nodebb-plugin-pdf-secure 1.1.6 → 1.2.0

package/.claude/settings.local.json

@@ -2,7 +2,10 @@
   "permissions": {
     "allow": [
       "WebFetch(domain:raw.githubusercontent.com)",
-      "WebFetch(domain:github.com)"
+      "WebFetch(domain:github.com)",
+      "Bash(dir:*)",
+      "Bash(npm pack:*)",
+      "Bash(tar:*)"
     ]
   }
 }

package/lib/controllers.js

@@ -34,38 +34,14 @@ Controllers.servePdfBinary = async function (req, res) {
 			pdfBuffer = await pdfHandler.getSinglePagePdf(data.file);
 		}
 
-		// PARTIAL XOR Encryption: Sadece ilk ve son 8KB'ı şifrele
-		// Bu, PDF'yi açılamaz hale getirir ama performans etkisi minimal
-		const encryptionKey = Buffer.from(nonce.slice(0, 8));
-		const encryptedBuffer = Buffer.from(pdfBuffer); // Copy
-		const chunkSize = 8192; // 8KB
-
-		// İlk 8KB'ı şifrele (PDF header - CRITICAL)
-		const headerEnd = Math.min(chunkSize, pdfBuffer.length);
-		for (let i = 0; i < headerEnd; i++) {
-			encryptedBuffer[i] = pdfBuffer[i] ^ encryptionKey[i % encryptionKey.length];
-		}
-
-		// Son 8KB'ı şifrele (PDF xref table - CRITICAL)
-		const footerStart = Math.max(0, pdfBuffer.length - chunkSize);
-		for (let i = footerStart; i < pdfBuffer.length; i++) {
-			encryptedBuffer[i] = pdfBuffer[i] ^ encryptionKey[i % encryptionKey.length];
-		}
-
 		res.set({
 			'Content-Type': 'application/octet-stream',
-			'Cache-Control': 'no-store, no-cache, must-revalidate, private, max-age=0',
-			'Pragma': 'no-cache',
-			'Expires': '0',
+			'Cache-Control': 'no-store, no-cache, must-revalidate, private',
 			'X-Content-Type-Options': 'nosniff',
-			'X-Download-Options': 'noopen',
-			'X-Frame-Options': 'SAMEORIGIN',
-			'Content-Security-Policy': "default-src 'none'",
 			'Content-Disposition': 'inline',
-			'X-PDF-Encrypted': '1', // İşaretleyici
 		});
 
-		return res.send(encryptedBuffer);
+		return res.send(pdfBuffer);
 	} catch (err) {
 		if (err.message === 'File not found') {
 			return res.status(404).json({ error: 'PDF not found' });

package/library.js

@@ -42,11 +42,17 @@ plugin.init = async (params) => {
 			return res.status(400).send('Invalid file');
 		}
 
-		// Serve the viewer template with security headers
+		// Serve the viewer template with comprehensive security headers
 		res.set({
 			'X-Frame-Options': 'SAMEORIGIN',
 			'X-Content-Type-Options': 'nosniff',
-			'Cache-Control': 'no-store, no-cache, must-revalidate, private',
+			'X-XSS-Protection': '1; mode=block',
+			'Cache-Control': 'no-store, no-cache, must-revalidate, private, max-age=0',
+			'Pragma': 'no-cache',
+			'Expires': '0',
+			'Referrer-Policy': 'no-referrer',
+			'Permissions-Policy': 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()',
+			'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'self'",
 		});
 
 		// Read and send the viewer HTML

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure",
-  "version": "1.1.6",
+  "version": "1.2.0",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {

package/static/lib/viewer.js

@@ -32,7 +32,6 @@ function interceptPdfLinks() {
 
 			var container = document.createElement('div');
 			container.className = 'pdf-secure-inline';
-			container.setAttribute('tabindex', '0'); // Focus için gerekli
 			container.innerHTML =
 				'<div class="pdf-secure-inline-header">' +
 					'<i class="fa fa-file-pdf-o"></i> ' +
@@ -41,10 +40,7 @@ function interceptPdfLinks() {
 				'<div class="pdf-secure-inline-body">' +
 					'<div class="pdf-secure-loading">Loading PDF...</div>' +
 					'<div class="pdf-secure-error"></div>' +
-					'<div class="pdf-secure-canvas-wrapper">' +
-						'<canvas class="pdf-secure-canvas"></canvas>' +
-						'<div class="pdf-secure-overlay"></div>' +
-					'</div>' +
+					'<canvas class="pdf-secure-canvas"></canvas>' +
 				'</div>' +
 				'<div class="pdf-secure-inline-footer">' +
 					'<button class="pdf-secure-prev" disabled>&#8249; Prev</button>' +
@@ -110,29 +106,8 @@ async function loadPdf(container, filename) {
 			return;
 		}
 
-		var encryptedArrayBuffer = await pdfRes.arrayBuffer();
-		console.log('[PDF-Secure][Viewer] Step 2 - Encrypted data loaded:', encryptedArrayBuffer.byteLength, 'bytes');
-
-		// PARTIAL XOR Decryption: Sadece ilk ve son 8KB'ı decrypt et
-		var encryptedBytes = new Uint8Array(encryptedArrayBuffer);
-		var encryptionKey = new TextEncoder().encode(nonce.slice(0, 8));
-		var decryptedBytes = new Uint8Array(encryptedBytes); // Copy
-		var chunkSize = 8192; // 8KB
-
-		// İlk 8KB'ı decrypt et (PDF header)
-		var headerEnd = Math.min(chunkSize, encryptedBytes.length);
-		for (var i = 0; i < headerEnd; i++) {
-			decryptedBytes[i] = encryptedBytes[i] ^ encryptionKey[i % encryptionKey.length];
-		}
-
-		// Son 8KB'ı decrypt et (PDF xref table)
-		var footerStart = Math.max(0, encryptedBytes.length - chunkSize);
-		for (var i = footerStart; i < encryptedBytes.length; i++) {
-			decryptedBytes[i] = encryptedBytes[i] ^ encryptionKey[i % encryptionKey.length];
-		}
-
-		var pdfArrayBuffer = decryptedBytes.buffer;
-		console.log('[PDF-Secure][Viewer] Step 2 - Decrypted PDF:', pdfArrayBuffer.byteLength, 'bytes');
+		var pdfArrayBuffer = await pdfRes.arrayBuffer();
+		console.log('[PDF-Secure][Viewer] Step 2 - PDF loaded:', pdfArrayBuffer.byteLength, 'bytes');
 
 		// Step 3: Render PDF
 		console.log('[PDF-Secure][Viewer] Step 3 - Rendering...');
@@ -147,41 +122,6 @@ async function loadPdf(container, filename) {
 		container.addEventListener('contextmenu', function (e) { e.preventDefault(); });
 		container.addEventListener('dragstart', function (e) { e.preventDefault(); });
 		container.addEventListener('selectstart', function (e) { e.preventDefault(); });
-		container.addEventListener('copy', function (e) { e.preventDefault(); });
-
-		// Keyboard shortcuts engelleme (Ctrl+S, Ctrl+P, Ctrl+C, Print Screen)
-		container.addEventListener('keydown', function (e) {
-			// Ctrl/Cmd + S (Save)
-			if ((e.ctrlKey || e.metaKey) && e.key === 's') {
-				e.preventDefault();
-				console.log('[PDF-Secure] Save blocked');
-				return false;
-			}
-			// Ctrl/Cmd + P (Print)
-			if ((e.ctrlKey || e.metaKey) && e.key === 'p') {
-				e.preventDefault();
-				console.log('[PDF-Secure] Print blocked');
-				return false;
-			}
-			// Ctrl/Cmd + C (Copy)
-			if ((e.ctrlKey || e.metaKey) && e.key === 'c') {
-				e.preventDefault();
-				console.log('[PDF-Secure] Copy blocked');
-				return false;
-			}
-			// Print Screen
-			if (e.key === 'PrintScreen') {
-				e.preventDefault();
-				console.log('[PDF-Secure] PrintScreen blocked');
-				return false;
-			}
-			// F12 (DevTools)
-			if (e.key === 'F12') {
-				e.preventDefault();
-				console.log('[PDF-Secure] F12 blocked');
-				return false;
-			}
-		});
 
 		var ctx = canvas.getContext('2d');
 		var currentPage = 1;

package/static/style.less

@@ -136,142 +136,7 @@
 
 /* Anti-print */
 @media print {
-	.pdf-secure-embed,
-	.pdf-secure-inline {
+	.pdf-secure-embed {
 		display: none !important;
 	}
 }
-
-/* Inline PDF Viewer Styles */
-.pdf-secure-inline {
-	margin: 20px 0;
-	border: 1px solid #ddd;
-	border-radius: 8px;
-	overflow: hidden;
-	background: #f5f5f5;
-	user-select: none;
-	-webkit-user-select: none;
-	-moz-user-select: none;
-	-ms-user-select: none;
-}
-
-.pdf-secure-inline-header {
-	display: flex;
-	align-items: center;
-	gap: 8px;
-	padding: 12px 16px;
-	background: linear-gradient(to bottom, #fff, #f8f8f8);
-	border-bottom: 1px solid #ddd;
-	font-weight: 500;
-	color: #333;
-}
-
-.pdf-secure-inline-header i {
-	color: #e81224;
-	font-size: 18px;
-}
-
-.pdf-secure-filename {
-	flex: 1;
-	overflow: hidden;
-	text-overflow: ellipsis;
-	white-space: nowrap;
-}
-
-.pdf-secure-inline-body {
-	position: relative;
-	min-height: 400px;
-	background: #fff;
-	display: flex;
-	align-items: center;
-	justify-content: center;
-}
-
-.pdf-secure-loading {
-	position: absolute;
-	top: 50%;
-	left: 50%;
-	transform: translate(-50%, -50%);
-	color: #666;
-	font-size: 14px;
-}
-
-.pdf-secure-error {
-	display: none;
-	position: absolute;
-	top: 50%;
-	left: 50%;
-	transform: translate(-50%, -50%);
-	color: #e81224;
-	font-size: 14px;
-	text-align: center;
-	padding: 20px;
-}
-
-.pdf-secure-canvas-wrapper {
-	position: relative;
-	display: inline-block;
-	/* Canvas wrapper'ı güvenlik için kapsayıcı */
-}
-
-.pdf-secure-canvas {
-	display: none;
-	max-width: 100%;
-	height: auto;
-	/* Canvas üzerinde sağ tık ve sürüklemeyi engelle */
-	pointer-events: auto;
-}
-
-.pdf-secure-overlay {
-	position: absolute;
-	top: 0;
-	left: 0;
-	right: 0;
-	bottom: 0;
-	background: transparent;
-	/* Görünmez koruma katmanı - tüm mouse eventlerini yakalar */
-	pointer-events: auto;
-	cursor: default;
-	z-index: 1;
-}
-
-.pdf-secure-inline-footer {
-	display: none;
-	align-items: center;
-	justify-content: center;
-	gap: 16px;
-	padding: 12px;
-	background: #f8f8f8;
-	border-top: 1px solid #ddd;
-}
-
-.pdf-secure-prev,
-.pdf-secure-next {
-	padding: 6px 12px;
-	background: #fff;
-	border: 1px solid #ddd;
-	border-radius: 4px;
-	cursor: pointer;
-	font-size: 14px;
-	color: #333;
-	transition: all 0.2s;
-}
-
-.pdf-secure-prev:hover:not(:disabled),
-.pdf-secure-next:hover:not(:disabled) {
-	background: #f0f0f0;
-	border-color: #999;
-}
-
-.pdf-secure-prev:disabled,
-.pdf-secure-next:disabled {
-	opacity: 0.4;
-	cursor: not-allowed;
-}
-
-.pdf-secure-page-info {
-	font-size: 14px;
-	color: #666;
-	min-width: 60px;
-	text-align: center;
-}

package/static/viewer.html

@@ -3047,7 +3047,178 @@
 
         console.log('PDF Viewer Ready');
         console.log('Keyboard Shortcuts: H=Highlight, P=Pen, E=Eraser, T=Text, R=Shapes, S=Sidebar, M=ReadingMode, Arrows=Navigate');
+
+        // ==========================================
+        // SECURITY FEATURES
+        // ==========================================
+
+        (function initSecurityFeatures() {
+            console.log('[Security] Initializing protection features...');
+
+            // 1. Block dangerous keyboard shortcuts
+            document.addEventListener('keydown', function (e) {
+                // Ctrl+S (Save)
+                if (e.ctrlKey && e.key === 's') {
+                    e.preventDefault();
+                    console.log('[Security] Ctrl+S blocked');
+                    return false;
+                }
+                // Ctrl+P (Print)
+                if (e.ctrlKey && e.key === 'p') {
+                    e.preventDefault();
+                    console.log('[Security] Ctrl+P blocked');
+                    return false;
+                }
+                // Ctrl+Shift+S (Save As)
+                if (e.ctrlKey && e.shiftKey && e.key === 'S') {
+                    e.preventDefault();
+                    return false;
+                }
+                // F12 (DevTools)
+                if (e.key === 'F12') {
+                    e.preventDefault();
+                    console.log('[Security] F12 blocked');
+                    return false;
+                }
+                // Ctrl+Shift+I (DevTools)
+                if (e.ctrlKey && e.shiftKey && e.key === 'I') {
+                    e.preventDefault();
+                    return false;
+                }
+                // Ctrl+Shift+J (Console)
+                if (e.ctrlKey && e.shiftKey && e.key === 'J') {
+                    e.preventDefault();
+                    return false;
+                }
+                // Ctrl+U (View Source)
+                if (e.ctrlKey && e.key === 'u') {
+                    e.preventDefault();
+                    return false;
+                }
+                // Ctrl+Shift+C (Inspect Element)
+                if (e.ctrlKey && e.shiftKey && e.key === 'C') {
+                    e.preventDefault();
+                    return false;
+                }
+            }, true);
+
+            // 2. Block context menu (right-click)
+            document.addEventListener('contextmenu', function (e) {
+                // Allow our custom context menu for annotations
+                if (e.target.closest('.annotationLayer') || e.target.closest('.pdfViewer')) {
+                    // Keep custom context menu behavior
+                    return;
+                }
+                e.preventDefault();
+                return false;
+            }, true);
+
+            // 3. Block copy/cut/paste
+            document.addEventListener('copy', function (e) {
+                e.preventDefault();
+                console.log('[Security] Copy blocked');
+                return false;
+            }, true);
+
+            document.addEventListener('cut', function (e) {
+                e.preventDefault();
+                return false;
+            }, true);
+
+            // 4. Block drag events (prevent dragging content out)
+            document.addEventListener('dragstart', function (e) {
+                e.preventDefault();
+                return false;
+            }, true);
+
+            // 5. DevTools detection (basic)
+            let devToolsOpen = false;
+            const threshold = 160;
+
+            function checkDevTools() {
+                const widthThreshold = window.outerWidth - window.innerWidth > threshold;
+                const heightThreshold = window.outerHeight - window.innerHeight > threshold;
+
+                if (widthThreshold || heightThreshold) {
+                    if (!devToolsOpen) {
+                        devToolsOpen = true;
+                        console.log('[Security] DevTools detected');
+                        // Optional: blur content when devtools open
+                        document.body.classList.add('devtools-open');
+                    }
+                } else {
+                    if (devToolsOpen) {
+                        devToolsOpen = false;
+                        document.body.classList.remove('devtools-open');
+                    }
+                }
+            }
+
+            // Check periodically
+            setInterval(checkDevTools, 1000);
+            window.addEventListener('resize', checkDevTools);
+
+            // 6. Block Print via window.print override
+            window.print = function () {
+                console.log('[Security] Print function blocked');
+                alert('Yazdırma bu belgede engellenmiştir.');
+                return false;
+            };
+
+            // 7. Disable beforeprint event
+            window.addEventListener('beforeprint', function (e) {
+                e.preventDefault();
+                document.body.style.display = 'none';
+            });
+
+            window.addEventListener('afterprint', function () {
+                document.body.style.display = '';
+            });
+
+            // 8. Block screenshot keyboard shortcuts
+            document.addEventListener('keyup', function (e) {
+                // PrintScreen key
+                if (e.key === 'PrintScreen') {
+                    navigator.clipboard.writeText('');
+                    console.log('[Security] PrintScreen clipboard cleared');
+                }
+            }, true);
+
+            // 9. Visibility change detection (tab switching for screenshots)
+            document.addEventListener('visibilitychange', function () {
+                if (document.hidden) {
+                    // User switched tabs - could be for screenshot tools
+                    console.log('[Security] Tab hidden');
+                }
+            });
+
+            console.log('[Security] All protection features initialized');
+        })();
     </script>
+
+    <!-- Security CSS for DevTools detection -->
+    <style>
+        .devtools-open #viewerContainer,
+        .devtools-open #viewer,
+        .devtools-open .pdfViewer {
+            filter: blur(20px) !important;
+            pointer-events: none !important;
+        }
+
+        .devtools-open::after {
+            content: 'Geliştirici araçları açıkken içerik görüntülenemez.';
+            position: fixed;
+            top: 50%;
+            left: 50%;
+            transform: translate(-50%, -50%);
+            background: rgba(0, 0, 0, 0.9);
+            color: #fff;
+            padding: 30px 50px;
+            border-radius: 10px;
+            font-size: 18px;
+            z-index: 99999;
+        }
+    </style>
 </body>
 
 </html>