flaskpaste: initial commit with security hardening

Features: - REST API for text/binary pastes with MIME detection - Client certificate auth via X-SSL-Client-SHA1 header - SQLite with WAL mode for concurrent access - Automatic paste expiry with LRU cleanup Security: - HSTS, CSP, X-Frame-Options, X-Content-Type-Options - Cache-Control: no-store for sensitive responses - X-Request-ID tracing for log correlation - X-Proxy-Secret validation for defense-in-depth - Parameterized queries, input validation - Size limits (3 MiB anon, 50 MiB auth) Includes /health endpoint, container support, and 70 tests.
2025-12-16 04:42:18 +01:00
commit 8f9868f0d9
21 changed files with 2588 additions and 0 deletions
--- a/app/api/init.py
+++ b/app/api/init.py
@@ -0,0 +1,32 @@
+"""API blueprint registration."""
+
+import time
+
+from flask import Blueprint, current_app
+
+bp = Blueprint("api", __name__)
+
+# Throttle cleanup to run at most once per hour
+_last_cleanup = 0
+_CLEANUP_INTERVAL = 3600  # 1 hour
+
+
+@bp.before_request
+def cleanup_expired():
+    """Periodically clean up expired pastes."""
+    global _last_cleanup
+
+    now = time.time()
+    if now - _last_cleanup < _CLEANUP_INTERVAL:
+        return
+
+    _last_cleanup = now
+
+    from app.database import cleanup_expired_pastes
+
+    count = cleanup_expired_pastes()
+    if count > 0:
+        current_app.logger.info(f"Cleaned up {count} expired paste(s)")
+
+
+from app.api import routes  # noqa: E402, F401