Skip to content

Add support for AuthEvent#20732

Closed
wooorm wants to merge 1 commit into
mozilla:masterfrom
wooorm:wooorm/auth-event
Closed

Add support for AuthEvent#20732
wooorm wants to merge 1 commit into
mozilla:masterfrom
wooorm:wooorm/auth-event

Conversation

@wooorm

@wooorm wooorm commented Feb 24, 2026

Copy link
Copy Markdown
Collaborator

Hi!

This solves GH-20049, it’s an alternative to GH-20140. The analysis is a bit different. It builds on my comment in the other issue, and the fact that they are separate things.

To recap, it is possible to have a document plain text but have attachments encrypted. In that case, instead of prompting upfront, PDFs can prompt later with /AuthEvent /EFOpen. The default is /AuthEvent /DocOpen. Which is typical. So /AuthEvent is uncommon.

So, separate things:

This PR stops prompting for a password on doc open if there is an /AuthEvent /EFOpen. It also does not list delayed encrypted attachments in the sidebar. It does that to prevent an infinite loading screen in a known case but also so that there is a place marked in the code where future logic, after GH-20139, can support lazily decrypting attachments.

Comment thread src/core/catalog.js
Comment on lines +1063 to +1064
// As it stands, we can at least avoid users getting to an infinite loader
// in the case of `decryptOnAttachmentOpen`.

@nicolo-ribaudo nicolo-ribaudo Mar 3, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we console.warn something like "there are encrypted attachments but they are not supported yet"?

Also, question about the PDF format: is it possible to have some encrypted attachments and some not? In this case we should probably still show the non-encrypted ones.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to have some encrypted attachments and some not? In this case we should probably still show the non-encrypted ones.

See the last 2 blockquotes from #20139 (comment).
As I understand it, pdf generators should make PDFs with all attachments encrypted.

There is also the case of encrypted attachments w/o AuthEvent.
I considered looking into it, indeed having a nice warning, but I think it’s better to spend that time into actually solving the issue #20139.

So this also relates to console.warn: this PR does not change encrypted attachment handling. Those are not detected and yield warnings already. This only honors when to ask for a password.

@codecov-commenter

codecov-commenter commented Mar 4, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.81%. Comparing base (909a700) to head (2fbf027).
⚠️ Report is 352 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #20732      +/-   ##
==========================================
+ Coverage   62.77%   62.81%   +0.03%     
==========================================
  Files         169      169              
  Lines      119824   119837      +13     
==========================================
+ Hits        75224    75274      +50     
+ Misses      44600    44563      -37     
Flag Coverage Δ
fonttest 7.66% <ø> (+0.02%) ⬆️
unittestcli 62.78% <100.00%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

This solves mozillaGH-20049, it’s an alternative to mozillaGH-20140.
The analysis is a bit different. It builds on [my comment in the other issue](mozilla#20139 (comment)), and the fact that they are *separate* things.

To recap, it is possible to have a document plain text but have attachments encrypted.
In that case, instead of prompting upfront, PDFs can prompt later with `/AuthEvent /EFOpen`.
The default is `/AuthEvent /DocOpen`. Which is typical. So `/AuthEvent` is uncommon.

So, separate things:
* encrypted attachments (regardless of `/AuthEvent`) (mozillaGH-20139)
* `/AuthEvent /EFOpen` (regardless of whether there are attachments) (this issue/PR)

This PR stops prompting for a password on doc open if there is an `/AuthEvent /EFOpen`.
It also does not list delayed encrypted attachments in the sidebar. It does that to prevent an infinite loading screen in a known case but also so that there is a place marked in the code where future logic, after mozillaGH-20139, can support lazily decrypting attachments.
@wooorm wooorm force-pushed the wooorm/auth-event branch from e92ce0c to 2fbf027 Compare March 4, 2026 09:45
@nicolo-ribaudo

Copy link
Copy Markdown
Collaborator

/botio test

@moz-tools-bot

Copy link
Copy Markdown
Collaborator

From: Bot.io (Linux m4)


Received

Command cmd_test from @nicolo-ribaudo received. Current queue size: 1

Live output at: http://54.241.84.105:8877/98dfdbb8ea80820/output.txt

@moz-tools-bot

Copy link
Copy Markdown
Collaborator

From: Bot.io (Windows)


Received

Command cmd_test from @nicolo-ribaudo received. Current queue size: 1

Live output at: http://54.193.163.58:8877/d6a920f112a1e0b/output.txt

@moz-tools-bot

Copy link
Copy Markdown
Collaborator

From: Bot.io (Linux m4)


Failed

Full output at http://54.241.84.105:8877/98dfdbb8ea80820/output.txt

Total script time: 60.00 mins

@moz-tools-bot

Copy link
Copy Markdown
Collaborator

From: Bot.io (Windows)


Failed

Full output at http://54.193.163.58:8877/d6a920f112a1e0b/output.txt

Total script time: 71.67 mins

  • Unit tests: Passed
  • Integration Tests: FAILED
  • Regression tests: FAILED
  different ref/snapshot: 1

Image differences available at: http://54.193.163.58:8877/d6a920f112a1e0b/reftest-analyzer.html#web=eq.log

@nicolo-ribaudo

Copy link
Copy Markdown
Collaborator

The browser in the linux bot just crashed

/botio-linux test

@moz-tools-bot

Copy link
Copy Markdown
Collaborator

From: Bot.io (Linux m4)


Received

Command cmd_test from @nicolo-ribaudo received. Current queue size: 1

Live output at: http://54.241.84.105:8877/da34aa3b5bbce24/output.txt

@moz-tools-bot

Copy link
Copy Markdown
Collaborator

From: Bot.io (Linux m4)


Failed

Full output at http://54.241.84.105:8877/da34aa3b5bbce24/output.txt

Total script time: 44.10 mins

  • Unit tests: Passed
  • Integration Tests: FAILED
  • Regression tests: FAILED
  different ref/snapshot: 1

Image differences available at: http://54.241.84.105:8877/da34aa3b5bbce24/reftest-analyzer.html#web=eq.log

Comment thread src/core/xref.js
// But it is at least possible to honour `/AuthEvent /EFOpen` by not
// asking for a password on document open.
this.decryptOnAttachmentOpen =
encrypt.get("CF")?.get("StdCF")?.get("AuthEvent")?.name === "EFOpen";

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So here you're reading the encrypt dict without setting suppressEncryption which is in contradiction with the comment below.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It’s been a while, and I think the other PR landing first will require a rework of this PR anyway, but as I understand it:
This part that is read should not be encrypted.
The else branch (not setting things) prevents the trying-to-decrypt-things.
Otherwise, the trying-to-decrypt-things will prompt for the password on open.

Comment thread src/core/xref.js
// But it is at least possible to honour `/AuthEvent /EFOpen` by not
// asking for a password on document open.
this.decryptOnAttachmentOpen =
encrypt.get("CF")?.get("StdCF")?.get("AuthEvent")?.name === "EFOpen";

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You completely ignore the EFF value, right ? Is it a good idea ?

@calixteman calixteman left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried with a pdf with an encrypted attachment and it's fine no password prompt when opening the file, but there's nothing in the attachments view (the button is even disabled).
So overall it looks like a regression.

@nicolo-ribaudo

Copy link
Copy Markdown
Collaborator

but there's nothing in the attachments view (the button is even disabled).

The behavior today is that the attachments are shown but clicking on them does nothing. Do you think that behavior is more desirable than not showing the undownloadable attachment at all?

@calixteman

Copy link
Copy Markdown
Contributor

but there's nothing in the attachments view (the button is even disabled).

The behavior today is that the attachments are shown but clicking on them does nothing. Do you think that behavior is more desirable than not showing the undownloadable attachment at all?

Yeah, you're right: it's fair.
Couldn't we try to figure out a good solution instead of replacing a bug by an other one ?
I'm ok to land the patch (maybe it's slightly better like you propose), but it should have a follow-up with a real fix.

@nicolo-ribaudo

Copy link
Copy Markdown
Collaborator

Yeah agree. There are two issues going on:

  1. we do not support encrypted attachments at all ([Bug]: File Attachments do not open when they are encrypted #20139)
  2. we ask for the attachment encryption password on open even if the PDF asks to do it on attachment open ([Bug]: PDF.js wrongly prompts for a password on attachment-only encrypted PDFs. #20049)

We should eventually fix both, and for now this PR only fixes 2.

Fixing (1) is a bit more complex because it requires showing the user a popup on attachment download, touching some paths that are currently synchronous.

@wooorm

wooorm commented May 7, 2026

Copy link
Copy Markdown
Collaborator Author

Okay, see GH-21234!

wooorm added a commit to wooorm/pdf.js that referenced this pull request May 13, 2026
This PR is related to mozillaGH-20732, which is about `AuthEvent` (to delay
promting for a password), but instead adds the actual support for
encrypted attachments.
“Encrypted attachments” means that the main things are plain text.
Note that some PDF viewers, like Preview/QuickLook/Safari or Chrome,
do not support attachments at all.
Note that the file checked into the tests is the same as
`output-no-auth-event.pdf` referenced in
<mozilla#20139 (comment)>.

Closes mozillaGH-20139.
wooorm added a commit to wooorm/pdf.js that referenced this pull request May 19, 2026
This PR is related to mozillaGH-20732, which is about `AuthEvent` (to delay
promting for a password), but instead adds the actual support for
encrypted attachments.
“Encrypted attachments” means that the main things are plain text.
Note that some PDF viewers, like Preview/QuickLook/Safari or Chrome,
do not support attachments at all.
Note that the file checked into the tests is the same as
`output-no-auth-event.pdf` referenced in
<mozilla#20139 (comment)>.

Closes mozillaGH-20139.
wooorm added a commit to wooorm/pdf.js that referenced this pull request May 28, 2026
This PR is related to mozillaGH-20732, which is about `AuthEvent` (to delay
promting for a password), but instead adds the actual support for
encrypted attachments.
“Encrypted attachments” means that the main things are plain text.
Note that some PDF viewers, like Preview/QuickLook/Safari or Chrome,
do not support attachments at all.
Note that the file checked into the tests is the same as
`output-no-auth-event.pdf` referenced in
<mozilla#20139 (comment)>.

Closes mozillaGH-20139.
@wooorm

wooorm commented May 28, 2026

Copy link
Copy Markdown
Collaborator Author

Closing, GH-21351 is a proper version.

@wooorm wooorm closed this May 28, 2026
wooorm added a commit to wooorm/pdf.js that referenced this pull request Jun 1, 2026
Normally entire PDFs are encrypted (or not).
But it is also possible to only encrypt attachments.
It is then also possible to *only* prompt for a password when the user opens
them.

In the existing flow, prompting for passwords happens because things are decrypted.
A specific error is thrown, caught, and the user is prompted.
To keep this flow working, this PR changes to decrypting attachments on demand,
instead of eagerly.
This sounds logical: to not read attachments on startup.

I’ve extensively tested this, not only with regular attachments, but also with outline items
and attachments in annotations.

This PR builds on mozillaGH-21234.
It’s an alternative to the naïve mozillaGH-20732.

Closes mozillaGH-20049.
wooorm added a commit to wooorm/pdf.js that referenced this pull request Jun 3, 2026
Normally entire PDFs are encrypted (or not).
But it is also possible to only encrypt attachments.
It is then also possible to *only* prompt for a password when the user opens
them.

In the existing flow, prompting for passwords happens because things are decrypted.
A specific error is thrown, caught, and the user is prompted.
To keep this flow working, this PR changes to decrypting attachments on demand,
instead of eagerly.
This sounds logical: to not read attachments on startup.

I’ve extensively tested this, not only with regular attachments, but also with outline items
and attachments in annotations.

This PR builds on mozillaGH-21234.
It’s an alternative to the naïve mozillaGH-20732.

Closes mozillaGH-20049.
wooorm added a commit to wooorm/pdf.js that referenced this pull request Jun 3, 2026
Normally entire PDFs are encrypted (or not).
But it is also possible to only encrypt attachments.
It is then also possible to *only* prompt for a password when the user opens
them.

In the existing flow, prompting for passwords happens because things are decrypted.
A specific error is thrown, caught, and the user is prompted.
To keep this flow working, this PR changes to decrypting attachments on demand,
instead of eagerly.
This sounds logical: to not read attachments on startup.

I’ve extensively tested this, not only with regular attachments, but also with outline items
and attachments in annotations.

This PR builds on mozillaGH-21234.
It’s an alternative to the naïve mozillaGH-20732.

Closes mozillaGH-20049.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: PDF.js wrongly prompts for a password on attachment-only encrypted PDFs.

6 participants