@jmruthers/pace-core 0.6.2 → 0.6.3

package/src/rbac/hooks/useResolvedScope.ts

@@ -13,8 +13,6 @@ import { useEffect, useState, useRef, useMemo } from 'react';
 import { SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../../types/database';
 import type { Scope } from '../types';
-import { ContextValidator } from '../utils/contextValidator';
-import type { AppConfig } from '../utils/contextValidator';
 import { getCurrentAppName } from '../../utils/app/appNameResolver';
 import { createLogger } from '../../utils/core/logger';
 
@@ -22,12 +20,12 @@ const log = createLogger('useResolvedScope');
 
 // Cache app config to avoid repeated database queries
 // App config rarely changes during a session, so we can cache it
-const appConfigCache = new Map<string, { appId: string; appConfig: AppConfig; timestamp: number }>();
+const appIdCache = new Map<string, { appId: string; timestamp: number }>();
 const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
 
 // Export function to clear cache (for testing)
 export function clearAppConfigCache(): void {
-  appConfigCache.clear();
+  appIdCache.clear();
 }
 
 export interface UseResolvedScopeOptions {
@@ -138,12 +136,11 @@ export function useResolvedScope({
       setError(null);
       
       try {
-        // Get app name and config
+        // Get app name and resolve appId
         const appName = getCurrentAppName();
         let appId: string | undefined = undefined;
-        let appConfig: AppConfig | null = null;
         
-        // Try to resolve app config from database (with caching)
+        // Try to resolve appId from database (with caching)
         // Only query if user is authenticated (RLS policies require authentication)
         if (supabase && appName) {
           try {
@@ -156,19 +153,18 @@ export function useResolvedScope({
               log.debug(`Skipping app resolution for "${appName}" - user not authenticated`);
             } else {
               // Check cache first
-              const cached = appConfigCache.get(appName);
+              const cached = appIdCache.get(appName);
               const now = Date.now();
               if (cached && (now - cached.timestamp) < CACHE_TTL) {
                 appId = cached.appId;
-                appConfig = cached.appConfig;
               } else {
                 // Cache miss or expired - fetch from database
                 const { data: app, error } = await supabase
                   .from('rbac_apps')
-                  .select('id, name, requires_event, is_active')
+                  .select('id, name, is_active')
                   .eq('name', appName)
                   .eq('is_active', true)
-                  .single() as { data: { id: string; name: string; requires_event: boolean; is_active: boolean } | null; error: any };
+                  .single() as { data: { id: string; name: string; is_active: boolean } | null; error: any };
                 
                 if (error) {
                   // HTTP 406 is expected when not authenticated (RLS blocks query)
@@ -197,9 +193,8 @@ export function useResolvedScope({
                   }
                 } else if (app) {
                   appId = app.id;
-                  appConfig = { requires_event: app.requires_event ?? false };
                   // Only cache successful lookups of active apps
-                  appConfigCache.set(appName, { appId, appConfig, timestamp: now });
+                  appIdCache.set(appName, { appId, timestamp: now });
                 }
               }
             }
@@ -208,7 +203,7 @@ export function useResolvedScope({
             // Don't log 406 errors as they're expected when not authenticated
             const errorMessage = error instanceof Error ? error.message : String(error);
             if (!errorMessage.includes('406') && !errorMessage.includes('PGRST116')) {
-              log.error('Unexpected error resolving app config:', error);
+              log.error('Unexpected error resolving app ID:', error);
             } else {
               log.debug('App resolution skipped - authentication required');
             }
@@ -216,44 +211,44 @@ export function useResolvedScope({
         }
 
         // Build initial scope from available context
-        // For event-required apps: Only use eventId (org will be derived)
-        // For org-required apps: Only use organisationId (event is optional)
+        // Scope is now page-level only - use whatever context is available
+        // Default to organisation scope if both are available (safest default)
         const initialScope: Scope = {
-          organisationId: appConfig?.requires_event ? undefined : (selectedOrganisationId || undefined),
+          organisationId: selectedOrganisationId || undefined,
           eventId: selectedEventId || undefined,
           appId: appId
         };
 
-        // Use ContextValidator to resolve required context
-        // For PORTAL, always allow scope resolution even if appConfig is null
-        const validation = await ContextValidator.resolveRequiredContext(
+        // For PORTAL/ADMIN apps, allow scope without org/event
+        if (appName === 'PORTAL' || appName === 'ADMIN') {
+          if (!cancelled) {
+            const optionalContextScope: Scope = {
+              organisationId: undefined,
+              eventId: undefined,
+              appId: appId || undefined
+            };
+            setResolvedScope(optionalContextScope);
+            setError(null);
+            setIsLoading(false);
+          }
+          return;
+        }
+        
+        // For other apps, default to organisation scope validation (safest default)
+        // Page-level scope will be validated during permission checks
+        // ContextValidator is already imported at the top
+        const { ContextValidator } = await import('../utils/contextValidator');
+        const validation = await ContextValidator.resolveScopeForPage(
           initialScope,
-          appConfig,
+          'organisation', // Default to organisation scope when no page context
           appName || undefined,
           supabase
         );
 
         if (!validation.isValid) {
-          // For PORTAL/ADMIN apps, allow scope without org/event even if validation fails
-          if (appName === 'PORTAL' || appName === 'ADMIN') {
-            if (!cancelled) {
-              // For PORTAL/ADMIN, we need at least an appId. If we don't have it from the query,
-              // we'll set it to undefined and let the component handle it (it can use contextAppId)
-              const optionalContextScope: Scope = {
-                organisationId: undefined,
-                eventId: undefined,
-                appId: appId || undefined // appId might be undefined if query failed, that's OK
-              };
-              setResolvedScope(optionalContextScope);
-              setError(null);
-              setIsLoading(false);
-            }
-            return;
-          }
-          
-          // For event-required apps: if validation fails but we have an eventId, return scope with eventId
+          // If validation fails but we have an eventId, return scope with eventId
           // The organisation will be derived later during permission checks
-          if (appConfig?.requires_event && selectedEventId) {
+          if (selectedEventId) {
             if (!cancelled) {
               const eventScope: Scope = {
                 organisationId: undefined, // Will be derived from event during permission check

package/src/rbac/hooks/useSecureSupabase.ts

@@ -295,13 +295,13 @@ export function useSecureSupabase(
               isSuperAdmin
             )
           : createSecureClient(
-              config.url,
-              config.key,
-              effectiveOrganisationId as any, // organisationId is string | null, UUID is string alias
-              eventId,
-              appId as any, // appId is string | undefined, UUID is string alias
-              isSuperAdmin // Pass super admin status for conditional filtering
-            );
+          config.url,
+          config.key,
+          effectiveOrganisationId as any, // organisationId is string | null, UUID is string alias
+          eventId,
+          appId as any, // appId is string | undefined, UUID is string alias
+          isSuperAdmin // Pass super admin status for conditional filtering
+        );
 
         // Cache the client for reuse
         secureClientCache.set(cacheKey, secureClient);

package/src/rbac/index.ts

@@ -52,6 +52,13 @@ export {
   fromSupabaseClient,
 } from './secureClient';
 
+// Client security utilities
+export {
+  isSecureClient,
+  warnIfInsecureClient,
+  SECURE_CLIENT_SYMBOL,
+} from './utils/clientSecurity';
+
 // Cache
 export {
   RBACCache,

package/src/rbac/secureClient.test.ts

@@ -360,32 +360,36 @@ describe('createSecureClient', () => {
 describe('fromSupabaseClient', () => {
   it('converts existing Supabase client to secure client', () => {
     const mockSupabase = createMockSupabaseClient();
-    expect(() => {
-      fromSupabaseClient(
-        mockSupabase as any,
-        'org-123' as UUID
-      );
-    }).toThrow('fromSupabaseClient is not supported. Use createSecureClient instead.');
+    const secureClient = fromSupabaseClient(
+      mockSupabase as any,
+      'org-123' as UUID
+    );
+    
+    expect(secureClient).toBeInstanceOf(SecureSupabaseClient);
+    expect(secureClient.getOrganisationId()).toBe('org-123');
   });
 
   it('preserves original client configuration', () => {
     const mockSupabase = createMockSupabaseClient();
-    expect(() => {
-      fromSupabaseClient(
-        mockSupabase as any,
-        'org-123' as UUID,
-        'event-456',
-        'app-789' as UUID
-      );
-    }).toThrow('fromSupabaseClient is not supported. Use createSecureClient instead.');
+    const secureClient = fromSupabaseClient(
+      mockSupabase as any,
+      'org-123' as UUID,
+      'event-456',
+      'app-789' as UUID
+    );
+    
+    expect(secureClient).toBeInstanceOf(SecureSupabaseClient);
+    expect(secureClient.getOrganisationId()).toBe('org-123');
+    expect(secureClient.getEventId()).toBe('event-456');
+    expect(secureClient.getAppId()).toBe('app-789');
   });
 
-  it('validates organisation context', () => {
+  it('handles empty organisation context', () => {
     const mockSupabase = createMockSupabaseClient();
+    const secureClient = fromSupabaseClient(mockSupabase as any, '' as UUID);
     
-    expect(() => {
-      fromSupabaseClient(mockSupabase as any, '' as UUID);
-    }).toThrow('fromSupabaseClient is not supported. Use createSecureClient instead.');
+    expect(secureClient).toBeInstanceOf(SecureSupabaseClient);
+    expect(secureClient.getOrganisationId()).toBe('');
   });
 });
 

package/src/rbac/secureClient.ts

@@ -12,6 +12,7 @@ import { createClient, SupabaseClient } from '@supabase/supabase-js';
 import { Database } from '../types/database';
 import { UUID } from './types';
 import { OrganisationContextRequiredError } from './types';
+import { markClientAsSecure } from './utils/clientSecurity';
 
 /**
  * Secure Supabase Client that enforces organisation context
@@ -34,6 +35,10 @@ export class SecureSupabaseClient {
   private appId?: UUID;
   private isSuperAdmin: boolean;
   private usesExistingClient: boolean = false;
+  
+  // Cache for RPC function signatures to avoid repeated database queries
+  // Maps function name -> Set of parameter names it accepts
+  private static rpcSignatureCache = new Map<string, Set<string>>();
 
   /**
    * RPC functions that are safe to call without organisation context.
@@ -91,6 +96,9 @@ export class SecureSupabaseClient {
     // Override functions.invoke to exclude custom headers for Edge Functions
     // Edge Functions may not have CORS configured to accept custom headers
     this.setupEdgeFunctionHandling();
+    
+    // Mark the client as secure
+    markClientAsSecure(this.supabase);
   }
 
   /**
@@ -125,22 +133,42 @@ export class SecureSupabaseClient {
       // Some RPCs are global (not organisation-scoped) but still require auth.uid() from JWT.
       // Allow these even without organisation context.
       this.validateContextForRpc(fn);
+
+      // SYSTEMIC FIX: Use opt-in whitelist approach instead of brittle blacklist.
+      // PostgREST matches RPCs by *exact* parameter signature; sending unexpected params results in:
+      // - HTTP 404 + PGRST202 "Could not find the function ... with parameters ..."
+      //
+      // By default, we don't inject context unless the function is explicitly whitelisted.
+      // This prevents PGRST202 errors and makes the system more maintainable.
+      const acceptedParams = this.getRpcAcceptedParams(fn);
       
-      // Inject context into RPC calls
-      // Only include organisation_id if it's available (super-admins may not have it)
-      // IMPORTANT:
-      // Do NOT overwrite explicitly provided RPC parameters.
+      // Only inject context parameters that:
+      // 1. The function accepts (according to our whitelist)
+      // 2. Are not already explicitly provided
+      // 3. We have values for
+      // IMPORTANT: Do NOT overwrite explicitly provided RPC parameters.
       // Some RPCs legitimately take `p_app_id`/`p_event_id` as the *target* entity,
       // which may differ from the current RBAC scope app/event.
       const safeArgs = (args ?? {}) as Record<string, unknown>;
-      const contextArgs = {
-        ...safeArgs,
-        ...(this.organisationId && safeArgs.p_organisation_id === undefined
-          ? { p_organisation_id: this.organisationId }
-          : {}),
-        ...(this.eventId && safeArgs.p_event_id === undefined ? { p_event_id: this.eventId } : {}),
-        ...(this.appId && safeArgs.p_app_id === undefined ? { p_app_id: this.appId } : {}),
-      };
+      const contextArgs: Record<string, unknown> = { ...safeArgs };
+      
+      if (acceptedParams.has('p_organisation_id') && 
+          this.organisationId && 
+          safeArgs.p_organisation_id === undefined) {
+        contextArgs.p_organisation_id = this.organisationId;
+      }
+      
+      if (acceptedParams.has('p_event_id') && 
+          this.eventId && 
+          safeArgs.p_event_id === undefined) {
+        contextArgs.p_event_id = this.eventId;
+      }
+      
+      if (acceptedParams.has('p_app_id') && 
+          this.appId && 
+          safeArgs.p_app_id === undefined) {
+        contextArgs.p_app_id = this.appId;
+      }
       
       return originalRpc(fn as any, contextArgs, options);
     };
@@ -193,6 +221,8 @@ export class SecureSupabaseClient {
     // Override select to add organisation filter
     query.select = (columns?: string) => {
       const result = originalSelect(columns);
+      // Store table name on query object so we can access it in filter methods
+      (result as any)._tableName = tableName;
       return this.addOrganisationFilter(result, tableName);
     };
 
@@ -326,12 +356,15 @@ export class SecureSupabaseClient {
     // For rbac_user_profiles, use conditional filtering based on super admin status
     if (tableName === 'rbac_user_profiles') {
       // Super admins: No org filter (see all users via RLS)
-      // Non-super-admins: Apply org filter as defense in depth (RLS also filters)
       if (this.isSuperAdmin) {
         return query; // No filter - RLS handles access control
       }
-      // Apply org filter for non-super-admins as additional security layer
-      return query.eq('organisation_id', this.organisationId);
+      
+      // For non-super-admins: Apply org filter, but allow NULL organisation_id
+      // User profiles can have organisation_id = NULL (users not yet assigned to an org)
+      // We use .or() to allow either matching organisation_id OR NULL
+      // RLS policies will still enforce access control
+      return query.or(`organisation_id.eq.${this.organisationId},organisation_id.is.null`);
     }
     
     // For all other tables, apply organisation filter
@@ -455,7 +488,7 @@ export class SecureSupabaseClient {
   getClient(): SupabaseClient<Database> {
     // Return a proxy that intercepts functions.invoke calls to use edge function client
     // This avoids CORS issues with Edge Functions while keeping the main client intact
-    return new Proxy(this.supabase, {
+    const proxiedClient = new Proxy(this.supabase, {
       get: (target, prop) => {
         if (prop === 'functions' && this.edgeFunctionClient) {
           // Return the edge function client's functions for invoke calls
@@ -466,6 +499,60 @@ export class SecureSupabaseClient {
         return (target as any)[prop];
       }
     }) as SupabaseClient<Database>;
+    
+    // Mark the proxied client as secure
+    markClientAsSecure(proxiedClient);
+    
+    return proxiedClient;
+  }
+
+  /**
+   * Get the set of parameter names that an RPC function accepts.
+   * Uses a static whitelist of RPCs that we know accept context parameters.
+   * 
+   * This is an opt-in approach: by default, we don't inject context unless
+   * the function is explicitly whitelisted. This prevents PGRST202 errors from
+   * injecting unexpected parameters.
+   * 
+   * @param fn - The RPC function name
+   * @returns Set of parameter names the function accepts
+   */
+  private getRpcAcceptedParams(fn: string): Set<string> {
+    // Check cache first
+    if (SecureSupabaseClient.rpcSignatureCache.has(fn)) {
+      return SecureSupabaseClient.rpcSignatureCache.get(fn)!;
+    }
+
+    // Whitelist of RPCs that accept context parameters
+    // Format: function name -> Set of parameters it accepts
+    // 
+    // SYSTEMIC FIX: This is an opt-in approach. By default, we don't inject context
+    // unless the function is explicitly whitelisted. This prevents PGRST202 errors
+    // from injecting unexpected parameters.
+    //
+    // To add a new RPC:
+    // 1. Check the function signature in the database: 
+    //    SELECT pg_get_function_identity_arguments(oid) FROM pg_proc WHERE proname = 'function_name';
+    // 2. Add it here with the parameters it accepts
+    const rpcContextWhitelist: Record<string, Set<string>> = {
+      // RPCs that accept all three context parameters
+      'rbac_roles_list': new Set(['p_organisation_id', 'p_event_id', 'p_app_id']),
+      
+      // RPCs that accept only p_organisation_id (not p_app_id or p_event_id)
+      'data_file_reference_by_category_list': new Set(['p_organisation_id']),
+      
+      // Add more RPCs here as we discover them
+      // Format: 'function_name': new Set(['p_organisation_id', 'p_event_id', 'p_app_id']),
+    };
+
+    // Default: empty set (no context injection) unless whitelisted
+    // This is the safe default - prevents PGRST202 errors
+    const acceptedParams = rpcContextWhitelist[fn] || new Set<string>();
+    
+    // Cache the result to avoid repeated lookups
+    SecureSupabaseClient.rpcSignatureCache.set(fn, acceptedParams);
+    
+    return acceptedParams;
   }
 }
 

package/src/rbac/security.ts

@@ -9,8 +9,6 @@
 
 import { UUID, Permission, Scope } from './types';
 import { createLogger } from '../utils/core/logger';
-import { ContextValidator } from './utils/contextValidator';
-import type { AppConfig } from './utils/contextValidator';
 
 const log = createLogger('RBACSecurity');
 
@@ -161,21 +159,6 @@ export class RBACSecurityValidator {
     return true;
   }
 
-  /**
-   * Validate context requirements for security
-   * @param scope - Scope object
-   * @param appConfig - App configuration
-   * @param appName - App name (for PORTAL special case)
-   * @returns True if context is valid, false otherwise
-   */
-  static async validateContextRequirements(
-    scope: Scope,
-    appConfig?: AppConfig | null,
-    appName?: string
-  ): Promise<boolean> {
-    const validation = await ContextValidator.validateScope(scope, appConfig || null, appName);
-    return validation.isValid;
-  }
 
   /**
    * Log security event for monitoring

package/src/rbac/types.ts

@@ -126,6 +126,7 @@ export interface RBACAppPage {
   created_by: UUID | null;
   updated_by: UUID | null;
   app_id: UUID;
+  scope_type: 'event' | 'organisation' | 'both'; // Required - single source of truth for page scoping
 }
 
 export interface RBACApp {