@jmruthers/pace-core 0.6.2 → 0.6.3

package/dist/{chunk-XWQCNGTQ.js → chunk-YDQHOZNA.js}

@@ -2,30 +2,66 @@ import {
   useAppConfig,
   useEvents,
   useOrganisationSecurity
-} from "./chunk-MMZ7JXPU.js";
+} from "./chunk-6Z7LTB3D.js";
 import {
   useOrganisations,
   useUnifiedAuth
-} from "./chunk-EHMR7VYL.js";
+} from "./chunk-DWUBLJJM.js";
 import {
-  ContextValidator,
-  OrganisationContextRequiredError,
   getAccessLevel,
+  getPageScopeType,
   getPermissionMap,
   getRBACLogger,
   getRoleContext,
   isPermitted,
   isPermittedCached,
   resolveAppContext
-} from "./chunk-24UVZUZG.js";
+} from "./chunk-RWEBCB47.js";
+import {
+  ContextValidator,
+  OrganisationContextRequiredError
+} from "./chunk-QRPVRXYT.js";
 import {
   getCurrentAppName
-} from "./chunk-F2IMUDXZ.js";
+} from "./chunk-M7MPQISP.js";
 import {
   createLogger,
   logger
 } from "./chunk-PWLANIRT.js";
 
+// src/rbac/utils/clientSecurity.ts
+var SECURE_CLIENT_SYMBOL = Symbol("pace-core-secure-client");
+function isSecureClient(client) {
+  if (!client) return false;
+  return client[SECURE_CLIENT_SYMBOL] === true;
+}
+function warnIfInsecureClient(client, context) {
+  if (typeof process !== "undefined" && true) {
+    return;
+  }
+  if (!client) return;
+  if (!isSecureClient(client)) {
+    const contextMsg = context ? ` in ${context}` : "";
+    console.warn(
+      `[pace-core Security Warning] Non-secure Supabase client detected${contextMsg}.
+You are using a Supabase client created with createClient() instead of useSecureSupabase().
+This bypasses organisation context enforcement and RLS policies, which can lead to:
+- Cross-organisation data access
+- Security vulnerabilities
+- Data leakage between organisations
+
+Fix: Replace with:
+  import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+  const supabase = useSecureSupabase();
+
+See: https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/rbac/getting-started.md`
+    );
+  }
+}
+function markClientAsSecure(client) {
+  client[SECURE_CLIENT_SYMBOL] = true;
+}
+
 // src/rbac/secureClient.ts
 import { createClient } from "@supabase/supabase-js";
 var _SecureSupabaseClient = class _SecureSupabaseClient {
@@ -54,6 +90,7 @@ var _SecureSupabaseClient = class _SecureSupabaseClient {
     }
     this.setupContextInjection();
     this.setupEdgeFunctionHandling();
+    markClientAsSecure(this.supabase);
   }
   /**
    * Setup context injection for all database operations
@@ -69,13 +106,18 @@ var _SecureSupabaseClient = class _SecureSupabaseClient {
     const originalRpc = this.supabase.rpc.bind(this.supabase);
     this.supabase.rpc = (fn, args, options) => {
       this.validateContextForRpc(fn);
+      const acceptedParams = this.getRpcAcceptedParams(fn);
       const safeArgs = args ?? {};
-      const contextArgs = {
-        ...safeArgs,
-        ...this.organisationId && safeArgs.p_organisation_id === void 0 ? { p_organisation_id: this.organisationId } : {},
-        ...this.eventId && safeArgs.p_event_id === void 0 ? { p_event_id: this.eventId } : {},
-        ...this.appId && safeArgs.p_app_id === void 0 ? { p_app_id: this.appId } : {}
-      };
+      const contextArgs = { ...safeArgs };
+      if (acceptedParams.has("p_organisation_id") && this.organisationId && safeArgs.p_organisation_id === void 0) {
+        contextArgs.p_organisation_id = this.organisationId;
+      }
+      if (acceptedParams.has("p_event_id") && this.eventId && safeArgs.p_event_id === void 0) {
+        contextArgs.p_event_id = this.eventId;
+      }
+      if (acceptedParams.has("p_app_id") && this.appId && safeArgs.p_app_id === void 0) {
+        contextArgs.p_app_id = this.appId;
+      }
       return originalRpc(fn, contextArgs, options);
     };
   }
@@ -113,6 +155,7 @@ var _SecureSupabaseClient = class _SecureSupabaseClient {
     const originalDelete = query.delete.bind(query);
     query.select = (columns) => {
       const result = originalSelect(columns);
+      result._tableName = tableName;
       return this.addOrganisationFilter(result, tableName);
     };
     query.insert = (values) => {
@@ -227,7 +270,7 @@ var _SecureSupabaseClient = class _SecureSupabaseClient {
       if (this.isSuperAdmin) {
         return query;
       }
-      return query.eq("organisation_id", this.organisationId);
+      return query.or(`organisation_id.eq.${this.organisationId},organisation_id.is.null`);
     }
     if (this.isSuperAdmin) {
       return query.eq("organisation_id", this.organisationId);
@@ -323,7 +366,7 @@ var _SecureSupabaseClient = class _SecureSupabaseClient {
    * @internal
    */
   getClient() {
-    return new Proxy(this.supabase, {
+    const proxiedClient = new Proxy(this.supabase, {
       get: (target, prop) => {
         if (prop === "functions" && this.edgeFunctionClient) {
           return this.edgeFunctionClient.functions;
@@ -331,8 +374,40 @@ var _SecureSupabaseClient = class _SecureSupabaseClient {
         return target[prop];
       }
     });
+    markClientAsSecure(proxiedClient);
+    return proxiedClient;
+  }
+  /**
+   * Get the set of parameter names that an RPC function accepts.
+   * Uses a static whitelist of RPCs that we know accept context parameters.
+   * 
+   * This is an opt-in approach: by default, we don't inject context unless
+   * the function is explicitly whitelisted. This prevents PGRST202 errors from
+   * injecting unexpected parameters.
+   * 
+   * @param fn - The RPC function name
+   * @returns Set of parameter names the function accepts
+   */
+  getRpcAcceptedParams(fn) {
+    if (_SecureSupabaseClient.rpcSignatureCache.has(fn)) {
+      return _SecureSupabaseClient.rpcSignatureCache.get(fn);
+    }
+    const rpcContextWhitelist = {
+      // RPCs that accept all three context parameters
+      "rbac_roles_list": /* @__PURE__ */ new Set(["p_organisation_id", "p_event_id", "p_app_id"]),
+      // RPCs that accept only p_organisation_id (not p_app_id or p_event_id)
+      "data_file_reference_by_category_list": /* @__PURE__ */ new Set(["p_organisation_id"])
+      // Add more RPCs here as we discover them
+      // Format: 'function_name': new Set(['p_organisation_id', 'p_event_id', 'p_app_id']),
+    };
+    const acceptedParams = rpcContextWhitelist[fn] || /* @__PURE__ */ new Set();
+    _SecureSupabaseClient.rpcSignatureCache.set(fn, acceptedParams);
+    return acceptedParams;
   }
 };
+// Cache for RPC function signatures to avoid repeated database queries
+// Maps function name -> Set of parameter names it accepts
+_SecureSupabaseClient.rpcSignatureCache = /* @__PURE__ */ new Map();
 /**
  * RPC functions that are safe to call without organisation context.
  *
@@ -357,7 +432,7 @@ function fromSupabaseClient(client, organisationId, eventId, appId, isSuperAdmin
 // src/rbac/hooks/useResolvedScope.ts
 import { useEffect, useState, useRef, useMemo } from "react";
 var log = createLogger("useResolvedScope");
-var appConfigCache = /* @__PURE__ */ new Map();
+var appIdCache = /* @__PURE__ */ new Map();
 var CACHE_TTL = 5 * 60 * 1e3;
 function useResolvedScope({
   supabase,
@@ -408,20 +483,18 @@ function useResolvedScope({
       try {
         const appName2 = getCurrentAppName();
         let appId = void 0;
-        let appConfig = null;
         if (supabase && appName2) {
           try {
             const { data: session } = await supabase.auth.getSession();
             if (!session?.session) {
               log.debug(`Skipping app resolution for "${appName2}" - user not authenticated`);
             } else {
-              const cached = appConfigCache.get(appName2);
+              const cached = appIdCache.get(appName2);
               const now = Date.now();
               if (cached && now - cached.timestamp < CACHE_TTL) {
                 appId = cached.appId;
-                appConfig = cached.appConfig;
               } else {
-                const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, requires_event, is_active").eq("name", appName2).eq("is_active", true).single();
+                const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).eq("is_active", true).single();
                 if (error2) {
                   if (error2.code === "406" || error2.code === "PGRST116" || error2.message?.includes("406")) {
                     log.debug(`App resolution blocked by RLS for "${appName2}" - user may not be authenticated`);
@@ -438,47 +511,47 @@ function useResolvedScope({
                   }
                 } else if (app) {
                   appId = app.id;
-                  appConfig = { requires_event: app.requires_event ?? false };
-                  appConfigCache.set(appName2, { appId, appConfig, timestamp: now });
+                  appIdCache.set(appName2, { appId, timestamp: now });
                 }
               }
             }
           } catch (error2) {
             const errorMessage = error2 instanceof Error ? error2.message : String(error2);
             if (!errorMessage.includes("406") && !errorMessage.includes("PGRST116")) {
-              log.error("Unexpected error resolving app config:", error2);
+              log.error("Unexpected error resolving app ID:", error2);
             } else {
               log.debug("App resolution skipped - authentication required");
             }
           }
         }
         const initialScope = {
-          organisationId: appConfig?.requires_event ? void 0 : selectedOrganisationId || void 0,
+          organisationId: selectedOrganisationId || void 0,
           eventId: selectedEventId || void 0,
           appId
         };
-        const validation = await ContextValidator.resolveRequiredContext(
+        if (appName2 === "PORTAL" || appName2 === "ADMIN") {
+          if (!cancelled) {
+            const optionalContextScope = {
+              organisationId: void 0,
+              eventId: void 0,
+              appId: appId || void 0
+            };
+            setResolvedScope(optionalContextScope);
+            setError(null);
+            setIsLoading(false);
+          }
+          return;
+        }
+        const { ContextValidator: ContextValidator2 } = await import("./contextValidator-3JNZKUTX.js");
+        const validation = await ContextValidator2.resolveScopeForPage(
           initialScope,
-          appConfig,
+          "organisation",
+          // Default to organisation scope when no page context
           appName2 || void 0,
           supabase
         );
         if (!validation.isValid) {
-          if (appName2 === "PORTAL" || appName2 === "ADMIN") {
-            if (!cancelled) {
-              const optionalContextScope = {
-                organisationId: void 0,
-                eventId: void 0,
-                appId: appId || void 0
-                // appId might be undefined if query failed, that's OK
-              };
-              setResolvedScope(optionalContextScope);
-              setError(null);
-              setIsLoading(false);
-            }
-            return;
-          }
-          if (appConfig?.requires_event && selectedEventId) {
+          if (selectedEventId) {
             if (!cancelled) {
               const eventScope = {
                 organisationId: void 0,
@@ -565,7 +638,6 @@ function useRBAC(pageId) {
     session,
     supabase,
     appName,
-    appConfig,
     appId: contextAppId,
     selectedOrganisation,
     isContextReady: orgContextReady,
@@ -594,20 +666,15 @@ function useRBAC(pageId) {
       return;
     }
     const initialScope = {
-      organisationId: appConfig?.requires_event ? selectedEvent?.organisation_id || selectedOrganisation?.id : selectedOrganisation?.id,
+      organisationId: selectedEvent?.organisation_id || selectedOrganisation?.id || void 0,
       eventId: selectedEvent?.event_id || void 0,
       appId: void 0
     };
-    const contextReady = ContextValidator.isContextReady(
-      initialScope,
-      appConfig,
-      appName,
-      !!selectedEvent,
-      !!selectedOrganisation
-    );
-    if (appName !== "PORTAL" && appName !== "ADMIN" && !contextReady) {
-      setIsLoading(true);
-      return;
+    if (appName !== "PORTAL" && appName !== "ADMIN") {
+      if (!selectedOrganisation && !selectedEvent) {
+        setIsLoading(true);
+        return;
+      }
     }
     setIsLoading(true);
     setError(null);
@@ -618,11 +685,6 @@ function useRBAC(pageId) {
           const resolved = await resolveAppContext({ userId: user.id, appName });
           if (!resolved) {
             if (appName === "PORTAL" || appName === "ADMIN") {
-              try {
-                const { getAppConfigByName } = await import("./api-MVVQZLJI.js");
-                await getAppConfigByName(appName);
-              } catch (err) {
-              }
             } else {
               throw new Error(`User does not have access to app "${appName}"`);
             }
@@ -652,9 +714,20 @@ function useRBAC(pageId) {
         ...initialScope,
         appId: appId || contextAppId
       };
-      const validation = await ContextValidator.resolveRequiredContext(
+      let pageScopeType = "organisation";
+      if (pageId && scope.appId) {
+        try {
+          pageScopeType = await getPageScopeType(pageId, scope.appId, appName);
+        } catch (error2) {
+          logger2.warn("[useRBAC] Failed to get page scope type, defaulting to organisation", {
+            pageId,
+            error: error2 instanceof Error ? error2.message : String(error2)
+          });
+        }
+      }
+      const validation = await ContextValidator.resolveScopeForPage(
         scope,
-        appConfig,
+        pageScopeType,
         appName,
         supabase || null
       );
@@ -664,9 +737,9 @@ function useRBAC(pageId) {
       const resolvedScope = validation.resolvedScope;
       setCurrentScope(resolvedScope);
       const [map, roleContext, accessLevel] = await Promise.all([
-        getPermissionMap({ userId: user.id, scope: resolvedScope }, appConfig, appName),
-        getRoleContext({ userId: user.id, scope: resolvedScope }, appConfig, appName),
-        getAccessLevel({ userId: user.id, scope: resolvedScope }, appConfig, appName)
+        getPermissionMap({ userId: user.id, scope: resolvedScope }),
+        getRoleContext({ userId: user.id, scope: resolvedScope }),
+        getAccessLevel({ userId: user.id, scope: resolvedScope })
       ]);
       setPermissionMap(map);
       setGlobalRole(roleContext.globalRole);
@@ -688,7 +761,7 @@ function useRBAC(pageId) {
     } finally {
       setIsLoading(false);
     }
-  }, [appName, logger2, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user, eventLoading, appConfig, orgContextReady, orgLoading]);
+  }, [appName, logger2, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user, eventLoading, orgContextReady, orgLoading]);
   const hasGlobalPermission = useCallback(
     (permission) => {
       if (globalRole === "super_admin" || permissionMap["*"]) {
@@ -711,7 +784,7 @@ function useRBAC(pageId) {
   const canManageEvent = useMemo2(() => isSuperAdmin || eventAppRole === "event_admin", [isSuperAdmin, eventAppRole]);
   useEffect2(() => {
     loadRBACContext();
-  }, [loadRBACContext, appName, appConfig, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
+  }, [loadRBACContext, appName, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
   return {
     user,
     globalRole,
@@ -749,7 +822,7 @@ function useAccessLevel(userId, scope) {
     try {
       setIsLoading(true);
       setError(null);
-      const { isSuperAdmin: checkSuperAdmin } = await import("./api-MVVQZLJI.js");
+      const { isSuperAdmin: checkSuperAdmin } = await import("./api-IAGWF3ZG.js");
       const isSuperAdminUser = await checkSuperAdmin(userId);
       if (isSuperAdminUser) {
         setAccessLevel("super");
@@ -763,7 +836,7 @@ function useAccessLevel(userId, scope) {
         setIsLoading(false);
         return;
       }
-      const level = await getAccessLevel({ userId, scope }, null, appName);
+      const level = await getAccessLevel({ userId, scope }, appName);
       setAccessLevel(level);
     } catch (err) {
       const error2 = err instanceof Error ? err : new Error("Failed to fetch access level");
@@ -838,14 +911,26 @@ function scopeEqual(a, b) {
 
 // src/rbac/hooks/permissions/useCan.ts
 function useCan(userId, scope, permission, pageId, useCache = true, precomputedSuperAdmin = null, appName) {
-  const [can, setCan] = useState5(false);
-  const [isLoading, setIsLoading] = useState5(true);
-  const [error, setError] = useState5(null);
   const [isSuperAdmin, setIsSuperAdmin] = useState5(precomputedSuperAdmin ?? null);
+  const initialCan = precomputedSuperAdmin === true ? true : false;
+  const initialIsLoading = precomputedSuperAdmin === true ? false : true;
+  const [can, setCan] = useState5(initialCan);
+  const [isLoading, setIsLoading] = useState5(initialIsLoading);
+  const [error, setError] = useState5(null);
   const isValidScope = scope && typeof scope === "object";
   const organisationId = isValidScope ? scope.organisationId : void 0;
   const eventId = isValidScope ? scope.eventId : void 0;
   const appId = isValidScope ? scope.appId : void 0;
+  useEffect5(() => {
+    if (precomputedSuperAdmin === true && isSuperAdmin !== true) {
+      setIsSuperAdmin(true);
+      setCan(true);
+      setIsLoading(false);
+      setError(null);
+    } else if (precomputedSuperAdmin === false && isSuperAdmin !== false) {
+      setIsSuperAdmin(false);
+    }
+  }, [precomputedSuperAdmin, isSuperAdmin]);
   useEffect5(() => {
     if (precomputedSuperAdmin === null) {
       if (!userId) {
@@ -856,7 +941,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
       const checkSuperAdmin = async () => {
         const startTime = Date.now();
         try {
-          const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-MVVQZLJI.js");
+          const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-IAGWF3ZG.js");
           const timeoutWarning = setTimeout(() => {
             if (!cancelled) {
               console.warn("[useCan] Super admin check taking longer than 5 seconds", {
@@ -876,6 +961,11 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
               });
             }
             setIsSuperAdmin(isSuper);
+            if (isSuper) {
+              setCan(true);
+              setIsLoading(false);
+              setError(null);
+            }
           }
         } catch (err) {
           if (!cancelled) {
@@ -893,8 +983,6 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
       return () => {
         cancelled = true;
       };
-    } else {
-      setIsSuperAdmin(precomputedSuperAdmin);
     }
   }, [userId, precomputedSuperAdmin]);
   useEffect5(() => {
@@ -920,6 +1008,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
   const lastPermissionRef = useRef2(null);
   const lastPageIdRef = useRef2(null);
   const lastUseCacheRef = useRef2(null);
+  const lastIsSuperAdminRef = useRef2(null);
   const stableScope = useMemo5(() => {
     if (!isValidScope) {
       return null;
@@ -933,7 +1022,9 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
   const prevScopeRef = useRef2(null);
   useEffect5(() => {
     const scopeChanged = !scopeEqual(prevScopeRef.current, stableScope);
-    if (lastUserIdRef.current !== userId || scopeChanged || lastPermissionRef.current !== permission || lastPageIdRef.current !== pageId || lastUseCacheRef.current !== useCache) {
+    const isSuperAdminChanged = lastIsSuperAdminRef.current !== isSuperAdmin;
+    if (lastUserIdRef.current !== userId || scopeChanged || lastPermissionRef.current !== permission || lastPageIdRef.current !== pageId || lastUseCacheRef.current !== useCache || isSuperAdminChanged) {
+      lastIsSuperAdminRef.current = isSuperAdmin;
       lastUserIdRef.current = userId;
       prevScopeRef.current = stableScope;
       lastPermissionRef.current = permission;
@@ -987,7 +1078,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
             ...eventId ? { eventId } : {},
             ...appId ? { appId } : {}
           };
-          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, void 0, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, void 0, appName, isSuperAdmin === false ? false : null);
+          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, isSuperAdmin === false ? false : null);
           setCan(result);
         } catch (err) {
           const logger2 = getRBACLogger();
@@ -1030,7 +1121,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
         ...eventId ? { eventId } : {},
         ...appId ? { appId } : {}
       };
-      const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, void 0, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, void 0, appName, null);
+      const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, null);
       setCan(result);
     } catch (err) {
       setError(err instanceof Error ? err : new Error("Failed to check permission"));
@@ -1064,7 +1155,7 @@ function useHasAllPermissions(userId, scope, permissions, useCache = true) {
       setError(null);
       let hasAllPermissions = true;
       for (const permission of permissions) {
-        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission }, null, void 0, null);
+        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
         if (!result) {
           hasAllPermissions = false;
           break;
@@ -1106,7 +1197,7 @@ function useHasAnyPermission(userId, scope, permissions, useCache = true) {
       setError(null);
       let hasAnyPermission = false;
       for (const permission of permissions) {
-        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission }, null, void 0, null);
+        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
         if (result) {
           hasAnyPermission = true;
           break;
@@ -1148,7 +1239,7 @@ function useMultiplePermissions(userId, scope, permissions, useCache = true) {
       setError(null);
       const permissionResults = {};
       for (const permission of permissions) {
-        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission }, null, void 0, null);
+        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
         permissionResults[permission] = result;
       }
       setResults(permissionResults);
@@ -1831,6 +1922,9 @@ function useSecureSupabase(baseClient) {
 }
 
 export {
+  SECURE_CLIENT_SYMBOL,
+  isSecureClient,
+  warnIfInsecureClient,
   SecureSupabaseClient,
   createSecureClient,
   fromSupabaseClient,
@@ -1848,4 +1942,4 @@ export {
   useRoleManagement,
   useSecureSupabase
 };
-//# sourceMappingURL=chunk-XWQCNGTQ.js.map
+//# sourceMappingURL=chunk-YDQHOZNA.js.map