@striae-org/striae 3.2.2 → 3.3.0

package/app/routes/auth/login.tsx

@@ -1,5 +1,5 @@
-import { useState, useEffect } from 'react';
-import { Link, useSearchParams } from 'react-router';
+import { useState, useEffect, useRef } from 'react';
+import { Link, useSearchParams, type MetaFunction } from 'react-router';
 import { auth } from '~/services/firebase';
 import {
     signInWithEmailAndPassword, 
@@ -18,6 +18,7 @@ import { EmailActionHandler } from '~/routes/auth/emailActionHandler';
 import { handleAuthError } from '~/services/firebase/errors';
 import { MFAVerification } from '~/components/auth/mfa-verification';
 import { MFAEnrollment } from '~/components/auth/mfa-enrollment';
+import { Toast } from '~/components/toast/toast';
 import { Icon } from '~/components/icon/icon';
 import styles from './login.module.css';
 import { Striae } from '~/routes/striae/striae';
@@ -28,23 +29,123 @@ import { evaluatePasswordPolicy } from '~/utils/password-policy';
 import { buildActionCodeSettings } from '~/utils/auth-action-settings';
 import { userHasMFA } from '~/utils/mfa';
 
-export const meta = () => {
-  const titleText = 'Striae | Welcome to Striae';
-  const description = 'Login to your Striae account to access your projects and data';
+const APP_CANONICAL_ORIGIN = 'https://app.striae.org';
+const SOCIAL_IMAGE_PATH = '/social-image.png';
+const SOCIAL_IMAGE_ALT = 'Striae forensic annotation and comparison workspace';
+const LOGIN_PATH_ALIASES = new Set(['/auth', '/auth/', '/auth/login', '/auth/login/']);
+
+type AuthMetaContent = {
+  title: string;
+  description: string;
+  robots: string;
+};
+
+const getCanonicalPath = (pathname: string): string => {
+  if (!pathname || LOGIN_PATH_ALIASES.has(pathname)) {
+    return '/';
+  }
+
+  return pathname.startsWith('/') ? pathname : `/${pathname}`;
+};
+
+const getAuthMetaContent = (mode: string | null, hasActionCode: boolean): AuthMetaContent => {
+  if (!mode && !hasActionCode) {
+    return {
+      title: 'Striae | Secure Login for Firearms Examiners',
+      description: 'Sign in to Striae to access your forensic annotation workspace, case files, and comparison tools.',
+      robots: 'index,follow,max-image-preview:large,max-snippet:-1,max-video-preview:-1',
+    };
+  }
+
+  if (mode === 'resetPassword') {
+    return {
+      title: 'Striae | Reset Your Password',
+      description: 'Use this secure page to reset your Striae account password and restore access to your workspace.',
+      robots: 'noindex,nofollow,noarchive',
+    };
+  }
+
+  if (mode === 'verifyEmail') {
+    return {
+      title: 'Striae | Verify Your Email Address',
+      description: 'Confirm your email address to complete Striae account activation and continue securely.',
+      robots: 'noindex,nofollow,noarchive',
+    };
+  }
+
+  if (mode === 'recoverEmail') {
+    return {
+      title: 'Striae | Recover Email Access',
+      description: 'Complete your Striae account email recovery steps securely.',
+      robots: 'noindex,nofollow,noarchive',
+    };
+  }
+
+  return {
+    title: 'Striae | Account Action',
+    description: 'Complete your Striae account action securely.',
+    robots: 'noindex,nofollow,noarchive',
+  };
+};
+
+export const meta: MetaFunction = ({ location }) => {
+  const searchParams = new URLSearchParams(location.search);
+  const mode = searchParams.get('mode');
+  const hasActionCode = Boolean(searchParams.get('oobCode'));
+
+  const canonicalPath = getCanonicalPath(location.pathname);
+  const canonicalHref = `${APP_CANONICAL_ORIGIN}${canonicalPath}`;
+  const socialImageHref = `${APP_CANONICAL_ORIGIN}${SOCIAL_IMAGE_PATH}`;
+  const { title, description, robots } = getAuthMetaContent(mode, hasActionCode);
 
   return [
-    { title: titleText },
+    { title },
     { name: 'description', content: description },
+    { name: 'robots', content: robots },
+    { property: 'og:site_name', content: 'Striae' },
+    { property: 'og:type', content: 'website' },
+    { property: 'og:url', content: canonicalHref },
+    { property: 'og:title', content: title },
+    { property: 'og:description', content: description },
+    { property: 'og:image', content: socialImageHref },
+    { property: 'og:image:secure_url', content: socialImageHref },
+    { property: 'og:image:alt', content: SOCIAL_IMAGE_ALT },
+    { name: 'twitter:card', content: 'summary_large_image' },
+    { name: 'twitter:title', content: title },
+    { name: 'twitter:description', content: description },
+    { name: 'twitter:image', content: socialImageHref },
+    { name: 'twitter:image:alt', content: SOCIAL_IMAGE_ALT },
+    { tagName: 'link', rel: 'canonical', href: canonicalHref },
   ];
 };
 
 const SUPPORTED_EMAIL_ACTION_MODES = new Set(['resetPassword', 'verifyEmail', 'recoverEmail']);
 
+const getUserFirstName = (user: User): string => {
+  const displayName = user.displayName?.trim();
+  if (displayName) {
+    const [firstName] = displayName.split(/\s+/);
+    if (firstName) {
+      return firstName;
+    }
+  }
+
+  const emailPrefix = user.email?.split('@')[0]?.trim();
+  if (emailPrefix) {
+    return emailPrefix;
+  }
+
+  return 'User';
+};
+
 export const Login = () => {
   const [searchParams] = useSearchParams();
+  const shouldShowWelcomeToastRef = useRef(false);
 
   const [error, setError] = useState('');
   const [success, setSuccess] = useState('');
+  const [welcomeToastMessage, setWelcomeToastMessage] = useState('');
+  const [isWelcomeToastVisible, setIsWelcomeToastVisible] = useState(false);
   const [isLogin, setIsLogin] = useState(true);
   const [isLoading, setIsLoading] = useState(false);
   const [isCheckingUser, setIsCheckingUser] = useState(false);
@@ -180,6 +281,12 @@ export const Login = () => {
       
       console.log("User signed in:", currentUser.email);
       setShowMfaEnrollment(false);
+
+      if (shouldShowWelcomeToastRef.current) {
+        setWelcomeToastMessage(`Welcome to Striae, ${getUserFirstName(currentUser)}!`);
+        setIsWelcomeToastVisible(true);
+        shouldShowWelcomeToastRef.current = false;
+      }
       
       // Log successful login audit
       try {
@@ -198,6 +305,8 @@ export const Login = () => {
       setUser(null);
       setShowMfaEnrollment(false);
       setIsCheckingUser(false);
+      setIsWelcomeToastVisible(false);
+      shouldShowWelcomeToastRef.current = false;
     }
   });
 
@@ -339,6 +448,7 @@ export const Login = () => {
       // Don't sign out - let user stay logged in but unverified to see verification screen
     } else {
       // Login
+      shouldShowWelcomeToastRef.current = true;
       try {
         await signInWithEmailAndPassword(auth, email, password);
       } catch (loginError: unknown) {
@@ -356,10 +466,12 @@ export const Login = () => {
           setIsLoading(false);
           return;
         }
+        shouldShowWelcomeToastRef.current = false;
         throw loginError; // Re-throw non-MFA errors
       }
     }
   } catch (err) {
+    shouldShowWelcomeToastRef.current = false;
     const { message } = handleAuthError(err);
     setError(message);
     
@@ -408,6 +520,8 @@ export const Login = () => {
       setShowMfaEnrollment(false);
       setShowMfaVerification(false);
       setMfaResolver(null);
+      setIsWelcomeToastVisible(false);
+      shouldShowWelcomeToastRef.current = false;
     } catch (err) {
       console.error('Sign out error:', err);
     }
@@ -648,6 +762,15 @@ export const Login = () => {
           mandatory={true}
         />
       )}
+
+      {!shouldHandleEmailAction && (
+        <Toast
+          message={welcomeToastMessage}
+          type="success"
+          isVisible={isWelcomeToastVisible}
+          onClose={() => setIsWelcomeToastVisible(false)}
+        />
+      )}
       
     </>
   );

package/app/utils/SHA256.ts

@@ -120,7 +120,8 @@ export function createManifestSigningPayload(
  * Verify manifest signature using configured public key(s).
  */
 export async function verifyForensicManifestSignature(
-  manifest: Partial<SignedForensicManifest>
+  manifest: Partial<SignedForensicManifest>,
+  verificationPublicKeyPem?: string
 ): Promise<ManifestSignatureVerificationResult> {
   if (!manifest.signature) {
     return {
@@ -158,6 +159,9 @@ export async function verifyForensicManifestSignature(
       noVerificationKeyPrefix: 'No verification key configured for key ID',
       invalidPublicKeyError: 'Manifest signature verification failed: invalid public key',
       verificationFailedError: 'Manifest signature verification failed'
+    },
+    {
+      verificationPublicKeyPem
     }
   );
 }

package/app/utils/confirmation-signature.ts

@@ -148,7 +148,8 @@ export function createConfirmationSigningPayload(
 }
 
 export async function verifyConfirmationSignature(
-  confirmationData: Partial<ConfirmationImportData>
+  confirmationData: Partial<ConfirmationImportData>,
+  verificationPublicKeyPem?: string
 ): Promise<ManifestSignatureVerificationResult> {
   const signature = confirmationData.metadata?.signature as ForensicManifestSignature | undefined;
   const signatureVersion = confirmationData.metadata?.signatureVersion;
@@ -188,6 +189,9 @@ export async function verifyConfirmationSignature(
       noVerificationKeyPrefix: 'No verification key configured for key ID',
       invalidPublicKeyError: 'Confirmation signature verification failed: invalid public key',
       verificationFailedError: 'Confirmation signature verification failed'
+    },
+    {
+      verificationPublicKeyPem
     }
   );
 }

package/app/utils/export-verification.ts

@@ -0,0 +1,353 @@
+import { type ConfirmationImportData } from '~/types';
+import {
+  extractForensicManifestData,
+  type SignedForensicManifest,
+  calculateSHA256Secure,
+  validateCaseIntegritySecure,
+  verifyForensicManifestSignature
+} from './SHA256';
+import { verifyConfirmationSignature } from './confirmation-signature';
+
+export interface ExportVerificationResult {
+  isValid: boolean;
+  message: string;
+  exportType?: 'case-zip' | 'confirmation';
+}
+
+const CASE_EXPORT_FILE_REGEX = /_data\.(json|csv)$/i;
+const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
+
+function createVerificationResult(
+  isValid: boolean,
+  message: string,
+  exportType?: ExportVerificationResult['exportType']
+): ExportVerificationResult {
+  return {
+    isValid,
+    message,
+    exportType
+  };
+}
+
+function getSignatureFailureMessage(
+  error: string | undefined,
+  targetLabel: 'export ZIP' | 'confirmation file'
+): string {
+  if (error?.includes('invalid public key')) {
+    return 'The selected PEM file is not a valid public key.';
+  }
+
+  if (error?.includes('Unsupported')) {
+    return `This ${targetLabel} uses an unsupported signature format.`;
+  }
+
+  if (error?.includes('Missing')) {
+    return `This ${targetLabel} is missing required signature information.`;
+  }
+
+  return `The ${targetLabel} signature did not verify with the selected public key.`;
+}
+
+function isConfirmationImportCandidate(candidate: unknown): candidate is Partial<ConfirmationImportData> {
+  if (!candidate || typeof candidate !== 'object') {
+    return false;
+  }
+
+  const confirmationCandidate = candidate as Partial<ConfirmationImportData>;
+  return (
+    !!confirmationCandidate.metadata &&
+    typeof confirmationCandidate.metadata.hash === 'string' &&
+    !!confirmationCandidate.confirmations &&
+    typeof confirmationCandidate.confirmations === 'object'
+  );
+}
+
+/**
+ * Remove forensic warning from content for hash validation.
+ * Supports the warning formats added to JSON and CSV case exports.
+ */
+export function removeForensicWarning(content: string): string {
+  const jsonForensicWarningRegex = /^\/\*\s*CASE\s+DATA\s+WARNING[\s\S]*?\*\/\s*\r?\n*/;
+  const csvForensicWarningRegex = /^"CASE DATA WARNING: This file contains evidence data for forensic examination\. Any modification may compromise the integrity of the evidence\. Handle according to your organization's chain of custody procedures\."(?:\r?\n){2}/;
+
+  let cleaned = content;
+
+  if (jsonForensicWarningRegex.test(content)) {
+    cleaned = content.replace(jsonForensicWarningRegex, '');
+  } else if (csvForensicWarningRegex.test(content)) {
+    cleaned = content.replace(csvForensicWarningRegex, '');
+  } else if (content.startsWith('"CASE DATA WARNING:')) {
+    const match = content.match(/^"[^"]*"(?:\r?\n)+/);
+    if (match) {
+      cleaned = content.substring(match[0].length);
+    }
+  }
+
+  return cleaned.replace(/^\s+/, '');
+}
+
+/**
+ * Validate the stored confirmation hash without exposing expected/actual values.
+ */
+export async function validateConfirmationHash(jsonContent: string, expectedHash: string): Promise<boolean> {
+  try {
+    if (!expectedHash || typeof expectedHash !== 'string') {
+      return false;
+    }
+
+    const data = JSON.parse(jsonContent);
+    const dataWithoutHash = {
+      ...data,
+      metadata: {
+        ...data.metadata,
+        hash: undefined
+      }
+    };
+
+    delete dataWithoutHash.metadata.hash;
+    delete dataWithoutHash.metadata.signature;
+    delete dataWithoutHash.metadata.signatureVersion;
+
+    const contentForHash = JSON.stringify(dataWithoutHash, null, 2);
+    const actualHash = await calculateSHA256Secure(contentForHash);
+
+    return actualHash.toUpperCase() === expectedHash.toUpperCase();
+  } catch {
+    return false;
+  }
+}
+
+async function verifyCaseZipExport(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  const JSZip = (await import('jszip')).default;
+
+  try {
+    const zip = await JSZip.loadAsync(file);
+    const dataFiles = Object.keys(zip.files).filter((name) => CASE_EXPORT_FILE_REGEX.test(name));
+
+    if (dataFiles.length !== 1) {
+      return createVerificationResult(
+        false,
+        'The ZIP file must contain exactly one case export data file.',
+        'case-zip'
+      );
+    }
+
+    const dataContent = await zip.file(dataFiles[0])?.async('text');
+    if (!dataContent) {
+      return createVerificationResult(false, 'The ZIP data file could not be read.', 'case-zip');
+    }
+
+    const manifestContent = await zip.file('FORENSIC_MANIFEST.json')?.async('text');
+    if (!manifestContent) {
+      return createVerificationResult(
+        false,
+        'The ZIP file does not contain FORENSIC_MANIFEST.json.',
+        'case-zip'
+      );
+    }
+
+    const forensicManifest = JSON.parse(manifestContent) as SignedForensicManifest;
+    const manifestData = extractForensicManifestData(forensicManifest);
+
+    if (!manifestData) {
+      return createVerificationResult(false, 'The forensic manifest is malformed.', 'case-zip');
+    }
+
+    const cleanedContent = removeForensicWarning(dataContent);
+    const imageFiles: Record<string, Blob> = {};
+
+    await Promise.all(
+      Object.keys(zip.files).map(async (path) => {
+        if (!path.startsWith('images/') || path.endsWith('/')) {
+          return;
+        }
+
+        const zipEntry = zip.file(path);
+        if (!zipEntry) {
+          return;
+        }
+
+        imageFiles[path.replace('images/', '')] = await zipEntry.async('blob');
+      })
+    );
+
+    const signatureResult = await verifyForensicManifestSignature(forensicManifest, verificationPublicKeyPem);
+    const integrityResult = await validateCaseIntegritySecure(cleanedContent, imageFiles, manifestData);
+
+    if (signatureResult.isValid && integrityResult.isValid) {
+      return createVerificationResult(
+        true,
+        'The export ZIP passed signature and integrity verification.',
+        'case-zip'
+      );
+    }
+
+    if (!signatureResult.isValid && !integrityResult.isValid) {
+      return createVerificationResult(
+        false,
+        'The export ZIP failed signature and integrity verification.',
+        'case-zip'
+      );
+    }
+
+    if (!signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureResult.error, 'export ZIP'),
+        'case-zip'
+      );
+    }
+
+    return createVerificationResult(false, 'The export ZIP failed integrity verification.', 'case-zip');
+  } catch {
+    return createVerificationResult(
+      false,
+      'The ZIP file could not be read as a supported Striae export.',
+      'case-zip'
+    );
+  }
+}
+
+async function verifyConfirmationExport(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  try {
+    const fileContent = await file.text();
+    return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
+  } catch {
+    return createVerificationResult(
+      false,
+      'The JSON file could not be read as a supported Striae confirmation export.',
+      'confirmation'
+    );
+  }
+}
+
+async function verifyConfirmationContent(
+  fileContent: string,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  try {
+    const parsedContent = JSON.parse(fileContent) as unknown;
+
+    if (!isConfirmationImportCandidate(parsedContent)) {
+      return createVerificationResult(
+        false,
+        'The JSON file is not a supported Striae confirmation export.',
+        'confirmation'
+      );
+    }
+
+    const confirmationData = parsedContent as Partial<ConfirmationImportData>;
+    const hashValid = await validateConfirmationHash(fileContent, confirmationData.metadata!.hash);
+    const signatureResult = await verifyConfirmationSignature(confirmationData, verificationPublicKeyPem);
+
+    if (hashValid && signatureResult.isValid) {
+      return createVerificationResult(
+        true,
+        'The confirmation file passed signature and integrity verification.',
+        'confirmation'
+      );
+    }
+
+    if (!signatureResult.isValid && signatureResult.error === 'Confirmation content is malformed') {
+      return createVerificationResult(
+        false,
+        'The JSON file is not a supported Striae confirmation export.',
+        'confirmation'
+      );
+    }
+
+    if (!hashValid && !signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        'The confirmation file failed signature and integrity verification.',
+        'confirmation'
+      );
+    }
+
+    if (!signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureResult.error, 'confirmation file'),
+        'confirmation'
+      );
+    }
+
+    return createVerificationResult(
+      false,
+      'The confirmation file failed integrity verification.',
+      'confirmation'
+    );
+  } catch {
+    return createVerificationResult(
+      false,
+      'The confirmation content could not be read as a supported Striae confirmation export.',
+      'confirmation'
+    );
+  }
+}
+
+async function verifyConfirmationZipExport(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  const JSZip = (await import('jszip')).default;
+
+  try {
+    const zip = await JSZip.loadAsync(file);
+    const confirmationFiles = Object.keys(zip.files).filter((name) => CONFIRMATION_EXPORT_FILE_REGEX.test(name));
+
+    if (confirmationFiles.length !== 1) {
+      return createVerificationResult(
+        false,
+        'The ZIP file is not a supported Striae confirmation export package.'
+      );
+    }
+
+    const confirmationContent = await zip.file(confirmationFiles[0])?.async('text');
+    if (!confirmationContent) {
+      return createVerificationResult(
+        false,
+        'The confirmation JSON file inside the ZIP could not be read.',
+        'confirmation'
+      );
+    }
+
+    return verifyConfirmationContent(confirmationContent, verificationPublicKeyPem);
+  } catch {
+    return createVerificationResult(
+      false,
+      'The ZIP file could not be read as a supported Striae export.'
+    );
+  }
+}
+
+export async function verifyExportFile(
+  file: File,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  const lowerName = file.name.toLowerCase();
+
+  if (lowerName.endsWith('.zip')) {
+    const confirmationZipResult = await verifyConfirmationZipExport(file, verificationPublicKeyPem);
+    if (confirmationZipResult.exportType === 'confirmation' || confirmationZipResult.isValid) {
+      return confirmationZipResult;
+    }
+
+    return verifyCaseZipExport(file, verificationPublicKeyPem);
+  }
+
+  if (lowerName.endsWith('.json')) {
+    return verifyConfirmationExport(file, verificationPublicKeyPem);
+  }
+
+  return createVerificationResult(
+    false,
+    'Select a confirmation JSON/ZIP file or a case export ZIP file.'
+  );
+}