@striae-org/striae 5.0.0 → 5.1.1

package/.env.example

@@ -47,7 +47,6 @@ PAGES_CUSTOM_DOMAIN=your_custom_domain_here
 KEYS_WORKER_NAME=your_keys_worker_name_here
 KEYS_WORKER_DOMAIN=your_keys_worker_domain_here
 KEYS_AUTH=your_custom_keys_auth_token_here
-ACCOUNT_HASH=your_cloudflare_images_account_hash_here
 
 # ================================
 # USER WORKER ENVIRONMENT VARIABLES  
@@ -61,6 +60,7 @@ KV_STORE_ID=your_kv_store_id_here
 # ================================
 DATA_WORKER_NAME=your_data_worker_name_here
 DATA_BUCKET_NAME=your_data_bucket_name_here
+FILES_BUCKET_NAME=your_files_bucket_name_here
 DATA_WORKER_DOMAIN=your_data_worker_domain_here
 # Auto-generated by scripts/deploy-config.sh when placeholders are detected.
 MANIFEST_SIGNING_PRIVATE_KEY=your_manifest_signing_private_key_here
@@ -69,6 +69,9 @@ MANIFEST_SIGNING_PUBLIC_KEY=your_manifest_signing_public_key_here
 EXPORT_ENCRYPTION_PRIVATE_KEY=your_export_encryption_private_key_here
 EXPORT_ENCRYPTION_KEY_ID=your_export_encryption_key_id_here
 EXPORT_ENCRYPTION_PUBLIC_KEY=your_export_encryption_public_key_here
+DATA_AT_REST_ENCRYPTION_PRIVATE_KEY=your_data_at_rest_encryption_private_key_here
+DATA_AT_REST_ENCRYPTION_KEY_ID=your_data_at_rest_encryption_key_id_here
+DATA_AT_REST_ENCRYPTION_PUBLIC_KEY=your_data_at_rest_encryption_public_key_here
 
 
 # ================================
@@ -83,8 +86,9 @@ AUDIT_WORKER_DOMAIN=your_audit_worker_domain_here
 # ================================
 IMAGES_WORKER_NAME=your_images_worker_name_here
 IMAGES_WORKER_DOMAIN=your_images_worker_domain_here
-API_TOKEN=your_cloudflare_images_api_token_here
-HMAC_KEY=your_cloudflare_images_hmac_key_here
+IMAGE_SIGNED_URL_SECRET=your_image_signed_url_secret_here
+# Optional: defaults to 3600 and max is 86400.
+IMAGE_SIGNED_URL_TTL_SECONDS=3600
 
 # ================================
 # PDF WORKER ENVIRONMENT VARIABLES

package/app/components/actions/case-export/download-handlers.ts

@@ -965,13 +965,29 @@ For questions about this export, contact your Striae system administrator.
  */
 async function fetchImageAsBlob(user: User, fileData: FileData, caseNumber: string): Promise<Blob | null> {
   try {
-    const imageUrl = await getImageUrl(user, fileData, caseNumber, 'Export Package');
-    if (!imageUrl) return null;
-    
-    const response = await fetch(imageUrl);
-    if (!response.ok) return null;
-    
-    return await response.blob();
+    const imageAccess = await getImageUrl(user, fileData, caseNumber, 'Export Package');
+    const { blob, revoke, url } = imageAccess;
+
+    if (!blob) {
+      const signedResponse = await fetch(url, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/octet-stream,image/*'
+        }
+      });
+
+      if (!signedResponse.ok) {
+        throw new Error(`Signed URL fetch failed with status ${signedResponse.status}`);
+      }
+
+      return await signedResponse.blob();
+    }
+
+    try {
+      return blob;
+    } finally {
+      revoke();
+    }
   } catch (error) {
     console.error('Failed to fetch image blob:', error);
     return null;

package/app/components/actions/case-manage.ts

@@ -12,6 +12,7 @@ import {
   duplicateCaseData,
   deleteFileAnnotations,
   signForensicManifest,
+  moveCaseConfirmationSummary,
   removeCaseConfirmationSummary
 } from '~/utils/data';
 import { type CaseData, type ReadOnlyCaseData, type FileData, type AuditTrail, type CaseExportData, type ValidationAuditEntry } from '~/types';
@@ -392,7 +393,10 @@ export const renameCase = async (
     // 4) Delete R2 case data with old case number
     await deleteCaseData(user, oldCaseNumber);
 
-    // 5) Delete old case number in user's KV entry
+    // 5) Move confirmation summary metadata to the new case number
+    await moveCaseConfirmationSummary(user, oldCaseNumber, newCaseNumber);
+
+    // 6) Delete old case number in user's KV entry
     await removeUserCase(user, oldCaseNumber);
 
     // Log successful case rename under the original case number context
@@ -681,18 +685,29 @@ const getVerificationPublicSigningKey = (preferredKeyId?: string): { keyId: stri
 
 const fetchImageAsBlob = async (user: User, fileData: FileData, caseNumber: string): Promise<Blob | null> => {
   try {
-    const imageUrl = await getImageUrl(user, fileData, caseNumber, 'Archive Package');
+    const imageAccess = await getImageUrl(user, fileData, caseNumber, 'Archive Package');
+    const { blob, revoke, url } = imageAccess;
+
+    if (!blob) {
+      const signedResponse = await fetch(url, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/octet-stream,image/*'
+        }
+      });
 
-    if (!imageUrl) {
-      return null;
-    }
+      if (!signedResponse.ok) {
+        throw new Error(`Signed URL fetch failed with status ${signedResponse.status}`);
+      }
 
-    const response = await fetch(imageUrl);
-    if (!response.ok) {
-      return null;
+      return await signedResponse.blob();
     }
 
-    return await response.blob();
+    try {
+      return blob;
+    } finally {
+      revoke();
+    }
   } catch (error) {
     console.error('Failed to fetch image for archive package:', error);
     return null;

package/app/components/actions/generate-pdf.ts

@@ -6,6 +6,7 @@ import { fetchPdfApi } from '~/utils/api';
 interface GeneratePDFParams {
   user: User;
   selectedImage: string | undefined;
+  sourceImageId?: string;
   selectedFilename: string | undefined;
   userCompany: string;
   userFirstName: string;
@@ -21,9 +22,54 @@ interface GeneratePDFParams {
   setToastDuration?: (duration: number) => void;
 }
 
+const CLEAR_IMAGE_SENTINEL = '/clear.jpg';
+
+const blobToDataUrl = async (blob: Blob): Promise<string> => {
+  return await new Promise<string>((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onloadend = () => {
+      if (typeof reader.result === 'string') {
+        resolve(reader.result);
+        return;
+      }
+
+      reject(new Error('Failed to read image blob as data URL'));
+    };
+    reader.onerror = () => reject(new Error('Failed to convert image for PDF rendering'));
+    reader.readAsDataURL(blob);
+  });
+};
+
+const resolvePdfImageUrl = async (selectedImage: string | undefined): Promise<string | undefined> => {
+  if (!selectedImage || selectedImage === CLEAR_IMAGE_SENTINEL) {
+    return selectedImage;
+  }
+
+  if (selectedImage.startsWith('/')) {
+    return new URL(selectedImage, window.location.origin).toString();
+  }
+
+  if (selectedImage.startsWith('data:')) {
+    return selectedImage;
+  }
+
+  if (selectedImage.startsWith('blob:')) {
+    const imageResponse = await fetch(selectedImage);
+    if (!imageResponse.ok) {
+      throw new Error('Failed to load selected image for PDF generation');
+    }
+
+    const imageBlob = await imageResponse.blob();
+    return await blobToDataUrl(imageBlob);
+  }
+
+  return selectedImage;
+};
+
 export const generatePDF = async ({
   user,
   selectedImage,
+  sourceImageId,
   selectedFilename,
   userCompany,
   userFirstName,
@@ -61,8 +107,10 @@ export const generatePDF = async ({
       notesUpdatedFormatted = `${(updatedDate.getMonth() + 1).toString().padStart(2, '0')}/${updatedDate.getDate().toString().padStart(2, '0')}/${updatedDate.getFullYear()}`;
     }
 
+    const resolvedImageUrl = await resolvePdfImageUrl(selectedImage);
+
     const pdfData = {
-      imageUrl: selectedImage,
+      imageUrl: resolvedImageUrl,
       filename: selectedFilename,
       userCompany: userCompany,
       firstName: userFirstName,
@@ -145,7 +193,7 @@ export const generatePDF = async ({
           processingTime,
           blob.size,
           [],
-          selectedImage, // Source file ID
+          sourceImageId, // Source file ID
           selectedFilename // Source original filename
         );
       } catch (auditError) {
@@ -173,7 +221,7 @@ export const generatePDF = async ({
           processingTime,
           0, // No file size for failed generation
           [errorText || 'PDF generation failed'],
-          selectedImage, // Source file ID
+          sourceImageId, // Source file ID
           selectedFilename // Source original filename
         );
       } catch (auditError) {
@@ -200,7 +248,7 @@ export const generatePDF = async ({
         processingTime,
         0, // No file size for failed generation
         [error instanceof Error ? error.message : 'Unknown error generating PDF'],
-        selectedImage, // Source file ID
+        sourceImageId, // Source file ID
         selectedFilename // Source original filename
       );
     } catch (auditError) {

package/app/components/actions/image-manage.ts

@@ -1,10 +1,7 @@
 import type { User } from 'firebase/auth';
-import { 
-  getAccountHash 
-} from '~/utils/auth';
-import { fetchImageApi, uploadImageApi } from '~/utils/api';
+import { createSignedImageUrlApi, fetchImageApi, uploadImageApi } from '~/utils/api';
 import { canUploadFile, getCaseData, updateCaseData, deleteFileAnnotations } from '~/utils/data';
-import type { CaseData, FileData, ImageUploadResponse } from '~/types';
+import type { CaseData, FileData, ImageAccessResult, ImageUploadResponse } from '~/types';
 import { auditService } from '~/services/audit';
 
 export interface DeleteFileResult {
@@ -258,88 +255,91 @@ export const deleteFile = async (
   }
 };
 
-const DEFAULT_VARIANT = 'striae';
-interface ImageDeliveryConfig {
-  accountHash: string;
-}
-
-const getImageConfig = async (): Promise<ImageDeliveryConfig> => {
-  const accountHash = await getAccountHash();
-  return { accountHash };
-};
-
-
-export const getImageUrl = async (user: User, fileData: FileData, caseNumber: string, accessReason?: string): Promise<string> => {
+export const getImageUrl = async (
+  user: User,
+  fileData: FileData,
+  caseNumber: string,
+  accessReason?: string
+): Promise<ImageAccessResult> => {
   const startTime = Date.now();
   const defaultAccessReason = accessReason || 'Image viewer access';
-  
+
   try {
-    const { accountHash } = await getImageConfig();
-    const imageDeliveryUrl = `https://imagedelivery.net/${accountHash}/${fileData.id}/${DEFAULT_VARIANT}`;
-    const encodedImageDeliveryUrl = encodeURIComponent(imageDeliveryUrl);
+    try {
+      const signedUrlResponse = await createSignedImageUrlApi(user, fileData.id);
 
-    const workerResponse = await fetchImageApi(user, `/${encodedImageDeliveryUrl}`, {
-      method: 'GET',
-      headers: {
-        'Accept': 'text/plain'
-      }
-    });
-    
-    if (!workerResponse.ok) {
-      // Log failed image access
       await auditService.logFileAccess(
         user,
         fileData.originalFilename || fileData.id,
         fileData.id,
         'signed-url',
         caseNumber,
-        'failure',
+        'success',
         Date.now() - startTime,
-        'Image URL generation failed',
+        defaultAccessReason,
         fileData.originalFilename
       );
-      throw new Error('Failed to get signed image URL');
+
+      return {
+        url: signedUrlResponse.result.url,
+        revoke: () => {},
+        urlType: 'signed',
+        expiresAt: signedUrlResponse.result.expiresAt
+      };
+    } catch {
+      // Fallback to direct blob retrieval during migration.
     }
-    
-    const signedUrl = await workerResponse.text();
-    if (!signedUrl.includes('sig=') || !signedUrl.includes('exp=')) {
-      // Log invalid URL response
+
+    const workerResponse = await fetchImageApi(user, `/${encodeURIComponent(fileData.id)}`, {
+      method: 'GET',
+      headers: {
+        'Accept': 'application/octet-stream,image/*'
+      }
+    });
+
+    if (!workerResponse.ok) {
       await auditService.logFileAccess(
         user,
         fileData.originalFilename || fileData.id,
         fileData.id,
-        'signed-url',
+        'direct-url',
         caseNumber,
         'failure',
         Date.now() - startTime,
-        'Invalid signed URL returned',
+        'Image retrieval failed',
         fileData.originalFilename
       );
-      throw new Error('Invalid signed URL returned');
+      throw new Error('Failed to retrieve image');
     }
-    
-    // Log successful image access
+
+    const blob = await workerResponse.blob();
+    const objectUrl = URL.createObjectURL(blob);
+
     await auditService.logFileAccess(
       user,
       fileData.originalFilename || fileData.id,
       fileData.id,
-      'signed-url',
+      'direct-url',
       caseNumber,
       'success',
       Date.now() - startTime,
       defaultAccessReason,
       fileData.originalFilename
     );
-    
-    return signedUrl;
+
+    return {
+      blob,
+      url: objectUrl,
+      revoke: () => URL.revokeObjectURL(objectUrl),
+      urlType: 'blob'
+    };
   } catch (error) {
-    // Log any unexpected errors if not already logged
-    if (!(error instanceof Error && error.message.includes('Failed to get signed image URL'))) {
+    if (!(error instanceof Error && error.message.includes('Failed to retrieve image'))) {
       await auditService.logFileAccess(
         user,
         fileData.originalFilename || fileData.id,
         fileData.id,
-        'signed-url',
+        'direct-url',
         caseNumber,
         'failure',
         Date.now() - startTime,

package/app/routes/striae/hooks/use-striae-reset-helpers.ts

@@ -26,6 +26,7 @@ interface UseStriaeResetHelpersProps {
   setShowNotes: Dispatch<SetStateAction<boolean>>;
   setIsAuditTrailOpen: Dispatch<SetStateAction<boolean>>;
   setIsRenameCaseModalOpen: Dispatch<SetStateAction<boolean>>;
+  onRevokeImage?: () => void;
 }
 
 export const useStriaeResetHelpers = ({
@@ -45,8 +46,10 @@ export const useStriaeResetHelpers = ({
   setShowNotes,
   setIsAuditTrailOpen,
   setIsRenameCaseModalOpen,
+  onRevokeImage,
 }: UseStriaeResetHelpersProps) => {
   const clearSelectedImageState = useCallback(() => {
+    onRevokeImage?.();
     setSelectedImage('/clear.jpg');
     setSelectedFilename(undefined);
     setImageId(undefined);
@@ -54,6 +57,7 @@ export const useStriaeResetHelpers = ({
     setError(undefined);
     setImageLoaded(false);
   }, [
+    onRevokeImage,
     setSelectedImage,
     setSelectedFilename,
     setImageId,

package/app/routes/striae/striae.tsx

@@ -1,5 +1,5 @@
 import type { User } from 'firebase/auth';
-import { useState, useEffect } from 'react';
+import { useState, useEffect, useRef, useCallback } from 'react';
 import { SidebarContainer } from '~/components/sidebar/sidebar-container';
 import { Navbar } from '~/components/navbar/navbar';
 import { RenameCaseModal } from '~/components/navbar/case-modals/rename-case-modal';
@@ -47,6 +47,7 @@ export const Striae = ({ user }: StriaePage) => {
   const [imageId, setImageId] = useState<string>();
   const [error, setError] = useState<string>();
   const [imageLoaded, setImageLoaded] = useState(false);
+  const currentRevokeRef = useRef<(() => void) | null>(null);
 
   // User states
   const [userCompany, setUserCompany] = useState<string>('');
@@ -98,6 +99,11 @@ export const Striae = ({ user }: StriaePage) => {
     archiveReason?: string;
   }>({ archived: false });
 
+  const handleRevokeImage = useCallback(() => {
+    currentRevokeRef.current?.();
+    currentRevokeRef.current = null;
+  }, []);
+
   const {
     clearSelectedImageState,
     clearCaseContextState,
@@ -119,6 +125,7 @@ export const Striae = ({ user }: StriaePage) => {
     setShowNotes,
     setIsAuditTrailOpen,
     setIsRenameCaseModalOpen,
+    onRevokeImage: handleRevokeImage,
   });
 
 
@@ -234,6 +241,7 @@ export const Striae = ({ user }: StriaePage) => {
     await generatePDF({
       user,
       selectedImage,
+      sourceImageId: imageId,
       selectedFilename,
       userCompany,
       userFirstName,
@@ -574,6 +582,8 @@ export const Striae = ({ user }: StriaePage) => {
   useEffect(() => {
     // Cleanup function to clear image when component unmounts
     return () => {
+      currentRevokeRef.current?.();
+      currentRevokeRef.current = null;
       setSelectedImage(undefined);
       setSelectedFilename(undefined);
       setError(undefined);
@@ -645,14 +655,16 @@ export const Striae = ({ user }: StriaePage) => {
 
   try {
       setError(undefined);
+      currentRevokeRef.current?.();
+      currentRevokeRef.current = null;
       setSelectedImage(undefined);
       setSelectedFilename(undefined);
       setImageLoaded(false);
     
-    const signedUrl = await getImageUrl(user, file, currentCase);
-    if (!signedUrl) throw new Error('No URL returned');
+    const { url, revoke } = await getImageUrl(user, file, currentCase);
+    currentRevokeRef.current = revoke;
 
-    setSelectedImage(signedUrl);
+    setSelectedImage(url);
       setSelectedFilename(file.originalFilename);
       setImageId(file.id); 
       setImageLoaded(true);

package/app/types/file.ts

@@ -12,8 +12,6 @@ export interface FileUploadResponse {
     id: string;
     filename: string;
     uploaded: string;
-    requireSignedURLs: boolean;
-    variants: string[];
   };
   errors: Array<{
     code: number;
@@ -27,4 +25,22 @@ export interface ImageUploadResponse {
   result: FileUploadResponse['result'];
   errors: FileUploadResponse['errors'];
   messages: FileUploadResponse['messages'];
+}
+
+export interface SignedImageUrlResponse {
+  success: boolean;
+  result: {
+    fileId: string;
+    url: string;
+    expiresAt: string;
+    expiresInSeconds: number;
+  };
+}
+
+export interface ImageAccessResult {
+  url: string;
+  revoke: () => void;
+  blob?: Blob;
+  urlType: 'signed' | 'blob';
+  expiresAt?: string;
 }

package/app/utils/api/image-api-client.ts

@@ -1,5 +1,5 @@
 import type { User } from 'firebase/auth';
-import { type ImageUploadResponse } from '~/types';
+import { type ImageUploadResponse, type SignedImageUrlResponse } from '~/types';
 
 const IMAGE_API_BASE = '/api/image';
 
@@ -93,6 +93,54 @@ function parseUploadResponse(payload: string): ImageUploadResponse {
   return parsed;
 }
 
+function parseSignedUrlResponse(payload: string): SignedImageUrlResponse {
+  const parsed = JSON.parse(payload) as SignedImageUrlResponse;
+  if (!parsed.success || !parsed.result?.url || !parsed.result?.fileId || !parsed.result?.expiresAt) {
+    throw new Error('Signed URL response is invalid');
+  }
+
+  return parsed;
+}
+
+export async function createSignedImageUrlApi(
+  user: User,
+  fileId: string,
+  expiresInSeconds?: number
+): Promise<SignedImageUrlResponse> {
+  const response = await fetchImageApi(user, `/${encodeURIComponent(fileId)}/signed-url`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Accept': 'application/json'
+    },
+    body: JSON.stringify(
+      typeof expiresInSeconds === 'number'
+        ? { expiresInSeconds }
+        : {}
+    )
+  });
+
+  if (!response.ok) {
+    throw new Error(`Signed URL request failed with status ${response.status}`);
+  }
+
+  const parsed = parseSignedUrlResponse(await response.text());
+  const rawUrl = parsed.result.url;
+  let normalizedUrl = rawUrl;
+
+  if (rawUrl.startsWith('/')) {
+    normalizedUrl = new URL(rawUrl, window.location.origin).toString();
+  }
+
+  return {
+    ...parsed,
+    result: {
+      ...parsed.result,
+      url: normalizedUrl
+    }
+  };
+}
+
 export async function uploadImageApi(
   user: User,
   file: File,

package/app/utils/data/operations/case-operations.ts

@@ -43,7 +43,19 @@ export const getCaseData = async (
     }
 
     if (!response.ok) {
-      throw new Error(`Failed to fetch case data: ${response.status} ${response.statusText}`);
+      let errorDetails = '';
+
+      try {
+        const errorPayload = await response.json() as { error?: unknown };
+        if (typeof errorPayload?.error === 'string' && errorPayload.error.trim().length > 0) {
+          errorDetails = errorPayload.error.trim();
+        }
+      } catch {
+        // Ignore parse errors and fall back to status text only.
+      }
+
+      const baseMessage = `Failed to fetch case data: ${response.status} ${response.statusText}`;
+      throw new Error(errorDetails ? `${baseMessage} - ${errorDetails}` : baseMessage);
     }
 
     const caseData = await response.json() as CaseData;

package/app/utils/data/operations/confirmation-summary-operations.ts

@@ -86,7 +86,19 @@ export const getConfirmationSummaryDocument = async (
   });
 
   if (!response.ok) {
-    throw new Error(`Failed to fetch confirmation summary: ${response.status} ${response.statusText}`);
+    let errorDetails = '';
+
+    try {
+      const errorPayload = await response.json() as { error?: unknown };
+      if (typeof errorPayload?.error === 'string' && errorPayload.error.trim().length > 0) {
+        errorDetails = errorPayload.error.trim();
+      }
+    } catch {
+      // Ignore parse errors and fall back to status text only.
+    }
+
+    const baseMessage = `Failed to fetch confirmation summary: ${response.status} ${response.statusText}`;
+    throw new Error(errorDetails ? `${baseMessage} - ${errorDetails}` : baseMessage);
   }
 
   const payload = await response.json().catch(() => null) as unknown;
@@ -299,3 +311,28 @@ export const removeCaseConfirmationSummary = async (
 
   await saveConfirmationSummaryDocument(user, summary);
 };
+
+export const moveCaseConfirmationSummary = async (
+  user: User,
+  fromCaseNumber: string,
+  toCaseNumber: string
+): Promise<void> => {
+  if (fromCaseNumber === toCaseNumber) {
+    return;
+  }
+
+  const summary = await getConfirmationSummaryDocument(user);
+  const existingCaseSummary = summary.cases[fromCaseNumber];
+  if (!existingCaseSummary) {
+    return;
+  }
+
+  delete summary.cases[fromCaseNumber];
+  summary.cases[toCaseNumber] = {
+    ...existingCaseSummary,
+    updatedAt: getIsoNow(),
+  };
+  summary.updatedAt = getIsoNow();
+
+  await saveConfirmationSummaryDocument(user, summary);
+};

package/app/utils/data/operations/file-annotation-operations.ts

@@ -42,7 +42,19 @@ export const getFileAnnotations = async (
     }
 
     if (!response.ok) {
-      throw new Error(`Failed to fetch file annotations: ${response.status} ${response.statusText}`);
+      let errorDetails = '';
+
+      try {
+        const errorPayload = await response.json() as { error?: unknown };
+        if (typeof errorPayload?.error === 'string' && errorPayload.error.trim().length > 0) {
+          errorDetails = errorPayload.error.trim();
+        }
+      } catch {
+        // Ignore parse errors and fall back to status text only.
+      }
+
+      const baseMessage = `Failed to fetch file annotations: ${response.status} ${response.statusText}`;
+      throw new Error(errorDetails ? `${baseMessage} - ${errorDetails}` : baseMessage);
     }
 
     return await response.json() as AnnotationData;

package/functions/api/image/[[path]].ts

@@ -82,12 +82,13 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
     });
   }
 
+  const requestUrl = new URL(request.url);
+
   const identity = await verifyFirebaseIdentityFromRequest(request, env);
   if (!identity) {
     return textResponse('Unauthorized', 401);
   }
 
-  const requestUrl = new URL(request.url);
   const proxyPathResult = extractProxyPath(requestUrl);
   if (!proxyPathResult.ok) {
     return proxyPathResult.reason === 'bad-encoding'