forked from username/flaskpaste
FlaskPaste
Purpose
FlaskPaste is a lightweight, security-hardened pastebin REST API for self-hosted deployments. It provides a minimal, dependency-light alternative to public pastebin services, designed for environments where data privacy, authentication control, and operational simplicity are priorities.
Problem Statement
Public pastebin services present risks:
- Data sovereignty concerns (content stored on third-party infrastructure)
- Limited authentication options
- No control over retention policies
- Abuse/spam from other users affecting service reliability
- Feature bloat and complex UIs when only an API is needed
Solution
A self-hosted pastebin API that:
- Stores pastes locally in SQLite
- Supports client certificate authentication, with TLS terminated at the reverse proxy and the verified identity forwarded to the app in a request header
- Provides optional built-in PKI for certificate management
- Automatically expires content based on access patterns
- Prevents abuse through content-hash deduplication and proof-of-work
- Serves text and binary content with proper MIME detection
- Runs behind any reverse proxy (nginx, HAProxy, Caddy)
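The proxy-header form of client certificate authentication has one trust-boundary rule that is easy to get wrong: the header is only evidence of authentication when the request actually arrived from the proxy that verified the certificate, because any client that can reach the application socket directly can send the same header itself. The following is an added example written for this page, not FlaskPaste's own code, showing how an application behind such a proxy applies that rule before granting the larger authenticated size limit. The header names X-Client-Cert-Verify and X-Client-Cert-DN, the trusted-proxy list and the two size limits are assumptions chosen for the example; real deployments use whatever names the operator's proxy_set_header (nginx) or set-header (HAProxy) lines emit.

```python
import ipaddress
from typing import Mapping, Optional

# Assumed header names for this example (set by the proxy from its TLS layer,
# e.g. nginx $ssl_client_verify -> "SUCCESS" and $ssl_client_s_dn).  The proxy
# must also overwrite these headers on every request so clients cannot inject them.
VERIFY_HEADER = "X-Client-Cert-Verify"
DN_HEADER = "X-Client-Cert-DN"


def client_identity(headers: Mapping[str, str], remote_addr: str,
                    trusted_proxies: list[str]) -> Optional[str]:
    """Return the verified client-certificate subject DN, or None for anonymous.

    Order matters: the TCP peer address is checked first, so a header arriving
    from anywhere other than a trusted proxy is ignored rather than believed.
    trusted_proxies holds IPs or CIDRs as strings.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_proxies):
        return None                      # direct connection: header is untrusted
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(VERIFY_HEADER.lower(), "").strip() != "SUCCESS":
        return None                      # handshake had no cert, or it failed verification
    dn = lowered.get(DN_HEADER.lower(), "").strip()
    return dn or None


def size_limit(identity: Optional[str], anon_max: int, auth_max: int) -> int:
    """The anon-vs-authenticated limit follows directly from the identity decision."""
    return auth_max if identity else anon_max


if __name__ == "__main__":
    # Constructed sample: headers as a proxy would emit them after a successful handshake.
    hdrs = {"X-Client-Cert-Verify": "SUCCESS", "X-Client-Cert-DN": "CN=alice,O=example"}
    print(client_identity(hdrs, "10.0.0.5", ["10.0.0.0/8"]))      # CN=alice,O=example
    print(client_identity(hdrs, "203.0.113.9", ["10.0.0.0/8"]))   # None: peer is not the proxy
```

The same peer-address check should gate X-Forwarded-For before it is used as the source address for rate limiting or proof-of-work accounting; otherwise a direct client can pick its own "IP".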
Success Criteria
┌─────────────┬──────────────────────────────────────┐
│ Criterion   │ Metric                               │
├─────────────┼──────────────────────────────────────┤
│ Security    │ Zero injection vulnerabilities       │
│             │ All OWASP headers implemented        │
│             │ Input validation on all endpoints    │
│             │ Security scanning in CI (bandit)     │
├─────────────┼──────────────────────────────────────┤
│ Reliability │ SQLite ACID guarantees               │
│             │ Graceful degradation on errors       │
│             │ Health check endpoint for monitoring │
├─────────────┼──────────────────────────────────────┤
│ Simplicity  │ Single dependency (Flask)            │
│             │ SQLite for storage (no external DB)  │
│             │ Environment-based configuration      │
├─────────────┼──────────────────────────────────────┤
│ Operability │ Container-ready (Podman/Docker)      │
│             │ Gunicorn-compatible WSGI             │
│             │ Request tracing via X-Request-ID     │
│             │ Prometheus metrics endpoint          │
└─────────────┴──────────────────────────────────────┘
Scope
In Scope
- REST API for paste CRUD operations
- Text and binary content support
- Magic-byte MIME type detection
- Client certificate authentication (via proxy header)
- Built-in PKI (CA generation, certificate issuance, revocation)
- Configurable size limits (anon vs authenticated)
- Time-based expiry with access-touch semantics (each read extends the expiry)
- Content-hash deduplication for abuse prevention
- Proof-of-work spam prevention
- Entropy enforcement for encrypted content
- Client-side E2E encryption (CLI)
- Burn-after-read pastes
- Custom expiry per paste
- URL shortener with open redirect prevention
- URL prefix for reverse proxy deployments
- Security headers (HSTS, CSP, X-Frame-Options, etc.)
- Request tracing and structured logging
- Container deployment support
- SQLite storage
- CI/CD with security scanning
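Content-hash deduplication and entropy enforcement from the list above are both decisions made on the raw upload bytes, so they fit naturally into a single admission step. The following is an added example written for this page, not FlaskPaste's own code: the SHA-256 storage key, the 7.5 bits-per-byte threshold, the 64-byte minimum for the entropy check and the in-memory dictionary standing in for SQLite are all assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

# Assumed thresholds for this example.  Ciphertext and compressed data sit close
# to 8 bits/byte; English text is around 4-5.  Very short inputs have no
# meaningful histogram, so they are rejected outright when claimed encrypted.
MIN_ENCRYPTED_ENTROPY = 7.5
MIN_ENCRYPTED_LEN = 64


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte from the byte-value histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def content_key(data: bytes) -> str:
    """Storage key: SHA-256 of the raw bytes.  Re-uploading identical content
    resolves to the existing row instead of filling the DB with copies."""
    return hashlib.sha256(data).hexdigest()


def admit(data: bytes, claims_encrypted: bool, store: dict[str, bytes]) -> tuple[str, str]:
    """Decide what to do with an upload.  Returns (status, key) where status is
    'stored', 'duplicate' or 'rejected'; key is empty on rejection."""
    if claims_encrypted:
        # A paste flagged as E2E-encrypted that looks like plaintext is either a
        # client bug or someone abusing the encrypted (less inspected) path.
        if len(data) < MIN_ENCRYPTED_LEN:
            return ("rejected", "")
        if shannon_entropy(data) < MIN_ENCRYPTED_ENTROPY:
            return ("rejected", "")
    key = content_key(data)
    if key in store:
        return ("duplicate", key)       # caller can return the existing paste URL
    store[key] = data
    return ("stored", key)


if __name__ == "__main__":
    # Constructed samples: a stand-in for ciphertext (every byte value equally
    # often, entropy exactly 8.0) and ordinary English text.
    ciphertext = bytes(range(256)) * 4
    plaintext = b"The quick brown fox jumps over the lazy dog\n" * 10
    db: dict[str, bytes] = {}
    print(admit(ciphertext, True, db)[0])    # stored
    print(admit(ciphertext, True, db)[0])    # duplicate
    print(admit(plaintext, True, db)[0])     # rejected
    print(admit(plaintext, False, db)[0])    # stored
```

Two caveats a deployer should keep in mind. The entropy gate cannot prove that data is encrypted, only that it is not obviously plaintext: gzip output passes it just as well as AES output. And if the content hash is ever exposed as the public paste identifier, anyone who can guess a paste's exact contents can confirm it exists by computing the hash; keep the dedup key internal and hand out an unrelated random ID.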
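For the URL shortener item above, "open redirect prevention" cannot mean refusing to redirect off-site, since sending users elsewhere is the whole purpose; it means the stored destination must be unambiguous and must not let a short link reach a browser scheme, inject headers, or bounce through the shortener's own origin. The following is an added example written for this page, not FlaskPaste's own code. The 8-character base62 codes match the status table; the http/https-only rule, the set of "own" hostnames and the in-memory store are assumptions for the example.

```python
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits   # base62: 62**8 ~ 2.2e14 codes
CODE_LEN = 8
ALLOWED_SCHEMES = {"http", "https"}


def validate_target(url: str, own_hosts: set[str]) -> str:
    """Return the normalised destination to store, or raise ValueError."""
    if any(c in url for c in "\r\n\t\x00"):
        raise ValueError("control characters in URL")        # Location header injection
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("only http/https allowed")           # blocks javascript:, data:, ftp:
    host = parts.hostname
    if not host:
        raise ValueError("absolute URL with a host required")  # blocks /path and //host forms
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")              # https://trusted.example@evil.example
    if host.lower().rstrip(".") in own_hosts:
        raise ValueError("refusing to redirect to the shortener itself")
    return parts.geturl()


class Shortener:
    def __init__(self, own_hosts: set[str]):
        self.own_hosts = {h.lower() for h in own_hosts}
        self.links: dict[str, str] = {}      # code -> validated destination

    def shorten(self, url: str) -> str:
        target = validate_target(url, self.own_hosts)
        while True:
            # Random rather than sequential codes, so links cannot be enumerated.
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if code not in self.links:
                self.links[code] = target
                return code

    def resolve(self, code: str) -> str | None:
        """Destination for a code, or None.  The redirect handler answers 302
        with this as Location; an 'info' handler returns it as text so a user
        can inspect where a link goes before following it."""
        if len(code) != CODE_LEN or any(c not in ALPHABET for c in code):
            return None
        return self.links.get(code)


if __name__ == "__main__":
    s = Shortener(own_hosts={"paste.example"})
    code = s.shorten("https://example.org/docs?x=1")
    print(code, "->", s.resolve(code))
    for bad in ("javascript:alert(1)", "//evil.example/", "/login", "https://paste.example/p/abc"):
        try:
            s.shorten(bad)
        except ValueError as e:
            print("rejected", repr(bad), "-", e)
```

Validation happens once at creation time, so the redirect path never re-parses attacker input; it only emits a string that already passed the checks.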
Out of Scope
- Web UI / HTML frontend
- User registration / account management
- Syntax highlighting
- Paste forking / versioning
- Public paste listing / discovery
- Multi-node clustering / distributed storage
- Alternative storage backends (S3, PostgreSQL)
Constraints
- Single process - SQLite limits concurrency; scale via multiple containers
- Reverse proxy required - Client cert auth requires TLS termination
- No web UI - API-only; CLI tools (curl, httpie) are the interface
- Ephemeral by design - Pastes expire; not for permanent storage
Assumptions
- Deployment behind a TLS-terminating reverse proxy
- Client certificates managed externally or via built-in PKI
- Operators have container runtime (Podman/Docker) or Python venv
- SQLite performance sufficient for expected load
Technical Stack
┌─────────────┬───────────────────────┐
│ Component   │ Technology            │
├─────────────┼───────────────────────┤
│ Framework   │ Flask 3.x             │
│ Database    │ SQLite 3 (built-in)   │
│ WSGI Server │ Gunicorn (production) │
│ Container   │ Podman / Docker       │
│ Testing     │ pytest                │
│ Linting     │ ruff, mypy            │
│ Security    │ bandit, pip-audit     │
│ CI/CD       │ Gitea Actions         │
│ Python      │ 3.11+                 │
└─────────────┴───────────────────────┘
Current Status
Version: 1.6.0
┌─────────────────────────────────┬──────────────────────────────────────────┐
│ Feature                         │ Status                                   │
├─────────────────────────────────┼──────────────────────────────────────────┤
│ Core API (CRUD)                 │ Complete                                 │
│ Binary content support          │ Complete                                 │
│ MIME detection                  │ Complete                                 │
│ Client cert authentication      │ Complete                                 │
│ Built-in PKI                    │ Complete                                 │
│ Size limits                     │ Complete                                 │
│ Paste expiry                    │ Complete                                 │
│ Content-hash deduplication      │ Complete                                 │
│ Proof-of-work                   │ Complete                                 │
│ Anti-flood (dynamic PoW)        │ Complete                                 │
│ IP-based rate limiting          │ Complete (with X-RateLimit-* headers)    │
│ URL prefix support              │ Complete                                 │
│ /client endpoint                │ Complete                                 │
│ E2E encryption (CLI)            │ Complete                                 │
│ Entropy enforcement             │ Complete                                 │
│ Burn-after-read                 │ Complete                                 │
│ Custom expiry                   │ Complete                                 │
│ Security headers                │ Complete                                 │
│ Request tracing                 │ Complete                                 │
│ Container deployment            │ Complete                                 │
│ Security tooling                │ Complete                                 │
│ CI/CD pipeline                  │ Complete                                 │
│ Scheduled cleanup               │ Complete                                 │
│ CLI paste listing/search        │ Complete                                 │
│ Public certificate registration │ Complete                                 │
│ CLI register command            │ Complete                                 │
│ systemd deployment              │ Complete (security-hardened)             │
│ Test suite                      │ 346 tests passing                        │
│ Kubernetes deployment           │ Complete (k3s, NodePort :30500)          │
│ Harbor registry integration     │ Complete (CI/CD + Trivy scanning)        │
│ URL shortener                   │ Complete (8-char base62, redirect, info) │
└─────────────────────────────────┴──────────────────────────────────────────┘
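The "Anti-flood (dynamic PoW)" row is the part of the proof-of-work scheme that matters operationally: a fixed difficulty either annoys legitimate users or is too cheap to stop a flood, so the cost has to rise with the submission rate of the source. The following is an added example written for this page, not FlaskPaste's own code, of a hashcash-style challenge whose difficulty grows with recent submissions from the same source, with single-use, source-bound, expiring challenges so a solved puzzle cannot be replayed. The hash construction, the 12-bit base difficulty, the one-extra-bit-per-five-submissions step, the 60 s window and the 120 s challenge lifetime are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from collections import deque

# Assumed parameters for this example.  12 bits is ~4 000 SHA-256 calls for a
# well-behaved client; 22 bits (~4 million) is the cap so a misbehaving source is
# slowed hard without the server ever having to block it outright.
BASE_BITS = 12
MAX_BITS = 22
FLOOD_WINDOW = 60.0     # seconds of history that count against a source
FLOOD_STEP = 5          # each 5 accepted pastes inside the window add one bit
CHALLENGE_TTL = 120.0   # seconds a challenge stays solvable


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(nonce: str, bits: int) -> int:
    """Client side: find a counter such that sha256(nonce:counter) has `bits` leading zeros."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{nonce}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter


class PowGate:
    """Server side.  `source` is the client address as reported by the trusted proxy."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.recent: dict[str, deque[float]] = {}
        self.issued: dict[str, tuple[str, int, float]] = {}   # nonce -> (source, bits, expires)

    def difficulty(self, source: str) -> int:
        q = self.recent.setdefault(source, deque())
        cutoff = self.now() - FLOOD_WINDOW
        while q and q[0] < cutoff:          # drop history outside the window
            q.popleft()
        return min(MAX_BITS, BASE_BITS + len(q) // FLOOD_STEP)

    def challenge(self, source: str) -> tuple[str, int]:
        nonce = secrets.token_hex(16)
        bits = self.difficulty(source)
        self.issued[nonce] = (source, bits, self.now() + CHALLENGE_TTL)
        return nonce, bits

    def verify(self, source: str, nonce: str, counter: int) -> bool:
        rec = self.issued.pop(nonce, None)  # single use: consumed whether or not it verifies
        if rec is None:
            return False
        issued_to, bits, expires = rec
        if issued_to != source or self.now() > expires:
            return False
        digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
        if leading_zero_bits(digest) < bits:
            return False
        self.recent.setdefault(source, deque()).append(self.now())  # only accepted work counts
        return True


if __name__ == "__main__":
    gate = PowGate()
    src = "203.0.113.7"                     # constructed sample source address
    nonce, bits = gate.challenge(src)
    print("difficulty", bits, "accepted", gate.verify(src, nonce, solve(nonce, bits)))
    print("replay accepted", gate.verify(src, nonce, solve(nonce, bits)))
```

Note that the difficulty is a function of accepted submissions, not of challenges issued, so merely requesting challenges cannot be used to raise another user's cost; and because the gate imposes CPU cost rather than refusing requests, it complements the IP-based rate limit instead of replacing it. The `issued` table should be pruned of expired entries periodically (the scheduled cleanup job is the natural place), or bounded, so that challenge requests cannot grow memory without limit.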