Skip to content

refactor: Remove client-side PDF parsing and add URL support#8

Merged
nickwinder merged 4 commits intomainfrom
fix/api-correctness-issues
Jan 15, 2026
Merged

refactor: Remove client-side PDF parsing and add URL support#8
nickwinder merged 4 commits intomainfrom
fix/api-correctness-issues

Conversation

@jdrhyne
Copy link
Contributor

@jdrhyne jdrhyne commented Jan 13, 2026
edited by nickwinder
Loading

Why

This PR improves API correctness by aligning the SDK with how the server actually works, removing unnecessary client-side complexity.

The previous approach included client-side PDF validation, page counting, and SSRF protection logic. However, this was redundant - the DWS API already handles validation and supports features like negative page indices natively. By removing this client-side processing, we:

  1. Let the server do what it's designed to do
  2. Reduce bundle size (~400 lines removed)
  3. Enable URL support for most methods (server handles fetching)
  4. Simplify the codebase

Summary

  • Remove client-side PDF parsing - Removed getPdfPageCount, isValidPdf, and processRemoteFileInput functions that were doing work the server already handles
  • Add URL support to methods - Most methods now accept FileInputWithUrl, allowing users to pass URLs directly (server fetches them)
  • Leverage API's native negative index support - Use -1 for "last page" instead of client-side page counting
  • Simplify sign() method - Remains the only method requiring local files (API limitation), with clear documentation

@jdrhyne jdrhyne marked this pull request as ready for review January 13, 2026 06:19
@jdrhyne jdrhyne requested a review from nickwinder January 13, 2026 15:32
nickwinder and others added 2 commits January 15, 2026 12:00
@nickwinder
fix: API correctness issues (SSRF protection, docs alignment)
9d70586 
- Add allowUrlFetch option to client options (default: false)
- Block automatic URL fetching by default for SSRF protection
- Validate URL protocols (only http/https allowed)
- Add helper method normalizeFileInput() to client
- Update README.md with import statement in Quick Start
- Add SSRF protection documentation section to README
- Update and add tests for SSRF protection behavior

Security: SSRF protection requires explicit opt-in for URL fetching.
Users must set allowUrlFetch: true to enable client-side URL fetching.
@nickwinder @claude
Remove client-side PDF parsing and add URL support to methods
00cc18e 
- Remove getPdfPageCount, isValidPdf, and processRemoteFileInput functions
- Remove allowUrlFetch client option (SSRF protection by design)
- Most methods now accept FileInputWithUrl - URLs passed to server
- Leverage API's native negative index support (-1 = last page)
- sign() remains the only method requiring local files (API limitation)
- Reduces bundle size by ~400 lines of PDF parsing code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@nickwinder nickwinder force-pushed the fix/api-correctness-issues branch from 3dd01ee to 00cc18e Compare January 15, 2026 00:35
@nickwinder nickwinder self-assigned this Jan 15, 2026
@nickwinder nickwinder marked this pull request as draft January 15, 2026 00:35
@nickwinder nickwinder changed the title fix: API correctness issues from security review refactor: Remove client-side PDF parsing and add URL support Jan 15, 2026
@nickwinder @claude
Fix CI: Replace non-null assertions with undefined checks
5328b79 
ESLint forbids non-null assertions (!). Replaced array index accesses
with explicit undefined checks that TypeScript can verify.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@nickwinder nickwinder marked this pull request as ready for review January 15, 2026 03:18
HungKNguyen
HungKNguyen approved these changes Jan 15, 2026
View reviewed changes
Copy link
Collaborator

@HungKNguyen HungKNguyen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One comment about the type checking for Action with File Input. Per DWS documentation that also support UrlInput. Also we might want to change the Python library as well, to match this new behavior

@nickwinder @claude
Fix code quality issues from PR review
58da9af 
- Replace unsafe type assertion (as unknown as T) with getRemoteUrl() helper
- Validate HTML assets upfront before calling registerAssets
- Add comprehensive tests for URL support in action file inputs
- Remove unused import and fix linting issues

All 266 tests pass. Fixes all issues identified in PR #8 review.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@nickwinder
Copy link
Collaborator

nickwinder commented Jan 15, 2026

Yeah you're right. I've followed up with a commit to support URLs for Action files

@nickwinder nickwinder merged commit 358cfd6 into main Jan 15, 2026
10 checks passed
@HungKNguyen HungKNguyen mentioned this pull request Jan 30, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HungKNguyen HungKNguyen HungKNguyen approved these changes

@nickwinder nickwinder Awaiting requested review from nickwinder

Assignees

@nickwinder nickwinder

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jdrhyne @nickwinder @HungKNguyen