@jmruthers/pace-core 0.6.4 → 0.6.6

package/src/rbac/components/PagePermissionProvider.tsx

@@ -1,279 +0,0 @@
-/**
- * @file Page Permission Provider Component
- * @package @jmruthers/pace-core
- * @module RBAC/Components/PagePermissionProvider
- * @since 2.0.0
- *
- * A context provider that manages page-level permissions across the entire application.
- * This component ensures that all pages are properly protected and provides centralized
- * page permission management.
- *
- * Features:
- * - App-wide page permission management
- * - Strict mode to prevent bypassing
- * - Automatic audit logging
- * - Integration with existing RBAC system
- * - Page permission tracking
- * - Error handling and recovery
- *
- * @example
- * ```tsx
- * // Basic app setup with page permissions
- * <PagePermissionProvider strictMode={true} auditLog={true}>
- *   <App />
- * </PagePermissionProvider>
- * 
- * // With custom configuration
- * <PagePermissionProvider
- *   strictMode={true}
- *   auditLog={true}
- *   onPageAccess={(pageName, operation, allowed) => {
- *     console.log(`Page access: ${pageName} ${operation} - ${allowed ? 'allowed' : 'denied'}`);
- *   }}
- * >
- *   <App />
- * </PagePermissionProvider>
- * ```
- *
- * @security
- * - Enforces page-level permissions across the app
- * - Prevents apps from bypassing permission checks
- * - Automatic audit logging for all page access attempts
- * - Integration with existing RBAC system
- * - Page permission tracking and monitoring
- *
- * @performance
- * - Optimized with useMemo and useCallback
- * - Efficient context updates
- * - Minimal re-renders
- * - Cached permission checks
- *
- * @dependencies
- * - React 19+ - Context and hooks
- * - useUnifiedAuth - Authentication context
- * - RBAC types - Type definitions
- */
-
-import React, { createContext, useContext, useState, useCallback, useMemo, useEffect } from 'react';
-import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
-import { useResolvedScope } from '../hooks/useResolvedScope';
-import { UUID, Scope, Permission } from '../types';
-import { createLogger } from '../../utils/core/logger';
-
-const log = createLogger('PagePermissionProvider');
-
-export interface PagePermissionContextType {
-  /** Check if user has permission for a page */
-  hasPagePermission: (pageName: string, operation: string, pageId?: string, scope?: Scope) => boolean;
-  
-  /** Get all page permissions for current user */
-  getPagePermissions: () => Record<string, string[]>;
-  
-  /** Check if page permission checking is enabled */
-  isEnabled: boolean;
-  
-  /** Check if strict mode is enabled */
-  isStrictMode: boolean;
-  
-  /** Check if audit logging is enabled */
-  isAuditLogEnabled: boolean;
-  
-  /** Get page access history */
-  getPageAccessHistory: () => PageAccessRecord[];
-  
-  /** Clear page access history */
-  clearPageAccessHistory: () => void;
-}
-
-export interface PageAccessRecord {
-  pageName: string;
-  operation: string;
-  userId: UUID;
-  scope: Scope;
-  allowed: boolean;
-  timestamp: string;
-  pageId?: string;
-}
-
-export interface PagePermissionProviderProps {
-  /** Child components */
-  children: React.ReactNode;
-  
-  /** Enable strict mode to prevent bypassing (default: true) */
-  strictMode?: boolean;
-  
-  /** Enable audit logging (default: true) */
-  auditLog?: boolean;
-  
-  /** Callback when page access is attempted */
-  onPageAccess?: (pageName: string, operation: string, allowed: boolean, record: PageAccessRecord) => void;
-  
-  /** Callback when strict mode violation occurs */
-  onStrictModeViolation?: (pageName: string, operation: string, record: PageAccessRecord) => void;
-  
-  /** Maximum number of access records to keep in history */
-  maxHistorySize?: number;
-}
-
-const PagePermissionContext = createContext<PagePermissionContextType | null>(null);
-
-/**
- * PagePermissionProvider - Manages page-level permissions across the app
- * 
- * This provider ensures that all pages are properly protected and provides
- * centralized page permission management with strict enforcement.
- * 
- * @param props - Provider props
- * @returns React element with page permission context
- */
-export function PagePermissionProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onPageAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1000
-}: PagePermissionProviderProps) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const [pageAccessHistory, setPageAccessHistory] = useState<PageAccessRecord[]>([]);
-  const [isEnabled, setIsEnabled] = useState(true);
-
-  // Use useResolvedScope to get proper scope (org derived from event if needed)
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-
-  // Get current scope from resolved scope
-  // For event-required apps: org is derived from event
-  // For org-required apps: org comes from selectedOrganisation
-  const currentScope = resolvedScope;
-
-  // Check if user has permission for a page
-  const hasPagePermission = useCallback((
-    pageName: string, 
-    operation: string, 
-    pageId?: string, 
-    scope?: Scope
-  ): boolean => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    
-    // Use the existing RBAC system to check permissions
-    // This is a synchronous check for the context - actual permission checking
-    // happens in the PagePermissionGuard component using useCan hook
-    const permission = `${operation}:page.${pageName}` as Permission;
-    
-    // Return false by default (secure by default) - let individual PagePermissionGuard
-    // components handle the actual permission checking asynchronously
-    // This context is mainly for tracking and audit purposes
-    return false;
-  }, [isEnabled, user?.id, currentScope]);
-
-  // Get all page permissions for current user
-  const getPagePermissions = useCallback((): Record<string, string[]> => {
-    if (!isEnabled || !user?.id) return {};
-    
-    // For now, return empty object - this will be enhanced with actual permission checking
-    // when we integrate with the existing RBAC system
-    return {};
-  }, [isEnabled, user?.id]);
-
-  // Get page access history
-  const getPageAccessHistory = useCallback((): PageAccessRecord[] => {
-    return [...pageAccessHistory];
-  }, [pageAccessHistory]);
-
-  // Clear page access history
-  const clearPageAccessHistory = useCallback(() => {
-    setPageAccessHistory([]);
-  }, []);
-
-  // Record page access attempt
-  const recordPageAccess = useCallback((
-    pageName: string,
-    operation: string,
-    allowed: boolean,
-    pageId?: string,
-    scope?: Scope
-  ) => {
-    if (!auditLog || !user?.id) return;
-    
-    const record: PageAccessRecord = {
-      pageName,
-      operation,
-      userId: user.id,
-      scope: scope || currentScope || { organisationId: '' },
-      allowed,
-      timestamp: new Date().toISOString(),
-      pageId
-    };
-    
-    setPageAccessHistory(prev => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    
-    if (onPageAccess) {
-      onPageAccess(pageName, operation, allowed, record);
-    }
-    
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(pageName, operation, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onPageAccess, onStrictModeViolation, strictMode]);
-
-  // Context value
-  const contextValue = useMemo((): PagePermissionContextType => ({
-    hasPagePermission,
-    getPagePermissions,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
-  }), [
-    hasPagePermission,
-    getPagePermissions,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
-  ]);
-
-  // Log strict mode violations
-  useEffect(() => {
-    if (strictMode && auditLog) {
-      log.debug('Strict mode enabled - all page access attempts will be logged and enforced');
-    }
-  }, [strictMode, auditLog]);
-
-  return (
-    <PagePermissionContext.Provider value={contextValue}>
-      {children}
-    </PagePermissionContext.Provider>
-  );
-}
-
-/**
- * Hook to use page permission context
- * 
- * @returns Page permission context
- * @throws Error if used outside of PagePermissionProvider
- */
-export function usePagePermissions(): PagePermissionContextType {
-  const context = useContext(PagePermissionContext);
-  
-  if (!context) {
-    throw new Error('usePagePermissions must be used within a PagePermissionProvider');
-  }
-  
-  return context;
-}
-
-export default PagePermissionProvider;

package/src/rbac/components/PermissionEnforcer.tsx

@@ -1,312 +0,0 @@
-/**
- * @file Permission Enforcer Component
- * @package @jmruthers/pace-core
- * @module RBAC/Components/PermissionEnforcer
- * @since 2.0.0
- *
- * A component that enforces permissions and prevents apps from bypassing permission checks.
- * This is a critical security component that provides centralized permission enforcement.
- *
- * Features:
- * - Centralized permission enforcement
- * - Strict mode to prevent bypassing
- * - Automatic audit logging
- * - Integration with existing RBAC system
- * - Multiple permission checking
- * - Clear error messages for unauthorized access
- *
- * @example
- * ```tsx
- * // Basic permission enforcement
- * <PermissionEnforcer
- *   permissions={['read:events', 'update:events']}
- *   operation="event-management"
- *   fallback={<AccessDeniedPage />}
- * >
- *   <EventManagementPage />
- * </PermissionEnforcer>
- * 
- * // Strict mode (prevents bypassing)
- * <PermissionEnforcer
- *   permissions={['admin:system']}
- *   operation="system-administration"
- *   strictMode={true}
- *   fallback={<AccessDeniedPage />}
- * >
- *   <SystemAdminPage />
- * </PermissionEnforcer>
- * 
- * // With custom fallback
- * <PermissionEnforcer
- *   permissions={['update:settings']}
- *   operation="settings-update"
- *   fallback={<div>You don't have permission to update settings</div>}
- * >
- *   <SettingsUpdatePage />
- * </PermissionEnforcer>
- * ```
- *
- * @security
- * - Enforces permissions for all operations
- * - Prevents apps from bypassing permission checks
- * - Automatic audit logging for all permission checks
- * - Integration with existing RBAC system
- * - Clear error messages for unauthorized access
- *
- * @performance
- * - Optimized with useMemo and useCallback
- * - Cached permission checks
- * - Minimal re-renders
- * - Efficient error handling
- *
- * @dependencies
- * - React 19+ - Component framework
- * - useCan hook - Permission checking
- * - useUnifiedAuth - Authentication context
- * - RBAC types - Type definitions
- */
-
-import React, { useMemo, useCallback, useEffect, useState, useRef } from 'react';
-import { useMultiplePermissions } from '../hooks/usePermissions';
-import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
-import { useResolvedScope } from '../hooks/useResolvedScope';
-import { UUID, Permission, Scope } from '../types';
-import { getRBACLogger } from '../config';
-import { createLogger } from '../../utils/core/logger';
-
-const log = createLogger('PermissionEnforcer');
-
-export interface PermissionEnforcerProps {
-  /** Permissions required for access */
-  permissions: Permission[];
-  
-  /** Operation being performed */
-  operation: string;
-  
-  /** Content to render when user has permission */
-  children: React.ReactNode;
-  
-  /** Content to render when user lacks permission */
-  fallback?: React.ReactNode;
-  
-  /** Enable strict mode to prevent bypassing (default: true) */
-  strictMode?: boolean;
-  
-  /** Force audit logging for this operation (default: true) */
-  auditLog?: boolean;
-  
-  /** Custom scope for permission checking */
-  scope?: Scope;
-  
-  /** Callback when access is denied */
-  onDenied?: (permissions: Permission[], operation: string) => void;
-  
-  /** Loading state content */
-  loading?: React.ReactNode;
-  
-  /** Require all permissions (AND) or any permission (OR) */
-  requireAll?: boolean;
-}
-
-/**
- * PermissionEnforcer - Enforces permissions for operations
- * 
- * This component ensures that users can only perform operations they have permission for.
- * It integrates with the existing RBAC system and provides strict enforcement to
- * prevent apps from bypassing permission checks.
- * 
- * @param props - Component props
- * @returns React element with permission enforcement
- */
-export function PermissionEnforcer({
-  permissions,
-  operation,
-  children,
-  fallback = <DefaultAccessDenied />,
-  strictMode = true,
-  auditLog = true,
-  scope,
-  onDenied,
-  loading = <DefaultLoading />,
-  requireAll = true
-}: PermissionEnforcerProps) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState(false);
-  
-  // Use useResolvedScope hook for consistent scope resolution
-  // For event-required apps: selectedOrganisation is null, org derived from event
-  // For org-required apps: selectedOrganisation is available, event optional
-  const { resolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  
-  // Use provided scope if available, otherwise use resolved scope
-  // Extract primitive values to ensure stable reference comparison
-  // This prevents useMultiplePermissions from re-checking when scope object reference changes but values are the same
-  const scopeToUse = scope || resolvedScope;
-  const scopeOrgId = scopeToUse?.organisationId || '';
-  const scopeEventId = scopeToUse?.eventId || undefined;
-  const scopeAppId = scopeToUse?.appId || undefined;
-  
-  // Memoize effectiveScope using primitive values to ensure stable reference
-  // Always create a new scope object from primitive values to prevent reference changes
-  const effectiveScope = useMemo(() => {
-    const newScope: Scope = {};
-    if (scopeOrgId) {
-      newScope.organisationId = scopeOrgId;
-    }
-    if (scopeEventId) {
-      newScope.eventId = scopeEventId;
-    }
-    if (scopeAppId) {
-      newScope.appId = scopeAppId;
-    }
-    return newScope;
-  }, [scopeOrgId, scopeEventId, scopeAppId]);
-  const checkError = scopeError;
-
-  // Check all permissions using useMultiplePermissions hook
-  const { results: permissionResults, isLoading: permissionsLoading, error: permissionsError } = useMultiplePermissions(
-    user?.id || '',
-    effectiveScope || { eventId: selectedEvent?.event_id || undefined },
-    permissions,
-    true // Use cache
-  );
-  
-  const isLoading = scopeLoading || permissionsLoading;
-  const error = checkError || permissionsError;
-
-  // Determine if user has required permissions based on requireAll prop
-  const hasRequiredPermissions = useMemo((): boolean => {
-    if (permissions.length === 0) return true;
-    
-    // If permissionResults is not yet available or empty, deny access
-    if (!permissionResults || Object.keys(permissionResults).length === 0) {
-      return false;
-    }
-    
-    if (requireAll) {
-      // User must have ALL permissions
-      return Object.values(permissionResults).every(result => result === true);
-    } else {
-      // User must have ANY permission (default behavior)
-      return Object.values(permissionResults).some(result => result === true);
-    }
-  }, [permissions, permissionResults, requireAll]);
-
-  // Handle permission check completion
-  useEffect(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      
-      if (!hasRequiredPermissions && onDenied) {
-        onDenied(permissions, operation);
-      }
-    } else if (error) {
-      setHasChecked(true);
-    }
-  }, [hasRequiredPermissions, isLoading, error, permissions, operation, onDenied]);
-
-  // Log permission check attempt for audit
-  // Only log once per unique permission check result to prevent spam
-  // Use the scope primitive values already extracted above
-  const permissionsKey = permissions.join(',');
-  
-  const lastLoggedKeyRef = useRef<string | null>(null);
-  useEffect(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      // Create a stable key based on the permission check result values (not object references)
-      const logKey = `${operation}-${user?.id}-${permissionsKey}-${hasRequiredPermissions}-${scopeOrgId}-${scopeEventId}-${scopeAppId}`;
-      
-      // Only log if this is a new result (different from last logged)
-      if (lastLoggedKeyRef.current !== logKey) {
-        lastLoggedKeyRef.current = logKey;
-        log.debug('Permission check attempt:', {
-          permissions,
-          operation,
-          userId: user?.id,
-          scope: effectiveScope,
-          allowed: hasRequiredPermissions,
-          requireAll,
-          timestamp: new Date().toISOString()
-        });
-      }
-    }
-  }, [auditLog, hasChecked, isLoading, permissionsKey, operation, user?.id, scopeOrgId, scopeEventId, scopeAppId, hasRequiredPermissions]);
-
-  // Handle strict mode violations
-  useEffect(() => {
-    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
-      const logger = getRBACLogger();
-      logger.error(`STRICT MODE VIOLATION: User attempted to perform operation without permission`, {
-        permissions,
-        operation,
-        userId: user?.id,
-        scope: effectiveScope,
-        requireAll,
-        timestamp: new Date().toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, permissions, operation, user?.id, effectiveScope, requireAll]);
-
-  // Show loading state
-  if (isLoading || !hasChecked) {
-    return <>{loading}</>;
-  }
-
-  // Show error state
-  if (checkError) {
-    const logger = getRBACLogger();
-    logger.error(`Permission check failed for operation ${operation}:`, checkError);
-    return <>{fallback}</>;
-  }
-
-  // Show access denied
-  if (!hasRequiredPermissions) {
-    return <>{fallback}</>;
-  }
-
-  // Show protected content
-  return <>{children}</>;
-}
-
-/**
- * Default access denied component
- */
-function DefaultAccessDenied() {
-  return (
-    <div className="flex flex-col items-center justify-center min-h-[200px] p-8 text-center">
-      <div className="mb-4">
-        <svg className="w-16 h-16 text-acc-500 mx-auto" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" />
-        </svg>
-      </div>
-      <h2 className="text-xl font-semibold text-sec-900 mb-2">Access Denied</h2>
-      <p className="text-sec-600 mb-4">You don't have permission to perform this operation.</p>
-      <button 
-        onClick={() => window.history.back()}
-        className="px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors"
-      >
-        Go Back
-      </button>
-    </div>
-  );
-}
-
-/**
- * Default loading component
- */
-function DefaultLoading() {
-  return (
-    <div className="flex items-center justify-center min-h-[200px] p-8">
-      <div className="flex items-center space-x-2">
-        <div className="animate-spin rounded-full size-8 border-b-2 border-main-600"></div>
-        <span className="text-sec-600">Checking permissions...</span>
-      </div>
-    </div>
-  );
-}
-
-export default PermissionEnforcer;