8fdeeaed9c
All checks were successful
CI / test (push) Successful in 37s
Clients must solve a SHA256 hash puzzle before paste creation. Configurable via FLASKPASTE_POW_DIFFICULTY (0 = disabled, 16 = default). Challenge tokens expire after FLASKPASTE_POW_TTL seconds (default 300).
77 lines
2.6 KiB
Python
77 lines
2.6 KiB
Python
"""Application configuration."""
|
|
|
|
import os
|
|
from pathlib import Path
|
|
|
|
|
|
class Config:
|
|
"""Base configuration."""
|
|
|
|
BASE_DIR = Path(__file__).parent.parent
|
|
DATABASE = os.environ.get("FLASKPASTE_DB", BASE_DIR / "data" / "pastes.db")
|
|
PASTE_ID_LENGTH = int(os.environ.get("FLASKPASTE_ID_LENGTH", "12"))
|
|
|
|
# Paste size limits
|
|
MAX_PASTE_SIZE_ANON = int(os.environ.get("FLASKPASTE_MAX_ANON", 3 * 1024 * 1024)) # 3MiB
|
|
MAX_PASTE_SIZE_AUTH = int(os.environ.get("FLASKPASTE_MAX_AUTH", 50 * 1024 * 1024)) # 50MiB
|
|
MAX_CONTENT_LENGTH = MAX_PASTE_SIZE_AUTH # Flask request limit
|
|
|
|
# Paste expiry (default 5 days)
|
|
PASTE_EXPIRY_SECONDS = int(os.environ.get("FLASKPASTE_EXPIRY", 5 * 24 * 60 * 60))
|
|
|
|
# Content deduplication / abuse prevention
|
|
# Throttle repeated submissions of identical content
|
|
CONTENT_DEDUP_WINDOW = int(os.environ.get("FLASKPASTE_DEDUP_WINDOW", 3600)) # 1 hour
|
|
CONTENT_DEDUP_MAX = int(os.environ.get("FLASKPASTE_DEDUP_MAX", 3)) # max 3 per window
|
|
|
|
# Reverse proxy trust configuration
|
|
# SECURITY: The X-SSL-Client-SHA1 header is trusted for authentication.
|
|
# This header MUST only come from a trusted reverse proxy that validates
|
|
# client certificates. Direct access to this app MUST be blocked.
|
|
#
|
|
# Set FLASKPASTE_PROXY_SECRET to require the proxy to send a matching
|
|
# X-Proxy-Secret header, providing defense-in-depth against header spoofing.
|
|
TRUSTED_PROXY_SECRET = os.environ.get("FLASKPASTE_PROXY_SECRET", "")
|
|
|
|
# Proof-of-work spam prevention
|
|
# Clients must solve a computational puzzle before paste creation.
|
|
# Difficulty is number of leading zero bits required in hash (0 = disabled).
|
|
POW_DIFFICULTY = int(os.environ.get("FLASKPASTE_POW_DIFFICULTY", "16"))
|
|
POW_CHALLENGE_TTL = int(os.environ.get("FLASKPASTE_POW_TTL", "300")) # 5 minutes
|
|
# Secret key for signing challenges (auto-generated if not set)
|
|
POW_SECRET = os.environ.get("FLASKPASTE_POW_SECRET", "")
|
|
|
|
|
|
class DevelopmentConfig(Config):
|
|
"""Development configuration."""
|
|
|
|
DEBUG = True
|
|
|
|
|
|
class ProductionConfig(Config):
|
|
"""Production configuration."""
|
|
|
|
DEBUG = False
|
|
|
|
|
|
class TestingConfig(Config):
|
|
"""Testing configuration."""
|
|
|
|
TESTING = True
|
|
DATABASE = ":memory:"
|
|
|
|
# Relaxed dedup for testing (100 per second window)
|
|
CONTENT_DEDUP_WINDOW = 1
|
|
CONTENT_DEDUP_MAX = 100
|
|
|
|
# Disable PoW for most tests (easier testing)
|
|
POW_DIFFICULTY = 0
|
|
|
|
|
|
config = {
|
|
"development": DevelopmentConfig,
|
|
"production": ProductionConfig,
|
|
"testing": TestingConfig,
|
|
"default": DevelopmentConfig,
|
|
}
|