nodebb-plugin-pdf-secure 1.2.4 → 1.2.5

package/lib/controllers.js

@@ -5,23 +5,21 @@ const pdfHandler = require('./pdf-handler');
 
 const Controllers = module.exports;
 
-// XOR key for partial encryption (rotates through this pattern)
-const XOR_KEY = [0x5A, 0x3C, 0x7E, 0x1F, 0x9D, 0xB2, 0x4A, 0xE8];
-
 // Partial XOR - encrypts first 10KB and every 50th byte after that
-function partialXorEncode(buffer) {
+// Now uses dynamic key from nonce data
+function partialXorEncode(buffer, xorKey) {
 	const data = Buffer.from(buffer);
-	const keyLen = XOR_KEY.length;
+	const keyLen = xorKey.length;
 
 	// Encrypt first 10KB fully
 	const fullEncryptLen = Math.min(10240, data.length);
 	for (let i = 0; i < fullEncryptLen; i++) {
-		data[i] = data[i] ^ XOR_KEY[i % keyLen];
+		data[i] = data[i] ^ xorKey[i % keyLen];
 	}
 
 	// Encrypt every 50th byte after that
 	for (let i = fullEncryptLen; i < data.length; i += 50) {
-		data[i] = data[i] ^ XOR_KEY[i % keyLen];
+		data[i] = data[i] ^ xorKey[i % keyLen];
 	}
 
 	return data;
@@ -56,16 +54,14 @@ Controllers.servePdfBinary = async function (req, res) {
 			pdfBuffer = await pdfHandler.getSinglePagePdf(data.file);
 		}
 
-		// Apply partial XOR encryption
-		const encodedBuffer = partialXorEncode(pdfBuffer);
+		// Apply partial XOR encryption with dynamic key from nonce
+		const encodedBuffer = partialXorEncode(pdfBuffer, data.xorKey);
 
 		res.set({
-			'Content-Type': 'application/octet-stream',
+			'Content-Type': 'image/gif',  // Misleading - actual PDF binary
 			'Cache-Control': 'no-store, no-cache, must-revalidate, private',
 			'X-Content-Type-Options': 'nosniff',
 			'Content-Disposition': 'inline',
-			// Send XOR key as header for client decoding
-			'X-PDF-Key': Buffer.from(XOR_KEY).toString('base64'),
 		});
 
 		return res.send(encodedBuffer);

package/lib/nonce-store.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const crypto = require('crypto');
 const { v4: uuidv4 } = require('uuid');
 
 const store = new Map();
@@ -16,17 +17,38 @@ setInterval(() => {
 	}
 }, CLEANUP_INTERVAL).unref();
 
+// Generate a random XOR key (8 bytes)
+function generateXorKey() {
+	return crypto.randomBytes(8);
+}
+
 const NonceStore = module.exports;
 
 NonceStore.generate = function (uid, file, isPremium) {
 	const nonce = uuidv4();
+	const xorKey = generateXorKey();
+
 	store.set(nonce, {
 		uid: uid,
 		file: file,
 		isPremium: isPremium,
+		xorKey: xorKey,  // Store unique key for this nonce
 		createdAt: Date.now(),
 	});
-	return nonce;
+
+	return {
+		nonce: nonce,
+		xorKey: xorKey.toString('base64')  // Return key for viewer injection
+	};
+};
+
+// Get key without consuming nonce (for viewer injection)
+NonceStore.getKey = function (nonce) {
+	const data = store.get(nonce);
+	if (!data) {
+		return null;
+	}
+	return data.xorKey.toString('base64');
 };
 
 NonceStore.validate = function (nonce, uid) {
@@ -48,5 +70,5 @@ NonceStore.validate = function (nonce, uid) {
 		return null;
 	}
 
-	return data;
+	return data;  // Now includes xorKey
 };

package/library.js

@@ -59,6 +59,11 @@ plugin.init = async (params) => {
 			return res.status(500).send('Viewer not available');
 		}
 
+		// Generate nonce + key HERE (in viewer route)
+		// This way the key is ONLY embedded in HTML, never in a separate API response
+		const isPremium = true;
+		const nonceData = nonceStore.generate(req.uid, safeName, isPremium);
+
 		// Serve the viewer template with comprehensive security headers
 		res.set({
 			'X-Frame-Options': 'SAMEORIGIN',
@@ -72,7 +77,8 @@ plugin.init = async (params) => {
 			'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'self'",
 		});
 
-		// Inject the filename and config into the cached viewer
+		// Inject the filename, nonce, and key into the cached viewer
+		// Key is embedded in HTML - NOT visible in any network API response!
 		const injectedHtml = viewerHtmlCache
 			.replace('</head>', `
 				<style>
@@ -83,7 +89,9 @@ plugin.init = async (params) => {
 					window.PDF_SECURE_CONFIG = {
 						filename: ${JSON.stringify(safeName)},
 						relativePath: ${JSON.stringify(req.app.get('relative_path') || '')},
-						csrfToken: ${JSON.stringify(req.csrfToken ? req.csrfToken() : '')}
+						csrfToken: ${JSON.stringify(req.csrfToken ? req.csrfToken() : '')},
+						nonce: ${JSON.stringify(nonceData.nonce)},
+						dk: ${JSON.stringify(nonceData.xorKey)}
 					};
 				</script>
 			</head>`);
@@ -93,30 +101,8 @@ plugin.init = async (params) => {
 };
 
 plugin.addRoutes = async ({ router, middleware, helpers }) => {
-	// Nonce generation endpoint
-	routeHelpers.setupApiRoute(router, 'get', '/pdf-secure/nonce', [middleware.ensureLoggedIn], async (req, res) => {
-		const { file } = req.query;
-		if (!file) {
-			return helpers.formatApiResponse(400, res, new Error('Missing file parameter'));
-		}
-
-		// Sanitize filename
-		const path = require('path');
-		const safeName = path.basename(file);
-		if (!safeName || !safeName.toLowerCase().endsWith('.pdf')) {
-			return helpers.formatApiResponse(400, res, new Error('Invalid file'));
-		}
-
-		// Premium check disabled for testing — everyone gets full PDF
-		const isPremium = true;
-
-		const nonce = nonceStore.generate(req.uid, safeName, isPremium);
-
-		helpers.formatApiResponse(200, res, {
-			nonce: nonce,
-			isPremium: isPremium,
-		});
-	});
+	// Nonce endpoint removed - nonce is now generated in viewer route
+	// This improves security by not exposing any key-related data in API responses
 };
 
 plugin.addAdminNavigation = (header) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure",
-  "version": "1.2.4",
+  "version": "1.2.5",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {