@striae-org/striae 5.2.1 → 5.3.0

package/workers/user-worker/src/user-worker.example.ts

@@ -1,126 +1,14 @@
+import { authenticate, requireUserKvReadConfig, requireUserKvWriteConfig } from './auth';
+import { USER_CASES_SEGMENT } from './config';
 import {
-  decryptJsonFromUserKv,
-  encryptJsonForUserKv,
-  tryParseEncryptedRecord,
-  type UserKvEncryptedRecord,
-  validateEncryptedRecord
-} from './encryption-utils';
-
-interface Env {
-  USER_DB_AUTH: string;
-  USER_DB: KVNamespace;
-  R2_KEY_SECRET: string;
-  IMAGES_API_TOKEN: string;
-  DATA_WORKER_DOMAIN?: string;
-  IMAGES_WORKER_DOMAIN?: string;
-  PROJECT_ID: string;
-  FIREBASE_SERVICE_ACCOUNT_EMAIL: string;
-  FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY: string;
-  USER_KV_ENCRYPTION_PRIVATE_KEY: string;
-  USER_KV_ENCRYPTION_PUBLIC_KEY: string;
-  USER_KV_ENCRYPTION_KEY_ID: string;
-  USER_KV_ENCRYPTION_KEYS_JSON?: string;
-  USER_KV_ENCRYPTION_ACTIVE_KEY_ID?: string;
-}
-
-interface KeyRegistryPayload {
-  activeKeyId?: unknown;
-  keys?: unknown;
-}
-
-interface PrivateKeyRegistry {
-  activeKeyId: string | null;
-  keys: Record<string, string>;
-}
-
-type DecryptionTelemetryOutcome = 'primary-hit' | 'fallback-hit' | 'all-failed';
-
-interface UserData {
-  uid: string;
-  email: string;
-  firstName: string;
-  lastName: string;
-  company: string;
-  badgeId?: string;
-  permitted: boolean;
-  cases: CaseItem[];
-  readOnlyCases?: ReadOnlyCaseItem[];
-  createdAt?: string;
-  updatedAt?: string;
-}
-
-function isLegacyUserData(value: unknown): value is UserData {
-  if (!value || typeof value !== 'object') {
-    return false;
-  }
-
-  const candidate = value as Partial<UserData>;
-  return (
-    typeof candidate.uid === 'string' &&
-    typeof candidate.email === 'string' &&
-    typeof candidate.firstName === 'string' &&
-    typeof candidate.lastName === 'string' &&
-    typeof candidate.company === 'string' &&
-    typeof candidate.permitted === 'boolean' &&
-    Array.isArray(candidate.cases)
-  );
-}
-
-interface CaseItem {
-  caseNumber: string;
-  caseName?: string;
-  [key: string]: unknown;
-}
-
-interface ReadOnlyCaseItem {
-  caseNumber: string;
-  caseName?: string;
-  [key: string]: unknown;
-}
-
-interface UserRequestData {
-  email?: string;
-  firstName?: string;
-  lastName?: string;
-  company?: string;
-  badgeId?: string;
-  permitted?: boolean;
-  readOnlyCases?: ReadOnlyCaseItem[];
-}
-
-interface AddCasesRequest {
-  cases: CaseItem[];
-}
-
-interface DeleteCasesRequest {
-  casesToDelete: string[];
-}
-
-interface CaseData {
-  files?: Array<{ id: string; [key: string]: unknown }>;
-  [key: string]: unknown;
-}
-
-interface AccountDeletionProgressEvent {
-  event: 'start' | 'case-start' | 'case-complete' | 'complete' | 'error';
-  totalCases: number;
-  completedCases: number;
-  currentCaseNumber?: string;
-  success?: boolean;
-  message?: string;
-}
-
-interface GoogleOAuthTokenResponse {
-  access_token?: string;
-  error?: string;
-  error_description?: string;
-}
-
-interface FirebaseDeleteAccountErrorResponse {
-  error?: {
-    message?: string;
-  };
-}
+  handleAddCases,
+  handleAddUser,
+  handleDeleteCases,
+  handleDeleteUser,
+  handleDeleteUserWithProgress,
+  handleGetUser
+} from './handlers/user-routes';
+import type { Env } from './types';
 
 const corsHeaders: Record<string, string> = {
   'Access-Control-Allow-Origin': 'PAGES_CUSTOM_DOMAIN',
@@ -129,842 +17,6 @@ const corsHeaders: Record<string, string> = {
   'Content-Type': 'application/json'
 };
 
-// Worker URLs - configure these for deployment
-const DEFAULT_DATA_WORKER_BASE_URL = 'DATA_WORKER_DOMAIN';
-const DEFAULT_IMAGE_WORKER_BASE_URL = 'IMAGES_WORKER_DOMAIN';
-
-const GOOGLE_OAUTH_TOKEN_URL = 'https://oauth2.googleapis.com/token';
-const FIREBASE_IDENTITY_TOOLKIT_BASE_URL = 'https://identitytoolkit.googleapis.com/v1/projects';
-const GOOGLE_IDENTITY_TOOLKIT_SCOPE = 'https://www.googleapis.com/auth/identitytoolkit';
-const textEncoder = new TextEncoder();
-
-async function authenticate(request: Request, env: Env): Promise<void> {
-  const authKey = request.headers.get('X-Custom-Auth-Key');
-  if (authKey !== env.USER_DB_AUTH) throw new Error('Unauthorized');
-}
-
-function normalizeWorkerBaseUrl(workerDomain: string): string {
-  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
-  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
-    return trimmedDomain;
-  }
-
-  return `https://${trimmedDomain}`;
-}
-
-function resolveDataWorkerBaseUrl(env: Env): string {
-  const configuredDomain = typeof env.DATA_WORKER_DOMAIN === 'string' ? env.DATA_WORKER_DOMAIN.trim() : '';
-  if (configuredDomain.length > 0) {
-    return normalizeWorkerBaseUrl(configuredDomain);
-  }
-
-  return normalizeWorkerBaseUrl(DEFAULT_DATA_WORKER_BASE_URL);
-}
-
-function resolveImageWorkerBaseUrl(env: Env): string {
-  const configuredDomain = typeof env.IMAGES_WORKER_DOMAIN === 'string' ? env.IMAGES_WORKER_DOMAIN.trim() : '';
-  if (configuredDomain.length > 0) {
-    return normalizeWorkerBaseUrl(configuredDomain);
-  }
-
-  return normalizeWorkerBaseUrl(DEFAULT_IMAGE_WORKER_BASE_URL);
-}
-
-function requireUserKvReadConfig(env: Env): void {
-  const hasLegacyPrivateKey = typeof env.USER_KV_ENCRYPTION_PRIVATE_KEY === 'string' && env.USER_KV_ENCRYPTION_PRIVATE_KEY.trim().length > 0;
-  const hasRegistryPrivateKeys = typeof env.USER_KV_ENCRYPTION_KEYS_JSON === 'string' && env.USER_KV_ENCRYPTION_KEYS_JSON.trim().length > 0;
-
-  if (!hasLegacyPrivateKey && !hasRegistryPrivateKeys) {
-    throw new Error('User KV encryption is not fully configured');
-  }
-}
-
-function requireUserKvWriteConfig(env: Env): void {
-  const hasLegacyPrivateKey = typeof env.USER_KV_ENCRYPTION_PRIVATE_KEY === 'string' && env.USER_KV_ENCRYPTION_PRIVATE_KEY.trim().length > 0;
-  const hasRegistryPrivateKeys = typeof env.USER_KV_ENCRYPTION_KEYS_JSON === 'string' && env.USER_KV_ENCRYPTION_KEYS_JSON.trim().length > 0;
-
-  if (
-    !env.USER_KV_ENCRYPTION_PUBLIC_KEY ||
-    !env.USER_KV_ENCRYPTION_KEY_ID ||
-    (!hasLegacyPrivateKey && !hasRegistryPrivateKeys)
-  ) {
-    throw new Error('User KV encryption is not fully configured');
-  }
-}
-
-function normalizePrivateKeyPem(rawValue: string): string {
-  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
-}
-
-function getNonEmptyString(value: unknown): string | null {
-  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
-}
-
-function parseUserKvPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  const keys: Record<string, string> = {};
-  const configuredActiveKeyId = getNonEmptyString(env.USER_KV_ENCRYPTION_ACTIVE_KEY_ID);
-
-  if (getNonEmptyString(env.USER_KV_ENCRYPTION_KEYS_JSON)) {
-    let parsedRegistry: unknown;
-    try {
-      parsedRegistry = JSON.parse(env.USER_KV_ENCRYPTION_KEYS_JSON as string) as unknown;
-    } catch {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON is not valid JSON');
-    }
-
-    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON must be an object');
-    }
-
-    const payload = parsedRegistry as KeyRegistryPayload;
-    if (!payload.keys || typeof payload.keys !== 'object') {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON must include a keys object');
-    }
-
-    for (const [keyId, pemValue] of Object.entries(payload.keys as Record<string, unknown>)) {
-      const normalizedKeyId = getNonEmptyString(keyId);
-      const normalizedPem = getNonEmptyString(pemValue);
-      if (!normalizedKeyId || !normalizedPem) {
-        continue;
-      }
-
-      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
-    }
-
-    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
-    const activeKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
-
-    if (Object.keys(keys).length === 0) {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON does not contain any usable keys');
-    }
-
-    if (activeKeyId && !keys[activeKeyId]) {
-      throw new Error('USER_KV active key ID is not present in USER_KV_ENCRYPTION_KEYS_JSON');
-    }
-
-    return {
-      activeKeyId: activeKeyId ?? null,
-      keys
-    };
-  }
-
-  const legacyKeyId = getNonEmptyString(env.USER_KV_ENCRYPTION_KEY_ID);
-  const legacyPrivateKey = getNonEmptyString(env.USER_KV_ENCRYPTION_PRIVATE_KEY);
-  if (!legacyKeyId || !legacyPrivateKey) {
-    throw new Error('User KV encryption private key registry is not configured');
-  }
-
-  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
-
-  return {
-    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
-    keys
-  };
-}
-
-function buildPrivateKeyCandidates(
-  recordKeyId: string,
-  registry: PrivateKeyRegistry
-): Array<{ keyId: string; privateKeyPem: string }> {
-  const candidates: Array<{ keyId: string; privateKeyPem: string }> = [];
-  const seen = new Set<string>();
-
-  const appendCandidate = (candidateKeyId: string | null): void => {
-    if (!candidateKeyId || seen.has(candidateKeyId)) {
-      return;
-    }
-
-    const privateKeyPem = registry.keys[candidateKeyId];
-    if (!privateKeyPem) {
-      return;
-    }
-
-    seen.add(candidateKeyId);
-    candidates.push({ keyId: candidateKeyId, privateKeyPem });
-  };
-
-  appendCandidate(getNonEmptyString(recordKeyId));
-  appendCandidate(registry.activeKeyId);
-
-  for (const keyId of Object.keys(registry.keys)) {
-    appendCandidate(keyId);
-  }
-
-  return candidates;
-}
-
-function logUserKvDecryptionTelemetry(input: {
-  recordKeyId: string;
-  selectedKeyId: string | null;
-  attemptCount: number;
-  outcome: DecryptionTelemetryOutcome;
-  reason?: string;
-}): void {
-  const details = {
-    scope: 'user-kv',
-    recordKeyId: input.recordKeyId,
-    selectedKeyId: input.selectedKeyId,
-    attemptCount: input.attemptCount,
-    fallbackUsed: input.outcome === 'fallback-hit',
-    outcome: input.outcome,
-    reason: input.reason ?? null
-  };
-
-  if (input.outcome === 'all-failed') {
-    console.warn('Key registry decryption failed', details);
-    return;
-  }
-
-  console.info('Key registry decryption resolved', details);
-}
-
-async function decryptUserKvRecord(
-  encryptedRecord: UserKvEncryptedRecord,
-  registry: PrivateKeyRegistry
-): Promise<string> {
-  const candidates = buildPrivateKeyCandidates(encryptedRecord.keyId, registry);
-  const primaryKeyId = candidates[0]?.keyId ?? null;
-  let lastError: unknown;
-
-  for (let index = 0; index < candidates.length; index += 1) {
-    const candidate = candidates[index];
-    try {
-      const decryptedJson = await decryptJsonFromUserKv(encryptedRecord, candidate.privateKeyPem);
-      logUserKvDecryptionTelemetry({
-        recordKeyId: encryptedRecord.keyId,
-        selectedKeyId: candidate.keyId,
-        attemptCount: index + 1,
-        outcome: candidate.keyId === primaryKeyId ? 'primary-hit' : 'fallback-hit'
-      });
-      return decryptedJson;
-    } catch (error) {
-      lastError = error;
-    }
-  }
-
-  logUserKvDecryptionTelemetry({
-    recordKeyId: encryptedRecord.keyId,
-    selectedKeyId: null,
-    attemptCount: candidates.length,
-    outcome: 'all-failed',
-    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
-  });
-
-  throw new Error(
-    `Failed to decrypt user KV record after ${candidates.length} key attempt(s): ${
-      lastError instanceof Error ? lastError.message : 'unknown decryption error'
-    }`
-  );
-}
-
-async function readUserRecord(env: Env, userUid: string): Promise<UserData | null> {
-  const storedValue = await env.USER_DB.get(userUid);
-  if (storedValue === null) {
-    return null;
-  }
-
-  const encryptedRecord = tryParseEncryptedRecord(storedValue);
-  if (encryptedRecord) {
-    validateEncryptedRecord(encryptedRecord);
-    const keyRegistry = parseUserKvPrivateKeyRegistry(env);
-    const decryptedJson = await decryptUserKvRecord(encryptedRecord, keyRegistry);
-    return JSON.parse(decryptedJson) as UserData;
-  }
-
-  // Legacy support: accept existing plaintext records and opportunistically
-  // rewrite them as encrypted records during the first successful read.
-  let parsedLegacyRecord: unknown;
-  try {
-    parsedLegacyRecord = JSON.parse(storedValue) as unknown;
-  } catch {
-    throw new Error('User KV record is not encrypted');
-  }
-
-  if (!isLegacyUserData(parsedLegacyRecord)) {
-    throw new Error('User KV record is not encrypted');
-  }
-
-  const legacyUserData = parsedLegacyRecord;
-
-  if (legacyUserData.uid !== userUid) {
-    throw new Error('User KV record UID mismatch');
-  }
-
-  try {
-    await writeUserRecord(env, userUid, legacyUserData);
-    console.info('Migrated plaintext USER_DB record to encrypted format', {
-      scope: 'user-kv',
-      uid: userUid
-    });
-  } catch (error) {
-    console.warn('Failed to migrate plaintext USER_DB record during read', {
-      scope: 'user-kv',
-      uid: userUid,
-      reason: error instanceof Error ? error.message : 'unknown migration error'
-    });
-  }
-
-  return legacyUserData;
-}
-
-async function writeUserRecord(env: Env, userUid: string, userData: UserData): Promise<void> {
-  const encryptedPayload = await encryptJsonForUserKv(
-    JSON.stringify(userData),
-    env.USER_KV_ENCRYPTION_PUBLIC_KEY,
-    env.USER_KV_ENCRYPTION_KEY_ID
-  );
-
-  await env.USER_DB.put(userUid, encryptedPayload);
-}
-
-function base64UrlEncode(value: string | Uint8Array): string {
-  const bytes = typeof value === 'string' ? textEncoder.encode(value) : value;
-  let binary = '';
-
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-
-  return btoa(binary)
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=+$/g, '');
-}
-
-function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
-  const normalizedKey = privateKey
-    .trim()
-    .replace(/^['"]|['"]$/g, '')
-    .replace(/\\n/g, '\n');
-
-  const pemBody = normalizedKey
-    .replace('-----BEGIN PRIVATE KEY-----', '')
-    .replace('-----END PRIVATE KEY-----', '')
-    .replace(/\s+/g, '');
-
-  if (!pemBody) {
-    throw new Error('Firebase service account private key is invalid');
-  }
-
-  const binary = atob(pemBody);
-  const bytes = new Uint8Array(binary.length);
-
-  for (let index = 0; index < binary.length; index += 1) {
-    bytes[index] = binary.charCodeAt(index);
-  }
-
-  return bytes.buffer;
-}
-
-async function buildServiceAccountAssertion(env: Env): Promise<string> {
-  const issuedAt = Math.floor(Date.now() / 1000);
-  const header = {
-    alg: 'RS256',
-    typ: 'JWT'
-  };
-  const payload = {
-    iss: env.FIREBASE_SERVICE_ACCOUNT_EMAIL,
-    scope: GOOGLE_IDENTITY_TOOLKIT_SCOPE,
-    aud: GOOGLE_OAUTH_TOKEN_URL,
-    iat: issuedAt,
-    exp: issuedAt + 3600
-  };
-  const unsignedToken = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
-
-  let signingKey: CryptoKey;
-
-  try {
-    signingKey = await crypto.subtle.importKey(
-      'pkcs8',
-      parsePkcs8PrivateKey(env.FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY),
-      {
-        name: 'RSASSA-PKCS1-v1_5',
-        hash: 'SHA-256'
-      },
-      false,
-      ['sign']
-    );
-  } catch {
-    throw new Error('Invalid Firebase service account private key format. Use the service account JSON private_key value (PKCS8) and keep newline markers as \\n.');
-  }
-
-  const signature = await crypto.subtle.sign(
-    { name: 'RSASSA-PKCS1-v1_5' },
-    signingKey,
-    textEncoder.encode(unsignedToken)
-  );
-
-  return `${unsignedToken}.${base64UrlEncode(new Uint8Array(signature))}`;
-}
-
-async function getGoogleAccessToken(env: Env): Promise<string> {
-  const assertion = await buildServiceAccountAssertion(env);
-  const body = new URLSearchParams({
-    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-    assertion
-  });
-
-  const tokenResponse = await fetch(GOOGLE_OAUTH_TOKEN_URL, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded'
-    },
-    body
-  });
-
-  const tokenData = await tokenResponse.json().catch(() => ({})) as GoogleOAuthTokenResponse;
-  if (!tokenResponse.ok || !tokenData.access_token) {
-    const errorReason = tokenData.error_description || tokenData.error || `HTTP ${tokenResponse.status}`;
-    throw new Error(`Failed to authorize Firebase admin deletion: ${errorReason}`);
-  }
-
-  return tokenData.access_token;
-}
-
-async function deleteFirebaseAuthUser(env: Env, userUid: string): Promise<void> {
-  if (!env.PROJECT_ID || !env.FIREBASE_SERVICE_ACCOUNT_EMAIL || !env.FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY) {
-    throw new Error('Firebase Auth deletion is not configured in User Worker secrets');
-  }
-
-  const accessToken = await getGoogleAccessToken(env);
-  const deleteResponse = await fetch(
-    `${FIREBASE_IDENTITY_TOOLKIT_BASE_URL}/${encodeURIComponent(env.PROJECT_ID)}/accounts:delete`,
-    {
-      method: 'POST',
-      headers: {
-        'Authorization': `Bearer ${accessToken}`,
-        'Content-Type': 'application/json'
-      },
-      body: JSON.stringify({ localId: userUid })
-    }
-  );
-
-  if (deleteResponse.ok) {
-    return;
-  }
-
-  const deleteErrorPayload = await deleteResponse.json().catch(() => ({})) as FirebaseDeleteAccountErrorResponse;
-  const deleteErrorMessage = deleteErrorPayload.error?.message || '';
-
-  if (deleteErrorMessage.includes('USER_NOT_FOUND')) {
-    return;
-  }
-
-  throw new Error(deleteErrorMessage ? `Firebase Auth deletion failed: ${deleteErrorMessage}` : `Firebase Auth deletion failed with status ${deleteResponse.status}`);
-}
-
-async function handleGetUser(env: Env, userUid: string): Promise<Response> {
-  try {
-    const userData = await readUserRecord(env, userUid);
-    if (userData === null) {
-      return new Response('User not found', { 
-        status: 404, 
-        headers: corsHeaders 
-      });
-    }
-    return new Response(JSON.stringify(userData), { 
-      status: 200, 
-      headers: corsHeaders 
-    });
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : 'Unknown user data read error';
-    console.error('Failed to get user data:', { uid: userUid, reason: errorMessage });
-
-    return new Response('Failed to get user data', {
-      status: 500,
-      headers: corsHeaders
-    });
-  }
-}
-
-async function handleAddUser(request: Request, env: Env, userUid: string): Promise<Response> {
-  try {
-    const requestData: UserRequestData = await request.json();
-    const { email, firstName, lastName, company, badgeId, permitted } = requestData;
-    const normalizedBadgeId = typeof badgeId === 'string' ? badgeId.trim() : undefined;
-    
-    // Check for existing user
-    const existingUser = await readUserRecord(env, userUid);
-    
-    let userData: UserData;
-    if (existingUser !== null) {
-      // Update existing user, preserving cases
-      userData = {
-        ...existingUser,
-        // Preserve all existing fields
-        email: email || existingUser.email,
-        firstName: firstName || existingUser.firstName,
-        lastName: lastName || existingUser.lastName,
-        company: company || existingUser.company,
-        badgeId: normalizedBadgeId !== undefined ? normalizedBadgeId : (existingUser.badgeId ?? ''),
-        permitted: permitted !== undefined ? permitted : existingUser.permitted,
-        updatedAt: new Date().toISOString()
-      };
-      if (requestData.readOnlyCases !== undefined) {
-        userData.readOnlyCases = requestData.readOnlyCases;
-      }
-    } else {
-      // Create new user
-      userData = {
-        uid: userUid,
-        email: email || '',
-        firstName: firstName || '',
-        lastName: lastName || '',
-        company: company || '',
-        badgeId: normalizedBadgeId ?? '',
-        permitted: permitted !== undefined ? permitted : true,
-        cases: [],
-        createdAt: new Date().toISOString()
-      };
-      if (requestData.readOnlyCases !== undefined) {
-        userData.readOnlyCases = requestData.readOnlyCases;
-      }
-    }
-
-    // Store value in KV
-    await writeUserRecord(env, userUid, userData);
-
-    return new Response(JSON.stringify(userData), {
-      status: existingUser !== null ? 200 : 201,
-      headers: corsHeaders
-    });
-  } catch {
-    return new Response('Failed to save user data', { 
-      status: 500, 
-      headers: corsHeaders 
-    });
-  }
-}
-
-// Function to delete a single case (similar to case-manage.ts deleteCase)
-async function deleteSingleCase(env: Env, userUid: string, caseNumber: string): Promise<void> {
-  const dataApiKey = env.R2_KEY_SECRET;
-  const imageApiKey = env.IMAGES_API_TOKEN;
-
-  const dataWorkerBaseUrl = resolveDataWorkerBaseUrl(env);
-  const imageWorkerBaseUrl = resolveImageWorkerBaseUrl(env);
-  const encodedUserId = encodeURIComponent(userUid);
-  const encodedCaseNumber = encodeURIComponent(caseNumber);
-
-  const caseResponse = await fetch(`${dataWorkerBaseUrl}/${encodedUserId}/${encodedCaseNumber}/data.json`, {
-    headers: { 'X-Custom-Auth-Key': dataApiKey }
-  });
-
-  if (caseResponse.status === 404) {
-    return;
-  }
-
-  if (!caseResponse.ok) {
-    throw new Error(`Failed to load case data for deletion (${caseNumber}): ${caseResponse.status}`);
-  }
-
-  const caseData = await caseResponse.json() as CaseData;
-  const deletionErrors: string[] = [];
-
-  // Delete all files associated with this case
-  if (caseData.files && caseData.files.length > 0) {
-    for (const file of caseData.files) {
-      const encodedFileId = encodeURIComponent(file.id);
-
-      try {
-        const imageDeleteResponse = await fetch(`${imageWorkerBaseUrl}/${encodedFileId}`, {
-          method: 'DELETE',
-          headers: {
-            'Authorization': `Bearer ${imageApiKey}`
-          }
-        });
-
-        if (!imageDeleteResponse.ok && imageDeleteResponse.status !== 404) {
-          deletionErrors.push(`image ${file.id} delete failed (${imageDeleteResponse.status})`);
-        }
-      } catch (error) {
-        const message = error instanceof Error ? error.message : 'unknown image delete error';
-        deletionErrors.push(`image ${file.id} delete threw (${message})`);
-      }
-
-      try {
-        const notesDeleteResponse = await fetch(
-          `${dataWorkerBaseUrl}/${encodedUserId}/${encodedCaseNumber}/${encodedFileId}/data.json`,
-          {
-            method: 'DELETE',
-            headers: { 'X-Custom-Auth-Key': dataApiKey }
-          }
-        );
-
-        if (!notesDeleteResponse.ok && notesDeleteResponse.status !== 404) {
-          deletionErrors.push(`annotation ${file.id} delete failed (${notesDeleteResponse.status})`);
-        }
-      } catch (error) {
-        const message = error instanceof Error ? error.message : 'unknown annotation delete error';
-        deletionErrors.push(`annotation ${file.id} delete threw (${message})`);
-      }
-    }
-  }
-
-  // Delete case data file
-  try {
-    const caseDeleteResponse = await fetch(
-      `${dataWorkerBaseUrl}/${encodedUserId}/${encodedCaseNumber}/data.json`,
-      {
-        method: 'DELETE',
-        headers: { 'X-Custom-Auth-Key': dataApiKey }
-      }
-    );
-
-    if (!caseDeleteResponse.ok && caseDeleteResponse.status !== 404) {
-      deletionErrors.push(`case ${caseNumber} delete failed (${caseDeleteResponse.status})`);
-    }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : 'unknown case delete error';
-    deletionErrors.push(`case ${caseNumber} delete threw (${message})`);
-  }
-
-  if (deletionErrors.length > 0) {
-    throw new Error(`Case cleanup incomplete for ${caseNumber}: ${deletionErrors.join('; ')}`);
-  }
-}
-
-async function deleteUserConfirmationSummary(env: Env, userUid: string): Promise<void> {
-  const dataApiKey = env.R2_KEY_SECRET;
-  const dataWorkerBaseUrl = resolveDataWorkerBaseUrl(env);
-  const encodedUserId = encodeURIComponent(userUid);
-  const confirmationSummaryPath = `${dataWorkerBaseUrl}/${encodedUserId}/meta/confirmation-status.json`;
-
-  const response = await fetch(confirmationSummaryPath, {
-    method: 'DELETE',
-    headers: { 'X-Custom-Auth-Key': dataApiKey }
-  });
-
-  if (!response.ok && response.status !== 404) {
-    throw new Error(`Failed to delete confirmation summary metadata: ${response.status}`);
-  }
-}
-
-async function executeUserDeletion(
-  env: Env,
-  userUid: string,
-  reportProgress?: (progress: AccountDeletionProgressEvent) => void
-): Promise<{ success: boolean; message: string; totalCases: number; completedCases: number }> {
-  const userData = await readUserRecord(env, userUid);
-  if (userData === null) {
-    throw new Error('User not found');
-  }
-
-  const ownedCases = (userData.cases || []).map((caseItem) => caseItem.caseNumber);
-  const readOnlyCases = (userData.readOnlyCases || []).map((caseItem) => caseItem.caseNumber);
-  const allCaseNumbers = Array.from(new Set([...ownedCases, ...readOnlyCases]));
-  const totalCases = allCaseNumbers.length;
-  let completedCases = 0;
-  const caseCleanupErrors: string[] = [];
-
-  reportProgress?.({
-    event: 'start',
-    totalCases,
-    completedCases
-  });
-
-  for (const caseNumber of allCaseNumbers) {
-    reportProgress?.({
-      event: 'case-start',
-      totalCases,
-      completedCases,
-      currentCaseNumber: caseNumber
-    });
-
-    let caseDeletionError: string | null = null;
-    try {
-      await deleteSingleCase(env, userUid, caseNumber);
-    } catch (error) {
-      caseDeletionError = error instanceof Error ? error.message : `Case cleanup failed for ${caseNumber}`;
-      caseCleanupErrors.push(caseDeletionError);
-      console.error(`Case cleanup error for ${caseNumber}:`, error);
-    }
-
-    completedCases += 1;
-
-    reportProgress?.({
-      event: 'case-complete',
-      totalCases,
-      completedCases,
-      currentCaseNumber: caseNumber,
-      success: caseDeletionError === null,
-      message: caseDeletionError || undefined
-    });
-  }
-
-  if (caseCleanupErrors.length > 0) {
-    throw new Error(`Failed to fully delete all case data: ${caseCleanupErrors.join(' | ')}`);
-  }
-
-  await deleteUserConfirmationSummary(env, userUid);
-  await deleteFirebaseAuthUser(env, userUid);
-
-  // Delete the user account from the database
-  await env.USER_DB.delete(userUid);
-
-  return {
-    success: true,
-    message: 'Account successfully deleted',
-    totalCases,
-    completedCases
-  };
-}
-
-async function handleDeleteUser(env: Env, userUid: string): Promise<Response> {
-  try {
-    const result = await executeUserDeletion(env, userUid);
-    
-    return new Response(JSON.stringify({
-      success: result.success,
-      message: result.message
-    }), {
-      status: 200,
-      headers: corsHeaders
-    });
-  } catch (error) {
-    console.error('Delete user error:', error);
-    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-
-    if (errorMessage === 'User not found') {
-      return new Response('User not found', {
-        status: 404,
-        headers: corsHeaders
-      });
-    }
-    
-    return new Response(JSON.stringify({
-      success: false,
-      message: 'Failed to delete user account'
-    }), { 
-      status: 500, 
-      headers: corsHeaders 
-    });
-  }
-}
-
-function handleDeleteUserWithProgress(env: Env, userUid: string): Response {
-  const sseHeaders: Record<string, string> = {
-    ...corsHeaders,
-    'Content-Type': 'text/event-stream',
-    'Cache-Control': 'no-cache, no-transform',
-    'Connection': 'keep-alive'
-  };
-
-  const encoder = new TextEncoder();
-
-  const stream = new ReadableStream<Uint8Array>({
-    async start(controller) {
-      const sendEvent = (payload: AccountDeletionProgressEvent) => {
-        controller.enqueue(encoder.encode(`event: ${payload.event}\ndata: ${JSON.stringify(payload)}\n\n`));
-      };
-
-      try {
-        const result = await executeUserDeletion(env, userUid, sendEvent);
-        sendEvent({
-          event: 'complete',
-          totalCases: result.totalCases,
-          completedCases: result.completedCases,
-          success: result.success,
-          message: result.message
-        });
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : 'Failed to delete user account';
-
-        sendEvent({
-          event: 'error',
-          totalCases: 0,
-          completedCases: 0,
-          success: false,
-          message: errorMessage
-        });
-      } finally {
-        controller.close();
-      }
-    }
-  });
-
-  return new Response(stream, {
-    status: 200,
-    headers: sseHeaders
-  });
-}
-
-async function handleAddCases(request: Request, env: Env, userUid: string): Promise<Response> {
-  try {
-    const { cases = [] }: AddCasesRequest = await request.json();
-    
-    // Get current user data
-    const userData = await readUserRecord(env, userUid);
-    if (!userData) {
-      return new Response('User not found', { 
-        status: 404, 
-        headers: corsHeaders 
-      });
-    }
-
-    // Update cases
-    const existingCases = userData.cases || [];
-    
-    // Filter out duplicates
-    const newCases = cases.filter(newCase => 
-      !existingCases.some(existingCase => 
-        existingCase.caseNumber === newCase.caseNumber
-      )
-    );
-
-    // Update user data
-    userData.cases = [...existingCases, ...newCases];
-    userData.updatedAt = new Date().toISOString();
-
-    // Save to KV
-    await writeUserRecord(env, userUid, userData);
-
-    return new Response(JSON.stringify(userData), {
-      status: 200,
-      headers: corsHeaders
-    });
-  } catch {
-    return new Response('Failed to add cases', { 
-      status: 500, 
-      headers: corsHeaders 
-    });
-  }
-}
-
-async function handleDeleteCases(request: Request, env: Env, userUid: string): Promise<Response> {
-  try {
-    const { casesToDelete }: DeleteCasesRequest = await request.json();
-    
-    // Get current user data
-    const userData = await readUserRecord(env, userUid);
-    if (!userData) {
-      return new Response('User not found', { 
-        status: 404, 
-        headers: corsHeaders 
-      });
-    }
-
-    // Update user data
-    userData.cases = userData.cases.filter(c => 
-      !casesToDelete.includes(c.caseNumber)
-    );
-    userData.updatedAt = new Date().toISOString();
-
-    // Save to KV
-    await writeUserRecord(env, userUid, userData);
-
-    return new Response(JSON.stringify(userData), {
-      status: 200,
-      headers: corsHeaders
-    });
-  } catch {
-    return new Response('Failed to delete cases', { 
-      status: 500, 
-      headers: corsHeaders 
-    });
-  }
-}
-
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
     if (request.method === 'OPTIONS') {
@@ -984,7 +36,7 @@ export default {
       const url = new URL(request.url);
       const parts = url.pathname.split('/');
       const userUid = parts[1];
-      const isCasesEndpoint = parts[2] === 'cases';
+      const isCasesEndpoint = parts[2] === USER_CASES_SEGMENT;
       
       if (!userUid) {
         return new Response('Not Found', { status: 404 });
@@ -993,8 +45,8 @@ export default {
       // Handle regular cases endpoint
       if (isCasesEndpoint) {
         switch (request.method) {
-          case 'PUT': return handleAddCases(request, env, userUid);
-          case 'DELETE': return handleDeleteCases(request, env, userUid);
+          case 'PUT': return handleAddCases(request, env, userUid, corsHeaders);
+          case 'DELETE': return handleDeleteCases(request, env, userUid, corsHeaders);
           default: return new Response('Method not allowed', {
             status: 405,
             headers: corsHeaders
@@ -1007,9 +59,11 @@ export default {
       const streamProgress = url.searchParams.get('stream') === 'true' || acceptsEventStream;
 
       switch (request.method) {
-        case 'GET': return handleGetUser(env, userUid);
-        case 'PUT': return handleAddUser(request, env, userUid);
-        case 'DELETE': return streamProgress ? handleDeleteUserWithProgress(env, userUid) : handleDeleteUser(env, userUid);
+        case 'GET': return handleGetUser(env, userUid, corsHeaders);
+        case 'PUT': return handleAddUser(request, env, userUid, corsHeaders);
+        case 'DELETE': return streamProgress
+          ? handleDeleteUserWithProgress(env, userUid, corsHeaders)
+          : handleDeleteUser(env, userUid, corsHeaders);
         default: return new Response('Method not allowed', {
           status: 405,
           headers: corsHeaders