@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/rbac/hooks/useRBAC.ts

@@ -4,111 +4,84 @@
  * @module RBAC/Hooks
  * @since 0.3.0
  *
- * A React hook that provides access to the new RBAC (Role-Based Access Control) system.
- * This hook integrates with the database to provide real-time role and permission information.
- *
- * Features:
- * - Real-time role detection (global, organisation, event-app)
- * - Permission checking with database validation
- * - Hierarchical permission resolution
- * - Loading states and error handling
- * - Type-safe permission operations
- * - Automatic context detection
- *
- * @example
- * ```tsx
- * import { useRBAC } from '@jmruthers/pace-core/rbac';
- * 
- * function MyComponent() {
- *   const {
- *     globalRole,
- *     organisationRole,
- *     eventAppRole,
- *     hasPermission,
- *     isSuperAdmin,
- *     isLoading,
- *     error
- *   } = useRBAC();
- * 
- *   if (isLoading) return <div>Loading permissions...</div>;
- *   if (error) return <div>Error: {error.message}</div>;
- * 
- *   return (
- *     <div>
- *       {isSuperAdmin && <AdminPanel />}
- *       {hasPermission('read', 'dashboard') && <Dashboard />}
- *       {hasPermission('create', 'events') && <CreateEventButton />}
- *     </div>
- *   );
- * }
- * ```
- *
- * @accessibility
- * - No direct accessibility concerns (hook)
- * - Enables accessible permission-based UI rendering
- * - Supports screen reader friendly conditional content
- *
- * @security
- * - Database-backed permission validation
- * - Hierarchical permission resolution
- * - Organisation context enforcement
- * - Real-time permission updates
- *
- * @performance
- * - Optimized with useMemo and useCallback
- * - Permission caching
- * - Minimal re-renders
- * - Lazy loading of permissions
- *
- * @dependencies
- * - React 18+ - Hooks and effects
- * - @supabase/supabase-js - Database integration
- * - RBAC types - Type definitions
+ * A React hook that provides access to the RBAC (Role-Based Access Control) system
+ * through the hardened RBAC engine API. The hook defers all permission and role
+ * resolution to the shared engine to ensure consistent security behaviour across
+ * applications.
  */
 
 import { useState, useEffect, useCallback, useMemo } from 'react';
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
-import type { 
-  UserRBACContext, 
-  GlobalRole, 
-  OrganisationRole, 
-  EventAppRole, 
+import {
+  getPermissionMap,
+  getAccessLevel,
+  isPermittedCached,
+  resolveAppContext,
+  getRoleContext,
+} from '../api';
+import { getRBACLogger } from '../config';
+import type {
+  UserRBACContext,
+  GlobalRole,
+  OrganisationRole,
+  EventAppRole,
   Operation,
-  RBACPermission 
+  Permission,
+  Scope,
+  PermissionMap,
+  UUID,
 } from '../types';
 
+function mapAccessLevelToEventRole(level: string | null): EventAppRole | null {
+  switch (level) {
+    case 'viewer':
+      return 'viewer';
+    case 'participant':
+      return 'participant';
+    case 'planner':
+      return 'planner';
+    case 'admin':
+    case 'super':
+      return 'event_admin';
+    default:
+      return null;
+  }
+}
+
 export function useRBAC(pageId?: string): UserRBACContext {
-  const { user, session, supabase, appName } = useUnifiedAuth();
+  const logger = getRBACLogger();
+  const { user, session, appName } = useUnifiedAuth();
   const { selectedOrganisation } = useOrganisations();
-  
-  // Try to get events context, but don't fail if not available
-  let selectedEvent = null;
+
+  let selectedEvent: { event_id: string } | null = null;
   try {
     const eventsContext = useEvents();
     selectedEvent = eventsContext.selectedEvent;
   } catch (error) {
-    // EventProvider not available, continue without event context
-    console.debug('useRBAC: EventProvider not available, continuing without event context');
+    logger.debug('[useRBAC] Event provider not available, continuing without event context', error);
   }
-  
-  // State
+
   const [globalRole, setGlobalRole] = useState<GlobalRole | null>(null);
   const [organisationRole, setOrganisationRole] = useState<OrganisationRole | null>(null);
   const [eventAppRole, setEventAppRole] = useState<EventAppRole | null>(null);
-  const [permissions, setPermissions] = useState<RBACPermission[]>([]);
+  const [permissionMap, setPermissionMap] = useState<PermissionMap>({} as PermissionMap);
+  const [currentScope, setCurrentScope] = useState<Scope | null>(null);
   const [isLoading, setIsLoading] = useState(false);
   const [error, setError] = useState<Error | null>(null);
 
-  // Load RBAC context
+  const resetState = useCallback(() => {
+    setGlobalRole(null);
+    setOrganisationRole(null);
+    setEventAppRole(null);
+    setPermissionMap({} as PermissionMap);
+    setCurrentScope(null);
+  }, []);
+
   const loadRBACContext = useCallback(async () => {
-    if (!user || !session || !supabase || !appName) {
-      console.log('[useRBAC] Missing required dependencies, clearing RBAC state');
-      setGlobalRole(null);
-      setOrganisationRole(null);
-      setEventAppRole(null);
-      setPermissions([]);
+    if (!user || !session) {
+      resetState();
       return;
     }
 
@@ -116,144 +89,125 @@ export function useRBAC(pageId?: string): UserRBACContext {
     setError(null);
 
     try {
-      // First resolve app name to app_id using secure RPC function
-      const { data: appData, error: appError } = await supabase.rpc('util_app_resolve', {
-        p_app_name: appName,
-        p_user_id: user.id
-      });
-
-      if (appError || !appData || appData.length === 0) {
-        console.warn('App not found or inactive:', appName);
-        setIsLoading(false);
-        return;
-      }
-
-      const app = appData[0];
-      if (!app.has_access) {
-        console.warn('User does not have access to app:', appName);
-        setIsLoading(false);
-        return;
+      let appId: UUID | undefined;
+      if (appName) {
+        const resolved = await resolveAppContext({ userId: user.id as UUID, appName });
+        if (!resolved || !resolved.hasAccess) {
+          throw new Error(`User does not have access to app "${appName}"`);
+        }
+        appId = resolved.appId;
       }
 
-      const { data, error: rpcError } = await supabase.rpc('rbac_permissions_get', {
-        p_user_id: user.id,
-        p_app_id: app.app_id,
-        p_event_id: selectedEvent?.event_id || null,
-        p_organisation_id: selectedOrganisation?.id || null
-      });
-
-      if (rpcError) {
-        throw new Error(`Failed to load RBAC permissions: ${rpcError.message}`);
-      }
-
-      if (data) {
-        // Extract roles from permissions based on permission_type
-        const globalPerms = data.filter((p: RBACPermission) => p.permission_type === 'all_permissions');
-        const orgPerms = data.filter((p: RBACPermission) => p.permission_type === 'organisation_access');
-        const eventPerms = data.filter((p: RBACPermission) => p.permission_type === 'event_app_access');
-
-        // Set roles (take the highest permission for each type)
-        setGlobalRole(globalPerms.length > 0 ? 'super_admin' : null);
-        setOrganisationRole(orgPerms.length > 0 ? orgPerms[0].role_name as OrganisationRole : null);
-        setEventAppRole(eventPerms.length > 0 ? eventPerms[0].role_name as EventAppRole : null);
-        setPermissions(data);
-      } else {
-        setPermissions([]);
-      }
+      const scope: Scope = {
+        organisationId: selectedOrganisation?.id,
+        eventId: selectedEvent?.event_id || undefined,
+        appId,
+      };
+      setCurrentScope(scope);
+
+      const [map, roleContext, accessLevel] = await Promise.all([
+        getPermissionMap({ userId: user.id as UUID, scope }),
+        getRoleContext({ userId: user.id as UUID, scope }),
+        getAccessLevel({ userId: user.id as UUID, scope }),
+      ]);
+
+      setPermissionMap(map);
+      setGlobalRole(roleContext.globalRole);
+      setOrganisationRole(roleContext.organisationRole);
+      setEventAppRole(roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel));
     } catch (err) {
-      console.error('RBAC Context Loading Error:', err);
-      setError(err instanceof Error ? err : new Error('Unknown error loading RBAC context'));
-      setPermissions([]);
+      const handledError = err instanceof Error ? err : new Error('Failed to load RBAC context');
+      logger.error('[useRBAC] Error loading RBAC context:', handledError);
+      setError(handledError);
+      resetState();
     } finally {
       setIsLoading(false);
     }
-  }, [user?.id, session, supabase, appName, selectedEvent?.event_id, selectedOrganisation?.id, pageId]);
+  }, [appName, logger, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user]);
 
-  // Permission checking function
-  const hasPermission = useCallback(async (operation: Operation, targetPageId?: string): Promise<boolean> => {
-    if (!user || !session || !supabase || !appName) return false;
+  const hasPermission = useCallback(
+    async (operationOrPermission: Operation | string, targetPageId?: string): Promise<boolean> => {
+      if (!user) {
+        logger.warn('[useRBAC] Permission check attempted without authenticated user context');
+        return false;
+      }
 
-    // Super admin has all permissions
-    if (globalRole === 'super_admin') {
-      return true;
-    }
+      if (!currentScope || !currentScope.organisationId) {
+        logger.error('[useRBAC] Permission check denied due to missing organisation context', {
+          hasScope: !!currentScope,
+          scope: currentScope,
+          userId: user.id,
+          permission: operationOrPermission,
+        });
+        return false;
+      }
 
-    try {
-      // First resolve app name to app_id using secure RPC function
-      const { data: appData, error: appError } = await supabase.rpc('util_app_resolve', {
-        p_app_name: appName,
-        p_user_id: user.id
-      });
+      if (globalRole === 'super_admin' || permissionMap['*']) {
+        logger.info('[useRBAC] Super admin bypass granted', {
+          userId: user.id,
+          permission: operationOrPermission,
+        });
+        return true;
+      }
 
-      if (appError || !appData || appData.length === 0) {
-        console.warn('App not found or inactive:', appName);
-        return false;
+      let permission: Permission;
+      if (operationOrPermission.includes(':')) {
+        permission = operationOrPermission as Permission;
+      } else if (targetPageId || pageId) {
+        permission = `${operationOrPermission}:${targetPageId || pageId}` as Permission;
+      } else {
+        permission = operationOrPermission as Permission;
       }
 
-      const app = appData[0];
-      if (!app.has_access) {
-        console.warn('User does not have access to app:', appName);
+      const cachedValue = permissionMap[permission];
+      if (cachedValue === true) {
+        return true;
+      }
+      if (cachedValue === false) {
         return false;
       }
 
-      const { data, error } = await supabase.rpc('rbac_page_access_check', {
-        p_user_id: user.id,
-        p_app_id: app.app_id,
-        p_page_id: targetPageId || pageId || 'default',
-        p_operation: operation,
-        p_event_id: selectedEvent?.event_id,
-        p_organisation_id: selectedOrganisation?.id
+      return isPermittedCached({
+        userId: user.id as UUID,
+        scope: currentScope,
+        permission,
+        pageId: targetPageId ?? pageId,
       });
+    },
+    [currentScope, globalRole, logger, pageId, permissionMap, user],
+  );
 
-      if (error) {
-        console.error('Permission check failed:', error);
-        return false;
+  const hasGlobalPermission = useCallback(
+    (permission: string): boolean => {
+      if (globalRole === 'super_admin' || permissionMap['*']) {
+        return true;
       }
 
-      return data === true;
-    } catch (err) {
-      console.error('Permission check error:', err);
-      return false;
-    }
-  }, [user, supabase, appName, selectedEvent, selectedOrganisation, pageId, globalRole]);
+      if (permission === 'super_admin') {
+        return globalRole === 'super_admin';
+      }
 
-  // Simple permission check for global roles (synchronous)
-  const hasGlobalPermission = useCallback((permission: string): boolean => {
-    // Super admin has all permissions
-    if (globalRole === 'super_admin') {
-      return true;
-    }
-    
-    // Check specific global roles
-    if (permission === 'super_admin') {
-      return globalRole === 'super_admin';
-    }
-    
-    if (permission === 'org_admin') {
-      return organisationRole === 'org_admin' || globalRole === 'super_admin';
-    }
-    
-    return false;
-  }, [globalRole, organisationRole]);
+      if (permission === 'org_admin') {
+        return organisationRole === 'org_admin';
+      }
 
-  // Computed properties
-  const isSuperAdmin = useMemo(() => globalRole === 'super_admin', [globalRole]);
-  const isOrgAdmin = useMemo(() => organisationRole === 'org_admin', [organisationRole]);
-  const isEventAdmin = useMemo(() => eventAppRole === 'event_admin', [eventAppRole]);
-  const canManageOrganisation = useMemo(() => 
-    isSuperAdmin || isOrgAdmin, [isSuperAdmin, isOrgAdmin]
-  );
-  const canManageEvent = useMemo(() => 
-    isSuperAdmin || isEventAdmin, [isSuperAdmin, isEventAdmin]
+      return permissionMap[permission as Permission] === true;
+    },
+    [globalRole, organisationRole, permissionMap],
   );
 
-  // Load context when dependencies change
+  const isSuperAdmin = useMemo(() => globalRole === 'super_admin' || permissionMap['*'] === true, [globalRole, permissionMap]);
+  const isOrgAdmin = useMemo(() => organisationRole === 'org_admin' || isSuperAdmin, [organisationRole, isSuperAdmin]);
+  const isEventAdmin = useMemo(() => eventAppRole === 'event_admin' || isSuperAdmin, [eventAppRole, isSuperAdmin]);
+  const canManageOrganisation = useMemo(() => isSuperAdmin || organisationRole === 'org_admin', [isSuperAdmin, organisationRole]);
+  const canManageEvent = useMemo(() => isSuperAdmin || eventAppRole === 'event_admin', [isSuperAdmin, eventAppRole]);
+
   useEffect(() => {
     loadRBACContext();
   }, [loadRBACContext]);
 
   return {
-    user, // Add user to the returned context
+    user,
     globalRole,
     organisationRole,
     eventAppRole,
@@ -265,6 +219,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
     canManageOrganisation,
     canManageEvent,
     isLoading,
-    error
+    error,
   };
 }

package/src/rbac/hooks/useResolvedScope.ts

@@ -144,8 +144,17 @@ export function useResolvedScope({
           }
         }
 
+        // Debug logging
+        console.log('[useResolvedScope] Attempting to resolve scope:', {
+          selectedOrganisationId,
+          selectedEventId,
+          appId: appId || 'NOT RESOLVED YET',
+          resolveStep: 'initial'
+        });
+
         // If we have both organisation and event, use them directly
         if (selectedOrganisationId && selectedEventId) {
+          console.log('[useResolvedScope] Resolving with both org and event');
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -159,6 +168,7 @@ export function useResolvedScope({
 
         // If we only have organisation, use it
         if (selectedOrganisationId) {
+          console.log('[useResolvedScope] Resolving with organisation only');
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -173,6 +183,7 @@ export function useResolvedScope({
         // If we only have event, resolve organisation from event
         if (selectedEventId && supabase) {
           try {
+            console.log('[useResolvedScope] Resolving from event:', { selectedEventId, appId });
             const eventScope = await createScopeFromEvent(supabase, selectedEventId, appId);
             if (!eventScope) {
               console.error('[useResolvedScope] Could not resolve organization from event context');
@@ -183,6 +194,7 @@ export function useResolvedScope({
               }
               return;
             }
+            console.log('[useResolvedScope] Resolved from event:', eventScope);
             // Preserve the resolved app ID
             if (!cancelled) {
               setResolvedScope({

package/src/rbac/index.ts

@@ -71,14 +71,15 @@ export {
   createRBACEngine,
 } from './engine';
 
-// Components (NEW - Phase 1 & 2)
+// Components
 export * from './components';
 
-// Hooks - Consolidated from rbac/hooks/
+// Hooks
 export * from './hooks';
 
-// Providers - Consolidated from rbac/providers/
-export * from './providers';
+// Providers - Note: RBACProvider was removed as part of the refactoring
+// Users should now use useRBAC() hook directly without a provider wrapper
+// export * from './providers';
 
 // Adapters
 export {
@@ -97,6 +98,8 @@ export {
 export {
   getAccessLevel,
   getPermissionMap,
+  resolveAppContext,
+  getRoleContext,
   isPermitted,
   isPermittedCached,
   hasPermission,

package/src/rbac/security.ts

@@ -176,7 +176,17 @@ export class RBACSecurityValidator {
    * @param event - Security event details
    */
   static logSecurityEvent(event: {
-    type: 'permission_denied' | 'invalid_input' | 'rate_limit_exceeded' | 'suspicious_activity';
+    type:
+      | 'permission_denied'
+      | 'invalid_input'
+      | 'rate_limit_exceeded'
+      | 'suspicious_activity'
+      | 'network_error'
+      | 'database_error'
+      | 'validation_error'
+      | 'rate_limit_error'
+      | 'authentication_error'
+      | 'unknown_error';
     userId: UUID;
     details: Record<string, any>;
     timestamp?: Date;
@@ -205,10 +215,17 @@ export class RBACSecurityValidator {
       case 'permission_denied':
         return 'low';
       case 'invalid_input':
-        return 'medium';
       case 'rate_limit_exceeded':
+      case 'rate_limit_error':
+      case 'network_error':
         return 'medium';
+      case 'validation_error':
+        return 'high';
+      case 'authentication_error':
+      case 'database_error':
+        return 'critical';
       case 'suspicious_activity':
+      case 'unknown_error':
         return 'high';
       default:
         return 'low';
@@ -243,7 +260,7 @@ export const DEFAULT_SECURITY_CONFIG: RBACSecurityConfig = {
  */
 export interface SecurityContext {
   userId: UUID;
-  organisationId: UUID;
+  organisationId?: UUID; // Optional for operations without organisation context
   ipAddress?: string;
   userAgent?: string;
   timestamp: Date;
@@ -257,6 +274,17 @@ export class RBACSecurityMiddleware {
 
   constructor(config: RBACSecurityConfig = DEFAULT_SECURITY_CONFIG) {
     this.config = config;
+    this._startCleanupInterval();
+  }
+
+  /**
+   * Start periodic cleanup of expired entries
+   */
+  private _startCleanupInterval(): void {
+    // Clear expired entries every 5 minutes
+    setInterval(() => {
+      this.clearExpiredEntries();
+    }, 5 * 60 * 1000);
   }
 
   /**
@@ -271,30 +299,33 @@ export class RBACSecurityMiddleware {
   }> {
     const errors: string[] = [];
 
-    if (!this.config.enableInputValidation) {
-      return { isValid: true, errors: [] };
-    }
-
-    // Validate user ID
+    // Core validations are always enforced regardless of configuration
     if (!RBACSecurityValidator.validateUserId(context.userId)) {
       errors.push('Invalid user ID format');
     }
 
-    // Validate organisation ID
-    if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
+    if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {
       errors.push('Invalid organisation ID format');
     }
 
-    // Validate permission if present
     if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {
       errors.push('Invalid permission format');
     }
 
-    // Validate scope if present
     if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {
       errors.push('Invalid scope format');
     }
 
+    if (this.config.enableInputValidation) {
+      if (context.ipAddress && typeof context.ipAddress !== 'string') {
+        errors.push('Invalid IP address format');
+      }
+
+      if (context.userAgent && typeof context.userAgent !== 'string') {
+        errors.push('Invalid user agent format');
+      }
+    }
+
     // Log suspicious activity
     if (errors.length > 0) {
       RBACSecurityValidator.logSecurityEvent({
@@ -323,18 +354,78 @@ export class RBACSecurityMiddleware {
       return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };
     }
 
-    // TODO: Implement actual rate limiting logic
-    const isAllowed = await RBACSecurityValidator.checkRateLimit(
-      context.userId,
-      'permission_check'
-    );
+    // Implementation: In-memory rate limiting with sliding window
+    // For production, consider using Redis or Supabase Edge Functions
+    const isAllowed = await this._checkRateLimitInternal(context.userId);
+    
+    const remaining = isAllowed ? this.config.maxPermissionChecksPerMinute - this._getRequestCount(context.userId) : 0;
 
     return {
       isAllowed,
-      remaining: this.config.maxPermissionChecksPerMinute,
+      remaining: Math.max(0, remaining),
     };
   }
 
+  /**
+   * In-memory rate limiting cache (sliding window)
+   * Note: For production, this should use Redis or Supabase Edge Functions
+   */
+  private rateLimitCache = new Map<UUID, Array<{ timestamp: number }>>();
+
+  private async _checkRateLimitInternal(userId: UUID): Promise<boolean> {
+    const now = Date.now();
+    const windowMs = 60 * 1000; // 1 minute window
+
+    // Get or create rate limit entries for this user
+    const entries = this.rateLimitCache.get(userId) || [];
+    
+    // Remove entries outside the time window
+    const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);
+    
+    // Check if user exceeded rate limit
+    const requestCount = validEntries.length;
+    const isAllowed = requestCount < this.config.maxPermissionChecksPerMinute;
+    
+    // If allowed, add current request
+    if (isAllowed) {
+      validEntries.push({ timestamp: now });
+    }
+    
+    // Update cache
+    this.rateLimitCache.set(userId, validEntries);
+    
+    return isAllowed;
+  }
+
+  private _getRequestCount(userId: UUID): number {
+    const now = Date.now();
+    const windowMs = 60 * 1000; // 1 minute window
+    
+    const entries = this.rateLimitCache.get(userId) || [];
+    const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);
+    
+    return validEntries.length;
+  }
+
+  /**
+   * Clear old rate limit entries to prevent memory leaks
+   * Should be called periodically (e.g., every 5 minutes)
+   */
+  private clearExpiredEntries(): void {
+    const now = Date.now();
+    const windowMs = 60 * 1000; // 1 minute window
+    
+    for (const [userId, entries] of this.rateLimitCache.entries()) {
+      const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);
+      
+      if (validEntries.length === 0) {
+        this.rateLimitCache.delete(userId);
+      } else {
+        this.rateLimitCache.set(userId, validEntries);
+      }
+    }
+  }
+
   /**
    * Sanitize input data
    * @param input - Input to sanitize