mirror of https://github.com/Luzifer/ots.git synced 2024-06-18 10:19:43 +00:00

One-Time-Secret sharing platform with a symmetric 256bit AES encryption in the browser

aes256 encryption golang one-time-secret

Go to file

Knut Ahlers ea631beeef Replace redis client, move expiry into creation interface Signed-off-by: Knut Ahlers <knut@ahlers.me>		2023-06-10 01:42:46 +02:00
.github/workflows	ci: Add CodeQL Scanning	2023-06-10 00:27:01 +02:00
docs	Add OpenAPI documentation (#48 )	2021-09-27 00:52:44 +02:00
frontend	Add security HTTP headers (#45 )	2021-09-26 16:47:25 +02:00
src	Update dependencies	2023-06-09 23:06:44 +02:00
.dockerignore	[#46 ] Remove external font deps, add SRI checks (#47 )	2021-09-26 14:49:18 +02:00
.gitignore	Add OpenAPI documentation (#48 )	2021-09-27 00:52:44 +02:00
api.go	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
cli_create.sh	Breaking: Replace deprecated / archived crypto library (#80 )	2023-04-14 13:06:14 +02:00
cli_get.sh	Breaking: Replace deprecated / archived crypto library (#80 )	2023-04-14 13:06:14 +02:00
CONTRIBUTING.md	Initial API	2017-08-03 14:13:53 +02:00
Dockerfile	Add OpenAPI documentation (#48 )	2021-09-27 00:52:44 +02:00
Dockerfile.minimal	Add OpenAPI documentation (#48 )	2021-09-27 00:52:44 +02:00
go.mod	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
go.sum	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
History.md	prepare release v1.0.0	2023-04-14 13:13:15 +02:00
LICENSE	Fix LICENSE file	2018-05-05 18:10:10 +02:00
main.go	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
Makefile	Replace repo-runner with Github actions	2023-03-07 16:56:55 +01:00
README.md	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
storage_mem.go	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
storage_redis.go	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
storage.go	Replace redis client, move expiry into creation interface	2023-06-10 01:42:46 +02:00
tplFuncs.go	[#46 ] Remove external font deps, add SRI checks (#47 )	2021-09-26 14:49:18 +02:00

README.md

Luzifer / OTS

ots is a one-time-secret sharing platform. The secret is encrypted with a symmetric 256bit AES encryption in the browser before being sent to the server. Afterwards an URL containing the ID of the secret and the password is generated. The password is never sent to the server so the server will never be able to decrypt the secrets it delivers with a reasonable effort. Also the secret is immediately deleted on the first read.

Features

AES 256bit encryption
Server does never get the password
Secret is deleted on first read

Setup

Download the release
Start it and you can access the server on http://localhost:3000/

For a better setup you can choose the backend which is used to store the secrets:

mem - In memory storage (wiped on restart of the daemon)
redis - Storing the secrets in a hash under one key
- REDIS_URL - Redis connection string redis://auth:PWD@HOST:PORT/DB
- REDIS_KEY - Key prefix to store the keys under (Default io.luzifer.ots)
Common options
- SECRET_EXPIRY - Expiry of the keys in seconds (Default 0 = no expiry)

Creating secrets through CLI / scripts

As ots is designed to never let the server know the secret you are sharing you should not just send the plain secret to it though it is possible.

This is slightly more complex as you first need to encrypt your secret before sending it to the API but in this case you can be sure the server will in no case be able to access the secret. Especially if you are using ots.fyi (my public hosted instance) you should not trust me with your secret but use an encrypted secret:

# echo "my password" | openssl aes-256-cbc -base64 -pass pass:mypass -iter 300000 -md sha512
U2FsdGVkX18wJtHr6YpTe8QrvMUUdaLZ+JMBNi1OvOQ=

# curl -X POST -H 'content-type: application/json' -i -s -d '{"secret": "U2FsdGVkX18wJtHr6YpTe8QrvMUUdaLZ+JMBNi1OvOQ="}' https://ots.fyi/api/create
HTTP/2 201
server: nginx
date: Wed, 29 Jan 2020 14:08:54 GMT
content-type: application/json
content-length: 68
cache-control: no-cache

{"secret_id":"5e0065ee-5734-4548-9fd3-bb0bcd4c899d","success":true}

You will now need to supply the web application with the password in addition to the ID of the secret: https://ots.fyi/#5e0065ee-5734-4548-9fd3-bb0bcd4c899d|mypass

In this case due to how browsers are handling hashes in URLs (the part after the #) the only URL the server gets to know is https://ots.fyi/ which loads the frontend. Afterwards the Javascript executed in the browser fetches the encrypted secret at the given ID and decrypts it with the given password (in this case mypass). I will not be able to tell the content of your secret and just see the AES 256bit encrypted content.

You can find a script cli_create.sh in this repo demonstrating the creation of the secret with all steps.

# curl -X POST -H 'content-type: application/json' -i -s -d '{"secret": "my password"}' https://ots.fyi/api/create

HTTP/2 201
server: nginx
date: Wed, 29 Jan 2020 14:02:42 GMT
content-type: application/json
content-length: 68
cache-control: no-cache

{"secret_id":"1cb08e53-46b9-4f21-bbd9-f1eea1594ad9","success":true}

You can then use the URL https://ots.fyi/#1cb08e53-46b9-4f21-bbd9-f1eea1594ad9 to access the secret.

Localize to your own language

If you want to help translating the application to your own language please download the en.json file from this repository and translate the strings inside. Afterwards please open an issue and attach your translation including the information which language you translated the strings into.

Of course you also could open a pull-request to add the new file to the src/langs folder. In this case please also edit the langs.js file and add your translation.

Same goes with when you're finding translation errors: Just open an issue and let me know!