@striae-org/striae 5.0.0 → 5.1.0

package/workers/image-worker/src/encryption-utils.ts

@@ -0,0 +1,217 @@
+export function base64UrlDecode(value: string): Uint8Array {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  const decoded = atob(normalized + padding);
+  const bytes = new Uint8Array(decoded.length);
+
+  for (let i = 0; i < decoded.length; i += 1) {
+    bytes[i] = decoded.charCodeAt(i);
+  }
+
+  return bytes;
+}
+
+export function base64UrlEncode(value: Uint8Array): string {
+  let binary = '';
+  const chunkSize = 8192;
+
+  for (let i = 0; i < value.length; i += chunkSize) {
+    const chunk = value.subarray(i, Math.min(i + chunkSize, value.length));
+    for (let j = 0; j < chunk.length; j += 1) {
+      binary += String.fromCharCode(chunk[j]);
+    }
+  }
+
+  return btoa(binary)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
+
+export interface DataAtRestEnvelope {
+  algorithm: string;
+  encryptionVersion: string;
+  keyId: string;
+  dataIv: string;
+  wrappedKey: string;
+}
+
+interface EncryptBinaryAtRestResult {
+  ciphertext: Uint8Array;
+  envelope: DataAtRestEnvelope;
+}
+
+function parseSpkiPublicKey(publicKey: string): ArrayBuffer {
+  const normalizedKey = publicKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PUBLIC KEY-----', '')
+    .replace('-----END PUBLIC KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption public key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
+  const normalizedKey = privateKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PRIVATE KEY-----', '')
+    .replace('-----END PRIVATE KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption private key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+async function importRsaOaepPrivateKey(privateKeyPem: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'pkcs8',
+    parsePkcs8PrivateKey(privateKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['decrypt']
+  );
+}
+
+async function importRsaOaepPublicKey(publicKeyPem: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'spki',
+    parseSpkiPublicKey(publicKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['encrypt']
+  );
+}
+
+async function createAesGcmKey(usages: KeyUsage[]): Promise<CryptoKey> {
+  return crypto.subtle.generateKey(
+    {
+      name: 'AES-GCM',
+      length: 256
+    },
+    true,
+    usages
+  ) as Promise<CryptoKey>;
+}
+
+async function wrapAesKey(aesKey: CryptoKey, publicKeyPem: string): Promise<string> {
+  const rsaPublicKey = await importRsaOaepPublicKey(publicKeyPem);
+  const rawAesKey = await crypto.subtle.exportKey('raw', aesKey);
+  const wrappedKey = await crypto.subtle.encrypt(
+    { name: 'RSA-OAEP' },
+    rsaPublicKey,
+    rawAesKey as BufferSource
+  );
+
+  return base64UrlEncode(new Uint8Array(wrappedKey));
+}
+
+async function unwrapAesKey(wrappedKeyBase64: string, privateKeyPem: string): Promise<CryptoKey> {
+  const rsaPrivateKey = await importRsaOaepPrivateKey(privateKeyPem);
+  const wrappedKeyBytes = base64UrlDecode(wrappedKeyBase64);
+
+  const rawAesKey = await crypto.subtle.decrypt(
+    { name: 'RSA-OAEP' },
+    rsaPrivateKey,
+    wrappedKeyBytes as BufferSource
+  );
+
+  return crypto.subtle.importKey(
+    'raw',
+    rawAesKey,
+    { name: 'AES-GCM' },
+    false,
+    ['encrypt', 'decrypt']
+  );
+}
+
+export function validateEnvelope(envelope: DataAtRestEnvelope): void {
+  if (envelope.algorithm !== DATA_AT_REST_ENCRYPTION_ALGORITHM) {
+    throw new Error('Unsupported data-at-rest encryption algorithm');
+  }
+
+  if (envelope.encryptionVersion !== DATA_AT_REST_ENCRYPTION_VERSION) {
+    throw new Error('Unsupported data-at-rest encryption version');
+  }
+}
+
+export async function encryptBinaryForStorage(
+  plaintextBytes: ArrayBuffer,
+  publicKeyPem: string,
+  keyId: string
+): Promise<EncryptBinaryAtRestResult> {
+  const aesKey = await createAesGcmKey(['encrypt', 'decrypt']);
+  const wrappedKey = await wrapAesKey(aesKey, publicKeyPem);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    plaintextBytes as BufferSource
+  );
+
+  return {
+    ciphertext: new Uint8Array(encryptedBuffer),
+    envelope: {
+      algorithm: DATA_AT_REST_ENCRYPTION_ALGORITHM,
+      encryptionVersion: DATA_AT_REST_ENCRYPTION_VERSION,
+      keyId,
+      dataIv: base64UrlEncode(iv),
+      wrappedKey
+    }
+  };
+}
+
+export async function decryptBinaryFromStorage(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  privateKeyPem: string
+): Promise<ArrayBuffer> {
+  validateEnvelope(envelope);
+
+  const aesKey = await unwrapAesKey(envelope.wrappedKey, privateKeyPem);
+  const iv = base64UrlDecode(envelope.dataIv);
+
+  return crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+}

package/workers/image-worker/src/image-worker.example.ts

@@ -1,179 +1,248 @@
+import {
+  decryptBinaryFromStorage,
+  encryptBinaryForStorage,
+  type DataAtRestEnvelope
+} from './encryption-utils';
+
 interface Env {
-  API_TOKEN: string;
-  ACCOUNT_ID: string;
-  HMAC_KEY: string;
+  IMAGES_API_TOKEN: string;
+  STRIAE_FILES: R2Bucket;
+  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY: string;
+  DATA_AT_REST_ENCRYPTION_PUBLIC_KEY: string;
+  DATA_AT_REST_ENCRYPTION_KEY_ID: string;
+}
+
+interface UploadResult {
+  id: string;
+  filename: string;
+  uploaded: string;
+  requireSignedURLs: boolean;
+  variants: string[];
 }
 
-interface CloudflareImagesResponse {
+interface UploadResponse {
+  success: boolean;
+  errors: Array<{ code: number; message: string }>;
+  messages: string[];
+  result: UploadResult;
+}
+
+interface SuccessResponse {
   success: boolean;
-  errors?: Array<{
-    code: number;
-    message: string;
-  }>;
-  messages?: string[];
-  result?: {
-    id: string;
-    filename: string;
-    uploaded: string;
-    requireSignedURLs: boolean;
-    variants: string[];
-  };
 }
 
 interface ErrorResponse {
   error: string;
 }
 
-type APIResponse = CloudflareImagesResponse | ErrorResponse | string;
+type APIResponse = UploadResponse | SuccessResponse | ErrorResponse;
 
-const API_BASE = "https://api.cloudflare.com/client/v4/accounts";
-
-/**
- * CORS headers to allow requests from the Striae app
- */
 const corsHeaders: Record<string, string> = {
   'Access-Control-Allow-Origin': 'PAGES_CUSTOM_DOMAIN',
   'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
-  'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Custom-Auth-Key',
-  'Content-Type': 'application/json'
+  'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Custom-Auth-Key'
 };
 
-const createResponse = (data: APIResponse, status: number = 200): Response => new Response(
-  typeof data === 'string' ? data : JSON.stringify(data), 
-  { status, headers: corsHeaders }
+const createJsonResponse = (data: APIResponse, status: number = 200): Response => new Response(
+  JSON.stringify(data),
+  {
+    status,
+    headers: {
+      ...corsHeaders,
+      'Content-Type': 'application/json'
+    }
+  }
 );
 
-const hasValidToken = (request: Request, env: Env): boolean => {
-  const authHeader = request.headers.get("Authorization");
-  const expectedToken = `Bearer ${env.API_TOKEN}`;
+function hasValidToken(request: Request, env: Env): boolean {
+  const authHeader = request.headers.get('Authorization');
+  const expectedToken = `Bearer ${env.IMAGES_API_TOKEN}`;
   return authHeader === expectedToken;
-};
+}
 
-/**
- * Handle image upload requests
- */
-async function handleImageUpload(request: Request, env: Env): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createResponse({ error: 'Unauthorized' }, 403);
+function requireEncryptionUploadConfig(env: Env): void {
+  if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+    throw new Error('Data-at-rest encryption is not configured for image uploads');
   }
+}
 
-  const formData = await request.formData();
-  const endpoint = `${API_BASE}/${env.ACCOUNT_ID}/images/v1`;
+function requireEncryptionRetrievalConfig(env: Env): void {
+  if (!env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY) {
+    throw new Error('Data-at-rest decryption is not configured for image retrieval');
+  }
+}
 
-  // Add requireSignedURLs to form data
-  formData.append('requireSignedURLs', 'true');
+function parseFileId(pathname: string): string | null {
+  const encodedFileId = pathname.startsWith('/') ? pathname.slice(1) : pathname;
+  if (!encodedFileId) {
+    return null;
+  }
 
-  const response = await fetch(endpoint, {
-    method: 'POST',
-    headers: {
-      'Authorization': `Bearer ${env.API_TOKEN}`,
-    },
-    body: formData
-  });
-  
-  const data: CloudflareImagesResponse = await response.json();
-  return createResponse(data, response.status);
+  let decodedFileId = '';
+  try {
+    decodedFileId = decodeURIComponent(encodedFileId);
+  } catch {
+    return null;
+  }
+
+  if (!decodedFileId || decodedFileId.includes('/')) {
+    return null;
+  }
+
+  return decodedFileId;
 }
 
-/**
- * Handle image delete requests
- */
-async function handleImageDelete(request: Request, env: Env): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createResponse({ error: 'Unauthorized' }, 403);
+function extractEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
+  const metadata = file.customMetadata;
+  if (!metadata) {
+    return null;
   }
 
-  const url = new URL(request.url);
-  const imageId = url.pathname.split('/').pop();
-  
-  if (!imageId) {
-    return createResponse({ error: 'Image ID is required' }, 400);
+  const { algorithm, encryptionVersion, keyId, dataIv, wrappedKey } = metadata;
+  if (
+    typeof algorithm !== 'string' ||
+    typeof encryptionVersion !== 'string' ||
+    typeof keyId !== 'string' ||
+    typeof dataIv !== 'string' ||
+    typeof wrappedKey !== 'string'
+  ) {
+    return null;
   }
-  
-  const endpoint = `${API_BASE}/${env.ACCOUNT_ID}/images/v1/${imageId}`;
-  const response = await fetch(endpoint, {
-    method: 'DELETE',
-    headers: {
-      'Authorization': `Bearer ${env.API_TOKEN}`,
-    }
-  });
-  
-  const data: CloudflareImagesResponse = await response.json();
-  return createResponse(data, response.status);
+
+  return {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  };
 }
 
-/**
- * Handle Signed URL generation
- */
-const EXPIRATION = 60 * 60; // 1 hour
-
-const bufferToHex = (buffer: ArrayBuffer): string =>
-  [...new Uint8Array(buffer)].map(x => x.toString(16).padStart(2, '0')).join('');
-
-async function generateSignedUrl(url: URL, env: Env): Promise<Response> {
-  const encoder = new TextEncoder();
-  const secretKeyData = encoder.encode(env.HMAC_KEY);
-  const key = await crypto.subtle.importKey(
-    'raw',
-    secretKeyData,
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign']
-  );
+function deriveFileKind(contentType: string): string {
+  if (contentType.startsWith('image/')) {
+    return 'image';
+  }
+
+  return 'file';
+}
+
+async function handleImageUpload(request: Request, env: Env): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  requireEncryptionUploadConfig(env);
+
+  const formData = await request.formData();
+  const fileValue = formData.get('file');
+  if (!(fileValue instanceof Blob)) {
+    return createJsonResponse({ error: 'Missing file upload payload' }, 400);
+  }
 
-  // Add expiration
-  const expiry = Math.floor(Date.now() / 1000) + EXPIRATION;
-  url.searchParams.set('exp', expiry.toString());
+  const fileBlob = fileValue;
+  const uploadedAt = new Date().toISOString();
+  const filename = fileValue instanceof File && fileValue.name ? fileValue.name : 'upload.bin';
+  const contentType = fileBlob.type || 'application/octet-stream';
+  const fileId = crypto.randomUUID().replace(/-/g, '');
+  const plaintextBytes = await fileBlob.arrayBuffer();
 
-  const stringToSign = url.pathname + '?' + url.searchParams.toString();
-  const mac = await crypto.subtle.sign('HMAC', key, encoder.encode(stringToSign));
-  const sig = bufferToHex(mac);
+  const encryptedPayload = await encryptBinaryForStorage(
+    plaintextBytes,
+    env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+    env.DATA_AT_REST_ENCRYPTION_KEY_ID
+  );
 
-  // Add signature
-  url.searchParams.set('sig', sig);
+  await env.STRIAE_FILES.put(fileId, encryptedPayload.ciphertext, {
+    customMetadata: {
+      algorithm: encryptedPayload.envelope.algorithm,
+      encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+      keyId: encryptedPayload.envelope.keyId,
+      dataIv: encryptedPayload.envelope.dataIv,
+      wrappedKey: encryptedPayload.envelope.wrappedKey,
+      contentType,
+      originalFilename: filename,
+      byteLength: String(fileBlob.size),
+      createdAt: uploadedAt,
+      fileKind: deriveFileKind(contentType)
+    }
+  });
 
-  // Return the modified URL with signature and expiration
-  return new Response(url.toString(), {
-    headers: corsHeaders
+  return createJsonResponse({
+    success: true,
+    errors: [],
+    messages: [],
+    result: {
+      id: fileId,
+      filename,
+      uploaded: uploadedAt,
+      requireSignedURLs: false,
+      variants: []
+    }
   });
 }
 
-async function handleImageServing(request: Request, env: Env): Promise<Response> {
+async function handleImageDelete(request: Request, env: Env): Promise<Response> {
   if (!hasValidToken(request, env)) {
-    return createResponse({ error: 'Unauthorized' }, 403);
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  const fileId = parseFileId(new URL(request.url).pathname);
+  if (!fileId) {
+    return createJsonResponse({ error: 'Image ID is required' }, 400);
   }
 
-  const url = new URL(request.url);
-  const encodedPath = url.pathname.slice(1);
-  if (!encodedPath) {
-    return createResponse({ error: 'Image delivery URL is required' }, 400);
+  const existing = await env.STRIAE_FILES.head(fileId);
+  if (!existing) {
+    return createJsonResponse({ error: 'File not found' }, 404);
   }
 
-  let decodedPath: string;
+  await env.STRIAE_FILES.delete(fileId);
+  return createJsonResponse({ success: true });
+}
 
-  try {
-    decodedPath = decodeURIComponent(encodedPath);
-  } catch {
-    return createResponse({ error: 'Image delivery URL must be URL-encoded' }, 400);
+async function handleImageServing(request: Request, env: Env): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
   }
 
-  let imageDeliveryURL: URL;
-  try {
-    imageDeliveryURL = new URL(decodedPath);
-  } catch {
-    return createResponse({ error: 'Image delivery URL is invalid' }, 400);
+  requireEncryptionRetrievalConfig(env);
+
+  const fileId = parseFileId(new URL(request.url).pathname);
+  if (!fileId) {
+    return createJsonResponse({ error: 'Image ID is required' }, 400);
   }
 
-  if (imageDeliveryURL.protocol !== 'https:' || imageDeliveryURL.hostname !== 'imagedelivery.net') {
-    return createResponse({ error: 'Image delivery URL must target imagedelivery.net over HTTPS' }, 400);
+  const file = await env.STRIAE_FILES.get(fileId);
+  if (!file) {
+    return createJsonResponse({ error: 'File not found' }, 404);
   }
-  
-  return generateSignedUrl(imageDeliveryURL, env);
+
+  const envelope = extractEnvelope(file);
+  if (!envelope) {
+    return createJsonResponse({ error: 'Missing data-at-rest envelope metadata' }, 500);
+  }
+
+  const encryptedData = await file.arrayBuffer();
+  const plaintext = await decryptBinaryFromStorage(
+    encryptedData,
+    envelope,
+    env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY
+  );
+
+  const contentType = file.customMetadata?.contentType || 'application/octet-stream';
+  const filename = file.customMetadata?.originalFilename || fileId;
+
+  return new Response(plaintext, {
+    status: 200,
+    headers: {
+      ...corsHeaders,
+      'Cache-Control': 'no-store',
+      'Content-Type': contentType,
+      'Content-Disposition': `inline; filename="${filename.replace(/"/g, '')}"`
+    }
+  });
 }
 
-/**
- * Main worker functions
- */
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
     if (request.method === 'OPTIONS') {
@@ -189,11 +258,11 @@ export default {
         case 'DELETE':
           return handleImageDelete(request, env);
         default:
-          return createResponse({ error: 'Method not allowed' }, 405);
+          return createJsonResponse({ error: 'Method not allowed' }, 405);
       }
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-      return createResponse({ error: errorMessage }, 500);
+      return createJsonResponse({ error: errorMessage }, 500);
     }
   }
 };

package/workers/image-worker/wrangler.jsonc.example

@@ -11,5 +11,12 @@
 	"enabled": true
   },
 
+  "r2_buckets": [
+    {
+      "binding": "STRIAE_FILES",
+      "bucket_name": "FILES_BUCKET_NAME"
+    }
+  ],
+
   "placement": { "mode": "smart" }
 }

package/workers/keys-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/pdf-worker/package.json

@@ -6,13 +6,10 @@
 		"generate:assets": "node scripts/generate-assets.js",
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/user-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {