feat: Password-protected AES-256 encrypted pastes #33
Comments
|
do it in javascript only so the server dont need to know anything about the encryption |
Maybe- one of the original goals of Spacebin was to be as free of JavaScript as possible but it may be impossible to stick to that. Additionally, wouldn't it be more secure to do it server-side? |
|
nope the whole point of encryption is that no one knows the password not even the server and having protected pastes just make the IDs longer and put in rate limits it results in the same as a password |
|
I forgot to mention the server only receives the part before the #, meaning anything after it isn’t sent to the server. |
|
Yeah, I really meant that having the encryption/decryption logic on the client side might mean it's able to be bypassed. Also, if the password were in the URL it would be seen by the server that hosts the website (In Spacebin's case it's combined w/ the API) so that it could fulfill the request. I will keep your suggestion in mind while researching the best way to implement this feature. |
Please check the box if you understand that this repo is only for server-side backend issues. Please write issues related to the frontend or cli client in their respective repositories:
Is your feature request related to a problem? Please describe.
N/A
Describe the solution you'd like
When pastes are uploaded, perhaps through a
/encryptendpoint, you would need to specify apasswordin the query parameters (or multipart form value). The server would then hash the password, salt it, encrypt the paste, and return the ID. No other data will be stored on the server other than the hash of the password.Describe alternatives you've considered
N/A
Additional context
The text was updated successfully, but these errors were encountered: