@jmruthers/pace-core 0.6.1 → 0.6.3

package/src/rbac/engine.ts

@@ -535,22 +535,46 @@ export class RBACEngine {
       return cached;
     }
 
+    const startTime = Date.now();
     const now = new Date().toISOString();
-    const { data, error } = await this.supabase
-      .from('rbac_global_roles')
-      .select('role')
-      .eq('user_id', userId)
-      .eq('role', 'super_admin')
-      .lte('valid_from', now)
-      .or(`valid_to.is.null,valid_to.gte.${now}`)
-      .limit(1) as { data: Array<{ role: string }> | null; error: any };
-
-    const isSuperAdmin = !error && data && data.length > 0;
-    
-    // Cache for 60 seconds
-    rbacCache.set(cacheKey, isSuperAdmin, 60000);
     
-    return Boolean(isSuperAdmin);
+    try {
+      const { data, error } = await this.supabase
+        .from('rbac_global_roles')
+        .select('role')
+        .eq('user_id', userId)
+        .eq('role', 'super_admin')
+        .lte('valid_from', now)
+        .or(`valid_to.is.null,valid_to.gte.${now}`)
+        .limit(1) as { data: Array<{ role: string }> | null; error: any };
+
+      const elapsed = Date.now() - startTime;
+      
+      // Log warning if query takes too long
+      if (elapsed > 2000) {
+        console.warn('[RBACEngine] Super admin check took longer than expected', {
+          userId,
+          elapsedMs: elapsed,
+          error: error?.message,
+        });
+      }
+
+      const isSuperAdmin = !error && data && data.length > 0;
+      
+      // Cache for 60 seconds
+      rbacCache.set(cacheKey, isSuperAdmin, 60000);
+      
+      return Boolean(isSuperAdmin);
+    } catch (err) {
+      const elapsed = Date.now() - startTime;
+      console.error('[RBACEngine] Error checking super admin', {
+        userId,
+        error: err,
+        elapsedMs: elapsed,
+      });
+      // Return false on error (fail secure)
+      return false;
+    }
   }
 
   /**

package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts

@@ -33,14 +33,15 @@ vi.mock('../useResolvedScope', () => ({
 }));
 
 vi.mock('../../secureClient', () => ({
-  createSecureClient: vi.fn()
+  createSecureClient: vi.fn(),
+  fromSupabaseClient: vi.fn()
 }));
 
 import { useUnifiedAuth } from '../../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../../hooks/useOrganisations';
 import { useEvents } from '../../../hooks/useEvents';
 import { useResolvedScope } from '../useResolvedScope';
-import { createSecureClient } from '../../secureClient';
+import { createSecureClient, fromSupabaseClient } from '../../secureClient';
 import type { SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../../../types/database';
 
@@ -68,6 +69,7 @@ describe('useSecureSupabase Hook', () => {
   const mockUseEvents = vi.mocked(useEvents);
   const mockUseResolvedScope = vi.mocked(useResolvedScope);
   const mockCreateSecureClient = vi.mocked(createSecureClient);
+  const mockFromSupabaseClient = vi.mocked(fromSupabaseClient);
 
   beforeEach(() => {
     vi.clearAllMocks();
@@ -131,6 +133,9 @@ describe('useSecureSupabase Hook', () => {
     });
 
     mockCreateSecureClient.mockReturnValue(mockSecureClient as any);
+    // When fromSupabaseClient is used (when baseClient/authSupabase is available),
+    // it should return a secure client that wraps the existing client
+    mockFromSupabaseClient.mockReturnValue(mockSecureClient as any);
   });
 
   afterEach(() => {
@@ -171,14 +176,15 @@ describe('useSecureSupabase Hook', () => {
       const { result } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
 
       expect(result.current).toBe(mockSupabaseClient);
-      const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(uniqueOrgId);
-      expect(call[3]).toBe(mockEventId);
-      expect(call[4]).toBe(mockAppId);
+      const call = mockFromSupabaseClient.mock.calls[0];
+      expect(call[1]).toBe(uniqueOrgId);
+      expect(call[2]).toBe(mockEventId);
+      expect(call[3]).toBe(mockAppId);
     });
 
     it('should return base client when event is loading', () => {
@@ -265,7 +271,8 @@ describe('useSecureSupabase Hook', () => {
         // The cache is working correctly by reusing the client
       } else {
         // Client was created - verify it was called
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }
 
       // Store the first client instance
@@ -316,11 +323,12 @@ describe('useSecureSupabase Hook', () => {
       const { result: result1, rerender: rerender1 } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
 
       // Clear the mock to count new calls
-      mockCreateSecureClient.mockClear();
+      mockFromSupabaseClient.mockClear();
 
       // Change organisation - this should create a new client with different cache key
       const uniqueOrgId2 = `org-${Date.now()}-2`;
@@ -347,7 +355,8 @@ describe('useSecureSupabase Hook', () => {
       rerender1();
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
     });
   });
@@ -448,13 +457,14 @@ describe('useSecureSupabase Hook', () => {
       const { result } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
       
-      const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(uniqueOrgId);
-      expect(call[3]).toBe(mockEventId);
-      expect(call[4]).toBe(customAppId);
+      const call = mockFromSupabaseClient.mock.calls[0];
+      expect(call[1]).toBe(uniqueOrgId);
+      expect(call[2]).toBe(mockEventId);
+      expect(call[3]).toBe(customAppId);
     });
 
     it('should work without event context', async () => {
@@ -493,13 +503,14 @@ describe('useSecureSupabase Hook', () => {
       const { result } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
       
-      const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(uniqueOrgId);
-      expect(call[3]).toBeUndefined();
-      expect(call[4]).toBe(mockAppId);
+      const call = mockFromSupabaseClient.mock.calls[0];
+      expect(call[1]).toBe(uniqueOrgId);
+      expect(call[2]).toBeUndefined();
+      expect(call[3]).toBe(mockAppId);
     });
   });
 

package/src/rbac/hooks/permissions/index.ts

@@ -0,0 +1,7 @@
+export { useAccessLevel } from './useAccessLevel';
+export { useCachedPermissions } from './useCachedPermissions';
+export { useCan } from './useCan';
+export { useHasAllPermissions } from './useHasAllPermissions';
+export { useHasAnyPermission } from './useHasAnyPermission';
+export { useMultiplePermissions } from './useMultiplePermissions';
+export { usePermissions } from './usePermissions';

package/src/rbac/hooks/permissions/useAccessLevel.ts

@@ -0,0 +1,105 @@
+import { useCallback, useEffect, useMemo, useState } from 'react';
+
+import { getAccessLevel } from '../../api';
+import { OrganisationContextRequiredError } from '../../types';
+import type { AccessLevel as AccessLevelType, Scope, UUID } from '../../types';
+import { useAppConfig } from '../../../hooks/useAppConfig';
+
+/**
+ * Hook to get user's access level in a scope
+ *
+ * @param userId - User ID
+ * @param scope - Scope for access level checking
+ * @returns Access level state and methods
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { accessLevel, isLoading, error } = useAccessLevel(userId, scope);
+ *
+ *   if (isLoading) return <div>Loading access level...</div>;
+ *   if (error) return <div>Error: {error.message}</div>;
+ *
+ *   return (
+ *     <div>
+ *       Access Level: {accessLevel}
+ *       {accessLevel >= AccessLevel.ADMIN && <AdminPanel />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+export function useAccessLevel(userId: UUID, scope: Scope): {
+  accessLevel: AccessLevelType;
+  isLoading: boolean;
+  error: Error | null;
+  refetch: () => Promise<void>;
+} {
+  const [accessLevel, setAccessLevel] = useState<AccessLevelType>('viewer');
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState<Error | null>(null);
+
+  // Get appName from context if available (safely handles missing context)
+  let appName: string | undefined;
+  try {
+    const { appName: contextAppName } = useAppConfig();
+    appName = contextAppName;
+  } catch {
+    // Not available, will use undefined
+  }
+
+  const fetchAccessLevel = useCallback(async () => {
+    if (!userId) {
+      setAccessLevel('viewer');
+      setIsLoading(false);
+      return;
+    }
+
+    try {
+      setIsLoading(true);
+      setError(null);
+
+      // Check super admin status first - super admins bypass context requirements
+      // This allows super admins to check their access level without organisation context
+      const { isSuperAdmin: checkSuperAdmin } = await import('../../api');
+      const isSuperAdminUser = await checkSuperAdmin(userId);
+
+      if (isSuperAdminUser) {
+        setAccessLevel('super');
+        setIsLoading(false);
+        return;
+      }
+
+      // Early validation: check if scope has required context
+      // PORTAL/ADMIN apps allow both contexts to be optional
+      if (appName !== 'PORTAL' && appName !== 'ADMIN' && !scope.organisationId && !scope.eventId) {
+        const orgError = new OrganisationContextRequiredError();
+        setError(orgError);
+        setAccessLevel('viewer');
+        setIsLoading(false);
+        return;
+      }
+
+      const level = await getAccessLevel({ userId, scope }, appName);
+      setAccessLevel(level);
+    } catch (err) {
+      const error = err instanceof Error ? err : new Error('Failed to fetch access level');
+      setError(error);
+      setAccessLevel('viewer');
+    } finally {
+      setIsLoading(false);
+    }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId, appName]);
+
+  useEffect(() => {
+    fetchAccessLevel();
+  }, [fetchAccessLevel]);
+
+  // Memoize the return object to prevent unnecessary re-renders
+  return useMemo(() => ({
+    accessLevel,
+    isLoading,
+    error,
+    refetch: fetchAccessLevel
+  }), [accessLevel, isLoading, error, fetchAccessLevel]);
+}

package/src/rbac/hooks/permissions/useCachedPermissions.ts

@@ -0,0 +1,79 @@
+import { useCallback, useEffect, useMemo, useState } from 'react';
+
+import { getPermissionMap } from '../../api';
+import { PermissionMap, Scope, UUID } from '../../types';
+
+/**
+ * Hook to get cached permissions with TTL management
+ *
+ * @param userId - User ID
+ * @param scope - Scope for permission checking
+ * @returns Cached permission state and methods
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { permissions, isLoading, error, invalidateCache } = useCachedPermissions(userId, scope);
+ *
+ *   if (isLoading) return <div>Loading cached permissions...</div>;
+ *   if (error) return <div>Error: {error.message}</div>;
+ *
+ *   return (
+ *     <div>
+ *       {permissions['read:users'] && <UserList />}
+ *       <button onClick={invalidateCache}>Refresh Permissions</button>
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+export function useCachedPermissions(userId: UUID, scope: Scope): {
+  permissions: PermissionMap;
+  isLoading: boolean;
+  error: Error | null;
+  invalidateCache: () => void;
+  refetch: () => Promise<void>;
+} {
+  const [permissions, setPermissions] = useState<PermissionMap>({} as PermissionMap);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState<Error | null>(null);
+
+  const fetchCachedPermissions = useCallback(async () => {
+    if (!userId) {
+      setPermissions({} as PermissionMap);
+      setIsLoading(false);
+      return;
+    }
+
+    try {
+      setIsLoading(true);
+      setError(null);
+
+      const permissionMap = await getPermissionMap({ userId, scope });
+      setPermissions(permissionMap);
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error('Failed to fetch cached permissions'));
+    } finally {
+      setIsLoading(false);
+    }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
+
+  const invalidateCache = useCallback(() => {
+    // This would typically invalidate the cache in the actual implementation
+    // For now, we'll just refetch
+    fetchCachedPermissions();
+  }, [fetchCachedPermissions]);
+
+  useEffect(() => {
+    fetchCachedPermissions();
+  }, [fetchCachedPermissions]);
+
+  // Memoize the return object to prevent unnecessary re-renders
+  return useMemo(() => ({
+    permissions,
+    isLoading,
+    error,
+    invalidateCache,
+    refetch: fetchCachedPermissions
+  }), [permissions, isLoading, error, invalidateCache, fetchCachedPermissions]);
+}