@striae-org/striae 3.2.1 → 3.3.0

package/app/services/audit/builders/index.ts

@@ -0,0 +1,40 @@
+export { buildValidationAuditEntry } from './audit-entry-builder';
+
+export {
+  buildCaseExportAuditParams,
+  buildCaseImportAuditParams,
+  buildConfirmationCreationAuditParams,
+  buildConfirmationExportAuditParams,
+  buildConfirmationImportAuditParams
+} from './audit-event-builders-workflow';
+
+export {
+  buildCaseCreationAuditParams,
+  buildCaseDeletionAuditParams,
+  buildCaseRenameAuditParams,
+  buildFileAccessAuditParams,
+  buildFileDeletionAuditParams,
+  buildFileUploadAuditParams,
+  buildPDFGenerationAuditParams
+} from './audit-event-builders-case-file';
+
+export {
+  buildAnnotationCreateAuditParams,
+  buildAnnotationDeleteAuditParams,
+  buildAnnotationEditAuditParams
+} from './audit-event-builders-annotation';
+
+export {
+  buildAccountDeletionAuditParams,
+  buildEmailVerificationAuditParams,
+  buildEmailVerificationByEmailAuditParams,
+  buildMarkEmailVerificationSuccessfulAuditParams,
+  buildMfaAuthenticationAuditParams,
+  buildMfaEnrollmentAuditParams,
+  buildPasswordResetAuditParams,
+  buildSecurityViolationAuditParams,
+  buildUserLoginAuditParams,
+  buildUserLogoutAuditParams,
+  buildUserProfileUpdateAuditParams,
+  buildUserRegistrationAuditParams
+} from './audit-event-builders-user-security';

package/app/services/audit/index.ts

@@ -0,0 +1,2 @@
+export { AuditService, auditService } from './audit.service';
+export { AuditExportService, auditExportService } from './audit-export.service';

package/app/types/case.ts

@@ -1,5 +1,5 @@
-import { FileData } from './file';
-import { AnnotationData, ConfirmationData } from './annotations';
+import { type FileData } from './file';
+import { type AnnotationData, type ConfirmationData } from './annotations';
 
 // Case-related types and interfaces
 

package/app/types/exceljs-bare.d.ts

@@ -1,6 +1,8 @@
+import type * as ExcelJSModule from 'exceljs';
+
 declare global {
   interface Window {
-    ExcelJS?: typeof import('exceljs');
+    ExcelJS?: typeof ExcelJSModule;
   }
 }
 

package/app/types/user.ts

@@ -1,6 +1,6 @@
 // User-related types and interfaces
 
-import { ReadOnlyCaseMetadata } from './import';
+import { type ReadOnlyCaseMetadata } from './import';
 
 export interface UserData {
   uid: string;

package/app/utils/SHA256.ts

@@ -120,7 +120,8 @@ export function createManifestSigningPayload(
  * Verify manifest signature using configured public key(s).
  */
 export async function verifyForensicManifestSignature(
-  manifest: Partial<SignedForensicManifest>
+  manifest: Partial<SignedForensicManifest>,
+  verificationPublicKeyPem?: string
 ): Promise<ManifestSignatureVerificationResult> {
   if (!manifest.signature) {
     return {
@@ -158,6 +159,9 @@ export async function verifyForensicManifestSignature(
       noVerificationKeyPrefix: 'No verification key configured for key ID',
       invalidPublicKeyError: 'Manifest signature verification failed: invalid public key',
       verificationFailedError: 'Manifest signature verification failed'
+    },
+    {
+      verificationPublicKeyPem
     }
   );
 }

package/app/utils/audit-export-signature.ts

@@ -1,7 +1,7 @@
 import {
-  ForensicManifestSignature,
+  type ForensicManifestSignature,
   FORENSIC_MANIFEST_SIGNATURE_ALGORITHM,
-  ManifestSignatureVerificationResult
+  type ManifestSignatureVerificationResult
 } from './SHA256';
 import { verifySignaturePayload } from './signature-utils';
 

package/app/utils/confirmation-signature.ts

@@ -1,8 +1,8 @@
-import { ConfirmationImportData } from '~/types';
+import { type ConfirmationImportData } from '~/types';
 import {
-  ForensicManifestSignature,
+  type ForensicManifestSignature,
   FORENSIC_MANIFEST_SIGNATURE_ALGORITHM,
-  ManifestSignatureVerificationResult
+  type ManifestSignatureVerificationResult
 } from './SHA256';
 import { verifySignaturePayload } from './signature-utils';
 
@@ -148,7 +148,8 @@ export function createConfirmationSigningPayload(
 }
 
 export async function verifyConfirmationSignature(
-  confirmationData: Partial<ConfirmationImportData>
+  confirmationData: Partial<ConfirmationImportData>,
+  verificationPublicKeyPem?: string
 ): Promise<ManifestSignatureVerificationResult> {
   const signature = confirmationData.metadata?.signature as ForensicManifestSignature | undefined;
   const signatureVersion = confirmationData.metadata?.signatureVersion;
@@ -188,6 +189,9 @@ export async function verifyConfirmationSignature(
       noVerificationKeyPrefix: 'No verification key configured for key ID',
       invalidPublicKeyError: 'Confirmation signature verification failed: invalid public key',
       verificationFailedError: 'Confirmation signature verification failed'
+    },
+    {
+      verificationPublicKeyPem
     }
   );
 }

package/app/utils/data-operations.ts

@@ -4,20 +4,20 @@
  * for all interactions with the data worker microservice
  */
 
-import { User } from 'firebase/auth';
-import { CaseData, AnnotationData, ConfirmationImportData } from '~/types';
+import type { User } from 'firebase/auth';
+import { type CaseData, type AnnotationData, type ConfirmationImportData } from '~/types';
 import paths from '~/config/config.json';
 import { getDataApiKey } from './auth';
 import { validateUserSession, canAccessCase, canModifyCase } from './permissions';
 import {
-  ForensicManifestData,
-  ForensicManifestSignature,
+  type ForensicManifestData,
+  type ForensicManifestSignature,
   FORENSIC_MANIFEST_VERSION
 } from './SHA256';
 import { CONFIRMATION_SIGNATURE_VERSION } from './confirmation-signature';
 import {
   AUDIT_EXPORT_SIGNATURE_VERSION,
-  AuditExportSigningPayload,
+  type AuditExportSigningPayload,
   isValidAuditExportSigningPayload
 } from './audit-export-signature';
 

package/app/utils/export-verification.ts

@@ -0,0 +1,353 @@
+import { type ConfirmationImportData } from '~/types';
+import {
+  extractForensicManifestData,
+  type SignedForensicManifest,
+  calculateSHA256Secure,
+  validateCaseIntegritySecure,
+  verifyForensicManifestSignature
+} from './SHA256';
+import { verifyConfirmationSignature } from './confirmation-signature';
+
+export interface ExportVerificationResult {
+  isValid: boolean;
+  message: string;
+  exportType?: 'case-zip' | 'confirmation';
+}
+
+const CASE_EXPORT_FILE_REGEX = /_data\.(json|csv)$/i;
+const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
+
+function createVerificationResult(
+  isValid: boolean,
+  message: string,
+  exportType?: ExportVerificationResult['exportType']
+): ExportVerificationResult {
+  return {
+    isValid,
+    message,
+    exportType
+  };
+}
+
+function getSignatureFailureMessage(
+  error: string | undefined,
+  targetLabel: 'export ZIP' | 'confirmation file'
+): string {
+  if (error?.includes('invalid public key')) {
+    return 'The selected PEM file is not a valid public key.';
+  }
+
+  if (error?.includes('Unsupported')) {
+    return `This ${targetLabel} uses an unsupported signature format.`;
+  }
+
+  if (error?.includes('Missing')) {
+    return `This ${targetLabel} is missing required signature information.`;
+  }
+
+  return `The ${targetLabel} signature did not verify with the selected public key.`;
+}
+
+function isConfirmationImportCandidate(candidate: unknown): candidate is Partial<ConfirmationImportData> {
+  if (!candidate || typeof candidate !== 'object') {
+    return false;
+  }
+
+  const confirmationCandidate = candidate as Partial<ConfirmationImportData>;
+  return (
+    !!confirmationCandidate.metadata &&
+    typeof confirmationCandidate.metadata.hash === 'string' &&
+    !!confirmationCandidate.confirmations &&
+    typeof confirmationCandidate.confirmations === 'object'
+  );
+}
+
+/**
+ * Remove forensic warning from content for hash validation.
+ * Supports the warning formats added to JSON and CSV case exports.
+ */
+export function removeForensicWarning(content: string): string {
+  const jsonForensicWarningRegex = /^\/\*\s*CASE\s+DATA\s+WARNING[\s\S]*?\*\/\s*\r?\n*/;
+  const csvForensicWarningRegex = /^"CASE DATA WARNING: This file contains evidence data for forensic examination\. Any modification may compromise the integrity of the evidence\. Handle according to your organization's chain of custody procedures\."(?:\r?\n){2}/;
+
+  let cleaned = content;
+
+  if (jsonForensicWarningRegex.test(content)) {
+    cleaned = content.replace(jsonForensicWarningRegex, '');
+  } else if (csvForensicWarningRegex.test(content)) {
+    cleaned = content.replace(csvForensicWarningRegex, '');
+  } else if (content.startsWith('"CASE DATA WARNING:')) {
+    const match = content.match(/^"[^"]*"(?:\r?\n)+/);
+    if (match) {
+      cleaned = content.substring(match[0].length);
+    }
+  }
+
+  return cleaned.replace(/^\s+/, '');
+}
+
+/**
+ * Validate the stored confirmation hash without exposing expected/actual values.
+ */
+export async function validateConfirmationHash(jsonContent: string, expectedHash: string): Promise<boolean> {
+  try {
+    if (!expectedHash || typeof expectedHash !== 'string') {
+      return false;
+    }
+
+    const data = JSON.parse(jsonContent);
+    const dataWithoutHash = {
+      ...data,
+      metadata: {
+        ...data.metadata,
+        hash: undefined
+      }
+    };
+
+    delete dataWithoutHash.metadata.hash;
+    delete dataWithoutHash.metadata.signature;
+    delete dataWithoutHash.metadata.signatureVersion;
+
+    const contentForHash = JSON.stringify(dataWithoutHash, null, 2);
+    const actualHash = await calculateSHA256Secure(contentForHash);
+
+    return actualHash.toUpperCase() === expectedHash.toUpperCase();
+  } catch {
+    return false;
+  }
+}
+
+async function verifyCaseZipExport(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  const JSZip = (await import('jszip')).default;
+
+  try {
+    const zip = await JSZip.loadAsync(file);
+    const dataFiles = Object.keys(zip.files).filter((name) => CASE_EXPORT_FILE_REGEX.test(name));
+
+    if (dataFiles.length !== 1) {
+      return createVerificationResult(
+        false,
+        'The ZIP file must contain exactly one case export data file.',
+        'case-zip'
+      );
+    }
+
+    const dataContent = await zip.file(dataFiles[0])?.async('text');
+    if (!dataContent) {
+      return createVerificationResult(false, 'The ZIP data file could not be read.', 'case-zip');
+    }
+
+    const manifestContent = await zip.file('FORENSIC_MANIFEST.json')?.async('text');
+    if (!manifestContent) {
+      return createVerificationResult(
+        false,
+        'The ZIP file does not contain FORENSIC_MANIFEST.json.',
+        'case-zip'
+      );
+    }
+
+    const forensicManifest = JSON.parse(manifestContent) as SignedForensicManifest;
+    const manifestData = extractForensicManifestData(forensicManifest);
+
+    if (!manifestData) {
+      return createVerificationResult(false, 'The forensic manifest is malformed.', 'case-zip');
+    }
+
+    const cleanedContent = removeForensicWarning(dataContent);
+    const imageFiles: Record<string, Blob> = {};
+
+    await Promise.all(
+      Object.keys(zip.files).map(async (path) => {
+        if (!path.startsWith('images/') || path.endsWith('/')) {
+          return;
+        }
+
+        const zipEntry = zip.file(path);
+        if (!zipEntry) {
+          return;
+        }
+
+        imageFiles[path.replace('images/', '')] = await zipEntry.async('blob');
+      })
+    );
+
+    const signatureResult = await verifyForensicManifestSignature(forensicManifest, verificationPublicKeyPem);
+    const integrityResult = await validateCaseIntegritySecure(cleanedContent, imageFiles, manifestData);
+
+    if (signatureResult.isValid && integrityResult.isValid) {
+      return createVerificationResult(
+        true,
+        'The export ZIP passed signature and integrity verification.',
+        'case-zip'
+      );
+    }
+
+    if (!signatureResult.isValid && !integrityResult.isValid) {
+      return createVerificationResult(
+        false,
+        'The export ZIP failed signature and integrity verification.',
+        'case-zip'
+      );
+    }
+
+    if (!signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureResult.error, 'export ZIP'),
+        'case-zip'
+      );
+    }
+
+    return createVerificationResult(false, 'The export ZIP failed integrity verification.', 'case-zip');
+  } catch {
+    return createVerificationResult(
+      false,
+      'The ZIP file could not be read as a supported Striae export.',
+      'case-zip'
+    );
+  }
+}
+
+async function verifyConfirmationExport(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  try {
+    const fileContent = await file.text();
+    return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
+  } catch {
+    return createVerificationResult(
+      false,
+      'The JSON file could not be read as a supported Striae confirmation export.',
+      'confirmation'
+    );
+  }
+}
+
+async function verifyConfirmationContent(
+  fileContent: string,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  try {
+    const parsedContent = JSON.parse(fileContent) as unknown;
+
+    if (!isConfirmationImportCandidate(parsedContent)) {
+      return createVerificationResult(
+        false,
+        'The JSON file is not a supported Striae confirmation export.',
+        'confirmation'
+      );
+    }
+
+    const confirmationData = parsedContent as Partial<ConfirmationImportData>;
+    const hashValid = await validateConfirmationHash(fileContent, confirmationData.metadata!.hash);
+    const signatureResult = await verifyConfirmationSignature(confirmationData, verificationPublicKeyPem);
+
+    if (hashValid && signatureResult.isValid) {
+      return createVerificationResult(
+        true,
+        'The confirmation file passed signature and integrity verification.',
+        'confirmation'
+      );
+    }
+
+    if (!signatureResult.isValid && signatureResult.error === 'Confirmation content is malformed') {
+      return createVerificationResult(
+        false,
+        'The JSON file is not a supported Striae confirmation export.',
+        'confirmation'
+      );
+    }
+
+    if (!hashValid && !signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        'The confirmation file failed signature and integrity verification.',
+        'confirmation'
+      );
+    }
+
+    if (!signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureResult.error, 'confirmation file'),
+        'confirmation'
+      );
+    }
+
+    return createVerificationResult(
+      false,
+      'The confirmation file failed integrity verification.',
+      'confirmation'
+    );
+  } catch {
+    return createVerificationResult(
+      false,
+      'The confirmation content could not be read as a supported Striae confirmation export.',
+      'confirmation'
+    );
+  }
+}
+
+async function verifyConfirmationZipExport(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  const JSZip = (await import('jszip')).default;
+
+  try {
+    const zip = await JSZip.loadAsync(file);
+    const confirmationFiles = Object.keys(zip.files).filter((name) => CONFIRMATION_EXPORT_FILE_REGEX.test(name));
+
+    if (confirmationFiles.length !== 1) {
+      return createVerificationResult(
+        false,
+        'The ZIP file is not a supported Striae confirmation export package.'
+      );
+    }
+
+    const confirmationContent = await zip.file(confirmationFiles[0])?.async('text');
+    if (!confirmationContent) {
+      return createVerificationResult(
+        false,
+        'The confirmation JSON file inside the ZIP could not be read.',
+        'confirmation'
+      );
+    }
+
+    return verifyConfirmationContent(confirmationContent, verificationPublicKeyPem);
+  } catch {
+    return createVerificationResult(
+      false,
+      'The ZIP file could not be read as a supported Striae export.'
+    );
+  }
+}
+
+export async function verifyExportFile(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  const lowerName = file.name.toLowerCase();
+
+  if (lowerName.endsWith('.zip')) {
+    const confirmationZipResult = await verifyConfirmationZipExport(file, verificationPublicKeyPem);
+    if (confirmationZipResult.exportType === 'confirmation' || confirmationZipResult.isValid) {
+      return confirmationZipResult;
+    }
+
+    return verifyCaseZipExport(file, verificationPublicKeyPem);
+  }
+
+  if (lowerName.endsWith('.json')) {
+    return verifyConfirmationExport(file, verificationPublicKeyPem);
+  }
+
+  return createVerificationResult(
+    false,
+    'Select a confirmation JSON/ZIP file or a case export ZIP file.'
+  );
+}

package/app/utils/mfa-phone.ts

@@ -1,5 +1,5 @@
 import type { MultiFactorInfo } from 'firebase/auth';
-import { getValidationError } from '~/services/firebase-errors';
+import { getValidationError } from '~/services/firebase/errors';
 
 export interface PhoneValidationResult {
   isValid: boolean;

package/app/utils/mfa.ts

@@ -1,7 +1,7 @@
 // MFA Configuration Helper
 // This file contains utilities and documentation for managing MFA in your Firebase project
 
-import { multiFactor, User } from 'firebase/auth';
+import { multiFactor, type User } from 'firebase/auth';
 
 /**
  * Check if a user has MFA enrolled

package/app/utils/permissions.ts

@@ -1,5 +1,5 @@
-import { User } from 'firebase/auth';
-import { UserData, ExtendedUserData, UserLimits, ReadOnlyCaseMetadata } from '~/types';
+import type { User } from 'firebase/auth';
+import type { UserData, ExtendedUserData, UserLimits, ReadOnlyCaseMetadata } from '~/types';
 import paths from '~/config/config.json';
 import { getUserApiKey } from './auth';
 

package/app/utils/signature-utils.ts

@@ -20,6 +20,15 @@ export interface SignatureVerificationMessages {
   verificationFailedError?: string;
 }
 
+export interface SignatureVerificationOptions {
+  verificationPublicKeyPem?: string;
+}
+
+export interface PublicSigningKeyDetails {
+  keyId: string | null;
+  publicKeyPem: string | null;
+}
+
 type ManifestSigningConfig = {
   manifest_signing_public_keys?: Record<string, string>;
   manifest_signing_public_key?: string;
@@ -30,6 +39,63 @@ function normalizePemPublicKey(pem: string): string {
   return pem.replace(/\\n/g, '\n').trim();
 }
 
+function normalizePemOrNull(pem: unknown): string | null {
+  if (typeof pem !== 'string' || pem.trim().length === 0) {
+    return null;
+  }
+
+  return normalizePemPublicKey(pem);
+}
+
+function sanitizeKeyIdForFileName(keyId: string): string {
+  return keyId.trim().replace(/[^a-z0-9_-]+/gi, '-');
+}
+
+export function createPublicSigningKeyFileName(keyId?: string | null): string {
+  if (typeof keyId === 'string' && keyId.trim().length > 0) {
+    return `striae-public-signing-key-${sanitizeKeyIdForFileName(keyId)}.pem`;
+  }
+
+  return 'striae-public-signing-key.pem';
+}
+
+export function getCurrentPublicSigningKeyDetails(): PublicSigningKeyDetails {
+  const config = paths as unknown as ManifestSigningConfig;
+  const configuredKeyId =
+    typeof config.manifest_signing_key_id === 'string' && config.manifest_signing_key_id.trim().length > 0
+      ? config.manifest_signing_key_id
+      : null;
+
+  if (configuredKeyId) {
+    const configuredKey = getVerificationPublicKey(configuredKeyId);
+    if (configuredKey) {
+      return {
+        keyId: configuredKeyId,
+        publicKeyPem: configuredKey
+      };
+    }
+  }
+
+  const keyMap = config.manifest_signing_public_keys;
+  if (keyMap && typeof keyMap === 'object') {
+    const firstConfiguredEntry = Object.entries(keyMap).find(
+      ([, value]) => typeof value === 'string' && value.trim().length > 0
+    );
+
+    if (firstConfiguredEntry) {
+      return {
+        keyId: firstConfiguredEntry[0],
+        publicKeyPem: normalizePemPublicKey(firstConfiguredEntry[1])
+      };
+    }
+  }
+
+  return {
+    keyId: null,
+    publicKeyPem: normalizePemOrNull(config.manifest_signing_public_key)
+  };
+}
+
 function publicKeyPemToArrayBuffer(publicKeyPem: string, invalidPublicKeyError: string): ArrayBuffer {
   const normalized = normalizePemPublicKey(publicKeyPem);
   const pemBody = normalized
@@ -71,7 +137,7 @@ export function getVerificationPublicKey(keyId: string): string | null {
   if (keyMap && typeof keyMap === 'object') {
     const mappedKey = keyMap[keyId];
     if (typeof mappedKey === 'string' && mappedKey.trim().length > 0) {
-      return mappedKey;
+      return normalizePemPublicKey(mappedKey);
     }
   }
 
@@ -81,7 +147,7 @@ export function getVerificationPublicKey(keyId: string): string | null {
     typeof config.manifest_signing_public_key === 'string' &&
     config.manifest_signing_public_key.trim().length > 0
   ) {
-    return config.manifest_signing_public_key;
+    return normalizePemPublicKey(config.manifest_signing_public_key);
   }
 
   return null;
@@ -91,7 +157,8 @@ export async function verifySignaturePayload(
   payload: string,
   signature: SignatureEnvelope,
   expectedAlgorithm: string,
-  messages: SignatureVerificationMessages = {}
+  messages: SignatureVerificationMessages = {},
+  options: SignatureVerificationOptions = {}
 ): Promise<SignatureVerificationResult> {
   if (signature.algorithm !== expectedAlgorithm) {
     return {
@@ -108,7 +175,10 @@ export async function verifySignaturePayload(
     };
   }
 
-  const publicKeyPem = getVerificationPublicKey(signature.keyId);
+  const publicKeyPem =
+    typeof options.verificationPublicKeyPem === 'string' && options.verificationPublicKeyPem.trim().length > 0
+      ? options.verificationPublicKeyPem
+      : getVerificationPublicKey(signature.keyId);
   if (!publicKeyPem) {
     return {
       isValid: false,