@striae-org/striae 6.1.7 → 7.0.0

package/.env.example

@@ -8,13 +8,6 @@
 # ================================
 ACCOUNT_ID=your_cloudflare_account_id_here
 
-# ================================
-# SHARED AUTHENTICATION & STORAGE
-# ================================
-USER_DB_AUTH=your_custom_user_db_auth_token_here
-R2_KEY_SECRET=your_custom_r2_secret_here
-IMAGES_API_TOKEN=your_cloudflare_images_api_token_here
-
 # ================================
 # FIREBASE AUTH CONFIGURATION
 # ================================
@@ -83,9 +76,7 @@ PAGES_CUSTOM_DOMAIN=your_custom_domain_here
 # ================================
 # USER WORKER ENVIRONMENT VARIABLES  
 # ================================
-# Worker domains can be entered manually or auto-generated as a shared subdomain during scripts/deploy-config.sh.
 USER_WORKER_NAME=your_user_worker_name_here
-USER_WORKER_DOMAIN=your_user_worker_domain_here
 KV_STORE_ID=your_kv_store_id_here
 
 # ================================
@@ -94,20 +85,17 @@ KV_STORE_ID=your_kv_store_id_here
 DATA_WORKER_NAME=your_data_worker_name_here
 DATA_BUCKET_NAME=your_data_bucket_name_here
 FILES_BUCKET_NAME=your_files_bucket_name_here
-DATA_WORKER_DOMAIN=your_data_worker_domain_here
 
 # ================================
 # AUDIT WORKER ENVIRONMENT VARIABLES
 # ================================
 AUDIT_WORKER_NAME=your_audit_worker_name_here
 AUDIT_BUCKET_NAME=your_audit_bucket_name_here
-AUDIT_WORKER_DOMAIN=your_audit_worker_domain_here
 
 # ================================
 # IMAGES WORKER ENVIRONMENT VARIABLES
 # ================================
 IMAGES_WORKER_NAME=your_images_worker_name_here
-IMAGES_WORKER_DOMAIN=your_images_worker_domain_here
 IMAGE_SIGNED_URL_SECRET=your_image_signed_url_secret_here
 # Optional: defaults to 3600 and max is 86400.
 IMAGE_SIGNED_URL_TTL_SECONDS=3600
@@ -119,22 +107,8 @@ IMAGE_SIGNED_URL_BASE_URL=https://${PAGES_CUSTOM_DOMAIN}/api/image
 # PDF WORKER ENVIRONMENT VARIABLES
 # ================================
 PDF_WORKER_NAME=your_pdf_worker_name_here
-PDF_WORKER_DOMAIN=your_pdf_worker_domain_here
-PDF_WORKER_AUTH=your_custom_pdf_worker_auth_token_here
 BROWSER_API_TOKEN=your_cloudflare_browser_rendering_api_token_here
 
-# ================================
-# QUICK MANUAL SETUP CHECKLIST
-# ================================
-# □ Copy this file to .env
-# □ Fill in all Cloudflare credentials
-# □ Generate secure random tokens for custom auth
-# □ Set environment variables in each worker's Cloudflare Dashboard
-# □ Set environment variables in Pages Dashboard
-# □ Configure KV binding in user-worker/wrangler.jsonc
-# □ Configure R2 binding in data-worker/wrangler.jsonc
-# □ Configure R2 binding in audit-worker/wrangler.jsonc
-
 # ================================
 # PRIMERSHEAR PDF FORMAT
 # ================================

package/README.md

@@ -36,7 +36,7 @@ Included:
 - `app/` source (with `app/config-example/`)
 - `functions/`, `public/`
 - Worker package manifests
-- Worker source files needed by the example workers, including nested helper modules, while excluding production worker entry files (`workers/*/src/**/*.ts` excluding `workers/*/src/**/*worker.ts`)
+- Worker source files needed by the workers, including nested helper modules
 - PDF worker example support files limited to `workers/pdf-worker/src/assets/generated-assets.example.ts` and `workers/pdf-worker/src/formats/format-striae.ts` (no extra PDF image assets or custom formats)
 - Worker example Wrangler configs (`workers/*/wrangler.jsonc.example`)
 - Project-level example and build config (`.env.example`, `wrangler.toml.example`, `tsconfig.json`, etc.)
@@ -60,6 +60,5 @@ See `LICENSE`.
 
 ## Support
 
-- Striae Community: [https://community.striae.org](https://community.striae.org)
 - Support page: [https://www.striae.org/support](https://www.striae.org/support)
 - Contact: [info@striae.org](mailto:info@striae.org)

package/app/components/actions/image-manage.ts

@@ -265,61 +265,13 @@ export const getImageUrl = async (
   const defaultAccessReason = accessReason || 'Image viewer access';
 
   try {
-    try {
-      const signedUrlResponse = await createSignedImageUrlApi(user, fileData.id);
-
-      await auditService.logFileAccess(
-        user,
-        fileData.originalFilename || fileData.id,
-        fileData.id,
-        'signed-url',
-        caseNumber,
-        'success',
-        Date.now() - startTime,
-        defaultAccessReason,
-        fileData.originalFilename
-      );
-
-      return {
-        url: signedUrlResponse.result.url,
-        revoke: () => {},
-        urlType: 'signed',
-        expiresAt: signedUrlResponse.result.expiresAt
-      };
-    } catch {
-      // Fallback to direct blob retrieval during migration.
-    }
-
-    const workerResponse = await fetchImageApi(user, `/${encodeURIComponent(fileData.id)}`, {
-      method: 'GET',
-      headers: {
-        'Accept': 'application/octet-stream,image/*'
-      }
-    });
-
-    if (!workerResponse.ok) {
-      await auditService.logFileAccess(
-        user,
-        fileData.originalFilename || fileData.id,
-        fileData.id,
-        'direct-url',
-        caseNumber,
-        'failure',
-        Date.now() - startTime,
-        'Image retrieval failed',
-        fileData.originalFilename
-      );
-      throw new Error('Failed to retrieve image');
-    }
-
-    const blob = await workerResponse.blob();
-    const objectUrl = URL.createObjectURL(blob);
+    const signedUrlResponse = await createSignedImageUrlApi(user, fileData.id);
 
     await auditService.logFileAccess(
       user,
       fileData.originalFilename || fileData.id,
       fileData.id,
-      'direct-url',
+      'signed-url',
       caseNumber,
       'success',
       Date.now() - startTime,
@@ -328,25 +280,23 @@ export const getImageUrl = async (
     );
 
     return {
-      blob,
-      url: objectUrl,
-      revoke: () => URL.revokeObjectURL(objectUrl),
-      urlType: 'blob'
+      url: signedUrlResponse.result.url,
+      revoke: () => {},
+      urlType: 'signed',
+      expiresAt: signedUrlResponse.result.expiresAt
     };
   } catch (error) {
-    if (!(error instanceof Error && error.message.includes('Failed to retrieve image'))) {
-      await auditService.logFileAccess(
-        user,
-        fileData.originalFilename || fileData.id,
-        fileData.id,
-        'direct-url',
-        caseNumber,
-        'failure',
-        Date.now() - startTime,
-        `Unexpected error during ${accessReason || 'image access'}`,
-        fileData.originalFilename
-      );
-    }
+    await auditService.logFileAccess(
+      user,
+      fileData.originalFilename || fileData.id,
+      fileData.id,
+      'signed-url',
+      caseNumber,
+      'failure',
+      Date.now() - startTime,
+      `Unexpected error during ${accessReason || 'image access'}`,
+      fileData.originalFilename
+    );
     throw error;
   }
 };

package/functions/api/audit/[[path]].ts

@@ -18,19 +18,6 @@ function textResponse(message: string, status: number): Response {
   });
 }
 
-function normalizeWorkerBaseUrl(workerDomain: string): string {
-  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
-    throw new Error('Invalid worker domain');
-  }
-
-  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
-  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
-    return trimmedDomain;
-  }
-
-  return `https://${trimmedDomain}`;
-}
-
 function extractProxyPath(url: URL): string | null {
   const routePrefix = '/api/audit';
   if (!url.pathname.startsWith(routePrefix)) {
@@ -86,13 +73,10 @@ export const onRequest = async ({ request, env }: AuditProxyContext): Promise<Re
     return textResponse('Forbidden', 403);
   }
 
-  if (!env.AUDIT_WORKER_DOMAIN || !env.R2_KEY_SECRET) {
+  if (!env.AUDIT_WORKER) {
     return textResponse('Audit service not configured', 502);
   }
 
-  const auditWorkerBaseUrl = normalizeWorkerBaseUrl(env.AUDIT_WORKER_DOMAIN);
-  const upstreamUrl = `${auditWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
-
   let bodyToForward: BodyInit | undefined;
   if (request.method === 'POST') {
     const payload = await request.json().catch(() => null) as Record<string, unknown> | null;
@@ -124,15 +108,16 @@ export const onRequest = async ({ request, env }: AuditProxyContext): Promise<Re
     upstreamHeaders.set('Accept', acceptHeader);
   }
 
-  upstreamHeaders.set('X-Custom-Auth-Key', env.R2_KEY_SECRET);
-
   let upstreamResponse: Response;
   try {
-    upstreamResponse = await fetch(upstreamUrl, {
-      method: request.method,
-      headers: upstreamHeaders,
-      body: bodyToForward
-    });
+    upstreamResponse = await env.AUDIT_WORKER.fetch(
+      `https://worker${proxyPath}${requestUrl.search}`,
+      {
+        method: request.method,
+        headers: upstreamHeaders,
+        body: bodyToForward
+      }
+    );
   } catch {
     return textResponse('Upstream audit service unavailable', 502);
   }

package/functions/api/data/[[path]].ts

@@ -18,19 +18,6 @@ function textResponse(message: string, status: number): Response {
   });
 }
 
-function normalizeWorkerBaseUrl(workerDomain: string): string {
-  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
-    throw new Error('Invalid worker domain');
-  }
-
-  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
-  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
-    return trimmedDomain;
-  }
-
-  return `https://${trimmedDomain}`;
-}
-
 function extractProxyPath(url: URL): string | null {
   const routePrefix = '/api/data';
   if (!url.pathname.startsWith(routePrefix)) {
@@ -95,13 +82,10 @@ export const onRequest = async ({ request, env }: DataProxyContext): Promise<Res
     }
   }
 
-  if (!env.DATA_WORKER_DOMAIN || !env.R2_KEY_SECRET) {
+  if (!env.DATA_WORKER) {
     return textResponse('Data service not configured', 502);
   }
 
-  const dataWorkerBaseUrl = normalizeWorkerBaseUrl(env.DATA_WORKER_DOMAIN);
-  const upstreamUrl = `${dataWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
-
   const upstreamHeaders = new Headers();
   const contentTypeHeader = request.headers.get('Content-Type');
   if (contentTypeHeader) {
@@ -113,17 +97,18 @@ export const onRequest = async ({ request, env }: DataProxyContext): Promise<Res
     upstreamHeaders.set('Accept', acceptHeader);
   }
 
-  upstreamHeaders.set('X-Custom-Auth-Key', env.R2_KEY_SECRET);
-
   const shouldForwardBody = request.method !== 'GET' && request.method !== 'HEAD';
 
   let upstreamResponse: Response;
   try {
-    upstreamResponse = await fetch(upstreamUrl, {
-      method: request.method,
-      headers: upstreamHeaders,
-      body: shouldForwardBody ? request.body : undefined
-    });
+    upstreamResponse = await env.DATA_WORKER.fetch(
+      `https://worker${proxyPath}${requestUrl.search}`,
+      {
+        method: request.method,
+        headers: upstreamHeaders,
+        body: shouldForwardBody ? request.body : undefined
+      }
+    );
   } catch {
     return textResponse('Upstream data service unavailable', 502);
   }

package/functions/api/image/[[path]].ts

@@ -17,19 +17,6 @@ function textResponse(message: string, status: number): Response {
   });
 }
 
-function normalizeWorkerBaseUrl(workerDomain: string): string {
-  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
-    throw new Error('Invalid worker domain');
-  }
-
-  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
-  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
-    return trimmedDomain;
-  }
-
-  return `https://${trimmedDomain}`;
-}
-
 type ProxyPathResult =
   | { ok: true; path: string }
   | { ok: false; reason: 'not-found' | 'bad-encoding' };
@@ -63,10 +50,6 @@ function extractProxyPath(url: URL): ProxyPathResult {
   }
 }
 
-function resolveImageWorkerToken(env: Env): string {
-  return typeof env.IMAGES_API_TOKEN === 'string' ? env.IMAGES_API_TOKEN.trim() : '';
-}
-
 const BASE64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;
 
 function looksLikeSignedToken(value: string): boolean {
@@ -98,7 +81,11 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
     signedToken !== null &&
     looksLikeSignedToken(signedToken);
 
-  if (!isSignedTokenRequest) {
+  if (request.method === 'GET') {
+    if (!isSignedTokenRequest) {
+      return textResponse('Unauthorized', 403);
+    }
+  } else {
     const identity = await verifyFirebaseIdentityFromRequest(request, env);
     if (!identity) {
       return textResponse('Unauthorized', 401);
@@ -114,14 +101,10 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
 
   const proxyPath = proxyPathResult.path;
 
-  const imageWorkerToken = resolveImageWorkerToken(env);
-  if (!env.IMAGES_WORKER_DOMAIN || !imageWorkerToken) {
+  if (!env.IMAGE_WORKER) {
     return textResponse('Image service not configured', 502);
   }
 
-  const imageWorkerBaseUrl = normalizeWorkerBaseUrl(env.IMAGES_WORKER_DOMAIN);
-  const upstreamUrl = `${imageWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
-
   const upstreamHeaders = new Headers();
   const contentTypeHeader = request.headers.get('Content-Type');
   if (contentTypeHeader) {
@@ -133,17 +116,18 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
     upstreamHeaders.set('Accept', acceptHeader);
   }
 
-  upstreamHeaders.set('Authorization', `Bearer ${imageWorkerToken}`);
-
   const shouldForwardBody = request.method !== 'GET' && request.method !== 'HEAD';
 
   let upstreamResponse: Response;
   try {
-    upstreamResponse = await fetch(upstreamUrl, {
-      method: request.method,
-      headers: upstreamHeaders,
-      body: shouldForwardBody ? request.body : undefined
-    });
+    upstreamResponse = await env.IMAGE_WORKER.fetch(
+      `https://worker${proxyPath}${requestUrl.search}`,
+      {
+        method: request.method,
+        headers: upstreamHeaders,
+        body: shouldForwardBody ? request.body : undefined
+      }
+    );
   } catch {
     return textResponse('Upstream image service unavailable', 502);
   }

package/functions/api/pdf/[[path]].ts

@@ -23,19 +23,6 @@ function textResponse(message: string, status: number): Response {
   });
 }
 
-function normalizeWorkerBaseUrl(workerDomain: string): string {
-  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
-    throw new Error('Invalid worker domain');
-  }
-
-  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
-  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
-    return trimmedDomain;
-  }
-
-  return `https://${trimmedDomain}`;
-}
-
 function extractProxyPath(url: URL): string | null {
   const routePrefix = '/api/pdf';
   if (!url.pathname.startsWith(routePrefix)) {
@@ -93,13 +80,10 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
     return textResponse('Not Found', 404);
   }
 
-  if (!env.PDF_WORKER_DOMAIN || !env.PDF_WORKER_AUTH) {
+  if (!env.PDF_WORKER) {
     return textResponse('PDF service not configured', 502);
   }
 
-  const pdfWorkerBaseUrl = normalizeWorkerBaseUrl(env.PDF_WORKER_DOMAIN);
-  const upstreamUrl = `${pdfWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
-
   const upstreamHeaders = new Headers();
   const contentTypeHeader = request.headers.get('Content-Type');
   if (contentTypeHeader) {
@@ -111,8 +95,6 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
     upstreamHeaders.set('Accept', acceptHeader);
   }
 
-  upstreamHeaders.set('X-Custom-Auth-Key', env.PDF_WORKER_AUTH);
-
   // Resolve the report format server-side based on the verified user email.
   // This prevents email lists from ever being exposed in the client bundle.
   const reportFormat = resolveReportFormat(
@@ -138,11 +120,14 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   let upstreamResponse: Response;
   try {
-    upstreamResponse = await fetch(upstreamUrl, {
-      method: request.method,
-      headers: upstreamHeaders,
-      body: upstreamBody
-    });
+    upstreamResponse = await env.PDF_WORKER.fetch(
+      `https://worker${proxyPath}${requestUrl.search}`,
+      {
+        method: request.method,
+        headers: upstreamHeaders,
+        body: upstreamBody
+      }
+    );
   } catch {
     return textResponse('Upstream PDF service unavailable', 502);
   }

package/functions/api/user/[[path]].ts

@@ -29,19 +29,6 @@ function jsonResponse(payload: Record<string, unknown>, status: number = 200): R
   });
 }
 
-function normalizeWorkerBaseUrl(workerDomain: string): string {
-  if (typeof workerDomain !== 'string' || workerDomain.trim().length === 0) {
-    throw new Error('Invalid worker domain');
-  }
-
-  const trimmedDomain = workerDomain.trim().replace(/\/+$/, '');
-  if (trimmedDomain.startsWith('http://') || trimmedDomain.startsWith('https://')) {
-    return trimmedDomain;
-  }
-
-  return `https://${trimmedDomain}`;
-}
-
 function extractProxyPath(url: URL): string | null {
   const routePrefix = '/api/user';
   if (!url.pathname.startsWith(routePrefix)) {
@@ -109,12 +96,10 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
     return textResponse('Not Found', 404);
   }
 
-  if (!env.USER_WORKER_DOMAIN || !env.USER_DB_AUTH) {
+  if (!env.USER_WORKER) {
     return textResponse('User service not configured', 502);
   }
 
-  const userWorkerBaseUrl = normalizeWorkerBaseUrl(env.USER_WORKER_DOMAIN);
-
   const existenceCheckUserId = extractExistenceCheckUserId(proxyPath);
   if (existenceCheckUserId !== null) {
     if (request.method !== 'GET') {
@@ -123,13 +108,12 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
 
     let existenceResponse: Response;
     try {
-      existenceResponse = await fetch(
-        `${userWorkerBaseUrl}/${encodeURIComponent(existenceCheckUserId)}`,
+      existenceResponse = await env.USER_WORKER.fetch(
+        `https://worker/${encodeURIComponent(existenceCheckUserId)}`,
         {
           method: 'GET',
           headers: {
-            'Accept': 'application/json',
-            'X-Custom-Auth-Key': env.USER_DB_AUTH
+            'Accept': 'application/json'
           }
         }
       );
@@ -162,14 +146,15 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
   // This is defense-in-depth — the primary check runs client-side in the login flow.
   if (request.method === 'PUT' && env.REGISTRATION_EMAILS && env.REGISTRATION_EMAILS.trim().length > 0) {
     try {
-      const existenceCheckUrl = `${userWorkerBaseUrl}/${encodeURIComponent(requestedUserId)}`;
-      const existenceResponse = await fetch(existenceCheckUrl, {
-        method: 'GET',
-        headers: {
-          'Accept': 'application/json',
-          'X-Custom-Auth-Key': env.USER_DB_AUTH
+      const existenceResponse = await env.USER_WORKER.fetch(
+        `https://worker/${encodeURIComponent(requestedUserId)}`,
+        {
+          method: 'GET',
+          headers: {
+            'Accept': 'application/json'
+          }
         }
-      });
+      );
 
       if (existenceResponse.status === 404) {
         // User does not exist yet — this is a registration PUT.
@@ -189,8 +174,6 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
     }
   }
 
-  const upstreamUrl = `${userWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
-
   const upstreamHeaders = new Headers();
   const contentTypeHeader = request.headers.get('Content-Type');
   if (contentTypeHeader) {
@@ -202,17 +185,18 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
     upstreamHeaders.set('Accept', acceptHeader);
   }
 
-  upstreamHeaders.set('X-Custom-Auth-Key', env.USER_DB_AUTH);
-
   const shouldForwardBody = request.method !== 'GET' && request.method !== 'HEAD';
 
   let upstreamResponse: Response;
   try {
-    upstreamResponse = await fetch(upstreamUrl, {
-      method: request.method,
-      headers: upstreamHeaders,
-      body: shouldForwardBody ? request.body : undefined
-    });
+    upstreamResponse = await env.USER_WORKER.fetch(
+      `https://worker${proxyPath}${requestUrl.search}`,
+      {
+        method: request.method,
+        headers: upstreamHeaders,
+        body: shouldForwardBody ? request.body : undefined
+      }
+    );
   } catch {
     return textResponse('Upstream user service unavailable', 502);
   }