nodebb-plugin-pdf-secure2 1.3.9 → 1.4.0

package/lib/controllers.js

@@ -38,7 +38,6 @@ Controllers.initQuotaSettings = function (settings) {
 		QUOTAS.premium.window = windowMs;
 		QUOTAS.vip.window = windowMs;
 	}
-	console.log('[PDF-Secure] Quota settings: Premium', QUOTAS.premium.max, 'tokens/', QUOTAS.premium.window / 3600000, 'h, VIP', QUOTAS.vip.max, 'tokens/', QUOTAS.vip.window / 3600000, 'h');
 };
 
 // DB-backed sliding window rate limiter
@@ -180,17 +179,13 @@ Controllers.renderAdminPage = function (req, res) {
 };
 
 Controllers.servePdfBinary = async function (req, res) {
-	console.log('[PDF-Secure] servePdfBinary called - uid:', req.uid, 'nonce:', req.query.nonce ? 'present' : 'missing');
-
 	// Authentication gate - require logged-in user
 	if (!req.uid) {
-		console.log('[PDF-Secure] servePdfBinary - REJECTED: no uid');
 		return res.status(401).json({ error: 'Authentication required' });
 	}
 
 	const { nonce } = req.query;
 	if (!nonce) {
-		console.log('[PDF-Secure] servePdfBinary - REJECTED: no nonce');
 		return res.status(400).json({ error: 'Missing nonce' });
 	}
 
@@ -198,12 +193,9 @@ Controllers.servePdfBinary = async function (req, res) {
 
 	const data = nonceStore.validate(nonce, uid);
 	if (!data) {
-		console.log('[PDF-Secure] servePdfBinary - REJECTED: invalid/expired nonce for uid:', uid);
 		return res.status(403).json({ error: 'Invalid or expired nonce' });
 	}
 
-	console.log('[PDF-Secure] servePdfBinary - OK: file:', data.file, 'isPremium:', data.isPremium);
-
 	try {
 		// Server-side premium gate: non-premium users only get first page
 		const pdfBuffer = data.isPremium
@@ -300,11 +292,15 @@ Controllers.handleChat = async function (req, res) {
 			if (entry.role !== 'user' && entry.role !== 'model') {
 				return res.status(400).json({ error: 'Invalid history role' });
 			}
-			if (typeof entry.text !== 'string' || entry.text.length > 4000) {
+			if (typeof entry.text !== 'string' || entry.text.length > 12000) {
 				return res.status(400).json({ error: 'Invalid history text' });
 			}
+			// Truncate overly long entries (AI responses can be up to ~4096 tokens ≈ 10K chars)
+			if (entry.text.length > 10000) {
+				entry.text = entry.text.slice(0, 10000);
+			}
 			totalHistorySize += entry.text.length;
-			if (totalHistorySize > 50000) {
+			if (totalHistorySize > 150000) {
 				return res.status(400).json({ error: 'History too large' });
 			}
 			// Sanitize: strip null bytes and control characters

package/lib/gemini-chat.js

@@ -68,6 +68,20 @@ function sanitizeAiOutput(text) {
 const suggestionsCache = new Map(); // filename -> { suggestions, cachedAt }
 const SUGGESTIONS_TTL = 30 * 60 * 1000; // 30 minutes
 
+// Cache for PDF summary responses — most expensive request type (~3000-4000 tokens)
+// Same PDF summary is identical for all users, so cache aggressively
+const summaryCache = new Map(); // filename -> { text, tokensUsed, cachedAt }
+const SUMMARY_TTL = 60 * 60 * 1000; // 1 hour
+
+// Patterns that indicate a summary request (Turkish + English)
+const SUMMARY_PATTERNS = [
+	/\b(özet|özetle|özetini|özetini çıkar|özetле)\b/i,
+	/\b(summary|summarize|summarise|overview)\b/i,
+	/\bkapsamlı\b.*\b(özet|liste)\b/i,
+	/\bana\s+(noktalar|başlıklar|konular)\b/i,
+	/\bmadde\s+madde\b/i,
+];
+
 // Sanitize history text to prevent injection attacks
 function sanitizeHistoryText(text) {
 	// Strip null bytes and control characters (except newline, tab)
@@ -80,8 +94,8 @@ function sanitizeHistoryText(text) {
 
 // Tier-based configuration
 const TIER_CONFIG = {
-	vip: { maxHistory: 30, maxOutputTokens: 4096 },
-	premium: { maxHistory: 20, maxOutputTokens: 2048 },
+	vip: { maxHistory: 30, maxOutputTokens: 4096, recentFullMessages: 6 },
+	premium: { maxHistory: 20, maxOutputTokens: 2048, recentFullMessages: 4 },
 };
 
 const MODEL_NAME = 'gemini-2.5-flash';
@@ -99,6 +113,11 @@ const cleanupTimer = setInterval(() => {
 			fileUploadCache.delete(key);
 		}
 	}
+	for (const [key, entry] of summaryCache.entries()) {
+		if (now - entry.cachedAt > SUMMARY_TTL) {
+			summaryCache.delete(key);
+		}
+	}
 }, 10 * 60 * 1000);
 cleanupTimer.unref();
 
@@ -141,79 +160,32 @@ async function getOrUploadPdf(filename) {
 	}
 
 	// Upload to Gemini File API — file is stored server-side, only URI is sent per request
-	console.log('[PDF-Secure] === FILE API UPLOAD START ===');
-	console.log('[PDF-Secure] Filename:', filename);
-	console.log('[PDF-Secure] FilePath:', filePath);
-	console.log('[PDF-Secure] FileSize:', stats.size, 'bytes');
-	console.log('[PDF-Secure] ai.files exists:', !!ai.files);
-	console.log('[PDF-Secure] ai.files.upload exists:', typeof (ai.files && ai.files.upload));
-
 	const fileBuffer = await fs.promises.readFile(filePath);
-	console.log('[PDF-Secure] File read OK, buffer size:', fileBuffer.length);
 
-	// Try upload with multiple approaches
+	// Try upload with multiple approaches (path string → Blob → Buffer)
 	let uploadResult;
-	const uploadErrors = [];
-
-	// Approach 1: file path string
-	console.log('[PDF-Secure] Trying approach 1: file path string...');
-	try {
-		uploadResult = await ai.files.upload({
-			file: filePath,
-			config: { mimeType: 'application/pdf', displayName: filename },
-		});
-		console.log('[PDF-Secure] Approach 1 SUCCESS! Result:', JSON.stringify(uploadResult).slice(0, 500));
-	} catch (err1) {
-		console.error('[PDF-Secure] Approach 1 FAILED:', err1.message);
-		console.error('[PDF-Secure] Approach 1 error detail:', err1.status || '', err1.code || '', err1.stack?.split('\n').slice(0, 3).join(' | '));
-		uploadErrors.push('path: ' + err1.message);
-	}
-
-	// Approach 2: Blob (Node 18+)
-	if (!uploadResult) {
-		console.log('[PDF-Secure] Trying approach 2: Blob...');
-		console.log('[PDF-Secure] Blob available:', typeof Blob !== 'undefined');
-		try {
-			const blob = new Blob([fileBuffer], { type: 'application/pdf' });
-			uploadResult = await ai.files.upload({
-				file: blob,
-				config: { mimeType: 'application/pdf', displayName: filename },
-			});
-			console.log('[PDF-Secure] Approach 2 SUCCESS! Result:', JSON.stringify(uploadResult).slice(0, 500));
-		} catch (err2) {
-			console.error('[PDF-Secure] Approach 2 FAILED:', err2.message);
-			uploadErrors.push('blob: ' + err2.message);
-		}
-	}
+	const methods = [
+		() => ai.files.upload({ file: filePath, config: { mimeType: 'application/pdf', displayName: filename } }),
+		() => ai.files.upload({ file: new Blob([fileBuffer], { type: 'application/pdf' }), config: { mimeType: 'application/pdf', displayName: filename } }),
+		() => ai.files.upload({ file: fileBuffer, config: { mimeType: 'application/pdf', displayName: filename } }),
+	];
 
-	// Approach 3: Buffer directly
-	if (!uploadResult) {
-		console.log('[PDF-Secure] Trying approach 3: Buffer...');
+	for (const method of methods) {
+		if (uploadResult) break;
 		try {
-			uploadResult = await ai.files.upload({
-				file: fileBuffer,
-				config: { mimeType: 'application/pdf', displayName: filename },
-			});
-			console.log('[PDF-Secure] Approach 3 SUCCESS! Result:', JSON.stringify(uploadResult).slice(0, 500));
-		} catch (err3) {
-			console.error('[PDF-Secure] Approach 3 FAILED:', err3.message);
-			uploadErrors.push('buffer: ' + err3.message);
+			uploadResult = await method();
+		} catch (err) {
+			// Try next method
 		}
 	}
 
 	if (uploadResult && uploadResult.uri) {
-		const fileUri = uploadResult.uri;
-		const mimeType = uploadResult.mimeType || 'application/pdf';
-		console.log('[PDF-Secure] === UPLOAD FINAL: SUCCESS ===', fileUri);
-
-		fileUploadCache.set(filename, { fileUri, mimeType, cachedAt: Date.now() });
-		return { type: 'fileData', fileUri, mimeType };
+		fileUploadCache.set(filename, { fileUri: uploadResult.uri, mimeType: uploadResult.mimeType || 'application/pdf', cachedAt: Date.now() });
+		return { type: 'fileData', fileUri: uploadResult.uri, mimeType: uploadResult.mimeType || 'application/pdf' };
 	}
 
-	// All upload methods failed
-	console.error('[PDF-Secure] === UPLOAD FINAL: ALL FAILED ===');
-	console.error('[PDF-Secure] Errors:', uploadErrors.join(' | '));
-	console.error('[PDF-Secure] Falling back to inline base64 (will use many tokens!)');
+	// All upload methods failed — fallback to inline base64
+	console.error('[PDF-Secure] File API upload failed for', filename, '- falling back to inline base64');
 	const base64 = fileBuffer.toString('base64');
 	return { type: 'inlineData', mimeType: 'application/pdf', data: base64 };
 }
@@ -242,29 +214,52 @@ async function getPdfBase64(filename) {
 	return base64;
 }
 
+// Check if a question is a summary request
+function isSummaryRequest(question, history) {
+	// Only cache first-time summary requests (no history = fresh summary)
+	if (history && history.length > 0) return false;
+	return SUMMARY_PATTERNS.some((p) => p.test(question));
+}
+
 GeminiChat.chat = async function (filename, question, history, tier) {
 	if (!ai) {
 		throw new Error('AI chat is not configured');
 	}
 
+	// Summary cache: same PDF summary is identical for all users
+	if (isSummaryRequest(question, history)) {
+		const cached = summaryCache.get(filename);
+		if (cached && Date.now() - cached.cachedAt < SUMMARY_TTL) {
+			return { text: cached.text, suspicious: false, tokensUsed: 0 };
+		}
+	}
+
 	const config = TIER_CONFIG[tier] || TIER_CONFIG.premium;
 	const pdfRef = await getOrUploadPdf(filename);
 
 	// Build conversation contents from history (trimmed to last N entries)
+	// Cost optimization: only recent messages get full text, older ones are truncated
 	const contents = [];
 	if (Array.isArray(history)) {
 		const trimmedHistory = history.slice(-config.maxHistory);
+		const recentStart = Math.max(0, trimmedHistory.length - config.recentFullMessages);
 		// Start with 'model' as lastRole since the preamble ends with a model message
 		let lastRole = 'model';
-		for (const entry of trimmedHistory) {
+		for (let i = 0; i < trimmedHistory.length; i++) {
+			const entry = trimmedHistory[i];
 			if (entry.role && entry.text) {
 				const role = entry.role === 'user' ? 'user' : 'model';
 				// Skip consecutive same-role entries (prevents injection via fake model responses)
 				if (role === lastRole) continue;
 				lastRole = role;
+				let text = sanitizeHistoryText(entry.text);
+				// Truncate older messages to save input tokens (~90% cost reduction on history)
+				if (i < recentStart && text.length > 500) {
+					text = text.slice(0, 500) + '...';
+				}
 				contents.push({
 					role,
-					parts: [{ text: sanitizeHistoryText(entry.text) }],
+					parts: [{ text }],
 				});
 			}
 		}
@@ -310,9 +305,27 @@ GeminiChat.chat = async function (filename, question, history, tier) {
 		throw new Error('Empty response from AI');
 	}
 
-	const tokensUsed = response?.usageMetadata?.candidatesTokenCount || 0;
+	// Extract output token count — multiple fallbacks for SDK version compatibility
+	const usage = response?.usageMetadata || response?.usage_metadata || {};
+	let tokensUsed = usage.candidatesTokenCount
+		|| usage.candidates_token_count
+		|| usage.outputTokenCount
+		|| usage.output_token_count
+		|| 0;
+	// Last resort: estimate from text length if API didn't return token count
+	// (~4 chars per token is a reasonable approximation for multilingual text)
+	if (!tokensUsed && text.length > 0) {
+		tokensUsed = Math.ceil(text.length / 4);
+	}
+
 	const result = sanitizeAiOutput(text);
 	result.tokensUsed = tokensUsed;
+
+	// Cache summary responses (most expensive request type)
+	if (isSummaryRequest(question, history) && !result.suspicious) {
+		summaryCache.set(filename, { text: result.text, tokensUsed, cachedAt: Date.now() });
+	}
+
 	return result;
 };
 

package/library.js

@@ -121,7 +121,6 @@ plugin.init = async (params) => {
 			// Lite: full PDF access but restricted UI (no annotations, sidebar, etc.)
 			isLite = !isPremium && isLiteMember;
 		}
-		console.log('[PDF-Secure] Viewer request - uid:', req.uid, 'file:', safeName, 'isPremium:', isPremium, 'isVip:', isVip, 'isLite:', isLite);
 
 		// Lite users get full PDF like premium (for nonce/server-side PDF data)
 		const hasFullAccess = isPremium || isLite;
@@ -253,7 +252,6 @@ plugin.filterMetaTags = async (hookData) => {
 
 // Inject plugin config into client-side
 plugin.filterConfig = async function (data) {
-	console.log('[PDF-Secure] filterConfig called - data exists:', !!data, 'config exists:', !!(data && data.config));
 	return data;
 };
 
@@ -261,18 +259,15 @@ plugin.filterConfig = async function (data) {
 // This hides PDF URLs from: page source, API, RSS, ActivityPub
 plugin.transformPdfLinks = async (data) => {
 	if (!data || !data.postData || !data.postData.content) {
-		console.log('[PDF-Secure] transformPdfLinks - no data/postData/content, skipping');
 		return data;
 	}
 
-	console.log('[PDF-Secure] transformPdfLinks - processing post tid:', data.postData.tid, 'pid:', data.postData.pid);
 
 	// Regex to match PDF links: <a href="...xxx.pdf">text</a>
 	// Captures: full URL path, filename, link text
 	const pdfLinkRegex = /<a\s+[^>]*href=["']([^"']*\/([^"'\/]+\.pdf))["'][^>]*>([^<]*)<\/a>/gi;
 
 	const matchCount = (data.postData.content.match(pdfLinkRegex) || []).length;
-	console.log('[PDF-Secure] transformPdfLinks - found', matchCount, 'PDF links in post');
 
 	data.postData.content = data.postData.content.replace(pdfLinkRegex, (match, fullPath, filename, linkText) => {
 		// Decode filename to prevent double encoding (URL may already be encoded)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure2",
-  "version": "1.3.9",
+  "version": "1.4.0",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {