Our state of the art Gantt chart


Post by brianfoster »

Hi All,
My team is implementing PDF Export for the React Bryntum Gantt component. (We are running an AWS ECS task from the public Docker image bryntum/pdf-export-server:1.0.1.)

1. We've noticed that there are (at least?) two possible protocols between the client (Gantt component) and server (PDF Export Server). Can the Bryntum team please confirm these protocols, and the difference in file storage behavior on the server?

PROTOCOL A
By default (saveAsBinary as false), this is the protocol between the Bryntum Gantt UI component & the PDF Export Server:

Step 1
POST to https://pdfexporttest.foo.net/
response: (object including URL of download link)
(note, download link is returned as http due to traffic between our load balancer and the PDF Export Server. This is expected due to our infra setup, and the behavior of the PDF Export Server.)

Step 2
GET to http://pdfexporttest.foo.net/lH9CGymcCq3BdP6nsMS_n
response: file

PROTOCOL B
With "saveAsBinary" passed in as true in the request to the server, the file is returned directly in the response to the 1st request. There isn't any user-facing behavior difference. This results in a single https call.

Step 1
POST to https://pdfexporttest.foo.net/
response: file binary

2. In PROTOCOL A, the PDF Export Server stores the file in-memory for 10 seconds in the server. This seems like a potential security-by-obscurity vulnerability, which caused us to choose PROTOCOL B as mandatory. Can the Bryntum team please confirm that if, within a 10-second window using PROTOCOL A, the File Key was known, the GET endpoint (GET file by key) could be used to fetch a file stored on the PDF Export Server?

3. With limited config on the client-side, we were looking for an opportunity to insert an authorization step like HMAC between client & server. Does Bryntum expose this type of functionality for Gantt PDF Export?

4. We wish to confirm -- the intent of the simplest approach from Bryntum seems to be that we provision a PUBLICLY AVAILABLE endpoint for this PDF Export Server. Is this accurate? The alternative seems to be proxying the call from Gantt component UI -> some backend -> PDF Export Server and back to the UI... but I didn't see this pattern mentioned in the docs.

5. Are there any performance or functional concerns to be aware of, around the sendAsBinary config setting?

6. Any best practices, recommendations, or security items to be aware of, for the production deployment of the PDF Export Server? I'll admit - some more robust documentation around this area would make me a bit more confident as a customer of this feature from Bryntum. THANK YOU in advance for any help!

-Brian Foster


Post by Maxim Gorkovsky »

Hello.

brianfoster wrote: Wed May 24, 2023 9:59 pm
  1. We've noticed that there are (at least?) two possible protocols between the client (Gantt component) and server (PDF Export Server). Can the Bryntum team please confirm these protocols, and the difference in file storage behavior on the server?

Protocol A sends back the link; as you mentioned, the link is valid for 10 seconds or until the first download, whichever is sooner. Protocol B sends back the binary and doesn't store anything.

brianfoster wrote: Wed May 24, 2023 9:59 pm
  2. In PROTOCOL A, the PDF Export Server stores the file in-memory for 10 seconds in the server. This seems like a potential security-by-obscurity vulnerability, which caused us to choose PROTOCOL B as mandatory. Can the Bryntum team please confirm that if, within a 10-second window using PROTOCOL A, the File Key was known, the GET endpoint (GET file by key) could be used to fetch a file stored on the PDF Export Server?

The file gets deleted after the first request, which usually happens right after the first server response, unless the page is reloaded or there's a listener intended to handle the link differently. It is difficult to imagine anyone trying to guess a hash in a 10s window. Denial of service is a more realistic possibility.

brianfoster wrote: Wed May 24, 2023 9:59 pm
  3. With limited config on the client-side, we were looking for an opportunity to insert an authorization step like HMAC between client & server. Does Bryntum expose this type of functionality for Gantt PDF Export?

Unfortunately, the PDF server does not have any authorization/authentication capabilities.

brianfoster wrote: Wed May 24, 2023 9:59 pm
  4. We wish to confirm -- the intent of the simplest approach from Bryntum seems to be that we provision a PUBLICLY AVAILABLE endpoint for this PDF Export Server. Is this accurate? The alternative seems to be proxying the call from Gantt component UI -> some backend -> PDF Export Server and back to the UI... but I didn't see this pattern mentioned in the docs.

Yes, this is correct. We did not cover proxying requests because there is nothing special about it, just the regular considerations for using a proxy server: which URLs to proxy and where.

brianfoster wrote: Wed May 24, 2023 9:59 pm
  5. Are there any performance or functional concerns to be aware of, around the sendAsBinary config setting?

No.

brianfoster wrote: Wed May 24, 2023 9:59 pm
  6. Any best practices, recommendations, or security items to be aware of, for the production deployment of the PDF Export Server? I'll admit - some more robust documentation around this area would make me a bit more confident as a customer of this feature from Bryntum. THANK YOU in advance for any help!

Nothing extra comes to mind. All recommendations can be found in the documentation.
Speaking of more robust documentation about "this area", could you please elaborate? It is difficult to get rid of tunnel vision when writing docs, e.g. I personally think they cover almost everything that is possible and have no idea what else could be covered by the docs. :) I suppose some of my answers could go into a new FAQ section because there's not much to explain.
