Username
e2e2039903
docs: update for tiered expiry, admin features, batch delete
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Successful in 21s
CI / Tests (push) Successful in 1m5s
2025-12-21 22:16:51 +01:00
Username
916a09f595
fpaste: add batch delete and --all with confirmation
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Successful in 22s
CI / Tests (push) Successful in 1m4s
2025-12-21 22:06:53 +01:00
Username
e8a99d5bdd
add tiered auto-expiry based on auth level
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Successful in 22s
CI / Tests (push) Successful in 1m5s
2025-12-21 21:55:30 +01:00
Username
3fe631f6b9
fpaste: add --all flag and expiry countdown to list
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Successful in 35s
CI / Tests (push) Successful in 1m11s
2025-12-21 21:43:48 +01:00
Username
40873434c3
pki: admin can list/delete any paste
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Successful in 21s
CI / Tests (push) Successful in 1m5s
Add is_admin() helper to check if current user is admin.
Update DELETE /<id> to allow admin to delete any paste.
Update GET /pastes to support ?all=1 for admin to list all pastes.
Admin view includes owner fingerprint in paste metadata.
2025-12-21 21:30:50 +01:00
Username
2acf640d91
pki: first registered user gets admin rights
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Successful in 21s
CI / Tests (push) Successful in 1m2s
Auto-detect first certificate issuance and grant admin flag.
Add is_admin column to issued_certificates table.
Add is_admin_certificate() helper function.
Include is_admin in /pki/issue response and X-Is-Admin header in registration.
2025-12-21 21:13:30 +01:00
Username
99e6a019f4
tests: fix flaky cleanup test timing for CI
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Successful in 21s
CI / Tests (push) Successful in 1m2s
2025-12-21 13:45:05 +01:00
Username
2ccbfcbfaa
ci: update linting and security checks
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Successful in 21s
CI / Tests (push) Failing after 37s
- Fix bandit suppressions (use # nosec B608 for bandit)
- Add # noqa: S608 for ruff compatibility
- CI workflow: add coverage reporting (informational)
- CI workflow: track mypy error baseline
- CI workflow: improve documentation
2025-12-21 13:39:30 +01:00
Username
0c7bf6b587
improve index endpoint with comprehensive API info
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 20s
- Add all endpoints including PUT, register, PKI
- Show authentication tiers (anonymous/client_cert/trusted)
- Display current limits (size, rate) for each tier
- Show PoW status and difficulty
- Add CLI install/usage hints
- Conditionally show PKI endpoints when enabled
2025-12-21 13:16:49 +01:00
Username
098789ff89
allow untrusted certs to manage own pastes
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 20s
Split authentication into two functions:
- get_client_fingerprint(): Identity for ownership (any cert)
- get_client_id(): Elevated privileges (trusted certs only)
Behavior:
- Anonymous: Create only, strict limits
- Untrusted cert: Create + delete/update/list own pastes, strict limits
- Trusted cert: All operations, relaxed limits (50MB, 5x rate)
Updated tests to reflect new behavior where revoked certs
can still manage their own pastes.
2025-12-21 12:59:18 +01:00
Username
1f09f2686a
fpaste: consolidate code and add type hints
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 19s
- Add type hints throughout (NoReturn, Path | None, etc.)
- Extract helper functions to eliminate duplication:
  - read_config_file() / write_config_file()
  - parse_error() for JSON error parsing
  - format_paste_row() / print_paste_list()
  - prepare_content(), extract_paste_id()
  - auth_headers(), require_auth()
- Add constants (CONFIG_DIR, CONFIG_KEYS, MIME_EXTENSIONS)
- Replace if/elif chains with command dispatch tables
- Extract build_parser() from main()
- Use walrus operators and frozenset where appropriate
Net reduction: 170 lines (-793 +623)
2025-12-21 12:43:34 +01:00
Username
37d2ccef0f
docs: update for v1.5.0 public registration feature
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 19s
2025-12-21 12:34:35 +01:00
Username
c0c65a23ad
bump version to 1.5.0
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 19s
2025-12-21 11:09:53 +01:00
Username
880bf631e3
fpaste: add register command for public certificate enrollment
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 19s
- Add register command to obtain client cert from server
- Solve PoW challenge, receive PKCS#12 bundle
- Extract cert/key, optionally update config (--configure)
- Fix registration to work without PKI_ENABLED (only needs PKI_CA_PASSWORD)
- Add skip_enabled_check param to get_ca_info() for registration path
- Update docs: README examples, API header name fix (X-Fingerprint-SHA1)
2025-12-21 10:59:09 +01:00
Username
5849c7406f
add /register endpoint for public certificate registration
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 19s
Public endpoint allows anyone to obtain a client certificate for
authentication. Features:
- Higher PoW difficulty than paste creation (24 vs 20 bits)
- Auto-generates CA on first registration if not present
- Returns PKCS#12 bundle with cert, key, and CA
- Configurable via FLASKPASTE_REGISTER_POW
Endpoints:
- GET /register/challenge - Get registration PoW challenge
- POST /register - Register and receive PKCS#12 bundle
2025-12-21 10:34:02 +01:00
Username
68d51c5b3e
fpaste: show elevated pow difficulty on create
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Successful in 35s
2025-12-20 21:57:13 +01:00
Username
b47c26dd14
docs: update for v1.4.0 features
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Failing after 35s
- Add anti-flood, rate limiting, scheduled cleanup to feature lists
- Update version to 1.4.0, test count to 205
- Document /pastes endpoint with query parameters
- Add anti-flood fields to /challenge response
- Update CLI docs with new commands (list, search, export)
- Add decision log entries for recent features
2025-12-20 21:36:09 +01:00
Username
98bc656c87
config: increase anti-flood decay to 60s
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 20s
CI / Tests (push) Failing after 35s
2025-12-20 21:18:54 +01:00
Username
c6b3dd410a
fpaste: retry on pow failure (max 5 attempts)
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Failing after 35s
2025-12-20 21:09:14 +01:00
Username
89ac2af161
fpaste info: show pow difficulty level
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 20s
CI / Tests (push) Successful in 35s
2025-12-20 20:58:17 +01:00
Username
8d13f52549
bump to 1.4.0, lower anti-flood threshold to 5
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 20s
CI / Tests (push) Successful in 34s
2025-12-20 20:53:49 +01:00
Username
45712ea93f
add anti-flood: dynamic PoW difficulty under load
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Failing after 35s
When paste creation rate exceeds threshold, PoW difficulty
increases to slow down attackers. Decays back to base when
abuse stops.
Config:
- ANTIFLOOD_THRESHOLD: requests/window before increase (30)
- ANTIFLOOD_STEP: difficulty bits per step (2)
- ANTIFLOOD_MAX: maximum difficulty cap (28)
- ANTIFLOOD_DECAY: seconds before reducing (30)
2025-12-20 20:45:58 +01:00
Username
a6812af027
remove /solver endpoint
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Failing after 35s
2025-12-20 20:38:02 +01:00
Username
3fe3f6f160
add /solver endpoint for PoW solver script download
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Failing after 35s
2025-12-20 20:32:39 +01:00
Username
4f0b33fd7b
compose: set URL_PREFIX for HAProxy deployment
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Successful in 34s
2025-12-20 20:25:09 +01:00
Username
14be46cdaf
compose: use port 5001 (avoid libretranslate conflict)
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Successful in 35s
2025-12-20 20:22:55 +01:00
Username
dfca09102a
bump version to 1.3.0
CI / Lint & Format (push) Successful in 17s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Failing after 35s
2025-12-20 20:20:47 +01:00
Username
bfc238b5cf
add CLI enhancements and scheduled cleanup
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Failing after 19s
CI / Tests (push) Successful in 34s
CLI commands:
- list: show user's pastes with pagination
- search: filter by type (glob), after/before timestamps
- update: modify content, password, or extend expiry
- export: save pastes to directory with optional decryption
API changes:
- PUT /<id>: update paste content and metadata
- GET /pastes: add type, after, before query params
Scheduled tasks:
- Thread-safe cleanup with per-task intervals
- Activate cleanup_expired_hashes (15min)
- Activate cleanup_rate_limits (5min)
Tests: 205 passing
2025-12-20 20:13:00 +01:00
Username
cf31eab678
ci: handle pre-existing type and audit issues
CI / Lint & Format (push) Successful in 16s
CI / Security Scan (push) Successful in 20s
CI / Tests (push) Successful in 33s
2025-12-20 18:42:09 +01:00
Username
d364c954d8
style: format with ruff
CI / Lint & Format (push) Failing after 17s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
2025-12-20 18:32:47 +01:00
Username
d0b199de11
fix lint errors (line length, unused var, nested if)
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
2025-12-20 18:31:47 +01:00
Username
9e92db5217
fpaste: fix -E flag with piped stdin
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
2025-12-20 18:22:59 +01:00
Username
a2c5a013ef
docs: update for encrypt-by-default CLI
CI / Lint & Format (push) Failing after 14s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
Update README.md, api.md, and error hints to reflect:
- encryption is now default (no -e flag needed)
- use -E/--no-encrypt to disable
- file path shortcut (fpaste file.txt)
2025-12-20 18:12:00 +01:00
Username
ba29b6e319
fpaste: encrypt by default, add file path shortcut
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
Change encryption from opt-in (-e) to opt-out (-E/--no-encrypt).
Add argument preprocessing to auto-insert "create" command when
file path is detected, allowing `fpaste file.txt` shortcut.
2025-12-20 18:05:33 +01:00
Username
85110b2570
fpaste: add file path shortcut (fpaste <file>)
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
2025-12-20 17:56:34 +01:00
Username
cdf8de5a8b
document encryption enforcement options
CI / Lint & Format (push) Failing after 15s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
2025-12-20 17:46:58 +01:00
Username
b7f247d148
add tests for size and binary enforcement
2025-12-20 17:46:54 +01:00
Username
28ee2bae31
add minimum size and binary content enforcement
2025-12-20 17:46:49 +01:00
Username
01ee337936
slim down production dependencies
CI / Lint & Format (push) Failing after 16s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s
2025-12-20 17:37:41 +01:00
Username
486bac1d85
docs: update project status for v1.2.0
CI / Lint & Format (push) Failing after 17s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 27s
2025-12-20 17:24:41 +01:00
Username
260d6e894d
update project documentation
CI / Lint & Format (push) Failing after 17s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 27s
2025-12-20 17:20:40 +01:00
Username
713052de3d
ci: optimize workflow structure
- add concurrency control to cancel stale runs
- job dependencies (test waits for lint)
- move syntax check to lint job
- quieter apt-get and pip output
- remove continue-on-error on pip-audit
2025-12-20 17:20:33 +01:00
Username
9da33f786e
fix lint issues across codebase
2025-12-20 17:20:27 +01:00
Username
adbb5be5c0
add security tooling and development workflow
- ruff for linting and formatting
- bandit for security scanning
- mypy for type checking
- pip-audit for dependency vulnerabilities
- Makefile with lint/format/security/test targets
2025-12-20 17:20:21 +01:00
Username
4e38517faf
pki: add minimal certificate authority
- CA generation with encrypted private key storage (AES-256-GCM)
- Client certificate issuance with configurable validity
- Certificate revocation with status tracking
- SHA1 fingerprint integration with existing mTLS auth
- API endpoints: /pki/status, /pki/ca, /pki/issue, /pki/revoke
- CLI commands: fpaste pki status/issue/revoke
- Comprehensive test coverage
2025-12-20 17:20:15 +01:00
Username
7deba711d4
entropy: exempt small content from check
CI / test (push) Successful in 38s
Small data has unreliable entropy measurement due to sample size.
MIN_ENTROPY_SIZE (default 256 bytes) sets the threshold.
2025-12-20 08:48:13 +01:00
Username
8addf2d9e8
add entropy enforcement for optional encryption requirement
CI / test (push) Successful in 38s
Shannon entropy check rejects low-entropy content when MIN_ENTROPY > 0.
Encrypted data ~7.5-8.0 bits/byte, plaintext ~4.0-5.0 bits/byte.
Configurable via FLASKPASTE_MIN_ENTROPY environment variable.
2025-12-20 06:57:50 +01:00
Username
9ccd4225dd
fpaste: add E2E encryption support
CI / test (push) Successful in 38s
-e/--encrypt flag encrypts content with AES-256-GCM before upload.
Key is appended to URL fragment (#...), never sent to server.
Auto-detects key fragment on retrieval and decrypts locally.
2025-12-20 06:51:35 +01:00
Username
964698428c
routes: use detected base URL in usage examples
CI / test (push) Successful in 37s
2025-12-20 05:27:10 +01:00
Username
677d3e5ba1
client: also update help text with detected URL
CI / test (push) Successful in 38s
2025-12-20 05:23:00 +01:00