@striae-org/striae 5.5.0 → 5.5.2

package/app/components/sidebar/notes/notes.module.css

@@ -688,6 +688,76 @@ textarea:focus {
   justify-content: flex-end;
 }
 
+.modalButtons .saveButton,
+.modalButtons .cancelButton {
+  min-height: 42px;
+  margin: 0;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+}
+
+.classDetailsModalButtons .classDetailsModalAction {
+  min-height: 42px;
+  margin: 0;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+}
+
+.unsavedChangesModal {
+  max-width: 520px;
+}
+
+.unsavedChangesModal .modalTitle {
+  margin-top: 0;
+}
+
+.unsavedChangesMessage {
+  margin: 0.75rem;
+  color: #495057;
+  line-height: 1.5;
+}
+
+.unsavedChangesActions {
+  display: flex;
+  flex-direction: column;
+  gap: 0.75rem;
+}
+
+.unsavedChangesPrimaryRow {
+  display: grid;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+  gap: 0.75rem;
+}
+
+.unsavedChangesPrimaryAction {
+  width: 100%;
+  margin: 0;
+}
+
+.unsavedChangesPrimaryRow .cancelButton,
+.unsavedChangesPrimaryRow .saveButton {
+  width: 100%;
+  margin: 0;
+}
+
+.secondaryButton {
+  width: 100%;
+  padding: 0.75rem;
+  border: 1.5px solid #ced4da;
+  border-radius: 6px;
+  background: white;
+  color: #495057;
+  font-weight: 500;
+  cursor: pointer;
+  transition: all 0.2s;
+}
+
+.secondaryButton:hover {
+  background-color: #f8f9fa;
+}
+
 .cancelButton {
   width: 30%;
   padding: 0.75rem;
@@ -705,6 +775,13 @@ textarea:focus {
   background-color: #bd2130;
 }
 
+.cancelButton:disabled,
+.saveButton:disabled,
+.secondaryButton:disabled {
+  opacity: 0.65;
+  cursor: not-allowed;
+}
+
 .saveButton {
   width: 100%;
   padding: 0.75rem;

package/app/components/user/user.module.css

@@ -156,7 +156,7 @@
 .sectionLabel {
   display: block;
   font-weight: 600;
-  color: var(--textBody);
+  color: var(--textTitle);
   margin-bottom: var(--spaceS);
 }
 

package/app/routes/auth/login.example.tsx

@@ -94,14 +94,26 @@ export const Login = () => {
     setIsClient(true);
   }, []);
 
-  // Email validation with regex
-  const validateRegistrationEmail = (email: string): { valid: boolean } => {
+  // Email validation with regex and registration gateway allowlist check
+  const validateRegistrationEmail = async (email: string): Promise<{ valid: boolean; message?: string }> => {
     const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
-    
+
     if (!emailRegex.test(email)) {
       return { valid: false };
     }
 
+    try {
+      const response = await fetch(`/api/auth/can-register?email=${encodeURIComponent(email)}`);
+      if (response.status === 403) {
+        return {
+          valid: false,
+          message: 'Registration is limited to Striae membership. You may join at https://join.striae.org.'
+        };
+      }
+    } catch {
+      // Fail open on network error — server-side PUT guard provides defense-in-depth
+    }
+
     return { valid: true };
   };
 
@@ -282,9 +294,9 @@ export const Login = () => {
 
   try {
     if (!isLogin) {
-      const emailValidation = validateRegistrationEmail(email);
+      const emailValidation = await validateRegistrationEmail(email);
       if (!emailValidation.valid) {
-        setError('Please enter a valid email address');
+        setError(emailValidation.message ?? 'Please enter a valid email address');
         setIsLoading(false);
         return;
       }

package/functions/api/_shared/registration-allowlist.ts

@@ -0,0 +1,38 @@
+/**
+ * Checks whether the given email is permitted to register based on the
+ * REGISTRATION_EMAILS secret (a comma-separated list of allowed entries).
+ *
+ * Each entry may be:
+ *   - An exact email address:  user@example.com
+ *   - A domain wildcard:       @example.com  (matches any email from that domain)
+ *
+ * If registrationEmails is empty or unset, all registrations are allowed
+ * (backward-compatible — deploys without a members.emails file are unrestricted).
+ */
+export function isEmailAllowed(email: string, registrationEmails: string): boolean {
+  if (!registrationEmails || registrationEmails.trim().length === 0) {
+    return true;
+  }
+
+  const normalizedEmail = email.toLowerCase().trim();
+  const entries = registrationEmails
+    .split(',')
+    .map(e => e.trim().toLowerCase())
+    .filter(Boolean);
+
+  for (const entry of entries) {
+    if (entry.startsWith('@')) {
+      // Domain wildcard: @example.com matches user@example.com
+      if (normalizedEmail.endsWith(entry)) {
+        return true;
+      }
+    } else {
+      // Exact email match
+      if (normalizedEmail === entry) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}

package/functions/api/auth/can-register.ts

@@ -0,0 +1,59 @@
+import { isEmailAllowed } from '../_shared/registration-allowlist';
+
+interface CanRegisterContext {
+  request: Request;
+  env: Env;
+}
+
+const SUPPORTED_METHODS = new Set(['GET', 'OPTIONS']);
+
+function jsonResponse(payload: Record<string, unknown>, status: number = 200): Response {
+  return new Response(JSON.stringify(payload), {
+    status,
+    headers: {
+      'Cache-Control': 'no-store',
+      'Content-Type': 'application/json; charset=utf-8'
+    }
+  });
+}
+
+function textResponse(message: string, status: number): Response {
+  return new Response(message, {
+    status,
+    headers: {
+      'Cache-Control': 'no-store',
+      'Content-Type': 'text/plain; charset=utf-8'
+    }
+  });
+}
+
+export const onRequest = async ({ request, env }: CanRegisterContext): Promise<Response> => {
+  if (!SUPPORTED_METHODS.has(request.method)) {
+    return textResponse('Method not allowed', 405);
+  }
+
+  if (request.method === 'OPTIONS') {
+    return new Response(null, {
+      status: 204,
+      headers: {
+        'Allow': 'GET, OPTIONS',
+        'Cache-Control': 'no-store'
+      }
+    });
+  }
+
+  const url = new URL(request.url);
+  const email = url.searchParams.get('email');
+
+  if (!email || email.trim().length === 0) {
+    return textResponse('Missing required parameter: email', 400);
+  }
+
+  const registrationEmails = env.REGISTRATION_EMAILS ?? '';
+
+  if (isEmailAllowed(email, registrationEmails)) {
+    return jsonResponse({ allowed: true });
+  }
+
+  return jsonResponse({ allowed: false }, 403);
+};

package/functions/api/user/[[path]].ts

@@ -1,4 +1,5 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+import { isEmailAllowed } from '../_shared/registration-allowlist';
 
 interface UserProxyContext {
   request: Request;
@@ -155,6 +156,39 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
   if (requestedUserId !== identity.uid) {
     return textResponse('Forbidden', 403);
   }
+
+  // Registration gateway: for PUT requests, check if this is a new user creation.
+  // If REGISTRATION_EMAILS is set and the user record does not yet exist, enforce the allowlist.
+  // This is defense-in-depth — the primary check runs client-side in the login flow.
+  if (request.method === 'PUT' && env.REGISTRATION_EMAILS && env.REGISTRATION_EMAILS.trim().length > 0) {
+    try {
+      const existenceCheckUrl = `${userWorkerBaseUrl}/${encodeURIComponent(requestedUserId)}`;
+      const existenceResponse = await fetch(existenceCheckUrl, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/json',
+          'X-Custom-Auth-Key': env.USER_DB_AUTH
+        }
+      });
+
+      if (existenceResponse.status === 404) {
+        // User does not exist yet — this is a registration PUT.
+        // Enforce the email allowlist.
+        if (!isEmailAllowed(identity.email ?? '', env.REGISTRATION_EMAILS)) {
+          return textResponse('Registration is not permitted for this email address', 403);
+        }
+      } else if (!existenceResponse.ok) {
+        // Existence check failed (non-404, non-2xx response).
+        // Fail closed: reject the registration to prevent allowlist bypass during errors.
+        return textResponse('Unable to verify registration eligibility', 502);
+      }
+      // If user already exists (200), proceed normally.
+    } catch {
+      // Fail closed: on network error with allowlist active, reject the request.
+      return textResponse('Unable to verify registration eligibility', 502);
+    }
+  }
+
   const upstreamUrl = `${userWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
 
   const upstreamHeaders = new Headers();

package/members.emails.example

@@ -0,0 +1,11 @@
+# Registration gateway - authorized email addresses
+# One entry per line. Lines starting with # are ignored.
+# This file is untracked. Run: npm run deploy-members to push changes.
+#
+# Supported formats:
+#   Exact email:   analyst@organization.com
+#   Domain wildcard: @organization.com  (allows all emails from that domain)
+#
+# Examples:
+# analyst@organization.com
+# @striae.org

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.5.0",
+  "version": "5.5.2",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -52,11 +52,12 @@
     "workers/pdf-worker/src/formats/format-striae.ts",
     ".env.example",
     "primershear.emails.example",
+    "members.emails.example",
     "firebase.json",
     "tsconfig.json",
     "vite.config.ts",
     "/worker-configuration.d.ts",
-    "wrangler.toml.example",
+    "wrangler.toml.example",    
     "LICENSE"
   ],
   "sideEffects": false,
@@ -90,9 +91,10 @@
     "install-workers": "bash ./scripts/install-workers.sh",
     "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:pdf && npm run deploy-workers:user",
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
-    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh --production-only",
+    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
-    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh --production-only",
+    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh",
+    "deploy-members": "bash ./scripts/deploy-members-emails.sh",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
@@ -101,12 +103,12 @@
   },
   "dependencies": {
     "@react-router/cloudflare": "^7.14.0",
-    "firebase": "^12.11.0",
+    "firebase": "^12.12.0",
     "isbot": "^5.1.37",
     "jszip": "^3.10.1",
     "qrcode": "^1.5.4",
-    "react": "^19.2.4",
-    "react-dom": "^19.2.4",
+    "react": "^19.2.5",
+    "react-dom": "^19.2.5",
     "react-router": "^7.14.0"
   },
   "devDependencies": {
@@ -123,17 +125,15 @@
     "eslint-plugin-jsx-a11y": "^6.10.2",
     "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^7.0.1",
-    "firebase-admin": "^13.7.0",
+    "firebase-admin": "^13.8.0",
     "modern-normalize": "^3.0.1",
     "typescript": "^5.9.3",
     "vite": "^7.3.2",
     "vite-tsconfig-paths": "^6.1.1",
-    "wrangler": "^4.81.0"
+    "wrangler": "^4.81.1"
   },
   "overrides": {
-    "@tootallnate/once": "3.0.1",
-    "tar": "7.5.11",
-    "undici": "7.24.1"
+    "@tootallnate/once": "3.0.1"
   },
   "engines": {
     "node": ">=20.19.0"

package/scripts/deploy-all.sh

@@ -127,8 +127,8 @@ echo ""
 # Step 5: Deploy Pages Secrets
 echo -e "${PURPLE}Step 5/6: Deploying Pages Secrets${NC}"
 echo "----------------------------------"
-echo -e "${YELLOW}🔐 Deploying Pages environment variables to production only...${NC}"
-if ! bash "$SCRIPT_DIR/deploy-pages-secrets.sh" --production-only; then
+echo -e "${YELLOW}🔐 Deploying Pages environment variables...${NC}"
+if ! bash "$SCRIPT_DIR/deploy-pages-secrets.sh"; then
     echo -e "${RED}❌ Pages secrets deployment failed!${NC}"
     exit 1
 fi

package/scripts/deploy-members-emails.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# ============================================
+# MEMBERS EMAIL LIST DEPLOYMENT SCRIPT
+# ============================================
+# Reads members.emails, updates REGISTRATION_EMAILS in .env,
+# then deploys that secret directly to Cloudflare Pages (production).
+
+set -e
+set -o pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}👥 Members Email List Deployment${NC}"
+echo "=================================="
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$PROJECT_ROOT"
+
+trap 'echo -e "\n${RED}❌ deploy-members-emails.sh failed near line ${LINENO}${NC}"' ERR
+
+# ── Read emails file ──────────────────────────────────────────────────────────
+
+EMAILS_FILE="$PROJECT_ROOT/members.emails"
+
+if [ ! -f "$EMAILS_FILE" ]; then
+    echo -e "${RED}❌ members.emails not found at: $EMAILS_FILE${NC}"
+    echo -e "${YELLOW}   Create it with one email address or @domain.com wildcard per line.${NC}"
+    echo -e "${YELLOW}   See members.emails.example for the format.${NC}"
+    exit 1
+fi
+
+# Strip comment lines and blank lines, then join with commas
+# Use || true to avoid failure if paste gets no input (handles empty file gracefully)
+REGISTRATION_EMAILS=$(grep -v '^[[:space:]]*#' "$EMAILS_FILE" | grep -v '^[[:space:]]*$' | paste -sd ',' - || true)
+
+if [ -z "$REGISTRATION_EMAILS" ]; then
+    echo -e "${YELLOW}⚠️  members.emails contains no active entries.${NC}"
+    echo -e "${YELLOW}   The secret will be set to an empty string, disabling the gateway (open registration).${NC}"
+fi
+
+ENTRY_COUNT=$(echo "$REGISTRATION_EMAILS" | tr ',' '\n' | grep -c '[^[:space:]]' || true)
+echo -e "${GREEN}✅ Loaded $ENTRY_COUNT entry(ies) from members.emails${NC}"
+
+# ── Update .env ───────────────────────────────────────────────────────────────
+
+ENV_FILE="$PROJECT_ROOT/.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+    echo -e "${RED}❌ .env not found. Run deploy-config first.${NC}"
+    exit 1
+fi
+
+# Replace the REGISTRATION_EMAILS= line in .env (handles both empty and populated values)
+if grep -q '^REGISTRATION_EMAILS=' "$ENV_FILE"; then
+    # Use a temp file to avoid sed -i portability issues across macOS/Linux
+    local_tmp=$(mktemp)
+    sed "s|^REGISTRATION_EMAILS=.*|REGISTRATION_EMAILS=${REGISTRATION_EMAILS}|" "$ENV_FILE" > "$local_tmp"
+    mv "$local_tmp" "$ENV_FILE"
+    echo -e "${GREEN}✅ Updated REGISTRATION_EMAILS in .env${NC}"
+else
+    echo "" >> "$ENV_FILE"
+    echo "REGISTRATION_EMAILS=${REGISTRATION_EMAILS}" >> "$ENV_FILE"
+    echo -e "${GREEN}✅ Appended REGISTRATION_EMAILS to .env${NC}"
+fi
+
+# ── Deploy to Cloudflare Pages ────────────────────────────────────────────────
+
+if ! command -v wrangler > /dev/null 2>&1; then
+    echo -e "${RED}❌ wrangler is not installed or not in PATH${NC}"
+    exit 1
+fi
+
+source "$ENV_FILE"
+
+PAGES_PROJECT_NAME=$(echo "$PAGES_PROJECT_NAME" | tr -d '\r')
+if [ -z "$PAGES_PROJECT_NAME" ]; then
+    echo -e "${RED}❌ PAGES_PROJECT_NAME is missing from .env${NC}"
+    exit 1
+fi
+
+echo -e "${YELLOW}  Setting REGISTRATION_EMAILS for production...${NC}"
+printf '%s' "$REGISTRATION_EMAILS" | wrangler pages secret put REGISTRATION_EMAILS \
+    --project-name "$PAGES_PROJECT_NAME"
+
+echo -e "${GREEN}✅ REGISTRATION_EMAILS deployed to production${NC}"
+
+# Deploy Pages so the new secret takes effect immediately
+echo -e "\n${YELLOW}🚀 Building and deploying Pages to activate new secret...${NC}"
+
+if ! npm run deploy-pages; then
+    echo -e "${RED}❌ Pages deployment failed${NC}"
+    exit 1
+fi
+echo -e "${GREEN}✅ Pages deployment complete${NC}"
+
+echo -e "\n${GREEN}🎉 Members email list deployment complete!${NC}"

package/scripts/deploy-pages-secrets.sh

@@ -24,46 +24,6 @@ cd "$PROJECT_ROOT"
 
 trap 'echo -e "\n${RED}❌ deploy-pages-secrets.sh failed near line ${LINENO}${NC}"' ERR
 
-show_help=false
-deploy_production=true
-deploy_preview=true
-
-for arg in "$@"; do
-    case "$arg" in
-        -h|--help)
-            show_help=true
-            ;;
-        --production-only)
-            deploy_production=true
-            deploy_preview=false
-            ;;
-        --preview-only)
-            deploy_production=false
-            deploy_preview=true
-            ;;
-        *)
-            echo -e "${RED}❌ Unknown option: $arg${NC}"
-            echo "Use --help to see supported options."
-            exit 1
-            ;;
-    esac
-done
-
-if [ "$show_help" = "true" ]; then
-    echo "Usage: bash ./scripts/deploy-pages-secrets.sh [--production-only|--preview-only]"
-    echo ""
-    echo "Options:"
-    echo "  --production-only  Deploy secrets only to the production Pages environment"
-    echo "  --preview-only     Deploy secrets only to the preview Pages environment"
-    echo "  -h, --help         Show this help message"
-    exit 0
-fi
-
-if [ "$deploy_production" != "true" ] && [ "$deploy_preview" != "true" ]; then
-    echo -e "${RED}❌ No target environment selected${NC}"
-    exit 1
-fi
-
 require_command() {
     local cmd=$1
     if ! command -v "$cmd" > /dev/null 2>&1; then
@@ -145,40 +105,29 @@ get_optional_value() {
     printf '%s' "$value"
 }
 
-set_pages_secret() {
-    local secret_name=$1
-    local secret_value=$2
-    local pages_env=$3
-
-    echo -e "${YELLOW}  Setting $secret_name for $pages_env...${NC}"
-
-    if [ "$pages_env" = "production" ]; then
-        printf '%s' "$secret_value" | wrangler pages secret put "$secret_name" --project-name "$PAGES_PROJECT_NAME"
-        return 0
-    fi
-
-    printf '%s' "$secret_value" | wrangler pages secret put "$secret_name" --project-name "$PAGES_PROJECT_NAME" --env "$pages_env"
-}
-
-deploy_pages_environment_secrets() {
-    local pages_env=$1
+deploy_pages_secrets() {
     local secret
     local secret_value
 
-    echo -e "\n${BLUE}🔧 Deploying Pages secrets to $pages_env...${NC}"
+    echo -e "\n${BLUE}🔧 Deploying Pages secrets to production...${NC}"
 
     for secret in "${required_pages_secrets[@]}"; do
         secret_value=$(get_required_value "$secret")
-        set_pages_secret "$secret" "$secret_value" "$pages_env"
+        echo -e "${YELLOW}  Setting $secret...${NC}"
+        printf '%s' "$secret_value" | wrangler pages secret put "$secret" --project-name "$PAGES_PROJECT_NAME"
     done
 
     local optional_primershear_emails
     optional_primershear_emails=$(get_optional_value "PRIMERSHEAR_EMAILS")
-    if [ -n "$optional_primershear_emails" ]; then
-        set_pages_secret "PRIMERSHEAR_EMAILS" "$optional_primershear_emails" "$pages_env"
-    fi
+    echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS...${NC}"
+    printf '%s' "$optional_primershear_emails" | wrangler pages secret put "PRIMERSHEAR_EMAILS" --project-name "$PAGES_PROJECT_NAME"
 
-    echo -e "${GREEN}✅ Pages secrets deployed to $pages_env${NC}"
+    local optional_registration_emails
+    optional_registration_emails=$(get_optional_value "REGISTRATION_EMAILS")
+    echo -e "${YELLOW}  Setting REGISTRATION_EMAILS...${NC}"
+    printf '%s' "$optional_registration_emails" | wrangler pages secret put "REGISTRATION_EMAILS" --project-name "$PAGES_PROJECT_NAME"
+
+    echo -e "${GREEN}✅ Pages secrets deployed to production${NC}"
 }
 
 require_command wrangler
@@ -220,12 +169,6 @@ for secret in "${required_pages_secrets[@]}"; do
 done
 echo -e "${GREEN}✅ Required Pages secret values found${NC}"
 
-if [ "$deploy_production" = "true" ]; then
-    deploy_pages_environment_secrets "production"
-fi
-
-if [ "$deploy_preview" = "true" ]; then
-    deploy_pages_environment_secrets "preview"
-fi
+deploy_pages_secrets
 
 echo -e "\n${GREEN}🎉 Pages secrets deployment completed!${NC}"