feat: add /api/md-to-pdf route to allow downloading of markdown files from docs (#2151)

marcklingen · github-advanced-security[bot] · ellipsis-dev[bot] · web-flow · commit ea62dcc7dbfb · 2025-10-02T20:31:52.000Z
* feat: add /api/md-to-pdf route to allow downloading of markdown files from docs

* Potential fix for code scanning alert no. 28: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;

* add langfuse.com

* cdn cache headers

* skip dev

* add to privacy

* make a bit nicer

* add to cookie policy

* push

* Update pages/api/md-to-pdf.ts

Co-authored-by: ellipsis-dev[bot] &lt;65095814+ellipsis-dev[bot]@users.noreply.github.com&gt;

* fix

* skip link validation

---------

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
Co-authored-by: ellipsis-dev[bot] &lt;65095814+ellipsis-dev[bot]@users.noreply.github.com&gt;
diff --git a/components/MainContentWrapper.tsx b/components/MainContentWrapper.tsx
@@ -32,6 +32,7 @@ const pathsWithCopyAsMarkdownButton = [
   "/faq",
   "/integrations",
   "/handbook",
+  "/security",
 ];
 const isCustomerStory = (pathname: string) =>
   pathname.startsWith("/customers/");
diff --git a/package.json b/package.json
@@ -54,6 +54,7 @@
     "@radix-ui/react-use-controllable-state": "^1.2.2",
     "@react-three/drei": "^9.120.4",
     "@react-three/fiber": "^8.17.10",
+    "@sparticuz/chromium": "^140.0.0",
     "@supabase/supabase-js": "^2.47.10",
     "@tanstack/react-table": "^8.20.6",
     "@vercel/functions": "^2.2.2",
@@ -73,6 +74,7 @@
     "katex": "^0.16.22",
     "langfuse": "^3.38.4",
     "lucide-react": "^0.469.0",
+    "marked": "^16.3.0",
     "nanoid": "^5.1.5",
     "next": "^15.2.4",
     "next-sitemap": "^4.2.3",
@@ -82,6 +84,7 @@
     "postcss": "^8.4.49",
     "posthog-js": "^1.203.1",
     "posthog-node": "^5.1.1",
+    "puppeteer-core": "^24.23.0",
     "react": "^18.3.1",
     "react-country-flag": "^3.1.0",
     "react-dom": "^18.3.1",
@@ -105,6 +108,7 @@
     "@types/react-syntax-highlighter": "^15.5.13",
     "cross-env": "^7.0.3",
     "markdown-link-check": "^3.13.6",
+    "puppeteer": "^24.23.0",
     "typescript": "^5.6.3",
     "xml2js": "^0.6.2"
   },
diff --git a/pages/api/md-to-pdf.ts b/pages/api/md-to-pdf.ts
@@ -0,0 +1,307 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+import { marked } from "marked";
+
+// Allowed hostnames for markdown sourcing. Only fetch markdown from trusted hosts.
+const ALLOWED_HOSTNAMES = [
+  "langfuse.com",
+  "raw.githubusercontent.com",
+  "github.com",
+];
+
+/**
+ * Remove anchor tags from headings (e.g., [#anchor-id])
+ * These are useful for web navigation but not needed in PDFs
+ */
+function removeAnchorTags(content: string): string {
+  // Match [#anchor-id] at the end of headings
+  return content.replace(/\s*\[#[\w-]+\]/g, "");
+}
+
+/**
+ * Process MDX Callout components and convert them to HTML divs
+ * Supports types: info, warn, warning, error, danger
+ */
+function processCallouts(content: string): string {
+  // Match <Callout type="...">...</Callout> (including self-closing and multiline)
+  const calloutRegex =
+    /<Callout\s+type=["'](\w+)["']\s*>([\s\S]*?)<\/Callout>/g;
+
+  return content.replace(calloutRegex, (match, type, innerContent) => {
+    // The innerContent might contain markdown that will be processed later
+    // Wrap it in a special div that we'll style
+    return `<div class="callout callout-${type}">${innerContent}</div>`;
+  });
+}
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse
+) {
+  try {
+    // Get the markdown URL from query parameters
+    const { url, disposition } = req.query;
+
+    if (!url || typeof url !== "string") {
+      return res.status(400).json({
+        error: "Missing or invalid 'url' query parameter",
+      });
+    }
+
+    // Validate URL
+    let markdownUrl: URL;
+    try {
+      markdownUrl = new URL(url);
+    } catch (error) {
+      return res.status(400).json({
+        error: "Invalid URL format",
+      });
+    }
+
+    // Check hostname against allow-list to prevent SSRF in production
+    // Skip in dev to allow for tests against devserver
+    if (
+      process.env.NODE_ENV !== "development" &&
+      !ALLOWED_HOSTNAMES.includes(markdownUrl.hostname)
+    ) {
+      return res.status(400).json({
+        error: `Fetching from ${markdownUrl.hostname} is not permitted.`,
+        allowed: ALLOWED_HOSTNAMES,
+      });
+    }
+
+    // Fetch the markdown content
+    const response = await fetch(markdownUrl.toString());
+
+    if (!response.ok) {
+      return res.status(response.status).json({
+        error: `Failed to fetch markdown: ${response.statusText}`,
+      });
+    }
+
+    let markdownContent = await response.text();
+
+    // Strip frontmatter (YAML between --- delimiters)
+    markdownContent = markdownContent.replace(
+      /^---\r?\n[\s\S]*?\r?\n---\r?\n/,
+      ""
+    );
+
+    // Remove anchor tags from headings (not needed in PDF)
+    markdownContent = removeAnchorTags(markdownContent);
+
+    // Convert markdown to HTML
+    let htmlContent = await marked.parse(markdownContent);
+
+    // Process Callout components in the HTML
+    htmlContent = processCallouts(htmlContent);
+
+    // Create a complete HTML document with styling
+    const fullHtml = `
+      <!DOCTYPE html>
+      <html>
+        <head>
+          <meta charset="UTF-8">
+          <style>
+            body {
+              font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+              line-height: 1.6;
+              color: #333;
+              max-width: 800px;
+              margin: 0 auto;
+              padding: 20px;
+            }
+            h1, h2, h3, h4, h5, h6 {
+              margin-top: 24px;
+              margin-bottom: 16px;
+              font-weight: 600;
+              line-height: 1.25;
+            }
+            h1 { font-size: 2em; border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; }
+            h2 { font-size: 1.5em; border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; }
+            h3 { font-size: 1.25em; }
+            h4 { font-size: 1em; }
+            h5 { font-size: 0.875em; }
+            h6 { font-size: 0.85em; color: #6a737d; }
+            p { margin-bottom: 16px; }
+            a { color: #0366d6; text-decoration: none; }
+            a:hover { text-decoration: underline; }
+            code {
+              background-color: rgba(27, 31, 35, 0.05);
+              border-radius: 3px;
+              padding: 0.2em 0.4em;
+              font-family: 'SFMono-Regular', Consolas, 'Liberation Mono', Menlo, monospace;
+              font-size: 85%;
+            }
+            pre {
+              background-color: #f6f8fa;
+              border-radius: 3px;
+              padding: 16px;
+              overflow: auto;
+              line-height: 1.45;
+            }
+            pre code {
+              background-color: transparent;
+              padding: 0;
+            }
+            blockquote {
+              border-left: 4px solid #dfe2e5;
+              padding-left: 16px;
+              color: #6a737d;
+              margin-left: 0;
+            }
+            ul, ol {
+              margin-bottom: 16px;
+              padding-left: 2em;
+            }
+            li {
+              margin-bottom: 4px;
+            }
+            table {
+              border-collapse: collapse;
+              width: 100%;
+              margin-bottom: 16px;
+            }
+            table th, table td {
+              border: 1px solid #dfe2e5;
+              padding: 6px 13px;
+            }
+            table th {
+              background-color: #f6f8fa;
+              font-weight: 600;
+            }
+            img {
+              max-width: 100%;
+              height: auto;
+            }
+            hr {
+              border: 0;
+              border-top: 1px solid #eaecef;
+              margin: 24px 0;
+            }
+            .source-url {
+              color: #6a737d;
+              font-size: 0.875em;
+              padding: 12px 0;
+              margin-bottom: 24px;
+              border-bottom: 2px solid #eaecef;
+              word-break: break-all;
+            }
+            .source-url strong {
+              color: #24292e;
+              font-weight: 600;
+            }
+            /* Callout component styles */
+            .callout {
+              padding: 16px;
+              margin: 16px 0;
+              border-radius: 6px;
+              border-left: 4px solid;
+              background-color: #f6f8fa;
+              page-break-inside: avoid;
+            }
+            .callout p:first-child {
+              margin-top: 0;
+            }
+            .callout p:last-child {
+              margin-bottom: 0;
+            }
+            .callout-info {
+              border-left-color: #0969da;
+              background-color: #ddf4ff;
+            }
+            .callout-warn,
+            .callout-warning {
+              border-left-color: #d4a72c;
+              background-color: #fff8dc;
+            }
+            .callout-error,
+            .callout-danger {
+              border-left-color: #cf222e;
+              background-color: #ffebe9;
+            }
+          </style>
+        </head>
+        <body>
+          <div class="source-url">
+            <strong>Source:</strong> ${markdownUrl.toString()}<br/>
+            <strong>PDF created at:</strong> ${new Date().toISOString()}
+          </div>
+          ${htmlContent}
+        </body>
+      </html>
+    `;
+
+    // Launch Puppeteer and generate PDF
+    // Use local Chrome for development, serverless Chromium for production
+    const isDev = process.env.NODE_ENV === "development";
+
+    let browser;
+    if (isDev) {
+      // Use puppeteer with bundled Chromium for local development
+      const puppeteer = await import("puppeteer");
+      browser = await puppeteer.default.launch({
+        headless: true,
+        args: ["--no-sandbox", "--disable-setuid-sandbox"],
+      });
+    } else {
+      // Use puppeteer-core with serverless Chromium for production
+      const puppeteerCore = await import("puppeteer-core");
+      const chromium = await import("@sparticuz/chromium");
+      browser = await puppeteerCore.default.launch({
+        args: chromium.default.args,
+        executablePath: await chromium.default.executablePath(),
+        headless: true,
+      });
+    }
+
+    try {
+      const page = await browser.newPage();
+      await page.setContent(fullHtml, { waitUntil: "networkidle0" });
+
+      const pdf = await page.pdf({
+        format: "A4",
+        printBackground: true,
+        margin: {
+          top: "1cm",
+          right: "1cm",
+          bottom: "1cm",
+          left: "1cm",
+        },
+      });
+
+      // Extract filename from URL
+      const pathname = markdownUrl.pathname;
+      const filename = pathname.split("/").pop() || "document.md";
+      const pdfFilename = filename.replace(/\.mdx?$/i, ".pdf");
+
+      // Determine content disposition (default to inline)
+      const contentDisposition =
+        disposition === "download" ? "attachment" : "inline";
+
+      // Set response headers
+      res.setHeader("Content-Type", "application/pdf");
+      res.setHeader(
+        "Content-Disposition",
+        `${contentDisposition}; filename="${pdfFilename}"`
+      );
+      res.setHeader("Content-Length", pdf.length);
+      // Cache for 60 seconds on CDN, serve stale while revalidating for 24 hours
+      res.setHeader(
+        "Cache-Control",
+        "public, s-maxage=60, stale-while-revalidate=86400"
+      );
+
+      // Send the PDF as a buffer
+      res.status(200).end(pdf);
+    } finally {
+      // Ensure browser is always closed, even if an error occurs
+      await browser.close();
+    }
+  } catch (error) {
+    console.error("Error generating PDF:", error);
+    res.status(500).json({
+      error: "Internal server error while generating PDF",
+      message: "An unexpected error occurred.",
+    });
+  }
+}
diff --git a/pages/cookie-policy.mdx b/pages/cookie-policy.mdx
@@ -4,7 +4,7 @@ title: Cookie Policy
 
 # Cookie Policy
 
-Last updated: May 06, 2024
+**Last updated: May 06, 2024 | <a href="/api/md-to-pdf?url=https://langfuse.com/cookie-policy.md" target="_blank">download as PDF</a>**
 
 This Cookie Policy explains how **Langfuse GmbH** ("Company," "we," "us," and "our") uses cookies and similar technologies to recognize you when you visit our website at https://www.langfuse.com ("Website"). It explains what these technologies are and why we use them, as well as your rights to control our use of them.
 
diff --git a/pages/privacy.mdx b/pages/privacy.mdx
@@ -4,7 +4,7 @@ title: Privacy Policy
 
 # Privacy Policy
 
-**Last updated February 27th, 2025**
+**Last updated February 27th, 2025 | <a href="/api/md-to-pdf?url=https://langfuse.com/privacy.md" target="_blank">download as PDF</a>**
 
 This privacy notice for **Langfuse GmbH** (doing business as **Langfuse**) ("**we**," "**us**," or "**our**"), describes how and why we might collect, store, use, and/or share ("**process**") your information when you use our services ("**Services**"), such as when you:
 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/scripts/check-links.js b/scripts/check-links.js
