@striae-org/striae 4.3.4 → 5.1.0

package/workers/image-worker/src/image-worker.example.ts

@@ -1,179 +1,248 @@
+import {
+  decryptBinaryFromStorage,
+  encryptBinaryForStorage,
+  type DataAtRestEnvelope
+} from './encryption-utils';
+
 interface Env {
-  API_TOKEN: string;
-  ACCOUNT_ID: string;
-  HMAC_KEY: string;
+  IMAGES_API_TOKEN: string;
+  STRIAE_FILES: R2Bucket;
+  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY: string;
+  DATA_AT_REST_ENCRYPTION_PUBLIC_KEY: string;
+  DATA_AT_REST_ENCRYPTION_KEY_ID: string;
+}
+
+interface UploadResult {
+  id: string;
+  filename: string;
+  uploaded: string;
+  requireSignedURLs: boolean;
+  variants: string[];
 }
 
-interface CloudflareImagesResponse {
+interface UploadResponse {
+  success: boolean;
+  errors: Array<{ code: number; message: string }>;
+  messages: string[];
+  result: UploadResult;
+}
+
+interface SuccessResponse {
   success: boolean;
-  errors?: Array<{
-    code: number;
-    message: string;
-  }>;
-  messages?: string[];
-  result?: {
-    id: string;
-    filename: string;
-    uploaded: string;
-    requireSignedURLs: boolean;
-    variants: string[];
-  };
 }
 
 interface ErrorResponse {
   error: string;
 }
 
-type APIResponse = CloudflareImagesResponse | ErrorResponse | string;
+type APIResponse = UploadResponse | SuccessResponse | ErrorResponse;
 
-const API_BASE = "https://api.cloudflare.com/client/v4/accounts";
-
-/**
- * CORS headers to allow requests from the Striae app
- */
 const corsHeaders: Record<string, string> = {
   'Access-Control-Allow-Origin': 'PAGES_CUSTOM_DOMAIN',
   'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
-  'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Custom-Auth-Key',
-  'Content-Type': 'application/json'
+  'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Custom-Auth-Key'
 };
 
-const createResponse = (data: APIResponse, status: number = 200): Response => new Response(
-  typeof data === 'string' ? data : JSON.stringify(data), 
-  { status, headers: corsHeaders }
+const createJsonResponse = (data: APIResponse, status: number = 200): Response => new Response(
+  JSON.stringify(data),
+  {
+    status,
+    headers: {
+      ...corsHeaders,
+      'Content-Type': 'application/json'
+    }
+  }
 );
 
-const hasValidToken = (request: Request, env: Env): boolean => {
-  const authHeader = request.headers.get("Authorization");
-  const expectedToken = `Bearer ${env.API_TOKEN}`;
+function hasValidToken(request: Request, env: Env): boolean {
+  const authHeader = request.headers.get('Authorization');
+  const expectedToken = `Bearer ${env.IMAGES_API_TOKEN}`;
   return authHeader === expectedToken;
-};
+}
 
-/**
- * Handle image upload requests
- */
-async function handleImageUpload(request: Request, env: Env): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createResponse({ error: 'Unauthorized' }, 403);
+function requireEncryptionUploadConfig(env: Env): void {
+  if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+    throw new Error('Data-at-rest encryption is not configured for image uploads');
   }
+}
 
-  const formData = await request.formData();
-  const endpoint = `${API_BASE}/${env.ACCOUNT_ID}/images/v1`;
+function requireEncryptionRetrievalConfig(env: Env): void {
+  if (!env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY) {
+    throw new Error('Data-at-rest decryption is not configured for image retrieval');
+  }
+}
 
-  // Add requireSignedURLs to form data
-  formData.append('requireSignedURLs', 'true');
+function parseFileId(pathname: string): string | null {
+  const encodedFileId = pathname.startsWith('/') ? pathname.slice(1) : pathname;
+  if (!encodedFileId) {
+    return null;
+  }
 
-  const response = await fetch(endpoint, {
-    method: 'POST',
-    headers: {
-      'Authorization': `Bearer ${env.API_TOKEN}`,
-    },
-    body: formData
-  });
-  
-  const data: CloudflareImagesResponse = await response.json();
-  return createResponse(data, response.status);
+  let decodedFileId = '';
+  try {
+    decodedFileId = decodeURIComponent(encodedFileId);
+  } catch {
+    return null;
+  }
+
+  if (!decodedFileId || decodedFileId.includes('/')) {
+    return null;
+  }
+
+  return decodedFileId;
 }
 
-/**
- * Handle image delete requests
- */
-async function handleImageDelete(request: Request, env: Env): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createResponse({ error: 'Unauthorized' }, 403);
+function extractEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
+  const metadata = file.customMetadata;
+  if (!metadata) {
+    return null;
   }
 
-  const url = new URL(request.url);
-  const imageId = url.pathname.split('/').pop();
-  
-  if (!imageId) {
-    return createResponse({ error: 'Image ID is required' }, 400);
+  const { algorithm, encryptionVersion, keyId, dataIv, wrappedKey } = metadata;
+  if (
+    typeof algorithm !== 'string' ||
+    typeof encryptionVersion !== 'string' ||
+    typeof keyId !== 'string' ||
+    typeof dataIv !== 'string' ||
+    typeof wrappedKey !== 'string'
+  ) {
+    return null;
   }
-  
-  const endpoint = `${API_BASE}/${env.ACCOUNT_ID}/images/v1/${imageId}`;
-  const response = await fetch(endpoint, {
-    method: 'DELETE',
-    headers: {
-      'Authorization': `Bearer ${env.API_TOKEN}`,
-    }
-  });
-  
-  const data: CloudflareImagesResponse = await response.json();
-  return createResponse(data, response.status);
+
+  return {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  };
 }
 
-/**
- * Handle Signed URL generation
- */
-const EXPIRATION = 60 * 60; // 1 hour
-
-const bufferToHex = (buffer: ArrayBuffer): string =>
-  [...new Uint8Array(buffer)].map(x => x.toString(16).padStart(2, '0')).join('');
-
-async function generateSignedUrl(url: URL, env: Env): Promise<Response> {
-  const encoder = new TextEncoder();
-  const secretKeyData = encoder.encode(env.HMAC_KEY);
-  const key = await crypto.subtle.importKey(
-    'raw',
-    secretKeyData,
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+function deriveFileKind(contentType: string): string {
+  if (contentType.startsWith('image/')) {
+    return 'image';
+  }
+
+  return 'file';
+}
+
+async function handleImageUpload(request: Request, env: Env): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  requireEncryptionUploadConfig(env);
+
+  const formData = await request.formData();
+  const fileValue = formData.get('file');
+  if (!(fileValue instanceof Blob)) {
+    return createJsonResponse({ error: 'Missing file upload payload' }, 400);
+  }
 
-  // Add expiration
-  const expiry = Math.floor(Date.now() / 1000) + EXPIRATION;
-  url.searchParams.set('exp', expiry.toString());
+  const fileBlob = fileValue;
+  const uploadedAt = new Date().toISOString();
+  const filename = fileValue instanceof File && fileValue.name ? fileValue.name : 'upload.bin';
+  const contentType = fileBlob.type || 'application/octet-stream';
+  const fileId = crypto.randomUUID().replace(/-/g, '');
+  const plaintextBytes = await fileBlob.arrayBuffer();
 
-  const stringToSign = url.pathname + '?' + url.searchParams.toString();
-  const mac = await crypto.subtle.sign('HMAC', key, encoder.encode(stringToSign));
-  const sig = bufferToHex(mac);
+  const encryptedPayload = await encryptBinaryForStorage(
+    plaintextBytes,
+    env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+    env.DATA_AT_REST_ENCRYPTION_KEY_ID
+  );
 
-  // Add signature
-  url.searchParams.set('sig', sig);
+  await env.STRIAE_FILES.put(fileId, encryptedPayload.ciphertext, {
+    customMetadata: {
+      algorithm: encryptedPayload.envelope.algorithm,
+      encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+      keyId: encryptedPayload.envelope.keyId,
+      dataIv: encryptedPayload.envelope.dataIv,
+      wrappedKey: encryptedPayload.envelope.wrappedKey,
+      contentType,
+      originalFilename: filename,
+      byteLength: String(fileBlob.size),
+      createdAt: uploadedAt,
+      fileKind: deriveFileKind(contentType)
+    }
+  });
 
-  // Return the modified URL with signature and expiration
-  return new Response(url.toString(), {
-    headers: corsHeaders
+  return createJsonResponse({
+    success: true,
+    errors: [],
+    messages: [],
+    result: {
+      id: fileId,
+      filename,
+      uploaded: uploadedAt,
+      requireSignedURLs: false,
+      variants: []
+    }
   });
 }
 
-async function handleImageServing(request: Request, env: Env): Promise<Response> {
+async function handleImageDelete(request: Request, env: Env): Promise<Response> {
   if (!hasValidToken(request, env)) {
-    return createResponse({ error: 'Unauthorized' }, 403);
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  const fileId = parseFileId(new URL(request.url).pathname);
+  if (!fileId) {
+    return createJsonResponse({ error: 'Image ID is required' }, 400);
   }
 
-  const url = new URL(request.url);
-  const encodedPath = url.pathname.slice(1);
-  if (!encodedPath) {
-    return createResponse({ error: 'Image delivery URL is required' }, 400);
+  const existing = await env.STRIAE_FILES.head(fileId);
+  if (!existing) {
+    return createJsonResponse({ error: 'File not found' }, 404);
   }
 
-  let decodedPath: string;
+  await env.STRIAE_FILES.delete(fileId);
+  return createJsonResponse({ success: true });
+}
 
-  try {
-    decodedPath = decodeURIComponent(encodedPath);
-  } catch {
-    return createResponse({ error: 'Image delivery URL must be URL-encoded' }, 400);
+async function handleImageServing(request: Request, env: Env): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
   }
 
-  let imageDeliveryURL: URL;
-  try {
-    imageDeliveryURL = new URL(decodedPath);
-  } catch {
-    return createResponse({ error: 'Image delivery URL is invalid' }, 400);
+  requireEncryptionRetrievalConfig(env);
+
+  const fileId = parseFileId(new URL(request.url).pathname);
+  if (!fileId) {
+    return createJsonResponse({ error: 'Image ID is required' }, 400);
   }
 
-  if (imageDeliveryURL.protocol !== 'https:' || imageDeliveryURL.hostname !== 'imagedelivery.net') {
-    return createResponse({ error: 'Image delivery URL must target imagedelivery.net over HTTPS' }, 400);
+  const file = await env.STRIAE_FILES.get(fileId);
+  if (!file) {
+    return createJsonResponse({ error: 'File not found' }, 404);
   }
-  
-  return generateSignedUrl(imageDeliveryURL, env);
+
+  const envelope = extractEnvelope(file);
+  if (!envelope) {
+    return createJsonResponse({ error: 'Missing data-at-rest envelope metadata' }, 500);
+  }
+
+  const encryptedData = await file.arrayBuffer();
+  const plaintext = await decryptBinaryFromStorage(
+    encryptedData,
+    envelope,
+    env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY
+  );
+
+  const contentType = file.customMetadata?.contentType || 'application/octet-stream';
+  const filename = file.customMetadata?.originalFilename || fileId;
+
+  return new Response(plaintext, {
+    status: 200,
+    headers: {
+      ...corsHeaders,
+      'Cache-Control': 'no-store',
+      'Content-Type': contentType,
+      'Content-Disposition': `inline; filename="${filename.replace(/"/g, '')}"`
+    }
+  });
 }
 
-/**
- * Main worker functions
- */
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
     if (request.method === 'OPTIONS') {
@@ -189,11 +258,11 @@ export default {
         case 'DELETE':
           return handleImageDelete(request, env);
         default:
-          return createResponse({ error: 'Method not allowed' }, 405);
+          return createJsonResponse({ error: 'Method not allowed' }, 405);
       }
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-      return createResponse({ error: errorMessage }, 500);
+      return createJsonResponse({ error: errorMessage }, 500);
     }
   }
 };

package/workers/image-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "IMAGES_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 
@@ -11,5 +11,12 @@
 	"enabled": true
   },
 
+  "r2_buckets": [
+    {
+      "binding": "STRIAE_FILES",
+      "bucket_name": "FILES_BUCKET_NAME"
+    }
+  ],
+
   "placement": { "mode": "smart" }
 }

package/workers/keys-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/keys-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "KEYS_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/keys.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/pdf-worker/package.json

@@ -6,13 +6,10 @@
 		"generate:assets": "node scripts/generate-assets.js",
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/pdf-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "PDF_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/pdf-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/user-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/user-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "USER_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/user-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/wrangler.toml.example

@@ -1,6 +1,6 @@
 #:schema node_modules/wrangler/config-schema.json
 name = "PAGES_PROJECT_NAME"
-compatibility_date = "2026-03-23"
+compatibility_date = "2026-03-24"
 compatibility_flags = ["nodejs_compat"]
 pages_build_output_dir = "./build/client"