nodebb-plugin-pdf-secure2 1.4.2 → 1.5.0

package/.claude/settings.local.json

@@ -5,7 +5,12 @@
       "WebFetch(domain:github.com)",
       "Bash(dir:*)",
       "Bash(npm pack:*)",
-      "Bash(tar:*)"
+      "Bash(tar:*)",
+      "Bash(grep:*)",
+      "Bash(find /c/Users/kadir/OneDrive/Masaüstü/Projeler/nodebb-plugin-pdf-secure/nodebb-plugin-pdf-secure -type f \\\\\\(-name *.conf -o -name *.config -o -name *nginx* -o -name *apache* \\\\\\))",
+      "Bash(xargs ls:*)",
+      "WebSearch",
+      "WebFetch(domain:community.nodebb.org)"
     ]
   }
 }

package/lib/controllers.js

@@ -7,6 +7,7 @@ const pdfHandler = require('./pdf-handler');
 const geminiChat = require('./gemini-chat');
 const groups = require.main.require('./src/groups');
 const db = require.main.require('./src/database');
+const topicAccess = require('./topic-access');
 
 const Controllers = module.exports;
 
@@ -60,8 +61,8 @@ async function checkRateLimit(uid, tier) {
 		await db.sortedSetAdd(key, now, `${now}:${crypto.randomBytes(4).toString('hex')}`);
 		return { allowed: true, used: count + 1, max: rateConfig.max };
 	} catch (err) {
-		// Graceful degradation: allow request if DB fails
-		return { allowed: true, used: 0, max: rateConfig.max };
+		console.error('[PDF-Secure] Rate limit DB error:', err.message);
+		return { allowed: false, used: 0, max: rateConfig.max };
 	}
 }
 
@@ -106,7 +107,8 @@ async function checkQuota(uid, tier) {
 		}
 		return { allowed: true, used: totalTokens, max: cfg.max, resetsIn };
 	} catch (err) {
-		return { allowed: true, used: 0, max: cfg.max, resetsIn: 0 };
+		console.error('[PDF-Secure] Quota check DB error:', err.message);
+		return { allowed: false, used: 0, max: cfg.max, resetsIn: 0 };
 	}
 }
 
@@ -265,7 +267,8 @@ Controllers.handleChat = async function (req, res) {
 	}
 
 	// Body validation
-	const { filename, question, history } = req.body;
+	const { filename, question, history, tid, detailMode } = req.body;
+	const useDetailMode = tier === 'vip' && detailMode === true;
 
 	if (!filename || typeof filename !== 'string') {
 		return res.status(400).json({ error: 'Missing or invalid filename' });
@@ -275,6 +278,12 @@ Controllers.handleChat = async function (req, res) {
 		return res.status(400).json({ error: 'Invalid filename' });
 	}
 
+	// Topic-level access control
+	const accessResult = await topicAccess.validate(req.uid, tid, safeName);
+	if (!accessResult.allowed) {
+		return res.status(403).json({ error: accessResult.reason || 'Access denied' });
+	}
+
 	const trimmedQuestion = typeof question === 'string' ? question.trim() : '';
 	if (!trimmedQuestion || trimmedQuestion.length > 2000) {
 		return res.status(400).json({ error: 'Question is required (max 2000 characters)' });
@@ -312,7 +321,7 @@ Controllers.handleChat = async function (req, res) {
 	}
 
 	try {
-		const result = await geminiChat.chat(safeName, trimmedQuestion, history || [], tier);
+		const result = await geminiChat.chat(safeName, trimmedQuestion, history || [], tier, useDetailMode);
 		// Record actual token usage after successful AI response
 		// Sanitize: clamp to [0, 1000000] to prevent NaN/negative/absurd values
 		const tokensUsed = Math.max(0, Math.min(parseInt(result.tokensUsed, 10) || 0, 1000000));
@@ -331,7 +340,10 @@ Controllers.handleChat = async function (req, res) {
 			return res.status(404).json({ error: 'PDF bulunamadı.', quota });
 		}
 		if (err.message === 'PDF too large for AI chat') {
-			return res.status(413).json({ error: 'Bu PDF çok büyük. AI chat desteklemiyor.', quota });
+			const sizeMsg = tier === 'premium'
+				? 'Bu PDF, Premium limiti (20MB) aşıyor. VIP üyelikle 50MB\'a kadar PDF\'lerle sohbet edebilirsiniz.'
+				: 'Bu PDF çok büyük. AI chat için maksimum dosya boyutu 50MB.';
+			return res.status(413).json({ error: sizeMsg, quota, showUpgrade: tier === 'premium' });
 		}
 		if (err.status === 429 || err.message.includes('rate limit') || err.message.includes('quota')) {
 			return res.status(429).json({ error: 'AI servisi şu an yoğun. Lütfen birkaç saniye sonra tekrar deneyin.', quota });
@@ -345,6 +357,13 @@ Controllers.handleChat = async function (req, res) {
 
 // AI-powered question suggestions for a PDF
 const suggestionsRateLimit = new Map(); // uid -> lastRequestTime
+// Periodic cleanup of stale rate limit entries (every 5 minutes)
+setInterval(() => {
+	const cutoff = Date.now() - 60000; // entries older than 60s are stale
+	for (const [uid, ts] of suggestionsRateLimit.entries()) {
+		if (ts < cutoff) suggestionsRateLimit.delete(uid);
+	}
+}, 5 * 60 * 1000).unref();
 Controllers.getSuggestions = async function (req, res) {
 	if (!req.uid) {
 		return res.status(401).json({ error: 'Authentication required' });
@@ -375,7 +394,7 @@ Controllers.getSuggestions = async function (req, res) {
 	}
 	suggestionsRateLimit.set(req.uid, now);
 
-	const { filename } = req.query;
+	const { filename, tid } = req.query;
 	if (!filename || typeof filename !== 'string') {
 		return res.status(400).json({ error: 'Missing filename' });
 	}
@@ -384,8 +403,14 @@ Controllers.getSuggestions = async function (req, res) {
 		return res.status(400).json({ error: 'Invalid filename' });
 	}
 
+	// Topic-level access control
+	const accessResult = await topicAccess.validate(req.uid, tid, safeName);
+	if (!accessResult.allowed) {
+		return res.status(403).json({ error: accessResult.reason || 'Access denied' });
+	}
+
 	try {
-		const suggestions = await geminiChat.generateSuggestions(safeName);
+		const suggestions = await geminiChat.generateSuggestions(safeName, tier);
 		const quotaUsage = await getQuotaUsage(req.uid, tier);
 		return res.json({ suggestions, quota: quotaUsage });
 	} catch (err) {