@striae-org/striae 3.2.2 → 4.0.0

package/app/utils/image-api-client.ts

@@ -0,0 +1,130 @@
+import type { User } from 'firebase/auth';
+import { type ImageUploadResponse } from '~/types';
+
+const IMAGE_API_BASE = '/api/image';
+
+function normalizePath(path: string): string {
+  if (!path) {
+    return '/';
+  }
+
+  return path.startsWith('/') ? path : `/${path}`;
+}
+
+export async function fetchImageApi(
+  user: User,
+  path: string,
+  init: RequestInit = {}
+): Promise<Response> {
+  const normalizedPath = normalizePath(path);
+  const userWithOptionalToken = user as User & { getIdToken?: () => Promise<string> };
+
+  if (typeof userWithOptionalToken.getIdToken !== 'function') {
+    throw new Error('Unable to authenticate request: missing Firebase token provider');
+  }
+
+  let idToken: string;
+  try {
+    idToken = await userWithOptionalToken.getIdToken();
+  } catch {
+    throw new Error('Unable to authenticate request: failed to retrieve Firebase token');
+  }
+
+  if (!idToken) {
+    throw new Error('Unable to authenticate request: empty Firebase token');
+  }
+
+  const headers = new Headers(init.headers);
+  headers.set('Authorization', `Bearer ${idToken}`);
+
+  return fetch(`${IMAGE_API_BASE}${normalizedPath}`, {
+    ...init,
+    headers
+  });
+}
+
+interface XhrUploadResult {
+  status: number;
+  responseText: string;
+}
+
+function uploadWithXhr(
+  targetUrl: string,
+  authorizationValue: string,
+  file: File,
+  onProgress?: (progress: number) => void
+): Promise<XhrUploadResult> {
+  return new Promise((resolve, reject) => {
+    const xhr = new XMLHttpRequest();
+    const formData = new FormData();
+    formData.append('file', file);
+
+    xhr.upload.addEventListener('progress', (event) => {
+      if (event.lengthComputable && onProgress) {
+        const progress = Math.round((event.loaded / event.total) * 100);
+        onProgress(progress);
+      }
+    });
+
+    xhr.addEventListener('load', () => {
+      resolve({
+        status: xhr.status,
+        responseText: xhr.responseText
+      });
+    });
+
+    xhr.addEventListener('error', () => {
+      reject(new Error('Upload failed'));
+    });
+
+    xhr.open('POST', targetUrl);
+    xhr.setRequestHeader('Authorization', authorizationValue);
+    xhr.send(formData);
+  });
+}
+
+function parseUploadResponse(payload: string): ImageUploadResponse {
+  const parsed = JSON.parse(payload) as ImageUploadResponse;
+  if (!parsed.success || !parsed.result?.id) {
+    const errorMessage = parsed.errors?.map((entry) => entry.message).join(', ') || 'Upload failed';
+    throw new Error(errorMessage);
+  }
+
+  return parsed;
+}
+
+export async function uploadImageApi(
+  user: User,
+  file: File,
+  onProgress?: (progress: number) => void
+): Promise<ImageUploadResponse> {
+  const userWithOptionalToken = user as User & { getIdToken?: () => Promise<string> };
+
+  if (typeof userWithOptionalToken.getIdToken !== 'function') {
+    throw new Error('Unable to authenticate upload: missing Firebase token provider');
+  }
+
+  let idToken: string;
+  try {
+    idToken = await userWithOptionalToken.getIdToken();
+  } catch {
+    throw new Error('Unable to authenticate upload: failed to retrieve Firebase token');
+  }
+
+  if (!idToken) {
+    throw new Error('Unable to authenticate upload: empty Firebase token');
+  }
+
+  const proxyUploadResult = await uploadWithXhr(
+    `${IMAGE_API_BASE}/`,
+    `Bearer ${idToken}`,
+    file,
+    onProgress
+  );
+
+  if (proxyUploadResult.status < 200 || proxyUploadResult.status >= 300) {
+    throw new Error(`Upload failed with status ${proxyUploadResult.status}`);
+  }
+
+  return parseUploadResponse(proxyUploadResult.responseText);
+}

package/app/utils/pdf-api-client.ts

@@ -0,0 +1,43 @@
+import type { User } from 'firebase/auth';
+
+const PDF_API_BASE = '/api/pdf';
+
+function normalizePath(path: string): string {
+  if (!path) {
+    return '/';
+  }
+
+  return path.startsWith('/') ? path : `/${path}`;
+}
+
+export async function fetchPdfApi(
+  user: User,
+  path: string,
+  init: RequestInit = {}
+): Promise<Response> {
+  const normalizedPath = normalizePath(path);
+  const userWithOptionalToken = user as User & { getIdToken?: () => Promise<string> };
+
+  if (typeof userWithOptionalToken.getIdToken !== 'function') {
+    throw new Error('Unable to authenticate request: missing Firebase token provider');
+  }
+
+  let idToken: string;
+  try {
+    idToken = await userWithOptionalToken.getIdToken();
+  } catch {
+    throw new Error('Unable to authenticate request: failed to retrieve Firebase token');
+  }
+
+  if (!idToken) {
+    throw new Error('Unable to authenticate request: empty Firebase token');
+  }
+
+  const headers = new Headers(init.headers);
+  headers.set('Authorization', `Bearer ${idToken}`);
+
+  return fetch(`${PDF_API_BASE}${normalizedPath}`, {
+    ...init,
+    headers
+  });
+}

package/app/utils/permissions.ts

@@ -1,9 +1,8 @@
 import type { User } from 'firebase/auth';
 import type { UserData, ExtendedUserData, UserLimits, ReadOnlyCaseMetadata } from '~/types';
 import paths from '~/config/config.json';
-import { getUserApiKey } from './auth';
+import { fetchUserApi } from './user-api-client';
 
-const USER_WORKER_URL = paths.user_worker_url;
 const MAX_CASES_REVIEW = paths.max_cases_review;
 const MAX_FILES_PER_CASE_REVIEW = paths.max_files_per_case_review;
 
@@ -32,12 +31,8 @@ export interface CaseMetadata {
  */
 export const getUserData = async (user: User): Promise<UserData | null> => {
   try {
-    const apiKey = await getUserApiKey();
-    const response = await fetch(`${USER_WORKER_URL}/${encodeURIComponent(user.uid)}`, {
+    const response = await fetchUserApi(user, `/${encodeURIComponent(user.uid)}`, {
       method: 'GET',
-      headers: {
-        'X-Custom-Auth-Key': apiKey
-      }
     });
 
     if (response.ok) {
@@ -121,12 +116,10 @@ export const createUser = async (
       createdAt: new Date().toISOString()
     };
 
-    const apiKey = await getUserApiKey();
-    const response = await fetch(`${USER_WORKER_URL}/${encodeURIComponent(user.uid)}`, {
+    const response = await fetchUserApi(user, `/${encodeURIComponent(user.uid)}`, {
       method: 'PUT',
       headers: {
-        'Content-Type': 'application/json',
-        'X-Custom-Auth-Key': apiKey
+        'Content-Type': 'application/json'
       },
       body: JSON.stringify(userData)
     });
@@ -280,12 +273,10 @@ export const updateUserData = async (user: User, updates: Partial<UserData>): Pr
     };
 
     // Perform the update with API key management
-    const apiKey = await getUserApiKey();
-    const response = await fetch(`${USER_WORKER_URL}/${encodeURIComponent(user.uid)}`, {
+    const response = await fetchUserApi(user, `/${encodeURIComponent(user.uid)}`, {
       method: 'PUT',
       headers: {
-        'Content-Type': 'application/json',
-        'X-Custom-Auth-Key': apiKey
+        'Content-Type': 'application/json'
       },
       body: JSON.stringify(updatedUserData)
     });
@@ -489,12 +480,10 @@ export const addUserCase = async (user: User, caseData: CaseMetadata): Promise<v
     }
 
     // Use the dedicated /cases endpoint to add the case
-    const apiKey = await getUserApiKey();
-    const response = await fetch(`${USER_WORKER_URL}/${encodeURIComponent(user.uid)}/cases`, {
+    const response = await fetchUserApi(user, `/${encodeURIComponent(user.uid)}/cases`, {
       method: 'PUT',
       headers: {
-        'Content-Type': 'application/json',
-        'X-Custom-Auth-Key': apiKey
+        'Content-Type': 'application/json'
       },
       body: JSON.stringify({
         cases: [caseData]
@@ -536,12 +525,10 @@ export const removeUserCase = async (user: User, caseNumber: string): Promise<vo
     }
 
     // Use the dedicated /cases DELETE endpoint to remove the case
-    const apiKey = await getUserApiKey();
-    const response = await fetch(`${USER_WORKER_URL}/${encodeURIComponent(user.uid)}/cases`, {
+    const response = await fetchUserApi(user, `/${encodeURIComponent(user.uid)}/cases`, {
       method: 'DELETE',
       headers: {
-        'Content-Type': 'application/json',
-        'X-Custom-Auth-Key': apiKey
+        'Content-Type': 'application/json'
       },
       body: JSON.stringify({
         casesToDelete: [caseNumber]

package/app/utils/signature-utils.ts

@@ -20,6 +20,15 @@ export interface SignatureVerificationMessages {
   verificationFailedError?: string;
 }
 
+export interface SignatureVerificationOptions {
+  verificationPublicKeyPem?: string;
+}
+
+export interface PublicSigningKeyDetails {
+  keyId: string | null;
+  publicKeyPem: string | null;
+}
+
 type ManifestSigningConfig = {
   manifest_signing_public_keys?: Record<string, string>;
   manifest_signing_public_key?: string;
@@ -30,6 +39,63 @@ function normalizePemPublicKey(pem: string): string {
   return pem.replace(/\\n/g, '\n').trim();
 }
 
+function normalizePemOrNull(pem: unknown): string | null {
+  if (typeof pem !== 'string' || pem.trim().length === 0) {
+    return null;
+  }
+
+  return normalizePemPublicKey(pem);
+}
+
+function sanitizeKeyIdForFileName(keyId: string): string {
+  return keyId.trim().replace(/[^a-z0-9_-]+/gi, '-');
+}
+
+export function createPublicSigningKeyFileName(keyId?: string | null): string {
+  if (typeof keyId === 'string' && keyId.trim().length > 0) {
+    return `striae-public-signing-key-${sanitizeKeyIdForFileName(keyId)}.pem`;
+  }
+
+  return 'striae-public-signing-key.pem';
+}
+
+export function getCurrentPublicSigningKeyDetails(): PublicSigningKeyDetails {
+  const config = paths as unknown as ManifestSigningConfig;
+  const configuredKeyId =
+    typeof config.manifest_signing_key_id === 'string' && config.manifest_signing_key_id.trim().length > 0
+      ? config.manifest_signing_key_id
+      : null;
+
+  if (configuredKeyId) {
+    const configuredKey = getVerificationPublicKey(configuredKeyId);
+    if (configuredKey) {
+      return {
+        keyId: configuredKeyId,
+        publicKeyPem: configuredKey
+      };
+    }
+  }
+
+  const keyMap = config.manifest_signing_public_keys;
+  if (keyMap && typeof keyMap === 'object') {
+    const firstConfiguredEntry = Object.entries(keyMap).find(
+      ([, value]) => typeof value === 'string' && value.trim().length > 0
+    );
+
+    if (firstConfiguredEntry) {
+      return {
+        keyId: firstConfiguredEntry[0],
+        publicKeyPem: normalizePemPublicKey(firstConfiguredEntry[1])
+      };
+    }
+  }
+
+  return {
+    keyId: null,
+    publicKeyPem: normalizePemOrNull(config.manifest_signing_public_key)
+  };
+}
+
 function publicKeyPemToArrayBuffer(publicKeyPem: string, invalidPublicKeyError: string): ArrayBuffer {
   const normalized = normalizePemPublicKey(publicKeyPem);
   const pemBody = normalized
@@ -71,7 +137,7 @@ export function getVerificationPublicKey(keyId: string): string | null {
   if (keyMap && typeof keyMap === 'object') {
     const mappedKey = keyMap[keyId];
     if (typeof mappedKey === 'string' && mappedKey.trim().length > 0) {
-      return mappedKey;
+      return normalizePemPublicKey(mappedKey);
     }
   }
 
@@ -81,7 +147,7 @@ export function getVerificationPublicKey(keyId: string): string | null {
     typeof config.manifest_signing_public_key === 'string' &&
     config.manifest_signing_public_key.trim().length > 0
   ) {
-    return config.manifest_signing_public_key;
+    return normalizePemPublicKey(config.manifest_signing_public_key);
   }
 
   return null;
@@ -91,7 +157,8 @@ export async function verifySignaturePayload(
   payload: string,
   signature: SignatureEnvelope,
   expectedAlgorithm: string,
-  messages: SignatureVerificationMessages = {}
+  messages: SignatureVerificationMessages = {},
+  options: SignatureVerificationOptions = {}
 ): Promise<SignatureVerificationResult> {
   if (signature.algorithm !== expectedAlgorithm) {
     return {
@@ -108,7 +175,10 @@ export async function verifySignaturePayload(
     };
   }
 
-  const publicKeyPem = getVerificationPublicKey(signature.keyId);
+  const publicKeyPem =
+    typeof options.verificationPublicKeyPem === 'string' && options.verificationPublicKeyPem.trim().length > 0
+      ? options.verificationPublicKeyPem
+      : getVerificationPublicKey(signature.keyId);
   if (!publicKeyPem) {
     return {
       isValid: false,

package/app/utils/user-api-client.ts

@@ -0,0 +1,90 @@
+import type { User } from 'firebase/auth';
+
+const USER_API_BASE = '/api/user';
+const USER_EXISTS_API_BASE = '/api/user/exists';
+
+function normalizePath(path: string): string {
+  if (!path) {
+    return '/';
+  }
+
+  return path.startsWith('/') ? path : `/${path}`;
+}
+
+export async function fetchUserApi(
+  user: User,
+  path: string,
+  init: RequestInit = {}
+): Promise<Response> {
+  const normalizedPath = normalizePath(path);
+  const userWithOptionalToken = user as User & { getIdToken?: () => Promise<string> };
+
+  if (typeof userWithOptionalToken.getIdToken !== 'function') {
+    throw new Error('Unable to authenticate request: missing Firebase token provider');
+  }
+
+  let idToken: string;
+  try {
+    idToken = await userWithOptionalToken.getIdToken();
+  } catch {
+    throw new Error('Unable to authenticate request: failed to retrieve Firebase token');
+  }
+
+  if (!idToken) {
+    throw new Error('Unable to authenticate request: empty Firebase token');
+  }
+
+  const headers = new Headers(init.headers);
+  headers.set('Authorization', `Bearer ${idToken}`);
+
+  return fetch(`${USER_API_BASE}${normalizedPath}`, {
+    ...init,
+    headers
+  });
+}
+
+export async function checkUserExistsApi(user: User, targetUid: string): Promise<boolean> {
+  const encodedTargetUid = encodeURIComponent(targetUid);
+  const userWithOptionalToken = user as User & { getIdToken?: () => Promise<string> };
+
+  if (typeof userWithOptionalToken.getIdToken !== 'function') {
+    throw new Error('Unable to authenticate request: missing Firebase token provider');
+  }
+
+  let idToken: string;
+  try {
+    idToken = await userWithOptionalToken.getIdToken();
+  } catch {
+    throw new Error('Unable to authenticate request: failed to retrieve Firebase token');
+  }
+
+  if (!idToken) {
+    throw new Error('Unable to authenticate request: empty Firebase token');
+  }
+
+  const proxyResponse = await fetch(`${USER_EXISTS_API_BASE}/${encodedTargetUid}`, {
+    method: 'GET',
+    headers: {
+      'Authorization': `Bearer ${idToken}`,
+      'Accept': 'application/json'
+    }
+  });
+
+  if (proxyResponse.status === 404) {
+    return false;
+  }
+
+  if (!proxyResponse.ok) {
+    throw new Error(`Failed to verify user existence: ${proxyResponse.status}`);
+  }
+
+  const responseData = await proxyResponse.json().catch(() => null) as {
+    exists?: boolean;
+  } | null;
+
+  if (typeof responseData?.exists === 'boolean') {
+    return responseData.exists;
+  }
+
+  return true;
+}