@jmruthers/pace-core 0.6.1 → 0.6.3

package/src/rbac/utils/__tests__/contextValidator.test.ts

@@ -1,12 +1,10 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import type { SupabaseClient } from '@supabase/supabase-js';
-import { ContextValidator, type AppConfig } from '../contextValidator';
+import { ContextValidator, type PageScopeType } from '../contextValidator';
 import { EventContextRequiredError, OrganisationContextRequiredError, type Scope } from '../../types';
 import type { Database } from '../../../types/database';
 
 describe('ContextValidator', () => {
-  const eventRequiredConfig: AppConfig = { requires_event: true };
-  const orgRequiredConfig: AppConfig = { requires_event: false };
   const scopeWithOrg: Scope = { organisationId: 'org-1', eventId: 'event-1', appId: 'app-1' };
 
   const createSupabaseMock = () => ({}) as SupabaseClient<Database>;
@@ -19,132 +17,112 @@ describe('ContextValidator', () => {
     vi.clearAllMocks();
   });
 
-  describe('validateScope', () => {
-    it('treats PORTAL and ADMIN apps as always valid', async () => {
-      const baseScope: Scope = { appId: 'portal-app' };
-      const result = await ContextValidator.validateScope(baseScope, eventRequiredConfig, 'PORTAL');
-
-      expect(result).toEqual({
-        isValid: true,
-        resolvedScope: { organisationId: undefined, eventId: undefined, appId: 'portal-app' },
-        error: null
-      });
-    });
+  describe('deriveOrgFromEvent', () => {
+    it('derives organisation ID from event ID', async () => {
+      const supabase = createSupabaseMock();
+      // Mock the underlying function
+      const { getOrganisationFromEvent } = await import('../eventContext');
+      vi.spyOn(await import('../eventContext'), 'getOrganisationFromEvent').mockResolvedValue('derived-org' as any);
 
-    it('requires organisation context when no app config exists', async () => {
-      const baseScope: Scope = { eventId: 'event-1' };
-      const result = await ContextValidator.validateScope(baseScope, null);
+      const result = await ContextValidator.deriveOrgFromEvent(supabase, 'event-1');
 
-      expect(result.isValid).toBe(false);
-      expect(result.error).toBeInstanceOf(OrganisationContextRequiredError);
+      expect(result).toBe('derived-org');
     });
+  });
 
-    it('requires event context for event-based apps', async () => {
-      const baseScope: Scope = { organisationId: 'org-1' };
-      const result = await ContextValidator.validateScope(baseScope, eventRequiredConfig);
+  describe('resolveScopeForPage', () => {
+    it('handles event scope - requires event context', async () => {
+      const scope: Scope = { organisationId: 'org-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'event');
 
       expect(result.isValid).toBe(false);
       expect(result.error).toBeInstanceOf(EventContextRequiredError);
     });
 
-    it('accepts scopes that satisfy event-based requirements', async () => {
-      const result = await ContextValidator.validateScope({ eventId: 'event-1' }, eventRequiredConfig);
+    it('handles event scope - derives org from event when event provided', async () => {
+      const supabase = createSupabaseMock();
+      vi.spyOn(ContextValidator, 'deriveOrgFromEvent').mockResolvedValue('derived-org');
+
+      const scope: Scope = { eventId: 'event-1', appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'event', undefined, supabase);
 
       expect(result.isValid).toBe(true);
+      expect(result.resolvedScope?.organisationId).toBe('derived-org');
       expect(result.resolvedScope?.eventId).toBe('event-1');
     });
 
-    it('enforces organisation requirements for org-based apps', async () => {
-      const result = await ContextValidator.validateScope({ eventId: 'event-1' }, orgRequiredConfig);
+    it('handles organisation scope - requires organisation context', async () => {
+      const scope: Scope = { eventId: 'event-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'organisation');
 
       expect(result.isValid).toBe(false);
       expect(result.error).toBeInstanceOf(OrganisationContextRequiredError);
     });
-  });
 
-  describe('resolveRequiredContext', () => {
-    it('passes through scope for optional contexts', async () => {
-      const baseScope: Scope = { appId: 'admin-app' };
-      const result = await ContextValidator.resolveRequiredContext(baseScope, eventRequiredConfig, 'ADMIN');
+    it('handles organisation scope - accepts organisation context', async () => {
+      const scope: Scope = { organisationId: 'org-1', eventId: 'event-1', appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'organisation');
 
-      expect(result).toEqual({
-        isValid: true,
-        resolvedScope: { organisationId: undefined, eventId: undefined, appId: 'admin-app' },
-        error: null
-      });
+      expect(result.isValid).toBe(true);
+      expect(result.resolvedScope).toEqual(scope);
     });
 
-    it('returns organisation error when no app config and org is missing', async () => {
-      const result = await ContextValidator.resolveRequiredContext({ eventId: 'event-1' }, null);
+    it('handles both scope - requires at least one context', async () => {
+      const scope: Scope = { appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'both');
 
       expect(result.isValid).toBe(false);
-      expect(result.error).toBeInstanceOf(OrganisationContextRequiredError);
+      expect(result.error?.message).toContain('either organisation or event context');
     });
 
-    it('derives organisation id for event-required apps when missing', async () => {
-      const supabase = createSupabaseMock();
-      const deriveSpy = vi.spyOn(ContextValidator, 'deriveOrgFromEvent').mockResolvedValue('derived-org');
-
-      const result = await ContextValidator.resolveRequiredContext({ eventId: 'event-1' }, eventRequiredConfig, undefined, supabase);
+    it('handles both scope - accepts organisation context', async () => {
+      const scope: Scope = { organisationId: 'org-1', appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'both');
 
-      expect(deriveSpy).toHaveBeenCalledWith(supabase, 'event-1');
-      expect(result).toEqual({
-        isValid: true,
-        resolvedScope: { organisationId: 'derived-org', eventId: 'event-1', appId: undefined },
-        error: null
-      });
+      expect(result.isValid).toBe(true);
+      expect(result.resolvedScope?.organisationId).toBe('org-1');
     });
 
-    it('surfaces derivation failures when supabase is unavailable', async () => {
-      const result = await ContextValidator.resolveRequiredContext({ eventId: 'event-1' }, eventRequiredConfig, undefined, null);
+    it('handles both scope - accepts event context', async () => {
+      const scope: Scope = { eventId: 'event-1', appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'both');
 
-      expect(result.isValid).toBe(false);
-      expect(result.error?.message).toContain('supabase client not available');
+      expect(result.isValid).toBe(true);
+      expect(result.resolvedScope?.eventId).toBe('event-1');
     });
 
-    it('returns derivation error messages when fetch fails', async () => {
+    it('handles both scope - derives org from event when event provided', async () => {
       const supabase = createSupabaseMock();
-      vi.spyOn(ContextValidator, 'deriveOrgFromEvent').mockRejectedValue(new Error('network down'));
+      vi.spyOn(ContextValidator, 'deriveOrgFromEvent').mockResolvedValue('derived-org');
 
-      const result = await ContextValidator.resolveRequiredContext({ eventId: 'event-1' }, eventRequiredConfig, undefined, supabase);
+      const scope: Scope = { eventId: 'event-1', appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'both', undefined, supabase);
 
-      expect(result.isValid).toBe(false);
-      expect(result.error).toBeInstanceOf(Error);
-      expect(result.error?.message).toContain('network down');
-    });
-
-    it('enforces organisation requirement for org-based apps', async () => {
-      const result = await ContextValidator.resolveRequiredContext({ eventId: 'event-1' }, orgRequiredConfig);
-
-      expect(result.isValid).toBe(false);
-      expect(result.error).toBeInstanceOf(OrganisationContextRequiredError);
+      expect(result.isValid).toBe(true);
+      expect(result.resolvedScope?.organisationId).toBe('derived-org');
+      expect(result.resolvedScope?.eventId).toBe('event-1');
     });
 
-    it('returns valid result when org context is present', async () => {
-      const result = await ContextValidator.resolveRequiredContext(scopeWithOrg, orgRequiredConfig);
+    it('handles event scope - returns error when org derivation fails', async () => {
+      const supabase = createSupabaseMock();
+      vi.spyOn(ContextValidator, 'deriveOrgFromEvent').mockResolvedValue(null);
 
-      expect(result).toEqual({ isValid: true, resolvedScope: scopeWithOrg, error: null });
-    });
-  });
+      const scope: Scope = { eventId: 'event-1', appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'event', undefined, supabase);
 
-  describe('isContextReady', () => {
-    it('is always ready for PORTAL/ADMIN apps', () => {
-      expect(ContextValidator.isContextReady({}, eventRequiredConfig, 'PORTAL')).toBe(true);
+      expect(result.isValid).toBe(false);
+      expect(result.error?.message).toContain('Could not resolve organisation from event context');
     });
 
-    it('checks event selection for event-required apps', () => {
-      expect(ContextValidator.isContextReady({}, eventRequiredConfig, undefined, true)).toBe(true);
-      expect(ContextValidator.isContextReady({}, eventRequiredConfig, undefined, false)).toBe(false);
-    });
+    it('handles event scope - returns error when org derivation throws', async () => {
+      const supabase = createSupabaseMock();
+      vi.spyOn(ContextValidator, 'deriveOrgFromEvent').mockRejectedValue(new Error('network error'));
 
-    it('checks organisation selection for org-required apps', () => {
-      expect(ContextValidator.isContextReady({}, orgRequiredConfig, undefined, false, true)).toBe(true);
-      expect(ContextValidator.isContextReady({}, orgRequiredConfig, undefined, false, false)).toBe(false);
-    });
+      const scope: Scope = { eventId: 'event-1', appId: 'app-1' };
+      const result = await ContextValidator.resolveScopeForPage(scope, 'event', undefined, supabase);
 
-    it('defaults to organisation requirement when no config', () => {
-      expect(ContextValidator.isContextReady({}, null, undefined, false, true)).toBe(true);
-      expect(ContextValidator.isContextReady({}, null, undefined, false, false)).toBe(false);
+      expect(result.isValid).toBe(false);
+      expect(result.error?.message).toContain('network error');
     });
   });
 });

package/src/rbac/utils/clientSecurity.ts

@@ -0,0 +1,93 @@
+/**
+ * Client Security Detection Utilities
+ * @package @jmruthers/pace-core
+ * @module RBAC/Utils/ClientSecurity
+ * @since 1.0.0
+ * 
+ * Utilities to detect and warn about insecure Supabase client usage.
+ */
+
+import type { SupabaseClient } from '@supabase/supabase-js';
+import { Database } from '../../types/database';
+
+/**
+ * Symbol to mark secure clients
+ * This is attached to clients created by SecureSupabaseClient
+ */
+export const SECURE_CLIENT_SYMBOL = Symbol('pace-core-secure-client');
+
+/**
+ * Check if a Supabase client is a secure client (created via useSecureSupabase or createSecureClient)
+ * 
+ * @param client - The Supabase client to check
+ * @returns true if the client is secure, false otherwise
+ * 
+ * @example
+ * ```tsx
+ * import { isSecureClient } from '@jmruthers/pace-core/rbac/utils/clientSecurity';
+ * 
+ * const supabase = useSecureSupabase();
+ * if (isSecureClient(supabase)) {
+ *   // Client is secure, safe to use
+ * }
+ * ```
+ */
+export function isSecureClient(client: SupabaseClient<Database> | null | undefined): boolean {
+  if (!client) return false;
+  
+  // Check for the secure client symbol
+  return (client as any)[SECURE_CLIENT_SYMBOL] === true;
+}
+
+/**
+ * Warn about insecure client usage in development
+ * 
+ * @param client - The client being used
+ * @param context - Context about where the client is being used (for better error messages)
+ * 
+ * @example
+ * ```tsx
+ * import { warnIfInsecureClient } from '@jmruthers/pace-core/rbac/utils/clientSecurity';
+ * 
+ * const supabase = createClient(...); // Wrong!
+ * warnIfInsecureClient(supabase, 'MyComponent');
+ * ```
+ */
+export function warnIfInsecureClient(
+  client: SupabaseClient<Database> | null | undefined,
+  context?: string
+): void {
+  // Only warn in development
+  if (typeof process !== 'undefined' && process.env.NODE_ENV === 'production') {
+    return;
+  }
+  
+  if (!client) return;
+  
+  if (!isSecureClient(client)) {
+    const contextMsg = context ? ` in ${context}` : '';
+    console.warn(
+      `[pace-core Security Warning] Non-secure Supabase client detected${contextMsg}.\n` +
+      `You are using a Supabase client created with createClient() instead of useSecureSupabase().\n` +
+      `This bypasses organisation context enforcement and RLS policies, which can lead to:\n` +
+      `- Cross-organisation data access\n` +
+      `- Security vulnerabilities\n` +
+      `- Data leakage between organisations\n\n` +
+      `Fix: Replace with:\n` +
+      `  import { useSecureSupabase } from '@jmruthers/pace-core/rbac';\n` +
+      `  const supabase = useSecureSupabase();\n\n` +
+      `See: https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/rbac/getting-started.md`
+    );
+  }
+}
+
+/**
+ * Mark a client as secure (internal use only)
+ * This is called by SecureSupabaseClient to mark clients as secure
+ * 
+ * @internal
+ */
+export function markClientAsSecure(client: SupabaseClient<Database>): void {
+  (client as any)[SECURE_CLIENT_SYMBOL] = true;
+}
+

package/src/rbac/utils/contextValidator.ts

@@ -22,9 +22,11 @@ import { createLogger } from '../../utils/core/logger';
 
 const log = createLogger('ContextValidator');
 
-export interface AppConfig {
-  requires_event: boolean;
-}
+/**
+ * Page scope type - determines what context is required for a page
+ * This is the single source of truth for page scoping.
+ */
+export type PageScopeType = 'event' | 'organisation' | 'both';
 
 /**
  * Check if an app allows optional contexts (both organisation and event optional)
@@ -47,130 +49,79 @@ export interface ContextValidationResult {
  * Validates and resolves RBAC scope based on app configuration requirements.
  */
 export class ContextValidator {
+
   /**
-   * Validate scope against app requirements
+   * Derive organisation ID from event ID
    * 
-   * @param scope - Current scope
-   * @param appConfig - App configuration (requires_event flag)
-   * @param appName - App name (for PORTAL/ADMIN special case)
-   * @returns Validation result with resolved scope
+   * @param supabase - Supabase client
+   * @param eventId - Event ID
+   * @returns Organisation ID or null
    */
-  static async validateScope(
-    scope: Scope,
-    appConfig: AppConfig | null,
-    appName?: string
-  ): Promise<ContextValidationResult> {
-    // PORTAL/ADMIN special case: both contexts optional
-    if (allowsOptionalContexts(appName)) {
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-
-    // If no app config, default to requiring org context
-    if (!appConfig) {
-      if (!scope.organisationId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new OrganisationContextRequiredError()
-        };
-      }
-      return {
-        isValid: true,
-        resolvedScope: scope,
-        error: null
-      };
-    }
-
-    // Event-required apps: must have eventId, derive org from event
-    if (appConfig.requires_event) {
-      if (!scope.eventId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new EventContextRequiredError()
-        };
-      }
-
-      // If org is not provided, we'll need to derive it from event
-      // But for validation, we just check that eventId exists
-      // The actual derivation happens in resolveRequiredContext
-      return {
-        isValid: true,
-        resolvedScope: scope,
-        error: null
-      };
-    }
-
-    // Org-required apps: must have organisationId, eventId optional
-    if (!scope.organisationId) {
-      return {
-        isValid: false,
-        resolvedScope: null,
-        error: new OrganisationContextRequiredError()
-      };
-    }
-
-    return {
-      isValid: true,
-      resolvedScope: scope,
-      error: null
-    };
+  static async deriveOrgFromEvent(
+    supabase: SupabaseClient<Database>,
+    eventId: string
+  ): Promise<UUID | null> {
+    return getOrganisationFromEvent(supabase, eventId);
   }
 
   /**
-   * Resolve required context and derive missing values
+   * Resolve scope based on page-level scope_type
+   * 
+   * This method handles page-level scoping. All pages have explicit scope_type set.
+   * Used for hybrid apps like pace-mint that have both event and organisation pages.
    * 
    * @param scope - Current scope
-   * @param appConfig - App configuration
+   * @param pageScopeType - Page scope type ('event', 'organisation', or 'both')
    * @param appName - App name (for PORTAL/ADMIN special case)
    * @param supabase - Supabase client (for deriving org from event)
    * @returns Resolved scope with all required context
    */
-  static async resolveRequiredContext(
+  static async resolveScopeForPage(
     scope: Scope,
-    appConfig: AppConfig | null,
+    pageScopeType: PageScopeType,
     appName?: string,
     supabase?: SupabaseClient<Database> | null
   ): Promise<ContextValidationResult> {
-    // PORTAL/ADMIN special case: both contexts optional
-    if (allowsOptionalContexts(appName)) {
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-
-    // If no app config, default to requiring org context
-    if (!appConfig) {
-      if (!scope.organisationId) {
+    // Use page-level scope (single source of truth)
+    const effectiveScopeType = pageScopeType;
+    
+    // Handle 'both' scope - requires both contexts available, but can use either
+    if (effectiveScopeType === 'both') {
+      // For 'both' pages, we need at least one context (org or event)
+      // Both will be checked during permission evaluation
+      if (!scope.organisationId && !scope.eventId) {
         return {
           isValid: false,
           resolvedScope: null,
-          error: new OrganisationContextRequiredError()
+          error: new Error('Page requires either organisation or event context')
         };
       }
+      
+      // Derive org from event if event is provided but org is not
+      let organisationId = scope.organisationId;
+      if (!organisationId && scope.eventId && supabase) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || undefined;
+        } catch (error) {
+          log.warn('Failed to derive org from event for both-scope page:', error);
+          // Continue without org - permission check will handle it
+        }
+      }
+      
       return {
         isValid: true,
-        resolvedScope: scope,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
         error: null
       };
     }
-
-    // Event-required apps: must have eventId, derive org from event
-    if (appConfig.requires_event) {
+    
+    // Handle 'event' scope - requires event context
+    if (effectiveScopeType === 'event') {
       if (!scope.eventId) {
         return {
           isValid: false,
@@ -178,7 +129,7 @@ export class ContextValidator {
           error: new EventContextRequiredError()
         };
       }
-
+      
       // Derive organisationId from event if not provided
       let organisationId: UUID | undefined = scope.organisationId;
       if (!organisationId && supabase && scope.eventId) {
@@ -200,14 +151,8 @@ export class ContextValidator {
             error: error instanceof Error ? error : new Error('Failed to derive organisation from event')
           };
         }
-      } else if (!organisationId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new Error('Event context requires organisationId but it could not be derived (supabase client not available)')
-        };
       }
-
+      
       return {
         isValid: true,
         resolvedScope: {
@@ -218,71 +163,35 @@ export class ContextValidator {
         error: null
       };
     }
-
-    // Org-required apps: must have organisationId, eventId optional
-    if (!scope.organisationId) {
+    
+    // Handle 'organisation' scope - requires organisation context
+    if (effectiveScopeType === 'organisation') {
+      if (!scope.organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      
       return {
-        isValid: false,
-        resolvedScope: null,
-        error: new OrganisationContextRequiredError()
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId, // Event is optional for org-scoped pages
+          appId: scope.appId
+        },
+        error: null
       };
     }
-
+    
+    // Fallback (should not happen)
     return {
-      isValid: true,
-      resolvedScope: scope,
-      error: null
+      isValid: false,
+      resolvedScope: null,
+      error: new Error('Invalid scope type')
     };
   }
 
-  /**
-   * Derive organisation ID from event ID
-   * 
-   * @param supabase - Supabase client
-   * @param eventId - Event ID
-   * @returns Organisation ID or null
-   */
-  static async deriveOrgFromEvent(
-    supabase: SupabaseClient<Database>,
-    eventId: string
-  ): Promise<UUID | null> {
-    return getOrganisationFromEvent(supabase, eventId);
-  }
-
-  /**
-   * Check if context is ready for permission checks
-   * 
-   * @param scope - Current scope
-   * @param appConfig - App configuration
-   * @param appName - App name
-   * @param hasSelectedEvent - Whether event is selected
-   * @param hasSelectedOrganisation - Whether organisation is selected
-   * @returns True if context is ready
-   */
-  static isContextReady(
-    scope: Scope,
-    appConfig: AppConfig | null,
-    appName?: string,
-    hasSelectedEvent?: boolean,
-    hasSelectedOrganisation?: boolean
-  ): boolean {
-    // PORTAL/ADMIN special case: context is always ready
-    if (allowsOptionalContexts(appName)) {
-      return true;
-    }
-
-    // If no app config, default to requiring org context
-    if (!appConfig) {
-      return !!hasSelectedOrganisation || !!scope.organisationId;
-    }
-
-    // Event-required apps: need event context
-    if (appConfig.requires_event) {
-      return !!hasSelectedEvent || !!scope.eventId;
-    }
-
-    // Org-required apps: need org context
-    return !!hasSelectedOrganisation || !!scope.organisationId;
-  }
 }