@striae-org/striae 5.4.3 → 5.4.5

package/app/utils/auth/auth-action-settings.ts

@@ -39,7 +39,7 @@ export const getSafeContinuePath = (continueUrl: string | null | undefined): str
     }
 
     const safePath = `${parsedUrl.pathname}${parsedUrl.search}${parsedUrl.hash}`;
-    return safePath.startsWith('/') ? safePath : DEFAULT_CONTINUE_PATH;
+    return normalizeContinuePath(safePath);
   } catch {
     return DEFAULT_CONTINUE_PATH;
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.4.3",
+  "version": "5.4.5",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -100,18 +100,18 @@
     "deploy-workers:user": "cd workers/user-worker && npm run deploy"
   },
   "dependencies": {
-    "@react-router/cloudflare": "^7.13.2",
+    "@react-router/cloudflare": "^7.14.0",
     "firebase": "^12.11.0",
     "isbot": "^5.1.37",
     "jszip": "^3.10.1",
     "qrcode": "^1.5.4",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
-    "react-router": "^7.13.2"
+    "react-router": "^7.14.0"
   },
   "devDependencies": {
-    "@react-router/dev": "^7.13.2",
-    "@react-router/fs-routes": "^7.13.2",
+    "@react-router/dev": "^7.14.0",
+    "@react-router/fs-routes": "^7.14.0",
     "@types/qrcode": "^1.5.6",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
@@ -139,4 +139,4 @@
     "node": ">=20.0.0"
   },
   "packageManager": "npm@11.11.0"
-}
+}

package/scripts/enable-totp-mfa.mjs

@@ -41,7 +41,7 @@ try {
         {
           state: 'ENABLED',
           totpProviderConfig: {
-            adjacentIntervals: 5,
+            adjacentIntervals: 0,
           },
         },
       ],
@@ -49,7 +49,7 @@ try {
   });
 
   console.log('✅ TOTP MFA provider enabled successfully.');
-  console.log('   adjacentIntervals: 5 (allows ±2.5 minutes clock skew)');
+  console.log('   adjacentIntervals: 0 (accepts only the current TOTP interval; no adjacent interval tolerance)');
 } catch (err) {
   console.error('\n❌ Failed to enable TOTP MFA provider:');
   console.error(err?.message ?? err);

package/workers/audit-worker/wrangler.jsonc.example

@@ -7,7 +7,7 @@
   "name": "AUDIT_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
-  "compatibility_date": "2026-04-02",
+  "compatibility_date": "2026-04-03",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/data-worker/wrangler.jsonc.example

@@ -5,7 +5,7 @@
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
-  "compatibility_date": "2026-04-02",
+  "compatibility_date": "2026-04-03",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/src/auth.ts

@@ -0,0 +1,7 @@
+import type { Env } from './types';
+
+export function hasValidToken(request: Request, env: Env): boolean {
+  const authHeader = request.headers.get('Authorization');
+  const expectedToken = `Bearer ${env.IMAGES_API_TOKEN}`;
+  return authHeader === expectedToken;
+}

package/workers/image-worker/src/handlers/delete-image.ts

@@ -0,0 +1,26 @@
+import { hasValidToken } from '../auth';
+import type { CreateImageWorkerResponse, Env } from '../types';
+import { parseFileId } from '../utils/path-utils';
+
+export async function handleImageDelete(
+  request: Request,
+  env: Env,
+  createJsonResponse: CreateImageWorkerResponse
+): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  const fileId = parseFileId(new URL(request.url).pathname);
+  if (!fileId) {
+    return createJsonResponse({ error: 'Image ID is required' }, 400);
+  }
+
+  const existing = await env.STRIAE_FILES.head(fileId);
+  if (!existing) {
+    return createJsonResponse({ error: 'File not found' }, 404);
+  }
+
+  await env.STRIAE_FILES.delete(fileId);
+  return createJsonResponse({ success: true });
+}

package/workers/image-worker/src/handlers/mint-signed-url.ts

@@ -0,0 +1,83 @@
+import { hasValidToken } from '../auth';
+import {
+  normalizeSignedUrlTtlSeconds,
+  parseSignedUrlBaseUrl,
+  requireSignedUrlConfig,
+  signSignedAccessPayload
+} from '../security/signed-url';
+import type {
+  CreateImageWorkerResponse,
+  Env,
+  SignedAccessPayload
+} from '../types';
+
+interface SignedUrlMintRequestBody {
+  expiresInSeconds?: unknown;
+}
+
+export async function handleSignedUrlMinting(
+  request: Request,
+  env: Env,
+  fileId: string,
+  createJsonResponse: CreateImageWorkerResponse
+): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  requireSignedUrlConfig(env);
+
+  const existing = await env.STRIAE_FILES.head(fileId);
+  if (!existing) {
+    return createJsonResponse({ error: 'File not found' }, 404);
+  }
+
+  let requestedExpiresInSeconds: number | undefined;
+  const contentType = request.headers.get('Content-Type') || '';
+  if (contentType.includes('application/json')) {
+    const requestBody = await request.json().catch(() => null);
+    if (requestBody && typeof requestBody === 'object') {
+      const expiresInSeconds = (requestBody as SignedUrlMintRequestBody).expiresInSeconds;
+      if (typeof expiresInSeconds === 'number') {
+        requestedExpiresInSeconds = expiresInSeconds;
+      }
+    }
+  }
+
+  const nowEpochSeconds = Math.floor(Date.now() / 1000);
+  const ttlSeconds = normalizeSignedUrlTtlSeconds(requestedExpiresInSeconds, env);
+  const payload: SignedAccessPayload = {
+    fileId,
+    iat: nowEpochSeconds,
+    exp: nowEpochSeconds + ttlSeconds,
+    nonce: crypto.randomUUID().replace(/-/g, '')
+  };
+
+  const signedToken = await signSignedAccessPayload(payload, env);
+
+  let baseUrl: string;
+  if (env.IMAGE_SIGNED_URL_BASE_URL) {
+    try {
+      baseUrl = parseSignedUrlBaseUrl(env.IMAGE_SIGNED_URL_BASE_URL);
+    } catch (error) {
+      console.error('Invalid IMAGE_SIGNED_URL_BASE_URL configuration', {
+        reason: error instanceof Error ? error.message : String(error)
+      });
+      return createJsonResponse({ error: 'Signed URL base URL is misconfigured' }, 500);
+    }
+  } else {
+    baseUrl = new URL(request.url).origin;
+  }
+
+  const signedUrl = `${baseUrl}/${encodeURIComponent(fileId)}?st=${encodeURIComponent(signedToken)}`;
+
+  return createJsonResponse({
+    success: true,
+    result: {
+      fileId,
+      url: signedUrl,
+      expiresAt: new Date(payload.exp * 1000).toISOString(),
+      expiresInSeconds: ttlSeconds
+    }
+  });
+}

package/workers/image-worker/src/handlers/serve-image.ts

@@ -0,0 +1,65 @@
+import { hasValidToken } from '../auth';
+import {
+  decryptBinaryWithRegistry,
+  requireEncryptionRetrievalConfig
+} from '../security/key-registry';
+import { requireSignedUrlConfig, verifySignedAccessToken } from '../security/signed-url';
+import type { CreateImageWorkerResponse, Env } from '../types';
+import { buildSafeContentDisposition } from '../utils/content-disposition';
+import { extractEnvelope } from '../utils/storage-metadata';
+
+export async function handleImageServing(
+  request: Request,
+  env: Env,
+  fileId: string,
+  createJsonResponse: CreateImageWorkerResponse,
+  corsHeaders: Record<string, string>
+): Promise<Response> {
+  const requestUrl = new URL(request.url);
+  const hasSignedToken = requestUrl.searchParams.has('st');
+  const signedToken = requestUrl.searchParams.get('st');
+
+  if (hasSignedToken) {
+    requireSignedUrlConfig(env);
+
+    if (!signedToken || signedToken.trim().length === 0) {
+      return createJsonResponse({ error: 'Invalid or expired signed URL token' }, 403);
+    }
+
+    const tokenValid = await verifySignedAccessToken(signedToken, fileId, env);
+    if (!tokenValid) {
+      return createJsonResponse({ error: 'Invalid or expired signed URL token' }, 403);
+    }
+  } else if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  requireEncryptionRetrievalConfig(env);
+
+  const file = await env.STRIAE_FILES.get(fileId);
+  if (!file) {
+    return createJsonResponse({ error: 'File not found' }, 404);
+  }
+
+  const envelope = extractEnvelope(file);
+  if (!envelope) {
+    return createJsonResponse({ error: 'Missing data-at-rest envelope metadata' }, 500);
+  }
+
+  const encryptedData = await file.arrayBuffer();
+  const plaintext = await decryptBinaryWithRegistry(encryptedData, envelope, env);
+
+  const contentType = file.customMetadata?.contentType || 'application/octet-stream';
+  const filename = file.customMetadata?.originalFilename || fileId;
+  const contentDisposition = buildSafeContentDisposition(filename, fileId);
+
+  return new Response(plaintext, {
+    status: 200,
+    headers: {
+      ...corsHeaders,
+      'Cache-Control': 'no-store',
+      'Content-Type': contentType,
+      'Content-Disposition': contentDisposition
+    }
+  });
+}

package/workers/image-worker/src/handlers/upload-image.ts

@@ -0,0 +1,62 @@
+import { hasValidToken } from '../auth';
+import { encryptBinaryForStorage } from '../encryption-utils';
+import { requireEncryptionUploadConfig } from '../security/key-registry';
+import type { CreateImageWorkerResponse, Env } from '../types';
+import { deriveFileKind } from '../utils/content-disposition';
+
+export async function handleImageUpload(
+  request: Request,
+  env: Env,
+  createJsonResponse: CreateImageWorkerResponse
+): Promise<Response> {
+  if (!hasValidToken(request, env)) {
+    return createJsonResponse({ error: 'Unauthorized' }, 403);
+  }
+
+  requireEncryptionUploadConfig(env);
+
+  const formData = await request.formData();
+  const fileValue = formData.get('file');
+  if (!(fileValue instanceof Blob)) {
+    return createJsonResponse({ error: 'Missing file upload payload' }, 400);
+  }
+
+  const fileBlob = fileValue;
+  const uploadedAt = new Date().toISOString();
+  const filename = fileValue instanceof File && fileValue.name ? fileValue.name : 'upload.bin';
+  const contentType = fileBlob.type || 'application/octet-stream';
+  const fileId = crypto.randomUUID().replace(/-/g, '');
+  const plaintextBytes = await fileBlob.arrayBuffer();
+
+  const encryptedPayload = await encryptBinaryForStorage(
+    plaintextBytes,
+    env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+    env.DATA_AT_REST_ENCRYPTION_KEY_ID
+  );
+
+  await env.STRIAE_FILES.put(fileId, encryptedPayload.ciphertext, {
+    customMetadata: {
+      algorithm: encryptedPayload.envelope.algorithm,
+      encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+      keyId: encryptedPayload.envelope.keyId,
+      dataIv: encryptedPayload.envelope.dataIv,
+      wrappedKey: encryptedPayload.envelope.wrappedKey,
+      contentType,
+      originalFilename: filename,
+      byteLength: String(fileBlob.size),
+      createdAt: uploadedAt,
+      fileKind: deriveFileKind(contentType)
+    }
+  });
+
+  return createJsonResponse({
+    success: true,
+    errors: [],
+    messages: [],
+    result: {
+      id: fileId,
+      filename,
+      uploaded: uploadedAt
+    }
+  });
+}