@striae-org/striae 5.2.1 → 5.3.0

package/workers/user-worker/src/cleanup/account-deletion.ts

@@ -0,0 +1,337 @@
+import { decryptJsonFromStorage, type DataAtRestEnvelope } from '../encryption-utils';
+import { deleteFirebaseAuthUser } from '../firebase/admin';
+import { readUserRecord } from '../storage/user-records';
+import type {
+  AccountDeletionProgressEvent,
+  Env,
+  KeyRegistryPayload,
+  PrivateKeyRegistry,
+  StoredCaseData
+} from '../types';
+
+function getNonEmptyString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+}
+
+function normalizePrivateKeyPem(rawValue: string): string {
+  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
+}
+
+function parseDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
+  const keys: Record<string, string> = {};
+  const configuredActiveKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID);
+  const registryJson = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEYS_JSON);
+
+  if (registryJson) {
+    let parsedRegistry: unknown;
+
+    try {
+      parsedRegistry = JSON.parse(registryJson) as unknown;
+    } catch {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON is not valid JSON');
+    }
+
+    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must be an object');
+    }
+
+    const payload = parsedRegistry as KeyRegistryPayload;
+    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
+    const rawKeys = payload.keys && typeof payload.keys === 'object'
+      ? payload.keys as Record<string, unknown>
+      : parsedRegistry as Record<string, unknown>;
+
+    for (const [keyId, pemValue] of Object.entries(rawKeys)) {
+      if (keyId === 'activeKeyId' || keyId === 'keys') {
+        continue;
+      }
+
+      const normalizedKeyId = getNonEmptyString(keyId);
+      const normalizedPem = getNonEmptyString(pemValue);
+
+      if (!normalizedKeyId || !normalizedPem) {
+        continue;
+      }
+
+      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
+    }
+
+    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
+
+    if (Object.keys(keys).length === 0) {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON does not contain any usable keys');
+    }
+
+    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
+      throw new Error('DATA_AT_REST_ENCRYPTION active key ID is not present in registry');
+    }
+
+    return {
+      activeKeyId: resolvedActiveKeyId ?? null,
+      keys
+    };
+  }
+
+  const legacyKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEY_ID);
+  const legacyPrivateKey = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY);
+
+  if (!legacyKeyId || !legacyPrivateKey) {
+    throw new Error('Data-at-rest decryption key registry is not configured');
+  }
+
+  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
+
+  return {
+    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
+    keys
+  };
+}
+
+function buildPrivateKeyCandidates(
+  recordKeyId: string | null,
+  registry: PrivateKeyRegistry
+): Array<{ keyId: string; privateKeyPem: string }> {
+  const candidates: Array<{ keyId: string; privateKeyPem: string }> = [];
+  const seen = new Set<string>();
+
+  const appendCandidate = (candidateKeyId: string | null): void => {
+    if (!candidateKeyId || seen.has(candidateKeyId)) {
+      return;
+    }
+
+    const privateKeyPem = registry.keys[candidateKeyId];
+    if (!privateKeyPem) {
+      return;
+    }
+
+    seen.add(candidateKeyId);
+    candidates.push({ keyId: candidateKeyId, privateKeyPem });
+  };
+
+  appendCandidate(recordKeyId);
+  appendCandidate(registry.activeKeyId);
+
+  for (const keyId of Object.keys(registry.keys)) {
+    appendCandidate(keyId);
+  }
+
+  return candidates;
+}
+
+function extractDataAtRestEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
+  const metadata = file.customMetadata;
+
+  if (!metadata) {
+    return null;
+  }
+
+  const algorithm = getNonEmptyString(metadata.algorithm);
+  const encryptionVersion = getNonEmptyString(metadata.encryptionVersion);
+  const keyId = getNonEmptyString(metadata.keyId);
+  const dataIv = getNonEmptyString(metadata.dataIv);
+  const wrappedKey = getNonEmptyString(metadata.wrappedKey);
+
+  if (!algorithm || !encryptionVersion || !keyId || !dataIv || !wrappedKey) {
+    return null;
+  }
+
+  return {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  };
+}
+
+async function decryptCaseDataWithRegistry(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  env: Env
+): Promise<string> {
+  const keyRegistry = parseDataAtRestPrivateKeyRegistry(env);
+  const candidates = buildPrivateKeyCandidates(getNonEmptyString(envelope.keyId), keyRegistry);
+  let lastError: unknown;
+
+  for (const candidate of candidates) {
+    try {
+      return await decryptJsonFromStorage(ciphertext, envelope, candidate.privateKeyPem);
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  throw new Error(
+    `Failed to decrypt case data after ${candidates.length} key attempt(s): ${
+      lastError instanceof Error ? lastError.message : 'unknown decryption error'
+    }`
+  );
+}
+
+function extractFileIdsFromCaseData(caseData: StoredCaseData): string[] {
+  if (!Array.isArray(caseData.files)) {
+    return [];
+  }
+
+  return caseData.files
+    .map((file) => getNonEmptyString(file?.id))
+    .filter((fileId): fileId is string => fileId !== null);
+}
+
+async function readCaseFileIds(env: Env, caseDataKey: string): Promise<string[]> {
+  const file = await env.STRIAE_DATA.get(caseDataKey);
+  if (!file) {
+    return [];
+  }
+
+  const atRestEnvelope = extractDataAtRestEnvelope(file);
+  const fileText = atRestEnvelope
+    ? await decryptCaseDataWithRegistry(await file.arrayBuffer(), atRestEnvelope, env)
+    : await file.text();
+
+  const parsed = JSON.parse(fileText) as StoredCaseData;
+  return extractFileIdsFromCaseData(parsed);
+}
+
+async function deleteSingleCase(env: Env, userUid: string, caseNumber: string): Promise<void> {
+  const encodedUserId = encodeURIComponent(userUid);
+  const encodedCaseNumber = encodeURIComponent(caseNumber);
+  const casePrefix = `${encodedUserId}/${encodedCaseNumber}/`;
+  const caseDataKey = `${casePrefix}data.json`;
+  const deletionErrors: string[] = [];
+  const dataKeys: string[] = [];
+  const fileIds = new Set<string>();
+  let dataCursor: string | undefined;
+
+  do {
+    const listed = await env.STRIAE_DATA.list({ prefix: casePrefix, cursor: dataCursor, limit: 1000 });
+
+    for (const obj of listed.objects) {
+      dataKeys.push(obj.key);
+
+      const segments = obj.key.split('/');
+      if (segments.length === 4 && segments[3] === 'data.json') {
+        try {
+          fileIds.add(decodeURIComponent(segments[2]));
+        } catch {
+          fileIds.add(segments[2]);
+        }
+      }
+    }
+
+    dataCursor = listed.truncated ? listed.cursor : undefined;
+  } while (dataCursor !== undefined);
+
+  if (dataKeys.includes(caseDataKey)) {
+    try {
+      for (const fileId of await readCaseFileIds(env, caseDataKey)) {
+        fileIds.add(fileId);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'unknown case data read error';
+      throw new Error(`Failed to read case file references for ${caseNumber}: ${message}`);
+    }
+  }
+
+  for (const fileId of fileIds) {
+    try {
+      await env.STRIAE_FILES.delete(fileId);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'unknown file delete error';
+      deletionErrors.push(`file ${fileId} delete threw (${message})`);
+    }
+  }
+
+  if (dataKeys.length > 0) {
+    try {
+      await env.STRIAE_DATA.delete(dataKeys);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'unknown data delete error';
+      deletionErrors.push(`case data delete threw (${message})`);
+    }
+  }
+
+  if (deletionErrors.length > 0) {
+    throw new Error(`Case cleanup incomplete for ${caseNumber}: ${deletionErrors.join('; ')}`);
+  }
+}
+
+async function deleteUserConfirmationSummary(env: Env, userUid: string): Promise<void> {
+  const encodedUserId = encodeURIComponent(userUid);
+  const key = `${encodedUserId}/meta/confirmation-status.json`;
+
+  try {
+    await env.STRIAE_DATA.delete(key);
+  } catch (error) {
+    throw new Error(`Failed to delete confirmation summary metadata: ${error instanceof Error ? error.message : 'unknown error'}`);
+  }
+}
+
+export async function executeUserDeletion(
+  env: Env,
+  userUid: string,
+  reportProgress?: (progress: AccountDeletionProgressEvent) => void
+): Promise<{ success: boolean; message: string; totalCases: number; completedCases: number }> {
+  const userData = await readUserRecord(env, userUid);
+  if (userData === null) {
+    throw new Error('User not found');
+  }
+
+  const ownedCases = (userData.cases || []).map((caseItem) => caseItem.caseNumber);
+  const readOnlyCases = (userData.readOnlyCases || []).map((caseItem) => caseItem.caseNumber);
+  const allCaseNumbers = Array.from(new Set([...ownedCases, ...readOnlyCases]));
+  const totalCases = allCaseNumbers.length;
+  let completedCases = 0;
+  const caseCleanupErrors: string[] = [];
+
+  reportProgress?.({
+    event: 'start',
+    totalCases,
+    completedCases
+  });
+
+  for (const caseNumber of allCaseNumbers) {
+    reportProgress?.({
+      event: 'case-start',
+      totalCases,
+      completedCases,
+      currentCaseNumber: caseNumber
+    });
+
+    let caseDeletionError: string | null = null;
+    try {
+      await deleteSingleCase(env, userUid, caseNumber);
+    } catch (error) {
+      caseDeletionError = error instanceof Error ? error.message : `Case cleanup failed for ${caseNumber}`;
+      caseCleanupErrors.push(caseDeletionError);
+      console.error(`Case cleanup error for ${caseNumber}:`, error);
+    }
+
+    completedCases += 1;
+
+    reportProgress?.({
+      event: 'case-complete',
+      totalCases,
+      completedCases,
+      currentCaseNumber: caseNumber,
+      success: caseDeletionError === null,
+      message: caseDeletionError || undefined
+    });
+  }
+
+  if (caseCleanupErrors.length > 0) {
+    throw new Error(`Failed to fully delete all case data: ${caseCleanupErrors.join(' | ')}`);
+  }
+
+  await deleteUserConfirmationSummary(env, userUid);
+
+  await deleteFirebaseAuthUser(env, userUid);
+  await env.USER_DB.delete(userUid);
+
+  return {
+    success: true,
+    message: 'Account successfully deleted',
+    totalCases,
+    completedCases
+  };
+}

package/workers/user-worker/src/config.ts

@@ -0,0 +1,4 @@
+export const USER_CASES_SEGMENT = 'cases';
+export const GOOGLE_OAUTH_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+export const FIREBASE_IDENTITY_TOOLKIT_BASE_URL = 'https://identitytoolkit.googleapis.com/v1/projects';
+export const GOOGLE_IDENTITY_TOOLKIT_SCOPE = 'https://www.googleapis.com/auth/identitytoolkit';

package/workers/user-worker/src/encryption-utils.ts

@@ -7,6 +7,14 @@ export interface UserKvEncryptedRecord {
   ciphertext: string;
 }
 
+export interface DataAtRestEnvelope {
+  algorithm: string;
+  encryptionVersion: string;
+  keyId: string;
+  dataIv: string;
+  wrappedKey: string;
+}
+
 const USER_KV_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
 const USER_KV_ENCRYPTION_VERSION = '1.0';
 
@@ -242,3 +250,20 @@ export async function decryptJsonFromUserKv(
 
   return new TextDecoder().decode(plaintext);
 }
+
+export async function decryptJsonFromStorage(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  privateKeyPem: string
+): Promise<string> {
+  const aesKey = await unwrapAesKey(envelope.wrappedKey, privateKeyPem);
+  const iv = base64UrlDecode(envelope.dataIv);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  return new TextDecoder().decode(plaintext);
+}

package/workers/user-worker/src/firebase/admin.ts

@@ -0,0 +1,152 @@
+import {
+  FIREBASE_IDENTITY_TOOLKIT_BASE_URL,
+  GOOGLE_IDENTITY_TOOLKIT_SCOPE,
+  GOOGLE_OAUTH_TOKEN_URL
+} from '../config';
+import type {
+  Env,
+  FirebaseDeleteAccountErrorResponse,
+  GoogleOAuthTokenResponse
+} from '../types';
+
+const textEncoder = new TextEncoder();
+
+function base64UrlEncode(value: string | Uint8Array): string {
+  const bytes = typeof value === 'string' ? textEncoder.encode(value) : value;
+  let binary = '';
+
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+
+  return btoa(binary)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
+  const normalizedKey = privateKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PRIVATE KEY-----', '')
+    .replace('-----END PRIVATE KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Firebase service account private key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+async function buildServiceAccountAssertion(env: Env): Promise<string> {
+  const issuedAt = Math.floor(Date.now() / 1000);
+  const header = {
+    alg: 'RS256',
+    typ: 'JWT'
+  };
+  const payload = {
+    iss: env.FIREBASE_SERVICE_ACCOUNT_EMAIL,
+    scope: GOOGLE_IDENTITY_TOOLKIT_SCOPE,
+    aud: GOOGLE_OAUTH_TOKEN_URL,
+    iat: issuedAt,
+    exp: issuedAt + 3600
+  };
+  const unsignedToken = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
+
+  let signingKey: CryptoKey;
+
+  try {
+    signingKey = await crypto.subtle.importKey(
+      'pkcs8',
+      parsePkcs8PrivateKey(env.FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY),
+      {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: 'SHA-256'
+      },
+      false,
+      ['sign']
+    );
+  } catch {
+    throw new Error('Invalid Firebase service account private key format. Use the service account JSON private_key value (PKCS8) and keep newline markers as \\n.');
+  }
+
+  const signature = await crypto.subtle.sign(
+    { name: 'RSASSA-PKCS1-v1_5' },
+    signingKey,
+    textEncoder.encode(unsignedToken)
+  );
+
+  return `${unsignedToken}.${base64UrlEncode(new Uint8Array(signature))}`;
+}
+
+async function getGoogleAccessToken(env: Env): Promise<string> {
+  const assertion = await buildServiceAccountAssertion(env);
+  const body = new URLSearchParams({
+    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+    assertion
+  });
+
+  const tokenResponse = await fetch(GOOGLE_OAUTH_TOKEN_URL, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded'
+    },
+    body
+  });
+
+  const tokenData = await tokenResponse.json().catch(() => ({})) as GoogleOAuthTokenResponse;
+  if (!tokenResponse.ok || !tokenData.access_token) {
+    const errorReason = tokenData.error_description || tokenData.error || `HTTP ${tokenResponse.status}`;
+    throw new Error(`Failed to authorize Firebase admin deletion: ${errorReason}`);
+  }
+
+  return tokenData.access_token;
+}
+
+export async function deleteFirebaseAuthUser(env: Env, userUid: string): Promise<void> {
+  if (!env.PROJECT_ID || !env.FIREBASE_SERVICE_ACCOUNT_EMAIL || !env.FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY) {
+    throw new Error('Firebase Auth deletion is not configured in User Worker secrets');
+  }
+
+  const accessToken = await getGoogleAccessToken(env);
+  const deleteResponse = await fetch(
+    `${FIREBASE_IDENTITY_TOOLKIT_BASE_URL}/${encodeURIComponent(env.PROJECT_ID)}/accounts:delete`,
+    {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({ localId: userUid })
+    }
+  );
+
+  if (deleteResponse.ok) {
+    return;
+  }
+
+  const deleteErrorPayload = await deleteResponse.json().catch(() => ({})) as FirebaseDeleteAccountErrorResponse;
+  const deleteErrorMessage = deleteErrorPayload.error?.message || '';
+
+  if (deleteErrorMessage.includes('USER_NOT_FOUND')) {
+    return;
+  }
+
+  throw new Error(
+    deleteErrorMessage
+      ? `Firebase Auth deletion failed: ${deleteErrorMessage}`
+      : `Firebase Auth deletion failed with status ${deleteResponse.status}`
+  );
+}