@striae-org/striae 5.3.0 → 5.3.2

package/.env.example

@@ -111,6 +111,9 @@ IMAGES_WORKER_DOMAIN=your_images_worker_domain_here
 IMAGE_SIGNED_URL_SECRET=your_image_signed_url_secret_here
 # Optional: defaults to 3600 and max is 86400.
 IMAGE_SIGNED_URL_TTL_SECONDS=3600
+# Optional: override the base URL used in signed URL responses to route delivery through the Pages proxy.
+# Defaults to the image worker's own origin if unset (exposes worker domain to clients).
+IMAGE_SIGNED_URL_BASE_URL=https://${PAGES_CUSTOM_DOMAIN}/api/image
 
 # ================================
 # PDF WORKER ENVIRONMENT VARIABLES

package/app/components/actions/case-export/core-export.ts

@@ -133,6 +133,9 @@ export async function exportCaseData(
         archiveReason: caseData.archiveReason,
         exportDate: new Date().toISOString(),
         ...userMetadata,
+        ...(options.designatedReviewerEmail?.trim()
+          ? { designatedReviewerEmail: options.designatedReviewerEmail.trim() }
+          : {}),
         striaeExportSchemaVersion: '1.0',
         totalFiles: files.length
       },

package/app/components/actions/case-export/download-handlers.ts

@@ -81,7 +81,7 @@ export async function downloadCaseAsZip(
     onProgress?.(10);
     
     // Get case data
-    const exportData = await exportCaseData(user, caseNumber);
+    const exportData = await exportCaseData(user, caseNumber, options);
     onProgress?.(30);
     
     // Create ZIP

package/app/components/actions/case-import/confirmation-import.ts

@@ -39,6 +39,41 @@ function isEncryptionManifest(value: unknown): value is EncryptionManifest {
   );
 }
 
+/**
+ * Validates that an encryption manifest is well-formed for a confirmation import.
+ * Confirmation packages must not contain encrypted images — this is a structural
+ * invariant. Fails closed with a clear message before decryptExportBatch is called.
+ */
+function validateConfirmationEncryptionManifest(manifest: EncryptionManifest): void {
+  if (
+    !manifest.encryptionVersion ||
+    !manifest.algorithm ||
+    !manifest.keyId ||
+    !manifest.wrappedKey ||
+    !manifest.dataIv
+  ) {
+    throw new Error(
+      'Malformed encryption manifest: one or more required fields (encryptionVersion, algorithm, keyId, wrappedKey, dataIv) are missing.'
+    );
+  }
+
+  // Confirmation packages must never carry image payloads. Reject any manifest
+  // that references encrypted images — this indicates a wrong package type or
+  // a tampered/malformed file.
+  const candidate = manifest as unknown as Record<string, unknown>;
+  const encryptedImages = candidate['encryptedImages'];
+  if (
+    encryptedImages !== undefined &&
+    (typeof encryptedImages !== 'object' ||
+      Object.keys(encryptedImages as object).length > 0)
+  ) {
+    throw new Error(
+      'Invalid confirmation package: this manifest contains encrypted image references. ' +
+      'Confirmation packages must not include image data. The file may be a case export or may have been tampered with.'
+    );
+  }
+}
+
 /**
  * Import confirmation data from JSON file
  */
@@ -75,31 +110,36 @@ export async function importConfirmationData(
     const verificationPublicKeyPem = packageData.verificationPublicKeyPem;
     const confirmationFileName = packageData.confirmationFileName;
 
-    // Handle encrypted confirmation data
-    if (packageData.isEncrypted && packageData.encryptionManifest && packageData.encryptedDataBase64) {
-      onProgress?.('Decrypting confirmation data', 15, 'Decrypting exported confirmation...');
+    // All confirmation imports are encrypted — fail closed if manifest is missing
+    if (!packageData.encryptionManifest || !packageData.encryptedDataBase64) {
+      throw new Error(
+        'This confirmation package is not encrypted. Only encrypted confirmation packages exported from Striae can be imported.'
+      );
+    }
 
-      try {
-        if (!isEncryptionManifest(packageData.encryptionManifest)) {
-          throw new Error('Invalid encryption manifest format.');
-        }
+    if (!isEncryptionManifest(packageData.encryptionManifest)) {
+      throw new Error('Invalid encryption manifest format.');
+    }
 
-        const decryptResult = await decryptExportBatch(
-          user,
-          packageData.encryptionManifest,
-          packageData.encryptedDataBase64,
-          {} // No image hashes for confirmation-only exports
-        );
+    // Enforce confirmation-specific manifest shape before attempting decryption
+    validateConfirmationEncryptionManifest(packageData.encryptionManifest);
 
-        // Parse decrypted plaintext as confirmation data
-        const decryptedJsonString = decryptResult.plaintext;
-        confirmationData = JSON.parse(decryptedJsonString) as ConfirmationImportData;
-        confirmationJsonContent = decryptedJsonString;
-      } catch (error) {
-        throw new Error(
-          `Failed to decrypt confirmation data: ${error instanceof Error ? error.message : 'Unknown decryption error'}`
-        );
-      }
+    onProgress?.('Decrypting confirmation data', 15, 'Decrypting exported confirmation...');
+    try {
+      const decryptResult = await decryptExportBatch(
+        user,
+        packageData.encryptionManifest,
+        packageData.encryptedDataBase64,
+        {}
+      );
+
+      const decryptedJsonString = decryptResult.plaintext;
+      confirmationData = JSON.parse(decryptedJsonString) as ConfirmationImportData;
+      confirmationJsonContent = decryptedJsonString;
+    } catch (error) {
+      throw new Error(
+        `Failed to decrypt confirmation data: ${error instanceof Error ? error.message : 'Unknown decryption error'}`
+      );
     }
 
     confirmationDataForAudit = confirmationData;

package/app/components/actions/case-import/confirmation-package.ts

@@ -1,4 +1,22 @@
-import { type ConfirmationImportData } from '~/types';
+import type { User } from 'firebase/auth';
+import { type ConfirmationImportData, type ConfirmationImportPreview } from '~/types';
+import type { EncryptionManifest } from '~/utils/forensics/export-encryption';
+import { decryptExportBatch } from '~/utils/data/operations/signing-operations';
+
+function isEncryptionManifest(value: unknown): value is EncryptionManifest {
+  if (!value || typeof value !== 'object') {
+    return false;
+  }
+  const candidate = value as Partial<EncryptionManifest>;
+  return (
+    typeof candidate.encryptionVersion === 'string' &&
+    typeof candidate.algorithm === 'string' &&
+    typeof candidate.keyId === 'string' &&
+    typeof candidate.wrappedKey === 'string' &&
+    typeof candidate.dataIv === 'string' &&
+    Array.isArray(candidate.encryptedImages)
+  );
+}
 
 const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
 const ENCRYPTION_MANIFEST_FILE_NAME = 'encryption_manifest.json';
@@ -145,6 +163,55 @@ async function extractConfirmationPackageFromZip(file: File): Promise<Confirmati
   };
 }
 
+export async function previewConfirmationImport(
+  file: File,
+  user: User
+): Promise<ConfirmationImportPreview> {
+  const pkg = await extractConfirmationImportPackage(file);
+
+  if (!pkg.isEncrypted || !pkg.encryptedDataBase64) {
+    throw new Error(
+      'Confirmation imports require an encrypted confirmation ZIP package exported from Striae.'
+    );
+  }
+
+  if (!isEncryptionManifest(pkg.encryptionManifest)) {
+    throw new Error('Encrypted confirmation manifest is missing required fields.');
+  }
+
+  let parsed: ConfirmationImportData;
+  try {
+    const decryptResult = await decryptExportBatch(
+      user,
+      pkg.encryptionManifest,
+      pkg.encryptedDataBase64,
+      {}
+    );
+    parsed = JSON.parse(decryptResult.plaintext) as ConfirmationImportData;
+  } catch (error) {
+    throw new Error(
+      `Failed to decrypt confirmation package for preview: ${
+        error instanceof Error ? error.message : 'Unknown error'
+      }`
+    );
+  }
+
+  const meta = parsed.metadata;
+  if (!meta?.caseNumber) {
+    throw new Error('Decrypted confirmation data is missing required case number.');
+  }
+
+  return {
+    caseNumber: meta.caseNumber,
+    exportedBy: meta.exportedBy ?? '',
+    exportedByName: meta.exportedByName ?? '',
+    exportedByCompany: meta.exportedByCompany ?? '',
+    exportedByBadgeId: meta.exportedByBadgeId,
+    exportDate: meta.exportDate ?? new Date().toISOString(),
+    totalConfirmations: meta.totalConfirmations ?? 0
+  };
+}
+
 export async function extractConfirmationImportPackage(file: File): Promise<ConfirmationImportPackage> {
   const lowerName = file.name.toLowerCase();
 

package/app/components/actions/case-import/index.ts

@@ -34,7 +34,7 @@ export { importAnnotations } from './annotation-import';
 
 // Confirmation import
 export { importConfirmationData } from './confirmation-import';
-export { extractConfirmationImportPackage } from './confirmation-package';
+export { extractConfirmationImportPackage, previewConfirmationImport } from './confirmation-package';
 
 // Main orchestrator
 export { importCaseForReview } from './orchestrator';

package/app/components/actions/case-import/orchestrator.ts

@@ -207,7 +207,6 @@ export async function importCaseForReview(
     // Step 1: Parse ZIP file
     const {
       caseData: initialCaseData,
-      imageFiles: initialImageFiles,
       imageIdMapping,
       isArchivedExport,
       bundledAuditFiles,
@@ -217,71 +216,65 @@ export async function importCaseForReview(
       encryptionManifest,
       encryptedDataBase64,
       encryptedImages,
-      isEncrypted
-    } = await parseImportZip(zipFile, user);
+      dataFileName
+    } = await parseImportZip(zipFile);
 
-    // Step 1.2: Handle decryption if export is encrypted
+    // Step 1.2: Decrypt export — all imports are encrypted (fail closed if manifest is missing)
     let caseData = initialCaseData;
     let cleanedContent = initialCleanedContent || '';
-    let imageFiles = initialImageFiles;
+    let imageFiles: { [filename: string]: Blob } = {};
     let resolvedBundledAuditFiles = bundledAuditFiles;
-    let decryptedImageBlobMap: { [filename: string]: Blob } | undefined;
 
-    if (isEncrypted && isEncryptionManifest(encryptionManifest) && encryptedDataBase64) {
-      onProgress?.('Decrypting export', 11, 'Decrypting case data and images...');
-      
-      try {
-        // Call decrypt endpoint on data-worker
-        const decryptResult = await decryptExportBatch(
-          user,
-          encryptionManifest,
-          encryptedDataBase64,
-          encryptedImages ?? {}
-        );
+    if (!isEncryptionManifest(encryptionManifest) || !encryptedDataBase64) {
+      throw new Error(
+        'This case package is not encrypted. Only encrypted case packages exported from Striae can be imported.'
+      );
+    }
 
-        // Decrypted data is plaintext JSON
-        cleanedContent = decryptResult.plaintext;
-        const parsedCaseData = JSON.parse(cleanedContent) as unknown;
-        caseData = parsedCaseData as CaseExportData;
+    onProgress?.('Decrypting export', 11, 'Decrypting case data and images...');
+    try {
+      const decryptResult = await decryptExportBatch(
+        user,
+        encryptionManifest,
+        encryptedDataBase64,
+        encryptedImages ?? {}
+      );
 
-        const decryptedFiles = decryptResult.decryptedImages;
-        const decryptedAuditTrailBlob = decryptedFiles['audit/case-audit-trail.json'];
-        const decryptedAuditSignatureBlob = decryptedFiles['audit/case-audit-signature.json'];
+      cleanedContent = decryptResult.plaintext;
+      const parsedCaseData = JSON.parse(cleanedContent) as unknown;
+      caseData = parsedCaseData as CaseExportData;
 
-        if (decryptedAuditTrailBlob || decryptedAuditSignatureBlob) {
-          resolvedBundledAuditFiles = {
-            ...(resolvedBundledAuditFiles ?? {}),
-            auditTrailContent: decryptedAuditTrailBlob
-              ? await decryptedAuditTrailBlob.text()
-              : resolvedBundledAuditFiles?.auditTrailContent,
-            auditSignatureContent: decryptedAuditSignatureBlob
-              ? await decryptedAuditSignatureBlob.text()
-              : resolvedBundledAuditFiles?.auditSignatureContent
-          };
-        }
+      const decryptedFiles = decryptResult.decryptedImages;
+      const decryptedAuditTrailBlob = decryptedFiles['audit/case-audit-trail.json'];
+      const decryptedAuditSignatureBlob = decryptedFiles['audit/case-audit-signature.json'];
 
-        decryptedImageBlobMap = Object.fromEntries(
-          Object.entries(decryptedFiles).filter(([filename]) => !filename.startsWith('audit/'))
-        );
+      if (decryptedAuditTrailBlob || decryptedAuditSignatureBlob) {
+        resolvedBundledAuditFiles = {
+          ...(resolvedBundledAuditFiles ?? {}),
+          auditTrailContent: decryptedAuditTrailBlob
+            ? await decryptedAuditTrailBlob.text()
+            : resolvedBundledAuditFiles?.auditTrailContent,
+          auditSignatureContent: decryptedAuditSignatureBlob
+            ? await decryptedAuditSignatureBlob.text()
+            : resolvedBundledAuditFiles?.auditSignatureContent
+        };
+      }
 
-        // Update imageFiles with decrypted images only
-        imageFiles = { ...imageFiles, ...decryptedImageBlobMap };
+      const decryptedImageBlobMap = Object.fromEntries(
+        Object.entries(decryptedFiles).filter(([filename]) => !filename.startsWith('audit/'))
+      );
+      imageFiles = decryptedImageBlobMap;
 
-        onProgress?.('Decryption successful', 13, `Decrypted case data and ${Object.keys(decryptedImageBlobMap).length} images`);
-      } catch (decryptError) {
-        throw new Error(
-          `Failed to decrypt export: ${decryptError instanceof Error ? decryptError.message : 'Unknown error'}. ` +
-          'Ensure your Striae instance has export encryption configured.'
-        );
-      }
+      onProgress?.('Decryption successful', 13, `Decrypted case data and ${Object.keys(decryptedImageBlobMap).length} images`);
+    } catch (decryptError) {
+      throw new Error(
+        `Failed to decrypt export: ${decryptError instanceof Error ? decryptError.message : 'Unknown error'}. ` +
+        'Ensure your Striae instance has export encryption configured.'
+      );
     }
 
-    if (isEncrypted) {
-      await validateCaseExporterUidForImport(caseData, user);
-      exporterUidValidationPassed = true;
-    } else {
-      exporterUidValidationPassed = true;
-    }
+    await validateCaseExporterUidForImport(caseData, user);
+    exporterUidValidationPassed = true;
 
     // Now validate case number and format
     if (!caseData.metadata?.caseNumber) {
@@ -292,6 +285,38 @@ export async function importCaseForReview(
       throw new Error(`Invalid case number format: ${caseData.metadata.caseNumber}`);
     }
 
+    // Validate that the data file name matches the decrypted case number — fail closed if it doesn't.
+    // Guards against corrupt archives and cases where parseImportZip returned a mismatched file.
+    if (dataFileName) {
+      const dataFileLeaf = dataFileName.split('/').filter(Boolean).pop()?.toLowerCase() ?? '';
+      const expectedDataFile = `${caseData.metadata.caseNumber.toLowerCase()}_data.json`;
+      if (dataFileLeaf !== expectedDataFile) {
+        throw new Error(
+          `Data file name does not match case number. ` +
+          `Expected "${expectedDataFile}", found "${dataFileLeaf}". ` +
+          'The archive may be corrupt or tampered.'
+        );
+      }
+    }
+
+    // Enforce designated reviewer before any writes occur.
+    // This mirrors previewCaseImport enforcement and cannot be bypassed by
+    // skipping preview or submitting a modified client request.
+    const designatedReviewerEmail = caseData.metadata.designatedReviewerEmail;
+    if (designatedReviewerEmail) {
+      if (!user.email) {
+        throw new Error(
+          'Your account does not have an email address. This case export is restricted to a designated reviewer and cannot be imported.'
+        );
+      }
+      if (user.email.toLowerCase() !== designatedReviewerEmail.toLowerCase()) {
+        throw new Error(
+          `This case export is restricted to the designated reviewer (${designatedReviewerEmail}). ` +
+          'You are not authorized to import this case.'
+        );
+      }
+    }
+
     const resolvedIsArchivedExport =
       isArchivedExport ||
       caseData.metadata.archived === true ||