We are evaluating PDF.js Express and are seeing that we (of course) need to set a license, which is checked / validated / tracked using a request to auth.pdfjs.express. We would like to not have to do this for many reasons, but mostly privacy.
I understand that a license check is still needed for obvious reasons and that you require us to have a valid license, and I was wondering if something like the following would be possible.
A REST API we can call with our license key (server side) to generate a temporary license that the viewer can validate without making a request to auth.pdfjs.express in the users browser. We are happy to implement generating that temporary key every x hours / days and pass that to the WebViewer.
We would like to prevent having license checks sending user data (at least IPs and when the editor is accessed, possibly more). I hope you can see and understand why we would prefer to keep this check server side and not have a phone-home in our product to infrastructure unrelated to our own.
This would also remove a dependence on your infrastructure being online / accessible for our users (or our users needing to be online). I saw some certificate-related errors and intermittent connection errors in the past that we could prevent by having a temporary key we regenerate every x interval, so we can retry in case you are down or unavailable for a short period of time and not bother our users with a watermark they won’t understand or help.
Happy to discuss further, since I also understand the need to validate that we have a valid license key, but since there is no user/document limit I don’t see why the check needs to happen every time the viewer is loaded in the browser of our users.
PDF.js Express license keys are tied to a single domain, and they only work on that domain. Granting a temporary license would allow users to easily bypass this restriction since the temporary key could just be shared across domains. Also, calling our auth APIs from your server would not let us check which domain the viewer is being used on.
We do this to prevent license keys from being stolen and used by third parties.
I would like to assure you that we do not track any locations, IPs, users, etc. in the request to auth.pdfjs.express; it purely just validates that the domain and license key are valid.
We realize that this authentication flow means that the application needs to have access to the internet. Since this is a SaaS service, this will probably always be the case.
If this is still a concern to you, you can check out our sister product, PDFTron WebViewer. It does not make any calls home and validates the license key client side (since it is not domain locked). It also has the exact same API as Express so moving your prototype over is a breeze.
I hope I explained this well enough! If you have any questions please let me know.
Thank you for this detailed explanation, I totally overlooked the domain requirement… that would indeed make this proposal useless since, as you correctly identified, it would be impossible to validate this when we request a license from our servers.
I have contacted PDFTron (I hate no prices on the websites, but OK) to see what our options are.
Again, I think this rules out any non-home-calling license checks (which makes perfect sense considering the domain per license requirement).