nodebb-plugin-pdf-secure2 1.4.3 → 1.5.0

package/lib/nonce-store.js

@@ -53,18 +53,18 @@ NonceStore.validate = function (nonce, uid) {
 		return null;
 	}
 
-	// Delete immediately (single-use)
-	store.delete(nonce);
-
-	// Check UID match
+	// Validate BEFORE deleting — prevents DoS via nonce consumption with wrong UID
 	if (data.uid !== uid) {
 		return null;
 	}
 
 	// Check TTL
 	if (Date.now() - data.createdAt > NONCE_TTL) {
+		store.delete(nonce); // Expired, clean up
 		return null;
 	}
 
+	// All checks passed — delete now (single-use)
+	store.delete(nonce);
 	return data;  // Includes encKey and encIv for AES-256-GCM
 };

package/lib/pdf-handler.js

@@ -36,7 +36,6 @@ PdfHandler.resolveFilePath = function (filename) {
 	const uploadPath = nconf.get('upload_path') || path.join(nconf.get('base_dir'), 'public', 'uploads');
 	const filePath = path.join(uploadPath, 'files', safeName);
 
-	// Verify the resolved path is still within the upload directory
 	const resolvedPath = path.resolve(filePath);
 	const resolvedUploadDir = path.resolve(path.join(uploadPath, 'files'));
 	if (!resolvedPath.startsWith(resolvedUploadDir)) {

package/lib/topic-access.js

@@ -0,0 +1,96 @@
+'use strict';
+
+const privileges = require.main.require('./src/privileges');
+const topics = require.main.require('./src/topics');
+const posts = require.main.require('./src/posts');
+const groups = require.main.require('./src/groups');
+const db = require.main.require('./src/database');
+
+const TopicAccess = module.exports;
+
+/**
+ * Validate that a user has access to a PDF through a specific topic.
+ * Checks: 1) User can read the topic, 2) The PDF filename exists in the topic's posts.
+ * Admin/Global Moderators bypass all checks.
+ *
+ * @param {number} uid - User ID
+ * @param {number|string} tid - Topic ID
+ * @param {string} filename - Sanitized PDF filename (basename only)
+ * @returns {Promise<{allowed: boolean, reason?: string}>}
+ */
+TopicAccess.validate = async function (uid, tid, filename) {
+	// Require valid tid
+	tid = parseInt(tid, 10);
+	if (!tid || isNaN(tid) || tid <= 0) {
+		return { allowed: false, reason: 'Missing or invalid topic ID' };
+	}
+
+	try {
+		// Admin/Global Moderator bypass
+		const [isAdmin, isGlobalMod] = await Promise.all([
+			groups.isMember(uid, 'administrators'),
+			groups.isMember(uid, 'Global Moderators'),
+		]);
+		if (isAdmin || isGlobalMod) {
+			return { allowed: true };
+		}
+
+		// Check if user can read the topic (NodeBB privilege system)
+		const canRead = await privileges.topics.can('topics:read', tid, uid);
+		if (!canRead) {
+			return { allowed: false, reason: 'Access denied' };
+		}
+
+		// Verify the PDF filename exists in one of the topic's posts
+		const exists = await TopicAccess.pdfExistsInTopic(tid, filename);
+		if (!exists) {
+			return { allowed: false, reason: 'Access denied' };
+		}
+
+		return { allowed: true };
+	} catch (err) {
+		// DB error, topic not found, etc. — deny by default
+		return { allowed: false, reason: 'Access check failed' };
+	}
+};
+
+/**
+ * Check if a PDF filename is referenced in any post of a topic.
+ * Searches both the main post and all reply posts.
+ *
+ * @param {number} tid - Topic ID
+ * @param {string} filename - PDF filename to search for
+ * @returns {Promise<boolean>}
+ */
+TopicAccess.pdfExistsInTopic = async function (tid, filename) {
+	// Get the topic's main post ID
+	const topicData = await topics.getTopicFields(tid, ['mainPid']);
+	if (!topicData || !topicData.mainPid) {
+		return false;
+	}
+
+	// Get all post IDs in this topic (replies)
+	const replyPids = await db.getSortedSetRange('tid:' + tid + ':posts', 0, -1);
+	const allPids = [topicData.mainPid, ...replyPids].filter(Boolean);
+
+	if (allPids.length === 0) {
+		return false;
+	}
+
+	// Get raw content of all posts
+	const postsData = await posts.getPostsFields(allPids, ['content']);
+
+	// Escape filename for regex safety, also match URL-encoded variant
+	// (post content may store "Özel Döküman.pdf" as "%C3%96zel%20D%C3%B6k%C3%BCman.pdf")
+	const escaped = filename.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+	const encodedEscaped = encodeURIComponent(filename).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+	const pattern = new RegExp('(' + escaped + '|' + encodedEscaped + ')', 'i');
+
+	for (const post of postsData) {
+		if (post && post.content && pattern.test(post.content)) {
+			return true;
+		}
+	}
+
+	return false;
+};

package/library.js

@@ -11,6 +11,7 @@ const controllers = require('./lib/controllers');
 const nonceStore = require('./lib/nonce-store');
 const pdfHandler = require('./lib/pdf-handler');
 const geminiChat = require('./lib/gemini-chat');
+const topicAccess = require('./lib/topic-access');
 
 const plugin = {};
 
@@ -18,6 +19,16 @@ const plugin = {};
 let viewerHtmlCache = null;
 let pluginSettings = {};
 
+// Rate limit for viewer endpoint — prevents brute-force topic ID enumeration
+const viewerRateLimit = new Map(); // uid -> { count, windowStart }
+const VIEWER_RATE_LIMIT = { max: 15, window: 60 * 1000 }; // 15 requests per 60 seconds
+setInterval(() => {
+	const cutoff = Date.now() - VIEWER_RATE_LIMIT.window;
+	for (const [uid, data] of viewerRateLimit.entries()) {
+		if (data.windowStart < cutoff) viewerRateLimit.delete(uid);
+	}
+}, 60 * 1000).unref();
+
 plugin.init = async (params) => {
 	const { router, middleware } = params;
 
@@ -26,6 +37,7 @@ plugin.init = async (params) => {
 	try {
 		viewerHtmlCache = fs.readFileSync(viewerPath, 'utf8');
 	} catch (err) {
+		console.error('[PDF-Secure] Failed to read viewer.html:', err.message);
 	}
 
 	// Double slash bypass protection - catches /uploads//files/ attempts
@@ -94,6 +106,19 @@ plugin.init = async (params) => {
 			return res.status(401).json({ error: 'Authentication required' });
 		}
 
+		// Rate limit — prevent brute-force topic ID enumeration
+		const now = Date.now();
+		const rateData = viewerRateLimit.get(req.uid) || { count: 0, windowStart: now };
+		if (now - rateData.windowStart > VIEWER_RATE_LIMIT.window) {
+			rateData.count = 0;
+			rateData.windowStart = now;
+		}
+		rateData.count++;
+		viewerRateLimit.set(req.uid, rateData);
+		if (rateData.count > VIEWER_RATE_LIMIT.max) {
+			return res.status(429).json({ error: 'Too many requests. Please slow down.' });
+		}
+
 		const { file } = req.query;
 		if (!file) {
 			return res.status(400).send('Missing file parameter');
@@ -105,6 +130,13 @@ plugin.init = async (params) => {
 			return res.status(400).send('Invalid file');
 		}
 
+		// Topic-level access control: require tid and validate access
+		const { tid } = req.query;
+		const accessResult = await topicAccess.validate(req.uid, tid, safeName);
+		if (!accessResult.allowed) {
+			return res.status(403).json({ error: accessResult.reason || 'Access denied' });
+		}
+
 		// Check cache
 		if (!viewerHtmlCache) {
 			return res.status(500).send('Viewer not available');
@@ -138,6 +170,7 @@ plugin.init = async (params) => {
 			try {
 				totalPages = await pdfHandler.getTotalPages(safeName);
 			} catch (err) {
+				console.error('[PDF-Secure] Failed to get total pages for', safeName, ':', err.message);
 			}
 		}
 
@@ -158,6 +191,7 @@ plugin.init = async (params) => {
 		// Key is embedded in HTML - NOT visible in any network API response!
 		const configObj = {
 			filename: safeName,
+			tid: parseInt(tid, 10) || 0,
 			relativePath: req.app.get('relative_path') || '',
 			csrfToken: req.csrfToken ? req.csrfToken() : '',
 			nonce: nonceData.nonce,
@@ -193,7 +227,7 @@ plugin.init = async (params) => {
 			.replace(/<script>(\r?\n\s*\/\/ IIFE to prevent global access)/, `<script nonce="${cspNonce}">$1`);
 
 		// Update CSP header with the nonce for the inline viewer script
-		res.set('Content-Security-Policy', `default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-${cspNonce}' https://cdnjs.cloudflare.com; worker-src 'self' blob:; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: blob: https://cdnjs.cloudflare.com https://i.ibb.co; connect-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'`);
+		res.set('Content-Security-Policy', `default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-${cspNonce}' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; worker-src 'self' blob:; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; img-src 'self' data: blob: https://cdnjs.cloudflare.com https://i.ibb.co; connect-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'`);
 
 		res.type('html').send(injectedHtml);
 	});
@@ -263,19 +297,32 @@ plugin.filterConfig = async function (data) {
 
 // Transform PDF links to secure placeholders (server-side)
 // This hides PDF URLs from: page source, API, RSS, ActivityPub
+// Supports both filter:parse.post (data.postData.content) and filter:parse.raw (string)
 plugin.transformPdfLinks = async (data) => {
-	if (!data || !data.postData || !data.postData.content) {
+	// Support multiple hook data formats
+	let content = null;
+	let contentPath = null;
+
+	if (data && data.postData && data.postData.content) {
+		content = data.postData.content;
+		contentPath = 'postData';
+	} else if (data && typeof data === 'string') {
+		content = data;
+		contentPath = 'raw';
+	} else {
 		return data;
 	}
 
-
 	// Regex to match PDF links: <a href="...xxx.pdf">text</a>
 	// Captures: full URL path, filename, link text
 	const pdfLinkRegex = /<a\s+[^>]*href=["']([^"']*\/([^"'\/]+\.pdf))["'][^>]*>([^<]*)<\/a>/gi;
 
-	const matchCount = (data.postData.content.match(pdfLinkRegex) || []).length;
+	const matchCount = (content.match(pdfLinkRegex) || []).length;
+	if (matchCount === 0) {
+		return data;
+	}
 
-	data.postData.content = data.postData.content.replace(pdfLinkRegex, (match, fullPath, filename, linkText) => {
+	content = content.replace(pdfLinkRegex, (match, fullPath, filename, linkText) => {
 		// Decode filename to prevent double encoding (URL may already be encoded)
 		let decodedFilename;
 		try { decodedFilename = decodeURIComponent(filename); }
@@ -294,6 +341,13 @@ plugin.transformPdfLinks = async (data) => {
 		</div>`;
 	});
 
+	// Write back to the correct location
+	if (contentPath === 'postData') {
+		data.postData.content = content;
+	} else if (contentPath === 'raw') {
+		data = content;
+	}
+
 	return data;
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure2",
-  "version": "1.4.3",
+  "version": "1.5.0",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {

package/plugin.json

@@ -26,6 +26,10 @@
 		{
 			"hook": "filter:parse.post",
 			"method": "transformPdfLinks"
+		},
+		{
+			"hook": "filter:parse.raw",
+			"method": "transformPdfLinks"
 		}
 	],
 	"staticDirs": {

package/static/lib/main.js

@@ -40,32 +40,6 @@
 	let isLoading = false;
 	let currentResolver = null;
 
-	// ============================================
-	// SPA MEMORY CACHE - Cache decoded PDF buffers
-	// ============================================
-	const pdfBufferCache = new Map();  // filename -> { buffer: ArrayBuffer, cachedAt: number }
-	const CACHE_MAX_SIZE = 5;  // ~50MB limit (avg 10MB per PDF)
-	const CACHE_TTL = 5 * 60 * 1000;  // 5 minutes
-
-	function setCachedBuffer(filename, buffer) {
-		// Evict oldest if cache is full
-		if (pdfBufferCache.size >= CACHE_MAX_SIZE) {
-			const firstKey = pdfBufferCache.keys().next().value;
-			pdfBufferCache.delete(firstKey);
-		}
-		pdfBufferCache.set(filename, { buffer: buffer, cachedAt: Date.now() });
-	}
-
-	function getCachedBuffer(filename) {
-		const entry = pdfBufferCache.get(filename);
-		if (!entry) return null;
-		if (Date.now() - entry.cachedAt > CACHE_TTL) {
-			pdfBufferCache.delete(filename);
-			return null;
-		}
-		return entry.buffer;
-	}
-
 	// Listen for postMessage from iframe
 	window.addEventListener('message', function (event) {
 		// Security: Only accept messages from same origin
@@ -79,21 +53,6 @@
 			}
 		}
 
-		// PDF buffer from viewer - cache it
-		if (event.data && event.data.type === 'pdf-secure-buffer') {
-			// Source verification: only accept buffers from pdf-secure iframes
-			var isFromSecureIframe = false;
-			document.querySelectorAll('.pdf-secure-iframe').forEach(function (f) {
-				if (f.contentWindow === event.source) isFromSecureIframe = true;
-			});
-			if (!isFromSecureIframe) return;
-
-			const { filename, buffer } = event.data;
-			if (filename && buffer) {
-				setCachedBuffer(filename, buffer);
-			}
-		}
-
 		// Fullscreen toggle request from iframe viewer
 		if (event.data && event.data.type === 'pdf-secure-fullscreen-toggle') {
 			var sourceIframe = document.querySelector('.pdf-secure-iframe');
@@ -135,35 +94,6 @@
 			}
 		}
 
-		// Viewer asking for cached buffer
-		if (event.data && event.data.type === 'pdf-secure-cache-request') {
-			// Source verification: only respond to pdf-secure iframes
-			var isFromSecureIframe = false;
-			document.querySelectorAll('.pdf-secure-iframe').forEach(function (f) {
-				if (f.contentWindow === event.source) isFromSecureIframe = true;
-			});
-			if (!isFromSecureIframe) return;
-
-			const { filename } = event.data;
-			const cached = getCachedBuffer(filename);
-			if (cached && event.source) {
-				// Send cached buffer to viewer (transferable for 0-copy)
-				// Clone once: keep original in cache, transfer the copy
-				const copy = cached.slice(0);
-				event.source.postMessage({
-					type: 'pdf-secure-cache-response',
-					filename: filename,
-					buffer: copy
-				}, event.origin, [copy]);
-			} else if (event.source) {
-				// No cache, viewer will fetch normally
-				event.source.postMessage({
-					type: 'pdf-secure-cache-response',
-					filename: filename,
-					buffer: null
-				}, event.origin);
-			}
-		}
 	});
 
 	// Forward fullscreen state changes to all viewer iframes
@@ -300,8 +230,6 @@
 			loadQueue.length = 0;
 			isLoading = false;
 			currentResolver = null;
-			// Clear decrypted PDF buffer cache on navigation
-			pdfBufferCache.clear();
 			// Exit simulated fullscreen on SPA navigation
 			exitSimulatedFullscreen();
 			interceptPdfLinks();
@@ -453,7 +381,8 @@
 			var iframe = document.createElement('iframe');
 			iframe.className = 'pdf-secure-iframe';
 			iframe.style.cssText = 'position:absolute;top:0;left:0;width:100%;height:100%;border:none;z-index:1;';
-			iframe.src = config.relative_path + '/plugins/pdf-secure/viewer?file=' + encodeURIComponent(filename);
+				var tidParam = (ajaxify && ajaxify.data && ajaxify.data.tid) ? '&tid=' + encodeURIComponent(ajaxify.data.tid) : '';
+			iframe.src = config.relative_path + '/plugins/pdf-secure/viewer?file=' + encodeURIComponent(filename) + tidParam;
 			iframe.setAttribute('frameborder', '0');
 			iframe.setAttribute('allowfullscreen', 'true');
 			iframe.setAttribute('allow', 'fullscreen; clipboard-write');

package/static/viewer-app.js

@@ -353,73 +353,29 @@
         }
 
         try {
-            // ============================================
-            // SPA CACHE - Check if parent has cached buffer
-            // ============================================
-            let pdfBuffer = null;
+            // Nonce and key are embedded in HTML config (not fetched from API)
+            const nonce = config.nonce;
+            const decryptKey = config.dk;
+            const decryptIv = config.iv;
 
-            if (window.parent && window.parent !== window) {
-                // Request cached buffer from parent
-                const cachePromise = new Promise((resolve) => {
-                    const handler = (event) => {
-                        if (event.data && event.data.type === 'pdf-secure-cache-response' && event.data.filename === config.filename) {
-                            window.removeEventListener('message', handler);
-                            resolve(event.data.buffer);
-                        }
-                    };
-                    window.addEventListener('message', handler);
-
-                    // Timeout after 100ms
-                    setTimeout(() => {
-                        window.removeEventListener('message', handler);
-                        resolve(null);
-                    }, 100);
+            // Fetch encrypted PDF binary
+            const pdfUrl = config.relativePath + '/api/v3/plugins/pdf-secure/pdf-data?nonce=' + encodeURIComponent(nonce);
+            const pdfRes = await fetch(pdfUrl, { credentials: 'same-origin' });
 
-                    window.parent.postMessage({ type: 'pdf-secure-cache-request', filename: config.filename }, window.location.origin);
-                });
-
-                pdfBuffer = await cachePromise;
-                if (pdfBuffer) {
-                    console.log('[PDF-Secure] Using cached buffer');
-                }
+            if (!pdfRes.ok) {
+                throw new Error('PDF yüklenemedi (' + pdfRes.status + ')');
             }
 
-            // If no cache, fetch from server
-            if (!pdfBuffer) {
-                // Nonce and key are embedded in HTML config (not fetched from API)
-                const nonce = config.nonce;
-                const decryptKey = config.dk;
-                const decryptIv = config.iv;
-
-                // Fetch encrypted PDF binary
-                const pdfUrl = config.relativePath + '/api/v3/plugins/pdf-secure/pdf-data?nonce=' + encodeURIComponent(nonce);
-                const pdfRes = await fetch(pdfUrl, { credentials: 'same-origin' });
+            const encodedBuffer = await pdfRes.arrayBuffer();
+            console.log('[PDF-Secure] Encrypted data received:', encodedBuffer.byteLength, 'bytes');
 
-                if (!pdfRes.ok) {
-                    throw new Error('PDF yüklenemedi (' + pdfRes.status + ')');
-                }
-
-                const encodedBuffer = await pdfRes.arrayBuffer();
-                console.log('[PDF-Secure] Encrypted data received:', encodedBuffer.byteLength, 'bytes');
-
-                // Decrypt AES-256-GCM encrypted data
-                if (decryptKey && decryptIv) {
-                    console.log('[PDF-Secure] Decrypting AES-256-GCM data...');
-                    pdfBuffer = await aesGcmDecode(encodedBuffer, decryptKey, decryptIv);
-                } else {
-                    pdfBuffer = encodedBuffer;
-                }
-
-                // Send buffer to parent for caching (premium/lite only - non-premium must not leak decoded buffer)
-                if ((_cfg.isPremium !== false || _cfg.isLite) && window.parent && window.parent !== window) {
-                    // Clone buffer for parent (we keep original)
-                    const bufferCopy = pdfBuffer.slice(0);
-                    window.parent.postMessage({
-                        type: 'pdf-secure-buffer',
-                        filename: config.filename,
-                        buffer: bufferCopy
-                    }, window.location.origin, [bufferCopy]);  // Transferable
-                }
+            // Decrypt AES-256-GCM encrypted data
+            let pdfBuffer;
+            if (decryptKey && decryptIv) {
+                console.log('[PDF-Secure] Decrypting AES-256-GCM data...');
+                pdfBuffer = await aesGcmDecode(encodedBuffer, decryptKey, decryptIv);
+            } else {
+                pdfBuffer = encodedBuffer;
             }
 
             console.log('[PDF-Secure] PDF decoded successfully');