nodebb-plugin-pdf-secure 1.2.28 → 1.2.30

package/lib/controllers.js

@@ -1,28 +1,18 @@
 'use strict';
 
+const crypto = require('crypto');
 const nonceStore = require('./nonce-store');
 const pdfHandler = require('./pdf-handler');
 
 const Controllers = module.exports;
 
-// Partial XOR - encrypts first 10KB and every 50th byte after that
-// Now uses dynamic key from nonce data
-function partialXorEncode(buffer, xorKey) {
-	const data = Buffer.from(buffer);
-	const keyLen = xorKey.length;
-
-	// Encrypt first 10KB fully
-	const fullEncryptLen = Math.min(10240, data.length);
-	for (let i = 0; i < fullEncryptLen; i++) {
-		data[i] = data[i] ^ xorKey[i % keyLen];
-	}
-
-	// Encrypt every 50th byte after that
-	for (let i = fullEncryptLen; i < data.length; i += 50) {
-		data[i] = data[i] ^ xorKey[i % keyLen];
-	}
-
-	return data;
+// AES-256-GCM encryption - replaces weak XOR obfuscation
+function aesGcmEncrypt(buffer, key, iv) {
+	const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+	const encrypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
+	const authTag = cipher.getAuthTag(); // 16 bytes
+	// Format: [authTag (16 bytes)] [ciphertext]
+	return Buffer.concat([authTag, encrypted]);
 }
 
 Controllers.renderAdminPage = function (req, res) {
@@ -32,12 +22,17 @@ Controllers.renderAdminPage = function (req, res) {
 };
 
 Controllers.servePdfBinary = async function (req, res) {
+	// Authentication gate - require logged-in user
+	if (!req.uid) {
+		return res.status(401).json({ error: 'Authentication required' });
+	}
+
 	const { nonce } = req.query;
 	if (!nonce) {
 		return res.status(400).json({ error: 'Missing nonce' });
 	}
 
-	const uid = req.uid || 0; // Guest uid = 0
+	const uid = req.uid;
 
 	const data = nonceStore.validate(nonce, uid);
 	if (!data) {
@@ -45,14 +40,16 @@ Controllers.servePdfBinary = async function (req, res) {
 	}
 
 	try {
-		// Always send full PDF - page restriction is handled client-side
-		const pdfBuffer = await pdfHandler.getFullPdf(data.file);
+		// Server-side premium gate: non-premium users only get first page
+		const pdfBuffer = data.isPremium
+			? await pdfHandler.getFullPdf(data.file)
+			: await pdfHandler.getSinglePagePdf(data.file);
 
-		// Apply partial XOR encryption with dynamic key from nonce
-		const encodedBuffer = partialXorEncode(pdfBuffer, data.xorKey);
+		// Apply AES-256-GCM encryption
+		const encodedBuffer = aesGcmEncrypt(pdfBuffer, data.encKey, data.encIv);
 
 		res.set({
-			'Content-Type': 'image/gif',  // Misleading - actual PDF binary
+			'Content-Type': 'application/octet-stream',
 			'Cache-Control': 'no-store, no-cache, must-revalidate, private',
 			'X-Content-Type-Options': 'nosniff',
 			'Content-Disposition': 'inline',

package/lib/nonce-store.js

@@ -17,40 +17,36 @@ setInterval(() => {
 	}
 }, CLEANUP_INTERVAL).unref();
 
-// Generate a random XOR key (8 bytes)
-function generateXorKey() {
-	return crypto.randomBytes(8);
+// Generate AES-256-GCM key (32 bytes) and IV (12 bytes)
+function generateEncryptionParams() {
+	return {
+		key: crypto.randomBytes(32),
+		iv: crypto.randomBytes(12),
+	};
 }
 
 const NonceStore = module.exports;
 
 NonceStore.generate = function (uid, file, isPremium) {
 	const nonce = uuidv4();
-	const xorKey = generateXorKey();
+	const { key, iv } = generateEncryptionParams();
 
 	store.set(nonce, {
 		uid: uid,
 		file: file,
 		isPremium: isPremium,
-		xorKey: xorKey,  // Store unique key for this nonce
+		encKey: key,   // AES-256-GCM key
+		encIv: iv,     // GCM initialization vector
 		createdAt: Date.now(),
 	});
 
 	return {
 		nonce: nonce,
-		xorKey: xorKey.toString('base64')  // Return key for viewer injection
+		dk: key.toString('base64'),   // decryption key for viewer
+		iv: iv.toString('base64'),    // IV for viewer
 	};
 };
 
-// Get key without consuming nonce (for viewer injection)
-NonceStore.getKey = function (nonce) {
-	const data = store.get(nonce);
-	if (!data) {
-		return null;
-	}
-	return data.xorKey.toString('base64');
-};
-
 NonceStore.validate = function (nonce, uid) {
 	const data = store.get(nonce);
 	if (!data) {
@@ -70,5 +66,5 @@ NonceStore.validate = function (nonce, uid) {
 		return null;
 	}
 
-	return data;  // Now includes xorKey
+	return data;  // Includes encKey and encIv for AES-256-GCM
 };

package/library.js

@@ -55,14 +55,19 @@ plugin.init = async (params) => {
 		next();
 	});
 
-	// PDF binary endpoint (nonce-validated, guests allowed)
+	// PDF binary endpoint (nonce-validated, authentication required)
 	router.get('/api/v3/plugins/pdf-secure/pdf-data', controllers.servePdfBinary);
 
 	// Admin page route
 	routeHelpers.setupAdminPageRoute(router, '/admin/plugins/pdf-secure', controllers.renderAdminPage);
 
-	// Viewer page route (fullscreen Mozilla PDF.js viewer, guests allowed)
+	// Viewer page route (fullscreen Mozilla PDF.js viewer, authentication required)
 	router.get('/plugins/pdf-secure/viewer', async (req, res) => {
+		// Authentication gate - require logged-in user
+		if (!req.uid) {
+			return res.status(401).json({ error: 'Authentication required' });
+		}
+
 		const { file } = req.query;
 		if (!file) {
 			return res.status(400).send('Missing file parameter');
@@ -79,10 +84,10 @@ plugin.init = async (params) => {
 			return res.status(500).send('Viewer not available');
 		}
 
-		// Check if user is Premium or Lite (admins/global mods always premium)
-		let isPremium = false;
-		let isLite = false;
-		if (req.uid) {
+		try {
+			// Check if user is Premium or Lite (admins/global mods always premium)
+			let isPremium = false;
+			let isLite = false;
 			const [isAdmin, isGlobalMod, isPremiumMember, isVipMember, isLiteMember] = await Promise.all([
 				groups.isMember(req.uid, 'administrators'),
 				groups.isMember(req.uid, 'Global Moderators'),
@@ -93,48 +98,52 @@ plugin.init = async (params) => {
 			isPremium = isAdmin || isGlobalMod || isPremiumMember || isVipMember;
 			// Lite: full PDF access but restricted UI (no annotations, sidebar, etc.)
 			isLite = !isPremium && isLiteMember;
-		}
 
-		// Lite users get full PDF like premium (for nonce/server-side PDF data)
-		const hasFullAccess = isPremium || isLite;
-		const nonceData = nonceStore.generate(req.uid || 0, safeName, hasFullAccess);
-
-		// Serve the viewer template with comprehensive security headers
-		res.set({
-			'X-Frame-Options': 'SAMEORIGIN',
-			'X-Content-Type-Options': 'nosniff',
-			'X-XSS-Protection': '1; mode=block',
-			'Cache-Control': 'no-store, no-cache, must-revalidate, private, max-age=0',
-			'Pragma': 'no-cache',
-			'Expires': '0',
-			'Referrer-Policy': 'no-referrer',
-			'Permissions-Policy': 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()',
-			'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'self'",
-		});
-
-		// Inject the filename, nonce, and key into the cached viewer
-		// Key is embedded in HTML - NOT visible in any network API response!
-		const injectedHtml = viewerHtmlCache
-			.replace('</head>', `
-				<style>
-					/* Hide upload overlay since PDF will auto-load */
-					#uploadOverlay { display: none !important; }
-				</style>
-				<script>
-					window.PDF_SECURE_CONFIG = {
-						filename: ${JSON.stringify(safeName)},
-						relativePath: ${JSON.stringify(req.app.get('relative_path') || '')},
-						csrfToken: ${JSON.stringify(req.csrfToken ? req.csrfToken() : '')},
-						nonce: ${JSON.stringify(nonceData.nonce)},
-						dk: ${JSON.stringify(nonceData.xorKey)},
-						isPremium: ${JSON.stringify(isPremium)},
-						isLite: ${JSON.stringify(isLite)},
-						uid: ${JSON.stringify(req.uid || 0)}
-					};
-				</script>
-			</head>`);
-
-		res.type('html').send(injectedHtml);
+			// Lite users get full PDF like premium (for nonce/server-side PDF data)
+			const hasFullAccess = isPremium || isLite;
+			const nonceData = nonceStore.generate(req.uid, safeName, hasFullAccess);
+
+			// Serve the viewer template with comprehensive security headers
+			res.set({
+				'X-Frame-Options': 'SAMEORIGIN',
+				'X-Content-Type-Options': 'nosniff',
+				'X-XSS-Protection': '1; mode=block',
+				'Cache-Control': 'no-store, no-cache, must-revalidate, private, max-age=0',
+				'Pragma': 'no-cache',
+				'Expires': '0',
+				'Referrer-Policy': 'no-referrer',
+				'Permissions-Policy': 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()',
+				'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'self'",
+			});
+
+			// Inject the filename, nonce, and key into the cached viewer
+			// Key is embedded in HTML - NOT visible in any network API response!
+			const injectedHtml = viewerHtmlCache
+				.replace('</head>', `
+					<style>
+						/* Hide upload overlay since PDF will auto-load */
+						#uploadOverlay { display: none !important; }
+					</style>
+					<script>
+						window.PDF_SECURE_CONFIG = {
+							filename: ${JSON.stringify(safeName)},
+							relativePath: ${JSON.stringify(req.app.get('relative_path') || '')},
+							csrfToken: ${JSON.stringify(req.csrfToken ? req.csrfToken() : '')},
+							nonce: ${JSON.stringify(nonceData.nonce)},
+							dk: ${JSON.stringify(nonceData.dk)},
+							iv: ${JSON.stringify(nonceData.iv)},
+							isPremium: ${JSON.stringify(isPremium)},
+							isLite: ${JSON.stringify(isLite)},
+							uid: ${JSON.stringify(req.uid)}
+						};
+					</script>
+				</head>`);
+
+			res.type('html').send(injectedHtml);
+		} catch (err) {
+			console.error('[PDF-Secure] Viewer route error:', err.message);
+			return res.status(500).send('Internal error');
+		}
 	});
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure",
-  "version": "1.2.28",
+  "version": "1.2.30",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {

package/static/viewer-app.js

@@ -151,31 +151,37 @@
         // Thumbnails will be generated on-demand when sidebar opens
     }
 
-    // Partial XOR decoder - must match backend encoding
-    function partialXorDecode(encodedData, keyBase64) {
-        const key = Uint8Array.from(atob(keyBase64), c => c.charCodeAt(0));
-        const data = new Uint8Array(encodedData);
-        const keyLen = key.length;
-
-        // Decrypt first 10KB fully
-        const fullDecryptLen = Math.min(10240, data.length);
-        for (let i = 0; i < fullDecryptLen; i++) {
-            data[i] = data[i] ^ key[i % keyLen];
-        }
-
-        // Decrypt every 50th byte after that
-        for (let i = fullDecryptLen; i < data.length; i += 50) {
-            data[i] = data[i] ^ key[i % keyLen];
-        }
-
-        return data.buffer;
+    // AES-256-GCM decoder using Web Crypto API
+    async function aesGcmDecode(encodedData, keyBase64, ivBase64) {
+        const keyBytes = Uint8Array.from(atob(keyBase64), c => c.charCodeAt(0));
+        const iv = Uint8Array.from(atob(ivBase64), c => c.charCodeAt(0));
+        const encData = new Uint8Array(encodedData);
+
+        // Format: [authTag (16 bytes)] [ciphertext]
+        const authTag = encData.slice(0, 16);
+        const ciphertext = encData.slice(16);
+
+        // Web Crypto expects ciphertext + authTag concatenated
+        const combined = new Uint8Array(ciphertext.length + authTag.length);
+        combined.set(ciphertext);
+        combined.set(authTag, ciphertext.length);
+
+        const cryptoKey = await crypto.subtle.importKey(
+            'raw', keyBytes, { name: 'AES-GCM' }, false, ['decrypt']
+        );
+
+        return crypto.subtle.decrypt(
+            { name: 'AES-GCM', iv: iv },
+            cryptoKey,
+            combined
+        );
     }
 
     function showPremiumLockOverlay(totalPages) {
         const viewerEl = document.getElementById('viewer');
         if (!viewerEl) return;
 
-        const uid = (window.PDF_SECURE_CONFIG && window.PDF_SECURE_CONFIG.uid) || 0;
+        const uid = (_cfg && _cfg.uid) || 0;
         const checkoutUrl = 'https://forum.ieu.app/pay/checkout?uid=' + uid;
 
         const overlay = document.createElement('div');
@@ -373,7 +379,8 @@
             if (!pdfBuffer) {
                 // Nonce and key are embedded in HTML config (not fetched from API)
                 const nonce = config.nonce;
-                const xorKey = config.dk;
+                const decryptKey = config.dk;
+                const decryptIv = config.iv;
 
                 // Fetch encrypted PDF binary
                 const pdfUrl = config.relativePath + '/api/v3/plugins/pdf-secure/pdf-data?nonce=' + encodeURIComponent(nonce);
@@ -386,10 +393,10 @@
                 const encodedBuffer = await pdfRes.arrayBuffer();
                 console.log('[PDF-Secure] Encrypted data received:', encodedBuffer.byteLength, 'bytes');
 
-                // Decode XOR encrypted data
-                if (xorKey) {
-                    console.log('[PDF-Secure] Decoding XOR encrypted data...');
-                    pdfBuffer = partialXorDecode(encodedBuffer, xorKey);
+                // Decrypt AES-256-GCM encrypted data
+                if (decryptKey && decryptIv) {
+                    console.log('[PDF-Secure] Decrypting AES-256-GCM data...');
+                    pdfBuffer = await aesGcmDecode(encodedBuffer, decryptKey, decryptIv);
                 } else {
                     pdfBuffer = encodedBuffer;
                 }
@@ -467,7 +474,7 @@
                     <path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm1 15h-2v-2h2v2zm0-4h-2V7h2v6z"/>
                 </svg>
                 <h2>Hata</h2>
-                <p>${err.message}</p>
+                <p>${err.message.replace(/[<>&"']/g, c => ({'<':'&lt;','>':'&gt;','&':'&amp;','"':'&quot;',"'":'&#39;'}[c]))}</p>
             `;
             }
         }
@@ -2658,7 +2665,7 @@
     function toggleFullscreen() {
         if (window.self !== window.top) {
             // Inside iframe: ask parent to handle fullscreen
-            window.parent.postMessage({ type: 'pdf-secure-fullscreen-toggle' }, '*');
+            window.parent.postMessage({ type: 'pdf-secure-fullscreen-toggle' }, window.location.origin);
         } else {
             // Standalone mode: use native fullscreen
             if (document.fullscreenElement) {