerCase();
+  }
+  if (value instanceof Error && typeof value.message === 'string') {
+    return value.message.toLowerCase();
+  }
+  return String(value).toLowerCase();
+}
+
+export function categorizeError(error: unknown): RBACErrorCategory {
+  if (error instanceof PermissionDeniedError) {
+    return RBACErrorCategory.AUTHORIZATION;
+  }
+
+  if (error instanceof OrganisationContextRequiredError || error instanceof InvalidScopeError) {
+    return RBACErrorCategory.VALIDATION;
+  }
+
+  if (error instanceof MissingUserContextError) {
+    return RBACErrorCategory.AUTHENTICATION;
+  }
+
+  if (error instanceof RBACError) {
+    switch (error.code) {
+      case 'PERMISSION_DENIED':
+        return RBACErrorCategory.AUTHORIZATION;
+      case 'ORGANISATION_CONTEXT_REQUIRED':
+      case 'INVALID_SCOPE':
+        return RBACErrorCategory.VALIDATION;
+      case 'MISSING_USER_CONTEXT':
+        return RBACErrorCategory.AUTHENTICATION;
+      default:
+        break;
+    }
+  }
+
+  if (error && typeof error === 'object') {
+    const status = (error as { status?: number }).status;
+    if (typeof status === 'number') {
+      if (RATE_LIMIT_STATUS_CODES.has(status)) {
+        return RBACErrorCategory.RATE_LIMIT;
+      }
+      if (AUTH_STATUS_CODES.has(status)) {
+        return RBACErrorCategory.AUTHENTICATION;
+      }
+      if (AUTHZ_STATUS_CODES.has(status)) {
+        return RBACErrorCategory.AUTHORIZATION;
+      }
+      if (status >= 500) {
+        return RBACErrorCategory.DATABASE;
+      }
+    }
+
+    const codeValue = normalize((error as { code?: string }).code);
+    if (codeValue) {
+      if (codeValue.includes('network')) {
+        return RBACErrorCategory.NETWORK;
+      }
+      if (codeValue.includes('postgres') || codeValue.includes('database') || codeValue.includes('db')) {
+        return RBACErrorCategory.DATABASE;
+      }
+      if (codeValue.includes('rate')) {
+        return RBACErrorCategory.RATE_LIMIT;
+      }
+      if (codeValue.includes('auth')) {
+        return RBACErrorCategory.AUTHENTICATION;
+      }
+      if (codeValue.includes('permission')) {
+        return RBACErrorCategory.AUTHORIZATION;
+      }
+      if (codeValue.includes('scope') || codeValue.includes('invalid')) {
+        return RBACErrorCategory.VALIDATION;
+      }
+    }
+  }
+
+  const message = normalize(error);
+  if (message.includes('timeout') || message.includes('network') || message.includes('fetch')) {
+    return RBACErrorCategory.NETWORK;
+  }
+  if (message.includes('postgres') || message.includes('database') || message.includes('connection')) {
+    return RBACErrorCategory.DATABASE;
+  }
+  if (message.includes('rate limit') || message.includes('too many requests')) {
+    return RBACErrorCategory.RATE_LIMIT;
+  }
+  if (message.includes('permission') || message.includes('forbidden')) {
+    return RBACErrorCategory.AUTHORIZATION;
+  }
+  if (message.includes('auth') || message.includes('token') || message.includes('session')) {
+    return RBACErrorCategory.AUTHENTICATION;
+  }
+  if (message.includes('invalid') || message.includes('scope') || message.includes('validation')) {
+    return RBACErrorCategory.VALIDATION;
+  }
+
+  return RBACErrorCategory.UNKNOWN;
+}
+
+export type SecurityEventType =
+  | 'permission_denied'
+  | 'invalid_input'
+  | 'rate_limit_exceeded'
+  | 'suspicious_activity'
+  | 'network_error'
+  | 'database_error'
+  | 'validation_error'
+  | 'rate_limit_error'
+  | 'authentication_error'
+  | 'unknown_error';
+
+export function mapErrorCategoryToSecurityEventType(category: RBACErrorCategory): SecurityEventType {
+  switch (category) {
+    case RBACErrorCategory.AUTHORIZATION:
+      return 'permission_denied';
+    case RBACErrorCategory.NETWORK:
+      return 'network_error';
+    case RBACErrorCategory.DATABASE:
+      return 'database_error';
+    case RBACErrorCategory.VALIDATION:
+      return 'validation_error';
+    case RBACErrorCategory.RATE_LIMIT:
+      return 'rate_limit_error';
+    case RBACErrorCategory.AUTHENTICATION:
+      return 'authentication_error';
+    case RBACErrorCategory.UNKNOWN:
+    default:
+      return 'unknown_error';
+  }
+}

package/src/rbac/hooks/usePermissions.ts

@@ -47,7 +47,7 @@ import {
  * ```
  */
 export function usePermissions(userId: UUID, scope: Scope) {
-  const [permissions, setPermissions] = useState<PermissionMap>({});
+  const [permissions, setPermissions] = useState<PermissionMap>({} as PermissionMap);
   const [isLoading, setIsLoading] = useState(true);
   const [error, setError] = useState<Error | null>(null);
   const isFetchingRef = useRef(false);
@@ -60,7 +60,7 @@ export function usePermissions(userId: UUID, scope: Scope) {
       }
 
       if (!userId) {
-        setPermissions({});
+        setPermissions({} as PermissionMap);
         setIsLoading(false);
         return;
       }
@@ -68,7 +68,7 @@ export function usePermissions(userId: UUID, scope: Scope) {
       // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)
       // Return empty permissions and loading true for invalid scopes to prevent premature access denied
       if (!scope.organisationId || scope.organisationId.trim() === '') {
-        setPermissions({});
+        setPermissions({} as PermissionMap);
         setIsLoading(true);
         setError(null);
         return;
@@ -93,15 +93,24 @@ export function usePermissions(userId: UUID, scope: Scope) {
   }, [userId, scope.organisationId, scope.eventId, scope.appId]);
 
   const hasPermission = useCallback((permission: Permission): boolean => {
-    return !!permissions[permission];
+    if (permissions['*']) {
+      return true;
+    }
+    return permissions[permission] === true;
   }, [permissions]);
 
   const hasAnyPermission = useCallback((permissionList: Permission[]): boolean => {
-    return permissionList.some(p => !!permissions[p]);
+    if (permissions['*']) {
+      return true;
+    }
+    return permissionList.some(p => permissions[p] === true);
   }, [permissions]);
 
   const hasAllPermissions = useCallback((permissionList: Permission[]): boolean => {
-    return permissionList.every(p => !!permissions[p]);
+    if (permissions['*']) {
+      return true;
+    }
+    return permissionList.every(p => permissions[p] === true);
   }, [permissions]);
 
   const refetch = useCallback(async () => {
@@ -111,14 +120,14 @@ export function usePermissions(userId: UUID, scope: Scope) {
     }
 
     if (!userId) {
-      setPermissions({});
+      setPermissions({} as PermissionMap);
       setIsLoading(false);
       return;
     }
 
     // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)
     if (!scope.organisationId || scope.organisationId.trim() === '') {
-      setPermissions({});
+      setPermissions({} as PermissionMap);
       setIsLoading(true);
       setError(null);
       return;
@@ -220,6 +229,7 @@ export function useCan(
         // Don't check permissions if scope is invalid (e.g., organisationId is empty)
         // Return can: false and loading: true for invalid scopes to prevent premature access denied
         if (!scope.organisationId || scope.organisationId.trim() === '') {
+          console.log('[useCan] Invalid scope - organisationId is empty:', { scope, permission, pageId });
           setCan(false);
           setIsLoading(true);
           return;
@@ -229,12 +239,24 @@ export function useCan(
           setIsLoading(true);
           setError(null);
           
+          console.log('[useCan] Checking permission:', { 
+            userId, 
+            organisationId: scope.organisationId, 
+            eventId: scope.eventId, 
+            appId: scope.appId,
+            permission, 
+            pageId 
+          });
+          
           const result = useCache 
             ? await isPermittedCached({ userId, scope, permission, pageId })
             : await isPermitted({ userId, scope, permission, pageId });
           
+          console.log('[useCan] Permission check result:', { permission, result, pageId });
+          
           setCan(result);
         } catch (err) {
+          console.error('[useCan] Permission check error:', { permission, error: err });
           setError(err instanceof Error ? err : new Error('Failed to check permission'));
           setCan(false);
         } finally {
@@ -646,13 +668,13 @@ export function useCachedPermissions(userId: UUID, scope: Scope): {
   invalidateCache: () => void;
   refetch: () => Promise<void>;
 } {
-  const [permissions, setPermissions] = useState<PermissionMap>({});
+  const [permissions, setPermissions] = useState<PermissionMap>({} as PermissionMap);
   const [isLoading, setIsLoading] = useState(true);
   const [error, setError] = useState<Error | null>(null);
 
   const fetchCachedPermissions = useCallback(async () => {
     if (!userId) {
-      setPermissions({});
+      setPermissions({} as PermissionMap);
       setIsLoading(false);
       return;
     }