@jmruthers/pace-core 0.6.5 → 0.6.7

package/src/rbac/components/SecureDataProvider.tsx

@@ -1,339 +0,0 @@
-/**
- * @file Secure Data Provider Component
- * @package @jmruthers/pace-core
- * @module RBAC/Components/SecureDataProvider
- * @since 2.0.0
- *
- * A context provider that prevents apps from accessing Supabase directly and ensures
- * all data access goes through the secure RBAC system. This is a critical security
- * component that enforces data access control.
- *
- * Features:
- * - Prevents direct Supabase client access
- * - Enforces secure data access patterns
- * - Automatic organisation context injection
- * - RLS policy enforcement
- * - Audit logging for all data access
- * - Integration with existing RBAC system
- *
- * @example
- * ```tsx
- * // Basic app setup with secure data access
- * <SecureDataProvider strictMode={true} auditLog={true}>
- *   <App />
- * </SecureDataProvider>
- * 
- * // With custom configuration
- * <SecureDataProvider
- *   strictMode={true}
- *   auditLog={true}
- *   onDataAccess={(table, operation, allowed) => {
- *     console.log(`Data access: ${table} ${operation} - ${allowed ? 'allowed' : 'denied'}`);
- *   }}
- * >
- *   <App />
- * </SecureDataProvider>
- * ```
- *
- * @security
- * - Prevents direct Supabase client access
- * - Enforces secure data access patterns
- * - Automatic organisation context injection
- * - RLS policy enforcement
- * - Audit logging for all data access
- * - Integration with existing RBAC system
- *
- * @performance
- * - Optimized with useMemo and useCallback
- * - Efficient context updates
- * - Minimal re-renders
- * - Cached permission checks
- *
- * @dependencies
- * - React 19+ - Context and hooks
- * - useUnifiedAuth - Authentication context
- * - useSecureSupabase - Secure Supabase client hook
- * - RBAC types - Type definitions
- */
-
-import React, { createContext, useContext, useState, useCallback, useMemo, useEffect } from 'react';
-import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
-import { useSecureSupabase } from '../hooks/useSecureSupabase';
-import { useOrganisationSecurity } from '../../hooks/useOrganisationSecurity';
-import { useResolvedScope } from '../hooks/useResolvedScope';
-import { UUID, Scope, Permission } from '../types';
-import { getRBACLogger } from '../config';
-
-export interface DataAccessRecord {
-  table: string;
-  operation: string;
-  userId: UUID;
-  scope: Scope;
-  allowed: boolean;
-  timestamp: string;
-  query?: string;
-  filters?: Record<string, any>;
-}
-
-export interface SecureDataContextType {
-  /** Check if data access is allowed for a table and operation */
-  isDataAccessAllowed: (table: string, operation: string, scope?: Scope) => boolean;
-  
-  /** Get all data access permissions for current user */
-  getDataAccessPermissions: () => Record<string, string[]>;
-  
-  /** Check if secure data access is enabled */
-  isEnabled: boolean;
-  
-  /** Check if strict mode is enabled */
-  isStrictMode: boolean;
-  
-  /** Check if audit logging is enabled */
-  isAuditLogEnabled: boolean;
-  
-  /** Get data access history */
-  getDataAccessHistory: () => DataAccessRecord[];
-  
-  /** Clear data access history */
-  clearDataAccessHistory: () => void;
-  
-  /** Validate data access attempt */
-  validateDataAccess: (table: string, operation: string, scope?: Scope) => boolean;
-}
-
-export interface SecureDataProviderProps {
-  /** Child components */
-  children: React.ReactNode;
-  
-  /** Enable strict mode to prevent bypassing (default: true) */
-  strictMode?: boolean;
-  
-  /** Enable audit logging (default: true) */
-  auditLog?: boolean;
-  
-  /** Callback when data access is attempted */
-  onDataAccess?: (table: string, operation: string, allowed: boolean, record: DataAccessRecord) => void;
-  
-  /** Callback when strict mode violation occurs */
-  onStrictModeViolation?: (table: string, operation: string, record: DataAccessRecord) => void;
-  
-  /** Maximum number of access records to keep in history */
-  maxHistorySize?: number;
-  
-  /** Enable RLS enforcement (default: true) */
-  enforceRLS?: boolean;
-}
-
-const SecureDataContext = createContext<SecureDataContextType | null>(null);
-
-/**
- * SecureDataProvider - Prevents direct Supabase access and enforces secure data patterns
- * 
- * This provider ensures that all data access goes through the secure RBAC system
- * and prevents apps from bypassing data access controls.
- * 
- * @param props - Provider props
- * @returns React element with secure data context
- */
-export function SecureDataProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onDataAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1000,
-  enforceRLS = true
-}: SecureDataProviderProps) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const secureSupabase = useSecureSupabase(supabase);
-  const { superAdminContext } = useOrganisationSecurity();
-  const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);
-  const [isEnabled, setIsEnabled] = useState(true);
-
-  // Use useResolvedScope to get proper scope (org derived from event if needed)
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  
-  // Validate context - similar to useSecureDataAccess.validateContext
-  const validateContext = useCallback((): void => {
-    if (!secureSupabase) {
-      throw new Error('No Supabase client available');
-    }
-    if (!user) {
-      throw new Error('User must be authenticated');
-    }
-    if (!superAdminContext.isSuperAdmin && !resolvedScope?.organisationId) {
-      throw new Error('Organisation context is required for data access');
-    }
-  }, [secureSupabase, user, superAdminContext.isSuperAdmin, resolvedScope?.organisationId]);
-
-  // Get current scope from resolved scope
-  // For event-required apps: org is derived from event
-  // For org-required apps: org comes from selectedOrganisation
-  const currentScope = resolvedScope;
-
-  // Check if data access is allowed for a table and operation
-  const isDataAccessAllowed = useCallback((
-    table: string, 
-    operation: string, 
-    scope?: Scope
-  ): boolean => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    
-    // Use the existing RBAC system to check data access permissions
-    // This is a synchronous check for the context - actual permission checking
-    // happens using the RBAC engine via useSecureSupabase
-    const permission = `${operation}:data.${table}` as Permission;
-    
-    // For now, we'll return true and let the RBAC system
-    // handle the actual permission checking asynchronously
-    // This context is mainly for tracking and audit purposes
-    return true;
-  }, [isEnabled, user?.id, currentScope]);
-
-  // Get all data access permissions for current user
-  const getDataAccessPermissions = useCallback((): Record<string, string[]> => {
-    if (!isEnabled || !user?.id) return {};
-    
-    // For now, return empty object - this will be enhanced with actual permission checking
-    // when we integrate with the existing RBAC system
-    return {};
-  }, [isEnabled, user?.id]);
-
-  // Get data access history
-  const getDataAccessHistory = useCallback((): DataAccessRecord[] => {
-    return [...dataAccessHistory];
-  }, [dataAccessHistory]);
-
-  // Clear data access history
-  const clearDataAccessHistory = useCallback(() => {
-    setDataAccessHistory([]);
-  }, []);
-
-  // Validate data access attempt
-  const validateDataAccess = useCallback((
-    table: string,
-    operation: string,
-    scope?: Scope
-  ): boolean => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    
-    // Validate organisation context
-    try {
-      validateContext();
-    } catch (error) {
-      const logger = getRBACLogger();
-      logger.error('Organisation context validation failed:', error);
-      return false;
-    }
-    
-    return isDataAccessAllowed(table, operation, effectiveScope);
-  }, [isEnabled, user?.id, currentScope, validateContext, isDataAccessAllowed]);
-
-  // Record data access attempt
-  const recordDataAccess = useCallback((
-    table: string,
-    operation: string,
-    allowed: boolean,
-    query?: string,
-    filters?: Record<string, any>,
-    scope?: Scope
-  ) => {
-    if (!auditLog || !user?.id) return;
-    
-    const record: DataAccessRecord = {
-      table,
-      operation,
-      userId: user.id,
-      scope: scope || currentScope || { organisationId: '' },
-      allowed,
-      timestamp: new Date().toISOString(),
-      query,
-      filters
-    };
-    
-    setDataAccessHistory(prev => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    
-    if (onDataAccess) {
-      onDataAccess(table, operation, allowed, record);
-    }
-    
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(table, operation, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onDataAccess, onStrictModeViolation, strictMode]);
-
-  // Context value
-  const contextValue = useMemo((): SecureDataContextType => ({
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  }), [
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  ]);
-
-  // Log strict mode violations
-  useEffect(() => {
-    if (strictMode && auditLog) {
-      const logger = getRBACLogger();
-      logger.debug('Strict mode enabled - all data access attempts will be logged and enforced');
-    }
-  }, [strictMode, auditLog]);
-
-  // Log RLS enforcement
-  useEffect(() => {
-    if (enforceRLS && auditLog) {
-      const logger = getRBACLogger();
-    }
-  }, [enforceRLS, auditLog]);
-
-  return (
-    <SecureDataContext.Provider value={contextValue}>
-      {children}
-    </SecureDataContext.Provider>
-  );
-}
-
-/**
- * Hook to use secure data context
- * 
- * @returns Secure data context
- * @throws Error if used outside of SecureDataProvider
- */
-export function useSecureData(): SecureDataContextType {
-  const context = useContext(SecureDataContext);
-  
-  if (!context) {
-    throw new Error('useSecureData must be used within a SecureDataProvider');
-  }
-  
-  return context;
-}
-
-export default SecureDataProvider;