Public endpoint allows anyone to obtain a client certificate for
authentication. Features:
- Higher PoW difficulty than paste creation (24 vs 20 bits)
- Auto-generates CA on first registration if not present
- Returns PKCS#12 bundle with cert, key, and CA
- Configurable via FLASKPASTE_REGISTER_POW
Endpoints:
- GET /register/challenge - Get registration PoW challenge
- POST /register - Register and receive PKCS#12 bundle
- Add anti-flood, rate limiting, scheduled cleanup to feature lists
- Update version to 1.4.0, test count to 205
- Document /pastes endpoint with query parameters
- Add anti-flood fields to /challenge response
- Update CLI docs with new commands (list, search, export)
- Add decision log entries for recent features
When paste creation rate exceeds threshold, PoW difficulty
increases to slow down attackers. Decays back to base when
abuse stops.
Config:
- ANTIFLOOD_THRESHOLD: requests/window before increase (30)
- ANTIFLOOD_STEP: difficulty bits per step (2)
- ANTIFLOOD_MAX: maximum difficulty cap (28)
- ANTIFLOOD_DECAY: seconds before reducing (30)
Update README.md, api.md, and error hints to reflect:
- encryption is now default (no -e flag needed)
- use -E/--no-encrypt to disable
- file path shortcut (fpaste file.txt)
Change encryption from opt-in (-e) to opt-out (-E/--no-encrypt).
Add argument preprocessing to auto-insert "create" command when
file path is detected, allowing `fpaste file.txt` shortcut.
- add concurrency control to cancel stale runs
- job dependencies (test waits for lint)
- move syntax check to lint job
- quieter apt-get and pip output
- remove continue-on-error on pip-audit
- ruff for linting and formatting
- bandit for security scanning
- mypy for type checking
- pip-audit for dependency vulnerabilities
- Makefile with lint/format/security/test targets
-e/--encrypt flag encrypts content with AES-256-GCM before upload.
Key is appended to URL fragment (#...), never sent to server.
Auto-detects key fragment on retrieval and decrypts locally.
