@jmruthers/pace-core 0.6.4 → 0.6.6

package/src/rbac/hooks/useResolvedScope.test.ts

@@ -117,7 +117,11 @@ describe('useResolvedScope Hook', () => {
       );
 
       expect(result.current.isLoading).toBe(true);
-      expect(result.current.resolvedScope).toBeNull();
+      // Scope is now returned immediately if org/event IDs are available (for performance)
+      // Only appId resolution happens asynchronously
+      expect(result.current.resolvedScope).not.toBeNull();
+      expect(result.current.resolvedScope?.organisationId).toBe('org-123');
+      expect(result.current.resolvedScope?.eventId).toBe('event-123');
 
       // Wait for async app ID resolution to complete
       await waitFor(
@@ -127,18 +131,9 @@ describe('useResolvedScope Hook', () => {
         { timeout: 2000 }
       );
 
-      // The stable scope ref is updated in a useEffect that depends on resolvedScope state
-      // The return value checks stableScope.organisationId, so we need to wait for the ref update
-      // Force a re-render to pick up the ref change (refs don't trigger re-renders)
-      rerender();
-
-      await waitFor(
-        () => {
-          expect(result.current.resolvedScope).not.toBeNull();
-          expect(result.current.resolvedScope?.organisationId).toBe('org-123');
-        },
-        { timeout: 2000, interval: 10 }
-      );
+      // Scope should still be available after loading completes
+      expect(result.current.resolvedScope).not.toBeNull();
+      expect(result.current.resolvedScope?.organisationId).toBe('org-123');
 
       // Verify the mock was called (it should be called to fetch app ID)
       // Note: With caching, this might not be called on every test run
@@ -310,11 +305,19 @@ describe('useResolvedScope Hook', () => {
         { timeout: 2000 }
       );
 
-      expect(result.current.resolvedScope).toBeNull();
-      expect(result.current.error).toBeInstanceOf(Error);
-      expect(result.current.error?.message).toBe(
-        'Organisation context is required for this operation'
-      );
+      // Hook can return scope with just appId if appId is resolved (for non-PORTAL/ADMIN apps)
+      // Or null if appId is not resolved and no org/event context is available
+      // The hook no longer throws errors - it just returns null scope
+      if (result.current.resolvedScope) {
+        // If scope is returned, it should only have appId (no org/event context)
+        expect(result.current.resolvedScope.organisationId).toBeUndefined();
+        expect(result.current.resolvedScope.eventId).toBeUndefined();
+        expect(result.current.resolvedScope.appId).toBeDefined();
+      } else {
+        // If no scope is returned, there should be no error (hook doesn't throw errors)
+        expect(result.current.resolvedScope).toBeNull();
+      }
+      expect(result.current.error).toBeNull();
     });
   });
 
@@ -942,8 +945,19 @@ describe('useResolvedScope Hook', () => {
         { timeout: 2000 }
       );
 
-      expect(result.current.resolvedScope).toBeNull();
-      expect(result.current.error).toBeInstanceOf(Error);
+      // Hook can return scope with just appId if appId is resolved (for non-PORTAL/ADMIN apps)
+      // Empty string org ID is treated as no org context, but appId can still be in scope
+      if (result.current.resolvedScope) {
+        // If scope is returned, it should only have appId (no org/event context)
+        expect(result.current.resolvedScope.organisationId).toBeUndefined();
+        expect(result.current.resolvedScope.eventId).toBeUndefined();
+        expect(result.current.resolvedScope.appId).toBeDefined();
+      } else {
+        // If no scope is returned, there should be no error (hook doesn't throw errors)
+        expect(result.current.resolvedScope).toBeNull();
+      }
+      // Hook no longer throws errors - it just returns null scope or scope with appId
+      expect(result.current.error).toBeNull();
     });
 
     it('handles empty string event ID', async () => {
@@ -1030,6 +1044,7 @@ describe('useResolvedScope Hook', () => {
           supabase: mockSupabase,
           selectedOrganisationId: null,
           selectedEventId: 'event-123',
+          selectedEventOrganisationId: 'org-456', // Pass org ID from event explicitly
         })
       );
 
@@ -1040,25 +1055,21 @@ describe('useResolvedScope Hook', () => {
         { timeout: 3000 }
       );
 
-      // Check for errors - organisation context is required even when deriving from event
-      // The hook requires organisation context for event-required apps
-      if (result.current.error) {
-        // Expected: Organisation context is required
-        expect(result.current.error.message).toContain('Organisation context is required');
-        // Test expects this to work, but it's actually the correct behavior to require org context
-        return;
-      }
-
-      // If no error (shouldn't happen with current implementation), verify scope
+      // Hook now requires selectedEventOrganisationId to be passed explicitly
+      // It no longer derives org from event automatically
       if (result.current.resolvedScope) {
-        // Should use resolved app ID (app-123) over event scope app ID
-        expect(result.current.resolvedScope.organisationId).toBeDefined();
+        // Should use org ID from selectedEventOrganisationId
+        expect(result.current.resolvedScope.organisationId).toBe('org-456');
         expect(result.current.resolvedScope.eventId).toBe('event-123');
         // AppId will be set when app lookup succeeds (needed for appConfig)
         if (result.current.resolvedScope.appId) {
           expect(result.current.resolvedScope.appId).toBeDefined();
         }
+      } else {
+        // If no scope, it means no valid context (shouldn't happen with org-456 passed)
+        expect(result.current.resolvedScope).not.toBeNull();
       }
+      expect(result.current.error).toBeNull();
     });
 
     it('uses event scope app ID when app ID not resolved from database', async () => {
@@ -1117,6 +1128,7 @@ describe('useResolvedScope Hook', () => {
           supabase: mockSupabase,
           selectedOrganisationId: null,
           selectedEventId: 'event-123',
+          selectedEventOrganisationId: 'org-456', // Pass org ID from event explicitly
         })
       );
 
@@ -1127,27 +1139,21 @@ describe('useResolvedScope Hook', () => {
         { timeout: 5000 }
       );
 
-      // Check for errors - organisation context is required even when deriving from event
-      // The hook requires organisation context for event-required apps
-      if (result.current.error) {
-        // Expected: Organisation context is required
-        expect(result.current.error.message).toContain('Organisation context is required');
-        // Test expects this to work, but it's actually the correct behavior to require org context
-        return;
-      }
-
-      // If no error (shouldn't happen with current implementation), verify scope
+      // Hook now requires selectedEventOrganisationId to be passed explicitly
+      // It no longer derives org from event automatically
       if (result.current.resolvedScope) {
-        // Scope should resolve successfully with org derived from event
-        // Note: When app lookup succeeds, appId will be set. The original test expectation
-        // of undefined appId doesn't match the implementation behavior when appConfig is needed.
-        expect(result.current.resolvedScope.organisationId).toBeDefined();
+        // Scope should resolve successfully with org from selectedEventOrganisationId
+        expect(result.current.resolvedScope.organisationId).toBe('org-456');
         expect(result.current.resolvedScope.eventId).toBe('event-123');
         // AppId will be set when app lookup succeeds (needed for appConfig)
         if (result.current.resolvedScope.appId) {
           expect(result.current.resolvedScope.appId).toBeDefined();
         }
+      } else {
+        // If no scope, it means no valid context (shouldn't happen with org-456 passed)
+        expect(result.current.resolvedScope).not.toBeNull();
       }
+      expect(result.current.error).toBeNull();
     });
   });
 
@@ -1166,7 +1172,11 @@ describe('useResolvedScope Hook', () => {
       );
 
       expect(result.current.isLoading).toBe(true);
-      expect(result.current.resolvedScope).toBeNull();
+      // Scope is now returned immediately if org/event IDs are available (for performance)
+      // Only appId resolution happens asynchronously
+      expect(result.current.resolvedScope).not.toBeNull();
+      expect(result.current.resolvedScope?.organisationId).toBe('org-123');
+      expect(result.current.resolvedScope?.eventId).toBe('event-123');
       expect(result.current.error).toBeNull();
     });
 

package/src/rbac/hooks/useResolvedScope.ts

@@ -9,7 +9,7 @@
  * consistent scope resolution logic.
  */
 
-import { useEffect, useState, useRef, useMemo } from 'react';
+import { useEffect, useState, useMemo } from 'react';
 import { SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../../types/database';
 import type { Scope } from '../types';
@@ -35,6 +35,8 @@ export interface UseResolvedScopeOptions {
   selectedOrganisationId: string | null;
   /** Selected event ID */
   selectedEventId: string | null;
+  /** Selected event organisation ID (from selectedEvent.organisation_id) - allows immediate context without querying */
+  selectedEventOrganisationId?: string | null;
 }
 
 export interface UseResolvedScopeReturn {
@@ -73,72 +75,42 @@ export interface UseResolvedScopeReturn {
 export function useResolvedScope({
   supabase,
   selectedOrganisationId,
-  selectedEventId
+  selectedEventId,
+  selectedEventOrganisationId
 }: UseResolvedScopeOptions): UseResolvedScopeReturn {
-  const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState<Error | null>(null);
-  
-  // Use a ref to track the stable scope and only update it when it actually changes
-  const stableScopeRef = useRef<{ organisationId: string; appId: string; eventId: string | undefined }>({ 
-    organisationId: '', 
-    appId: '', 
-    eventId: undefined 
-  });
+  // Get immediate context (synchronous) - allows secure client creation immediately
+  const immediateOrganisationId = selectedEventOrganisationId || selectedOrganisationId || undefined;
+  const immediateEventId = selectedEventId || undefined;
   
-  // Update stable scope ref in useEffect to avoid updates during render
-  // For PORTAL, allow scopes without organisationId
-  useEffect(() => {
-    if (resolvedScope) {
-      const newScope = {
-        organisationId: resolvedScope.organisationId || '',
-        appId: resolvedScope.appId || '',
-        eventId: resolvedScope.eventId
-      };
-      
-      // Only update if the scope has actually changed
-      if (stableScopeRef.current.organisationId !== newScope.organisationId ||
-          stableScopeRef.current.eventId !== newScope.eventId ||
-          stableScopeRef.current.appId !== newScope.appId) {
-        stableScopeRef.current = {
-          organisationId: newScope.organisationId,
-          appId: newScope.appId,
-          eventId: newScope.eventId
-        };
-      }
-    } else {
-      // Reset to empty scope when no resolved scope
-      stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
-    }
-  }, [resolvedScope]);
+  const [appId, setAppId] = useState<string | undefined>(undefined);
+  const [isResolvingAppId, setIsResolvingAppId] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
   
   // Get app name to check if it's PORTAL (needed for return logic)
   const appName = getCurrentAppName();
   
-  const stableScope = stableScopeRef.current;
-  
+  // Resolve appId in background (non-blocking)
   useEffect(() => {
     let cancelled = false;
     
-    const resolveScope = async () => {
-      // OPTIMIZATION: If all inputs are null/undefined, immediately return empty scope
-      // This indicates pre-filtered mode where we don't need to resolve scope
+    const resolveAppId = async () => {
+      // OPTIMIZATION: If all inputs are null/undefined, skip appId resolution
       if (!supabase && !selectedOrganisationId && !selectedEventId) {
         if (!cancelled) {
-          setResolvedScope(null);
-          setIsLoading(false);
+          setAppId(undefined);
+          setIsResolvingAppId(false);
           setError(null);
         }
         return;
       }
       
-      setIsLoading(true);
+      setIsResolvingAppId(true);
       setError(null);
       
       try {
         // Get app name and resolve appId
         const appName = getCurrentAppName();
-        let appId: string | undefined = undefined;
+        let resolvedAppId: string | undefined = undefined;
         
         // Try to resolve appId from database (with caching)
         // Only query if user is authenticated (RLS policies require authentication)
@@ -156,7 +128,7 @@ export function useResolvedScope({
               const cached = appIdCache.get(appName);
               const now = Date.now();
               if (cached && (now - cached.timestamp) < CACHE_TTL) {
-                appId = cached.appId;
+                resolvedAppId = cached.appId;
               } else {
                 // Cache miss or expired - fetch from database
                 const { data: app, error } = await supabase
@@ -172,7 +144,7 @@ export function useResolvedScope({
                   if (error.code === '406' || error.code === 'PGRST116' || error.message?.includes('406')) {
                     log.debug(`App resolution blocked by RLS for "${appName}" - user may not be authenticated`);
                     // Don't cache - will retry after authentication
-                    appId = undefined;
+                    resolvedAppId = undefined;
                   } else {
                     // Check if app exists but is inactive
                     const { data: inactiveApp } = await supabase
@@ -184,17 +156,17 @@ export function useResolvedScope({
                     if (inactiveApp) {
                       log.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
                       // Don't cache inactive apps - set appId to undefined
-                      appId = undefined;
+                      resolvedAppId = undefined;
                     } else {
                       log.error(`App "${appName}" not found in rbac_apps table`, { error });
                       // Don't cache missing apps - set appId to undefined
-                      appId = undefined;
+                      resolvedAppId = undefined;
                     }
                   }
                 } else if (app) {
-                  appId = app.id;
+                  resolvedAppId = app.id;
                   // Only cache successful lookups of active apps
-                  appIdCache.set(appName, { appId, timestamp: now });
+                  appIdCache.set(appName, { appId: resolvedAppId, timestamp: now });
                 }
               }
             }
@@ -210,119 +182,65 @@ export function useResolvedScope({
           }
         }
 
-        // Build initial scope from available context
-        // Scope is now page-level only - use whatever context is available
-        // Default to organisation scope if both are available (safest default)
-        const initialScope: Scope = {
-          organisationId: selectedOrganisationId || undefined,
-          eventId: selectedEventId || undefined,
-          appId: appId
-        };
-
-        // For PORTAL/ADMIN apps, allow scope without org/event
-        if (appName === 'PORTAL' || appName === 'ADMIN') {
-          if (!cancelled) {
-            const optionalContextScope: Scope = {
-              organisationId: undefined,
-              eventId: undefined,
-              appId: appId || undefined
-            };
-            setResolvedScope(optionalContextScope);
-            setError(null);
-            setIsLoading(false);
-          }
-          return;
-        }
-        
-        // For other apps, default to organisation scope validation (safest default)
-        // Page-level scope will be validated during permission checks
-        // ContextValidator is already imported at the top
-        const { ContextValidator } = await import('../utils/contextValidator');
-        const validation = await ContextValidator.resolveScopeForPage(
-          initialScope,
-          'organisation', // Default to organisation scope when no page context
-          appName || undefined,
-          supabase
-        );
-
-        if (!validation.isValid) {
-          // If validation fails but we have an eventId, return scope with eventId
-          // The organisation will be derived later during permission checks
-          if (selectedEventId) {
-            if (!cancelled) {
-              const eventScope: Scope = {
-                organisationId: undefined, // Will be derived from event during permission check
-                eventId: selectedEventId,
-                appId: appId || undefined
-              };
-              setResolvedScope(eventScope);
-              setError(null); // Don't set error - let permission check handle derivation
-              setIsLoading(false);
-            }
-            return;
-          }
-          
-          if (!cancelled) {
-            setResolvedScope(null);
-            setError(validation.error || new Error('Context validation failed'));
-            setIsLoading(false);
-          }
-          return;
-        }
-
-        // Set resolved scope
+        // Update appId state when resolved
         if (!cancelled) {
-          setResolvedScope(validation.resolvedScope);
+          setAppId(resolvedAppId);
+          setIsResolvingAppId(false);
           setError(null);
-          setIsLoading(false);
         }
       } catch (err) {
         if (!cancelled) {
           setError(err as Error);
-          setIsLoading(false);
+          setIsResolvingAppId(false);
         }
       }
     };
 
-    resolveScope();
+    resolveAppId();
     
     return () => {
       cancelled = true;
     };
-  }, [selectedOrganisationId, selectedEventId, supabase]);
-  
-  // Return scope if it has appId (for PORTAL/ADMIN) or organisationId (for other apps)
-  // For PORTAL/ADMIN, always return a scope (even if empty) so components can use contextAppId
-  const allowsOptionalContexts = appName === 'PORTAL' || appName === 'ADMIN';
-  const hasValidScope = allowsOptionalContexts
-    ? true // PORTAL/ADMIN always have valid scope (even without org/event/appId)
-    : (stableScope.appId || stableScope.organisationId);
+  }, [supabase, selectedOrganisationId, selectedEventId]);
   
-  // CRITICAL FIX: Memoize finalScope to prevent creating new object references on every render
-  // This prevents infinite loops in useCan and other hooks that depend on scope equality
-  const finalScope: Scope | null = useMemo(() => {
-    if (!hasValidScope) {
-      return allowsOptionalContexts ? {} : null;
+  // Build scope immediately with synchronous context + async appId
+  // This allows secure client creation immediately while appId resolves
+  const immediateScope: Scope | null = useMemo(() => {
+    // For PORTAL/ADMIN apps, allow scope without org/event
+    if (appName === 'PORTAL' || appName === 'ADMIN') {
+      return {
+        organisationId: undefined,
+        eventId: undefined,
+        appId: appId || undefined
+      };
     }
     
-    // Build scope object only with defined values to ensure stable reference
+    // Build scope with immediate context
     const scope: Scope = {};
-    if (stableScope.organisationId) {
-      scope.organisationId = stableScope.organisationId;
+    if (immediateOrganisationId) {
+      scope.organisationId = immediateOrganisationId;
     }
-    if (stableScope.eventId) {
-      scope.eventId = stableScope.eventId;
+    if (immediateEventId) {
+      scope.eventId = immediateEventId;
     }
-    if (stableScope.appId) {
-      scope.appId = stableScope.appId;
+    if (appId) {
+      scope.appId = appId;
+    }
+    
+    // For non-PORTAL/ADMIN apps, require at least orgId or appId
+    if (!scope.organisationId && !scope.appId) {
+      return null;
     }
     
     return scope;
-  }, [hasValidScope, allowsOptionalContexts, stableScope.organisationId, stableScope.eventId, stableScope.appId]);
+  }, [immediateOrganisationId, immediateEventId, appId, appName]);
   
+  // Return scope immediately - appId resolves in background
+  // Navigation and permissions will wait for appId (correct behavior)
+  // But secure client can be created immediately, allowing data queries to run
   return {
-    resolvedScope: finalScope,
-    isLoading,
+    resolvedScope: immediateScope,
+    isLoading: isResolvingAppId, // Only true while appId resolves
     error
   };
 }