Merge pull request #99 from auth0/feat/generate-pdf-buffer

vinodpatidar-okta · web-flow · commit 45ab44ed339d · 2026-04-02T10:30:19.000+05:30
feat: add PDF buffer generation via Puppeteer
diff --git a/analyzer/report.js b/analyzer/report.js
@@ -1,5 +1,9 @@
+const fs = require("fs");
 const i18n = require("i18n");
+const path = require("path");
 const _ = require("lodash");
+const Handlebars = require("handlebars");
+const puppeteer = require("puppeteer");
 const listOfAnalyser = require("./lib/listOfAnalyser");
 const {
   getAccessToken,
@@ -24,7 +28,31 @@ const {
 
 const logger = require("./lib/logger");
 const { getSummaryReport } = require("./tools/summary");
-const { convertToTitleCase, tranformReport } = require("./tools/utils");
+const { convertToTitleCase, tranformReport, getToday } = require("./tools/utils");
+const { version } = require("../package.json");
+
+i18n.configure({
+  defaultLocale: "en",
+  objectNotation: true,
+  directory: path.join(__dirname, "../locales")
+});
+
+Handlebars.registerHelper("chooseFont", function (locale) {
+  if (locale === "ja") return "Noto Sans JP, sans-serif";
+  if (locale === "ko") return "Noto Sans KR, sans-serif";
+  return "DM Sans, sans-serif";
+});
+Handlebars.registerHelper("replace", function (str, search, replace) {
+  return str.replace(search, replace);
+});
+Handlebars.registerHelper("and", (a, b) => a && b);
+Handlebars.registerHelper("inc", (a) => parseInt(a) + 1);
+
+const templateData = fs.readFileSync(
+  path.join(__dirname, "../views/pdf_cli_report.handlebars"),
+  "utf8"
+);
+
 async function runProductionChecks(tenant, validators) {
   try {
     logger.log("info", "Checking your configuration...");
@@ -170,7 +198,7 @@ async function generateReport(locale, tenantConfig, config) {
             cd.message = i18n.__(`checkEmailTemplates.${cd.field}`, cd.value);
           });
           break;
-          case "checkErrorPageTemplate":
+        case "checkErrorPageTemplate":
           report.details.forEach((cd) => {
             cd.message = i18n.__(`checkErrorPageTemplate.${cd.field}`, cd.value);
           });
@@ -307,7 +335,7 @@ async function generateReport(locale, tenantConfig, config) {
             });
           });
           break;
-        case "checkPasswordResetMFA":  
+        case "checkPasswordResetMFA":
         case "checkPreRegistrationUserEnumeration":
         case "checkActionsHardCodedValues":
         case "checkDASHardCodedValues":
@@ -334,7 +362,7 @@ async function generateReport(locale, tenantConfig, config) {
                   return `<li>${message}</li>`;
                 }).join("\n");
                 const dasTitle = i18n.__(`${report.name}.action_script_title`,
-                    scriptName);
+                  scriptName);
                 return `<p>${dasTitle}<p>\n<ul>\n${listItems}\n</ul>`;
               });
 
@@ -401,6 +429,84 @@ async function generateReport(locale, tenantConfig, config) {
   }
 }
 
+async function generatePdfBuffer(report, auth0Domain, locale) {
+  locale = locale || "en";
+  const today = await getToday(locale);
+
+  const data = { report, auth0Domain, today, locale, version, config: {} };
+
+  const browser = await puppeteer.launch({
+    headless: true, // Run in headless mode
+    args: [
+      "--no-sandbox", // Disable the sandbox
+      "--disable-setuid-sandbox", // Disable setuid sandbox
+    ],
+  });
+
+  try {
+    const template = Handlebars.compile(templateData);
+    const htmlContent = template({
+      locale: data.locale,
+      data,
+      preamble: data.report.preamble,
+    });
+    const page = await browser.newPage();
+
+    // Disable JS execution in the Puppeteer page. Disabling
+    // JS eliminates the browser-side execution surface during PDF rendering.
+    await page.setJavaScriptEnabled(false);
+
+    // Allowlist only the CDN hostnames the template legitimately loads from
+    // (Bootstrap, Google Fonts). All other outbound requests — including RFC 1918
+    // addresses and cloud metadata endpoints — are aborted to prevent SSRF via
+    // passive resource loading (e.g. <img src="http://169.254.169.254/...">) in
+    // case tenant-controlled data ever reaches an unescaped template field.
+    await page.setRequestInterception(true);
+    page.on("request", (req) => {
+      const url = new URL(req.url());
+      const allowed = [
+        "fonts.googleapis.com",
+        "fonts.gstatic.com",
+        "cdn.jsdelivr.net",
+      ];
+      if (req.resourceType() === "document" || allowed.includes(url.hostname)) {
+        req.continue();
+      } else {
+        req.abort();
+      }
+    });
+
+    await page.setContent(htmlContent, { waitUntil: "networkidle2" });
+
+    const pdfResult = await page.pdf({
+      format: "A4",
+      printBackground: true,
+      displayHeaderFooter: true,
+      headerTemplate: `<div></div>`,
+      footerTemplate: `
+        <div style="font-size:10px; width:100%; padding:10px 0; display:flex; align-items:center; justify-content:space-between; border-top:1px solid #ddd;">
+          <span style="flex:1; text-align:center;">Confidential. For internal evaluation purposes only.</span>
+          <span style="flex:1; text-align:right; padding-right:20px;">Page <span class="pageNumber"></span> of <span class="totalPages"></span></span>
+        </div>`,
+      margin: {
+        top: "20px",
+        bottom: "60px",
+      },
+    });
+    // Puppeteer v20+ returns Uint8Array, not Buffer. Express's res.send() calls
+    // Buffer.isBuffer() and JSON-serialises anything that fails the check,
+    // producing {"0":37,"1":80,...} instead of raw binary. Convert explicitly.
+
+    return Buffer.from(pdfResult);
+  } catch (error) {
+    logger.log("error", `Error generating PDF: ${error}`);
+    throw error;
+  } finally {
+    await browser.close();
+  }
+}
+
 module.exports = {
   generateReport,
+  generatePdfBuffer,
 };
diff --git a/locales/en.json b/locales/en.json
@@ -182,7 +182,7 @@
 		},
 		"no_custom_domains": "This tenant is not configured to use a custom domain. We recommend using custom domains with Universal Login for the most seamless and secure experience for end users. We also highly recommend using custom domains for passkey authentication, given they are tied to a specific domain during enrollment.",
 		"ready": "This tenant is configured to use a custom domain. %s",
-		"pending_verfification": "The tenant's custom domain configuration is incomplete, %s",
+		"pending_verification": "The tenant's custom domain configuration is incomplete, %s",
 		"severity": "High",
 		"status": "red",
 		"severity_message": "Configure a Custom Domain",
@@ -1477,4 +1477,4 @@
 			"https://auth0.com/docs/customize/events/event-testing-observability-and-failure-recovery"
 		]
 	}
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@`
`182`	`182`	`},`
`183`	`183`	`"no_custom_domains": "This tenant is not configured to use a custom domain. We recommend using custom domains with Universal Login for the most seamless and secure experience for end users. We also highly recommend using custom domains for passkey authentication, given they are tied to a specific domain during enrollment.",`
`184`	`184`	`"ready": "This tenant is configured to use a custom domain. %s",`
`185`		`- "pending_verfification": "The tenant's custom domain configuration is incomplete, %s",`
	`185`	`+ "pending_verification": "The tenant's custom domain configuration is incomplete, %s",`
`186`	`186`	`"severity": "High",`
`187`	`187`	`"status": "red",`
`188`	`188`	`"severity_message": "Configure a Custom Domain",`
`@@ -1477,4 +1477,4 @@`
`1477`	`1477`	`"https://auth0.com/docs/customize/events/event-testing-observability-and-failure-recovery"`
`1478`	`1478`	`]`
`1479`	`1479`	`}`
`1480`		`-}`
	`1480`	`+}`