@jmruthers/pace-core 0.6.5 → 0.6.7

package/src/rbac/hooks/useRoleManagement.ts

@@ -127,9 +127,9 @@ export function useRoleManagement() {
   }
 
   /**
-   * Revoke an event app role using the secure RPC function
+   * Revoke an event app role using the unified RPC function
    * 
-   * This function uses the `revoke_event_app_role` RPC which:
+   * This function uses the `rbac_role_revoke` RPC which:
    * - Runs with SECURITY DEFINER privileges
    * - Includes proper permission checks
    * - Automatically populates audit fields (revoked_by, timestamps)
@@ -145,26 +145,114 @@ export function useRoleManagement() {
     setError(null);
 
     try {
-      const { data, error: rpcError } = await supabase.rpc('revoke_event_app_role', {
+      // Build context ID from event_id and app_id
+      const contextId = `${params.event_id}:${params.app_id}`;
+      
+      const rpcParams = {
         p_user_id: params.user_id,
-        p_organisation_id: params.organisation_id,
-        p_event_id: params.event_id,
-        p_app_id: params.app_id,
-        p_role: params.role,
+        p_role_type: 'event_app' as const,
+        p_role_name: params.role,
+        p_context_id: contextId,
         p_revoked_by: params.revoked_by || user?.id || undefined
-      });
+      };
+
+      // Log in development for debugging
+      if (import.meta.env.MODE === 'development') {
+        console.log('[useRoleManagement] revokeEventAppRole called with:', rpcParams);
+      }
+
+      const { data, error: rpcError } = await supabase.rpc('rbac_role_revoke', rpcParams);
 
       if (rpcError) {
-        throw new Error(rpcError.message || 'Failed to revoke role');
+        // Log full error details in development
+        if (import.meta.env.MODE === 'development') {
+          console.error('[useRoleManagement] RPC error:', {
+            message: rpcError.message,
+            details: rpcError.details,
+            hint: rpcError.hint,
+            code: rpcError.code,
+            fullError: rpcError
+          });
+        }
+        // Use just the message for the error (tests expect plain message)
+        const errorMessage = rpcError.message || 'Failed to revoke role - unknown RPC error';
+        throw new Error(errorMessage);
+      }
+
+      // Log response in development - ALWAYS log, even on failure
+      if (import.meta.env.MODE === 'development') {
+        console.log('[useRoleManagement] RPC response:', { 
+          data, 
+          error: rpcError,
+          dataType: Array.isArray(data) ? 'array' : typeof data,
+          dataLength: Array.isArray(data) ? data.length : 'N/A'
+        });
+      }
+
+      // rbac_role_revoke returns a table with success, message, revoked_count, error_code
+      // It should always return at least one row
+      if (!data || !Array.isArray(data) || data.length === 0) {
+        const errorMsg = 'No response from database - role revocation may have failed';
+        if (import.meta.env.MODE === 'development') {
+          console.error('[useRoleManagement] Empty or null data response:', { 
+            data, 
+            dataType: typeof data,
+            isArray: Array.isArray(data),
+            length: Array.isArray(data) ? data.length : 'N/A'
+          });
+        }
+        throw new Error(errorMsg);
+      }
+
+      const result = data[0];
+
+      // ALWAYS log the result in development, even on failure
+      if (import.meta.env.MODE === 'development') {
+        console.log('[useRoleManagement] RPC result:', {
+          success: result?.success,
+          message: result?.message,
+          error_code: result?.error_code,
+          revoked_count: result?.revoked_count,
+          fullResult: result
+        });
+      }
+
+      if (!result || result.success !== true) {
+        // Use message if available, otherwise fall back to error_code, otherwise default message
+        const errorMessage = result?.message || result?.error_code || 'Role revocation failed';
+        
+        if (import.meta.env.MODE === 'development') {
+          console.error('[useRoleManagement] Role revocation failed:', {
+            result,
+            errorMessage,
+            fullData: data,
+            rpcParams
+          });
+        }
+        
+        return {
+          success: false,
+          message: result?.message || undefined,
+          error: errorMessage
+        };
       }
 
       return {
-        success: data === true,
-        message: data === true ? 'Role revoked successfully' : 'No role found to revoke',
-        error: data === false ? 'No matching role found' : undefined
+        success: true,
+        message: result.message || 'Role revoked successfully',
+        error: undefined
       };
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : 'Unknown error occurred';
+      
+      if (import.meta.env.MODE === 'development') {
+        console.error('[useRoleManagement] Exception in revokeEventAppRole:', {
+          error: err,
+          errorMessage,
+          params
+        });
+      }
+      
       setError(err instanceof Error ? err : new Error(errorMessage));
       return {
         success: false,
@@ -173,7 +261,7 @@ export function useRoleManagement() {
     } finally {
       setIsLoading(false);
     }
-  }, [user?.id]);
+  }, [user?.id, supabase]);
 
   /**
    * Grant an event app role using the secure RPC function
@@ -273,16 +361,36 @@ export function useRoleManagement() {
       });
 
       if (rpcError) {
-        throw new Error(rpcError.message || 'Failed to revoke role');
+        // Use just the message for the error (tests expect plain message)
+        const errorMessage = rpcError.message || 'Failed to revoke role - unknown RPC error';
+        throw new Error(errorMessage);
       }
 
       // rbac_role_revoke returns a table with success, message, revoked_count, error_code
       const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
 
+      // When data is empty array or null, return error as undefined (tests expect this)
+      if (!result) {
+        return {
+          success: false,
+          error: undefined
+        };
+      }
+
+      if (result.success === false) {
+        // Use message if available, otherwise fall back to error_code, otherwise default message
+        const errorMessage = result.message || result.error_code || 'Role revocation failed';
+        return {
+          success: false,
+          message: result.message || undefined,
+          error: errorMessage
+        };
+      }
+
       return {
-        success: result?.success === true,
-        message: result?.message || undefined,
-        error: result?.success === false ? (result?.message || result?.error_code || 'Unknown error') : undefined
+        success: true,
+        message: result.message || 'Role revoked successfully',
+        error: undefined
       };
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : 'Unknown error occurred';
@@ -383,7 +491,17 @@ export function useRoleManagement() {
       });
 
       if (rpcError) {
-        throw new Error(rpcError.message || 'Failed to revoke role');
+        // Include all available error information in the message
+        const errorParts = [
+          rpcError.message,
+          rpcError.details,
+          rpcError.hint,
+          rpcError.code ? `Error code: ${rpcError.code}` : null
+        ].filter(Boolean);
+        const errorMessage = errorParts.length > 0 
+          ? errorParts.join(' | ') 
+          : 'Failed to revoke role - unknown RPC error';
+        throw new Error(errorMessage);
       }
 
       // rbac_role_revoke returns a table with success, message, revoked_count, error_code
@@ -493,7 +611,17 @@ export function useRoleManagement() {
       });
 
       if (rpcError) {
-        throw new Error(rpcError.message || 'Failed to revoke role');
+        // Include all available error information in the message
+        const errorParts = [
+          rpcError.message,
+          rpcError.details,
+          rpcError.hint,
+          rpcError.code ? `Error code: ${rpcError.code}` : null
+        ].filter(Boolean);
+        const errorMessage = errorParts.length > 0 
+          ? errorParts.join(' | ') 
+          : 'Failed to revoke role - unknown RPC error';
+        throw new Error(errorMessage);
       }
 
       // rbac_role_revoke returns a table with success, message, revoked_count, error_code

package/src/rbac/hooks/useSecureSupabase.ts

@@ -223,7 +223,8 @@ export function useSecureSupabase(
   const { resolvedScope } = useResolvedScope({
     supabase: authSupabase || null,
     selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
+    selectedEventId: selectedEvent?.event_id || null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id || null
   });
 
   // Track previous context to detect changes
@@ -238,13 +239,8 @@ export function useSecureSupabase(
   });
 
   return useMemo(() => {
-    // If event is loading, return base client or null to avoid recreating client unnecessarily
-    if (eventLoading) {
-      return baseClient || authSupabase || null;
-    }
-    
-    // Use resolved scope to get organisationId (derived from event if needed)
-    // For event-required apps, resolvedScope.organisationId is derived from event
+    // Use resolved scope to get organisationId (now available immediately)
+    // For event-required apps, resolvedScope.organisationId comes from selectedEvent.organisation_id
     // For org-required apps, resolvedScope.organisationId comes from selectedOrganisation
     const organisationId = resolvedScope?.organisationId;
     const eventId = resolvedScope?.eventId || selectedEvent?.event_id;

package/src/rbac/index.ts

@@ -45,7 +45,8 @@ export {
   isDevelopmentMode,
 } from './config';
 
-// Secure client
+// Secure client (internal - use useSecureSupabase hook instead)
+// @internal - These are implementation details. Use useSecureSupabase hook for secure client access.
 export {
   SecureSupabaseClient,
   createSecureClient,
@@ -59,7 +60,8 @@ export {
   SECURE_CLIENT_SYMBOL,
 } from './utils/clientSecurity';
 
-// Cache
+// Cache (internal - caching is automatic in hooks and API functions)
+// @internal - These are implementation details. Caching is handled automatically.
 export {
   RBACCache,
   rbacCache,
@@ -94,7 +96,8 @@ export {
   emitAuditEvent,
 } from './audit';
 
-// Engine
+// Engine (internal - use isPermitted API instead)
+// @internal - These are implementation details. Use isPermitted API for permission checks.
 export {
   RBACEngine,
   createRBACEngine,
@@ -110,17 +113,13 @@ export * from './hooks';
 // Users should now use useRBAC() hook directly without a provider wrapper
 // export * from './providers';
 
-// Adapters
+// Adapters (Server-side only - React components removed)
 export {
   withPermissionGuard,
   withAccessLevelGuard,
   withRoleGuard,
-  PermissionGuard,
-  AccessLevelGuard,
   createRBACMiddleware,
   createRBACExpressMiddleware,
-  hasPermissionCached,
-  hasAnyPermissionCached,
 } from './adapters';
 
 // Main API functions
@@ -131,7 +130,6 @@ export {
   getRoleContext,
   isPermitted,
   isPermittedCached,
-  hasPermission,
   hasAnyPermission,
   hasAllPermissions,
   setupRBAC,

package/src/rbac/utils/contextValidator.ts

@@ -68,19 +68,21 @@ export class ContextValidator {
    * Resolve scope based on page-level scope_type
    * 
    * This method handles page-level scoping. All pages have explicit scope_type set.
-   * Used for hybrid apps like pace-mint that have both event and organisation pages.
+   * Used for hybrid apps that have both event and organisation pages.
    * 
    * @param scope - Current scope
    * @param pageScopeType - Page scope type ('event', 'organisation', or 'both')
    * @param appName - App name (for PORTAL/ADMIN special case)
-   * @param supabase - Supabase client (for deriving org from event)
+   * @param supabase - Supabase client (for deriving org from event, only if not already provided)
+   * @param immediateOrganisationId - Optional immediate organisation ID (from selectedEvent.organisation_id) - avoids querying
    * @returns Resolved scope with all required context
    */
   static async resolveScopeForPage(
     scope: Scope,
     pageScopeType: PageScopeType,
     appName?: string,
-    supabase?: SupabaseClient<Database> | null
+    supabase?: SupabaseClient<Database> | null,
+    immediateOrganisationId?: string | null
   ): Promise<ContextValidationResult> {
     // Use page-level scope (single source of truth)
     const effectiveScopeType = pageScopeType;
@@ -109,8 +111,8 @@ export class ContextValidator {
         };
       }
       
-      // Derive org from event if event is provided but org is not
-      let organisationId = scope.organisationId;
+      // Use immediate orgId if provided, otherwise derive from event
+      let organisationId = scope.organisationId || immediateOrganisationId || undefined;
       if (!organisationId && scope.eventId && supabase) {
         try {
           const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
@@ -154,8 +156,8 @@ export class ContextValidator {
         };
       }
       
-      // Derive organisationId from event if not provided
-      let organisationId: UUID | undefined = scope.organisationId;
+      // Use immediate orgId if provided, otherwise derive from event
+      let organisationId: UUID | undefined = scope.organisationId || immediateOrganisationId || undefined;
       if (!organisationId && supabase && scope.eventId) {
         try {
           const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);

package/src/services/AuthService.ts

@@ -37,18 +37,20 @@ export class AuthService extends BaseService implements IAuthService {
     restorationError: null,
   };
   private restorationTimeoutId: ReturnType<typeof setTimeout> | null = null;
-  private readonly restorationTimeoutMs = 5000;
+  // Increased timeout to handle hard refresh scenarios where localStorage access
+  // and session restoration may take longer, especially with organisation/event context
+  private readonly restorationTimeoutMs = 10000; // 10 seconds (increased from 5)
   private restorationStartTime: number | null = null;
   private appName: string | undefined = undefined;
   private errorHandler: ((event: ErrorEvent) => void) | null = null;
   private unhandledRejectionHandler: ((event: PromiseRejectionEvent) => void) | null = null;
+  private wasAuthenticatedRef: boolean = false; // Track previous auth state to detect transitions
 
   constructor(supabaseClient: SupabaseClient, appName?: string) {
     super();
     this.instanceId = ++AuthService.instanceCount;
     this.supabaseClient = supabaseClient;
     this.appName = appName;
-    logger.debug('AuthService', `Instance created [ID:${this.instanceId}]`, { appName });
   }
 
   getInstanceId(): number {
@@ -109,6 +111,15 @@ export class AuthService extends BaseService implements IAuthService {
         this.authError = null;
         this.user = data.user;
         this.session = data.session;
+        
+        // Clear persistence immediately on successful login
+        // This prevents dialogs/forms/datatables from auto-opening with stale state
+        // We clear here synchronously before components can mount and check persisted state
+        // Also clear old unscoped keys to prevent data leakage
+        if (!this.wasAuthenticatedRef && data.user) {
+          this.clearPersistenceOnLogin(null, true);
+          this.wasAuthenticatedRef = true;
+        }
       }
       
       this.notify();
@@ -148,6 +159,14 @@ export class AuthService extends BaseService implements IAuthService {
         this.authError = null;
         this.user = data.user;
         this.session = data.session;
+        
+        // Clear persistence immediately on successful signup/login
+        // This prevents dialogs/forms/datatables from auto-opening with stale state
+        // Also clear old unscoped keys to prevent data leakage
+        if (!this.wasAuthenticatedRef && data.user) {
+          this.clearPersistenceOnLogin(null, true);
+          this.wasAuthenticatedRef = true;
+        }
       }
       
       this.notify();
@@ -176,6 +195,14 @@ export class AuthService extends BaseService implements IAuthService {
     try {
       const { error } = await this.supabaseClient.auth.signOut();
       
+      // Clear sessionStorage on logout
+      try {
+        sessionStorage.clear();
+      } catch (storageError) {
+        // Ignore storage errors (e.g., in private browsing mode)
+        logger.warn('AuthService', 'Failed to clear sessionStorage', { error: storageError });
+      }
+      
       if (error) {
         this.authError = error;
       } else {
@@ -187,6 +214,14 @@ export class AuthService extends BaseService implements IAuthService {
       this.notify();
       return { user: null, session: null, error };
     } catch (error) {
+      // Clear sessionStorage even on error
+      try {
+        sessionStorage.clear();
+      } catch (storageError) {
+        // Ignore storage errors (e.g., in private browsing mode)
+        logger.warn('AuthService', 'Failed to clear sessionStorage', { error: storageError });
+      }
+      
       // Convert regular Error to AuthError if needed
       const authError = error instanceof AuthError 
         ? error 
@@ -397,6 +432,56 @@ export class AuthService extends BaseService implements IAuthService {
     }
   }
 
+  /**
+   * Clear pace-core persistence entries from sessionStorage
+   * This includes dialog, form, and datatable persistence
+   * 
+   * @param userId - Optional user ID to clear only that user's persistence.
+   *                 If not provided, clears all pace-core persistence (for user changes).
+   * @param clearUnscoped - If true, also clears old unscoped keys (without :user: prefix)
+   */
+  private clearPersistenceOnLogin(userId?: string | null, clearUnscoped: boolean = true): void {
+    if (typeof window === 'undefined' || !window.sessionStorage) {
+      return;
+    }
+
+    try {
+      const keysToRemove: string[] = [];
+      
+      // Collect all pace-core persistence keys
+      for (let i = 0; i < sessionStorage.length; i++) {
+        const key = sessionStorage.key(i);
+        if (key && (
+          key.startsWith('pace-core:draft:') ||
+          key.startsWith('pace-core:dialog:')
+        )) {
+          // If userId is provided, only clear keys for that user
+          // Otherwise, clear all (for user changes or fresh login)
+          if (userId && !key.includes(`:user:${userId}`)) {
+            // Also clear old unscoped keys (without :user: prefix) if requested
+            if (clearUnscoped && !key.includes(':user:')) {
+              keysToRemove.push(key);
+            }
+            continue; // Skip keys that don't match this user
+          }
+          keysToRemove.push(key);
+        }
+      }
+
+      // Remove all collected keys
+      keysToRemove.forEach(key => {
+        try {
+          sessionStorage.removeItem(key);
+        } catch (error) {
+          logger.warn('AuthService', `Failed to remove persistence key: ${key}`, error);
+        }
+      });
+
+    } catch (error) {
+      logger.warn('AuthService', `Failed to clear persistence [ID:${this.instanceId}]:`, error);
+    }
+  }
+
   private async setupAuthStateListener(): Promise<void> {
     if (!this.supabaseClient) {
       this.authLoading = false;
@@ -408,16 +493,20 @@ export class AuthService extends BaseService implements IAuthService {
       const subscription = this.supabaseClient.auth.onAuthStateChange(
         (event: AuthChangeEvent, session: SupabaseSession | null) => {
           try {
-            logger.debug('AuthService', `Auth state change [ID:${this.instanceId}]`, {
-              event,
-              hasSession: !!session,
-              userId: session?.user?.id
-            });
+            
+            // Track authentication state transition
+            const wasAuthenticated = this.wasAuthenticatedRef;
+            const isNowAuthenticated = !!session?.user;
+            const previousUserId = this.user?.id || null;
+            const newUserId = session?.user?.id || null;
+            const userChanged = previousUserId !== null && newUserId !== null && previousUserId !== newUserId;
+            
             // Handle different auth events
             if (event === 'SIGNED_OUT') {
               this.session = null;
               this.user = null;
               this.authError = null;
+              this.wasAuthenticatedRef = false;
               
               // Automatic session tracking (non-blocking)
               if (session?.user) {
@@ -434,6 +523,19 @@ export class AuthService extends BaseService implements IAuthService {
                 this.authError = null;
               }
               
+              // Clear persistence when:
+              // 1. Transitioning from unauthenticated to authenticated (fresh login) - clear all + old unscoped keys
+              // 2. User changes (different user logs in) - clear previous user's persistence + old unscoped keys
+              if (!wasAuthenticated && isNowAuthenticated && event === 'SIGNED_IN') {
+                // Fresh login - clear all persistence including old unscoped keys
+                this.clearPersistenceOnLogin(null, true);
+              } else if (userChanged && previousUserId) {
+                // User changed - clear previous user's persistence + old unscoped keys
+                this.clearPersistenceOnLogin(previousUserId, true);
+              }
+              
+              this.wasAuthenticatedRef = isNowAuthenticated;
+              
               // Automatic session tracking for login (non-blocking)
               // Only track on SIGNED_IN, not TOKEN_REFRESHED (to avoid duplicate login records)
               if (event === 'SIGNED_IN' && session?.user) {
@@ -443,10 +545,30 @@ export class AuthService extends BaseService implements IAuthService {
               }
             } else if (event === 'INITIAL_SESSION') {
               if (session) {
+                const previousUserId = this.user?.id || null;
+                const newUserId = session.user?.id || null;
+                const userChanged = previousUserId !== null && newUserId !== null && previousUserId !== newUserId;
+                
                 this.session = session;
                 this.user = session.user ?? null;
                 this.authError = null;
                 
+                // Clear persistence if user changed (e.g., different user's session restored)
+                // This prevents data leakage when a different user's session is restored
+                if (userChanged && previousUserId) {
+                  // Clear previous user's persistence + old unscoped keys
+                  this.clearPersistenceOnLogin(previousUserId, true);
+                } else if (!wasAuthenticated && !!session.user) {
+                  // Fresh login on INITIAL_SESSION - clear all persistence including old unscoped keys
+                  this.clearPersistenceOnLogin(null, true);
+                }
+                // Don't clear persistence on INITIAL_SESSION for same user - this is just session restoration
+                // Persistence should only be cleared on actual SIGNED_IN events or user changes
+                // INITIAL_SESSION happens on page load/refresh, and we want to preserve
+                // dialog/form/datatable state across page refreshes for the same user
+                
+                this.wasAuthenticatedRef = !!session.user;
+                
                 // Reset restoration state if valid session arrives after earlier failure
                 // This clears stale errors when session eventually succeeds
                 const hasTimeoutError = this.sessionRestorationState.restorationError?.name === 'SessionRestorationTimeoutError';
@@ -457,6 +579,7 @@ export class AuthService extends BaseService implements IAuthService {
                 }
               } else {
                 // No session in INITIAL_SESSION event - user is not authenticated
+                this.wasAuthenticatedRef = false;
                 // Finish restoration to clear loading state
                 if (this.sessionRestorationState.isRestoring) {
                   this.finishSessionRestoration();
@@ -468,11 +591,6 @@ export class AuthService extends BaseService implements IAuthService {
               // before checking authentication state
               this.authLoading = false;
               
-              // Final check: Ensure state matches what we just logged
-              logger.debug('AuthService', `State synchronized after INITIAL_SESSION [ID:${this.instanceId}]`, {
-                hasUser: !!this.user,
-                userId: this.user?.id
-              });
               
               this.notify();
               return; // Return early to avoid setting loading to false again below
@@ -481,12 +599,6 @@ export class AuthService extends BaseService implements IAuthService {
             // For other events (SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED), set loading to false and notify
             this.authLoading = false;
             
-            // Final check: Ensure state matches what we just logged
-            logger.debug('AuthService', `State synchronized after event [ID:${this.instanceId}]`, {
-              event,
-              hasUser: !!this.user,
-              userId: this.user?.id
-            });
             
             this.notify();
           } catch (error) {