@striae-org/striae 4.2.0 → 4.3.0

package/app/utils/data/operations/signing-operations.ts

@@ -0,0 +1,225 @@
+import type { User } from 'firebase/auth';
+import type { ConfirmationImportData } from '~/types';
+
+import { fetchDataApi } from '../../api';
+import {
+  AUDIT_EXPORT_SIGNATURE_VERSION,
+  type AuditExportSigningPayload,
+  isValidAuditExportSigningPayload
+} from '../../forensics/audit-export-signature';
+import { CONFIRMATION_SIGNATURE_VERSION } from '../../forensics/confirmation-signature';
+import {
+  type ForensicManifestData,
+  type ForensicManifestSignature,
+  FORENSIC_MANIFEST_VERSION
+} from '../../forensics/SHA256';
+import { canAccessCase, validateUserSession } from '../permissions';
+import type {
+  AuditExportSigningResponse,
+  ConfirmationSigningResponse,
+  ManifestSigningResponse
+} from './types';
+
+/**
+ * Request a server-side signature for a forensic manifest.
+ */
+export const signForensicManifest = async (
+  user: User,
+  caseNumber: string,
+  manifest: ForensicManifestData
+): Promise<ManifestSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Manifest signing denied: ${accessCheck.reason}`);
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-manifest', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        manifest
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      manifestVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign forensic manifest: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.manifestVersion) {
+      throw new Error('Invalid manifest signing response from data worker');
+    }
+
+    if (responseData.manifestVersion !== FORENSIC_MANIFEST_VERSION) {
+      throw new Error(
+        `Unexpected manifest version from signer: ${responseData.manifestVersion}`
+      );
+    }
+
+    return {
+      manifestVersion: responseData.manifestVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error(`Error signing forensic manifest for ${caseNumber}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Request a server-side signature for confirmation export data.
+ */
+export const signConfirmationData = async (
+  user: User,
+  caseNumber: string,
+  confirmationData: ConfirmationImportData
+): Promise<ConfirmationSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Confirmation signing denied: ${accessCheck.reason}`);
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-confirmation', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        confirmationData,
+        signatureVersion: CONFIRMATION_SIGNATURE_VERSION
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      signatureVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign confirmation data: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.signatureVersion) {
+      throw new Error('Invalid confirmation signing response from data worker');
+    }
+
+    if (responseData.signatureVersion !== CONFIRMATION_SIGNATURE_VERSION) {
+      throw new Error(
+        `Unexpected confirmation signature version from signer: ${responseData.signatureVersion}`
+      );
+    }
+
+    return {
+      signatureVersion: responseData.signatureVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error(`Error signing confirmation data for ${caseNumber}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Request a server-side signature for audit export metadata.
+ */
+export const signAuditExportData = async (
+  user: User,
+  auditExport: AuditExportSigningPayload,
+  options: { caseNumber?: string } = {}
+): Promise<AuditExportSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    if (!isValidAuditExportSigningPayload(auditExport)) {
+      throw new Error('Invalid audit export payload for signing');
+    }
+
+    const caseNumber = options.caseNumber;
+    if (caseNumber) {
+      const accessCheck = await canAccessCase(user, caseNumber);
+      if (!accessCheck.allowed) {
+        throw new Error(`Audit export signing denied: ${accessCheck.reason}`);
+      }
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-audit-export', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        auditExport,
+        signatureVersion: AUDIT_EXPORT_SIGNATURE_VERSION
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      signatureVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign audit export data: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.signatureVersion) {
+      throw new Error('Invalid audit export signing response from data worker');
+    }
+
+    if (responseData.signatureVersion !== AUDIT_EXPORT_SIGNATURE_VERSION) {
+      throw new Error(
+        `Unexpected audit export signature version from signer: ${responseData.signatureVersion}`
+      );
+    }
+
+    return {
+      signatureVersion: responseData.signatureVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error('Error signing audit export data:', error);
+    throw error;
+  }
+};

package/app/utils/data/operations/types.ts

@@ -0,0 +1,42 @@
+import type { User } from 'firebase/auth';
+import type { ForensicManifestSignature } from '~/utils/forensics/SHA256';
+
+import type { AnnotationData } from '~/types';
+
+export interface DataAccessResult {
+  allowed: boolean;
+  reason?: string;
+}
+
+export interface FileUpdate {
+  fileId: string;
+  annotations: AnnotationData;
+}
+
+export interface BatchUpdateResult {
+  successful: string[];
+  failed: { fileId: string; error: string }[];
+}
+
+export interface DataOperationOptions {
+  includeTimestamp?: boolean;
+  retryCount?: number;
+  skipValidation?: boolean;
+}
+
+export interface ManifestSigningResponse {
+  manifestVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export interface ConfirmationSigningResponse {
+  signatureVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export interface AuditExportSigningResponse {
+  signatureVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export type DataOperation<T> = (user: User, ...args: unknown[]) => Promise<T>;

package/app/utils/data/operations/validation-operations.ts

@@ -0,0 +1,48 @@
+import type { User } from 'firebase/auth';
+
+import { canAccessCase, validateUserSession } from '../permissions';
+import type { DataAccessResult, DataOperation } from './types';
+
+/**
+ * Validate data access permissions for a user and case.
+ */
+export const validateDataAccess = async (
+  user: User,
+  caseNumber: string
+): Promise<DataAccessResult> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      return { allowed: false, reason: sessionValidation.reason };
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      return { allowed: false, reason: accessCheck.reason };
+    }
+
+    return { allowed: true };
+  } catch (error) {
+    console.error('Error validating data access:', error);
+    return { allowed: false, reason: 'Access validation failed' };
+  }
+};
+
+/**
+ * Higher-order function for consistent data operation patterns.
+ */
+export const withDataOperation = <T>(
+  operation: DataOperation<T>
+) => async (user: User, ...args: unknown[]): Promise<T> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Operation failed: ${sessionValidation.reason}`);
+    }
+
+    return await operation(user, ...args);
+  } catch (error) {
+    console.error('Data operation failed:', error);
+    throw error;
+  }
+};

package/app/utils/forensics/export-verification.ts

@@ -674,6 +674,7 @@ export async function verifyCasePackageIntegrity(
   input: CasePackageIntegrityInput
 ): Promise<CasePackageIntegrityResult> {
   const manifestData = extractForensicManifestData(input.forensicManifest);
+  const verificationPublicKeyPem = input.verificationPublicKeyPem;
 
   if (!manifestData) {
     return {
@@ -694,9 +695,28 @@ export async function verifyCasePackageIntegrity(
     };
   }
 
+  if (!verificationPublicKeyPem) {
+    return {
+      isValid: false,
+      signatureResult: {
+        isValid: false,
+        error: 'Missing verification public key'
+      },
+      integrityResult: {
+        isValid: false,
+        dataValid: false,
+        imageValidation: {},
+        manifestValid: false,
+        errors: ['Missing verification public key'],
+        summary: 'Manifest validation failed'
+      },
+      bundledAuditVerification: null
+    };
+  }
+
   const signatureResult = await verifyForensicManifestSignature(
     input.forensicManifest,
-    input.verificationPublicKeyPem
+    verificationPublicKeyPem
   );
 
   const integrityResult = await validateCaseIntegritySecure(
@@ -706,117 +726,26 @@ export async function verifyCasePackageIntegrity(
   );
 
   const bundledAuditVerification = input.bundledAuditFiles
-    ? await (async () => {
-        const { auditTrailContent, auditSignatureContent } = input.bundledAuditFiles ?? {};
-
-        if (!auditTrailContent && !auditSignatureContent) {
-          return null;
-        }
-
-        if (!auditTrailContent || !auditSignatureContent) {
-          return createVerificationResult(
-            false,
-            'The archive ZIP contains incomplete bundled audit verification files.',
-            'case-zip'
-          );
-        }
-
-        try {
-          const auditTrailExport = JSON.parse(auditTrailContent) as BundledAuditExportFile;
-          const auditSignatureExport = JSON.parse(auditSignatureContent) as {
-            signatureMetadata?: Partial<AuditExportSigningPayload>;
-            signature?: NonNullable<BundledAuditExportFile['metadata']>['signature'];
-          };
-
-          const metadata = auditTrailExport.metadata;
-          if (!metadata?.signature || typeof metadata.hash !== 'string') {
-            return createVerificationResult(
-              false,
-              'The bundled audit export is missing required hash or signature metadata.',
-              'case-zip'
-            );
-          }
-
-          const unsignedAuditExport = auditTrailExport.auditTrail !== undefined
-            ? {
-                metadata: {
-                  exportTimestamp: metadata.exportTimestamp,
-                  exportVersion: metadata.exportVersion,
-                  totalEntries: metadata.totalEntries,
-                  application: metadata.application,
-                  exportType: metadata.exportType,
-                  scopeType: metadata.scopeType,
-                  scopeIdentifier: metadata.scopeIdentifier,
-                },
-                auditTrail: auditTrailExport.auditTrail,
-              }
-            : {
-                metadata: {
-                  exportTimestamp: metadata.exportTimestamp,
-                  exportVersion: metadata.exportVersion,
-                  totalEntries: metadata.totalEntries,
-                  application: metadata.application,
-                  exportType: metadata.exportType,
-                  scopeType: metadata.scopeType,
-                  scopeIdentifier: metadata.scopeIdentifier,
-                },
-                auditEntries: auditTrailExport.auditEntries,
-              };
-
-          const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
-          if (recalculatedHash.toUpperCase() !== metadata.hash.toUpperCase()) {
-            return createVerificationResult(
-              false,
-              'The bundled audit export failed integrity verification.',
-              'case-zip'
-            );
-          }
-
-          const embeddedSignaturePayload: Partial<AuditExportSigningPayload> = metadata.signatureMetadata ?? {
-            signatureVersion: metadata.signatureVersion,
-            exportFormat: 'json',
-            exportType: metadata.exportType,
-            scopeType: metadata.scopeType,
-            scopeIdentifier: metadata.scopeIdentifier,
-            generatedAt: metadata.exportTimestamp,
-            totalEntries: metadata.totalEntries,
-            hash: metadata.hash,
-          };
-
-          const signatureVerification = await verifyAuditExportSignature(
-            embeddedSignaturePayload,
-            metadata.signature,
-            input.verificationPublicKeyPem
-          );
-
-          if (!signatureVerification.isValid) {
-            return createVerificationResult(
-              false,
-              getSignatureFailureMessage(signatureVerification.error, 'export ZIP'),
-              'case-zip'
-            );
+    ? await verifyBundledAuditExport(
+        {
+          file: (path: string) => {
+            const content = path === 'audit/case-audit-trail.json'
+              ? input.bundledAuditFiles?.auditTrailContent
+              : path === 'audit/case-audit-signature.json'
+                ? input.bundledAuditFiles?.auditSignatureContent
+                : undefined;
+
+            if (content === undefined) {
+              return null;
+            }
+
+            return {
+              async: async () => content,
+            };
           }
-
-          if (
-            JSON.stringify(auditSignatureExport.signatureMetadata ?? null) !== JSON.stringify(metadata.signatureMetadata ?? null) ||
-            JSON.stringify(auditSignatureExport.signature ?? null) !== JSON.stringify(metadata.signature ?? null)
-          ) {
-            return createVerificationResult(
-              false,
-              'The bundled audit signature artifact does not match the signed audit export.',
-              'case-zip'
-            );
-          }
-
-          return null;
-        } catch {
-          return createVerificationResult(
-            false,
-            'The bundled audit export could not be parsed for verification.',
-            'case-zip'
-          );
-        }
-      })()
+        },
+        verificationPublicKeyPem
+      )
     : null;
 
   return {

package/functions/api/_shared/firebase-auth.ts

@@ -1,5 +1,3 @@
-import firebaseConfig from '../../../app/config/firebase';
-
 interface FirebaseJwtHeader {
   alg?: string;
   kid?: string;
@@ -31,8 +29,6 @@ const GOOGLE_SECURETOKEN_JWKS_URL =
   'https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com';
 const DEFAULT_JWKS_CACHE_SECONDS = 300;
 const CLOCK_SKEW_SECONDS = 300;
-const FALLBACK_PROJECT_ID =
-  typeof firebaseConfig.projectId === 'string' ? firebaseConfig.projectId.trim() : '';
 
 const textEncoder = new TextEncoder();
 const textDecoder = new TextDecoder();
@@ -156,12 +152,11 @@ async function verifyTokenSignature(
 
 function validateTokenClaims(payload: FirebaseJwtPayload, env: Env): boolean {
   const configuredProjectId = typeof env.PROJECT_ID === 'string' ? env.PROJECT_ID.trim() : '';
-  const allowedProjectIds = new Set([configuredProjectId, FALLBACK_PROJECT_ID].filter(Boolean));
-  if (allowedProjectIds.size === 0) {
+  if (configuredProjectId.length === 0) {
     return false;
   }
 
-  if (typeof payload.aud !== 'string' || !allowedProjectIds.has(payload.aud)) {
+  if (typeof payload.aud !== 'string' || payload.aud !== configuredProjectId) {
     return false;
   }
 

package/functions/api/image/[[path]].ts

@@ -30,44 +30,41 @@ function normalizeWorkerBaseUrl(workerDomain: string): string {
   return `https://${trimmedDomain}`;
 }
 
-function extractProxyPath(url: URL): string | null {
+type ProxyPathResult =
+  | { ok: true; path: string }
+  | { ok: false; reason: 'not-found' | 'bad-encoding' };
+
+function extractProxyPath(url: URL): ProxyPathResult {
   const routePrefix = '/api/image';
   if (!url.pathname.startsWith(routePrefix)) {
-    return null;
+    return { ok: false, reason: 'not-found' };
   }
 
   const remainder = url.pathname.slice(routePrefix.length);
   if (remainder.length === 0) {
-    return '/';
+    return { ok: true, path: '/' };
   }
 
   const normalizedRemainder = remainder.startsWith('/') ? remainder : `/${remainder}`;
   const encodedPath = normalizedRemainder.slice(1);
+  if (encodedPath.length === 0) {
+    return { ok: true, path: normalizedRemainder };
+  }
 
   try {
     const decodedPath = decodeURIComponent(encodedPath);
-    if (decodedPath.length > 0) {
-      return decodedPath.startsWith('/') ? decodedPath : `/${decodedPath}`;
+    if (decodedPath.includes('?') || decodedPath.includes('#')) {
+      return { ok: false, reason: 'bad-encoding' };
     }
+
+    return { ok: true, path: decodedPath.startsWith('/') ? decodedPath : `/${decodedPath}` };
   } catch {
-    // Keep legacy behavior for non-encoded paths.
+    return { ok: false, reason: 'bad-encoding' };
   }
-
-  return normalizedRemainder;
 }
 
 function resolveImageWorkerToken(env: Env): string {
-  const imageToken = typeof env.IMAGES_API_TOKEN === 'string' ? env.IMAGES_API_TOKEN.trim() : '';
-  if (imageToken.length > 0) {
-    return imageToken;
-  }
-
-  const apiToken = typeof env.API_TOKEN === 'string' ? env.API_TOKEN.trim() : '';
-  if (apiToken.length > 0) {
-    return apiToken;
-  }
-
-  return '';
+  return typeof env.IMAGES_API_TOKEN === 'string' ? env.IMAGES_API_TOKEN.trim() : '';
 }
 
 export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Response> => {
@@ -91,11 +88,15 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
   }
 
   const requestUrl = new URL(request.url);
-  const proxyPath = extractProxyPath(requestUrl);
-  if (!proxyPath) {
-    return textResponse('Not Found', 404);
+  const proxyPathResult = extractProxyPath(requestUrl);
+  if (!proxyPathResult.ok) {
+    return proxyPathResult.reason === 'bad-encoding'
+      ? textResponse('Bad Request: malformed image path encoding', 400)
+      : textResponse('Not Found', 404);
   }
 
+  const proxyPath = proxyPathResult.path;
+
   const imageWorkerToken = resolveImageWorkerToken(env);
   if (!env.IMAGES_WORKER_DOMAIN || !imageWorkerToken) {
     return textResponse('Image service not configured', 502);

package/functions/api/pdf/[[path]].ts

@@ -9,6 +9,10 @@ const SUPPORTED_METHODS = new Set(['POST', 'OPTIONS']);
 const PRIMERSHEAR_FORMAT = 'primershear';
 const DEFAULT_FORMAT = 'striae';
 
+interface PdfProxyRequestBody {
+  data: Record<string, unknown>;
+}
+
 function textResponse(message: string, status: number): Response {
   return new Response(message, {
     status,
@@ -48,6 +52,21 @@ function resolveReportFormat(email: string | null, primershearEmails: string): s
   return allowed.includes(email.toLowerCase()) ? PRIMERSHEAR_FORMAT : DEFAULT_FORMAT;
 }
 
+function parsePdfProxyRequestBody(payload: unknown): PdfProxyRequestBody | null {
+  if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+    return null;
+  }
+
+  const record = payload as Record<string, unknown>;
+  if (!record.data || typeof record.data !== 'object' || Array.isArray(record.data)) {
+    return null;
+  }
+
+  return {
+    data: record.data as Record<string, unknown>
+  };
+}
+
 export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Response> => {
   if (!SUPPORTED_METHODS.has(request.method)) {
     return textResponse('Method not allowed', 405);
@@ -103,15 +122,15 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   let upstreamBody: BodyInit;
   try {
-    const payload = await request.json() as Record<string, unknown>;
-    // Inject the server-resolved format, overriding any client-supplied value.
-    if (payload.data && typeof payload.data === 'object') {
-      payload.reportFormat = reportFormat;
-    } else {
-      // Legacy flat payload shape
-      payload.reportFormat = reportFormat;
+    const payload = parsePdfProxyRequestBody(await request.json());
+    if (!payload) {
+      return textResponse('Invalid PDF request body', 400);
     }
-    upstreamBody = JSON.stringify(payload);
+
+    upstreamBody = JSON.stringify({
+      data: payload.data,
+      reportFormat
+    });
     upstreamHeaders.set('Content-Type', 'application/json');
   } catch {
     return textResponse('Invalid request body', 400);