@jmruthers/pace-core 0.6.1 → 0.6.2

package/src/hooks/useSecureDataAccess.test.ts

@@ -1,559 +0,0 @@
-/**
- * @file Secure Data Access Hook Tests
- * @package @jmruthers/pace-core
- * @module Hooks/useSecureDataAccess
- * @since 0.4.0
- * 
- * Comprehensive tests for the useSecureDataAccess hook covering all critical functionality.
- */
-
-import { renderHook, waitFor } from '@testing-library/react';
-import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
-import { useSecureDataAccess } from './useSecureDataAccess';
-import { useUnifiedAuth } from '../providers';
-import { useOrganisations } from './useOrganisations';
-import { setOrganisationContext } from '../utils/context/organisationContext';
-import { createMockSupabaseClient, createMockQueryBuilderWithData } from '../__tests__/helpers/supabaseMock';
-import { useResolvedScope } from '../rbac/hooks/useResolvedScope';
-import { useOrganisationSecurity } from './useOrganisationSecurity';
-
-// Mock the providers
-vi.mock('../providers', () => ({
-  useUnifiedAuth: vi.fn()
-}));
-
-vi.mock('./useOrganisations', () => ({
-  useOrganisations: vi.fn()
-}));
-
-// Mock the organisation context utility
-vi.mock('../utils/context/organisationContext', () => ({
-  setOrganisationContext: vi.fn()
-}));
-
-// Mock useResolvedScope
-vi.mock('../rbac/hooks/useResolvedScope', () => ({
-  useResolvedScope: vi.fn()
-}));
-
-// Mock useOrganisationSecurity
-vi.mock('./useOrganisationSecurity', () => ({
-  useOrganisationSecurity: vi.fn()
-}));
-
-
-describe('useSecureDataAccess', () => {
-  const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
-  const mockUseOrganisations = vi.mocked(useOrganisations);
-  const mockSetOrganisationContext = vi.mocked(setOrganisationContext);
-  const mockUseResolvedScope = vi.mocked(useResolvedScope);
-  const mockUseOrganisationSecurity = vi.mocked(useOrganisationSecurity);
-
-  const mockUser = {
-    id: 'user-123',
-    email: 'test@example.com'
-  };
-
-  const mockSession = {
-    access_token: 'token-123',
-    refresh_token: 'refresh-123'
-  };
-
-  // Create proper thenable mock query builder
-  const mockQueryBuilder = createMockQueryBuilderWithData([{ id: 'record-123' }]);
-  const mockSupabase = createMockSupabaseClient([{ id: 'record-123' }]);
-  
-
-  const mockSelectedOrganisation = {
-    id: 'org-123',
-    name: 'Test Organisation'
-  };
-
-  let freshMockQueryBuilder: any;
-  let freshMockSupabase: any;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    
-    // Create a new query builder that we can track
-    freshMockQueryBuilder = createMockQueryBuilderWithData([{ id: 'record-123' }]);
-    
-    // Create Supabase client mock that returns our tracked builder
-    freshMockSupabase = {
-      from: vi.fn().mockReturnValue(freshMockQueryBuilder),
-      rpc: vi.fn().mockResolvedValue({ data: { result: 'success' }, error: null }),
-      auth: {
-        getUser: vi.fn().mockResolvedValue({ data: { user: null }, error: null }),
-        getSession: vi.fn().mockResolvedValue({ data: { session: null }, error: null }),
-        signIn: vi.fn().mockResolvedValue({ data: { user: null, session: null }, error: null }),
-        signOut: vi.fn().mockResolvedValue({ error: null }),
-        onAuthStateChange: vi.fn().mockReturnValue({ data: { subscription: { unsubscribe: vi.fn() } } })
-      }
-    };
-    
-    mockUseUnifiedAuth.mockReturnValue({
-      user: mockUser,
-      session: mockSession,
-      supabase: freshMockSupabase,
-      isAuthenticated: true,
-      signOut: vi.fn(),
-      // Add other required properties
-    } as any);
-
-    mockUseOrganisations.mockReturnValue({
-      selectedOrganisation: mockSelectedOrganisation,
-      getUserRole: vi.fn().mockReturnValue('member'),
-      validateOrganisationAccess: vi.fn().mockResolvedValue(true),
-      ensureOrganisationContext: vi.fn().mockReturnValue(mockSelectedOrganisation),
-      // Add other required properties
-    } as any);
-    
-    // Mock useResolvedScope to return resolved scope with organisationId
-    mockUseResolvedScope.mockReturnValue({
-      resolvedScope: {
-        organisationId: 'org-123',
-        eventId: undefined,
-        appId: undefined,
-      },
-      isLoading: false,
-      error: null,
-    });
-    
-    // Mock useOrganisationSecurity to return not super admin
-    mockUseOrganisationSecurity.mockReturnValue({
-      superAdminContext: { isSuperAdmin: false, hasGlobalAccess: false, canManageAllOrganisations: false },
-      validateOrganisationAccess: vi.fn(),
-      hasMinimumRole: vi.fn(),
-      canAccessChildOrganisations: vi.fn(),
-      checkPermission: vi.fn(),
-      getPermissions: vi.fn(),
-      logOrganisationAccess: vi.fn(),
-      canManageOrganisation: vi.fn(),
-    } as any);
-  });
-
-    describe('Hook Initialization', () => {
-    it('initializes with required dependencies', () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      expect(result.current).toBeDefined();
-      expect(result.current.secureQuery).toBeInstanceOf(Function);
-      expect(result.current.secureInsert).toBeInstanceOf(Function);
-      expect(result.current.secureUpdate).toBeInstanceOf(Function);
-      expect(result.current.secureDelete).toBeInstanceOf(Function);
-      expect(result.current.secureRpc).toBeInstanceOf(Function);
-      expect(result.current.getCurrentOrganisationId()).toBe('org-123');
-    });
-
-    it('depends on useUnifiedAuth hook', () => {
-      renderHook(() => useSecureDataAccess());
-      expect(mockUseUnifiedAuth).toHaveBeenCalled();
-    });
-
-    it('depends on useResolvedScope hook', () => {
-      renderHook(() => useSecureDataAccess());
-      // useSecureDataAccess now uses useResolvedScope instead of useOrganisations
-      expect(mockUseResolvedScope).toHaveBeenCalled();
-    });
-  });
-
-  describe('Secure Query Operations', () => {
-    it('executes secure query with organisation filtering', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureQuery('core_events', '*', { active: true });
-      
-      expect(freshMockSupabase.from).toHaveBeenCalledWith('core_events');
-      expect(freshMockQueryBuilder.select).toHaveBeenCalledWith('*');
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', 'org-123');
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('active', true);
-    });
-
-    it('executes secure query with custom filters', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureQuery('users', '*', { active: true });
-      
-      expect(freshMockSupabase.from).toHaveBeenCalledWith('users');
-      expect(freshMockQueryBuilder.select).toHaveBeenCalledWith('*');
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('active', true);
-    });
-
-    it('executes secure query with ordering', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureQuery('users', '*', {}, {
-        orderBy: 'created_at',
-        ascending: false
-      });
-      
-      expect(freshMockQueryBuilder.select).toHaveBeenCalledWith('*');
-    });
-
-    it('executes secure query with pagination', async () => {
-      const paginatedData = Array.from({ length: 10 }, (_, i) => ({ id: `record-${i + 20}` }));
-      
-      // Ensure range() returns a thenable that resolves with paginated data
-      // and that all chain methods (eq, select, etc.) maintain the range function
-      freshMockQueryBuilder.range = vi.fn().mockImplementation(function(min: number, max: number) {
-        const rangedBuilder = Object.assign({}, this, {
-          then: vi.fn().mockImplementation((resolve) => {
-            resolve({ data: paginatedData, error: null });
-          }),
-          catch: vi.fn(),
-          finally: vi.fn(),
-          range: freshMockQueryBuilder.range // Maintain range for further chaining if needed
-        });
-        return rangedBuilder;
-      });
-
-      // Ensure eq() returns this which has range()
-      freshMockQueryBuilder.eq = vi.fn().mockReturnThis();
-      freshMockQueryBuilder.select = vi.fn().mockReturnThis();
-      freshMockQueryBuilder.limit = vi.fn().mockReturnThis();
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureQuery('users', '*', {}, {
-        limit: 10,
-        offset: 20
-      });
-      
-      expect(freshMockQueryBuilder.select).toHaveBeenCalledWith('*');
-      expect(freshMockQueryBuilder.range).toHaveBeenCalledWith(20, 29); // offset to (offset + limit - 1)
-      expect(data).toEqual(paginatedData);
-    });
-
-    it('handles query errors gracefully', async () => {
-      // Create a query builder that rejects
-      const errorBuilder = createMockQueryBuilderWithData([], new Error('Query failed'));
-      freshMockSupabase.from.mockReturnValue(errorBuilder);
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await expect(result.current.secureQuery('users', '*')).rejects.toThrow('Query failed');
-    });
-  });
-
-  describe('Secure Insert Operations', () => {
-    it('executes secure insert with organisation context', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureInsert('users', { name: 'Test User' });
-      
-      expect(freshMockSupabase.from).toHaveBeenCalledWith('users');
-      expect(freshMockQueryBuilder.insert).toHaveBeenCalledWith({
-        name: 'Test User',
-        organisation_id: 'org-123'
-      });
-    });
-
-    it('handles insert errors gracefully', async () => {
-      // Create a query builder that rejects on single()
-      const errorBuilder = createMockQueryBuilderWithData(null, new Error('Insert failed'));
-      freshMockSupabase.from.mockReturnValue(errorBuilder);
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await expect(result.current.secureInsert('users', { name: 'Test User' })).rejects.toThrow('Insert failed');
-    });
-
-    it('prevents organisation_id override', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureInsert('users', { 
-        name: 'Test User',
-        organisation_id: 'malicious-org-id'
-      });
-      
-      expect(freshMockQueryBuilder.insert).toHaveBeenCalledWith({
-        name: 'Test User',
-        organisation_id: 'org-123' // Should override malicious value
-      });
-    });
-  });
-
-  describe('Secure Update Operations', () => {
-    it('executes secure update with organisation filtering', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureUpdate('core_events', { event_name: 'Updated Event' }, { id: 'event-123' });
-      
-      expect(freshMockSupabase.from).toHaveBeenCalledWith('core_events');
-      expect(freshMockQueryBuilder.update).toHaveBeenCalledWith({ event_name: 'Updated Event' });
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('id', 'event-123');
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', 'org-123');
-    });
-
-    it('handles update errors gracefully', async () => {
-      // Create a query builder that rejects
-      const errorBuilder = createMockQueryBuilderWithData([], new Error('Update failed'));
-      freshMockSupabase.from.mockReturnValue(errorBuilder);
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await expect(result.current.secureUpdate('users', { name: 'Updated User' }, { id: 'user-123' })).rejects.toThrow('Update failed');
-    });
-
-    it('prevents organisation_id updates', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureUpdate('users', { 
-        name: 'Updated User',
-        organisation_id: 'malicious-org-id'
-      }, { id: 'user-123' });
-      
-      expect(freshMockQueryBuilder.update).toHaveBeenCalledWith({
-        name: 'Updated User'
-        // organisation_id should be filtered out
-      });
-    });
-  });
-
-  describe('Secure Delete Operations', () => {
-    it('executes secure delete with organisation filtering', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await result.current.secureDelete('core_events', { id: 'event-123' });
-      
-      expect(freshMockSupabase.from).toHaveBeenCalledWith('core_events');
-      expect(freshMockQueryBuilder.delete).toHaveBeenCalled();
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('id', 'event-123');
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', 'org-123');
-    });
-
-    it('handles delete errors gracefully', async () => {
-      // Create a query builder that rejects
-      const errorBuilder = createMockQueryBuilderWithData([], new Error('Delete failed'));
-      freshMockSupabase.from.mockReturnValue(errorBuilder);
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await expect(result.current.secureDelete('users', { id: 'user-123' })).rejects.toThrow('Delete failed');
-    });
-  });
-
-  describe('Secure RPC Operations', () => {
-    it('executes secure RPC with organisation context', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      const data = await result.current.secureRpc('get_user_data', { user_id: 'user-123' });
-      
-      expect(freshMockSupabase.rpc).toHaveBeenCalledWith('get_user_data', {
-        user_id: 'user-123',
-        p_user_id: 'user-123',
-        organisation_id: 'org-123'
-      });
-    });
-
-    it('handles RPC errors gracefully', async () => {
-      // Mock error response - the RPC should reject with an error
-      freshMockSupabase.rpc.mockRejectedValue(new Error('RPC failed'));
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await expect(result.current.secureRpc('get_user_data')).rejects.toThrow('RPC failed');
-    });
-  });
-
-  describe('Organisation Context Management', () => {
-    it('sets organisation context before operations', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await result.current.secureQuery('users', '*');
-      
-      expect(mockSetOrganisationContext).toHaveBeenCalledWith(freshMockSupabase, 'org-123');
-    });
-
-    it('handles missing organisation context', () => {
-      mockUseUnifiedAuth.mockReturnValue({
-        user: mockUser,
-        session: mockSession,
-        supabase: freshMockSupabase,
-        isAuthenticated: true,
-        signOut: vi.fn(),
-        selectedOrganisation: null,
-        selectedEvent: null,
-      } as any);
-      
-      // Mock useResolvedScope to return null scope when no context available
-      mockUseResolvedScope.mockReturnValue({
-        resolvedScope: null,
-        isLoading: false,
-        error: null,
-      });
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      expect(() => result.current.getCurrentOrganisationId()).toThrow('Organisation context is required for data access');
-    });
-
-    it('validates organisation access before operations', async () => {
-      // The hook uses useResolvedScope to get organisationId, which is already mocked in beforeEach
-      // The validation happens in validateContext which checks resolvedScope.organisationId
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      // Use 'event' table which is in the tablesWithOrganisation list
-      await result.current.secureQuery('core_events', '*');
-      
-      // Verify that the query was executed with organisation filter
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', 'org-123');
-    });
-  });
-
-  describe('Error Handling', () => {
-    it('handles missing user context', () => {
-      mockUseUnifiedAuth.mockReturnValue({
-        user: null,
-        session: null,
-        supabase: null,
-        isAuthenticated: false,
-        signOut: vi.fn(),
-        // Add other required properties
-      } as any);
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      expect(() => result.current.getCurrentOrganisationId()).toThrow('No Supabase client available');
-    });
-
-    it('handles missing supabase client', () => {
-      mockUseUnifiedAuth.mockReturnValue({
-        user: mockUser,
-        session: mockSession,
-        supabase: null,
-        isAuthenticated: true,
-        signOut: vi.fn(),
-        // Add other required properties
-      } as any);
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      expect(() => result.current.getCurrentOrganisationId()).toThrow('No Supabase client available');
-    });
-
-    it('handles organisation access validation failures', async () => {
-      // Mock useResolvedScope to return null scope to simulate missing context
-      mockUseResolvedScope.mockReturnValue({
-        resolvedScope: null,
-        isLoading: false,
-        error: null,
-      });
-
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await expect(result.current.secureQuery('users', '*')).rejects.toThrow('Organisation context is required for data access');
-    });
-  });
-
-  describe('Security Features', () => {
-    it('prevents data leaks between organisations', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await result.current.secureQuery('core_events', '*');
-      
-      // Verify organisation_id filter is always applied
-      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', 'org-123');
-    });
-
-    it('prevents organisation_id manipulation in inserts', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await result.current.secureInsert('users', { 
-        name: 'Test User',
-        organisation_id: 'malicious-org-id'
-      });
-      
-      expect(freshMockQueryBuilder.insert).toHaveBeenCalledWith({
-        name: 'Test User',
-        organisation_id: 'org-123' // Should override malicious value
-      });
-    });
-
-    it('prevents organisation_id manipulation in updates', async () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      await result.current.secureUpdate('users', { 
-        name: 'Updated User',
-        organisation_id: 'malicious-org-id'
-      }, { id: 'user-123' });
-      
-      expect(freshMockQueryBuilder.update).toHaveBeenCalledWith({
-        name: 'Updated User'
-        // organisation_id should be filtered out
-      });
-    });
-  });
-
-  describe('Performance', () => {
-    it('memoizes results to prevent unnecessary re-renders', () => {
-      const { result, rerender } = renderHook(() => useSecureDataAccess());
-      const initialSecureQuery = result.current.secureQuery;
-      const initialGetCurrentOrganisationId = result.current.getCurrentOrganisationId;
-      
-      // Re-render with same props
-      rerender();
-      
-      // Should not cause additional renders due to memoization
-      expect(result.current.secureQuery).toBe(initialSecureQuery);
-      expect(result.current.getCurrentOrganisationId).toBe(initialGetCurrentOrganisationId);
-    });
-
-    it('handles organisation changes efficiently', () => {
-      const { result, rerender } = renderHook(() => useSecureDataAccess());
-
-      expect(result.current.getCurrentOrganisationId()).toBe('org-123');
-
-      // Change organisation
-      const newOrganisation = { id: 'org-456', name: 'New Organisation' };
-      mockUseUnifiedAuth.mockReturnValue({
-        user: mockUser,
-        session: mockSession,
-        supabase: freshMockSupabase,
-        isAuthenticated: true,
-        signOut: vi.fn(),
-        selectedOrganisation: newOrganisation,
-      } as any);
-      
-      // Update useResolvedScope mock to return new organisation
-      mockUseResolvedScope.mockReturnValue({
-        resolvedScope: {
-          organisationId: 'org-456',
-          eventId: undefined,
-          appId: undefined,
-        },
-        isLoading: false,
-        error: null,
-      });
-
-      rerender();
-
-      expect(result.current.getCurrentOrganisationId()).toBe('org-456');
-    });
-  });
-
-  describe('Integration with Providers', () => {
-    it('integrates with useUnifiedAuth hook correctly', () => {
-      renderHook(() => useSecureDataAccess());
-      expect(mockUseUnifiedAuth).toHaveBeenCalled();
-    });
-
-    it('integrates with useResolvedScope hook correctly', () => {
-      renderHook(() => useSecureDataAccess());
-      // useSecureDataAccess now uses useResolvedScope instead of useOrganisations
-      expect(mockUseResolvedScope).toHaveBeenCalled();
-    });
-
-    it('uses organisation context from provider', () => {
-      const { result } = renderHook(() => useSecureDataAccess());
-
-      expect(result.current.getCurrentOrganisationId()).toBe('org-123');
-    });
-
-    it('validates organisation access through provider', () => {
-      // This test is removed as validateOrganisationAccess is not used in useSecureDataAccess
-      // The hook only calls ensureOrganisationContext during operations
-      expect(true).toBe(true);
-    });
-  });
-});