hemmeligorg / hemmelig.app Goto Github PK

If the secret has the flag checked where the secret should be burned after the time expires. It should be possible to download the image until then.

Currently it uses two calls to Redis, however, transactions might solve this: https://redis.io/topics/transactions

Update the API section with information for devs. First, implement create account page. Have to assign the user key:token.

About Hemmelig. Why? How? What next?

So, currently the only support for this repository is the "do-connecting-ip" header for digital ocean to fetch the user IP. However, if people self host, they most likely do not have this header.

To do:
Rewrite this part of the code to accept a string from a ENV var injected to the docker container to decide what header to look for. https://github.com/HemmeligOrg/Hemmelig.app/blob/main/src/server/decorators/allowed-ip.js#L15
Set the default header to "do-connecting-ip".

Note, update this code as well: https://github.com/HemmeligOrg/Hemmelig.app/blob/main/src/server/decorators/rate-limit.js#L21

https://github.com/docker/build-push-action/blob/master/docs/advanced/tags-labels.md

Look into using https://gimlet.io/k8s-yaml-generator#eyJpbWFnZSI6eyJyZXBvc2l0b3J5IjoiaGVtbWVsaWdhcHAvaGVtbWVsaWciLCJ0YWciOiJ2NS45LjEifSwiY29udGFpbmVyUG9ydCI6MzAwMCwicmVzb3VyY2VzIjp7Imlnbm9yZSI6dHJ1ZX0sInByb2JlIjp7ImVuYWJsZWQiOnRydWUsInBhdGgiOiIvYXBpL2hlYWx0aHoifSwibGl2ZW5lc3NQcm9iZSI6eyJlbmFibGVkIjp0cnVlLCJwYXRoIjoiL2FwaS9oZWFsdGh6In0sInZhcnMiOnsiU0VDUkVUX0hPU1QiOiJoZW1tZWxpZy5hcHAiLCJTRUNSRVRfUk9PVF9VU0VSIjoiZ3Jvb3QiLCJTRUNSRVRfUk9PVF9FTUFJTCI6Imdyb290QGhlbW1lbGlnLmFwcCJ9LCJzZWNyZXRFbmFibGVkIjp0cnVlLCJzZWFsZWRTZWNyZXRzIjp7IlNFQ1JFVF9ST09UX1BBU1NXT1JEIjoiaWFtZ3Jvb3QiLCJTRUNSRVRfSldUX1NFQ1JFVCI6IjEzMzc3MzMxYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoifSwidm9sdW1lcyI6W3sibmFtZSI6ImZpbGVzIiwicGF0aCI6Ii92YXIvdG1wL2hlbW1lbGlnL3VwbG9hZC9maWxlcyIsInB2Y0Fubm90YXRpb25zIjp7fSwic2l6ZSI6IjVHaSJ9LHsibmFtZSI6InNxbGl0ZSIsInBhdGgiOiIvaG9tZS9ub2RlL2hlbW1lbGlnL2RhdGFiYXNlLyIsInB2Y0Fubm90YXRpb25zIjp7fSwic2l6ZSI6IjFHaSJ9XX0=

Create account to be able to use the API

Hi, I'm the guy who asked about translation support in Reddit. Would you consider a PR with some support? Frontend maybe.. I think I can add some basic implementation of react-i18n...

To be used to create the secrets from the CLI. Blocked by #7

Allow certain IP range. I.e. if is on a VPN. Per share? Account sets restriction?

Really, nothing yet. Just providing basic auth name / secret for later usage.

This means combining the server and the frontend.

• Site: https://hemmelig.app
  New Alerts
  • Content Security Policy (CSP) Header Not Set [10038] total: 2:
    • https://hemmelig.app
    • https://hemmelig.app/
  • Cross-Domain Misconfiguration [10098] total: 9:
    • https://hemmelig.app
    • https://hemmelig.app/
    • https://hemmelig.app/favicon.ico
    • https://hemmelig.app/icons/apple-touch-icon.png
    • https://hemmelig.app/robots.txt
    • ..
  • Proxy Disclosure [40025] total: 13:
    • https://hemmelig.app
    • https://hemmelig.app/
    • https://hemmelig.app/favicon.ico
    • https://hemmelig.app/icons
    • https://hemmelig.app/icons/apple-touch-icon.png
    • ..
  • Timestamp Disclosure - Unix [10096] total: 180:
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • ..
  • Information Disclosure - Suspicious Comments [10027] total: 2:
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/main.534b9f25.chunk.js
  • Modern Web Application [10109] total: 3:
    • https://hemmelig.app
    • https://hemmelig.app/
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
  • Re-examine Cache-control Directives [10015] total: 2:
    • https://hemmelig.app
    • https://hemmelig.app/

View the following link to download the report.
RunnerID:2269780501

to prettify the app

As the title says. Currently, it was made as a MVP, and is not very clean.

TBD

To be used for i.e. Kubernetes.

And handle cases such at this really bad hack: https://github.com/HemmeligOrg/Hemmelig.app/blob/main/src/client/helpers/state-emitter.js

State manager ftw. Might have a look at a different state manager for React as well. KISS.

Documentation: https://www.npmjs.com/package/bcrypt#user-content-a-note-on-rounds

I would say 10 or 12 should be fine

Just as mentioned in my original reddit comment

Ideally the way I think it should be implemented is with an "Expert mode" option. This way non-technical users won't struggle with it.

1. Alice creates a link and this generates a key pair

2. Alice sends the link (which contains the public key) to bob

3. Bob opens the link, and a key pair is created for bob

4. Bob is prompted to send the public key he has to alice using that same unencrypted channel. Meanwhile the shared key is created and put into a cookie using bobs private key and Alices public key

5. Alice puts bobs key in the link they generated. This creates the shared key on Alices end.

6. Alice then puts the secret data they want to send to bob. The Shared key encrypts the data being sent.

7. Bob then see's the information is available, and decrypts the note because their browser has the shared secret in a cookie.

Make it possible to brand the self-hosted version.

It makes it hard though while using bcrypt. Which means the hash is always different. However, might be able to inject the password as a sha, which again is encrypted by tweetnacl. Look into this.

https://github.com/Stuk/jszip

id exist endpoint: Check whether the id exists or not and if it has a password tied to it.
id view endpoint: Should burn the secret by default

remove the burn endpoint

This code requires a bit of refactoring. Pushed the feature for testing, and will come back to this. Will also enable multi upload for more filetypes. Not just images. Use Signal input field as inspiration

Create an adapter which makes it possible to upload directly to the server where hemmelig is running. By doing this it is possible to eliminate using DO or s3

Currently, a new logo is in the making.

As the title says. Add a flag for this.

Feel free to audit this application. Would be highly appreciated.

they should also be allowed to delete them, and set new passwords to them

• Site: http://hemmelig.app

• Site: https://hemmelig.app
  New Alerts

  • Content Security Policy (CSP) Header Not Set [10038] total: 2:
    • https://hemmelig.app
    • https://hemmelig.app/
  • Cross-Domain Misconfiguration [10098] total: 9:
    • https://hemmelig.app
    • https://hemmelig.app/
    • https://hemmelig.app/favicon.ico
    • https://hemmelig.app/icons/apple-touch-icon.png
    • https://hemmelig.app/robots.txt
    • ..
  • HTTPS Content Available via HTTP [10047] total: 7:
    • https://hemmelig.app
    • https://hemmelig.app/
    • https://hemmelig.app/favicon.ico
    • https://hemmelig.app/icons/apple-touch-icon.png
    • https://hemmelig.app/static/css/main.79ab8250.chunk.css
    • ..
  • Timestamp Disclosure - Unix [10096] total: 181:
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • ..
  • Information Disclosure - Suspicious Comments [10027] total: 2:
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
    • https://hemmelig.app/static/js/main.534b9f25.chunk.js
  • Modern Web Application [10109] total: 3:
    • https://hemmelig.app
    • https://hemmelig.app/
    • https://hemmelig.app/static/js/2.646a466b.chunk.js
  • Re-examine Cache-control Directives [10015] total: 2:
    • https://hemmelig.app
    • https://hemmelig.app/

View the following link to download the report.
RunnerID:2269780501

There are a couple of spelling errors in README.md -- I've forked the repo and will submit a pull request with the corrections

This might be by default, then light mode has to be turned on.

Considering to create a queue mechanism here to trigger an event when the time is up for deletion

Add script to prompt the user if they want to add the app to their home screen.

Easier for everyone

• Collect how many secrets that are currently active
• Collect how many secrets are burned
• Collect how many visits to the page

Important: Do not track personal data at all.

None of these should be tracked by 3d party applications.