I'm doing something similar, but storing the PDFs in Redis and serving them from Openresty/Nginx. If you use the password function in Redis it would be a little harder to compromise than leaving the PDFs on the filesystem.