@jmruthers/pace-core 0.6.5 → 0.6.7

package/src/utils/persistence/sensitiveFieldDetection.ts

@@ -0,0 +1,212 @@
+/**
+ * @file Sensitive Field Detection
+ * @package @jmruthers/pace-core
+ * @module Utils/Persistence
+ * @since 1.0.0
+ *
+ * Utilities for detecting and filtering sensitive fields that should not be persisted.
+ * Provides pattern matching and type-based detection for sensitive data.
+ *
+ * Features:
+ * - Pattern-based field name matching
+ * - Input type-based detection
+ * - Safe filtering of sensitive fields from data objects
+ * - Configurable denylist patterns
+ *
+ * Security:
+ * - Defaults to NOT persisting when uncertain
+ * - Comprehensive pattern matching for common sensitive fields
+ * - Type-based detection for password and hidden inputs
+ */
+
+/**
+ * Denylist patterns for sensitive field names (case-insensitive)
+ * Matches any field name containing these patterns
+ */
+const SENSITIVE_FIELD_PATTERNS = [
+  // Authentication and credentials
+  /password/i,
+  /secret/i,
+  /token/i,
+  /key/i,
+  /credential/i,
+  /auth/i,
+  /api[_-]?key/i,
+  /access[_-]?token/i,
+  /refresh[_-]?token/i,
+  /session[_-]?id/i,
+
+  // Payment information
+  /credit[_-]?card/i,
+  /card[_-]?number/i,
+  /cvv/i,
+  /cvc/i,
+  /pin/i,
+  /account[_-]?number/i,
+  /routing[_-]?number/i,
+
+  // Personal identification
+  /ssn/i,
+  /social[_-]?security/i,
+  /tax[_-]?id/i,
+  /driver[_-]?license/i,
+  /passport/i,
+
+  // Medical and health information
+  /medical/i,
+  /health/i,
+  /phi/i, // Protected Health Information
+  /hipaa/i,
+  /diagnosis/i,
+  /prescription/i,
+
+  // Other sensitive data
+  /private[_-]?key/i,
+  /signing[_-]?key/i,
+  /encryption[_-]?key/i,
+];
+
+/**
+ * Sensitive input types that should never be persisted
+ */
+const SENSITIVE_INPUT_TYPES = new Set([
+  'password',
+  'hidden',
+]);
+
+/**
+ * Check if a field name matches sensitive patterns
+ *
+ * @param name - Field name to check
+ * @returns true if field is sensitive
+ */
+function isSensitiveFieldName(name: string): boolean {
+  if (!name || typeof name !== 'string') {
+    return false;
+  }
+
+  const normalizedName = name.trim();
+  if (normalizedName.length === 0) {
+    return false;
+  }
+
+  // Check against denylist patterns
+  return SENSITIVE_FIELD_PATTERNS.some((pattern) => pattern.test(normalizedName));
+}
+
+/**
+ * Check if an input type is sensitive
+ *
+ * @param type - Input type to check
+ * @returns true if input type is sensitive
+ */
+function isSensitiveInputType(type?: string): boolean {
+  if (!type || typeof type !== 'string') {
+    return false;
+  }
+
+  return SENSITIVE_INPUT_TYPES.has(type.toLowerCase().trim());
+}
+
+/**
+ * Check if a field is sensitive based on name and/or type
+ *
+ * @param name - Field name
+ * @param type - Optional input type
+ * @returns true if field should not be persisted
+ *
+ * @example
+ * ```ts
+ * isSensitiveField('password', 'password'); // true
+ * isSensitiveField('email', 'text'); // false
+ * isSensitiveField('api_key', 'text'); // true
+ * ```
+ */
+export function isSensitiveField(name: string, type?: string): boolean {
+  // Check input type first (most reliable)
+  if (isSensitiveInputType(type)) {
+    return true;
+  }
+
+  // Check field name patterns
+  if (isSensitiveFieldName(name)) {
+    return true;
+  }
+
+  // Default to NOT sensitive when uncertain
+  return false;
+}
+
+/**
+ * Filter sensitive fields from a data object
+ *
+ * Creates a new object with only non-sensitive fields.
+ * When uncertain, fields are excluded (safe default).
+ *
+ * @template T - Type of the data object
+ * @param data - Data object to filter
+ * @param fieldNames - Array of field names in the data
+ * @param fieldTypes - Optional map of field names to input types
+ * @returns Filtered data with sensitive fields removed
+ *
+ * @example
+ * ```ts
+ * const data = { name: 'John', password: 'secret123', email: 'john@example.com' };
+ * const filtered = filterSensitiveFields(data, ['name', 'password', 'email'], {
+ *   password: 'password'
+ * });
+ * // Result: { name: 'John', email: 'john@example.com' }
+ * ```
+ */
+export function filterSensitiveFields<T extends Record<string, any>>(
+  data: T,
+  fieldNames: string[],
+  fieldTypes?: Record<string, string>
+): Partial<T> {
+  if (!data || typeof data !== 'object') {
+    return {};
+  }
+
+  const filtered: Partial<T> = {};
+
+  for (const fieldName of fieldNames) {
+    // Skip if field doesn't exist in data
+    if (!(fieldName in data)) {
+      continue;
+    }
+
+    // Get field type if provided
+    const fieldType = fieldTypes?.[fieldName];
+
+    // Check if field is sensitive
+    if (isSensitiveField(fieldName, fieldType)) {
+      // Skip sensitive field
+      continue;
+    }
+
+    // Include non-sensitive field
+    filtered[fieldName as keyof T] = data[fieldName];
+  }
+
+  return filtered;
+}
+
+/**
+ * Get list of sensitive field names from an array of field names
+ *
+ * Useful for logging or debugging which fields were filtered.
+ *
+ * @param fieldNames - Array of field names to check
+ * @param fieldTypes - Optional map of field names to input types
+ * @returns Array of sensitive field names
+ */
+export function getSensitiveFieldNames(
+  fieldNames: string[],
+  fieldTypes?: Record<string, string>
+): string[] {
+  return fieldNames.filter((name) => {
+    const type = fieldTypes?.[name];
+    return isSensitiveField(name, type);
+  });
+}
+

package/src/utils/security/secureStorage.ts

@@ -37,7 +37,7 @@ class SecureStorageImpl {
               false,
               ['encrypt', 'decrypt']
             );
-          } catch (error) {
+          } catch (_error) {
             await this.generateNewKey();
           }
         } else {
@@ -45,7 +45,7 @@ class SecureStorageImpl {
         }
       }
       this.initialized = true;
-    } catch (error) {
+    } catch (_error) {
       this.initialized = true;
     }
   }
@@ -101,7 +101,7 @@ class SecureStorageImpl {
         }
         
         return parsed.value;
-      } catch (error) {
+      } catch (_error) {
         // Silent fail - try plain storage
       }
     }
@@ -120,7 +120,7 @@ class SecureStorageImpl {
       }
       
       return parsed.value || plainData;
-    } catch (error) {
+    } catch (_error) {
       // If parsing fails, return as-is (backward compatibility)
       return plainData;
     }
@@ -163,7 +163,7 @@ class SecureStorageImpl {
       const exportedKey = await window.crypto.subtle.exportKey('raw', this.encryptionKey);
       const keyData = this.arrayBufferToBase64(exportedKey);
       localStorage.setItem('_sec_key', keyData);
-    } catch (error) {
+    } catch (_error) {
       // Silent fail - encryption not available
     }
   }

package/src/utils/storage/README.md

@@ -67,7 +67,7 @@ Enhanced file upload component with progress tracking, previews, and validation.
   onProgress={(progress) => {}}     // Progress callback
 >
   {/* Optional custom upload UI */}
-  <div>Custom upload area</div>
+  <section>Custom upload area</section>
 </FileUpload>
 ```
 

package/src/utils/storage/helpers.ts

@@ -106,7 +106,7 @@ export async function extractFileMetadata(
       const dimensions = await getImageDimensions(file);
       metadata.width = dimensions.width;
       metadata.height = dimensions.height;
-    } catch (error) {
+    } catch (_error) {
       // Non-critical error - image dimensions are optional metadata
       // Using Logger would be better, but this is in a utility function
       // For now, silently continue - dimensions are optional
@@ -116,7 +116,7 @@ export async function extractFileMetadata(
   // Generate file hash if possible
   try {
     metadata.hash = await generateFileHash(file);
-  } catch (error) {
+  } catch (_error) {
     // Non-critical error - file hash is optional metadata
     // Using Logger would be better, but this is in a utility function
     // For now, silently continue - hash is optional
@@ -320,7 +320,7 @@ export function getPublicUrl(
   }
 
   // Normalise path by trimming whitespace and leading slashes
-  let normalisedPath = path.trim().replace(/^\/+/, '');
+  const normalisedPath = path.trim().replace(/^\/+/, '');
 
   if (!normalisedPath) {
     throw new Error('Storage path cannot be empty after normalisation');

package/src/utils/supabase/createBaseClient.ts

@@ -0,0 +1,147 @@
+/**
+ * @file Base Supabase Client Creation Utility
+ * @package @jmruthers/pace-core
+ * @module Utils/Supabase
+ * @since 0.6.6
+ * 
+ * Restricted wrapper for creating the base Supabase client for UnifiedAuthProvider.
+ * This is the ONLY acceptable way to create a Supabase client in consuming apps.
+ * 
+ * @example
+ * ```tsx
+ * // ✅ CORRECT: In main.tsx, App.tsx, or lib/supabase.ts
+ * import { createBaseClient } from '@jmruthers/pace-core';
+ * 
+ * const supabase = createBaseClient(
+ *   import.meta.env.VITE_SUPABASE_URL,
+ *   import.meta.env.VITE_SUPABASE_PUBLISHABLE_KEY
+ * );
+ * 
+ * // Pass to UnifiedAuthProvider
+ * <UnifiedAuthProvider supabaseClient={supabase} ... />
+ * ```
+ */
+
+import { createClient, SupabaseClient } from '@supabase/supabase-js';
+import { Database } from '../../types/database';
+
+/**
+ * Allowed file patterns for base client creation
+ * 
+ * Note: Patterns allow optional query parameters (e.g., ?t=timestamp) and line numbers
+ * that Vite and other bundlers add in stack traces
+ */
+const ALLOWED_FILE_PATTERNS = [
+  /[\/\\]main\.(tsx?|jsx?)(\?|:|\s|$)/i,
+  /[\/\\]App\.(tsx?|jsx?)(\?|:|\s|$)/i,
+  /[\/\\]lib[\/\\]supabase\.(tsx?|jsx?)(\?|:|\s|$)/i,
+  /[\/\\]src[\/\\]supabase\.(tsx?|jsx?)(\?|:|\s|$)/i,
+];
+
+/**
+ * Check if the current file is in an allowed location for base client creation
+ * 
+ * This uses Error.stack to detect the caller's file path.
+ * Only works in development/build time, not at runtime.
+ */
+function isAllowedContext(): boolean {
+  // In production builds, we can't reliably detect the caller
+  // So we allow it but document the restriction
+  if (typeof process !== 'undefined' && process.env.NODE_ENV === 'production') {
+    return true; // Allow in production (documentation/ESLint enforces)
+  }
+
+  try {
+    const stack = new Error().stack;
+    if (!stack) return false;
+
+    // Check if any stack frame matches allowed patterns
+    const stackLines = stack.split('\n');
+    for (const line of stackLines) {
+      for (const pattern of ALLOWED_FILE_PATTERNS) {
+        if (pattern.test(line)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  } catch {
+    // If we can't check, allow it (documentation/ESLint enforces)
+    return true;
+  }
+}
+
+/**
+ * Create a base Supabase client for UnifiedAuthProvider
+ * 
+ * **CRITICAL**: This function can ONLY be called from:
+ * - `src/main.tsx` (or `main.jsx`)
+ * - `src/App.tsx` (or `App.jsx`)
+ * - `src/lib/supabase.ts` (or `supabase.js`)
+ * - `src/supabase.ts` (or `supabase.js`)
+ * 
+ * **DO NOT** use this client directly for queries. Always use `useSecureSupabase()` hook instead.
+ * 
+ * The client is configured with explicit auth options to ensure consistent session persistence:
+ * - `persistSession: true` - Sessions are saved to localStorage and restored on page load/refresh
+ * - `autoRefreshToken: true` - Tokens are automatically refreshed before expiry
+ * - `detectSessionInUrl: true` - Detects and handles OAuth callback URLs
+ * - `flowType: 'pkce'` - Uses PKCE flow for enhanced security
+ * 
+ * This configuration ensures that users remain logged in after hard refresh (Cmd+Shift+R)
+ * and other browser navigation scenarios across all consuming apps.
+ * 
+ * @param supabaseUrl - Supabase project URL
+ * @param supabaseKey - Supabase publishable key or anon key (accepts both legacy anon keys and modern publishable keys)
+ * @returns Supabase client instance with auth configuration
+ * 
+ * @throws {Error} If called from an unauthorized file location (development only)
+ * 
+ * @example
+ * ```tsx
+ * // main.tsx
+ * import { createBaseClient } from '@jmruthers/pace-core';
+ * import { UnifiedAuthProvider } from '@jmruthers/pace-core';
+ * 
+ * const supabase = createBaseClient(
+ *   import.meta.env.VITE_SUPABASE_URL,
+ *   import.meta.env.VITE_SUPABASE_PUBLISHABLE_KEY
+ * );
+ * 
+ * function App() {
+ *   return (
+ *     <UnifiedAuthProvider supabaseClient={supabase} appName="MyApp">
+ *       <YourApp />
+ *     </UnifiedAuthProvider>
+ *   );
+ * }
+ * ```
+ */
+export function createBaseClient(
+  supabaseUrl: string,
+  supabaseKey: string
+): SupabaseClient<Database> {
+  // Check context in development
+  if (!isAllowedContext()) {
+    const error = new Error(
+      'createBaseClient() can only be called from main.tsx, App.tsx, or lib/supabase.ts.\n' +
+      'This is a security requirement to ensure the base client is only created once and passed to UnifiedAuthProvider.\n' +
+      'See: https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/00-pace-core-compliance.md'
+    );
+    console.error('[pace-core Security Error]', error);
+    throw error;
+  }
+
+  // Create and return the base client with explicit auth configuration
+  // These options ensure consistent session persistence across all consuming apps,
+  // especially important for hard refresh (Cmd+Shift+R) scenarios
+  return createClient<Database>(supabaseUrl, supabaseKey, {
+    auth: {
+      autoRefreshToken: true,
+      persistSession: true,
+      detectSessionInUrl: true,
+      flowType: 'pkce'
+    }
+  });
+}
+

package/src/utils/timezone/timezone.test.ts

@@ -247,7 +247,7 @@ describe('Timezone Utilities', () => {
 
     it('returns original date for invalid minutesStep', () => {
       const date = new Date('2024-01-15T10:23:00Z');
-      const result = roundToNearestMinutes(date, 0);
+      roundToNearestMinutes(date, 0);
       expect(date).toBe(date);
     });
 
@@ -296,7 +296,6 @@ describe('Timezone Utilities', () => {
 
     it('handles DST correctly', () => {
       // Test in summer (EDT vs PDT = 3 hours)
-      const summerDate = new Date('2024-07-15T10:00:00Z');
       const result = getTimeZoneDifference('America/New_York', 'America/Los_Angeles');
       // Should be negative (LA behind NY)
       expect(result).toBeLessThan(0);

package/src/utils/timezone/timezone.ts

@@ -32,7 +32,7 @@
  * ```
  */
 
-import { format, parseISO, addMinutes, differenceInHours, isValid } from 'date-fns';
+import { parseISO, addMinutes, differenceInHours, isValid } from 'date-fns';
 import { formatInTimeZone as fnsFormatInTimeZone, toZonedTime as fnsToZonedTime, fromZonedTime as fnsFromZonedTime } from 'date-fns-tz';
 
 /**

package/src/utils/validation/csrf.ts

@@ -54,7 +54,7 @@ class CSRFManager {
       await this.persistTokens();
 
       return token;
-    } catch (error) {
+    } catch (_error) {
       throw new Error('CSRF token generation failed');
     }
   }
@@ -98,7 +98,7 @@ class CSRFManager {
       await this.persistTokens();
 
       return true;
-    } catch (error) {
+    } catch (_error) {
       return false;
     }
   }
@@ -158,7 +158,7 @@ class CSRFManager {
         JSON.stringify(tokensArray),
         { encrypt: true, expiry: this.TOKEN_EXPIRY }
       );
-    } catch (error) {
+    } catch (_error) {
       // Silent fail - tokens will be regenerated if needed
     }
   }
@@ -175,7 +175,7 @@ class CSRFManager {
         // Clean up on load
         await this.cleanupExpiredTokens();
       }
-    } catch (error) {
+    } catch (_error) {
       this.tokenCache.clear();
     }
   }