@striae-org/striae 5.4.3 → 5.4.5

package/workers/image-worker/src/router.ts

@@ -0,0 +1,53 @@
+import { handleImageDelete } from './handlers/delete-image';
+import { handleSignedUrlMinting } from './handlers/mint-signed-url';
+import { handleImageServing } from './handlers/serve-image';
+import { handleImageUpload } from './handlers/upload-image';
+import type { CreateImageWorkerResponse, Env } from './types';
+import { parsePathSegments } from './utils/path-utils';
+
+export async function routeImageWorkerRequest(
+  request: Request,
+  env: Env,
+  createJsonResponse: CreateImageWorkerResponse,
+  corsHeaders: Record<string, string>
+): Promise<Response> {
+  const requestUrl = new URL(request.url);
+  const pathSegments = parsePathSegments(requestUrl.pathname);
+  if (!pathSegments) {
+    return createJsonResponse({ error: 'Invalid image path encoding' }, 400);
+  }
+
+  switch (request.method) {
+    case 'POST': {
+      if (pathSegments.length === 0) {
+        return handleImageUpload(request, env, createJsonResponse);
+      }
+
+      if (pathSegments.length === 2 && pathSegments[1] === 'signed-url') {
+        return handleSignedUrlMinting(request, env, pathSegments[0], createJsonResponse);
+      }
+
+      return createJsonResponse({ error: 'Not found' }, 404);
+    }
+
+    case 'GET': {
+      const fileId = pathSegments.length === 1 ? pathSegments[0] : null;
+      if (!fileId) {
+        return createJsonResponse({ error: 'Image ID is required' }, 400);
+      }
+
+      return handleImageServing(request, env, fileId, createJsonResponse, corsHeaders);
+    }
+
+    case 'DELETE': {
+      if (pathSegments.length !== 1) {
+        return createJsonResponse({ error: 'Not found' }, 404);
+      }
+
+      return handleImageDelete(request, env, createJsonResponse);
+    }
+
+    default:
+      return createJsonResponse({ error: 'Method not allowed' }, 405);
+  }
+}

package/workers/image-worker/src/security/key-registry.ts

@@ -0,0 +1,193 @@
+import {
+  decryptBinaryFromStorage,
+  type DataAtRestEnvelope
+} from '../encryption-utils';
+import type {
+  DecryptionTelemetryOutcome,
+  Env,
+  KeyRegistryPayload,
+  PrivateKeyRegistry
+} from '../types';
+
+function normalizePrivateKeyPem(rawValue: string): string {
+  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
+}
+
+function getNonEmptyString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+}
+
+export function requireEncryptionUploadConfig(env: Env): void {
+  if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+    throw new Error('Data-at-rest encryption is not configured for image uploads');
+  }
+}
+
+export function requireEncryptionRetrievalConfig(env: Env): void {
+  const hasLegacyPrivateKey = typeof env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY === 'string' && env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY.trim().length > 0;
+  const hasRegistry = typeof env.DATA_AT_REST_ENCRYPTION_KEYS_JSON === 'string' && env.DATA_AT_REST_ENCRYPTION_KEYS_JSON.trim().length > 0;
+
+  if (!hasLegacyPrivateKey && !hasRegistry) {
+    throw new Error('Data-at-rest decryption registry is not configured for image retrieval');
+  }
+}
+
+function parseDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
+  const keys: Record<string, string> = {};
+  const configuredActiveKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID);
+  const registryJson = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEYS_JSON);
+
+  if (registryJson) {
+    let parsedRegistry: unknown;
+    try {
+      parsedRegistry = JSON.parse(registryJson) as unknown;
+    } catch {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON is not valid JSON');
+    }
+
+    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must be an object');
+    }
+
+    const payload = parsedRegistry as KeyRegistryPayload;
+    if (!payload.keys || typeof payload.keys !== 'object') {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must include a keys object');
+    }
+
+    for (const [keyId, pemValue] of Object.entries(payload.keys as Record<string, unknown>)) {
+      const normalizedKeyId = getNonEmptyString(keyId);
+      const normalizedPem = getNonEmptyString(pemValue);
+      if (!normalizedKeyId || !normalizedPem) {
+        continue;
+      }
+
+      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
+    }
+
+    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
+    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
+
+    if (Object.keys(keys).length === 0) {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON does not contain any usable keys');
+    }
+
+    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
+      throw new Error('DATA_AT_REST active key ID is not present in DATA_AT_REST_ENCRYPTION_KEYS_JSON');
+    }
+
+    return {
+      activeKeyId: resolvedActiveKeyId ?? null,
+      keys
+    };
+  }
+
+  const legacyKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEY_ID);
+  const legacyPrivateKey = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY);
+  if (!legacyKeyId || !legacyPrivateKey) {
+    throw new Error('Data-at-rest decryption key registry is not configured');
+  }
+
+  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
+
+  return {
+    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
+    keys
+  };
+}
+
+function buildPrivateKeyCandidates(
+  recordKeyId: string,
+  registry: PrivateKeyRegistry
+): Array<{ keyId: string; privateKeyPem: string }> {
+  const candidates: Array<{ keyId: string; privateKeyPem: string }> = [];
+  const seen = new Set<string>();
+
+  const appendCandidate = (candidateKeyId: string | null): void => {
+    if (!candidateKeyId || seen.has(candidateKeyId)) {
+      return;
+    }
+
+    const privateKeyPem = registry.keys[candidateKeyId];
+    if (!privateKeyPem) {
+      return;
+    }
+
+    seen.add(candidateKeyId);
+    candidates.push({ keyId: candidateKeyId, privateKeyPem });
+  };
+
+  appendCandidate(getNonEmptyString(recordKeyId));
+  appendCandidate(registry.activeKeyId);
+
+  for (const keyId of Object.keys(registry.keys)) {
+    appendCandidate(keyId);
+  }
+
+  return candidates;
+}
+
+function logFileDecryptionTelemetry(input: {
+  recordKeyId: string;
+  selectedKeyId: string | null;
+  attemptCount: number;
+  outcome: DecryptionTelemetryOutcome;
+  reason?: string;
+}): void {
+  const details = {
+    scope: 'file-at-rest',
+    recordKeyId: input.recordKeyId,
+    selectedKeyId: input.selectedKeyId,
+    attemptCount: input.attemptCount,
+    fallbackUsed: input.outcome === 'fallback-hit',
+    outcome: input.outcome,
+    reason: input.reason ?? null
+  };
+
+  if (input.outcome === 'all-failed') {
+    console.warn('Key registry decryption failed', details);
+    return;
+  }
+
+  console.info('Key registry decryption resolved', details);
+}
+
+export async function decryptBinaryWithRegistry(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  env: Env
+): Promise<ArrayBuffer> {
+  const keyRegistry = parseDataAtRestPrivateKeyRegistry(env);
+  const candidates = buildPrivateKeyCandidates(envelope.keyId, keyRegistry);
+  const primaryKeyId = candidates[0]?.keyId ?? null;
+  let lastError: unknown;
+
+  for (let index = 0; index < candidates.length; index += 1) {
+    const candidate = candidates[index];
+    try {
+      const plaintext = await decryptBinaryFromStorage(ciphertext, envelope, candidate.privateKeyPem);
+      logFileDecryptionTelemetry({
+        recordKeyId: envelope.keyId,
+        selectedKeyId: candidate.keyId,
+        attemptCount: index + 1,
+        outcome: candidate.keyId === primaryKeyId ? 'primary-hit' : 'fallback-hit'
+      });
+      return plaintext;
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  logFileDecryptionTelemetry({
+    recordKeyId: envelope.keyId,
+    selectedKeyId: null,
+    attemptCount: candidates.length,
+    outcome: 'all-failed',
+    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
+  });
+
+  throw new Error(
+    `Failed to decrypt stored file after ${candidates.length} key attempt(s): ${
+      lastError instanceof Error ? lastError.message : 'unknown decryption error'
+    }`
+  );
+}

package/workers/image-worker/src/security/signed-url.ts

@@ -0,0 +1,163 @@
+import type { Env, SignedAccessPayload } from '../types';
+
+const DEFAULT_SIGNED_URL_TTL_SECONDS = 3600;
+const MAX_SIGNED_URL_TTL_SECONDS = 86400;
+
+function base64UrlEncode(input: ArrayBuffer | Uint8Array): string {
+  const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
+  let binary = '';
+
+  for (let index = 0; index < bytes.length; index += 1) {
+    binary += String.fromCharCode(bytes[index]);
+  }
+
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+
+function base64UrlDecode(input: string): Uint8Array | null {
+  if (!input || /[^A-Za-z0-9_-]/.test(input)) {
+    return null;
+  }
+
+  const paddingLength = (4 - (input.length % 4)) % 4;
+  const padded = input.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(paddingLength);
+
+  try {
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let index = 0; index < binary.length; index += 1) {
+      bytes[index] = binary.charCodeAt(index);
+    }
+
+    return bytes;
+  } catch {
+    return null;
+  }
+}
+
+export function normalizeSignedUrlTtlSeconds(requestedTtlSeconds: unknown, env: Env): number {
+  const defaultFromEnv = Number.parseInt(env.IMAGE_SIGNED_URL_TTL_SECONDS ?? '', 10);
+  const fallbackTtl = Number.isFinite(defaultFromEnv) && defaultFromEnv > 0
+    ? defaultFromEnv
+    : DEFAULT_SIGNED_URL_TTL_SECONDS;
+  const requested = typeof requestedTtlSeconds === 'number' ? requestedTtlSeconds : fallbackTtl;
+  const normalized = Math.floor(requested);
+
+  if (!Number.isFinite(normalized) || normalized <= 0) {
+    return fallbackTtl;
+  }
+
+  return Math.min(normalized, MAX_SIGNED_URL_TTL_SECONDS);
+}
+
+export function requireSignedUrlConfig(env: Env): void {
+  const resolvedSecret = (env.IMAGE_SIGNED_URL_SECRET || env.IMAGES_API_TOKEN || '').trim();
+  if (resolvedSecret.length === 0) {
+    throw new Error('Signed URL configuration is missing');
+  }
+}
+
+export function parseSignedUrlBaseUrl(raw: string): string {
+  let parsed: URL;
+  try {
+    parsed = new URL(raw.trim());
+  } catch {
+    throw new Error(`IMAGE_SIGNED_URL_BASE_URL is not a valid absolute URL: "${raw}"`);
+  }
+
+  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+    throw new Error(`IMAGE_SIGNED_URL_BASE_URL must use http or https, got: "${parsed.protocol}"`);
+  }
+
+  if (parsed.search || parsed.hash) {
+    throw new Error(`IMAGE_SIGNED_URL_BASE_URL must not include a query string or fragment: "${raw}"`);
+  }
+
+  return `${parsed.origin}${parsed.pathname}`.replace(/\/+$/g, '');
+}
+
+async function getSignedUrlHmacKey(env: Env): Promise<CryptoKey> {
+  const resolvedSecret = (env.IMAGE_SIGNED_URL_SECRET || env.IMAGES_API_TOKEN || '').trim();
+  const keyBytes = new TextEncoder().encode(resolvedSecret);
+
+  return crypto.subtle.importKey(
+    'raw',
+    keyBytes,
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign', 'verify']
+  );
+}
+
+export async function signSignedAccessPayload(
+  payload: SignedAccessPayload,
+  env: Env
+): Promise<string> {
+  const payloadJson = JSON.stringify(payload);
+  const payloadBase64Url = base64UrlEncode(new TextEncoder().encode(payloadJson));
+  const hmacKey = await getSignedUrlHmacKey(env);
+  const signature = await crypto.subtle.sign('HMAC', hmacKey, new TextEncoder().encode(payloadBase64Url));
+  const signatureBase64Url = base64UrlEncode(signature);
+
+  return `${payloadBase64Url}.${signatureBase64Url}`;
+}
+
+export async function verifySignedAccessToken(
+  token: string,
+  fileId: string,
+  env: Env
+): Promise<boolean> {
+  const tokenParts = token.split('.');
+  if (tokenParts.length !== 2) {
+    return false;
+  }
+
+  const [payloadBase64Url, signatureBase64Url] = tokenParts;
+  if (!payloadBase64Url || !signatureBase64Url) {
+    return false;
+  }
+
+  const signatureBytes = base64UrlDecode(signatureBase64Url);
+  if (!signatureBytes) {
+    return false;
+  }
+
+  const signatureBuffer = new Uint8Array(signatureBytes).buffer;
+  const hmacKey = await getSignedUrlHmacKey(env);
+  const signatureValid = await crypto.subtle.verify(
+    'HMAC',
+    hmacKey,
+    signatureBuffer,
+    new TextEncoder().encode(payloadBase64Url)
+  );
+  if (!signatureValid) {
+    return false;
+  }
+
+  const payloadBytes = base64UrlDecode(payloadBase64Url);
+  if (!payloadBytes) {
+    return false;
+  }
+
+  let payload: SignedAccessPayload;
+  try {
+    payload = JSON.parse(new TextDecoder().decode(payloadBytes)) as SignedAccessPayload;
+  } catch {
+    return false;
+  }
+
+  if (payload.fileId !== fileId) {
+    return false;
+  }
+
+  const nowEpochSeconds = Math.floor(Date.now() / 1000);
+  if (!Number.isInteger(payload.exp) || payload.exp <= nowEpochSeconds) {
+    return false;
+  }
+
+  if (!Number.isInteger(payload.iat) || payload.iat > nowEpochSeconds + 300) {
+    return false;
+  }
+
+  return typeof payload.nonce === 'string' && payload.nonce.length > 0;
+}

package/workers/image-worker/src/types.ts

@@ -0,0 +1,68 @@
+export interface Env {
+  IMAGES_API_TOKEN: string;
+  STRIAE_FILES: R2Bucket;
+  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_PUBLIC_KEY: string;
+  DATA_AT_REST_ENCRYPTION_KEY_ID: string;
+  DATA_AT_REST_ENCRYPTION_KEYS_JSON?: string;
+  DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID?: string;
+  IMAGE_SIGNED_URL_SECRET?: string;
+  IMAGE_SIGNED_URL_TTL_SECONDS?: string;
+  IMAGE_SIGNED_URL_BASE_URL?: string;
+}
+
+export interface KeyRegistryPayload {
+  activeKeyId?: unknown;
+  keys?: unknown;
+}
+
+export interface PrivateKeyRegistry {
+  activeKeyId: string | null;
+  keys: Record<string, string>;
+}
+
+export type DecryptionTelemetryOutcome = 'primary-hit' | 'fallback-hit' | 'all-failed';
+
+export interface UploadResult {
+  id: string;
+  filename: string;
+  uploaded: string;
+}
+
+export interface UploadResponse {
+  success: boolean;
+  errors: Array<{ code: number; message: string }>;
+  messages: string[];
+  result: UploadResult;
+}
+
+export interface SuccessResponse {
+  success: boolean;
+}
+
+export interface ErrorResponse {
+  error: string;
+}
+
+export interface SignedUrlResult {
+  fileId: string;
+  url: string;
+  expiresAt: string;
+  expiresInSeconds: number;
+}
+
+export interface SignedUrlResponse {
+  success: boolean;
+  result: SignedUrlResult;
+}
+
+export type APIResponse = UploadResponse | SuccessResponse | ErrorResponse | SignedUrlResponse;
+
+export interface SignedAccessPayload {
+  fileId: string;
+  iat: number;
+  exp: number;
+  nonce: string;
+}
+
+export type CreateImageWorkerResponse = (data: APIResponse, status?: number) => Response;

package/workers/image-worker/src/utils/content-disposition.ts

@@ -0,0 +1,33 @@
+export function deriveFileKind(contentType: string): string {
+  if (contentType.startsWith('image/')) {
+    return 'image';
+  }
+
+  return 'file';
+}
+
+export function buildSafeContentDisposition(filename: string, fallbackFileId: string): string {
+  const normalizedFilename = filename
+    .normalize('NFKC')
+    .replace(/[\r\n]+/g, ' ')
+    .split('')
+    .filter((character) => {
+      const codePoint = character.charCodeAt(0);
+      return codePoint >= 0x20 && codePoint !== 0x7f;
+    })
+    .join('')
+    .trim();
+
+  const safeFilename = normalizedFilename.length > 0 ? normalizedFilename : fallbackFileId;
+  const asciiFallback = safeFilename
+    .replace(/[^\x20-\x7E]/g, '_')
+    .replace(/["\\]/g, '_')
+    .trim();
+  const asciiFilename = asciiFallback.length > 0 ? asciiFallback : fallbackFileId;
+  const encodedUtf8Filename = encodeURIComponent(safeFilename).replace(
+    /['()*]/g,
+    (character) => `%${character.charCodeAt(0).toString(16).toUpperCase()}`
+  );
+
+  return `inline; filename="${asciiFilename}"; filename*=UTF-8''${encodedUtf8Filename}`;
+}

package/workers/image-worker/src/utils/path-utils.ts

@@ -0,0 +1,50 @@
+export function parseFileId(pathname: string): string | null {
+  const encodedFileId = pathname.startsWith('/') ? pathname.slice(1) : pathname;
+  if (!encodedFileId) {
+    return null;
+  }
+
+  let decodedFileId = '';
+  try {
+    decodedFileId = decodeURIComponent(encodedFileId);
+  } catch {
+    return null;
+  }
+
+  if (!decodedFileId || decodedFileId.includes('/')) {
+    return null;
+  }
+
+  return decodedFileId;
+}
+
+export function parsePathSegments(pathname: string): string[] | null {
+  const normalized = pathname.startsWith('/') ? pathname.slice(1) : pathname;
+  if (!normalized) {
+    return [];
+  }
+
+  const rawSegments = normalized.split('/');
+  const decodedSegments: string[] = [];
+
+  for (const segment of rawSegments) {
+    if (!segment) {
+      return null;
+    }
+
+    let decoded = '';
+    try {
+      decoded = decodeURIComponent(segment);
+    } catch {
+      return null;
+    }
+
+    if (!decoded || decoded.includes('/')) {
+      return null;
+    }
+
+    decodedSegments.push(decoded);
+  }
+
+  return decodedSegments;
+}

package/workers/image-worker/src/utils/storage-metadata.ts

@@ -0,0 +1,27 @@
+import type { DataAtRestEnvelope } from '../encryption-utils';
+
+export function extractEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
+  const metadata = file.customMetadata;
+  if (!metadata) {
+    return null;
+  }
+
+  const { algorithm, encryptionVersion, keyId, dataIv, wrappedKey } = metadata;
+  if (
+    typeof algorithm !== 'string' ||
+    typeof encryptionVersion !== 'string' ||
+    typeof keyId !== 'string' ||
+    typeof dataIv !== 'string' ||
+    typeof wrappedKey !== 'string'
+  ) {
+    return null;
+  }
+
+  return {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  };
+}

package/workers/image-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "IMAGES_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
-  "compatibility_date": "2026-04-02",
+  "compatibility_date": "2026-04-03",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/pdf-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "PDF_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/pdf-worker.ts",
-  "compatibility_date": "2026-04-02",
+  "compatibility_date": "2026-04-03",
   "compatibility_flags": [
     "nodejs_compat"
   ],