@striae-org/striae 5.1.0 → 5.2.0

package/.env.example

@@ -47,7 +47,6 @@ PAGES_CUSTOM_DOMAIN=your_custom_domain_here
 KEYS_WORKER_NAME=your_keys_worker_name_here
 KEYS_WORKER_DOMAIN=your_keys_worker_domain_here
 KEYS_AUTH=your_custom_keys_auth_token_here
-ACCOUNT_HASH=your_cloudflare_images_account_hash_here
 
 # ================================
 # USER WORKER ENVIRONMENT VARIABLES  
@@ -55,6 +54,17 @@ ACCOUNT_HASH=your_cloudflare_images_account_hash_here
 USER_WORKER_NAME=your_user_worker_name_here
 USER_WORKER_DOMAIN=your_user_worker_domain_here
 KV_STORE_ID=your_kv_store_id_here
+USER_KV_ENCRYPTION_PRIVATE_KEY=your_user_kv_encryption_private_key_here
+USER_KV_ENCRYPTION_KEY_ID=your_user_kv_encryption_key_id_here
+USER_KV_ENCRYPTION_PUBLIC_KEY=your_user_kv_encryption_public_key_here
+# Optional write toggle for USER_DB mutation endpoints.
+# true (default): require USER_KV_ENCRYPTION_PUBLIC_KEY and USER_KV_ENCRYPTION_KEY_ID for encrypt-on-write.
+# false: allow read-only deployments using private key material (legacy key or key registry) without write-path keys.
+USER_KV_WRITE_ENDPOINTS_ENABLED=true
+# Optional key registry for rotation-safe USER_DB reads.
+# JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
+USER_KV_ENCRYPTION_KEYS_JSON='{"activeKeyId":"your_user_kv_active_encryption_key_id_here","keys":{"your_user_kv_active_encryption_key_id_here":"your_user_kv_encryption_private_key_here"}}'
+USER_KV_ENCRYPTION_ACTIVE_KEY_ID=your_user_kv_active_encryption_key_id_here
 
 # ================================
 # DATA WORKER ENVIRONMENT VARIABLES
@@ -70,11 +80,18 @@ MANIFEST_SIGNING_PUBLIC_KEY=your_manifest_signing_public_key_here
 EXPORT_ENCRYPTION_PRIVATE_KEY=your_export_encryption_private_key_here
 EXPORT_ENCRYPTION_KEY_ID=your_export_encryption_key_id_here
 EXPORT_ENCRYPTION_PUBLIC_KEY=your_export_encryption_public_key_here
+# Optional key registry for export decrypt compatibility.
+# JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
+EXPORT_ENCRYPTION_KEYS_JSON='{"activeKeyId":"your_export_encryption_active_key_id_here","keys":{"your_export_encryption_active_key_id_here":"your_export_encryption_private_key_here"}}'
+EXPORT_ENCRYPTION_ACTIVE_KEY_ID=your_export_encryption_active_key_id_here
 DATA_AT_REST_ENCRYPTION_ENABLED=true
 DATA_AT_REST_ENCRYPTION_PRIVATE_KEY=your_data_at_rest_encryption_private_key_here
 DATA_AT_REST_ENCRYPTION_KEY_ID=your_data_at_rest_encryption_key_id_here
 DATA_AT_REST_ENCRYPTION_PUBLIC_KEY=your_data_at_rest_encryption_public_key_here
-
+# Optional key registry for data/files/audit decryption compatibility.
+# JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
+DATA_AT_REST_ENCRYPTION_KEYS_JSON='{"activeKeyId":"your_data_at_rest_active_encryption_key_id_here","keys":{"your_data_at_rest_active_encryption_key_id_here":"your_data_at_rest_encryption_private_key_here"}}'
+DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID=your_data_at_rest_active_encryption_key_id_here
 
 # ================================
 # AUDIT WORKER ENVIRONMENT VARIABLES
@@ -88,6 +105,9 @@ AUDIT_WORKER_DOMAIN=your_audit_worker_domain_here
 # ================================
 IMAGES_WORKER_NAME=your_images_worker_name_here
 IMAGES_WORKER_DOMAIN=your_images_worker_domain_here
+IMAGE_SIGNED_URL_SECRET=your_image_signed_url_secret_here
+# Optional: defaults to 3600 and max is 86400.
+IMAGE_SIGNED_URL_TTL_SECONDS=3600
 
 # ================================
 # PDF WORKER ENVIRONMENT VARIABLES

package/app/components/actions/case-export/download-handlers.ts

@@ -965,7 +965,24 @@ For questions about this export, contact your Striae system administrator.
  */
 async function fetchImageAsBlob(user: User, fileData: FileData, caseNumber: string): Promise<Blob | null> {
   try {
-    const { blob, revoke } = await getImageUrl(user, fileData, caseNumber, 'Export Package');
+    const imageAccess = await getImageUrl(user, fileData, caseNumber, 'Export Package');
+    const { blob, revoke, url } = imageAccess;
+
+    if (!blob) {
+      const signedResponse = await fetch(url, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/octet-stream,image/*'
+        }
+      });
+
+      if (!signedResponse.ok) {
+        throw new Error(`Signed URL fetch failed with status ${signedResponse.status}`);
+      }
+
+      return await signedResponse.blob();
+    }
+
     try {
       return blob;
     } finally {

package/app/components/actions/case-manage.ts

@@ -685,7 +685,23 @@ const getVerificationPublicSigningKey = (preferredKeyId?: string): { keyId: stri
 
 const fetchImageAsBlob = async (user: User, fileData: FileData, caseNumber: string): Promise<Blob | null> => {
   try {
-    const { blob, revoke } = await getImageUrl(user, fileData, caseNumber, 'Archive Package');
+    const imageAccess = await getImageUrl(user, fileData, caseNumber, 'Archive Package');
+    const { blob, revoke, url } = imageAccess;
+
+    if (!blob) {
+      const signedResponse = await fetch(url, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/octet-stream,image/*'
+        }
+      });
+
+      if (!signedResponse.ok) {
+        throw new Error(`Signed URL fetch failed with status ${signedResponse.status}`);
+      }
+
+      return await signedResponse.blob();
+    }
 
     try {
       return blob;

package/app/components/actions/generate-pdf.ts

@@ -6,6 +6,7 @@ import { fetchPdfApi } from '~/utils/api';
 interface GeneratePDFParams {
   user: User;
   selectedImage: string | undefined;
+  sourceImageId?: string;
   selectedFilename: string | undefined;
   userCompany: string;
   userFirstName: string;
@@ -44,6 +45,10 @@ const resolvePdfImageUrl = async (selectedImage: string | undefined): Promise<st
     return selectedImage;
   }
 
+  if (selectedImage.startsWith('/')) {
+    return new URL(selectedImage, window.location.origin).toString();
+  }
+
   if (selectedImage.startsWith('data:')) {
     return selectedImage;
   }
@@ -64,6 +69,7 @@ const resolvePdfImageUrl = async (selectedImage: string | undefined): Promise<st
 export const generatePDF = async ({
   user,
   selectedImage,
+  sourceImageId,
   selectedFilename,
   userCompany,
   userFirstName,
@@ -187,7 +193,7 @@ export const generatePDF = async ({
           processingTime,
           blob.size,
           [],
-          selectedImage, // Source file ID
+          sourceImageId, // Source file ID
           selectedFilename // Source original filename
         );
       } catch (auditError) {
@@ -215,7 +221,7 @@ export const generatePDF = async ({
           processingTime,
           0, // No file size for failed generation
           [errorText || 'PDF generation failed'],
-          selectedImage, // Source file ID
+          sourceImageId, // Source file ID
           selectedFilename // Source original filename
         );
       } catch (auditError) {
@@ -242,7 +248,7 @@ export const generatePDF = async ({
         processingTime,
         0, // No file size for failed generation
         [error instanceof Error ? error.message : 'Unknown error generating PDF'],
-        selectedImage, // Source file ID
+        sourceImageId, // Source file ID
         selectedFilename // Source original filename
       );
     } catch (auditError) {

package/app/components/actions/image-manage.ts

@@ -1,7 +1,7 @@
 import type { User } from 'firebase/auth';
-import { fetchImageApi, uploadImageApi } from '~/utils/api';
+import { createSignedImageUrlApi, fetchImageApi, uploadImageApi } from '~/utils/api';
 import { canUploadFile, getCaseData, updateCaseData, deleteFileAnnotations } from '~/utils/data';
-import type { CaseData, FileData, ImageUploadResponse } from '~/types';
+import type { CaseData, FileData, ImageAccessResult, ImageUploadResponse } from '~/types';
 import { auditService } from '~/services/audit';
 
 export interface DeleteFileResult {
@@ -255,20 +255,49 @@ export const deleteFile = async (
   }
 };
 
-export const getImageUrl = async (user: User, fileData: FileData, caseNumber: string, accessReason?: string): Promise<{ blob: Blob; url: string; revoke: () => void }> => {
+export const getImageUrl = async (
+  user: User,
+  fileData: FileData,
+  caseNumber: string,
+  accessReason?: string
+): Promise<ImageAccessResult> => {
   const startTime = Date.now();
   const defaultAccessReason = accessReason || 'Image viewer access';
-  
+
   try {
+    try {
+      const signedUrlResponse = await createSignedImageUrlApi(user, fileData.id);
+
+      await auditService.logFileAccess(
+        user,
+        fileData.originalFilename || fileData.id,
+        fileData.id,
+        'signed-url',
+        caseNumber,
+        'success',
+        Date.now() - startTime,
+        defaultAccessReason,
+        fileData.originalFilename
+      );
+
+      return {
+        url: signedUrlResponse.result.url,
+        revoke: () => {},
+        urlType: 'signed',
+        expiresAt: signedUrlResponse.result.expiresAt
+      };
+    } catch {
+      // Fallback to direct blob retrieval during migration.
+    }
+
     const workerResponse = await fetchImageApi(user, `/${encodeURIComponent(fileData.id)}`, {
       method: 'GET',
       headers: {
         'Accept': 'application/octet-stream,image/*'
       }
     });
-    
+
     if (!workerResponse.ok) {
-      // Log failed image access
       await auditService.logFileAccess(
         user,
         fileData.originalFilename || fileData.id,
@@ -285,8 +314,7 @@ export const getImageUrl = async (user: User, fileData: FileData, caseNumber: st
 
     const blob = await workerResponse.blob();
     const objectUrl = URL.createObjectURL(blob);
-    
-    // Log successful image access
+
     await auditService.logFileAccess(
       user,
       fileData.originalFilename || fileData.id,
@@ -298,10 +326,14 @@ export const getImageUrl = async (user: User, fileData: FileData, caseNumber: st
       defaultAccessReason,
       fileData.originalFilename
     );
-    
-    return { blob, url: objectUrl, revoke: () => URL.revokeObjectURL(objectUrl) };
+
+    return {
+      blob,
+      url: objectUrl,
+      revoke: () => URL.revokeObjectURL(objectUrl),
+      urlType: 'blob'
+    };
   } catch (error) {
-    // Log any unexpected errors if not already logged
     if (!(error instanceof Error && error.message.includes('Failed to retrieve image'))) {
       await auditService.logFileAccess(
         user,

package/app/routes/striae/striae.tsx

@@ -241,6 +241,7 @@ export const Striae = ({ user }: StriaePage) => {
     await generatePDF({
       user,
       selectedImage,
+      sourceImageId: imageId,
       selectedFilename,
       userCompany,
       userFirstName,

package/app/types/file.ts

@@ -12,8 +12,6 @@ export interface FileUploadResponse {
     id: string;
     filename: string;
     uploaded: string;
-    requireSignedURLs: boolean;
-    variants: string[];
   };
   errors: Array<{
     code: number;
@@ -27,4 +25,22 @@ export interface ImageUploadResponse {
   result: FileUploadResponse['result'];
   errors: FileUploadResponse['errors'];
   messages: FileUploadResponse['messages'];
+}
+
+export interface SignedImageUrlResponse {
+  success: boolean;
+  result: {
+    fileId: string;
+    url: string;
+    expiresAt: string;
+    expiresInSeconds: number;
+  };
+}
+
+export interface ImageAccessResult {
+  url: string;
+  revoke: () => void;
+  blob?: Blob;
+  urlType: 'signed' | 'blob';
+  expiresAt?: string;
 }

package/app/utils/api/image-api-client.ts

@@ -1,5 +1,5 @@
 import type { User } from 'firebase/auth';
-import { type ImageUploadResponse } from '~/types';
+import { type ImageUploadResponse, type SignedImageUrlResponse } from '~/types';
 
 const IMAGE_API_BASE = '/api/image';
 
@@ -93,6 +93,54 @@ function parseUploadResponse(payload: string): ImageUploadResponse {
   return parsed;
 }
 
+function parseSignedUrlResponse(payload: string): SignedImageUrlResponse {
+  const parsed = JSON.parse(payload) as SignedImageUrlResponse;
+  if (!parsed.success || !parsed.result?.url || !parsed.result?.fileId || !parsed.result?.expiresAt) {
+    throw new Error('Signed URL response is invalid');
+  }
+
+  return parsed;
+}
+
+export async function createSignedImageUrlApi(
+  user: User,
+  fileId: string,
+  expiresInSeconds?: number
+): Promise<SignedImageUrlResponse> {
+  const response = await fetchImageApi(user, `/${encodeURIComponent(fileId)}/signed-url`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Accept': 'application/json'
+    },
+    body: JSON.stringify(
+      typeof expiresInSeconds === 'number'
+        ? { expiresInSeconds }
+        : {}
+    )
+  });
+
+  if (!response.ok) {
+    throw new Error(`Signed URL request failed with status ${response.status}`);
+  }
+
+  const parsed = parseSignedUrlResponse(await response.text());
+  const rawUrl = parsed.result.url;
+  let normalizedUrl = rawUrl;
+
+  if (rawUrl.startsWith('/')) {
+    normalizedUrl = new URL(rawUrl, window.location.origin).toString();
+  }
+
+  return {
+    ...parsed,
+    result: {
+      ...parsed.result,
+      url: normalizedUrl
+    }
+  };
+}
+
 export async function uploadImageApi(
   user: User,
   file: File,

package/app/utils/data/permissions.ts

@@ -42,8 +42,10 @@ export const getUserData = async (user: User): Promise<UserData | null> => {
     if (response.status === 404) {
       return null; // User not found
     }
-    
-    throw new Error('Failed to fetch user data');
+
+    const responseBody = await response.text().catch(() => '');
+    const detail = responseBody ? `: ${responseBody}` : '';
+    throw new Error(`Failed to fetch user data (${response.status} ${response.statusText})${detail}`);
   } catch (error) {
     console.error('Error fetching user data:', error);
     throw error;

package/functions/api/image/[[path]].ts

@@ -82,12 +82,13 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
     });
   }
 
+  const requestUrl = new URL(request.url);
+
   const identity = await verifyFirebaseIdentityFromRequest(request, env);
   if (!identity) {
     return textResponse('Unauthorized', 401);
   }
 
-  const requestUrl = new URL(request.url);
   const proxyPathResult = extractProxyPath(requestUrl);
   if (!proxyPathResult.ok) {
     return proxyPathResult.reason === 'bad-encoding'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.1.0",
+  "version": "5.2.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -54,7 +54,7 @@
     "workers/*/src/*.example.ts",
     "workers/*/src/*.example.js",
     "workers/*/src/*.ts",
-    "workers/pdf-worker/scripts/*.js",    
+    "workers/pdf-worker/scripts/*.js",
     "!workers/*/src/*worker.ts",
     "workers/pdf-worker/src/assets/generated-assets.example.ts",
     "workers/pdf-worker/src/formats/format-striae.ts",
@@ -67,7 +67,7 @@
     "vite.config.ts",
     "worker-configuration.d.ts",
     "wrangler.toml.example",
-    "LICENSE"    
+    "LICENSE"
   ],
   "sideEffects": false,
   "type": "module",
@@ -106,7 +106,7 @@
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
     "deploy-workers:keys": "cd workers/keys-worker && npm run deploy",
     "deploy-workers:pdf": "cd workers/pdf-worker && npm run deploy",
-    "deploy-workers:user": "cd workers/user-worker && npm run deploy"    
+    "deploy-workers:user": "cd workers/user-worker && npm run deploy"
   },
   "dependencies": {
     "@react-router/cloudflare": "^7.13.2",