@striae-org/striae 4.1.0 → 4.2.1

package/app/utils/data/operations/file-annotation-operations.ts

@@ -0,0 +1,196 @@
+import type { User } from 'firebase/auth';
+import type { AnnotationData } from '~/types';
+
+import { fetchDataApi } from '../../api';
+import { canAccessCase, canModifyCase, validateUserSession } from '../permissions';
+import { removeFileConfirmationSummary, upsertFileConfirmationSummary } from './confirmation-summary-operations';
+import type { DataOperationOptions } from './types';
+
+/**
+ * Get file annotation data from R2 storage.
+ */
+export const getFileAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string
+): Promise<AnnotationData | null> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Access denied: ${accessCheck.reason}`);
+    }
+
+    if (!fileId || typeof fileId !== 'string') {
+      throw new Error('Invalid file ID provided');
+    }
+
+    const response = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'GET'
+      }
+    );
+
+    if (response.status === 404) {
+      return null;
+    }
+
+    if (!response.ok) {
+      throw new Error(`Failed to fetch file annotations: ${response.status} ${response.statusText}`);
+    }
+
+    return await response.json() as AnnotationData;
+  } catch (error) {
+    console.error(`Error fetching annotations for ${caseNumber}/${fileId}:`, error);
+    return null;
+  }
+};
+
+/**
+ * Save file annotation data to R2 storage.
+ */
+export const saveFileAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string,
+  annotationData: AnnotationData,
+  options: DataOperationOptions = {}
+): Promise<void> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    if (options.skipValidation !== true) {
+      const modifyCheck = await canModifyCase(user, caseNumber);
+      if (!modifyCheck.allowed) {
+        throw new Error(`Modification denied: ${modifyCheck.reason}`);
+      }
+    }
+
+    if (!fileId || typeof fileId !== 'string') {
+      throw new Error('Invalid file ID provided');
+    }
+
+    if (!annotationData || typeof annotationData !== 'object') {
+      throw new Error('Invalid annotation data provided');
+    }
+
+    // Enforce immutability once confirmation data exists on an image.
+    const existingResponse = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'GET'
+      }
+    );
+
+    if (existingResponse.ok) {
+      const existingAnnotations = await existingResponse.json() as AnnotationData;
+      if (existingAnnotations?.confirmationData) {
+        throw new Error('Cannot modify annotations for a confirmed image');
+      }
+    } else if (existingResponse.status !== 404) {
+      throw new Error(`Failed to verify existing annotations: ${existingResponse.status} ${existingResponse.statusText}`);
+    }
+
+    const dataToSave = {
+      ...annotationData,
+      updatedAt: new Date().toISOString()
+    };
+
+    const response = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'PUT',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify(dataToSave)
+      }
+    );
+
+    if (!response.ok) {
+      throw new Error(`Failed to save file annotations: ${response.status} ${response.statusText}`);
+    }
+
+    try {
+      await upsertFileConfirmationSummary(user, caseNumber, fileId, dataToSave);
+    } catch (summaryError) {
+      console.warn(`Failed to update confirmation summary for ${caseNumber}/${fileId}:`, summaryError);
+    }
+  } catch (error) {
+    console.error(`Error saving annotations for ${caseNumber}/${fileId}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Delete file annotation data from R2 storage.
+ */
+export const deleteFileAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string,
+  options: { skipValidation?: boolean } = {}
+): Promise<void> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    if (options.skipValidation !== true) {
+      const modifyCheck = await canModifyCase(user, caseNumber);
+      if (!modifyCheck.allowed) {
+        throw new Error(`Delete denied: ${modifyCheck.reason}`);
+      }
+    }
+
+    const response = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'DELETE'
+      }
+    );
+
+    if (!response.ok && response.status !== 404) {
+      throw new Error(`Failed to delete file annotations: ${response.status} ${response.statusText}`);
+    }
+
+    try {
+      await removeFileConfirmationSummary(user, caseNumber, fileId);
+    } catch (summaryError) {
+      console.warn(`Failed to update confirmation summary after delete for ${caseNumber}/${fileId}:`, summaryError);
+    }
+  } catch (error) {
+    console.error(`Error deleting annotations for ${caseNumber}/${fileId}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Check if a file has annotations.
+ */
+export const fileHasAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string
+): Promise<boolean> => {
+  try {
+    const annotations = await getFileAnnotations(user, caseNumber, fileId);
+    return annotations !== null;
+  } catch (error) {
+    console.error(`Error checking annotations for ${caseNumber}/${fileId}:`, error);
+    return false;
+  }
+};

package/app/utils/data/operations/index.ts

@@ -0,0 +1,7 @@
+export * from './types';
+export * from './confirmation-summary-operations';
+export * from './case-operations';
+export * from './file-annotation-operations';
+export * from './batch-operations';
+export * from './validation-operations';
+export * from './signing-operations';

package/app/utils/data/operations/signing-operations.ts

@@ -0,0 +1,225 @@
+import type { User } from 'firebase/auth';
+import type { ConfirmationImportData } from '~/types';
+
+import { fetchDataApi } from '../../api';
+import {
+  AUDIT_EXPORT_SIGNATURE_VERSION,
+  type AuditExportSigningPayload,
+  isValidAuditExportSigningPayload
+} from '../../forensics/audit-export-signature';
+import { CONFIRMATION_SIGNATURE_VERSION } from '../../forensics/confirmation-signature';
+import {
+  type ForensicManifestData,
+  type ForensicManifestSignature,
+  FORENSIC_MANIFEST_VERSION
+} from '../../forensics/SHA256';
+import { canAccessCase, validateUserSession } from '../permissions';
+import type {
+  AuditExportSigningResponse,
+  ConfirmationSigningResponse,
+  ManifestSigningResponse
+} from './types';
+
+/**
+ * Request a server-side signature for a forensic manifest.
+ */
+export const signForensicManifest = async (
+  user: User,
+  caseNumber: string,
+  manifest: ForensicManifestData
+): Promise<ManifestSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Manifest signing denied: ${accessCheck.reason}`);
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-manifest', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        manifest
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      manifestVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign forensic manifest: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.manifestVersion) {
+      throw new Error('Invalid manifest signing response from data worker');
+    }
+
+    if (responseData.manifestVersion !== FORENSIC_MANIFEST_VERSION) {
+      throw new Error(
+        `Unexpected manifest version from signer: ${responseData.manifestVersion}`
+      );
+    }
+
+    return {
+      manifestVersion: responseData.manifestVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error(`Error signing forensic manifest for ${caseNumber}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Request a server-side signature for confirmation export data.
+ */
+export const signConfirmationData = async (
+  user: User,
+  caseNumber: string,
+  confirmationData: ConfirmationImportData
+): Promise<ConfirmationSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Confirmation signing denied: ${accessCheck.reason}`);
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-confirmation', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        confirmationData,
+        signatureVersion: CONFIRMATION_SIGNATURE_VERSION
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      signatureVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign confirmation data: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.signatureVersion) {
+      throw new Error('Invalid confirmation signing response from data worker');
+    }
+
+    if (responseData.signatureVersion !== CONFIRMATION_SIGNATURE_VERSION) {
+      throw new Error(
+        `Unexpected confirmation signature version from signer: ${responseData.signatureVersion}`
+      );
+    }
+
+    return {
+      signatureVersion: responseData.signatureVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error(`Error signing confirmation data for ${caseNumber}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Request a server-side signature for audit export metadata.
+ */
+export const signAuditExportData = async (
+  user: User,
+  auditExport: AuditExportSigningPayload,
+  options: { caseNumber?: string } = {}
+): Promise<AuditExportSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    if (!isValidAuditExportSigningPayload(auditExport)) {
+      throw new Error('Invalid audit export payload for signing');
+    }
+
+    const caseNumber = options.caseNumber;
+    if (caseNumber) {
+      const accessCheck = await canAccessCase(user, caseNumber);
+      if (!accessCheck.allowed) {
+        throw new Error(`Audit export signing denied: ${accessCheck.reason}`);
+      }
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-audit-export', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        auditExport,
+        signatureVersion: AUDIT_EXPORT_SIGNATURE_VERSION
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      signatureVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign audit export data: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.signatureVersion) {
+      throw new Error('Invalid audit export signing response from data worker');
+    }
+
+    if (responseData.signatureVersion !== AUDIT_EXPORT_SIGNATURE_VERSION) {
+      throw new Error(
+        `Unexpected audit export signature version from signer: ${responseData.signatureVersion}`
+      );
+    }
+
+    return {
+      signatureVersion: responseData.signatureVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error('Error signing audit export data:', error);
+    throw error;
+  }
+};

package/app/utils/data/operations/types.ts

@@ -0,0 +1,42 @@
+import type { User } from 'firebase/auth';
+import type { ForensicManifestSignature } from '~/utils/forensics/SHA256';
+
+import type { AnnotationData } from '~/types';
+
+export interface DataAccessResult {
+  allowed: boolean;
+  reason?: string;
+}
+
+export interface FileUpdate {
+  fileId: string;
+  annotations: AnnotationData;
+}
+
+export interface BatchUpdateResult {
+  successful: string[];
+  failed: { fileId: string; error: string }[];
+}
+
+export interface DataOperationOptions {
+  includeTimestamp?: boolean;
+  retryCount?: number;
+  skipValidation?: boolean;
+}
+
+export interface ManifestSigningResponse {
+  manifestVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export interface ConfirmationSigningResponse {
+  signatureVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export interface AuditExportSigningResponse {
+  signatureVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export type DataOperation<T> = (user: User, ...args: unknown[]) => Promise<T>;

package/app/utils/data/operations/validation-operations.ts

@@ -0,0 +1,48 @@
+import type { User } from 'firebase/auth';
+
+import { canAccessCase, validateUserSession } from '../permissions';
+import type { DataAccessResult, DataOperation } from './types';
+
+/**
+ * Validate data access permissions for a user and case.
+ */
+export const validateDataAccess = async (
+  user: User,
+  caseNumber: string
+): Promise<DataAccessResult> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      return { allowed: false, reason: sessionValidation.reason };
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      return { allowed: false, reason: accessCheck.reason };
+    }
+
+    return { allowed: true };
+  } catch (error) {
+    console.error('Error validating data access:', error);
+    return { allowed: false, reason: 'Access validation failed' };
+  }
+};
+
+/**
+ * Higher-order function for consistent data operation patterns.
+ */
+export const withDataOperation = <T>(
+  operation: DataOperation<T>
+) => async (user: User, ...args: unknown[]): Promise<T> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Operation failed: ${sessionValidation.reason}`);
+    }
+
+    return await operation(user, ...args);
+  } catch (error) {
+    console.error('Data operation failed:', error);
+    throw error;
+  }
+};

package/app/utils/data/permissions.ts

@@ -1,7 +1,7 @@
 import type { User } from 'firebase/auth';
 import type { UserData, ExtendedUserData, UserLimits, ReadOnlyCaseMetadata } from '~/types';
 import paths from '~/config/config.json';
-import { fetchUserApi } from '../api';
+import { fetchDataApi, fetchUserApi } from '../api';
 
 const MAX_CASES_REVIEW = paths.max_cases_review;
 const MAX_FILES_PER_CASE_REVIEW = paths.max_files_per_case_review;
@@ -403,6 +403,21 @@ export const canModifyCase = async (user: User, caseNumber: string): Promise<Per
       return { allowed: false, reason: 'User data not found' };
     }
 
+    const archiveCheckResponse = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/data.json`,
+      {
+        method: 'GET'
+      }
+    );
+
+    if (archiveCheckResponse.ok) {
+      const caseData = await archiveCheckResponse.json() as { archived?: boolean };
+      if (caseData.archived) {
+        return { allowed: false, reason: 'Archived cases are immutable and read-only' };
+      }
+    }
+
     // Check if user owns the case (regular cases)
     if (userData.cases && userData.cases.some(c => c.caseNumber === caseNumber)) {
       // For owned cases, user must be permitted

package/app/utils/forensics/audit-export-signature.ts

@@ -83,7 +83,8 @@ export function createAuditExportSigningPayload(payload: AuditExportSigningPaylo
 
 export async function verifyAuditExportSignature(
   payload: Partial<AuditExportSigningPayload>,
-  signature?: ForensicManifestSignature
+  signature?: ForensicManifestSignature,
+  verificationPublicKeyPem?: string
 ): Promise<ManifestSignatureVerificationResult> {
   if (!signature) {
     return {
@@ -112,6 +113,9 @@ export async function verifyAuditExportSignature(
       noVerificationKeyPrefix: 'No verification key configured for key ID',
       invalidPublicKeyError: 'Audit export signature verification failed: invalid public key',
       verificationFailedError: 'Audit export signature verification failed'
+    },
+    {
+      verificationPublicKeyPem
     }
   );
 }

package/app/utils/forensics/confirmation-signature.ts

@@ -134,6 +134,9 @@ export function createConfirmationSigningPayload(
       exportedByUid: confirmationData.metadata.exportedByUid,
       exportedByName: confirmationData.metadata.exportedByName,
       exportedByCompany: confirmationData.metadata.exportedByCompany,
+      ...(confirmationData.metadata.exportedByBadgeId
+        ? { exportedByBadgeId: confirmationData.metadata.exportedByBadgeId }
+        : {}),
       totalConfirmations: confirmationData.metadata.totalConfirmations,
       version: confirmationData.metadata.version,
       hash: confirmationData.metadata.hash.toUpperCase(),