@striae-org/striae 4.1.0 → 4.2.1

package/app/utils/forensics/export-verification.ts

@@ -1,22 +1,74 @@
 import { type ConfirmationImportData } from '~/types';
 import {
   extractForensicManifestData,
+  type ManifestSignatureVerificationResult,
   type SignedForensicManifest,
   calculateSHA256Secure,
   validateCaseIntegritySecure,
   verifyForensicManifestSignature
 } from './SHA256';
+import {
+  type AuditExportSigningPayload,
+  verifyAuditExportSignature
+} from './audit-export-signature';
 import { verifyConfirmationSignature } from './confirmation-signature';
 
 export interface ExportVerificationResult {
   isValid: boolean;
   message: string;
-  exportType?: 'case-zip' | 'confirmation';
+  exportType?: 'case-zip' | 'confirmation' | 'audit-json';
 }
 
 const CASE_EXPORT_FILE_REGEX = /_data\.(json|csv)$/i;
 const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
 
+interface BundledAuditExportFile {
+  metadata?: {
+    exportTimestamp?: string;
+    exportVersion?: string;
+    totalEntries?: number;
+    application?: string;
+    exportType?: 'entries' | 'trail' | 'report';
+    scopeType?: 'case' | 'user';
+    scopeIdentifier?: string;
+    hash?: string;
+    signatureVersion?: string;
+    signatureMetadata?: Partial<AuditExportSigningPayload>;
+    signature?: {
+      algorithm: string;
+      keyId: string;
+      signedAt: string;
+      value: string;
+    };
+  };
+  auditTrail?: unknown;
+  auditEntries?: unknown;
+}
+
+interface StandaloneAuditExportFile extends BundledAuditExportFile {
+  metadata?: BundledAuditExportFile['metadata'] & {
+    integrityNote?: string;
+  };
+}
+
+export interface CasePackageIntegrityInput {
+  cleanedContent: string;
+  imageFiles: Record<string, Blob>;
+  forensicManifest: SignedForensicManifest;
+  verificationPublicKeyPem?: string;
+  bundledAuditFiles?: {
+    auditTrailContent?: string;
+    auditSignatureContent?: string;
+  };
+}
+
+export interface CasePackageIntegrityResult {
+  isValid: boolean;
+  signatureResult: ManifestSignatureVerificationResult;
+  integrityResult: Awaited<ReturnType<typeof validateCaseIntegritySecure>>;
+  bundledAuditVerification: ExportVerificationResult | null;
+}
+
 function createVerificationResult(
   isValid: boolean,
   message: string,
@@ -31,7 +83,7 @@ function createVerificationResult(
 
 function getSignatureFailureMessage(
   error: string | undefined,
-  targetLabel: 'export ZIP' | 'confirmation file'
+  targetLabel: 'export ZIP' | 'confirmation file' | 'audit export'
 ): string {
   if (error?.includes('invalid public key')) {
     return 'The selected PEM file is not a valid public key.';
@@ -62,6 +114,249 @@ function isConfirmationImportCandidate(candidate: unknown): candidate is Partial
   );
 }
 
+function isAuditExportCandidate(candidate: unknown): candidate is StandaloneAuditExportFile {
+  if (!candidate || typeof candidate !== 'object') {
+    return false;
+  }
+
+  const auditCandidate = candidate as StandaloneAuditExportFile;
+  const metadata = auditCandidate.metadata;
+
+  if (!metadata || typeof metadata !== 'object') {
+    return false;
+  }
+
+  return (
+    typeof metadata.exportTimestamp === 'string' &&
+    typeof metadata.exportType === 'string' &&
+    typeof metadata.scopeType === 'string' &&
+    typeof metadata.scopeIdentifier === 'string' &&
+    typeof metadata.hash === 'string' &&
+    !!metadata.signature &&
+    (auditCandidate.auditTrail !== undefined || auditCandidate.auditEntries !== undefined)
+  );
+}
+
+async function verifyAuditExportContent(
+  fileContent: string,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  try {
+    const parsedContent = JSON.parse(fileContent) as unknown;
+
+    if (!isAuditExportCandidate(parsedContent)) {
+      return createVerificationResult(
+        false,
+        'The JSON file is not a supported Striae audit export.',
+        'audit-json'
+      );
+    }
+
+    const auditExport = parsedContent as StandaloneAuditExportFile;
+    const metadata = auditExport.metadata!;
+
+    const unsignedAuditExport = auditExport.auditTrail !== undefined
+      ? {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditTrail: auditExport.auditTrail,
+        }
+      : {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditEntries: auditExport.auditEntries,
+        };
+
+    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+    const hashValid = recalculatedHash.toUpperCase() === metadata.hash!.toUpperCase();
+
+    const signaturePayload: Partial<AuditExportSigningPayload> = {
+      signatureVersion: metadata.signatureVersion,
+      exportFormat: 'json',
+      exportType: metadata.exportType,
+      scopeType: metadata.scopeType,
+      scopeIdentifier: metadata.scopeIdentifier,
+      generatedAt: metadata.exportTimestamp,
+      totalEntries: metadata.totalEntries,
+      hash: metadata.hash,
+    };
+
+    const signatureResult = await verifyAuditExportSignature(
+      signaturePayload,
+      metadata.signature,
+      verificationPublicKeyPem
+    );
+
+    if (hashValid && signatureResult.isValid) {
+      return createVerificationResult(
+        true,
+        'The audit export passed signature and integrity verification.',
+        'audit-json'
+      );
+    }
+
+    if (!hashValid && !signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        'The audit export failed signature and integrity verification.',
+        'audit-json'
+      );
+    }
+
+    if (!signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureResult.error, 'audit export'),
+        'audit-json'
+      );
+    }
+
+    return createVerificationResult(
+      false,
+      'The audit export failed integrity verification.',
+      'audit-json'
+    );
+  } catch {
+    return createVerificationResult(
+      false,
+      'The JSON file could not be read as a supported Striae audit export.',
+      'audit-json'
+    );
+  }
+}
+
+export async function verifyBundledAuditExport(
+  zip: {
+    file: (path: string) => { async: (type: 'text') => Promise<string> } | null;
+  },
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult | null> {
+  const auditTrailContent = await zip.file('audit/case-audit-trail.json')?.async('text');
+  const auditSignatureContent = await zip.file('audit/case-audit-signature.json')?.async('text');
+
+  if (!auditTrailContent && !auditSignatureContent) {
+    return null;
+  }
+
+  if (!auditTrailContent || !auditSignatureContent) {
+    return createVerificationResult(
+      false,
+      'The archive ZIP contains incomplete bundled audit verification files.',
+      'case-zip'
+    );
+  }
+
+  try {
+    const auditTrailExport = JSON.parse(auditTrailContent) as BundledAuditExportFile;
+    const auditSignatureExport = JSON.parse(auditSignatureContent) as {
+      signatureMetadata?: Partial<AuditExportSigningPayload>;
+      signature?: NonNullable<BundledAuditExportFile['metadata']>['signature'];
+    };
+
+    const metadata = auditTrailExport.metadata;
+    if (!metadata?.signature || typeof metadata.hash !== 'string') {
+      return createVerificationResult(
+        false,
+        'The bundled audit export is missing required hash or signature metadata.',
+        'case-zip'
+      );
+    }
+
+    const unsignedAuditExport = auditTrailExport.auditTrail !== undefined
+      ? {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditTrail: auditTrailExport.auditTrail,
+        }
+      : {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditEntries: auditTrailExport.auditEntries,
+        };
+
+    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+    if (recalculatedHash.toUpperCase() !== metadata.hash.toUpperCase()) {
+      return createVerificationResult(
+        false,
+        'The bundled audit export failed integrity verification.',
+        'case-zip'
+      );
+    }
+
+    const embeddedSignaturePayload: Partial<AuditExportSigningPayload> = metadata.signatureMetadata ?? {
+      signatureVersion: metadata.signatureVersion,
+      exportFormat: 'json',
+      exportType: metadata.exportType,
+      scopeType: metadata.scopeType,
+      scopeIdentifier: metadata.scopeIdentifier,
+      generatedAt: metadata.exportTimestamp,
+      totalEntries: metadata.totalEntries,
+      hash: metadata.hash,
+    };
+
+    const signatureVerification = await verifyAuditExportSignature(
+      embeddedSignaturePayload,
+      metadata.signature,
+      verificationPublicKeyPem
+    );
+
+    if (!signatureVerification.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureVerification.error, 'export ZIP'),
+        'case-zip'
+      );
+    }
+
+    if (
+      JSON.stringify(auditSignatureExport.signatureMetadata ?? null) !== JSON.stringify(metadata.signatureMetadata ?? null) ||
+      JSON.stringify(auditSignatureExport.signature ?? null) !== JSON.stringify(metadata.signature ?? null)
+    ) {
+      return createVerificationResult(
+        false,
+        'The bundled audit signature artifact does not match the signed audit export.',
+        'case-zip'
+      );
+    }
+
+    return null;
+  } catch {
+    return createVerificationResult(
+      false,
+      'The bundled audit export could not be parsed for verification.',
+      'case-zip'
+    );
+  }
+}
+
 /**
  * Remove forensic warning from content for hash validation.
  * Supports the warning formats added to JSON and CSV case exports.
@@ -174,8 +469,26 @@ async function verifyCaseZipExport(
       })
     );
 
-    const signatureResult = await verifyForensicManifestSignature(forensicManifest, verificationPublicKeyPem);
-    const integrityResult = await validateCaseIntegritySecure(cleanedContent, imageFiles, manifestData);
+    const bundledAuditFiles = {
+      auditTrailContent: await zip.file('audit/case-audit-trail.json')?.async('text'),
+      auditSignatureContent: await zip.file('audit/case-audit-signature.json')?.async('text')
+    };
+
+    const casePackageResult = await verifyCasePackageIntegrity({
+      cleanedContent,
+      imageFiles,
+      forensicManifest,
+      verificationPublicKeyPem,
+      bundledAuditFiles
+    });
+
+    const signatureResult = casePackageResult.signatureResult;
+    const integrityResult = casePackageResult.integrityResult;
+    const bundledAuditVerification = casePackageResult.bundledAuditVerification;
+
+    if (bundledAuditVerification) {
+      return bundledAuditVerification;
+    }
 
     if (signatureResult.isValid && integrityResult.isValid) {
       return createVerificationResult(
@@ -211,22 +524,6 @@ async function verifyCaseZipExport(
   }
 }
 
-async function verifyConfirmationExport(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  try {
-    const fileContent = await file.text();
-    return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
-  } catch {
-    return createVerificationResult(
-      false,
-      'The JSON file could not be read as a supported Striae confirmation export.',
-      'confirmation'
-    );
-  }
-}
-
 async function verifyConfirmationContent(
   fileContent: string,
   verificationPublicKeyPem: string
@@ -343,11 +640,118 @@ export async function verifyExportFile(
   }
 
   if (lowerName.endsWith('.json')) {
-    return verifyConfirmationExport(file, verificationPublicKeyPem);
+    try {
+      const fileContent = await file.text();
+      const parsedContent = JSON.parse(fileContent) as unknown;
+
+      if (isConfirmationImportCandidate(parsedContent)) {
+        return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
+      }
+
+      if (isAuditExportCandidate(parsedContent)) {
+        return verifyAuditExportContent(fileContent, verificationPublicKeyPem);
+      }
+
+      return createVerificationResult(
+        false,
+        'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
+      );
+    } catch {
+      return createVerificationResult(
+        false,
+        'The JSON file could not be read as a supported Striae confirmation or audit export.'
+      );
+    }
   }
 
   return createVerificationResult(
     false,
-    'Select a confirmation JSON/ZIP file or a case export ZIP file.'
+    'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
+  );
+}
+
+export async function verifyCasePackageIntegrity(
+  input: CasePackageIntegrityInput
+): Promise<CasePackageIntegrityResult> {
+  const manifestData = extractForensicManifestData(input.forensicManifest);
+  const verificationPublicKeyPem = input.verificationPublicKeyPem;
+
+  if (!manifestData) {
+    return {
+      isValid: false,
+      signatureResult: {
+        isValid: false,
+        error: 'Forensic manifest structure is invalid'
+      },
+      integrityResult: {
+        isValid: false,
+        dataValid: false,
+        imageValidation: {},
+        manifestValid: false,
+        errors: ['Forensic manifest structure is invalid'],
+        summary: 'Manifest validation failed'
+      },
+      bundledAuditVerification: null
+    };
+  }
+
+  if (!verificationPublicKeyPem) {
+    return {
+      isValid: false,
+      signatureResult: {
+        isValid: false,
+        error: 'Missing verification public key'
+      },
+      integrityResult: {
+        isValid: false,
+        dataValid: false,
+        imageValidation: {},
+        manifestValid: false,
+        errors: ['Missing verification public key'],
+        summary: 'Manifest validation failed'
+      },
+      bundledAuditVerification: null
+    };
+  }
+
+  const signatureResult = await verifyForensicManifestSignature(
+    input.forensicManifest,
+    verificationPublicKeyPem
+  );
+
+  const integrityResult = await validateCaseIntegritySecure(
+    input.cleanedContent,
+    input.imageFiles,
+    manifestData
   );
+
+  const bundledAuditVerification = input.bundledAuditFiles
+    ? await verifyBundledAuditExport(
+        {
+          file: (path: string) => {
+            const content = path === 'audit/case-audit-trail.json'
+              ? input.bundledAuditFiles?.auditTrailContent
+              : path === 'audit/case-audit-signature.json'
+                ? input.bundledAuditFiles?.auditSignatureContent
+                : undefined;
+
+            if (content === undefined) {
+              return null;
+            }
+
+            return {
+              async: async () => content,
+            };
+          }
+        },
+        verificationPublicKeyPem
+      )
+    : null;
+
+  return {
+    isValid: signatureResult.isValid && integrityResult.isValid && !bundledAuditVerification,
+    signatureResult,
+    integrityResult,
+    bundledAuditVerification
+  };
 }

package/functions/api/_shared/firebase-auth.ts

@@ -1,5 +1,3 @@
-import firebaseConfig from '../../../app/config/firebase';
-
 interface FirebaseJwtHeader {
   alg?: string;
   kid?: string;
@@ -31,8 +29,6 @@ const GOOGLE_SECURETOKEN_JWKS_URL =
   'https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com';
 const DEFAULT_JWKS_CACHE_SECONDS = 300;
 const CLOCK_SKEW_SECONDS = 300;
-const FALLBACK_PROJECT_ID =
-  typeof firebaseConfig.projectId === 'string' ? firebaseConfig.projectId.trim() : '';
 
 const textEncoder = new TextEncoder();
 const textDecoder = new TextDecoder();
@@ -156,12 +152,11 @@ async function verifyTokenSignature(
 
 function validateTokenClaims(payload: FirebaseJwtPayload, env: Env): boolean {
   const configuredProjectId = typeof env.PROJECT_ID === 'string' ? env.PROJECT_ID.trim() : '';
-  const allowedProjectIds = new Set([configuredProjectId, FALLBACK_PROJECT_ID].filter(Boolean));
-  if (allowedProjectIds.size === 0) {
+  if (configuredProjectId.length === 0) {
     return false;
   }
 
-  if (typeof payload.aud !== 'string' || !allowedProjectIds.has(payload.aud)) {
+  if (typeof payload.aud !== 'string' || payload.aud !== configuredProjectId) {
     return false;
   }
 

package/functions/api/image/[[path]].ts

@@ -30,44 +30,37 @@ function normalizeWorkerBaseUrl(workerDomain: string): string {
   return `https://${trimmedDomain}`;
 }
 
-function extractProxyPath(url: URL): string | null {
+type ProxyPathResult =
+  | { ok: true; path: string }
+  | { ok: false; reason: 'not-found' | 'bad-encoding' };
+
+function extractProxyPath(url: URL): ProxyPathResult {
   const routePrefix = '/api/image';
   if (!url.pathname.startsWith(routePrefix)) {
-    return null;
+    return { ok: false, reason: 'not-found' };
   }
 
   const remainder = url.pathname.slice(routePrefix.length);
   if (remainder.length === 0) {
-    return '/';
+    return { ok: true, path: '/' };
   }
 
   const normalizedRemainder = remainder.startsWith('/') ? remainder : `/${remainder}`;
   const encodedPath = normalizedRemainder.slice(1);
+  if (encodedPath.length === 0) {
+    return { ok: true, path: normalizedRemainder };
+  }
 
   try {
     const decodedPath = decodeURIComponent(encodedPath);
-    if (decodedPath.length > 0) {
-      return decodedPath.startsWith('/') ? decodedPath : `/${decodedPath}`;
-    }
+    return { ok: true, path: decodedPath.startsWith('/') ? decodedPath : `/${decodedPath}` };
   } catch {
-    // Keep legacy behavior for non-encoded paths.
+    return { ok: false, reason: 'bad-encoding' };
   }
-
-  return normalizedRemainder;
 }
 
 function resolveImageWorkerToken(env: Env): string {
-  const imageToken = typeof env.IMAGES_API_TOKEN === 'string' ? env.IMAGES_API_TOKEN.trim() : '';
-  if (imageToken.length > 0) {
-    return imageToken;
-  }
-
-  const apiToken = typeof env.API_TOKEN === 'string' ? env.API_TOKEN.trim() : '';
-  if (apiToken.length > 0) {
-    return apiToken;
-  }
-
-  return '';
+  return typeof env.IMAGES_API_TOKEN === 'string' ? env.IMAGES_API_TOKEN.trim() : '';
 }
 
 export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Response> => {
@@ -91,11 +84,15 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
   }
 
   const requestUrl = new URL(request.url);
-  const proxyPath = extractProxyPath(requestUrl);
-  if (!proxyPath) {
-    return textResponse('Not Found', 404);
+  const proxyPathResult = extractProxyPath(requestUrl);
+  if (!proxyPathResult.ok) {
+    return proxyPathResult.reason === 'bad-encoding'
+      ? textResponse('Bad Request: malformed image path encoding', 400)
+      : textResponse('Not Found', 404);
   }
 
+  const proxyPath = proxyPathResult.path;
+
   const imageWorkerToken = resolveImageWorkerToken(env);
   if (!env.IMAGES_WORKER_DOMAIN || !imageWorkerToken) {
     return textResponse('Image service not configured', 502);

package/functions/api/pdf/[[path]].ts

@@ -9,6 +9,10 @@ const SUPPORTED_METHODS = new Set(['POST', 'OPTIONS']);
 const PRIMERSHEAR_FORMAT = 'primershear';
 const DEFAULT_FORMAT = 'striae';
 
+interface PdfProxyRequestBody {
+  data: Record<string, unknown>;
+}
+
 function textResponse(message: string, status: number): Response {
   return new Response(message, {
     status,
@@ -48,6 +52,21 @@ function resolveReportFormat(email: string | null, primershearEmails: string): s
   return allowed.includes(email.toLowerCase()) ? PRIMERSHEAR_FORMAT : DEFAULT_FORMAT;
 }
 
+function parsePdfProxyRequestBody(payload: unknown): PdfProxyRequestBody | null {
+  if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+    return null;
+  }
+
+  const record = payload as Record<string, unknown>;
+  if (!record.data || typeof record.data !== 'object' || Array.isArray(record.data)) {
+    return null;
+  }
+
+  return {
+    data: record.data as Record<string, unknown>
+  };
+}
+
 export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Response> => {
   if (!SUPPORTED_METHODS.has(request.method)) {
     return textResponse('Method not allowed', 405);
@@ -103,15 +122,15 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   let upstreamBody: BodyInit;
   try {
-    const payload = await request.json() as Record<string, unknown>;
-    // Inject the server-resolved format, overriding any client-supplied value.
-    if (payload.data && typeof payload.data === 'object') {
-      payload.reportFormat = reportFormat;
-    } else {
-      // Legacy flat payload shape
-      payload.reportFormat = reportFormat;
+    const payload = parsePdfProxyRequestBody(await request.json());
+    if (!payload) {
+      return textResponse('Invalid PDF request body', 400);
     }
-    upstreamBody = JSON.stringify(payload);
+
+    upstreamBody = JSON.stringify({
+      data: payload.data,
+      reportFormat
+    });
     upstreamHeaders.set('Content-Type', 'application/json');
   } catch {
     return textResponse('Invalid request body', 400);