npm - @striae-org/striae - Versions diffs - 5.4.2 → 5.4.4 - Mend

@striae-org/striae 5.4.2 → 5.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/workers/data-worker/wrangler.jsonc.example CHANGED Viewed

@@ -5,7 +5,7 @@
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
-  "compatibility_date": "2026-03-31",
+  "compatibility_date": "2026-04-02",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/image-worker/package.json CHANGED Viewed

@@ -9,7 +9,7 @@
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"wrangler": "^4.78.0"
+		"wrangler": "^4.80.0"
 	},
 	"overrides": {
 		"undici": "7.24.1",

package/workers/image-worker/src/auth.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { Env } from './types';
+export function hasValidToken(request: Request, env: Env): boolean {
+  const authHeader = request.headers.get('Authorization');
+  const expectedToken = `Bearer ${env.IMAGES_API_TOKEN}`;
+  return authHeader === expectedToken;
+}

package/workers/image-worker/src/handlers/delete-image.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { hasValidToken } from '../auth';
+import type { CreateImageWorkerResponse, Env } from '../types';
+import { parseFileId } from '../utils/path-utils';
+export async function handleImageDelete(
+  request: Request,
+  env: Env,
+  createJsonResponse: CreateImageWorkerResponse
+): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+  const fileId = parseFileId(new URL(request.url).pathname);
+  if (!fileId) {
+    return createJsonResponse({ error: 'Image ID is required' }, 400);
+  }
+  const existing = await env.STRIAE_FILES.head(fileId);
+  if (!existing) {
+    return createJsonResponse({ error: 'File not found' }, 404);
+  }
+  await env.STRIAE_FILES.delete(fileId);
+  return createJsonResponse({ success: true });
+}

package/workers/image-worker/src/handlers/mint-signed-url.ts ADDED Viewed

@@ -0,0 +1,83 @@
+import { hasValidToken } from '../auth';
+import {
+  normalizeSignedUrlTtlSeconds,
+  parseSignedUrlBaseUrl,
+  requireSignedUrlConfig,
+  signSignedAccessPayload
+} from '../security/signed-url';
+import type {
+  CreateImageWorkerResponse,
+  Env,
+  SignedAccessPayload
+} from '../types';
+interface SignedUrlMintRequestBody {
+  expiresInSeconds?: unknown;
+}
+export async function handleSignedUrlMinting(
+  request: Request,
+  env: Env,
+  fileId: string,
+  createJsonResponse: CreateImageWorkerResponse
+): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+  requireSignedUrlConfig(env);
+  const existing = await env.STRIAE_FILES.head(fileId);
+  if (!existing) {
+    return createJsonResponse({ error: 'File not found' }, 404);
+  }
+  let requestedExpiresInSeconds: number | undefined;
+  const contentType = request.headers.get('Content-Type') || '';
+  if (contentType.includes('application/json')) {
+    const requestBody = await request.json().catch(() => null);
+    if (requestBody && typeof requestBody === 'object') {
+      const expiresInSeconds = (requestBody as SignedUrlMintRequestBody).expiresInSeconds;
+      if (typeof expiresInSeconds === 'number') {
+        requestedExpiresInSeconds = expiresInSeconds;
+      }
+    }
+  }
+  const nowEpochSeconds = Math.floor(Date.now() / 1000);
+  const ttlSeconds = normalizeSignedUrlTtlSeconds(requestedExpiresInSeconds, env);
+  const payload: SignedAccessPayload = {
+    fileId,
+    iat: nowEpochSeconds,
+    exp: nowEpochSeconds + ttlSeconds,
+    nonce: crypto.randomUUID().replace(/-/g, '')
+  };
+  const signedToken = await signSignedAccessPayload(payload, env);
+  let baseUrl: string;
+  if (env.IMAGE_SIGNED_URL_BASE_URL) {
+    try {
+      baseUrl = parseSignedUrlBaseUrl(env.IMAGE_SIGNED_URL_BASE_URL);
+    } catch (error) {
+      console.error('Invalid IMAGE_SIGNED_URL_BASE_URL configuration', {
+        reason: error instanceof Error ? error.message : String(error)
+      });
+      return createJsonResponse({ error: 'Signed URL base URL is misconfigured' }, 500);
+    }
+  } else {
+    baseUrl = new URL(request.url).origin;
+  }
+  const signedUrl = `${baseUrl}/${encodeURIComponent(fileId)}?st=${encodeURIComponent(signedToken)}`;
+  return createJsonResponse({
+    success: true,
+    result: {
+      fileId,
+      url: signedUrl,
+      expiresAt: new Date(payload.exp * 1000).toISOString(),
+      expiresInSeconds: ttlSeconds
+    }
+  });
+}

package/workers/image-worker/src/handlers/serve-image.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { hasValidToken } from '../auth';
+import {
+  decryptBinaryWithRegistry,
+  requireEncryptionRetrievalConfig
+} from '../security/key-registry';
+import { requireSignedUrlConfig, verifySignedAccessToken } from '../security/signed-url';
+import type { CreateImageWorkerResponse, Env } from '../types';
+import { buildSafeContentDisposition } from '../utils/content-disposition';
+import { extractEnvelope } from '../utils/storage-metadata';
+export async function handleImageServing(
+  request: Request,
+  env: Env,
+  fileId: string,
+  createJsonResponse: CreateImageWorkerResponse,
+  corsHeaders: Record<string, string>
+): Promise<Response> {
+  const requestUrl = new URL(request.url);
+  const hasSignedToken = requestUrl.searchParams.has('st');
+  const signedToken = requestUrl.searchParams.get('st');
+  if (hasSignedToken) {
+    requireSignedUrlConfig(env);
+    if (!signedToken || signedToken.trim().length === 0) {
+      return createJsonResponse({ error: 'Invalid or expired signed URL token' }, 403);
+    }
+    const tokenValid = await verifySignedAccessToken(signedToken, fileId, env);
+    if (!tokenValid) {
+      return createJsonResponse({ error: 'Invalid or expired signed URL token' }, 403);
+    }
+  } else if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+  requireEncryptionRetrievalConfig(env);
+  const file = await env.STRIAE_FILES.get(fileId);
+  if (!file) {
+    return createJsonResponse({ error: 'File not found' }, 404);
+  }
+  const envelope = extractEnvelope(file);
+  if (!envelope) {
+    return createJsonResponse({ error: 'Missing data-at-rest envelope metadata' }, 500);
+  }
+  const encryptedData = await file.arrayBuffer();
+  const plaintext = await decryptBinaryWithRegistry(encryptedData, envelope, env);
+  const contentType = file.customMetadata?.contentType || 'application/octet-stream';
+  const filename = file.customMetadata?.originalFilename || fileId;
+  const contentDisposition = buildSafeContentDisposition(filename, fileId);
+  return new Response(plaintext, {
+    status: 200,
+    headers: {
+      ...corsHeaders,
+      'Cache-Control': 'no-store',
+      'Content-Type': contentType,
+      'Content-Disposition': contentDisposition
+    }
+  });
+}

package/workers/image-worker/src/handlers/upload-image.ts ADDED Viewed

@@ -0,0 +1,62 @@
+import { hasValidToken } from '../auth';
+import { encryptBinaryForStorage } from '../encryption-utils';
+import { requireEncryptionUploadConfig } from '../security/key-registry';
+import type { CreateImageWorkerResponse, Env } from '../types';
+import { deriveFileKind } from '../utils/content-disposition';
+export async function handleImageUpload(
+  request: Request,
+  env: Env,
+  createJsonResponse: CreateImageWorkerResponse
+): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+  requireEncryptionUploadConfig(env);
+  const formData = await request.formData();
+  const fileValue = formData.get('file');
+  if (!(fileValue instanceof Blob)) {
+    return createJsonResponse({ error: 'Missing file upload payload' }, 400);
+  }
+  const fileBlob = fileValue;
+  const uploadedAt = new Date().toISOString();
+  const filename = fileValue instanceof File && fileValue.name ? fileValue.name : 'upload.bin';
+  const contentType = fileBlob.type || 'application/octet-stream';
+  const fileId = crypto.randomUUID().replace(/-/g, '');
+  const plaintextBytes = await fileBlob.arrayBuffer();
+  const encryptedPayload = await encryptBinaryForStorage(
+    plaintextBytes,
+    env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+    env.DATA_AT_REST_ENCRYPTION_KEY_ID
+  );
+  await env.STRIAE_FILES.put(fileId, encryptedPayload.ciphertext, {
+    customMetadata: {
+      algorithm: encryptedPayload.envelope.algorithm,
+      encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+      keyId: encryptedPayload.envelope.keyId,
+      dataIv: encryptedPayload.envelope.dataIv,
+      wrappedKey: encryptedPayload.envelope.wrappedKey,
+      contentType,
+      originalFilename: filename,
+      byteLength: String(fileBlob.size),
+      createdAt: uploadedAt,
+      fileKind: deriveFileKind(contentType)
+    }
+  });
+  return createJsonResponse({
+    success: true,
+    errors: [],
+    messages: [],
+    result: {
+      id: fileId,
+      filename,
+      uploaded: uploadedAt
+    }
+  });
+}