0

I'm developing a web app which basically opens a pdf file using pdf.js. The pdf file is protected with a password. Here's an extract of the code.

    var the_password = 'thepassword';
    var pdf = 'document.pdf';
    var loading = pdfjsLib.getDocument({ url: pdf, password: the_password });

So on the client side everyone can see my password, and I don't want that as my aim is that no one can use the pdf file outside the web app.

How can I protect the password?

Thanking you in advance.

2
  • 1
    Where does the PDF file come from? If it comes from your web server then deliver a PDF that's encrypted with a random password each time and also pass that random password to the web client in response to an API request from the client. Commented Jun 30, 2020 at 19:06
  • 1
    you should state the actual problem you're trying to solve. eg, why is the pdf password protected? Commented Jun 30, 2020 at 19:12

3 Answers

2

There is nothing to be done to give you 100% certainty that the user will not find out the password. The best thing you can do is obfuscate the JavaScript code to make it not readable for attackers without a high degree of motivation (and usually high skill and a bit of free time to spare).

What can you do instead? Well, be aware that a highly motivated attacker can make a screenshot of the page and run an OCR tool too, so the question would be - how much do you want to invest into mitigating what can-not-be-fixed-by-absolutely-any-means.


1

All data going into the browser can be inspected via the dev console. And all data stored in the browser can also be viewed with the console. One should just assume that NOTHING is safe once it hits the browser.

So what to do...? Without stating what the problem(s) you're trying to solve with having a password protected PDF is, I'll offer a couple ideas.

  1. Convert the PDF on the server side to not have a password when the download comes from an approved origin and/or user.
  2. Convert the PDF per user on download, each with its own password. It could be a hash of some of the user attributes that could be calculated in the browser. This could also double as a watermark.
  3. Send the password out of band (email, sms) and have the user enter it into the UI.
  4. (added after last comment) Use a DRM system for PDFs. Adobe has a content-server.

An issue with #2 is that somebody could find your hashing algorithm in the JS code, and the password per file could be figured out. But you'd know who did it.

3 Comments

Thanks for your answer. The pdf file is a book I'm selling. One who'll buy it can access it for one year. Then he'll have to subscribe again if he wants to consult it after the year is finished. The pdf file can be cached in the web browser. Anyone can go in the cache and copy paste it to their personal folder. This being done they can access it after the year has passed. That's why I have to protect the pdf file with a password.
gotcha... i just added a 3rd idea
it sounds like you really need a DRM service
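
A server-side variant of options 1 and 2 above, as an added example that is not part of the original answers: the password is released only to a session whose subscription is still valid, and it is derived per user with an HMAC keyed by a server-only secret, so it cannot be recomputed from the page's JavaScript and a leaked one can be traced. All names (`SERVER_SECRET`, `subscriptions`, `passwordResponse`, `attributeLeak`) are hypothetical, the sample data is constructed, and encrypting each user's copy of the PDF with the derived password is assumed to happen in separate tooling; an entitled user can still read their own password in the browser.

```javascript
// Added example (Node.js, server side); not code from the thread.
const crypto = require('node:crypto');

// Assumption: the secret exists only on the server (environment or secret store).
const SERVER_SECRET = process.env.PDF_PW_SECRET || 'constructed-demo-secret';

// Constructed sample data: userId -> subscription expiry (ms since epoch).
const subscriptions = new Map([
  ['alice', Date.parse('2021-06-30T00:00:00Z')],
  ['bob', Date.parse('2020-01-01T00:00:00Z')],
]);

// Per-user, per-document password. Keyed HMAC instead of a plain hash of
// user attributes, so knowing the algorithm is not enough to compute it.
function derivePassword(userId, docId) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(JSON.stringify([userId, docId]))
    .digest('hex');
}

// What the password endpoint returns for a request. `session` is assumed to
// come from the app's existing login mechanism.
function passwordResponse(session, docId, now = Date.now()) {
  const headers = { 'Cache-Control': 'no-store' }; // keep it out of the HTTP cache
  if (!session || !session.userId) return { status: 401, headers, body: null };
  const expiry = subscriptions.get(session.userId);
  if (expiry === undefined || now >= expiry) {
    return { status: 403, headers, body: null }; // never subscribed, or expired
  }
  return { status: 200, headers, body: derivePassword(session.userId, docId) };
}

// Given a password found in the wild, report which subscriber it was issued to.
function attributeLeak(leaked, docId) {
  const a = Buffer.from(String(leaked));
  for (const userId of subscriptions.keys()) {
    const b = Buffer.from(derivePassword(userId, docId));
    if (a.length === b.length && crypto.timingSafeEqual(a, b)) return userId;
  }
  return null;
}
```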
0

Thanks everyone for your answer.

Indeed, as most of you said, there is no real solution to my problem. But having a password in plain text at the beginning of a javascript file was something I thought everybody would figure out.

So here's what I did:

  1. Create a php file with my password in it

         <?php echo 'password'; ?>

  2. Then, when I need it to load my pdf file with pdf.js, I do an Ajax request

         var xmlhttp = new XMLHttpRequest();
         xmlhttp.onreadystatechange = function() {
             // readyState 4 = request finished, status 200 = OK
             if (this.readyState == 4 && this.status == 200)
             {
                 // The response body is the password returned by filewithpassword.php
                 loading = pdfjsLib.getDocument({ url: pdf_url, password: this.responseText });
             }
         };
         xmlhttp.open("GET", "filewithpassword.php", true);
         xmlhttp.send();

Still, there's an easy way to find the password, but it's still better than the plain text, and I'll stick with this.

Thanks everyone for your help.

1 Comment

this approach for the longest time has been considered not good - en.wikipedia.org/wiki/Security_through_obscurity. It would take someone like myself minutes to reverse this.
