nodebb-plugin-pdf-secure 1.0.1

package/.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:github.com)"
+    ]
+  }
+}

package/.gitattributes

@@ -0,0 +1,22 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs     diff=csharp
+*.sln    merge=union
+*.csproj merge=union
+*.vbproj merge=union
+*.fsproj merge=union
+*.dbproj merge=union
+
+# Standard to msysgit
+*.doc	 diff=astextplain
+*.DOC	 diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot  diff=astextplain
+*.DOT  diff=astextplain
+*.pdf  diff=astextplain
+*.PDF	 diff=astextplain
+*.rtf	 diff=astextplain
+*.RTF	 diff=astextplain

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 NodeBB Inc. <sales@nodebb.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,17 @@
+# Quickstart Plugin for NodeBB
+
+A starter kit for quickly creating NodeBB plugins. Comes with a pre-setup SCSS file, server side JS script with an `static:app.load` hook, and a client-side script. Most plugins need at least one of the above, so this ought to save you some time. For a full list of hooks have a look at our [wiki page](https://github.com/NodeBB/NodeBB/wiki/Hooks), and for more information about creating plugins please visit our [documentation portal](https://docs.nodebb.org/).
+
+Fork this or copy it, and using your favourite text editor find and replace all instances of `nodebb-plugin-quickstart` with `nodebb-plugin-your-plugins-name`. Change the author's name in the LICENSE and package.json files.
+
+## Hello World
+
+Really simple, just edit `public/lib/main.js` and paste in `console.log('hello world');`, and that's it!
+
+## Installation
+
+    npm install nodebb-plugin-quickstart
+
+## Screenshots
+
+Don't forget to add screenshots!

package/commitlint.config.js

@@ -0,0 +1,26 @@
+'use strict';
+
+module.exports = {
+	extends: ['@commitlint/config-angular'],
+	rules: {
+		'header-max-length': [1, 'always', 72],
+		'type-enum': [
+			2,
+			'always',
+			[
+				'breaking',
+				'build',
+				'chore',
+				'ci',
+				'docs',
+				'feat',
+				'fix',
+				'perf',
+				'refactor',
+				'revert',
+				'style',
+				'test',
+			],
+		],
+	},
+};

package/eslint.config.mjs

@@ -0,0 +1,10 @@
+'use strict';
+
+import serverConfig from 'eslint-config-nodebb';
+import publicConfig from 'eslint-config-nodebb/public';
+
+export default [
+	...publicConfig,
+	...serverConfig,
+];
+

package/languages/de/pdf-secure.json

@@ -0,0 +1,7 @@
+{
+	"view-pdf": "PDF anzeigen",
+	"premium-upgrade": "Upgrade auf Premium, um das vollständige Dokument anzuzeigen.",
+	"loading": "PDF wird geladen...",
+	"access-denied": "Zugriff verweigert",
+	"login-required": "Sie müssen angemeldet sein, um diese PDF anzuzeigen."
+}

package/languages/en-GB/pdf-secure.json

@@ -0,0 +1,7 @@
+{
+	"view-pdf": "View PDF",
+	"premium-upgrade": "Upgrade to Premium to view the full document.",
+	"loading": "Loading PDF...",
+	"access-denied": "Access denied",
+	"login-required": "You must be logged in to view this PDF."
+}

package/languages/en-US/pdf-secure.json

@@ -0,0 +1,7 @@
+{
+	"view-pdf": "View PDF",
+	"premium-upgrade": "Upgrade to Premium to view the full document.",
+	"loading": "Loading PDF...",
+	"access-denied": "Access denied",
+	"login-required": "You must be logged in to view this PDF."
+}

package/lib/controllers.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const nonceStore = require('./nonce-store');
+const pdfHandler = require('./pdf-handler');
+
+const Controllers = module.exports;
+
+Controllers.renderAdminPage = function (req, res) {
+	res.render('admin/plugins/pdf-secure', {
+		title: 'PDF Secure Viewer',
+	});
+};
+
+Controllers.servePdfBinary = async function (req, res) {
+	const { nonce } = req.query;
+	if (!nonce) {
+		return res.status(400).json({ error: 'Missing nonce' });
+	}
+
+	if (!req.uid) {
+		return res.status(401).json({ error: 'Not authenticated' });
+	}
+
+	const data = nonceStore.validate(nonce, req.uid);
+	if (!data) {
+		return res.status(403).json({ error: 'Invalid or expired nonce' });
+	}
+
+	try {
+		let pdfBuffer;
+		if (data.isPremium) {
+			pdfBuffer = await pdfHandler.getFullPdf(data.file);
+		} else {
+			pdfBuffer = await pdfHandler.getSinglePagePdf(data.file);
+		}
+
+		res.set({
+			'Content-Type': 'application/octet-stream',
+			'Cache-Control': 'no-store, no-cache, must-revalidate, private',
+			'X-Content-Type-Options': 'nosniff',
+			'Content-Disposition': 'inline',
+		});
+
+		return res.send(pdfBuffer);
+	} catch (err) {
+		if (err.message === 'File not found') {
+			return res.status(404).json({ error: 'PDF not found' });
+		}
+		return res.status(500).json({ error: 'Internal error' });
+	}
+};

package/lib/nonce-store.js

@@ -0,0 +1,52 @@
+'use strict';
+
+const { v4: uuidv4 } = require('uuid');
+
+const store = new Map();
+const NONCE_TTL = 30 * 1000; // 30 seconds
+const CLEANUP_INTERVAL = 60 * 1000; // 60 seconds
+
+// Periodic cleanup of expired nonces
+setInterval(() => {
+	const now = Date.now();
+	for (const [nonce, data] of store.entries()) {
+		if (now - data.createdAt > NONCE_TTL) {
+			store.delete(nonce);
+		}
+	}
+}, CLEANUP_INTERVAL).unref();
+
+const NonceStore = module.exports;
+
+NonceStore.generate = function (uid, file, isPremium) {
+	const nonce = uuidv4();
+	store.set(nonce, {
+		uid: uid,
+		file: file,
+		isPremium: isPremium,
+		createdAt: Date.now(),
+	});
+	return nonce;
+};
+
+NonceStore.validate = function (nonce, uid) {
+	const data = store.get(nonce);
+	if (!data) {
+		return null;
+	}
+
+	// Delete immediately (single-use)
+	store.delete(nonce);
+
+	// Check UID match
+	if (data.uid !== uid) {
+		return null;
+	}
+
+	// Check TTL
+	if (Date.now() - data.createdAt > NONCE_TTL) {
+		return null;
+	}
+
+	return data;
+};

package/lib/pdf-handler.js

@@ -0,0 +1,89 @@
+'use strict';
+
+const path = require('path');
+const fs = require('fs');
+const { PDFDocument } = require('pdf-lib');
+const nconf = require.main.require('nconf');
+
+const singlePageCache = new Map();
+const CACHE_TTL = 60 * 60 * 1000; // 1 hour
+
+// Periodic cleanup of expired cache entries
+setInterval(() => {
+	const now = Date.now();
+	for (const [key, entry] of singlePageCache.entries()) {
+		if (now - entry.createdAt > CACHE_TTL) {
+			singlePageCache.delete(key);
+		}
+	}
+}, 10 * 60 * 1000).unref(); // cleanup every 10 minutes
+
+const PdfHandler = module.exports;
+
+PdfHandler.resolveFilePath = function (filename) {
+	// Sanitize: only allow basename (prevent directory traversal)
+	const safeName = path.basename(filename);
+	if (!safeName || safeName !== filename || safeName.includes('..')) {
+		return null;
+	}
+
+	const uploadPath = nconf.get('upload_path') || path.join(nconf.get('base_dir'), 'public', 'uploads');
+	const filePath = path.join(uploadPath, 'files', safeName);
+
+	// Verify the resolved path is still within the upload directory
+	const resolvedPath = path.resolve(filePath);
+	const resolvedUploadDir = path.resolve(path.join(uploadPath, 'files'));
+	if (!resolvedPath.startsWith(resolvedUploadDir)) {
+		return null;
+	}
+
+	return filePath;
+};
+
+PdfHandler.getFullPdf = async function (filename) {
+	const filePath = PdfHandler.resolveFilePath(filename);
+	if (!filePath) {
+		throw new Error('Invalid filename');
+	}
+
+	if (!fs.existsSync(filePath)) {
+		throw new Error('File not found');
+	}
+
+	return fs.promises.readFile(filePath);
+};
+
+PdfHandler.getSinglePagePdf = async function (filename) {
+	// Check cache first
+	const cached = singlePageCache.get(filename);
+	if (cached && (Date.now() - cached.createdAt < CACHE_TTL)) {
+		return cached.buffer;
+	}
+
+	const filePath = PdfHandler.resolveFilePath(filename);
+	if (!filePath) {
+		throw new Error('Invalid filename');
+	}
+
+	if (!fs.existsSync(filePath)) {
+		throw new Error('File not found');
+	}
+
+	const existingPdfBytes = await fs.promises.readFile(filePath);
+	const srcDoc = await PDFDocument.load(existingPdfBytes);
+
+	const newDoc = await PDFDocument.create();
+	const [copiedPage] = await newDoc.copyPages(srcDoc, [0]);
+	newDoc.addPage(copiedPage);
+
+	const pdfBytes = await newDoc.save();
+	const buffer = Buffer.from(pdfBytes);
+
+	// Cache the result
+	singlePageCache.set(filename, {
+		buffer: buffer,
+		createdAt: Date.now(),
+	});
+
+	return buffer;
+};

package/library.js

@@ -0,0 +1,72 @@
+'use strict';
+
+const meta = require.main.require('./src/meta');
+const groups = require.main.require('./src/groups');
+const routeHelpers = require.main.require('./src/routes/helpers');
+
+const controllers = require('./lib/controllers');
+const nonceStore = require('./lib/nonce-store');
+
+const plugin = {};
+
+plugin.init = async (params) => {
+	const { router, middleware } = params;
+
+	// PDF direct access blocker middleware
+	// Intercepts requests to uploaded PDF files and returns 403
+	router.get('/assets/uploads/files/:filename', (req, res, next) => {
+		if (req.params.filename && req.params.filename.toLowerCase().endsWith('.pdf')) {
+			return res.status(403).json({ error: 'Direct PDF access is not allowed. Use the secure viewer.' });
+		}
+		next();
+	});
+
+	// PDF binary endpoint (nonce-validated)
+	router.get('/api/v3/plugins/pdf-secure/pdf-data', middleware.ensureLoggedIn, controllers.servePdfBinary);
+
+	// Admin page route
+	routeHelpers.setupAdminPageRoute(router, '/admin/plugins/pdf-secure', controllers.renderAdminPage);
+};
+
+plugin.addRoutes = async ({ router, middleware, helpers }) => {
+	// Nonce generation endpoint
+	routeHelpers.setupApiRoute(router, 'get', '/pdf-secure/nonce', [middleware.ensureLoggedIn], async (req, res) => {
+		const { file } = req.query;
+		if (!file) {
+			return helpers.formatApiResponse(400, res, new Error('Missing file parameter'));
+		}
+
+		// Sanitize filename
+		const path = require('path');
+		const safeName = path.basename(file);
+		if (!safeName || !safeName.toLowerCase().endsWith('.pdf')) {
+			return helpers.formatApiResponse(400, res, new Error('Invalid file'));
+		}
+
+		// Get premium group name from settings (default: 'Premium')
+		const settings = await meta.settings.get('pdf-secure');
+		const premiumGroup = settings.premiumGroup || 'Premium';
+
+		// Check if user is in premium group
+		const isPremium = await groups.isMember(req.uid, premiumGroup);
+
+		const nonce = nonceStore.generate(req.uid, safeName, isPremium);
+
+		helpers.formatApiResponse(200, res, {
+			nonce: nonce,
+			isPremium: isPremium,
+		});
+	});
+};
+
+plugin.addAdminNavigation = (header) => {
+	header.plugins.push({
+		route: '/plugins/pdf-secure',
+		icon: 'fa-file-pdf-o',
+		name: 'PDF Secure Viewer',
+	});
+
+	return header;
+};
+
+module.exports = plugin;

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "nodebb-plugin-pdf-secure",
+  "version": "1.0.1",
+  "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
+  "main": "library.js",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nodebb/nodebb-plugin-pdf-secure"
+  },
+  "scripts": {
+    "lint": "eslint ."
+  },
+  "keywords": [
+    "nodebb",
+    "plugin",
+    "pdf",
+    "secure",
+    "viewer"
+  ],
+  "husky": {
+    "hooks": {
+      "pre-commit": "lint-staged",
+      "commit-msg": "commitlint -E HUSKY_GIT_PARAMS"
+    }
+  },
+  "lint-staged": {
+    "*.js": [
+      "eslint --fix",
+      "git add"
+    ]
+  },
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/nodebb/nodebb-plugin-pdf-secure/issues"
+  },
+  "readmeFilename": "README.md",
+  "nbbpm": {
+    "compatibility": "^3.2.0"
+  },
+  "dependencies": {
+    "pdf-lib": "^1.17.1",
+    "uuid": "^11.1.0"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "20.4.1",
+    "@commitlint/config-angular": "20.4.1",
+    "eslint": "9.39.2",
+    "eslint-config-nodebb": "1.1.11",
+    "husky": "9.1.7",
+    "lint-staged": "16.2.7",
+    "pdfjs-dist": "^4.9.155"
+  }
+}

package/plugin.json

@@ -0,0 +1,20 @@
+{
+	"id": "nodebb-plugin-pdf-secure",
+	"url": "https://github.com/NodeBB/nodebb-plugin-pdf-secure",
+	"library": "./library.js",
+	"hooks": [
+		{ "hook": "static:app.load", "method": "init" },
+		{ "hook": "static:api.routes", "method": "addRoutes" },
+		{ "hook": "filter:admin.header.build", "method": "addAdminNavigation" }
+	],
+	"staticDirs": {
+		"static": "./static"
+	},
+	"less": [
+		"static/style.less"
+	],
+	"scripts": [
+		"static/lib/main.js"
+	],
+	"templates": "./static/templates"
+}

package/renovate.json

@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "config:recommended"
+  ]
+}

package/static/lib/main.js

@@ -0,0 +1,108 @@
+'use strict';
+
+(async () => {
+	const hooks = await app.require('hooks');
+
+	hooks.on('action:ajaxify.end', () => {
+		interceptPdfLinks();
+	});
+
+	function interceptPdfLinks() {
+		const postContents = document.querySelectorAll('[component="post/content"]');
+		postContents.forEach((content) => {
+			const pdfLinks = content.querySelectorAll('a[href$=".pdf"], a[href$=".PDF"]');
+			pdfLinks.forEach((link) => {
+				// Skip already processed links
+				if (link.dataset.pdfSecure) return;
+				link.dataset.pdfSecure = 'true';
+
+				// Extract filename from href
+				const href = link.getAttribute('href');
+				const parts = href.split('/');
+				const filename = parts[parts.length - 1];
+
+				// Create button replacement
+				const btn = document.createElement('button');
+				btn.type = 'button';
+				btn.className = 'btn btn-sm btn-outline-primary pdf-secure-btn';
+				btn.innerHTML = '<i class="fa fa-file-pdf-o"></i> ' + (link.textContent || filename);
+				btn.title = 'View PDF securely';
+				btn.dataset.filename = filename;
+
+				btn.addEventListener('click', (e) => {
+					e.preventDefault();
+					e.stopPropagation();
+					openSecureViewer(filename);
+				});
+
+				link.replaceWith(btn);
+			});
+		});
+	}
+
+	async function openSecureViewer(filename) {
+		try {
+			// Request nonce from server
+			const response = await fetch(
+				`${config.relative_path}/api/v3/plugins/pdf-secure/nonce?file=${encodeURIComponent(filename)}`,
+				{
+					credentials: 'same-origin',
+					headers: {
+						'x-csrf-token': config.csrf_token,
+					},
+				}
+			);
+
+			if (!response.ok) {
+				if (response.status === 401) {
+					app.alertError('You must be logged in to view PDFs.');
+					return;
+				}
+				app.alertError('Failed to load PDF viewer.');
+				return;
+			}
+
+			const result = await response.json();
+			const { nonce, isPremium } = result.response;
+
+			// Create overlay with iframe
+			const overlay = document.createElement('div');
+			overlay.className = 'pdf-secure-overlay';
+			overlay.id = 'pdf-secure-overlay';
+
+			const iframe = document.createElement('iframe');
+			const viewerUrl = `${config.relative_path}/plugins/nodebb-plugin-pdf-secure/static/lib/viewer.html?nonce=${encodeURIComponent(nonce)}&premium=${isPremium}&apiBase=${encodeURIComponent(config.relative_path)}`;
+			iframe.src = viewerUrl;
+			iframe.className = 'pdf-secure-iframe';
+			iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
+
+			overlay.appendChild(iframe);
+			document.body.appendChild(overlay);
+
+			// Listen for close message from viewer
+			function onMessage(e) {
+				if (e.data && e.data.type === 'pdf-viewer-close') {
+					closeOverlay();
+				}
+			}
+			window.addEventListener('message', onMessage);
+
+			// Close on Escape key
+			function onKeydown(e) {
+				if (e.key === 'Escape') {
+					closeOverlay();
+				}
+			}
+			document.addEventListener('keydown', onKeydown);
+
+			function closeOverlay() {
+				window.removeEventListener('message', onMessage);
+				document.removeEventListener('keydown', onKeydown);
+				const el = document.getElementById('pdf-secure-overlay');
+				if (el) el.remove();
+			}
+		} catch (err) {
+			app.alertError('Failed to open PDF viewer.');
+		}
+	}
+})();