@jmruthers/pace-core 0.6.5 → 0.6.7

package/src/rbac/hooks/useResolvedScope.ts

@@ -9,7 +9,7 @@
  * consistent scope resolution logic.
  */
 
-import { useEffect, useState, useRef, useMemo } from 'react';
+import { useEffect, useState, useMemo } from 'react';
 import { SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../../types/database';
 import type { Scope } from '../types';
@@ -35,6 +35,8 @@ export interface UseResolvedScopeOptions {
   selectedOrganisationId: string | null;
   /** Selected event ID */
   selectedEventId: string | null;
+  /** Selected event organisation ID (from selectedEvent.organisation_id) - allows immediate context without querying */
+  selectedEventOrganisationId?: string | null;
 }
 
 export interface UseResolvedScopeReturn {
@@ -73,72 +75,42 @@ export interface UseResolvedScopeReturn {
 export function useResolvedScope({
   supabase,
   selectedOrganisationId,
-  selectedEventId
+  selectedEventId,
+  selectedEventOrganisationId
 }: UseResolvedScopeOptions): UseResolvedScopeReturn {
-  const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState<Error | null>(null);
-  
-  // Use a ref to track the stable scope and only update it when it actually changes
-  const stableScopeRef = useRef<{ organisationId: string; appId: string; eventId: string | undefined }>({ 
-    organisationId: '', 
-    appId: '', 
-    eventId: undefined 
-  });
+  // Get immediate context (synchronous) - allows secure client creation immediately
+  const immediateOrganisationId = selectedEventOrganisationId || selectedOrganisationId || undefined;
+  const immediateEventId = selectedEventId || undefined;
   
-  // Update stable scope ref in useEffect to avoid updates during render
-  // For PORTAL, allow scopes without organisationId
-  useEffect(() => {
-    if (resolvedScope) {
-      const newScope = {
-        organisationId: resolvedScope.organisationId || '',
-        appId: resolvedScope.appId || '',
-        eventId: resolvedScope.eventId
-      };
-      
-      // Only update if the scope has actually changed
-      if (stableScopeRef.current.organisationId !== newScope.organisationId ||
-          stableScopeRef.current.eventId !== newScope.eventId ||
-          stableScopeRef.current.appId !== newScope.appId) {
-        stableScopeRef.current = {
-          organisationId: newScope.organisationId,
-          appId: newScope.appId,
-          eventId: newScope.eventId
-        };
-      }
-    } else {
-      // Reset to empty scope when no resolved scope
-      stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
-    }
-  }, [resolvedScope]);
+  const [appId, setAppId] = useState<string | undefined>(undefined);
+  const [isResolvingAppId, setIsResolvingAppId] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
   
   // Get app name to check if it's PORTAL (needed for return logic)
   const appName = getCurrentAppName();
   
-  const stableScope = stableScopeRef.current;
-  
+  // Resolve appId in background (non-blocking)
   useEffect(() => {
     let cancelled = false;
     
-    const resolveScope = async () => {
-      // OPTIMIZATION: If all inputs are null/undefined, immediately return empty scope
-      // This indicates pre-filtered mode where we don't need to resolve scope
+    const resolveAppId = async () => {
+      // OPTIMIZATION: If all inputs are null/undefined, skip appId resolution
       if (!supabase && !selectedOrganisationId && !selectedEventId) {
         if (!cancelled) {
-          setResolvedScope(null);
-          setIsLoading(false);
+          setAppId(undefined);
+          setIsResolvingAppId(false);
           setError(null);
         }
         return;
       }
       
-      setIsLoading(true);
+      setIsResolvingAppId(true);
       setError(null);
       
       try {
         // Get app name and resolve appId
         const appName = getCurrentAppName();
-        let appId: string | undefined = undefined;
+        let resolvedAppId: string | undefined = undefined;
         
         // Try to resolve appId from database (with caching)
         // Only query if user is authenticated (RLS policies require authentication)
@@ -156,7 +128,7 @@ export function useResolvedScope({
               const cached = appIdCache.get(appName);
               const now = Date.now();
               if (cached && (now - cached.timestamp) < CACHE_TTL) {
-                appId = cached.appId;
+                resolvedAppId = cached.appId;
               } else {
                 // Cache miss or expired - fetch from database
                 const { data: app, error } = await supabase
@@ -172,7 +144,7 @@ export function useResolvedScope({
                   if (error.code === '406' || error.code === 'PGRST116' || error.message?.includes('406')) {
                     log.debug(`App resolution blocked by RLS for "${appName}" - user may not be authenticated`);
                     // Don't cache - will retry after authentication
-                    appId = undefined;
+                    resolvedAppId = undefined;
                   } else {
                     // Check if app exists but is inactive
                     const { data: inactiveApp } = await supabase
@@ -184,17 +156,17 @@ export function useResolvedScope({
                     if (inactiveApp) {
                       log.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
                       // Don't cache inactive apps - set appId to undefined
-                      appId = undefined;
+                      resolvedAppId = undefined;
                     } else {
                       log.error(`App "${appName}" not found in rbac_apps table`, { error });
                       // Don't cache missing apps - set appId to undefined
-                      appId = undefined;
+                      resolvedAppId = undefined;
                     }
                   }
                 } else if (app) {
-                  appId = app.id;
+                  resolvedAppId = app.id;
                   // Only cache successful lookups of active apps
-                  appIdCache.set(appName, { appId, timestamp: now });
+                  appIdCache.set(appName, { appId: resolvedAppId, timestamp: now });
                 }
               }
             }
@@ -210,119 +182,65 @@ export function useResolvedScope({
           }
         }
 
-        // Build initial scope from available context
-        // Scope is now page-level only - use whatever context is available
-        // Default to organisation scope if both are available (safest default)
-        const initialScope: Scope = {
-          organisationId: selectedOrganisationId || undefined,
-          eventId: selectedEventId || undefined,
-          appId: appId
-        };
-
-        // For PORTAL/ADMIN apps, allow scope without org/event
-        if (appName === 'PORTAL' || appName === 'ADMIN') {
-          if (!cancelled) {
-            const optionalContextScope: Scope = {
-              organisationId: undefined,
-              eventId: undefined,
-              appId: appId || undefined
-            };
-            setResolvedScope(optionalContextScope);
-            setError(null);
-            setIsLoading(false);
-          }
-          return;
-        }
-        
-        // For other apps, default to organisation scope validation (safest default)
-        // Page-level scope will be validated during permission checks
-        // ContextValidator is already imported at the top
-        const { ContextValidator } = await import('../utils/contextValidator');
-        const validation = await ContextValidator.resolveScopeForPage(
-          initialScope,
-          'organisation', // Default to organisation scope when no page context
-          appName || undefined,
-          supabase
-        );
-
-        if (!validation.isValid) {
-          // If validation fails but we have an eventId, return scope with eventId
-          // The organisation will be derived later during permission checks
-          if (selectedEventId) {
-            if (!cancelled) {
-              const eventScope: Scope = {
-                organisationId: undefined, // Will be derived from event during permission check
-                eventId: selectedEventId,
-                appId: appId || undefined
-              };
-              setResolvedScope(eventScope);
-              setError(null); // Don't set error - let permission check handle derivation
-              setIsLoading(false);
-            }
-            return;
-          }
-          
-          if (!cancelled) {
-            setResolvedScope(null);
-            setError(validation.error || new Error('Context validation failed'));
-            setIsLoading(false);
-          }
-          return;
-        }
-
-        // Set resolved scope
+        // Update appId state when resolved
         if (!cancelled) {
-          setResolvedScope(validation.resolvedScope);
+          setAppId(resolvedAppId);
+          setIsResolvingAppId(false);
           setError(null);
-          setIsLoading(false);
         }
       } catch (err) {
         if (!cancelled) {
           setError(err as Error);
-          setIsLoading(false);
+          setIsResolvingAppId(false);
         }
       }
     };
 
-    resolveScope();
+    resolveAppId();
     
     return () => {
       cancelled = true;
     };
-  }, [selectedOrganisationId, selectedEventId, supabase]);
-  
-  // Return scope if it has appId (for PORTAL/ADMIN) or organisationId (for other apps)
-  // For PORTAL/ADMIN, always return a scope (even if empty) so components can use contextAppId
-  const allowsOptionalContexts = appName === 'PORTAL' || appName === 'ADMIN';
-  const hasValidScope = allowsOptionalContexts
-    ? true // PORTAL/ADMIN always have valid scope (even without org/event/appId)
-    : (stableScope.appId || stableScope.organisationId);
+  }, [supabase, selectedOrganisationId, selectedEventId]);
   
-  // CRITICAL FIX: Memoize finalScope to prevent creating new object references on every render
-  // This prevents infinite loops in useCan and other hooks that depend on scope equality
-  const finalScope: Scope | null = useMemo(() => {
-    if (!hasValidScope) {
-      return allowsOptionalContexts ? {} : null;
+  // Build scope immediately with synchronous context + async appId
+  // This allows secure client creation immediately while appId resolves
+  const immediateScope: Scope | null = useMemo(() => {
+    // For PORTAL/ADMIN apps, allow scope without org/event
+    if (appName === 'PORTAL' || appName === 'ADMIN') {
+      return {
+        organisationId: undefined,
+        eventId: undefined,
+        appId: appId || undefined
+      };
     }
     
-    // Build scope object only with defined values to ensure stable reference
+    // Build scope with immediate context
     const scope: Scope = {};
-    if (stableScope.organisationId) {
-      scope.organisationId = stableScope.organisationId;
+    if (immediateOrganisationId) {
+      scope.organisationId = immediateOrganisationId;
     }
-    if (stableScope.eventId) {
-      scope.eventId = stableScope.eventId;
+    if (immediateEventId) {
+      scope.eventId = immediateEventId;
     }
-    if (stableScope.appId) {
-      scope.appId = stableScope.appId;
+    if (appId) {
+      scope.appId = appId;
+    }
+    
+    // For non-PORTAL/ADMIN apps, require at least orgId or appId
+    if (!scope.organisationId && !scope.appId) {
+      return null;
     }
     
     return scope;
-  }, [hasValidScope, allowsOptionalContexts, stableScope.organisationId, stableScope.eventId, stableScope.appId]);
+  }, [immediateOrganisationId, immediateEventId, appId, appName]);
   
+  // Return scope immediately - appId resolves in background
+  // Navigation and permissions will wait for appId (correct behavior)
+  // But secure client can be created immediately, allowing data queries to run
   return {
-    resolvedScope: finalScope,
-    isLoading,
+    resolvedScope: immediateScope,
+    isLoading: isResolvingAppId, // Only true while appId resolves
     error
   };
 }

package/src/rbac/hooks/useResourcePermissions.test.ts

@@ -11,6 +11,7 @@ import { renderHook, waitFor } from '@testing-library/react';
 import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { useResourcePermissions } from './useResourcePermissions';
 import type { Scope } from '../types';
+import { isSuperAdmin } from '../api';
 
 // Mock dependencies
 vi.mock('../../providers/services/UnifiedAuthProvider', () => ({
@@ -33,6 +34,12 @@ vi.mock('./usePermissions', () => ({
   useCan: vi.fn(),
 }));
 
+vi.mock('../api', () => ({
+  isSuperAdmin: vi.fn(),
+}));
+
+const mockIsSuperAdmin = vi.mocked(isSuperAdmin);
+
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
@@ -89,11 +96,14 @@ describe('useResourcePermissions Hook', () => {
     } as any);
 
     mockUseResolvedScope.mockReturnValue({
-      resolvedScope: mockScope,
+      resolvedScope: mockScope, // Use correct property name from UseResolvedScopeReturn interface
       isLoading: false,
       error: null,
     });
 
+    // Mock isSuperAdmin to resolve immediately (prevents isLoading from being true due to super admin check)
+    mockIsSuperAdmin.mockResolvedValue(false);
+
     // Default useCan mocks - all permissions allowed
     mockUseCan.mockReturnValue({
       can: true,
@@ -117,9 +127,16 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.canRead).toBeTypeOf('function');
     });
 
-    it('returns scope object', () => {
+    it('returns scope object', async () => {
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // The hook returns resolvedScope if available, otherwise fallback scope
+      // Since mockScope has appId, it should be returned as-is
       expect(result.current.scope).toEqual(mockScope);
     });
 
@@ -130,24 +147,42 @@ describe('useResourcePermissions Hook', () => {
         supabase: mockSupabase,
         selectedOrganisationId: 'org-123',
         selectedEventId: 'event-123',
+        selectedEventOrganisationId: null, // Mock event doesn't have organisation_id, so it becomes null
       });
     });
 
-    it('calls useCan for each permission type', () => {
+    it('calls useCan for each permission type', async () => {
       renderHook(() => useResourcePermissions('contacts'));
 
-      expect(mockUseCan).toHaveBeenCalledTimes(4); // create, update, delete, read
-      // When appId is available in scope, permission strings include page. prefix
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(mockUseCan).toHaveBeenCalled();
+      });
+
+      // The hook calls useCan for each permission type (create, update, delete, read)
+      // Note: It may be called multiple times due to re-renders during super admin check,
+      // so we verify that all four permission types are checked rather than exact call count
+      const calls = mockUseCan.mock.calls;
+      expect(calls.length).toBeGreaterThanOrEqual(4);
+      
+      // When appId is available in resolvedScope, permission strings include page. prefix
       // and resource name is passed as pageId to enable page permission checks
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
-        mockScope,
+        mockScope, // resolvedScope is used when available
         'create:page.contacts',
-        'contacts', // pageId is resource name when appId is available
+        'contacts', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (resolved after async check)
         undefined // appName
       );
+      
+      // Verify all four permission types are checked
+      const permissions = calls.map(call => call[2]); // permission is the 3rd argument
+      expect(permissions).toContain('create:page.contacts');
+      expect(permissions).toContain('update:page.contacts');
+      expect(permissions).toContain('delete:page.contacts');
+      expect(permissions).toContain('read:page.contacts');
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
@@ -192,9 +227,10 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.canCreate('contacts')).toBe(true);
     });
 
-    it('returns false when user cannot create resource', () => {
+    it('returns false when user cannot create resource', async () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:page.contacts') {
+        // When appId is available in resolvedScope, permission format is 'create:page.contacts'
+        if (permission === 'create:page.contacts' || permission === 'create:contacts') {
           return {
             can: false,
             isLoading: false,
@@ -212,6 +248,11 @@ describe('useResourcePermissions Hook', () => {
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.canCreate('contacts')).toBe(false);
       expect(result.current.canUpdate('contacts')).toBe(true);
       expect(result.current.canDelete('contacts')).toBe(true);
@@ -233,9 +274,10 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.canRead('contacts')).toBe(true);
     });
 
-    it('checks read permissions when enableRead is true', () => {
+    it('checks read permissions when enableRead is true', async () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:page.contacts') {
+        // When appId is available in resolvedScope, permission format is 'read:page.contacts'
+        if (permission === 'read:page.contacts' || permission === 'read:contacts') {
           return {
             can: true,
             isLoading: false,
@@ -255,12 +297,18 @@ describe('useResourcePermissions Hook', () => {
         useResourcePermissions('contacts', { enableRead: true })
       );
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.canRead('contacts')).toBe(true);
     });
 
-    it('returns false for read when permission is denied and enableRead is true', () => {
+    it('returns false for read when permission is denied and enableRead is true', async () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:page.contacts') {
+        // When appId is available in resolvedScope, permission format is 'read:page.contacts'
+        if (permission === 'read:page.contacts' || permission === 'read:contacts') {
           return {
             can: false,
             isLoading: false,
@@ -280,6 +328,11 @@ describe('useResourcePermissions Hook', () => {
         useResourcePermissions('contacts', { enableRead: true })
       );
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.canRead('contacts')).toBe(false);
     });
   });
@@ -399,7 +452,7 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Missing User Context', () => {
-    it('handles missing user gracefully', () => {
+    it('handles missing user gracefully', async () => {
       mockUseUnifiedAuth.mockReturnValue({
         user: null,
         supabase: mockSupabase,
@@ -407,15 +460,20 @@ describe('useResourcePermissions Hook', () => {
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete (will be false when user is null)
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       // When user is null, userId is empty string, but scope and permissions are still checked
-      // Since mockScope has appId, permission strings include page. prefix and pageId will be the resource name ('contacts')
+      // Since resolvedScope (mockScope) has appId, permission strings include page. prefix
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
-        mockScope,
+        mockScope, // resolvedScope is used when available
         'create:page.contacts',
-        'contacts', // pageId is resource name when appId is available in scope
+        'contacts', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (false when user is null)
         undefined // appName
       );
       expect(mockUseCan).toHaveBeenCalledWith(
@@ -454,11 +512,11 @@ describe('useResourcePermissions Hook', () => {
         throw new Error('Event provider not available');
       });
 
-      mockUseResolvedScope.mockReturnValue({
-        resolvedScope: mockScope,
-        isLoading: false,
-        error: null,
-      });
+    mockUseResolvedScope.mockReturnValue({
+      resolvedScope: mockScope,
+      isLoading: false, // Scope is resolved
+      error: null,
+    });
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
@@ -528,12 +586,20 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.isLoading).toBe(true);
     });
 
-    it('excludes read loading state when enableRead is false', () => {
+    it('excludes read loading state when enableRead is false', async () => {
+      // Ensure scope is resolved (not loading) - this prevents scopeLoading from contributing to isLoading
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: mockScope, // Use correct property name
+        isLoading: false,
+        error: null,
+      });
+      
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:page.contacts') {
+        // Read permission check should not contribute to isLoading when enableRead is false
+        if (permission === 'read:page.contacts' || permission === 'read:contacts') {
           return {
             can: false,
-            isLoading: true,
+            isLoading: true, // Read is loading, but should be excluded
             error: null,
             refetch: vi.fn(),
           } as any;
@@ -546,9 +612,12 @@ describe('useResourcePermissions Hook', () => {
         } as any;
       });
 
-      const { result } = renderHook(() => useResourcePermissions('contacts'));
+      const { result } = renderHook(() => useResourcePermissions('contacts', { enableRead: false }));
 
-      expect(result.current.isLoading).toBe(false);
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
     });
   });
 
@@ -566,10 +635,11 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.error).toEqual(scopeError);
     });
 
-    it('aggregates errors from permission checks', () => {
+    it('aggregates errors from permission checks', async () => {
       const permissionError = new Error('Permission check failed');
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:page.contacts') {
+        // When appId is available in resolvedScope, permission format is 'create:page.contacts'
+        if (permission === 'create:page.contacts' || permission === 'create:contacts') {
           return {
             can: false,
             isLoading: false,
@@ -587,6 +657,11 @@ describe('useResourcePermissions Hook', () => {
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.error).toEqual(permissionError);
     });
 
@@ -630,17 +705,22 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Options', () => {
-    it('respects enableRead option', () => {
+    it('respects enableRead option', async () => {
       renderHook(() => useResourcePermissions('contacts', { enableRead: true }));
 
-      // Should still call useCan for read permission with page. prefix when appId is available
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(mockUseCan).toHaveBeenCalled();
+      });
+
+      // Should call useCan for read permission with page. prefix when appId is available in resolvedScope
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
         'read:page.contacts',
-        'contacts', // pageId is resource name when appId is available
+        'contacts', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (resolved after async check)
         undefined // appName
       );
     });
@@ -654,16 +734,22 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Different Resources', () => {
-    it('works with different resource names', () => {
+    it('works with different resource names', async () => {
       renderHook(() => useResourcePermissions('risks'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(mockUseCan).toHaveBeenCalled();
+      });
+
+      // When appId is available in resolvedScope, permission format includes page. prefix
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
         'create:page.risks',
-        'risks', // pageId is resource name when appId is available
+        'risks', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (resolved after async check)
         undefined // appName
       );
       expect(mockUseCan).toHaveBeenCalledWith(