@striae-org/striae 3.2.2 → 4.0.0

package/functions/api/_shared/firebase-auth.ts

@@ -0,0 +1,255 @@
+import firebaseConfig from '../../../app/config/firebase';
+
+interface FirebaseJwtHeader {
+  alg?: string;
+  kid?: string;
+  typ?: string;
+}
+
+interface FirebaseJwtPayload {
+  aud?: string;
+  iss?: string;
+  sub?: string;
+  user_id?: string;
+  email?: string;
+  email_verified?: boolean;
+  iat?: number;
+  exp?: number;
+}
+
+interface GoogleJwksResponse {
+  keys?: Array<JsonWebKey & { kid?: string; kty?: string }>;
+}
+
+export interface VerifiedFirebaseIdentity {
+  uid: string;
+  email: string | null;
+  emailVerified: boolean;
+}
+
+const GOOGLE_SECURETOKEN_JWKS_URL =
+  'https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com';
+const DEFAULT_JWKS_CACHE_SECONDS = 300;
+const CLOCK_SKEW_SECONDS = 300;
+const FALLBACK_PROJECT_ID =
+  typeof firebaseConfig.projectId === 'string' ? firebaseConfig.projectId.trim() : '';
+
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+
+let cachedJwks: GoogleJwksResponse | null = null;
+let cachedJwksExpiresAt = 0;
+
+function base64UrlToBytes(value: string): Uint8Array {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const paddingLength = normalized.length % 4 === 0 ? 0 : 4 - (normalized.length % 4);
+  const padded = normalized + '='.repeat(paddingLength);
+  const binary = atob(padded);
+
+  const bytes = new Uint8Array(binary.length);
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes;
+}
+
+function decodeJsonSegment<T>(segment: string): T | null {
+  try {
+    const decoded = textDecoder.decode(base64UrlToBytes(segment));
+    return JSON.parse(decoded) as T;
+  } catch {
+    return null;
+  }
+}
+
+function resolveJwksCacheSeconds(cacheControl: string | null): number {
+  if (!cacheControl) {
+    return DEFAULT_JWKS_CACHE_SECONDS;
+  }
+
+  const maxAgeMatch = cacheControl.match(/max-age=(\d+)/i);
+  if (!maxAgeMatch) {
+    return DEFAULT_JWKS_CACHE_SECONDS;
+  }
+
+  const parsed = Number.parseInt(maxAgeMatch[1], 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : DEFAULT_JWKS_CACHE_SECONDS;
+}
+
+async function getSecureTokenJwks(): Promise<GoogleJwksResponse | null> {
+  if (cachedJwks && Date.now() < cachedJwksExpiresAt) {
+    return cachedJwks;
+  }
+
+  let response: Response;
+  try {
+    response = await fetch(GOOGLE_SECURETOKEN_JWKS_URL, { method: 'GET' });
+  } catch {
+    return null;
+  }
+
+  if (!response.ok) {
+    return null;
+  }
+
+  const payload = await response.json().catch(() => null) as GoogleJwksResponse | null;
+  if (!payload?.keys || !Array.isArray(payload.keys) || payload.keys.length === 0) {
+    return null;
+  }
+
+  const cacheSeconds = resolveJwksCacheSeconds(response.headers.get('Cache-Control'));
+  cachedJwks = payload;
+  cachedJwksExpiresAt = Date.now() + cacheSeconds * 1000;
+
+  return payload;
+}
+
+async function verifyTokenSignature(
+  headerSegment: string,
+  payloadSegment: string,
+  signatureSegment: string,
+  jwtHeader: FirebaseJwtHeader
+): Promise<boolean> {
+  if (jwtHeader.alg !== 'RS256' || typeof jwtHeader.kid !== 'string' || jwtHeader.kid.length === 0) {
+    return false;
+  }
+
+  const jwks = await getSecureTokenJwks();
+  const verificationJwk = jwks?.keys?.find(
+    (candidate) => candidate.kid === jwtHeader.kid && candidate.kty === 'RSA'
+  );
+  if (!verificationJwk) {
+    return false;
+  }
+
+  let cryptoKey: CryptoKey;
+  try {
+    cryptoKey = await crypto.subtle.importKey(
+      'jwk',
+      verificationJwk,
+      {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: 'SHA-256'
+      },
+      false,
+      ['verify']
+    );
+  } catch {
+    return false;
+  }
+
+  const signedContent = new Uint8Array(textEncoder.encode(`${headerSegment}.${payloadSegment}`));
+  const signatureBytes = new Uint8Array(base64UrlToBytes(signatureSegment));
+
+  try {
+    return await crypto.subtle.verify(
+      { name: 'RSASSA-PKCS1-v1_5' },
+      cryptoKey,
+      signatureBytes,
+      signedContent
+    );
+  } catch {
+    return false;
+  }
+}
+
+function validateTokenClaims(payload: FirebaseJwtPayload, env: Env): boolean {
+  const configuredProjectId = typeof env.PROJECT_ID === 'string' ? env.PROJECT_ID.trim() : '';
+  const allowedProjectIds = new Set([configuredProjectId, FALLBACK_PROJECT_ID].filter(Boolean));
+  if (allowedProjectIds.size === 0) {
+    return false;
+  }
+
+  if (typeof payload.aud !== 'string' || !allowedProjectIds.has(payload.aud)) {
+    return false;
+  }
+
+  const nowSeconds = Math.floor(Date.now() / 1000);
+  const expectedIssuer = `https://securetoken.google.com/${payload.aud}`;
+
+  if (payload.iss !== expectedIssuer) {
+    return false;
+  }
+
+  if (typeof payload.sub !== 'string' || payload.sub.trim().length === 0) {
+    return false;
+  }
+
+  if (typeof payload.exp !== 'number' || payload.exp < nowSeconds - CLOCK_SKEW_SECONDS) {
+    return false;
+  }
+
+  if (typeof payload.iat !== 'number' || payload.iat > nowSeconds + CLOCK_SKEW_SECONDS) {
+    return false;
+  }
+
+  return true;
+}
+
+function extractBearerToken(request: Request): string | null {
+  const authorizationHeader = request.headers.get('Authorization');
+  if (!authorizationHeader) {
+    return null;
+  }
+
+  const [scheme, token] = authorizationHeader.split(' ');
+  if (scheme !== 'Bearer' || !token) {
+    return null;
+  }
+
+  const normalizedToken = token.trim();
+  return normalizedToken.length > 0 ? normalizedToken : null;
+}
+
+export async function verifyFirebaseIdentityFromRequest(
+  request: Request,
+  env: Env
+): Promise<VerifiedFirebaseIdentity | null> {
+  const idToken = extractBearerToken(request);
+  if (!idToken) {
+    return null;
+  }
+
+  const tokenSegments = idToken.split('.');
+  if (tokenSegments.length !== 3) {
+    return null;
+  }
+
+  const [headerSegment, payloadSegment, signatureSegment] = tokenSegments;
+  const jwtHeader = decodeJsonSegment<FirebaseJwtHeader>(headerSegment);
+  const jwtPayload = decodeJsonSegment<FirebaseJwtPayload>(payloadSegment);
+
+  if (!jwtHeader || !jwtPayload) {
+    return null;
+  }
+
+  const signatureValid = await verifyTokenSignature(
+    headerSegment,
+    payloadSegment,
+    signatureSegment,
+    jwtHeader
+  );
+  if (!signatureValid) {
+    return null;
+  }
+
+  if (!validateTokenClaims(jwtPayload, env)) {
+    return null;
+  }
+
+  const uid =
+    (typeof jwtPayload.user_id === 'string' && jwtPayload.user_id.trim().length > 0
+      ? jwtPayload.user_id
+      : jwtPayload.sub) ||
+    null;
+  if (!uid) {
+    return null;
+  }
+
+  return {
+    uid,
+    email: typeof jwtPayload.email === 'string' ? jwtPayload.email : null,
+    emailVerified: jwtPayload.email_verified === true
+  };
+}

package/functions/api/audit/[[path]].ts

@@ -0,0 +1,150 @@
+import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+
+interface AuditProxyContext {
+  request: Request;
+  env: Env;
+}
+
+const SUPPORTED_METHODS = new Set(['GET', 'POST', 'OPTIONS']);
+const AUDIT_PATH_PREFIX = '/audit/';
+
+function textResponse(message: string, status: number): Response {
+  return new Response(message, {
+    status,
+    headers: {
+      'Cache-Control': 'no-store',
+      'Content-Type': 'text/plain; charset=utf-8'
+    }
+  });
+}
+
+function normalizeWorkerBaseUrl(workerDomain: string): string {
+  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
+    throw new Error('Invalid worker domain');
+  }
+
+  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
+  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
+    return trimmedDomain;
+  }
+
+  return `https://${trimmedDomain}`;
+}
+
+function extractProxyPath(url: URL): string | null {
+  const routePrefix = '/api/audit';
+  if (!url.pathname.startsWith(routePrefix)) {
+    return null;
+  }
+
+  const remainder = url.pathname.slice(routePrefix.length);
+  return remainder.length > 0 ? remainder : '/';
+}
+
+function extractRequestedUserId(url: URL): string | null {
+  const userId = url.searchParams.get('userId');
+  if (!userId) {
+    return null;
+  }
+
+  const normalizedUserId = userId.trim();
+  return normalizedUserId.length > 0 ? normalizedUserId : null;
+}
+
+export const onRequest = async ({ request, env }: AuditProxyContext): Promise<Response> => {
+  if (!SUPPORTED_METHODS.has(request.method)) {
+    return textResponse('Method not allowed', 405);
+  }
+
+  if (request.method === 'OPTIONS') {
+    return new Response(null, {
+      status: 204,
+      headers: {
+        'Allow': 'GET, POST, OPTIONS',
+        'Cache-Control': 'no-store'
+      }
+    });
+  }
+
+  const identity = await verifyFirebaseIdentityFromRequest(request, env);
+  if (!identity) {
+    return textResponse('Unauthorized', 401);
+  }
+
+  const requestUrl = new URL(request.url);
+  const proxyPath = extractProxyPath(requestUrl);
+  if (!proxyPath || !proxyPath.startsWith(AUDIT_PATH_PREFIX)) {
+    return textResponse('Not Found', 404);
+  }
+
+  const requestedUserId = extractRequestedUserId(requestUrl);
+  if (!requestedUserId) {
+    return textResponse('Missing user identifier', 400);
+  }
+
+  if (requestedUserId !== identity.uid) {
+    return textResponse('Forbidden', 403);
+  }
+
+  if (!env.AUDIT_WORKER_DOMAIN || !env.R2_KEY_SECRET) {
+    return textResponse('Audit service not configured', 502);
+  }
+
+  const auditWorkerBaseUrl = normalizeWorkerBaseUrl(env.AUDIT_WORKER_DOMAIN);
+  const upstreamUrl = `${auditWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
+
+  let bodyToForward: BodyInit | undefined;
+  if (request.method === 'POST') {
+    const payload = await request.json().catch(() => null) as Record<string, unknown> | null;
+    if (!payload || typeof payload !== 'object') {
+      return textResponse('Invalid audit payload', 400);
+    }
+
+    const payloadUserId = typeof payload.userId === 'string' ? payload.userId.trim() : '';
+    if (payloadUserId.length > 0 && payloadUserId !== identity.uid) {
+      return textResponse('Forbidden', 403);
+    }
+
+    payload.userId = identity.uid;
+    bodyToForward = JSON.stringify(payload);
+  }
+
+  const upstreamHeaders = new Headers();
+  const contentTypeHeader = request.headers.get('Content-Type');
+  if (contentTypeHeader) {
+    upstreamHeaders.set('Content-Type', contentTypeHeader);
+  }
+
+  if (request.method === 'POST' && !upstreamHeaders.has('Content-Type')) {
+    upstreamHeaders.set('Content-Type', 'application/json');
+  }
+
+  const acceptHeader = request.headers.get('Accept');
+  if (acceptHeader) {
+    upstreamHeaders.set('Accept', acceptHeader);
+  }
+
+  upstreamHeaders.set('X-Custom-Auth-Key', env.R2_KEY_SECRET);
+
+  let upstreamResponse: Response;
+  try {
+    upstreamResponse = await fetch(upstreamUrl, {
+      method: request.method,
+      headers: upstreamHeaders,
+      body: bodyToForward
+    });
+  } catch {
+    return textResponse('Upstream audit service unavailable', 502);
+  }
+
+  const responseHeaders = new Headers(upstreamResponse.headers);
+  if (!responseHeaders.has('Cache-Control')) {
+    responseHeaders.set('Cache-Control', 'no-store');
+  }
+
+  return new Response(upstreamResponse.body, {
+    status: upstreamResponse.status,
+    statusText: upstreamResponse.statusText,
+    headers: responseHeaders
+  });
+};

package/functions/api/data/[[path]].ts

@@ -0,0 +1,141 @@
+import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+
+interface DataProxyContext {
+  request: Request;
+  env: Env;
+}
+
+const SUPPORTED_METHODS = new Set(['GET', 'PUT', 'DELETE', 'POST', 'OPTIONS']);
+const UNSCOPED_PATH_PREFIXES = ['/api/forensic/'];
+
+function textResponse(message: string, status: number): Response {
+  return new Response(message, {
+    status,
+    headers: {
+      'Cache-Control': 'no-store',
+      'Content-Type': 'text/plain; charset=utf-8'
+    }
+  });
+}
+
+function normalizeWorkerBaseUrl(workerDomain: string): string {
+  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
+    throw new Error('Invalid worker domain');
+  }
+
+  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
+  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
+    return trimmedDomain;
+  }
+
+  return `https://${trimmedDomain}`;
+}
+
+function extractProxyPath(url: URL): string | null {
+  const routePrefix = '/api/data';
+  if (!url.pathname.startsWith(routePrefix)) {
+    return null;
+  }
+
+  const remainder = url.pathname.slice(routePrefix.length);
+  return remainder.length > 0 ? remainder : '/';
+}
+
+function extractUserIdFromProxyPath(proxyPath: string): string | null {
+  const firstSegment = proxyPath.split('/').filter(Boolean)[0];
+  if (!firstSegment) {
+    return null;
+  }
+
+  try {
+    return decodeURIComponent(firstSegment);
+  } catch {
+    return null;
+  }
+}
+
+function isUnscopedProxyPath(proxyPath: string): boolean {
+  return UNSCOPED_PATH_PREFIXES.some((prefix) => proxyPath.startsWith(prefix));
+}
+
+export const onRequest = async ({ request, env }: DataProxyContext): Promise<Response> => {
+  if (!SUPPORTED_METHODS.has(request.method)) {
+    return textResponse('Method not allowed', 405);
+  }
+
+  if (request.method === 'OPTIONS') {
+    return new Response(null, {
+      status: 204,
+      headers: {
+        'Allow': 'GET, PUT, DELETE, POST, OPTIONS',
+        'Cache-Control': 'no-store'
+      }
+    });
+  }
+
+  const identity = await verifyFirebaseIdentityFromRequest(request, env);
+  if (!identity) {
+    return textResponse('Unauthorized', 401);
+  }
+
+  const requestUrl = new URL(request.url);
+  const proxyPath = extractProxyPath(requestUrl);
+  if (!proxyPath) {
+    return textResponse('Not Found', 404);
+  }
+
+  if (!isUnscopedProxyPath(proxyPath)) {
+    const requestedUserId = extractUserIdFromProxyPath(proxyPath);
+    if (!requestedUserId) {
+      return textResponse('Missing user identifier', 400);
+    }
+
+    if (requestedUserId !== identity.uid) {
+      return textResponse('Forbidden', 403);
+    }
+  }
+
+  if (!env.DATA_WORKER_DOMAIN || !env.R2_KEY_SECRET) {
+    return textResponse('Data service not configured', 502);
+  }
+
+  const dataWorkerBaseUrl = normalizeWorkerBaseUrl(env.DATA_WORKER_DOMAIN);
+  const upstreamUrl = `${dataWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
+
+  const upstreamHeaders = new Headers();
+  const contentTypeHeader = request.headers.get('Content-Type');
+  if (contentTypeHeader) {
+    upstreamHeaders.set('Content-Type', contentTypeHeader);
+  }
+
+  const acceptHeader = request.headers.get('Accept');
+  if (acceptHeader) {
+    upstreamHeaders.set('Accept', acceptHeader);
+  }
+
+  upstreamHeaders.set('X-Custom-Auth-Key', env.R2_KEY_SECRET);
+
+  const shouldForwardBody = request.method !== 'GET' && request.method !== 'HEAD';
+
+  let upstreamResponse: Response;
+  try {
+    upstreamResponse = await fetch(upstreamUrl, {
+      method: request.method,
+      headers: upstreamHeaders,
+      body: shouldForwardBody ? request.body : undefined
+    });
+  } catch {
+    return textResponse('Upstream data service unavailable', 502);
+  }
+
+  const responseHeaders = new Headers(upstreamResponse.headers);
+  if (!responseHeaders.has('Cache-Control')) {
+    responseHeaders.set('Cache-Control', 'no-store');
+  }
+
+  return new Response(upstreamResponse.body, {
+    status: upstreamResponse.status,
+    statusText: upstreamResponse.statusText,
+    headers: responseHeaders
+  });
+};

package/functions/api/image/[[path]].ts

@@ -0,0 +1,127 @@
+import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+
+interface ImageProxyContext {
+  request: Request;
+  env: Env;
+}
+
+const SUPPORTED_METHODS = new Set(['GET', 'POST', 'DELETE', 'OPTIONS']);
+
+function textResponse(message: string, status: number): Response {
+  return new Response(message, {
+    status,
+    headers: {
+      'Cache-Control': 'no-store',
+      'Content-Type': 'text/plain; charset=utf-8'
+    }
+  });
+}
+
+function normalizeWorkerBaseUrl(workerDomain: string): string {
+  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
+    throw new Error('Invalid worker domain');
+  }
+
+  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
+  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
+    return trimmedDomain;
+  }
+
+  return `https://${trimmedDomain}`;
+}
+
+function extractProxyPath(url: URL): string | null {
+  const routePrefix = '/api/image';
+  if (!url.pathname.startsWith(routePrefix)) {
+    return null;
+  }
+
+  const remainder = url.pathname.slice(routePrefix.length);
+  return remainder.length > 0 ? remainder : '/';
+}
+
+function resolveImageWorkerToken(env: Env): string {
+  const imageToken = typeof env.IMAGES_API_TOKEN === 'string' ? env.IMAGES_API_TOKEN.trim() : '';
+  if (imageToken.length > 0) {
+    return imageToken;
+  }
+
+  const apiToken = typeof env.API_TOKEN === 'string' ? env.API_TOKEN.trim() : '';
+  if (apiToken.length > 0) {
+    return apiToken;
+  }
+
+  return '';
+}
+
+export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Response> => {
+  if (!SUPPORTED_METHODS.has(request.method)) {
+    return textResponse('Method not allowed', 405);
+  }
+
+  if (request.method === 'OPTIONS') {
+    return new Response(null, {
+      status: 204,
+      headers: {
+        'Allow': 'GET, POST, DELETE, OPTIONS',
+        'Cache-Control': 'no-store'
+      }
+    });
+  }
+
+  const identity = await verifyFirebaseIdentityFromRequest(request, env);
+  if (!identity) {
+    return textResponse('Unauthorized', 401);
+  }
+
+  const requestUrl = new URL(request.url);
+  const proxyPath = extractProxyPath(requestUrl);
+  if (!proxyPath) {
+    return textResponse('Not Found', 404);
+  }
+
+  const imageWorkerToken = resolveImageWorkerToken(env);
+  if (!env.IMAGES_WORKER_DOMAIN || !imageWorkerToken) {
+    return textResponse('Image service not configured', 502);
+  }
+
+  const imageWorkerBaseUrl = normalizeWorkerBaseUrl(env.IMAGES_WORKER_DOMAIN);
+  const upstreamUrl = `${imageWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
+
+  const upstreamHeaders = new Headers();
+  const contentTypeHeader = request.headers.get('Content-Type');
+  if (contentTypeHeader) {
+    upstreamHeaders.set('Content-Type', contentTypeHeader);
+  }
+
+  const acceptHeader = request.headers.get('Accept');
+  if (acceptHeader) {
+    upstreamHeaders.set('Accept', acceptHeader);
+  }
+
+  upstreamHeaders.set('Authorization', `Bearer ${imageWorkerToken}`);
+
+  const shouldForwardBody = request.method !== 'GET' && request.method !== 'HEAD';
+
+  let upstreamResponse: Response;
+  try {
+    upstreamResponse = await fetch(upstreamUrl, {
+      method: request.method,
+      headers: upstreamHeaders,
+      body: shouldForwardBody ? request.body : undefined
+    });
+  } catch {
+    return textResponse('Upstream image service unavailable', 502);
+  }
+
+  const responseHeaders = new Headers(upstreamResponse.headers);
+  if (!responseHeaders.has('Cache-Control')) {
+    responseHeaders.set('Cache-Control', 'no-store');
+  }
+
+  return new Response(upstreamResponse.body, {
+    status: upstreamResponse.status,
+    statusText: upstreamResponse.statusText,
+    headers: responseHeaders
+  });
+};