nodebb-plugin-pdf-secure2 1.2.38 → 1.3.1

package/.claude/settings.local.json

@@ -0,0 +1,11 @@
+{
+  "permissions": {
+    "allow": [
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:github.com)",
+      "Bash(dir:*)",
+      "Bash(npm pack:*)",
+      "Bash(tar:*)"
+    ]
+  }
+}

package/lib/controllers.js

@@ -1,11 +1,29 @@
 'use strict';
 
 const crypto = require('crypto');
+const path = require('path');
 const nonceStore = require('./nonce-store');
 const pdfHandler = require('./pdf-handler');
+const geminiChat = require('./gemini-chat');
+const groups = require.main.require('./src/groups');
 
 const Controllers = module.exports;
 
+// Rate limiting: per-user message counter
+const rateLimits = new Map(); // uid -> { count, windowStart }
+const RATE_LIMIT_WINDOW = 60 * 1000; // 1 minute
+const RATE_LIMIT_MAX = 30; // messages per window
+
+// Periodic cleanup of expired rate limit entries
+setInterval(() => {
+	const now = Date.now();
+	for (const [uid, entry] of rateLimits.entries()) {
+		if (now - entry.windowStart > RATE_LIMIT_WINDOW * 2) {
+			rateLimits.delete(uid);
+		}
+	}
+}, 5 * 60 * 1000).unref();
+
 // AES-256-GCM encryption - replaces weak XOR obfuscation
 function aesGcmEncrypt(buffer, key, iv) {
 	const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
@@ -63,3 +81,90 @@ Controllers.servePdfBinary = async function (req, res) {
 		return res.status(500).json({ error: 'Internal error' });
 	}
 };
+
+Controllers.handleChat = async function (req, res) {
+	// Authentication gate
+	if (!req.uid) {
+		return res.status(401).json({ error: 'Authentication required' });
+	}
+
+	// Check AI availability
+	if (!geminiChat.isAvailable()) {
+		return res.status(503).json({ error: 'AI chat is not configured' });
+	}
+
+	// Premium/VIP group check
+	const [isAdmin, isGlobalMod, isPremiumMember, isVipMember] = await Promise.all([
+		groups.isMember(req.uid, 'administrators'),
+		groups.isMember(req.uid, 'Global Moderators'),
+		groups.isMember(req.uid, 'Premium'),
+		groups.isMember(req.uid, 'VIP'),
+	]);
+	const isPremium = isAdmin || isGlobalMod || isPremiumMember || isVipMember;
+	if (!isPremium) {
+		return res.status(403).json({ error: 'Premium membership required for AI chat' });
+	}
+
+	// Rate limiting
+	const now = Date.now();
+	let userRate = rateLimits.get(req.uid);
+	if (!userRate || now - userRate.windowStart > RATE_LIMIT_WINDOW) {
+		userRate = { count: 0, windowStart: now };
+		rateLimits.set(req.uid, userRate);
+	}
+	userRate.count += 1;
+	if (userRate.count > RATE_LIMIT_MAX) {
+		return res.status(429).json({ error: 'Rate limit exceeded. Please wait a moment.' });
+	}
+
+	// Body validation
+	const { filename, question, history } = req.body;
+
+	if (!filename || typeof filename !== 'string') {
+		return res.status(400).json({ error: 'Missing or invalid filename' });
+	}
+	const safeName = path.basename(filename);
+	if (!safeName || safeName !== filename || !safeName.toLowerCase().endsWith('.pdf')) {
+		return res.status(400).json({ error: 'Invalid filename' });
+	}
+
+	const trimmedQuestion = typeof question === 'string' ? question.trim() : '';
+	if (!trimmedQuestion || trimmedQuestion.length > 2000) {
+		return res.status(400).json({ error: 'Question is required (max 2000 characters)' });
+	}
+
+	if (history && (!Array.isArray(history) || history.length > 50)) {
+		return res.status(400).json({ error: 'Invalid history (max 50 entries)' });
+	}
+	if (history) {
+		for (const entry of history) {
+			if (!entry || typeof entry !== 'object') {
+				return res.status(400).json({ error: 'Invalid history entry' });
+			}
+			if (entry.role !== 'user' && entry.role !== 'model') {
+				return res.status(400).json({ error: 'Invalid history role' });
+			}
+			if (typeof entry.text !== 'string' || entry.text.length > 4000) {
+				return res.status(400).json({ error: 'Invalid history text' });
+			}
+		}
+	}
+
+	try {
+		const answer = await geminiChat.chat(safeName, trimmedQuestion, history || []);
+		return res.json({ answer });
+	} catch (err) {
+		console.error('[PDF-Secure] Chat error:', err.message, err.status || '', err.code || '');
+
+		if (err.message === 'File not found') {
+			return res.status(404).json({ error: 'PDF not found' });
+		}
+		if (err.status === 429 || err.message.includes('rate limit') || err.message.includes('quota')) {
+			return res.status(429).json({ error: 'AI service rate limit exceeded. Please try again later.' });
+		}
+		if (err.status === 401 || err.status === 403 || err.message.includes('API key')) {
+			return res.status(503).json({ error: 'AI service configuration error' });
+		}
+		return res.status(500).json({ error: 'Failed to get AI response. Please try again.' });
+	}
+};

package/lib/gemini-chat.js

@@ -0,0 +1,125 @@
+'use strict';
+
+const fs = require('fs');
+const pdfHandler = require('./pdf-handler');
+
+const GeminiChat = module.exports;
+
+let ai = null;
+
+// In-memory cache for PDF base64 data (avoids re-reading from disk)
+const pdfDataCache = new Map(); // filename -> { base64, cachedAt }
+const PDF_DATA_TTL = 30 * 60 * 1000; // 30 minutes
+
+const SYSTEM_INSTRUCTION = `You are a helpful assistant that answers questions about the provided PDF document.
+Respond in the same language the user writes their question in.
+Be concise and accurate. When referencing specific information, mention the relevant page or section when possible.`;
+
+const MODEL_NAME = 'gemini-2.5-flash';
+
+// Periodic cleanup
+const cleanupTimer = setInterval(() => {
+	const now = Date.now();
+	for (const [key, entry] of pdfDataCache.entries()) {
+		if (now - entry.cachedAt > PDF_DATA_TTL) {
+			pdfDataCache.delete(key);
+		}
+	}
+}, 10 * 60 * 1000);
+cleanupTimer.unref();
+
+GeminiChat.init = function (apiKey) {
+	if (!apiKey) {
+		ai = null;
+		return;
+	}
+	try {
+		const { GoogleGenAI } = require('@google/genai');
+		ai = new GoogleGenAI({ apiKey });
+		console.log('[PDF-Secure] Gemini AI client initialized');
+	} catch (err) {
+		console.error('[PDF-Secure] Failed to initialize Gemini client:', err.message);
+		ai = null;
+	}
+};
+
+GeminiChat.isAvailable = function () {
+	return !!ai;
+};
+
+// Read PDF and cache base64 in memory
+async function getPdfBase64(filename) {
+	const cached = pdfDataCache.get(filename);
+	if (cached && Date.now() - cached.cachedAt < PDF_DATA_TTL) {
+		return cached.base64;
+	}
+
+	const filePath = pdfHandler.resolveFilePath(filename);
+	if (!filePath || !fs.existsSync(filePath)) {
+		throw new Error('File not found');
+	}
+
+	const fileBuffer = await fs.promises.readFile(filePath);
+	const base64 = fileBuffer.toString('base64');
+
+	pdfDataCache.set(filename, { base64, cachedAt: Date.now() });
+	return base64;
+}
+
+GeminiChat.chat = async function (filename, question, history) {
+	if (!ai) {
+		throw new Error('AI chat is not configured');
+	}
+
+	const base64Data = await getPdfBase64(filename);
+
+	// Build conversation contents from history
+	const contents = [];
+	if (Array.isArray(history)) {
+		for (const entry of history) {
+			if (entry.role && entry.text) {
+				contents.push({
+					role: entry.role === 'user' ? 'user' : 'model',
+					parts: [{ text: entry.text }],
+				});
+			}
+		}
+	}
+
+	// Add current question
+	contents.push({
+		role: 'user',
+		parts: [{ text: question }],
+	});
+
+	// Always use inline PDF — single API call, no upload/cache overhead
+	const inlineContents = [
+		{
+			role: 'user',
+			parts: [
+				{ inlineData: { mimeType: 'application/pdf', data: base64Data } },
+				{ text: 'I am sharing a PDF document with you. Please use it to answer my questions.' },
+			],
+		},
+		{
+			role: 'model',
+			parts: [{ text: 'I have received the PDF document. I am ready to answer your questions about it.' }],
+		},
+		...contents,
+	];
+
+	const response = await ai.models.generateContent({
+		model: MODEL_NAME,
+		contents: inlineContents,
+		config: {
+			systemInstruction: SYSTEM_INSTRUCTION,
+		},
+	});
+
+	const text = response?.candidates?.[0]?.content?.parts?.[0]?.text;
+	if (!text) {
+		throw new Error('Empty response from AI');
+	}
+
+	return text;
+};