nodebb-plugin-pdf-secure 1.2.6 → 1.2.8

package/library.js

@@ -129,10 +129,21 @@ plugin.filterMetaTags = async (hookData) => {
 		return hookData;
 	}
 
+	// Admin/Global Moderator bypass - no filtering for privileged users
+	if (hookData.req && hookData.req.uid) {
+		const [isAdmin, isGlobalMod] = await Promise.all([
+			groups.isMember(hookData.req.uid, 'administrators'),
+			groups.isMember(hookData.req.uid, 'Global Moderators'),
+		]);
+		if (isAdmin || isGlobalMod) {
+			return hookData;
+		}
+	}
+
 	// Filter out PDF-related meta tags
 	hookData.tags = hookData.tags.filter(tag => {
-		// Remove og:image if it contains .pdf
-		if (tag.property === 'og:image' && tag.content && tag.content.toLowerCase().includes('.pdf')) {
+		// Remove og:image and og:image:url if it contains .pdf
+		if ((tag.property === 'og:image' || tag.property === 'og:image:url') && tag.content && tag.content.toLowerCase().includes('.pdf')) {
 			return false;
 		}
 		// Remove twitter:image if it contains .pdf
@@ -154,4 +165,37 @@ plugin.filterMetaTags = async (hookData) => {
 	return hookData;
 };
 
+// Transform PDF links to secure placeholders (server-side)
+// This hides PDF URLs from: page source, API, RSS, ActivityPub
+plugin.transformPdfLinks = async (data) => {
+	if (!data || !data.postData || !data.postData.content) {
+		return data;
+	}
+
+	// Regex to match PDF links: <a href="...xxx.pdf">text</a>
+	// Captures: full URL path, filename, link text
+	const pdfLinkRegex = /<a\s+[^>]*href=["']([^"']*\/([^"'\/]+\.pdf))["'][^>]*>([^<]*)<\/a>/gi;
+
+	data.postData.content = data.postData.content.replace(pdfLinkRegex, (match, fullPath, filename, linkText) => {
+		// Decode filename to prevent double encoding (URL may already be encoded)
+		let decodedFilename;
+		try { decodedFilename = decodeURIComponent(filename); }
+		catch (e) { decodedFilename = filename; }
+
+		// Sanitize for HTML attribute
+		const safeFilename = decodedFilename.replace(/[<>"'&]/g, '');
+		const displayName = linkText.trim() || safeFilename;
+
+		// Return secure placeholder div instead of actual link
+		return `<div class="pdf-secure-placeholder" data-filename="${safeFilename}">
+			<svg viewBox="0 0 24 24" style="width:20px;height:20px;fill:#e81224;vertical-align:middle;margin-right:8px;">
+				<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>
+			</svg>
+			<span>${displayName}</span>
+		</div>`;
+	});
+
+	return data;
+};
+
 module.exports = plugin;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure",
-  "version": "1.2.6",
+  "version": "1.2.8",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {

package/plugin.json

@@ -18,6 +18,10 @@
 		{
 			"hook": "filter:meta.getMetaTags",
 			"method": "filterMetaTags"
+		},
+		{
+			"hook": "filter:parse.post",
+			"method": "transformPdfLinks"
 		}
 	],
 	"staticDirs": {

package/static/lib/main.js

@@ -2,13 +2,55 @@
 
 // Main plugin logic - PDF links become inline embedded viewers with lazy loading + queue
 (async function () {
+	// ============================================
+	// PDF.js PRELOAD - Cache CDN assets before iframe loads
+	// ============================================
+	(function preloadPdfJs() {
+		const preloads = [
+			{ href: 'https://cdnjs.cloudflare.com/ajax/libs/pdf.js/3.11.174/pdf.min.js', as: 'script' },
+			{ href: 'https://cdnjs.cloudflare.com/ajax/libs/pdf.js/3.11.174/pdf_viewer.min.css', as: 'style' }
+		];
+		preloads.forEach(({ href, as }) => {
+			if (!document.querySelector(`link[href="${href}"]`)) {
+				const link = document.createElement('link');
+				link.rel = 'preload';
+				link.href = href;
+				link.as = as;
+				link.crossOrigin = 'anonymous';
+				document.head.appendChild(link);
+			}
+		});
+	})();
+
 	// Loading queue - only load one PDF at a time
 	const loadQueue = [];
 	let isLoading = false;
 	let currentResolver = null;
 
-	// Listen for postMessage from iframe when PDF is fully rendered
+	// ============================================
+	// SPA MEMORY CACHE - Cache decoded PDF buffers
+	// ============================================
+	const pdfBufferCache = new Map();  // filename -> ArrayBuffer
+	const CACHE_MAX_SIZE = 5;  // ~50MB limit (avg 10MB per PDF)
+	let currentLoadingFilename = null;
+
+	function setCachedBuffer(filename, buffer) {
+		// Evict oldest if cache is full
+		if (pdfBufferCache.size >= CACHE_MAX_SIZE) {
+			const firstKey = pdfBufferCache.keys().next().value;
+			pdfBufferCache.delete(firstKey);
+			console.log('[PDF-Secure] Cache: Evicted', firstKey);
+		}
+		pdfBufferCache.set(filename, buffer);
+		console.log('[PDF-Secure] Cache: Stored', filename, '(', (buffer.byteLength / 1024 / 1024).toFixed(2), 'MB)');
+	}
+
+	// Listen for postMessage from iframe
 	window.addEventListener('message', function (event) {
+		// Security: Only accept messages from same origin
+		if (event.origin !== window.location.origin) return;
+
+		// PDF ready - resolve queue
 		if (event.data && event.data.type === 'pdf-secure-ready') {
 			console.log('[PDF-Secure] Queue: PDF ready -', event.data.filename);
 			if (currentResolver) {
@@ -16,6 +58,37 @@
 				currentResolver = null;
 			}
 		}
+
+		// PDF buffer from viewer - cache it
+		if (event.data && event.data.type === 'pdf-secure-buffer') {
+			const { filename, buffer } = event.data;
+			if (filename && buffer) {
+				setCachedBuffer(filename, buffer);
+			}
+		}
+
+		// Viewer asking for cached buffer
+		if (event.data && event.data.type === 'pdf-secure-cache-request') {
+			const { filename } = event.data;
+			const cached = pdfBufferCache.get(filename);
+			if (cached && event.source) {
+				// Send cached buffer to viewer (transferable for 0-copy)
+				event.source.postMessage({
+					type: 'pdf-secure-cache-response',
+					filename: filename,
+					buffer: cached
+				}, event.origin, [cached.slice(0)]);  // Clone buffer since we keep original
+				console.log('[PDF-Secure] Cache: Hit -', filename);
+			} else if (event.source) {
+				// No cache, viewer will fetch normally
+				event.source.postMessage({
+					type: 'pdf-secure-cache-response',
+					filename: filename,
+					buffer: null
+				}, event.origin);
+				console.log('[PDF-Secure] Cache: Miss -', filename);
+			}
+		}
 	});
 
 	async function processQueue() {
@@ -59,8 +132,20 @@
 		var postContents = document.querySelectorAll('[component="post/content"]');
 
 		postContents.forEach(function (content) {
-			var pdfLinks = content.querySelectorAll('a[href$=".pdf"], a[href$=".PDF"]');
+			// NEW: Detect server-rendered secure placeholders (hides URL from source)
+			var placeholders = content.querySelectorAll('.pdf-secure-placeholder');
+			placeholders.forEach(function (placeholder) {
+				if (placeholder.dataset.pdfSecureProcessed) return;
+				placeholder.dataset.pdfSecureProcessed = 'true';
 
+				var filename = placeholder.dataset.filename;
+				var displayName = placeholder.querySelector('span')?.textContent || filename;
+
+				createPdfViewer(placeholder, filename, displayName);
+			});
+
+			// FALLBACK: Detect old-style PDF links (for backwards compatibility)
+			var pdfLinks = content.querySelectorAll('a[href$=".pdf"], a[href$=".PDF"]');
 			pdfLinks.forEach(function (link) {
 				if (link.dataset.pdfSecure) return;
 				link.dataset.pdfSecure = 'true';
@@ -68,112 +153,93 @@
 				var href = link.getAttribute('href');
 				var parts = href.split('/');
 				var filename = parts[parts.length - 1];
+				var displayName = link.textContent || filename;
 
-				// Create container
-				var container = document.createElement('div');
-				container.className = 'pdf-secure-embed';
-				container.style.cssText = 'margin:16px 0;border-radius:12px;overflow:hidden;background:#1f1f1f;border:1px solid rgba(255,255,255,0.1);box-shadow:0 4px 20px rgba(0,0,0,0.25);';
-
-				// Header
-				var header = document.createElement('div');
-				header.className = 'pdf-secure-embed-header';
-				header.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:10px 16px;background:linear-gradient(135deg,#2d2d2d 0%,#252525 100%);border-bottom:1px solid rgba(255,255,255,0.08);';
-
-				var title = document.createElement('div');
-				title.className = 'pdf-secure-embed-title';
-				title.style.cssText = 'display:flex;align-items:center;gap:10px;color:#fff;font-size:14px;font-weight:500;';
-
-				var icon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
-				icon.setAttribute('viewBox', '0 0 24 24');
-				icon.style.cssText = 'width:20px;height:20px;min-width:20px;max-width:20px;fill:#e81224;flex-shrink:0;';
-				icon.innerHTML = '<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>';
-
-				var nameSpan = document.createElement('span');
-				nameSpan.style.cssText = 'white-space:nowrap;overflow:hidden;text-overflow:ellipsis;max-width:400px;';
-				nameSpan.textContent = decodeURIComponent(link.textContent || filename);
-
-				title.appendChild(icon);
-				title.appendChild(nameSpan);
-
-				// Actions
-				var actions = document.createElement('div');
-				actions.style.cssText = 'display:flex;gap:8px;';
-
-				var fullscreenBtn = document.createElement('button');
-				fullscreenBtn.className = 'pdf-secure-fullscreen-btn';
-				fullscreenBtn.title = 'Tam Ekran';
-				fullscreenBtn.style.cssText = 'display:flex;align-items:center;justify-content:center;width:32px;height:32px;background:rgba(255,255,255,0.08);border:none;border-radius:6px;cursor:pointer;';
-
-				var fullscreenIcon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
-				fullscreenIcon.setAttribute('viewBox', '0 0 24 24');
-				fullscreenIcon.style.cssText = 'width:18px;height:18px;min-width:18px;max-width:18px;fill:#fff;';
-				fullscreenIcon.innerHTML = '<path d="M7 14H5v5h5v-2H7v-3zm-2-4h2V7h3V5H5v5zm12 7h-3v2h5v-5h-2v3zM14 5v2h3v3h2V5h-5z"/>';
-				fullscreenBtn.appendChild(fullscreenIcon);
-				actions.appendChild(fullscreenBtn);
-
-				header.appendChild(title);
-				header.appendChild(actions);
-				container.appendChild(header);
-
-				// Body with loading placeholder
-				var iframeWrapper = document.createElement('div');
-				iframeWrapper.className = 'pdf-secure-embed-body';
-				iframeWrapper.style.cssText = 'position:relative;width:100%;height:600px;background:#525659;';
-
-				// Loading placeholder - ALWAYS VISIBLE until PDF ready (z-index: 10)
-				var loadingPlaceholder = document.createElement('div');
-				loadingPlaceholder.className = 'pdf-loading-placeholder';
-				loadingPlaceholder.style.cssText = 'position:absolute;top:0;left:0;right:0;bottom:0;display:flex;flex-direction:column;align-items:center;justify-content:center;background:#2d2d2d;color:#fff;gap:16px;z-index:10;transition:opacity 0.3s;';
-				loadingPlaceholder.innerHTML = `
+				createPdfViewer(link, filename, displayName);
+			});
+		});
+	}
+
+	function createPdfViewer(targetElement, filename, displayName) {
+
+		// Create container
+		var container = document.createElement('div');
+		container.className = 'pdf-secure-embed';
+		container.style.cssText = 'margin:16px 0;border-radius:12px;overflow:hidden;background:#1f1f1f;border:1px solid rgba(255,255,255,0.1);box-shadow:0 4px 20px rgba(0,0,0,0.25);';
+
+		// Header
+		var header = document.createElement('div');
+		header.className = 'pdf-secure-embed-header';
+		header.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:10px 16px;background:linear-gradient(135deg,#2d2d2d 0%,#252525 100%);border-bottom:1px solid rgba(255,255,255,0.08);';
+
+		var title = document.createElement('div');
+		title.className = 'pdf-secure-embed-title';
+		title.style.cssText = 'display:flex;align-items:center;gap:10px;color:#fff;font-size:14px;font-weight:500;';
+
+		var icon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+		icon.setAttribute('viewBox', '0 0 24 24');
+		icon.style.cssText = 'width:20px;height:20px;min-width:20px;max-width:20px;fill:#e81224;flex-shrink:0;';
+		icon.innerHTML = '<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>';
+
+		var nameSpan = document.createElement('span');
+		nameSpan.style.cssText = 'white-space:nowrap;overflow:hidden;text-overflow:ellipsis;max-width:400px;';
+		try { nameSpan.textContent = decodeURIComponent(displayName); }
+		catch (e) { nameSpan.textContent = displayName; }
+
+		title.appendChild(icon);
+		title.appendChild(nameSpan);
+
+		header.appendChild(title);
+		container.appendChild(header);
+
+		// Body with loading placeholder
+		var iframeWrapper = document.createElement('div');
+		iframeWrapper.className = 'pdf-secure-embed-body';
+		iframeWrapper.style.cssText = 'position:relative;width:100%;height:600px;background:#525659;';
+
+		// Loading placeholder - ALWAYS VISIBLE until PDF ready (z-index: 10)
+		var loadingPlaceholder = document.createElement('div');
+		loadingPlaceholder.className = 'pdf-loading-placeholder';
+		loadingPlaceholder.style.cssText = 'position:absolute;top:0;left:0;right:0;bottom:0;display:flex;flex-direction:column;align-items:center;justify-content:center;background:#2d2d2d;color:#fff;gap:16px;z-index:10;transition:opacity 0.3s;';
+		loadingPlaceholder.innerHTML = `
 					<svg viewBox="0 0 24 24" style="width:48px;height:48px;fill:#555;">
 						<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>
 					</svg>
 					<div class="pdf-loading-text" style="font-size:14px;color:#a0a0a0;">Sırada bekliyor...</div>
 					<style>@keyframes spin{from{transform:rotate(0deg)}to{transform:rotate(360deg)}}</style>
 				`;
-				iframeWrapper.appendChild(loadingPlaceholder);
+		iframeWrapper.appendChild(loadingPlaceholder);
+
+		container.appendChild(iframeWrapper);
 
-				container.appendChild(iframeWrapper);
+		targetElement.replaceWith(container);
 
-				// Fullscreen handler
-				fullscreenBtn.addEventListener('click', function () {
-					var iframe = iframeWrapper.querySelector('iframe');
-					if (iframe) {
-						if (iframe.requestFullscreen) iframe.requestFullscreen();
-						else if (iframe.webkitRequestFullscreen) iframe.webkitRequestFullscreen();
+		// LAZY LOADING with Intersection Observer + Queue
+		var observer = new IntersectionObserver(function (entries) {
+			entries.forEach(function (entry) {
+				if (entry.isIntersecting) {
+					// Update placeholder to show loading state
+					var textEl = loadingPlaceholder.querySelector('.pdf-loading-text');
+					if (textEl) textEl.textContent = 'PDF Yükleniyor...';
+
+					var svgEl = loadingPlaceholder.querySelector('svg');
+					if (svgEl) {
+						svgEl.style.fill = '#0078d4';
+						svgEl.style.animation = 'spin 1s linear infinite';
+						svgEl.innerHTML = '<path d="M12 4V2A10 10 0 0 0 2 12h2a8 8 0 0 1 8-8z"/>';
 					}
-				});
-
-				link.replaceWith(container);
-
-				// LAZY LOADING with Intersection Observer + Queue
-				var observer = new IntersectionObserver(function (entries) {
-					entries.forEach(function (entry) {
-						if (entry.isIntersecting) {
-							// Update placeholder to show loading state
-							var textEl = loadingPlaceholder.querySelector('.pdf-loading-text');
-							if (textEl) textEl.textContent = 'PDF Yükleniyor...';
-
-							var svgEl = loadingPlaceholder.querySelector('svg');
-							if (svgEl) {
-								svgEl.style.fill = '#0078d4';
-								svgEl.style.animation = 'spin 1s linear infinite';
-								svgEl.innerHTML = '<path d="M12 4V2A10 10 0 0 0 2 12h2a8 8 0 0 1 8-8z"/>';
-							}
-
-							// Add to queue
-							queuePdfLoad(iframeWrapper, filename, loadingPlaceholder);
-							observer.disconnect();
-						}
-					});
-				}, {
-					rootMargin: '200px',
-					threshold: 0
-				});
 
-				observer.observe(container);
+					// Add to queue
+					queuePdfLoad(iframeWrapper, filename, loadingPlaceholder);
+					observer.disconnect();
+				}
 			});
+		}, {
+			rootMargin: '200px',
+			threshold: 0
 		});
+
+		observer.observe(container);
 	}
 
 	function loadPdfIframe(wrapper, filename, placeholder) {