nodebb-plugin-pdf-secure2 1.2.30

package/.gitattributes

@@ -0,0 +1,22 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs     diff=csharp
+*.sln    merge=union
+*.csproj merge=union
+*.vbproj merge=union
+*.fsproj merge=union
+*.dbproj merge=union
+
+# Standard to msysgit
+*.doc	 diff=astextplain
+*.DOC	 diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot  diff=astextplain
+*.DOT  diff=astextplain
+*.pdf  diff=astextplain
+*.PDF	 diff=astextplain
+*.rtf	 diff=astextplain
+*.RTF	 diff=astextplain

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 NodeBB Inc. <sales@nodebb.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,17 @@
+# Quickstart Plugin for NodeBB
+
+A starter kit for quickly creating NodeBB plugins. Comes with a pre-setup SCSS file, server side JS script with an `static:app.load` hook, and a client-side script. Most plugins need at least one of the above, so this ought to save you some time. For a full list of hooks have a look at our [wiki page](https://github.com/NodeBB/NodeBB/wiki/Hooks), and for more information about creating plugins please visit our [documentation portal](https://docs.nodebb.org/).
+
+Fork this or copy it, and using your favourite text editor find and replace all instances of `nodebb-plugin-quickstart` with `nodebb-plugin-your-plugins-name`. Change the author's name in the LICENSE and package.json files.
+
+## Hello World
+
+Really simple, just edit `public/lib/main.js` and paste in `console.log('hello world');`, and that's it!
+
+## Installation
+
+    npm install nodebb-plugin-quickstart
+
+## Screenshots
+
+Don't forget to add screenshots!

package/commitlint.config.js

@@ -0,0 +1,26 @@
+'use strict';
+
+module.exports = {
+	extends: ['@commitlint/config-angular'],
+	rules: {
+		'header-max-length': [1, 'always', 72],
+		'type-enum': [
+			2,
+			'always',
+			[
+				'breaking',
+				'build',
+				'chore',
+				'ci',
+				'docs',
+				'feat',
+				'fix',
+				'perf',
+				'refactor',
+				'revert',
+				'style',
+				'test',
+			],
+		],
+	},
+};

package/docs/plans/2026-02-24-premium-gate-design.md

@@ -0,0 +1,52 @@
+# Premium Gate Design
+
+## Problem
+All PDFs are currently fully viewable by all users. We need to restrict non-Premium users to viewing only the first page, with a lock overlay prompting them to upgrade.
+
+## Requirements
+- Users in the "Premium" NodeBB group see all PDF pages
+- Users NOT in "Premium" see only the first page
+- Locked pages show a warning overlay with:
+  - Lock icon + "Premium required" message
+  - Link to forumtest.ieu.app/premium
+  - Secondary message about uploading materials to become Premium
+- Admins and Global Moderators always get full access
+
+## Approach: Server-Side Control
+
+### Server Changes
+
+**library.js (viewer route, line ~83):**
+- Replace `const isPremium = true;` with actual group membership check
+- Use `groups.isMember(req.uid, 'Premium')`
+- Admin + Global Mod bypass (already exists for direct access, reuse pattern)
+- Inject `isPremium` and `totalPages` into `window.PDF_SECURE_CONFIG`
+
+**lib/pdf-handler.js:**
+- Add `getTotalPages(filename)` function
+- Loads PDF, returns `srcDoc.getPageCount()`
+- Used by viewer route to tell client how many pages exist
+
+**lib/controllers.js:**
+- No changes needed - already handles `isPremium` flag from nonce data
+
+### Client Changes
+
+**static/viewer.html / viewer-app.js:**
+- After PDF loads, if `isPremium === false`:
+  - Show only 1 page (server already sends only 1 page)
+  - Below the first page, render a lock overlay
+  - Overlay content:
+    - Lock icon (SVG)
+    - "Bu icerigi goruntulemek icin Premium uyelik gereklidir"
+    - "Premium Satin Al" button → forumtest.ieu.app/premium
+    - "Materyal yukleyerek de Premium olabilirsiniz!" secondary text
+
+### Flow
+1. User clicks PDF → viewer route called
+2. Server checks Premium group membership
+3. isPremium flag set in nonce + injected to viewer HTML
+4. If not premium: server sends single-page PDF via getSinglePagePdf()
+5. Client shows the page + lock overlay with upgrade prompt
+6. If premium: server sends full PDF via getFullPdf()
+7. Client shows all pages normally

package/docs/plans/2026-02-24-premium-gate.md

@@ -0,0 +1,323 @@
+# Premium Gate Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Restrict non-Premium users to viewing only the first PDF page, with a lock overlay prompting upgrade.
+
+**Architecture:** Server checks user's "Premium" group membership, sends single-page PDF for non-premium users. Client renders a lock overlay below the first page showing upgrade prompts. Admin/Global Moderators always get full access.
+
+**Tech Stack:** NodeBB plugin (Node.js), pdf-lib, PDF.js viewer, LESS/CSS
+
+---
+
+### Task 1: Add getTotalPages to pdf-handler
+
+**Files:**
+- Modify: `lib/pdf-handler.js`
+
+**Step 1: Add getTotalPages function**
+
+Add after `getSinglePagePdf` (after line 89):
+
+```javascript
+PdfHandler.getTotalPages = async function (filename) {
+	const filePath = PdfHandler.resolveFilePath(filename);
+	if (!filePath) {
+		throw new Error('Invalid filename');
+	}
+
+	if (!fs.existsSync(filePath)) {
+		throw new Error('File not found');
+	}
+
+	const pdfBytes = await fs.promises.readFile(filePath);
+	const srcDoc = await PDFDocument.load(pdfBytes);
+	return srcDoc.getPageCount();
+};
+```
+
+**Step 2: Commit**
+
+```bash
+git add lib/pdf-handler.js
+git commit -m "feat: add getTotalPages to pdf-handler"
+```
+
+---
+
+### Task 2: Add Premium group check to viewer route
+
+**Files:**
+- Modify: `library.js` (lines 63-119, the viewer route)
+
+**Step 1: Replace hardcoded isPremium with group check**
+
+In `library.js`, replace line 83:
+```javascript
+const isPremium = true;
+```
+
+With:
+```javascript
+// Check if user is Premium (admins/global mods always premium)
+let isPremium = false;
+if (req.uid) {
+	const [isAdmin, isGlobalMod, isPremiumMember] = await Promise.all([
+		groups.isMember(req.uid, 'administrators'),
+		groups.isMember(req.uid, 'Global Moderators'),
+		groups.isMember(req.uid, 'Premium'),
+	]);
+	isPremium = isAdmin || isGlobalMod || isPremiumMember;
+}
+```
+
+**Step 2: Add totalPages to config injection**
+
+In `library.js`, inside the viewer route handler, before the nonce generation, add:
+```javascript
+// Get total page count for non-premium lock overlay
+const pdfHandler = require('./lib/pdf-handler');
+let totalPages = 1;
+try {
+	totalPages = await pdfHandler.getTotalPages(safeName);
+} catch (e) {
+	console.error('[PDF-Secure] Failed to get page count:', e.message);
+}
+```
+
+Note: Move the `pdfHandler` require to the top of the file (line 10 area) instead of inline.
+
+**Step 3: Inject isPremium and totalPages into viewer config**
+
+In the `window.PDF_SECURE_CONFIG` object (around line 108-114), add two new fields:
+```javascript
+window.PDF_SECURE_CONFIG = {
+	filename: ${JSON.stringify(safeName)},
+	relativePath: ${JSON.stringify(req.app.get('relative_path') || '')},
+	csrfToken: ${JSON.stringify(req.csrfToken ? req.csrfToken() : '')},
+	nonce: ${JSON.stringify(nonceData.nonce)},
+	dk: ${JSON.stringify(nonceData.xorKey)},
+	isPremium: ${JSON.stringify(isPremium)},
+	totalPages: ${JSON.stringify(totalPages)}
+};
+```
+
+**Step 4: Make the viewer route handler async**
+
+The current route handler at line 64 is a sync callback: `router.get('/plugins/pdf-secure/viewer', (req, res) => {`
+
+Change it to async: `router.get('/plugins/pdf-secure/viewer', async (req, res) => {`
+
+**Step 5: Commit**
+
+```bash
+git add library.js
+git commit -m "feat: check Premium group membership in viewer route"
+```
+
+---
+
+### Task 3: Add lock overlay to viewer-app.js
+
+**Files:**
+- Modify: `static/viewer-app.js`
+
+**Step 1: Add premium lock overlay after PDF loads**
+
+In `autoLoadSecurePDF()`, after `await loadPDFFromBuffer(pdfBuffer);` (line 262), add the lock overlay logic. The config is still available at this point (it gets deleted on line 270).
+
+Insert before `pdfBuffer = null;` (line 267):
+
+```javascript
+// Premium Gate: Show lock overlay for non-premium users
+if (config.isPremium === false && config.totalPages > 1) {
+	showPremiumLockOverlay(config.totalPages);
+}
+```
+
+**Step 2: Add showPremiumLockOverlay function**
+
+Add this function inside the IIFE, before `autoLoadSecurePDF()`:
+
+```javascript
+function showPremiumLockOverlay(totalPages) {
+	const viewerEl = document.getElementById('viewer');
+	if (!viewerEl) return;
+
+	const overlay = document.createElement('div');
+	overlay.id = 'premiumLockOverlay';
+	overlay.innerHTML = `
+		<div class="premium-lock-icon">
+			<svg viewBox="0 0 24 24" width="64" height="64" fill="#ffd700">
+				<path d="M18 8h-1V6c0-2.76-2.24-5-5-5S7 3.24 7 6v2H6c-1.1 0-2 .9-2 2v10c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V10c0-1.1-.9-2-2-2zm-6 9c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2zm3.1-9H8.9V6c0-1.71 1.39-3.1 3.1-3.1s3.1 1.39 3.1 3.1v2z"/>
+			</svg>
+		</div>
+		<div class="premium-lock-pages">
+			${totalPages - 1} sayfa daha kilitli
+		</div>
+		<div class="premium-lock-message">
+			Bu icerigi goruntuleye devam etmek icin Premium uyelik gereklidir.
+		</div>
+		<a href="https://forumtest.ieu.app/premium" target="_blank" class="premium-lock-button">
+			Premium Satin Al
+		</a>
+		<div class="premium-lock-secondary">
+			Materyal yukleyerek de Premium olabilirsiniz!
+		</div>
+	`;
+
+	viewerEl.appendChild(overlay);
+}
+```
+
+**Step 3: Commit**
+
+```bash
+git add static/viewer-app.js
+git commit -m "feat: add premium lock overlay for non-premium users"
+```
+
+---
+
+### Task 4: Add lock overlay CSS styles
+
+**Files:**
+- Modify: `static/viewer.html` (inline styles section)
+
+**Step 1: Add premium lock overlay styles**
+
+Add these styles inside the `<style>` tag in viewer.html, before the closing `</style>`:
+
+```css
+/* Premium Lock Overlay */
+#premiumLockOverlay {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    justify-content: center;
+    padding: 60px 20px;
+    text-align: center;
+    background: linear-gradient(180deg, rgba(31,31,31,0.95) 0%, rgba(20,20,20,0.98) 100%);
+    border-top: 2px solid rgba(255, 215, 0, 0.3);
+    min-height: 400px;
+    margin: 0 auto;
+    max-width: 100%;
+}
+
+.premium-lock-icon {
+    margin-bottom: 20px;
+    opacity: 0.9;
+}
+
+.premium-lock-pages {
+    font-size: 22px;
+    font-weight: 600;
+    color: #ffd700;
+    margin-bottom: 12px;
+}
+
+.premium-lock-message {
+    font-size: 16px;
+    color: #a0a0a0;
+    margin-bottom: 28px;
+    max-width: 400px;
+    line-height: 1.5;
+}
+
+.premium-lock-button {
+    display: inline-block;
+    padding: 14px 40px;
+    background: linear-gradient(135deg, #ffd700 0%, #ffaa00 100%);
+    color: #1a1a1a;
+    font-size: 16px;
+    font-weight: 700;
+    border-radius: 8px;
+    text-decoration: none;
+    transition: transform 0.2s, box-shadow 0.2s;
+    box-shadow: 0 4px 15px rgba(255, 215, 0, 0.3);
+}
+
+.premium-lock-button:hover {
+    transform: translateY(-2px);
+    box-shadow: 0 6px 20px rgba(255, 215, 0, 0.4);
+}
+
+.premium-lock-secondary {
+    margin-top: 20px;
+    font-size: 14px;
+    color: #888;
+    font-style: italic;
+}
+
+@media (max-width: 768px) {
+    #premiumLockOverlay {
+        padding: 40px 16px;
+        min-height: 300px;
+    }
+
+    .premium-lock-pages {
+        font-size: 18px;
+    }
+
+    .premium-lock-message {
+        font-size: 14px;
+    }
+
+    .premium-lock-button {
+        padding: 12px 32px;
+        font-size: 14px;
+    }
+}
+```
+
+**Step 2: Commit**
+
+```bash
+git add static/viewer.html
+git commit -m "feat: add premium lock overlay CSS styles"
+```
+
+---
+
+### Task 5: Hide sidebar and page count for non-premium users
+
+**Files:**
+- Modify: `static/viewer-app.js`
+
+**Step 1: Update page count display for non-premium**
+
+In the `pagesinit` event handler (around line 360-362), update the page count to show total pages from config instead of the actual loaded pages:
+
+Find the `eventBus.on('pagesinit', ...)` handler and wrap the pageCount update:
+
+```javascript
+eventBus.on('pagesinit', () => {
+    pdfViewer.currentScaleValue = 'page-width';
+    // For non-premium, show "1 / totalPages" instead of "1 / 1"
+    const savedConfig = window._pdfSecurePremiumInfo;
+    if (savedConfig && !savedConfig.isPremium && savedConfig.totalPages > 1) {
+        document.getElementById('pageCount').textContent = `/ ${savedConfig.totalPages}`;
+    } else {
+        document.getElementById('pageCount').textContent = `/ ${pdfViewer.pagesCount}`;
+    }
+});
+```
+
+**Step 2: Save premium info before config is deleted**
+
+In `autoLoadSecurePDF()`, right before the config delete line (`delete window.PDF_SECURE_CONFIG`), save the premium info:
+
+```javascript
+// Save premium info for UI (page count display)
+window._pdfSecurePremiumInfo = {
+    isPremium: config.isPremium,
+    totalPages: config.totalPages
+};
+```
+
+**Step 3: Commit**
+
+```bash
+git add static/viewer-app.js
+git commit -m "feat: show real total page count for non-premium users"
+```

package/eslint.config.mjs

@@ -0,0 +1,10 @@
+'use strict';
+
+import serverConfig from 'eslint-config-nodebb';
+import publicConfig from 'eslint-config-nodebb/public';
+
+export default [
+	...publicConfig,
+	...serverConfig,
+];
+

package/languages/de/pdf-secure.json

@@ -0,0 +1,7 @@
+{
+	"view-pdf": "PDF anzeigen",
+	"premium-upgrade": "Upgrade auf Premium, um das vollständige Dokument anzuzeigen.",
+	"loading": "PDF wird geladen...",
+	"access-denied": "Zugriff verweigert",
+	"login-required": "Sie müssen angemeldet sein, um diese PDF anzuzeigen."
+}

package/languages/en-GB/pdf-secure.json

@@ -0,0 +1,7 @@
+{
+	"view-pdf": "View PDF",
+	"premium-upgrade": "Upgrade to Premium to view the full document.",
+	"loading": "Loading PDF...",
+	"access-denied": "Access denied",
+	"login-required": "You must be logged in to view this PDF."
+}

package/languages/en-US/pdf-secure.json

@@ -0,0 +1,7 @@
+{
+	"view-pdf": "View PDF",
+	"premium-upgrade": "Upgrade to Premium to view the full document.",
+	"loading": "Loading PDF...",
+	"access-denied": "Access denied",
+	"login-required": "You must be logged in to view this PDF."
+}

package/lib/controllers.js

@@ -0,0 +1,65 @@
+'use strict';
+
+const crypto = require('crypto');
+const nonceStore = require('./nonce-store');
+const pdfHandler = require('./pdf-handler');
+
+const Controllers = module.exports;
+
+// AES-256-GCM encryption - replaces weak XOR obfuscation
+function aesGcmEncrypt(buffer, key, iv) {
+	const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+	const encrypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
+	const authTag = cipher.getAuthTag(); // 16 bytes
+	// Format: [authTag (16 bytes)] [ciphertext]
+	return Buffer.concat([authTag, encrypted]);
+}
+
+Controllers.renderAdminPage = function (req, res) {
+	res.render('admin/plugins/pdf-secure', {
+		title: 'PDF Secure Viewer',
+	});
+};
+
+Controllers.servePdfBinary = async function (req, res) {
+	// Authentication gate - require logged-in user
+	if (!req.uid) {
+		return res.status(401).json({ error: 'Authentication required' });
+	}
+
+	const { nonce } = req.query;
+	if (!nonce) {
+		return res.status(400).json({ error: 'Missing nonce' });
+	}
+
+	const uid = req.uid;
+
+	const data = nonceStore.validate(nonce, uid);
+	if (!data) {
+		return res.status(403).json({ error: 'Invalid or expired nonce' });
+	}
+
+	try {
+		// Server-side premium gate: non-premium users only get first page
+		const pdfBuffer = data.isPremium
+			? await pdfHandler.getFullPdf(data.file)
+			: await pdfHandler.getSinglePagePdf(data.file);
+
+		// Apply AES-256-GCM encryption
+		const encodedBuffer = aesGcmEncrypt(pdfBuffer, data.encKey, data.encIv);
+
+		res.set({
+			'Content-Type': 'application/octet-stream',
+			'Cache-Control': 'no-store, no-cache, must-revalidate, private',
+			'X-Content-Type-Options': 'nosniff',
+			'Content-Disposition': 'inline',
+		});
+
+		return res.send(encodedBuffer);
+	} catch (err) {
+		if (err.message === 'File not found') {
+			return res.status(404).json({ error: 'PDF not found' });
+		}
+		return res.status(500).json({ error: 'Internal error' });
+	}
+};

package/lib/nonce-store.js

@@ -0,0 +1,70 @@
+'use strict';
+
+const crypto = require('crypto');
+const { v4: uuidv4 } = require('uuid');
+
+const store = new Map();
+const NONCE_TTL = 30 * 1000; // 30 seconds
+const CLEANUP_INTERVAL = 60 * 1000; // 60 seconds
+
+// Periodic cleanup of expired nonces
+setInterval(() => {
+	const now = Date.now();
+	for (const [nonce, data] of store.entries()) {
+		if (now - data.createdAt > NONCE_TTL) {
+			store.delete(nonce);
+		}
+	}
+}, CLEANUP_INTERVAL).unref();
+
+// Generate AES-256-GCM key (32 bytes) and IV (12 bytes)
+function generateEncryptionParams() {
+	return {
+		key: crypto.randomBytes(32),
+		iv: crypto.randomBytes(12),
+	};
+}
+
+const NonceStore = module.exports;
+
+NonceStore.generate = function (uid, file, isPremium) {
+	const nonce = uuidv4();
+	const { key, iv } = generateEncryptionParams();
+
+	store.set(nonce, {
+		uid: uid,
+		file: file,
+		isPremium: isPremium,
+		encKey: key,   // AES-256-GCM key
+		encIv: iv,     // GCM initialization vector
+		createdAt: Date.now(),
+	});
+
+	return {
+		nonce: nonce,
+		dk: key.toString('base64'),   // decryption key for viewer
+		iv: iv.toString('base64'),    // IV for viewer
+	};
+};
+
+NonceStore.validate = function (nonce, uid) {
+	const data = store.get(nonce);
+	if (!data) {
+		return null;
+	}
+
+	// Delete immediately (single-use)
+	store.delete(nonce);
+
+	// Check UID match
+	if (data.uid !== uid) {
+		return null;
+	}
+
+	// Check TTL
+	if (Date.now() - data.createdAt > NONCE_TTL) {
+		return null;
+	}
+
+	return data;  // Includes encKey and encIv for AES-256-GCM
+};