@striae-org/striae 5.3.1 → 5.3.2

package/.env.example

@@ -111,6 +111,9 @@ IMAGES_WORKER_DOMAIN=your_images_worker_domain_here
 IMAGE_SIGNED_URL_SECRET=your_image_signed_url_secret_here
 # Optional: defaults to 3600 and max is 86400.
 IMAGE_SIGNED_URL_TTL_SECONDS=3600
+# Optional: override the base URL used in signed URL responses to route delivery through the Pages proxy.
+# Defaults to the image worker's own origin if unset (exposes worker domain to clients).
+IMAGE_SIGNED_URL_BASE_URL=https://${PAGES_CUSTOM_DOMAIN}/api/image
 
 # ================================
 # PDF WORKER ENVIRONMENT VARIABLES

package/app/components/actions/generate-pdf.ts

@@ -64,6 +64,28 @@ const resolvePdfImageUrl = async (selectedImage: string | undefined): Promise<st
     return await blobToDataUrl(imageBlob);
   }
 
+  // Signed image URLs routed through the Pages proxy contain a ?st= token.
+  // Pre-fetch the image client-side and embed as a data URL so the PDF worker's
+  // Puppeteer context doesn't need to make outbound requests for the image.
+  if (selectedImage.startsWith('http://') || selectedImage.startsWith('https://')) {
+    let parsedUrl: URL;
+    try {
+      parsedUrl = new URL(selectedImage);
+    } catch {
+      return selectedImage;
+    }
+
+    if (parsedUrl.searchParams.has('st')) {
+      const imageResponse = await fetch(selectedImage);
+      if (!imageResponse.ok) {
+        throw new Error('Failed to load selected image for PDF generation');
+      }
+
+      const imageBlob = await imageResponse.blob();
+      return await blobToDataUrl(imageBlob);
+    }
+  }
+
   return selectedImage;
 };
 

package/functions/api/image/[[path]].ts

@@ -67,6 +67,14 @@ function resolveImageWorkerToken(env: Env): string {
   return typeof env.IMAGES_API_TOKEN === 'string' ? env.IMAGES_API_TOKEN.trim() : '';
 }
 
+const BASE64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;
+
+function looksLikeSignedToken(value: string): boolean {
+  const parts = value.split('.');
+  if (parts.length !== 2) return false;
+  return parts.every(part => part.length > 0 && BASE64URL_SEGMENT.test(part));
+}
+
 export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Response> => {
   if (!SUPPORTED_METHODS.has(request.method)) {
     return textResponse('Method not allowed', 405);
@@ -84,9 +92,17 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
 
   const requestUrl = new URL(request.url);
 
-  const identity = await verifyFirebaseIdentityFromRequest(request, env);
-  if (!identity) {
-    return textResponse('Unauthorized', 401);
+  const signedToken = requestUrl.searchParams.get('st');
+  const isSignedTokenRequest =
+    request.method === 'GET' &&
+    signedToken !== null &&
+    looksLikeSignedToken(signedToken);
+
+  if (!isSignedTokenRequest) {
+    const identity = await verifyFirebaseIdentityFromRequest(request, env);
+    if (!identity) {
+      return textResponse('Unauthorized', 401);
+    }
   }
 
   const proxyPathResult = extractProxyPath(requestUrl);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.3.1",
+  "version": "5.3.2",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",

package/workers/image-worker/src/image-worker.example.ts

@@ -14,6 +14,7 @@ interface Env {
   DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID?: string;
   IMAGE_SIGNED_URL_SECRET?: string;
   IMAGE_SIGNED_URL_TTL_SECONDS?: string;
+  IMAGE_SIGNED_URL_BASE_URL?: string;
 }
 
 interface KeyRegistryPayload {
@@ -383,6 +384,25 @@ function requireSignedUrlConfig(env: Env): void {
   }
 }
 
+function parseSignedUrlBaseUrl(raw: string): string {
+  let parsed: URL;
+  try {
+    parsed = new URL(raw.trim());
+  } catch {
+    throw new Error(`IMAGE_SIGNED_URL_BASE_URL is not a valid absolute URL: "${raw}"`);
+  }
+
+  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+    throw new Error(`IMAGE_SIGNED_URL_BASE_URL must use http or https, got: "${parsed.protocol}"`);
+  }
+
+  if (parsed.search || parsed.hash) {
+    throw new Error(`IMAGE_SIGNED_URL_BASE_URL must not include a query string or fragment: "${raw}"`);
+  }
+
+  return `${parsed.origin}${parsed.pathname}`.replace(/\/+$/, '');
+}
+
 async function getSignedUrlHmacKey(env: Env): Promise<CryptoKey> {
   const resolvedSecret = (env.IMAGE_SIGNED_URL_SECRET || env.IMAGES_API_TOKEN || '').trim();
   const keyBytes = new TextEncoder().encode(resolvedSecret);
@@ -592,8 +612,22 @@ async function handleSignedUrlMinting(request: Request, env: Env, fileId: string
   };
 
   const signedToken = await signSignedAccessPayload(payload, env);
-  const signedPath = `/${encodeURIComponent(fileId)}?st=${encodeURIComponent(signedToken)}`;
-  const signedUrl = new URL(signedPath, request.url).toString();
+
+  let baseUrl: string;
+  if (env.IMAGE_SIGNED_URL_BASE_URL) {
+    try {
+      baseUrl = parseSignedUrlBaseUrl(env.IMAGE_SIGNED_URL_BASE_URL);
+    } catch (error) {
+      console.error('Invalid IMAGE_SIGNED_URL_BASE_URL configuration', {
+        reason: error instanceof Error ? error.message : String(error)
+      });
+      return createJsonResponse({ error: 'Signed URL base URL is misconfigured' }, 500);
+    }
+  } else {
+    baseUrl = new URL(request.url).origin;
+  }
+
+  const signedUrl = `${baseUrl}/${encodeURIComponent(fileId)}?st=${encodeURIComponent(signedToken)}`;
 
   return createJsonResponse({
     success: true,