add content-hash dedup for abuse prevention

Throttle repeated submissions of identical content using SHA256 hash
tracking. Configurable via FLASKPASTE_DEDUP_WINDOW and FLASKPASTE_DEDUP_MAX.

app/config.py

@@ -19,6 +19,11 @@ class Config:
     # Paste expiry (default 5 days)
     PASTE_EXPIRY_SECONDS = int(os.environ.get("FLASKPASTE_EXPIRY", 5 * 24 * 60 * 60))
 
+    # Content deduplication / abuse prevention
+    # Throttle repeated submissions of identical content
+    CONTENT_DEDUP_WINDOW = int(os.environ.get("FLASKPASTE_DEDUP_WINDOW", 3600))  # 1 hour
+    CONTENT_DEDUP_MAX = int(os.environ.get("FLASKPASTE_DEDUP_MAX", 3))  # max 3 per window
+
     # Reverse proxy trust configuration
     # SECURITY: The X-SSL-Client-SHA1 header is trusted for authentication.
     # This header MUST only come from a trusted reverse proxy that validates
@@ -47,6 +52,10 @@ class TestingConfig(Config):
     TESTING = True
     DATABASE = ":memory:"
 
+    # Relaxed dedup for testing (100 per second window)
+    CONTENT_DEDUP_WINDOW = 1
+    CONTENT_DEDUP_MAX = 100
+
 
 config = {
     "development": DevelopmentConfig,