28 Commits

Author	SHA1	Message	Date
Username	e8a99d5bdd	add tiered auto-expiry based on auth level	2025-12-21 21:55:30 +01:00
Username	40873434c3	pki: admin can list/delete any paste ... Add is_admin() helper to check if current user is admin. Update DELETE /<id> to allow admin to delete any paste. Update GET /pastes to support ?all=1 for admin to list all pastes. Admin view includes owner fingerprint in paste metadata.	2025-12-21 21:30:50 +01:00
Username	2acf640d91	pki: first registered user gets admin rights ... Auto-detect first certificate issuance and grant admin flag. Add is_admin column to issued_certificates table. Add is_admin_certificate() helper function. Include is_admin in /pki/issue response and X-Is-Admin header in registration.	2025-12-21 21:13:30 +01:00
Username	2ccbfcbfaa	ci: update linting and security checks ... - Fix bandit suppressions (use # nosec B608 for bandit) - Add # noqa: S608 for ruff compatibility - CI workflow: add coverage reporting (informational) - CI workflow: track mypy error baseline - CI workflow: improve documentation	2025-12-21 13:39:30 +01:00
Username	0c7bf6b587	improve index endpoint with comprehensive API info ... - Add all endpoints including PUT, register, PKI - Show authentication tiers (anonymous/client_cert/trusted) - Display current limits (size, rate) for each tier - Show PoW status and difficulty - Add CLI install/usage hints - Conditionally show PKI endpoints when enabled	2025-12-21 13:16:49 +01:00
Username	098789ff89	allow untrusted certs to manage own pastes ... Split authentication into two functions: - get_client_fingerprint(): Identity for ownership (any cert) - get_client_id(): Elevated privileges (trusted certs only) Behavior: - Anonymous: Create only, strict limits - Untrusted cert: Create + delete/update/list own pastes, strict limits - Trusted cert: All operations, relaxed limits (50MB, 5x rate) Updated tests to reflect new behavior where revoked certs can still manage their own pastes.	2025-12-21 12:59:18 +01:00
Username	880bf631e3	fpaste: add register command for public certificate enrollment ... - Add register command to obtain client cert from server - Solve PoW challenge, receive PKCS#12 bundle - Extract cert/key, optionally update config (--configure) - Fix registration to work without PKI_ENABLED (only needs PKI_CA_PASSWORD) - Add skip_enabled_check param to get_ca_info() for registration path - Update docs: README examples, API header name fix (X-Fingerprint-SHA1)	2025-12-21 10:59:09 +01:00
Username	5849c7406f	add /register endpoint for public certificate registration ... Public endpoint allows anyone to obtain a client certificate for authentication. Features: - Higher PoW difficulty than paste creation (24 vs 20 bits) - Auto-generates CA on first registration if not present - Returns PKCS#12 bundle with cert, key, and CA - Configurable via FLASKPASTE_REGISTER_POW Endpoints: - GET /register/challenge - Get registration PoW challenge - POST /register - Register and receive PKCS#12 bundle	2025-12-21 10:34:02 +01:00
Username	45712ea93f	add anti-flood: dynamic PoW difficulty under load ... When paste creation rate exceeds threshold, PoW difficulty increases to slow down attackers. Decays back to base when abuse stops. Config: - ANTIFLOOD_THRESHOLD: requests/window before increase (30) - ANTIFLOOD_STEP: difficulty bits per step (2) - ANTIFLOOD_MAX: maximum difficulty cap (28) - ANTIFLOOD_DECAY: seconds before reducing (30)	2025-12-20 20:45:58 +01:00
Username	a6812af027	remove /solver endpoint	2025-12-20 20:38:02 +01:00
Username	3fe3f6f160	add /solver endpoint for PoW solver script download	2025-12-20 20:32:39 +01:00
Username	bfc238b5cf	add CLI enhancements and scheduled cleanup ... CLI commands: - list: show user's pastes with pagination - search: filter by type (glob), after/before timestamps - update: modify content, password, or extend expiry - export: save pastes to directory with optional decryption API changes: - PUT /<id>: update paste content and metadata - GET /pastes: add type, after, before query params Scheduled tasks: - Thread-safe cleanup with per-task intervals - Activate cleanup_expired_hashes (15min) - Activate cleanup_rate_limits (5min) Tests: 205 passing	2025-12-20 20:13:00 +01:00
Username	a2c5a013ef	docs: update for encrypt-by-default CLI ... Update README.md, api.md, and error hints to reflect: - encryption is now default (no -e flag needed) - use -E/--no-encrypt to disable - file path shortcut (fpaste file.txt)	2025-12-20 18:12:00 +01:00
Username	28ee2bae31	add minimum size and binary content enforcement	2025-12-20 17:46:49 +01:00
Username	4e38517faf	pki: add minimal certificate authority ... - CA generation with encrypted private key storage (AES-256-GCM) - Client certificate issuance with configurable validity - Certificate revocation with status tracking - SHA1 fingerprint integration with existing mTLS auth - API endpoints: /pki/status, /pki/ca, /pki/issue, /pki/revoke - CLI commands: fpaste pki status/issue/revoke - Comprehensive test coverage	2025-12-20 17:20:15 +01:00
Username	7deba711d4	entropy: exempt small content from check ... Small data has unreliable entropy measurement due to sample size. MIN_ENTROPY_SIZE (default 256 bytes) sets the threshold.	2025-12-20 08:48:13 +01:00
Username	8addf2d9e8	add entropy enforcement for optional encryption requirement ... Shannon entropy check rejects low-entropy content when MIN_ENTROPY > 0. Encrypted data ~7.5-8.0 bits/byte, plaintext ~4.0-5.0 bits/byte. Configurable via FLASKPASTE_MIN_ENTROPY environment variable.	2025-12-20 06:57:50 +01:00
Username	964698428c	routes: use detected base URL in usage examples	2025-12-20 05:27:10 +01:00
Username	677d3e5ba1	client: also update help text with detected URL	2025-12-20 05:23:00 +01:00
Username	d6fb2e92af	client: auto-detect server URL from request headers	2025-12-20 05:21:55 +01:00
Username	2272b1ff12	add /client endpoint to download fpaste CLI	2025-12-20 05:19:20 +01:00
Username	274648e1f7	fix: return relative URLs in responses, prefix only for docs	2025-12-20 04:48:55 +01:00
Username	5770698847	add URL_PREFIX config for reverse proxy path support	2025-12-20 04:43:36 +01:00
Username	c76a158c18	bump version to 1.1.0, centralize VERSION constant	2025-12-20 04:21:06 +01:00
Username	8fdeeaed9c	add proof-of-work spam prevention ... Clients must solve a SHA256 hash puzzle before paste creation. Configurable via FLASKPASTE_POW_DIFFICULTY (0 = disabled, 16 = default). Challenge tokens expire after FLASKPASTE_POW_TTL seconds (default 300).	2025-12-20 04:03:59 +01:00
Username	4532b9b1d5	add HEAD method for paste endpoints	2025-12-20 03:47:20 +01:00
Username	202e927918	add content-hash dedup for abuse prevention ... Throttle repeated submissions of identical content using SHA256 hash tracking. Configurable via FLASKPASTE_DEDUP_WINDOW and FLASKPASTE_DEDUP_MAX.	2025-12-20 03:31:20 +01:00
Username	8f9868f0d9	flaskpaste: initial commit with security hardening ... Features: - REST API for text/binary pastes with MIME detection - Client certificate auth via X-SSL-Client-SHA1 header - SQLite with WAL mode for concurrent access - Automatic paste expiry with LRU cleanup Security: - HSTS, CSP, X-Frame-Options, X-Content-Type-Options - Cache-Control: no-store for sensitive responses - X-Request-ID tracing for log correlation - X-Proxy-Secret validation for defense-in-depth - Parameterized queries, input validation - Size limits (3 MiB anon, 50 MiB auth) Includes /health endpoint, container support, and 70 tests.	2025-12-16 04:42:18 +01:00