84 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Username	4577a1d7e4	docs: update for systemd and rate limit headers	2025-12-24 20:05:30 +01:00
Username	cf458347ef	add systemd service unit and rate limit headers ... Systemd deployment: - examples/flaskpaste.service with security hardening - examples/flaskpaste.env with all config options - README deployment section updated Rate limit headers (X-RateLimit-*): - Limit, Remaining, Reset on 201 and 429 responses - Per-IP tracking with auth multiplier - api.md documented	2025-12-24 17:51:14 +01:00
Username	cb6eebee59	docs: update for v1.5.0 features ... - Add PKI audit logging, request duration metrics to features list - Update test count from 216 to 283 - Add audit.py and metrics.py to project structure - Document audit logging in api.md - Update TASKLIST.md with completed tasks - Update TODO.md (remove resolved debt items) - Update ROADMAP.md decision log	2025-12-24 17:10:42 +01:00
Username	045f73c998	feat: integrate unused observability features ... - Add request duration metrics via before/after request hooks - Add PKI audit logging: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE - Wire up observe_request_duration() from metrics.py - Log certificate operations (registration, CA gen, issue, revoke) - Log auth failures for revoked/expired certificates	2025-12-24 16:41:31 +01:00
Username	fef5eac1b5	ci: add memory leak detection workflow	2025-12-24 00:19:33 +01:00
Username	51af8fd2f8	fix: suppress S608 for both ruff and bandit	2025-12-23 22:57:38 +01:00
Username	2a287c65f4	fix: use nosec for bandit SQL injection suppression	2025-12-23 22:53:52 +01:00
Username	482bd9a152	style: format metrics.py	2025-12-23 22:51:11 +01:00
Username	7063f8718e	feat: add observability and CLI enhancements ... Audit logging: - audit_log table with event tracking - app/audit.py module with log_event(), query_audit_log() - GET /audit endpoint (admin only) - configurable retention and cleanup Prometheus metrics: - app/metrics.py with custom counters - paste create/access/delete, rate limit, PoW, dedup metrics - instrumentation in API routes CLI clipboard integration: - fpaste create -C/--clipboard (read from clipboard) - fpaste create --copy-url (copy result URL) - fpaste get -c/--copy (copy content) - cross-platform: xclip, xsel, pbcopy, wl-copy Shell completions: - completions/ directory with bash/zsh/fish scripts - fpaste completion --shell command	2025-12-23 22:39:50 +01:00
Username	4d08a4467d	fix: conditional requests import in container tests	2025-12-22 20:06:51 +01:00
Username	ceb81fdd7c	style: format test files	2025-12-22 20:04:46 +01:00
Username	a469fc3343	test: add paste management tests (list, search, update, delete)	2025-12-22 19:42:55 +01:00
Username	bf74988ddb	test: add container integration tests ... Tests verify: - Container image builds successfully - Health endpoint responds - Paste creation/retrieval works - Security headers present - Non-root execution - Gunicorn workers running Skipped by default, run with: FLASKPASTE_INTEGRATION=1 pytest tests/test_container_integration.py	2025-12-22 19:22:41 +01:00
Username	e130e9c84d	test: add concurrent submission tests for abuse prevention	2025-12-22 19:16:24 +01:00
Username	ca9342e92d	fix: add comprehensive type annotations for mypy ... - database.py: add type hints for Path, Flask, Any, BaseException - pki.py: add assertions to narrow Optional types after has_ca() checks - routes.py: annotate config values to avoid Any return types - api/__init__.py: use float for cleanup timestamps (time.time()) - __init__.py: remove unused return from setup_rate_limiting	2025-12-22 19:11:11 +01:00
Username	680b068c00	refactor: code consistency and best practices ... - add type hints to error handlers in app/__init__.py - add docstrings to nested callback functions - remove deprecated X-XSS-Protection header (superseded by CSP) - fix typo in cleanup log message (entr(ies) -> entries) - standardize loop variable naming in fpaste CLI - update test for intentional header removal	2025-12-22 00:25:18 +01:00
Username	028367d803	docs: modernize and clean deprecated content ... - replace deprecated FLASK_ENV with FLASK_DEBUG - remove duplicate FLASKPASTE_MAX_EXPIRY entry - update API version to 1.5.0 - add missing /pastes and /pki endpoints to table - remove deprecated X-XSS-Protection header - add PKI config variables - update features list with current capabilities - update auth benefits and security sections	2025-12-21 22:36:48 +01:00
Username	e2e2039903	docs: update for tiered expiry, admin features, batch delete	2025-12-21 22:16:51 +01:00
Username	916a09f595	fpaste: add batch delete and --all with confirmation	2025-12-21 22:06:53 +01:00
Username	e8a99d5bdd	add tiered auto-expiry based on auth level	2025-12-21 21:55:30 +01:00
Username	3fe631f6b9	fpaste: add --all flag and expiry countdown to list	2025-12-21 21:43:48 +01:00
Username	40873434c3	pki: admin can list/delete any paste ... Add is_admin() helper to check if current user is admin. Update DELETE /<id> to allow admin to delete any paste. Update GET /pastes to support ?all=1 for admin to list all pastes. Admin view includes owner fingerprint in paste metadata.	2025-12-21 21:30:50 +01:00
Username	2acf640d91	pki: first registered user gets admin rights ... Auto-detect first certificate issuance and grant admin flag. Add is_admin column to issued_certificates table. Add is_admin_certificate() helper function. Include is_admin in /pki/issue response and X-Is-Admin header in registration.	2025-12-21 21:13:30 +01:00
Username	99e6a019f4	tests: fix flaky cleanup test timing for CI	2025-12-21 13:45:05 +01:00
Username	2ccbfcbfaa	ci: update linting and security checks ... - Fix bandit suppressions (use # nosec B608 for bandit) - Add # noqa: S608 for ruff compatibility - CI workflow: add coverage reporting (informational) - CI workflow: track mypy error baseline - CI workflow: improve documentation	2025-12-21 13:39:30 +01:00
Username	0c7bf6b587	improve index endpoint with comprehensive API info ... - Add all endpoints including PUT, register, PKI - Show authentication tiers (anonymous/client_cert/trusted) - Display current limits (size, rate) for each tier - Show PoW status and difficulty - Add CLI install/usage hints - Conditionally show PKI endpoints when enabled	2025-12-21 13:16:49 +01:00
Username	098789ff89	allow untrusted certs to manage own pastes ... Split authentication into two functions: - get_client_fingerprint(): Identity for ownership (any cert) - get_client_id(): Elevated privileges (trusted certs only) Behavior: - Anonymous: Create only, strict limits - Untrusted cert: Create + delete/update/list own pastes, strict limits - Trusted cert: All operations, relaxed limits (50MB, 5x rate) Updated tests to reflect new behavior where revoked certs can still manage their own pastes.	2025-12-21 12:59:18 +01:00
Username	1f09f2686a	fpaste: consolidate code and add type hints ... - Add type hints throughout (NoReturn, Path | None, etc.) - Extract helper functions to eliminate duplication: - read_config_file() / write_config_file() - parse_error() for JSON error parsing - format_paste_row() / print_paste_list() - prepare_content(), extract_paste_id() - auth_headers(), require_auth() - Add constants (CONFIG_DIR, CONFIG_KEYS, MIME_EXTENSIONS) - Replace if/elif chains with command dispatch tables - Extract build_parser() from main() - Use walrus operators and frozenset where appropriate Net reduction: 170 lines (-793 +623)	2025-12-21 12:43:34 +01:00
Username	37d2ccef0f	docs: update for v1.5.0 public registration feature	2025-12-21 12:34:35 +01:00
Username	c0c65a23ad	bump version to 1.5.0	2025-12-21 11:09:53 +01:00
Username	880bf631e3	fpaste: add register command for public certificate enrollment ... - Add register command to obtain client cert from server - Solve PoW challenge, receive PKCS#12 bundle - Extract cert/key, optionally update config (--configure) - Fix registration to work without PKI_ENABLED (only needs PKI_CA_PASSWORD) - Add skip_enabled_check param to get_ca_info() for registration path - Update docs: README examples, API header name fix (X-Fingerprint-SHA1)	2025-12-21 10:59:09 +01:00
Username	5849c7406f	add /register endpoint for public certificate registration ... Public endpoint allows anyone to obtain a client certificate for authentication. Features: - Higher PoW difficulty than paste creation (24 vs 20 bits) - Auto-generates CA on first registration if not present - Returns PKCS#12 bundle with cert, key, and CA - Configurable via FLASKPASTE_REGISTER_POW Endpoints: - GET /register/challenge - Get registration PoW challenge - POST /register - Register and receive PKCS#12 bundle	2025-12-21 10:34:02 +01:00
Username	68d51c5b3e	fpaste: show elevated pow difficulty on create	2025-12-20 21:57:13 +01:00
Username	b47c26dd14	docs: update for v1.4.0 features ... - Add anti-flood, rate limiting, scheduled cleanup to feature lists - Update version to 1.4.0, test count to 205 - Document /pastes endpoint with query parameters - Add anti-flood fields to /challenge response - Update CLI docs with new commands (list, search, export) - Add decision log entries for recent features	2025-12-20 21:36:09 +01:00
Username	98bc656c87	config: increase anti-flood decay to 60s	2025-12-20 21:18:54 +01:00
Username	c6b3dd410a	fpaste: retry on pow failure (max 5 attempts)	2025-12-20 21:09:14 +01:00
Username	89ac2af161	fpaste info: show pow difficulty level	2025-12-20 20:58:17 +01:00
Username	8d13f52549	bump to 1.4.0, lower anti-flood threshold to 5	2025-12-20 20:53:49 +01:00
Username	45712ea93f	add anti-flood: dynamic PoW difficulty under load ... When paste creation rate exceeds threshold, PoW difficulty increases to slow down attackers. Decays back to base when abuse stops. Config: - ANTIFLOOD_THRESHOLD: requests/window before increase (30) - ANTIFLOOD_STEP: difficulty bits per step (2) - ANTIFLOOD_MAX: maximum difficulty cap (28) - ANTIFLOOD_DECAY: seconds before reducing (30)	2025-12-20 20:45:58 +01:00
Username	a6812af027	remove /solver endpoint	2025-12-20 20:38:02 +01:00
Username	3fe3f6f160	add /solver endpoint for PoW solver script download	2025-12-20 20:32:39 +01:00
Username	4f0b33fd7b	compose: set URL_PREFIX for HAProxy deployment	2025-12-20 20:25:09 +01:00
Username	14be46cdaf	compose: use port 5001 (avoid libretranslate conflict)	2025-12-20 20:22:55 +01:00
Username	dfca09102a	bump version to 1.3.0	2025-12-20 20:20:47 +01:00
Username	bfc238b5cf	add CLI enhancements and scheduled cleanup ... CLI commands: - list: show user's pastes with pagination - search: filter by type (glob), after/before timestamps - update: modify content, password, or extend expiry - export: save pastes to directory with optional decryption API changes: - PUT /<id>: update paste content and metadata - GET /pastes: add type, after, before query params Scheduled tasks: - Thread-safe cleanup with per-task intervals - Activate cleanup_expired_hashes (15min) - Activate cleanup_rate_limits (5min) Tests: 205 passing	2025-12-20 20:13:00 +01:00
Username	cf31eab678	ci: handle pre-existing type and audit issues	2025-12-20 18:42:09 +01:00
Username	d364c954d8	style: format with ruff	2025-12-20 18:32:47 +01:00
Username	d0b199de11	fix lint errors (line length, unused var, nested if)	2025-12-20 18:31:47 +01:00
Username	9e92db5217	fpaste: fix -E flag with piped stdin	2025-12-20 18:22:59 +01:00
Username	a2c5a013ef	docs: update for encrypt-by-default CLI ... Update README.md, api.md, and error hints to reflect: - encryption is now default (no -e flag needed) - use -E/--no-encrypt to disable - file path shortcut (fpaste file.txt)	2025-12-20 18:12:00 +01:00