6

I'm investigating how to use the pdfjs viewer to serve a PDF that is behind a protected resource.

From my understanding, this would work if the resource allowed anonymous access: https://app.com/pdf.js/web/viewer.html?file=https://app.com/pdf/{id}

The resource https://app.com/pdf/{id} returns a response with content type application/pdf.

However, that resource requires an OAuth2 token to be present in the authorization header. So is it possible to modify the headers created by the viewer, to include an authorization header and pass the token of the user?

Tommy Jakobsen
  • How about building a proxy service to transform authorization GET params into authorization headers? – Dat Tran Aug 06 '18 at 03:37
  • If you by "GET params" mean query string, and thus exposing authorization info in the URL, I don't think it's a viable solution. – Tommy Jakobsen Aug 06 '18 at 06:09
  • If you send the request with headers, you can still see it when debugging in the network. That's not the point, I think. – Dat Tran Aug 06 '18 at 06:58
  • The headers are encrypted when using HTTPS. The URL is not. – Tommy Jakobsen Aug 06 '18 at 19:39
  • Only the domain is not encrypted, while DNS resolving. The URL is still encrypted. You can check https://stackoverflow.com/questions/499591/are-https-urls-encrypted for more information. So in case of a man in the middle or such, the URL is still safe. – Dat Tran Aug 07 '18 at 02:45

1 Answer

10

PDF.js can read a file in Base64 format (example). So you can use Ajax / an HTTP client to download the binary data with an authorization header, convert it to a Base64 string, then embed it into PDF

Edit: You can set HTTP headers on the PDF getDocument function. So you can store the access token in Web Storage, then get it in the PDF viewer's page

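var loadingTask = pdfjsLib.getDocument({
  url,              // URL of the protected PDF resource
  withCredentials,  // boolean: whether cookies are sent with the request
  httpHeaders: {
    // The question asks for the Authorization header; "abcxyz" is a
    // placeholder for the user's token value.
    Authorization: "abcxyz",
  }
});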
hgiasac
  • Yes, that might work. But then we're losing the ability to utilize HTTP Range Request headers, as supported by pdf.js, when loading through a URL. If possible, we would prefer to support that. – Tommy Jakobsen Aug 05 '18 at 19:19
  • Update. A header can be added to the getDocument function. So you can store the access token in Web Storage, then include it when loading the file. If the web is on the same domain, you can share data in Web Storage – hgiasac Aug 06 '18 at 03:05
  • I think you're on to something here. "share data in web storage" might be the solution here. I'll look into it. – Tommy Jakobsen Aug 06 '18 at 06:07
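The httpHeaders approach from the answer, as an added example that is not part of the original posts: it builds the getDocument parameters from the viewer's file value and attaches the token only when the PDF is on a trusted origin, so a crafted file value cannot cause the token to be sent to another host. The storage key access_token, the Bearer scheme, the allowlist and the helper name buildDocumentParams are assumptions.

```javascript
// Added example, not code from the original answer or from the PDF.js project.
const TRUSTED_ORIGINS = new Set(["https://app.com"]); // origin used in the question
const TOKEN_KEY = "access_token"; // hypothetical Web Storage key

// Build the parameter object for pdfjsLib.getDocument(). The Authorization
// header is attached only when the requested file is on a trusted origin.
function buildDocumentParams(fileParam, pageUrl, storage) {
  if (!fileParam) {
    throw new Error("missing file parameter");
  }
  let target;
  try {
    target = new URL(fileParam, pageUrl); // also resolves relative values
  } catch (e) {
    throw new Error("invalid file parameter");
  }
  if (target.protocol !== "https:") {
    throw new Error("refusing non-HTTPS PDF URL");
  }
  // Loading by URL (rather than Base64 data) keeps range requests available.
  const params = { url: target.href, withCredentials: false };
  const token = storage.getItem(TOKEN_KEY);
  if (token && TRUSTED_ORIGINS.has(target.origin)) {
    // "Bearer" is the assumed scheme for the OAuth2 token.
    params.httpHeaders = { Authorization: "Bearer " + token };
  }
  return params;
}

// Browser usage inside the viewer page (skipped where pdfjsLib is absent).
if (typeof pdfjsLib !== "undefined" && typeof sessionStorage !== "undefined") {
  const file = new URLSearchParams(location.search).get("file");
  const loadingTask = pdfjsLib.getDocument(
    buildDocumentParams(file, location.href, sessionStorage));
  loadingTask.promise.then((pdf) => console.log("pages:", pdf.numPages));
}
```

The storage argument is injected so the same function can be exercised with sessionStorage, localStorage or a stub.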