feat(06-01): create signing utility library (token, audit, embed)
- token.ts: createSigningToken() + verifySigningToken() using jose HS256 - audit.ts: logAuditEvent() inserts typed audit events with server timestamp - embed-signature.ts: embedSignatureInPdf() embeds PNG sigs, returns SHA-256 hash - added SIGNING_JWT_SECRET to .env.local (random 32-char base64 secret)
This commit is contained in:
Chandler Copeland
21
teressa-copeland-homes/src/lib/signing/audit.ts
Normal file
21
teressa-copeland-homes/src/lib/signing/audit.ts
Normal file
@@ -0,0 +1,21 @@
|
||||
import { db } from '@/lib/db';
|
||||
import { auditEvents, auditEventTypeEnum } from '@/lib/db/schema';
|
||||
|
||||
type AuditEventType = typeof auditEventTypeEnum.enumValues[number];
|
||||
|
||||
export async function logAuditEvent(opts: {
|
||||
documentId: string;
|
||||
eventType: AuditEventType;
|
||||
ipAddress?: string;
|
||||
userAgent?: string;
|
||||
metadata?: Record<string, unknown>;
|
||||
}): Promise<void> {
|
||||
await db.insert(auditEvents).values({
|
||||
documentId: opts.documentId,
|
||||
eventType: opts.eventType,
|
||||
ipAddress: opts.ipAddress ?? null,
|
||||
userAgent: opts.userAgent ?? null,
|
||||
metadata: opts.metadata ?? null,
|
||||
// createdAt is defaultNow() — server-side only, never from client
|
||||
});
|
||||
}
|
||||
54
teressa-copeland-homes/src/lib/signing/embed-signature.ts
Normal file
54
teressa-copeland-homes/src/lib/signing/embed-signature.ts
Normal file
@@ -0,0 +1,54 @@
|
||||
import { PDFDocument } from '@cantoo/pdf-lib';
|
||||
import { readFile, writeFile, rename } from 'node:fs/promises';
|
||||
import { createHash } from 'node:crypto';
|
||||
import { createReadStream } from 'node:fs';
|
||||
|
||||
export interface SignatureToEmbed {
|
||||
fieldId: string;
|
||||
dataURL: string; // 'data:image/png;base64,...' from signature_pad or typed canvas
|
||||
x: number; // PDF user space (bottom-left origin, points) — from signatureFields
|
||||
y: number;
|
||||
width: number;
|
||||
height: number;
|
||||
page: number; // 1-indexed
|
||||
}
|
||||
|
||||
export async function embedSignatureInPdf(
|
||||
preparedPdfPath: string, // absolute path — ALWAYS use doc.preparedFilePath, NOT filePath
|
||||
signedPdfPath: string, // absolute path to write signed output (uploads/clients/{id}/{uuid}_signed.pdf)
|
||||
signatures: SignatureToEmbed[]
|
||||
): Promise<string> { // returns SHA-256 hex digest (LEGAL-02)
|
||||
const pdfBytes = await readFile(preparedPdfPath);
|
||||
const pdfDoc = await PDFDocument.load(pdfBytes);
|
||||
const pages = pdfDoc.getPages();
|
||||
|
||||
for (const sig of signatures) {
|
||||
const page = pages[sig.page - 1];
|
||||
if (!page) continue;
|
||||
const pngImage = await pdfDoc.embedPng(sig.dataURL); // accepts base64 DataURL directly
|
||||
page.drawImage(pngImage, {
|
||||
x: sig.x,
|
||||
y: sig.y,
|
||||
width: sig.width,
|
||||
height: sig.height,
|
||||
});
|
||||
}
|
||||
|
||||
const modifiedBytes = await pdfDoc.save();
|
||||
const tmpPath = `${signedPdfPath}.tmp`;
|
||||
await writeFile(tmpPath, modifiedBytes);
|
||||
await rename(tmpPath, signedPdfPath); // atomic rename prevents corruption on partial write
|
||||
|
||||
// LEGAL-02: SHA-256 hash of final signed PDF — computed from disk after rename
|
||||
return hashFile(signedPdfPath);
|
||||
}
|
||||
|
||||
function hashFile(filePath: string): Promise<string> {
|
||||
return new Promise((resolve, reject) => {
|
||||
const hash = createHash('sha256');
|
||||
createReadStream(filePath)
|
||||
.on('data', (chunk) => hash.update(chunk))
|
||||
.on('end', () => resolve(hash.digest('hex')))
|
||||
.on('error', reject);
|
||||
});
|
||||
}
|
||||
32
teressa-copeland-homes/src/lib/signing/token.ts
Normal file
32
teressa-copeland-homes/src/lib/signing/token.ts
Normal file
@@ -0,0 +1,32 @@
|
||||
import { SignJWT, jwtVerify } from 'jose';
|
||||
import { db } from '@/lib/db';
|
||||
import { signingTokens } from '@/lib/db/schema';
|
||||
|
||||
const getSecret = () => new TextEncoder().encode(process.env.SIGNING_JWT_SECRET!);
|
||||
|
||||
export async function createSigningToken(documentId: string): Promise<{ token: string; jti: string; expiresAt: Date }> {
|
||||
const jti = crypto.randomUUID();
|
||||
const expiresAt = new Date(Date.now() + 72 * 60 * 60 * 1000); // 72 hours
|
||||
|
||||
const token = await new SignJWT({ documentId, purpose: 'sign' })
|
||||
.setProtectedHeader({ alg: 'HS256' })
|
||||
.setIssuedAt()
|
||||
.setExpirationTime('72h')
|
||||
.setJti(jti)
|
||||
.sign(getSecret());
|
||||
|
||||
// Store token metadata for one-time-use enforcement
|
||||
await db.insert(signingTokens).values({
|
||||
jti,
|
||||
documentId,
|
||||
expiresAt,
|
||||
});
|
||||
|
||||
return { token, jti, expiresAt };
|
||||
}
|
||||
|
||||
export async function verifySigningToken(token: string): Promise<{ documentId: string; jti: string; exp: number }> {
|
||||
// Throws JWTExpired or JWTInvalid on failure — caller handles
|
||||
const { payload } = await jwtVerify(token, getSecret());
|
||||
return payload as { documentId: string; jti: string; exp: number };
|
||||
}
|
||||
Reference in New Issue
Block a user