@striae-org/striae 5.2.0 → 5.3.0

package/workers/user-worker/src/handlers/user-routes.ts

@@ -0,0 +1,242 @@
+import { executeUserDeletion } from '../cleanup/account-deletion';
+import { readUserRecord, writeUserRecord } from '../storage/user-records';
+import type {
+  AddCasesRequest,
+  AccountDeletionProgressEvent,
+  DeleteCasesRequest,
+  Env,
+  ResponseHeaders,
+  UserData,
+  UserRequestData
+} from '../types';
+
+function createJsonResponse(data: unknown, headers: ResponseHeaders, status: number = 200): Response {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers
+  });
+}
+
+export async function handleGetUser(
+  env: Env,
+  userUid: string,
+  corsHeaders: ResponseHeaders
+): Promise<Response> {
+  try {
+    const userData = await readUserRecord(env, userUid);
+    if (userData === null) {
+      return new Response('User not found', {
+        status: 404,
+        headers: corsHeaders
+      });
+    }
+
+    return createJsonResponse(userData, corsHeaders);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Unknown user data read error';
+    console.error('Failed to get user data:', { uid: userUid, reason: errorMessage });
+
+    return new Response('Failed to get user data', {
+      status: 500,
+      headers: corsHeaders
+    });
+  }
+}
+
+export async function handleAddUser(
+  request: Request,
+  env: Env,
+  userUid: string,
+  corsHeaders: ResponseHeaders
+): Promise<Response> {
+  try {
+    const requestData: UserRequestData = await request.json();
+    const { email, firstName, lastName, company, badgeId, permitted } = requestData;
+    const normalizedBadgeId = typeof badgeId === 'string' ? badgeId.trim() : undefined;
+    const existingUser = await readUserRecord(env, userUid);
+
+    let userData: UserData;
+    if (existingUser !== null) {
+      userData = {
+        ...existingUser,
+        email: email || existingUser.email,
+        firstName: firstName || existingUser.firstName,
+        lastName: lastName || existingUser.lastName,
+        company: company || existingUser.company,
+        badgeId: normalizedBadgeId !== undefined ? normalizedBadgeId : (existingUser.badgeId ?? ''),
+        permitted: permitted !== undefined ? permitted : existingUser.permitted,
+        updatedAt: new Date().toISOString()
+      };
+      if (requestData.readOnlyCases !== undefined) {
+        userData.readOnlyCases = requestData.readOnlyCases;
+      }
+    } else {
+      userData = {
+        uid: userUid,
+        email: email || '',
+        firstName: firstName || '',
+        lastName: lastName || '',
+        company: company || '',
+        badgeId: normalizedBadgeId ?? '',
+        permitted: permitted !== undefined ? permitted : true,
+        cases: [],
+        createdAt: new Date().toISOString()
+      };
+      if (requestData.readOnlyCases !== undefined) {
+        userData.readOnlyCases = requestData.readOnlyCases;
+      }
+    }
+
+    await writeUserRecord(env, userUid, userData);
+
+    return createJsonResponse(userData, corsHeaders, existingUser !== null ? 200 : 201);
+  } catch {
+    return new Response('Failed to save user data', {
+      status: 500,
+      headers: corsHeaders
+    });
+  }
+}
+
+export async function handleDeleteUser(
+  env: Env,
+  userUid: string,
+  corsHeaders: ResponseHeaders
+): Promise<Response> {
+  try {
+    const result = await executeUserDeletion(env, userUid);
+
+    return createJsonResponse({
+      success: result.success,
+      message: result.message
+    }, corsHeaders);
+  } catch (error) {
+    console.error('Delete user error:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+
+    if (errorMessage === 'User not found') {
+      return new Response('User not found', {
+        status: 404,
+        headers: corsHeaders
+      });
+    }
+
+    return createJsonResponse({
+      success: false,
+      message: 'Failed to delete user account'
+    }, corsHeaders, 500);
+  }
+}
+
+export function handleDeleteUserWithProgress(
+  env: Env,
+  userUid: string,
+  corsHeaders: ResponseHeaders
+): Response {
+  const sseHeaders: ResponseHeaders = {
+    ...corsHeaders,
+    'Content-Type': 'text/event-stream',
+    'Cache-Control': 'no-cache, no-transform',
+    Connection: 'keep-alive'
+  };
+
+  const encoder = new TextEncoder();
+  const stream = new ReadableStream<Uint8Array>({
+    async start(controller) {
+      const sendEvent = (payload: AccountDeletionProgressEvent): void => {
+        controller.enqueue(encoder.encode(`event: ${payload.event}\ndata: ${JSON.stringify(payload)}\n\n`));
+      };
+
+      try {
+        const result = await executeUserDeletion(env, userUid, sendEvent);
+        sendEvent({
+          event: 'complete',
+          totalCases: result.totalCases,
+          completedCases: result.completedCases,
+          success: result.success,
+          message: result.message
+        });
+      } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : 'Failed to delete user account';
+
+        sendEvent({
+          event: 'error',
+          totalCases: 0,
+          completedCases: 0,
+          success: false,
+          message: errorMessage
+        });
+      } finally {
+        controller.close();
+      }
+    }
+  });
+
+  return new Response(stream, {
+    status: 200,
+    headers: sseHeaders
+  });
+}
+
+export async function handleAddCases(
+  request: Request,
+  env: Env,
+  userUid: string,
+  corsHeaders: ResponseHeaders
+): Promise<Response> {
+  try {
+    const { cases = [] }: AddCasesRequest = await request.json();
+    const userData = await readUserRecord(env, userUid);
+    if (!userData) {
+      return new Response('User not found', {
+        status: 404,
+        headers: corsHeaders
+      });
+    }
+
+    const existingCases = userData.cases || [];
+    const newCases = cases.filter((newCase) =>
+      !existingCases.some((existingCase) => existingCase.caseNumber === newCase.caseNumber)
+    );
+
+    userData.cases = [...existingCases, ...newCases];
+    userData.updatedAt = new Date().toISOString();
+    await writeUserRecord(env, userUid, userData);
+
+    return createJsonResponse(userData, corsHeaders);
+  } catch {
+    return new Response('Failed to add cases', {
+      status: 500,
+      headers: corsHeaders
+    });
+  }
+}
+
+export async function handleDeleteCases(
+  request: Request,
+  env: Env,
+  userUid: string,
+  corsHeaders: ResponseHeaders
+): Promise<Response> {
+  try {
+    const { casesToDelete }: DeleteCasesRequest = await request.json();
+    const userData = await readUserRecord(env, userUid);
+    if (!userData) {
+      return new Response('User not found', {
+        status: 404,
+        headers: corsHeaders
+      });
+    }
+
+    userData.cases = userData.cases.filter((caseItem) => !casesToDelete.includes(caseItem.caseNumber));
+    userData.updatedAt = new Date().toISOString();
+    await writeUserRecord(env, userUid, userData);
+
+    return createJsonResponse(userData, corsHeaders);
+  } catch {
+    return new Response('Failed to delete cases', {
+      status: 500,
+      headers: corsHeaders
+    });
+  }
+}

package/workers/user-worker/src/registry/user-kv.ts

@@ -0,0 +1,172 @@
+import { decryptJsonFromUserKv, type UserKvEncryptedRecord } from '../encryption-utils';
+import type {
+  DecryptionTelemetryOutcome,
+  Env,
+  KeyRegistryPayload,
+  PrivateKeyRegistry
+} from '../types';
+
+function normalizePrivateKeyPem(rawValue: string): string {
+  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
+}
+
+function getNonEmptyString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+}
+
+export function parseUserKvPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
+  const keys: Record<string, string> = {};
+  const configuredActiveKeyId = getNonEmptyString(env.USER_KV_ENCRYPTION_ACTIVE_KEY_ID);
+
+  if (getNonEmptyString(env.USER_KV_ENCRYPTION_KEYS_JSON)) {
+    let parsedRegistry: unknown;
+    try {
+      parsedRegistry = JSON.parse(env.USER_KV_ENCRYPTION_KEYS_JSON as string) as unknown;
+    } catch {
+      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON is not valid JSON');
+    }
+
+    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
+      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON must be an object');
+    }
+
+    const payload = parsedRegistry as KeyRegistryPayload;
+    if (!payload.keys || typeof payload.keys !== 'object') {
+      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON must include a keys object');
+    }
+
+    for (const [keyId, pemValue] of Object.entries(payload.keys as Record<string, unknown>)) {
+      const normalizedKeyId = getNonEmptyString(keyId);
+      const normalizedPem = getNonEmptyString(pemValue);
+      if (!normalizedKeyId || !normalizedPem) {
+        continue;
+      }
+
+      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
+    }
+
+    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
+    const activeKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
+
+    if (Object.keys(keys).length === 0) {
+      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON does not contain any usable keys');
+    }
+
+    if (activeKeyId && !keys[activeKeyId]) {
+      throw new Error('USER_KV active key ID is not present in USER_KV_ENCRYPTION_KEYS_JSON');
+    }
+
+    return {
+      activeKeyId: activeKeyId ?? null,
+      keys
+    };
+  }
+
+  const legacyKeyId = getNonEmptyString(env.USER_KV_ENCRYPTION_KEY_ID);
+  const legacyPrivateKey = getNonEmptyString(env.USER_KV_ENCRYPTION_PRIVATE_KEY);
+  if (!legacyKeyId || !legacyPrivateKey) {
+    throw new Error('User KV encryption private key registry is not configured');
+  }
+
+  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
+
+  return {
+    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
+    keys
+  };
+}
+
+function buildPrivateKeyCandidates(
+  recordKeyId: string,
+  registry: PrivateKeyRegistry
+): Array<{ keyId: string; privateKeyPem: string }> {
+  const candidates: Array<{ keyId: string; privateKeyPem: string }> = [];
+  const seen = new Set<string>();
+
+  const appendCandidate = (candidateKeyId: string | null): void => {
+    if (!candidateKeyId || seen.has(candidateKeyId)) {
+      return;
+    }
+
+    const privateKeyPem = registry.keys[candidateKeyId];
+    if (!privateKeyPem) {
+      return;
+    }
+
+    seen.add(candidateKeyId);
+    candidates.push({ keyId: candidateKeyId, privateKeyPem });
+  };
+
+  appendCandidate(getNonEmptyString(recordKeyId));
+  appendCandidate(registry.activeKeyId);
+
+  for (const keyId of Object.keys(registry.keys)) {
+    appendCandidate(keyId);
+  }
+
+  return candidates;
+}
+
+function logUserKvDecryptionTelemetry(input: {
+  recordKeyId: string;
+  selectedKeyId: string | null;
+  attemptCount: number;
+  outcome: DecryptionTelemetryOutcome;
+  reason?: string;
+}): void {
+  const details = {
+    scope: 'user-kv',
+    recordKeyId: input.recordKeyId,
+    selectedKeyId: input.selectedKeyId,
+    attemptCount: input.attemptCount,
+    fallbackUsed: input.outcome === 'fallback-hit',
+    outcome: input.outcome,
+    reason: input.reason ?? null
+  };
+
+  if (input.outcome === 'all-failed') {
+    console.warn('Key registry decryption failed', details);
+    return;
+  }
+
+  console.info('Key registry decryption resolved', details);
+}
+
+export async function decryptUserKvRecord(
+  encryptedRecord: UserKvEncryptedRecord,
+  registry: PrivateKeyRegistry
+): Promise<string> {
+  const candidates = buildPrivateKeyCandidates(encryptedRecord.keyId, registry);
+  const primaryKeyId = candidates[0]?.keyId ?? null;
+  let lastError: unknown;
+
+  for (let index = 0; index < candidates.length; index += 1) {
+    const candidate = candidates[index];
+    try {
+      const decryptedJson = await decryptJsonFromUserKv(encryptedRecord, candidate.privateKeyPem);
+      logUserKvDecryptionTelemetry({
+        recordKeyId: encryptedRecord.keyId,
+        selectedKeyId: candidate.keyId,
+        attemptCount: index + 1,
+        outcome: candidate.keyId === primaryKeyId ? 'primary-hit' : 'fallback-hit'
+      });
+      return decryptedJson;
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  logUserKvDecryptionTelemetry({
+    recordKeyId: encryptedRecord.keyId,
+    selectedKeyId: null,
+    attemptCount: candidates.length,
+    outcome: 'all-failed',
+    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
+  });
+
+  throw new Error(
+    `Failed to decrypt user KV record after ${candidates.length} key attempt(s): ${
+      lastError instanceof Error ? lastError.message : 'unknown decryption error'
+    }`
+  );
+}

package/workers/user-worker/src/storage/user-records.ts

@@ -0,0 +1,34 @@
+import {
+  encryptJsonForUserKv,
+  tryParseEncryptedRecord,
+  validateEncryptedRecord
+} from '../encryption-utils';
+import { decryptUserKvRecord, parseUserKvPrivateKeyRegistry } from '../registry/user-kv';
+import type { Env, UserData } from '../types';
+
+export async function readUserRecord(env: Env, userUid: string): Promise<UserData | null> {
+  const storedValue = await env.USER_DB.get(userUid);
+  if (storedValue === null) {
+    return null;
+  }
+
+  const encryptedRecord = tryParseEncryptedRecord(storedValue);
+  if (!encryptedRecord) {
+    throw new Error('User KV record is not encrypted');
+  }
+
+  validateEncryptedRecord(encryptedRecord);
+  const keyRegistry = parseUserKvPrivateKeyRegistry(env);
+  const decryptedJson = await decryptUserKvRecord(encryptedRecord, keyRegistry);
+  return JSON.parse(decryptedJson) as UserData;
+}
+
+export async function writeUserRecord(env: Env, userUid: string, userData: UserData): Promise<void> {
+  const encryptedPayload = await encryptJsonForUserKv(
+    JSON.stringify(userData),
+    env.USER_KV_ENCRYPTION_PUBLIC_KEY,
+    env.USER_KV_ENCRYPTION_KEY_ID
+  );
+
+  await env.USER_DB.put(userUid, encryptedPayload);
+}

package/workers/user-worker/src/types.ts

@@ -0,0 +1,106 @@
+export interface Env {
+  USER_DB_AUTH: string;
+  USER_DB: KVNamespace;
+  STRIAE_DATA: R2Bucket;
+  STRIAE_FILES: R2Bucket;
+  R2_KEY_SECRET: string;
+  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_KEY_ID?: string;
+  DATA_AT_REST_ENCRYPTION_KEYS_JSON?: string;
+  DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID?: string;
+  PROJECT_ID: string;
+  FIREBASE_SERVICE_ACCOUNT_EMAIL: string;
+  FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY: string;
+  USER_KV_ENCRYPTION_PRIVATE_KEY: string;
+  USER_KV_ENCRYPTION_PUBLIC_KEY: string;
+  USER_KV_ENCRYPTION_KEY_ID: string;
+  USER_KV_ENCRYPTION_KEYS_JSON?: string;
+  USER_KV_ENCRYPTION_ACTIVE_KEY_ID?: string;
+}
+
+export interface KeyRegistryPayload {
+  activeKeyId?: unknown;
+  keys?: unknown;
+}
+
+export interface PrivateKeyRegistry {
+  activeKeyId: string | null;
+  keys: Record<string, string>;
+}
+
+export type DecryptionTelemetryOutcome = 'primary-hit' | 'fallback-hit' | 'all-failed';
+
+export interface CaseItem {
+  caseNumber: string;
+  caseName?: string;
+  [key: string]: unknown;
+}
+
+export interface ReadOnlyCaseItem {
+  caseNumber: string;
+  caseName?: string;
+  [key: string]: unknown;
+}
+
+export interface UserData {
+  uid: string;
+  email: string;
+  firstName: string;
+  lastName: string;
+  company: string;
+  badgeId?: string;
+  permitted: boolean;
+  cases: CaseItem[];
+  readOnlyCases?: ReadOnlyCaseItem[];
+  createdAt?: string;
+  updatedAt?: string;
+}
+
+export interface StoredCaseFileData {
+  id: string;
+}
+
+export interface StoredCaseData {
+  files?: StoredCaseFileData[];
+}
+
+export interface UserRequestData {
+  email?: string;
+  firstName?: string;
+  lastName?: string;
+  company?: string;
+  badgeId?: string;
+  permitted?: boolean;
+  readOnlyCases?: ReadOnlyCaseItem[];
+}
+
+export interface AddCasesRequest {
+  cases: CaseItem[];
+}
+
+export interface DeleteCasesRequest {
+  casesToDelete: string[];
+}
+
+export interface AccountDeletionProgressEvent {
+  event: 'start' | 'case-start' | 'case-complete' | 'complete' | 'error';
+  totalCases: number;
+  completedCases: number;
+  currentCaseNumber?: string;
+  success?: boolean;
+  message?: string;
+}
+
+export interface GoogleOAuthTokenResponse {
+  access_token?: string;
+  error?: string;
+  error_description?: string;
+}
+
+export interface FirebaseDeleteAccountErrorResponse {
+  error?: {
+    message?: string;
+  };
+}
+
+export type ResponseHeaders = Record<string, string>;