feat: implement artifact service with upload/download endpoints (#211)

- Add POST /api/artifacts for uploading binary data to R2
- Add GET /api/artifacts/{id} for downloading stored artifacts
- Fix entry.ts routing to support artifacts endpoint
- Update wrangler.toml to use entry.ts for local development
- Add fallback page for missing ASSETS fetcher in dev mode
- Fix health endpoint routing
- Add basic test suite for artifact service

Author: rgbkrk

src/backend/artifact.ts

@@ -0,0 +1,149 @@
+import { Env } from "./types.ts";
+import { validateAuthPayload } from "./auth";
+
+export default {
+  fetch: async (
+    request: Request,
+    env: Env,
+    _ctx: ExecutionContext
+  ): Promise<Response> => {
+    const url = new URL(request.url);
+    if (!url.pathname.startsWith("/api/artifacts")) {
+      return new Response(
+        JSON.stringify({
+          error: "Not Found",
+        }),
+        { status: 404 }
+      );
+    }
+
+    // Don't process deletes
+    if (request.method === "DELETE") {
+      return new Response(
+        JSON.stringify({
+          error: "Method Not Allowed",
+        }),
+        { status: 405 }
+      );
+    }
+
+    if (url.pathname === "/api/artifacts" && request.method === "POST") {
+      console.log("✅ Handling POST request to /api/artifacts");
+
+      const notebookId = request.headers.get("x-notebook-id");
+      const authToken =
+        request.headers.get("authorization")?.replace("Bearer ", "") ||
+        request.headers.get("x-auth-token");
+      const mimeType =
+        request.headers.get("content-type") || "application/octet-stream";
+
+      if (!authToken) {
+        return new Response(
+          JSON.stringify({
+            error: "Unauthorized",
+          }),
+          { status: 401 }
+        );
+      }
+      try {
+        await validateAuthPayload({ authToken }, env);
+      } catch (error) {
+        return new Response(
+          JSON.stringify({
+            error: "Unauthorized",
+          }),
+          { status: 401 }
+        );
+      }
+      // TODO: Validate the notebook ID
+      // TODO: Validate that the user has permission to add artifacts to this notebook
+      // TODO: Validate that the artifact name is unique within the notebook
+      //
+      // TODO: Compute hash of data on the fly
+      // For now we'll just accept a random UUID as the artifact ID
+      // TODO: Rely on multipart upload for large files
+      const uuidv4 = () =>
+        // @ts-ignore
+        ([1e7] + -1e3 + -4e3 + -8e3 + -1e11).replace(/[018]/g, (c) =>
+          (
+            c ^
+            (crypto.getRandomValues(new Uint8Array(1))[0] & (15 >> (c / 4)))
+          ).toString(16)
+        );
+
+      const artifactId = `${notebookId}/${uuidv4()}`;
+      await env.ARTIFACT_BUCKET.put(artifactId, await request.arrayBuffer(), {
+        httpMetadata: {
+          contentType: mimeType,
+        },
+      });
+
+      return new Response(JSON.stringify({ artifactId }), {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+        },
+      });
+    }
+
+    // TODO: Rely on cookies for authenticating the GET request
+    // primarily so that images can be loaded without a token
+    // _OR_ we set up a way to get presigned URLs that go into the
+    // livestore sync
+
+    // Check for a GET, then assume we're fetching it
+    if (request.method === "GET") {
+      // Extract the full artifact ID from the path after /api/artifacts/
+      const artifactId = url.pathname.replace("/api/artifacts/", "");
+      if (!artifactId) {
+        return new Response(
+          JSON.stringify({
+            error: "Bad Request",
+          }),
+          { status: 400 }
+        );
+      }
+
+      const artifact = await env.ARTIFACT_BUCKET.get(artifactId);
+      if (!artifact) {
+        return new Response(
+          JSON.stringify({
+            error: "Not Found",
+          }),
+          { status: 404 }
+        );
+      }
+
+      const contentType =
+        artifact.httpMetadata?.contentType || "application/octet-stream";
+
+      return new Response(artifact.body, {
+        status: 200,
+        headers: {
+          "Content-Type": contentType,
+        },
+      });
+    }
+
+    // Options and other pre-flight are fine
+    // Since this endpoint is used for images as direct urls...
+    if (request.method === "OPTIONS") {
+      // Handle CORS preflight requests
+      return new Response(null, {
+        status: 204,
+        headers: {
+          "Access-Control-Allow-Origin": "*",
+          "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+          "Access-Control-Allow-Headers": "Content-Type",
+        },
+      });
+    }
+
+    return new Response(
+      JSON.stringify({
+        error: "Unknown Method",
+      }),
+      { status: 405 }
+    );
+  },
+};

src/backend/auth.ts

@@ -0,0 +1,164 @@
+// Validate production environment requirements at startup
+export function validateProductionEnvironment(env: any): void {
+  if (env.DEPLOYMENT_ENV === "production") {
+    if (!env.GOOGLE_CLIENT_ID) {
+      throw new Error(
+        "STARTUP_ERROR: GOOGLE_CLIENT_ID is required when DEPLOYMENT_ENV is production"
+      );
+    }
+    if (!env.GOOGLE_CLIENT_SECRET) {
+      console.warn(
+        "⚠️ GOOGLE_CLIENT_SECRET not set in production - Google OAuth validation may be limited"
+      );
+    }
+    console.log("✅ Production environment validation passed");
+  }
+}
+
+interface AuthPayload {
+  authToken: string;
+}
+
+interface GoogleJWTPayload {
+  iss: string;
+  aud: string;
+  sub: string;
+  email?: string;
+  email_verified?: boolean;
+  name?: string;
+  picture?: string;
+  exp: number;
+  iat: number;
+}
+
+// Validate Google ID token using Google's tokeninfo endpoint
+async function validateGoogleToken(
+  token: string,
+  clientId: string
+): Promise<GoogleJWTPayload | null> {
+  try {
+    // Use Google's tokeninfo endpoint to validate the token
+    const response = await fetch(
+      `https://oauth2.googleapis.com/tokeninfo?id_token=${token}`
+    );
+
+    if (!response.ok) {
+      console.error(
+        "Token validation failed:",
+        response.status,
+        response.statusText
+      );
+      return null;
+    }
+
+    const tokenInfo = (await response.json()) as GoogleJWTPayload;
+
+    // Validate the audience (client ID)
+    if (tokenInfo.aud !== clientId) {
+      console.error("Invalid audience:", tokenInfo.aud, "expected:", clientId);
+      return null;
+    }
+
+    // Validate the issuer
+    if (
+      tokenInfo.iss !== "https://accounts.google.com" &&
+      tokenInfo.iss !== "accounts.google.com"
+    ) {
+      console.error("Invalid issuer:", tokenInfo.iss);
+      return null;
+    }
+
+    // Check expiration (Google's endpoint already validates this, but double-check)
+    const now = Math.floor(Date.now() / 1000);
+    if (tokenInfo.exp < now) {
+      const expirationTime = new Date(tokenInfo.exp * 1000).toISOString();
+      const currentTime = new Date(now * 1000).toISOString();
+      console.error(
+        `Token expired at ${expirationTime}, current time: ${currentTime}`
+      );
+      return null;
+    }
+
+    return tokenInfo;
+  } catch (error) {
+    console.error("Google token validation failed:", error);
+    return null;
+  }
+}
+
+export async function validateAuthPayload(
+  payload: AuthPayload & { runtime?: boolean },
+  env: any
+): Promise<void> {
+  console.log("🔐 Starting auth validation:", {
+    hasPayload: !!payload,
+    hasAuthToken: !!payload?.authToken,
+    isRuntime: payload?.runtime === true,
+    hasGoogleClientId: !!env.GOOGLE_CLIENT_ID,
+    hasEnvAuthToken: !!env.AUTH_TOKEN,
+  });
+
+  if (!payload?.authToken) {
+    console.error("❌ Missing auth token in payload");
+    throw new Error(
+      "MISSING_AUTH_TOKEN: No authentication token provided. Please sign in to continue."
+    );
+  }
+
+  const token = payload.authToken;
+  console.log("🎫 Token info:", {
+    tokenLength: token.length,
+    tokenStart: token.substring(0, 10) + "...",
+    isJWT: token.startsWith("eyJ"),
+  });
+
+  // For runtime agents, always allow service token authentication
+  if (payload.runtime === true) {
+    console.log("🤖 Validating runtime agent token");
+    if (env.AUTH_TOKEN && token === env.AUTH_TOKEN) {
+      console.log("✅ Authenticated runtime agent with service token");
+      return;
+    }
+    console.error("❌ Invalid service token for runtime agent");
+    throw new Error(
+      "INVALID_SERVICE_TOKEN: Runtime agent authentication failed. Check AUTH_TOKEN configuration."
+    );
+  }
+
+  // For regular users, try Google OAuth first if enabled
+  if (env.GOOGLE_CLIENT_ID) {
+    console.log("🔍 Attempting Google OAuth validation");
+    const googlePayload = await validateGoogleToken(
+      token,
+      env.GOOGLE_CLIENT_ID
+    );
+    if (googlePayload) {
+      // Google token is valid
+      console.log(
+        "✅ Authenticated user via Google OAuth:",
+        googlePayload.email
+      );
+      return;
+    }
+    console.log("⚠️ Google OAuth validation failed, trying fallback");
+  }
+
+  // Fallback to simple token validation (for local development)
+  if (env.AUTH_TOKEN && token === env.AUTH_TOKEN) {
+    console.log("✅ Authenticated with fallback token");
+    return;
+  }
+
+  console.error("❌ All authentication methods failed");
+
+  // Provide specific error based on token type
+  if (token.startsWith("eyJ")) {
+    throw new Error(
+      "GOOGLE_TOKEN_INVALID: Google authentication token expired or invalid. Please refresh the page to sign in again."
+    );
+  } else {
+    throw new Error(
+      "INVALID_AUTH_TOKEN: Authentication failed. Please check your credentials and try again."
+    );
+  }
+}