Where does one make the switch to this storage option and configure accordingly?

1.0.0-d3e92c7
export REDIS_URL="redis://auth:[email protected]:6379/0"

Secrets are not being stored correctly, internal error as seen below.
POST /api/create" 500
Reverting to storage type mem fixes the issue.

Previous release 1.0.0-413ad34 worked just fine with
export REDIS_URL="tcp://auth:[email protected]:6379/0"

Hi, I am currently looking into onetimesecret.
I am not familiar with coding and the languages and have no clue on how to install and run the code.
So the current setup process described in README.md won't really help me.

I have been trying a bit reading old issues that might help, haven't been able to get it working.
I am currently using ubuntu server ubuntu-22.04.2 (64bit).
sudo apt-get install build-essential
sudo apt-get install ntp libyaml-dev libevent-dev zlib1g zlib1g-dev openssl libssl-dev libxml2 libreadline-gplv2-dev
sudo apt-get install ruby redis ruby-bundler ruby-dev
sudo apt install golang-go
sudo apt install go-bindata

Somethings still installed from the last onetimesecret I tried. (that didn't work for me)

Could anyone help me do the initial setup?
The initial setup could also be documented in README.md to make it easier to install for noobs like me :)

Thank you in advance.

This is an enhancement request.

Using the pre-built releases, can there be a way to customise the interface of the portal. To brand it or similar?

Hi,

Thanks for this awesome Project!
I had an idea for a simple password generation in the secret. I have created a first version of this on my system:

It uses basic JS code to choose x random characters from a string. An example for that would be: ANk5V0}iQEBw>?L
This is the code I wrote, the length of the password and the characters in it can be changed with customize.yaml

generatePassword() {
  let characterSet = this.customize.passwordCharacterSet ||
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&()*+,-./:;<=>?@[\\]^_`{|}~'
  let passwordLength = this.customize.passwordLength || 15
  let password = ''
    
  for (let i = 0; i < passwordLength; i++) {
    password += characterSet.charAt(Math.floor(Math.random() * characterSet.length))
  }

  const secretInput = document.getElementById("secret")
  secretInput.focus()
  secretInput.setRangeText(password)
  secretInput.setSelectionRange((secretInput.selectionStart + passwordLength), (secretInput.selectionStart + passwordLength))
},

Would this be a feature that is worth implementing?

It may be useful to add information in the popup when and by whom (e.g. IP-address, User-Agent) the link to the secret was compromised (or simply opened by chance). It can be useful for both security and debugging

OTS currently sets a Cache-Control: no-cache header, allowing caches to store the response.

From the MDN page on Cache-Control:

no-cache
The response may be stored by any cache, even if the response is normally non-cacheable. However, the stored response MUST always go through validation with the origin server first before using it, therefore, you cannot use no-cache in-conjunction with immutable. If you mean to not store the response in any cache, use no-store instead. This directive is not effective in preventing caches from storing your response.

no-store
The response may not be stored in any cache. Note that this will not prevent a valid pre-existing cached response being returned. Clients can set max-age=0 to also clear existing cache responses, as this forces the cache to revalidate with the server (no other directives have an effect when used with no-store).

This may expose the encrypted secret to third parties for a longer period of time than was intended.

Hello @Luzifer
Just making sure you were ok for us to perform a veracode scan against the latest source code and share the findings privately as needed.
Please let me know if you have any objections.
Best regards.

Hi Luzifer, would it be possible to suppress or disallow the possibility to create empty secrets?
When hitting the "create secret" button without typing in something it creates a secret (you can see it in redis db) and you can open the secret url and display the secret. The secret won't show, because there is no, but when trying for the second time you'll get the error page that this secret doesn't exist.
Looking at redis db the empty secret is gone after visiting the secret url page.
Can someone reproduce this problem, please?

Hej im getting a Whitescreen when accessing the site ssl cert is working but ots website is completely ?

Howdy!

I really appreciate using ots on daily basis, so I'd like to contribute a little to its internationalization.

The attached i18n.yaml file introduces the Polish translation for the application. Looking forward to see it in next release!

P.S. The attachment will have .txt extension; as it seems, GitHub does not fancy attaching YAMLs to issues.

Hello,

How do I get the release to work through HTTPS on Windows or Linux?

Thanks

I'm trying to write a script to do the decryption of the secret. When calling openssl to decrypt it give me a warning :

$ curl https://ots.fyi/api/get/525bbb9a-7786-437f-b99e-35e8db135054 
{"secret":"U2FsdGVkX1/n+zfF2RYRzmUG9WsgJlasBrzt0lUaseY=\n","success":true}
$ echo "U2FsdGVkX1/n+zfF2RYRzmUG9WsgJlasBrzt0lUaseY=" | openssl aes-256-cbc -base64 -pass "pass:w31xcdfbhpl" -md md5 -d
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
test secret

Perhaps this is nothing but it doesn't feel good for a non expert.

Tor browser warns about possible canvas-based fingerprinting shortly after encrypting a secret. I think the QR code is being rendered in the background even if you don't click the button. (I haven't seen it on other browsers, but I can imagine Firefox may do the same when fingerprint resist is enabled.)

Disabling QR support using the customize feature fixes it.

Add support for a proxy configuration so OTS can be hosted like https://host/ots

(We plan to do it during our weekly workshop at my company)

Hi,

it seems that the language of OTS depends on the browser.
Would it be possible to also implement formal German texts, e. g. „Sie“ instead of „Du“?
Maybe with a new parameter in customize.yaml?

I can provide all texts if needed.

Thank you

{
"alert-secret-not-found": "Aradığınız sır bu değil… - Sırrın burada olmasını bekliyorsanız, bu link başkası tarafından açılmış ve sırrınız tehlikede olabilir.",
"alert-something-went-wrong": "Bir şeyler ters gitti. Bunun için çok üzgünüm…",
"btn-create-secret": "Sır oluştur!",
"btn-new-secret": "Yeni sır",
"btn-reveal-secret": "Sırrı göster!",
"btn-show-explanation": "Nasıl çalışır?",
"items-explanation": [
"Bu sayfadaki alana sırrınızı giriniz",
"Internet tarayıcınız oluşturulan şifre yardımı ile sırrınızı enkripte eder",
"Sadece ektripte edilmiş sır sunucuya gönderilir (ne sır metni nede şifre gönderilmez!)",
"Sunucu enkripte edilmiş sırrı bünyesinde belli bir süre saklar",
"Gösterilen linki, id ve deşifre bilgisi ile birlikte alıcıya gönder",
"Alcı sırrı tam olarak sadece bir kez görebilir: Eğer göremez ise, sır bir başkası tarafından daha önce görülmüş olabilir!",
"Sır bir kez gösterildikten sonra hemen sunucudan silinir"
],
"label-secret-data": "Sır bilgisi:",
"text-burn-hint": "Lütfen linki kendiniz acmayın, bu sırrın silinmesine neden olur. Linki sadece alıcıya gönderin!",
"text-hint-burned": "Dikkat: Bunu sadece bir kez göreceksiniz. Sayfayı güncellediğinizde yada kapattiğınızda sır kaybolacaktır, belkide şimdi sırrı kopyalamanız akıllıca olacaktır.…",
"text-powered-by": "Destekçi",
"text-pre-reveal-hint": "Sırrı görmek için bu düğmeye tıklayın, ama bunu yaptıktan sonra sırrın silineceğini unutmayın. Bunu sadece bir kez görebilirsin!",
"text-pre-url": "Sırrınız oluşturuldu ve bu link kullanılarak kaydedildi:",
"title-explanation": "Bu sekilde çalışır…",
"title-new-secret": "Yeni sır oluştur",
"title-reading-secret": "Sırrınız okunuyor…",
"title-secret-created": "Sır oluşturuldu!"
}

Did you think about the feature of the QR-code generation shared link to the secret? It can be very convenient to share secrets between the laptop and the mobile for example. For the security reasons, the option can be disconnected in UI or globally

Hi,

I have downloaded the current release and noticed that when using IE11 it only brings up a blank page. This also occurs on "https://ots.fyi/". I see this error when investigating ": Unable to get property 'apply' of undefined or null reference", app.js (68,58522).

Thanks,

Hello!

I get an error when trying to install with make.

...
+ chown -R 0 ../frontend node_modules
go generate
flag provided but not defined: -md5checksum
Usage: go-bindata [options]

-debug
Do not embed the assets, but provide the embedding API. Contents will still be loaded from disk.
-dev
Similar to debug, but does not emit absolute paths. Expects a rootDir variable to already exist in the generated code's package.
-ignore value
Regex pattern to ignore
-mode uint
Optional file mode override for all files.
-modtime int
Optional modification unix timestamp override for all files.
-nocompress
Assets will not be GZIP compressed when this flag is specified.
-nomemcopy
Use a .rodata hack to get rid of unnecessary memcopies. Refer to the documentation to see what implications this carries.
-nometadata
Assets will not preserve size, mode, and modtime info.
-o string
Optional name of the output file to be generated. (default "./bindata.go")
-pkg string
Package name to use in the generated code. (default "main")
-prefix string
Optional path prefix to strip off asset names.
-tags string
Optional set of build tags to include.
-version
Displays version information.
main.go:3: running "go-bindata": exit status 2
make: *** [Makefile:15: generate] Error 1

# go version
go version go1.11.6 linux/amd64

# go-bindata -version
go-bindata 3.1.0 (Go runtime go1.11.5).

Tested on the latest Debian and Ububtu distributions.
Help me install ots.

Hi,

thank you for this great application!

I tried to manually build the docker container under Ubuntu 22.04 but it seems to fail with an error:

docker build -f Dockerfile.minimal .

node: error while loading shared libraries: libicui18n.so.73: cannot open shared object file: No such file or directory
make: *** [Makefile:15: generate-inner] Error 127

The fix for me was to update both Dockerfiles and add the option -u to the pacman command as described on Stackoverflow:

RUN set -ex \
 && pacman --noconfirm -Syyu \
...

Can you confirm the issue and the simple fix?

Thank you

Hi Luzifer, would it be possible to have a button "Copy" or "Copy to clipboard" to the left side of the QR code button?
This would be a huge benefit for the mouse-only people who are not so familiar with ctrl-c / ctrl-v.
Just as an idea, maybe fot future versions. 😊

As an OPS engineer I don't want to guess how to set-up and secure the instance so nobody outside the company can create secrets on it.

Therefore a little "Walk-Through" would be great to have. It should

• demonstrate setting up a plain OTS (plain Docker)
• show how to customize the instance
• get into detail how to secure the instance using nginx proxy module

Thank you for the product. It is working very well. One suggestion: the possibility from the UI to display and overwrite the default SECRET_EXPIRY value would be a very nice addition. Similar to what https://onetimesecret.com/ does.

Would it be possible to shorten the url? Like when using the bitly url shortener service?
Maybe with an additional click to use an internal shortener service (more work for you) or to use an external url shortener service?

Reproduce (Fedora 31)

curl -LO https://github.com/Luzifer/ots/releases/download/v0.17.0/ots_linux_amd64.tar.gz

sha256sum ots_linux_amd64.tar.gz
4753078d6aafcdd8cb128217cda2c8f2618ab284b9191718849d7a2bd63ec109  ots_linux_amd64.tar.gz

tar zxf ots_linux_amd64.tar.gz

sha256sum ots_linux_amd64
f2cade9b0fecc0ce468a73de978f16d6ae2f9b9f582b37ac76e50e8a59876b79  ots_linux_amd64

./ots_linux_amd64

curl localhost:3000/api/create -d "secret=thisisarestlinktest"
{"secret_id":"1926fb79-47bb-4c30-ae55-fcc92d38cff2","success":true}

curl localhost:3000/api/read/1926fb79-47bb-4c30-ae55-fcc92d38cff2
{"error":"Secret not found","success":false}

Creating link from web ui - http://localhost:3000/#306867d9-7347-475a-acb1-270fffcc8dc2|r6cy4vs1gaf gives message

This is not the secret you are looking for… - If you expected the secret to be here it might be comprimised as someone else might have opened the link already.

Expected behavior that works with v0.16.1

Web UI - Link works

REST API

curl localhost:3000/api/create -d "secret=thisisarestlinktestthat will work v0.161"
{"secret_id":"ec82f65a-6a67-494e-b984-44a115352c84","success":true}

curl localhost:3000/api/get/ec82f65a-6a67-494e-b984-44a115352c84
{"secret":"thisisarestlinktestthat will work v0.161","success":true}

After I add an icon tag in it. In console, it shows

Refused to load the image '<ImageURL>' because it violates the following Content Security Policy directive: "img-src data: 'self'".

Looking for a way to run this as a https web. Thankful for any pointers! Here is a swedish translation by way of saying thanks for this project.
sv.zip

Frontend code tries to load /css/all.min.css which is not included in the builds available on the Github releases page. (Same issue on the hosted version at https://ots.fyi/)

The files exist (and are embedded in the binary) when I build OTS myself.

I see the css and webfonts folders are in gitignore, is it possible they're ignored for your builds that way?

Check the compatibility and use Google distroless go image to reduce size and attack surface.

(We plan to do it during our weekly workshop at my company)

Hi i get a blank white site when friends try to access, also i just get a blank white page on my phone
What should i provide to debug and where to find it?

After cloning the repo and building, I get the following error when performing a GET to localhost:3000:

    ...
    <link
      as="font"
      crossorigin="anonymous"
      href="webfonts/fa-solid-900.woff2"
      integrity="executing template: template: index.html:46:20: executing "index.html" at <assetSRI .>: error calling assetSRI: open frontend/webfonts/fa-solid-900.woff2: file does not exist

Would it be possible to implement a button to select all the secret field and copy to client clipboard ?
It would help the recipient users.

I'm looking into adding integrity='' attributes to the stylesheet and javascript files in index.html.

We can change index.html to a Go template and parse it on startup. There's already a conditional for / in the assetDelivery function so we can render the template there. There's already an unused assetSRIHash in tplFuncs.go that can be modified to cache the hashes for embedded assets.

Am I right in thinking that index.html is a static file, not generated by the nodejs/vue code?

Then there are also a few font files that are loaded by the stylesheet (or possibly javascript). I'm not sure there's a way to add integrity hashes to those.

This should apply to v0.17 as well.

Might be a feature request if designed that way from the beginning?

Reproduce (Fedora 31)

curl -LO https://github.com/Luzifer/ots/releases/download/v0.16.1/ots_linux_amd64.tar.gz

sha256sum ots_linux_amd64.tar.gz
7e4469f3cfa60e714dd7ddbd0b34df2644197051a1a4e4b22288bafc9bcd2dab  ots_linux_amd64.tar.gz

tar zxf ots_linux_amd64.tar.gz

sha256sum ots_linux_amd64
03c9c4cb27e65e569aefe80af0ba201327b68f713b3074fecff703960bd8540a  ots_linux_amd64

./ots_linux_amd64 --version
ots v0.16.1

./ots_linux_amd64

web generated links

Generated links add a similar to this |s4ixx29o77a behind the UUID for some reason that is not there in the REST API. (salt?)

this is a web link #1 http://localhost:3000/#6ea9106c-1bc4-4d38-8e48-06c1baefde2e|v3266bllzl

Link works when opened in browser.

this is a web link #2 http://localhost:3000/#1b21cad7-a9c6-45d3-a2d5-885479879d7d|s4ixx29o77a

Link does not work from REST API directly with ot with out the |s4ixx29o77a part

# This is the one I expect to work (missing the salt?)
curl http://localhost:3000/api/get/1b21cad7-a9c6-45d3-a2d5-885479879d7d
{"secret":"U2FsdGVkX1/wxBqw5RsWnsr5SC4tO3i5BXqJ0LHoj3pTncDCipNnM9XR6lD7NslO\n","success":true}

# These were tested as well, but not expecting them to work
curl http://localhost:3000/api/get/#1b21cad7-a9c6-45d3-a2d5-885479879d7d
404 not found

curl http://localhost:3000/api/get/#1b21cad7-a9c6-45d3-a2d5-885479879d7d|s4ixx29o77a
s4ixx29o77a: command not found...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    14  100    14    0     0   3500      0 --:--:-- --:--:-- --:--:--  3500

API generated links

curl localhost:3000/api/create -d "secret=this is a rest link #1"
{"secret_id":"3a8210f4-ed86-4ba8-974b-87bede2f0efb","success":true}

curl localhost:3000/api/create -d "secret=this is a rest link #2"
{"secret_id":"f69f35ed-5b5d-4c89-a6cc-250b573441a5","success":true}

Link 1 works from REST API

curl http://localhost:3000/api/get/3a8210f4-ed86-4ba8-974b-87bede2f0efb
{"secret":"this is a rest link #1","success":true}

Link # works from browser - http://localhost:3000/#f69f35ed-5b5d-4c89-a6cc-250b573441a5
this is a rest link #2

Embedded salt?

Hello everybody, after downloading and executing the binary of ots_linux_amd64.tar.gz and landing on the clear http page on port 3000 I'm experiencing this problem:
I can't execute the button so that I get the URL with the encrypted data. 😱
What am I doing wrong?
System: Ubuntu Server 22.04.2 LTS (fresh installation, test system)
I'm using this command to run the program: ./ots_linux_amd64 > ots.log 2>&1 &
I'm executing this as root (yes, I know) on my test server.

As I have no clue why it's not working maybe I can get some help here. 👍

Add french language to the interface.

(We plan to do it during our weekly workshop at my company)

Suggestions would be to either change the os.Getenv("REDIS_EXPIRY") to os.Getenv("OTS_EXPIRY") or just read that same os.Getenv("REDIS_EXPIRY") for the memory only storage?

I am trying to figure out how to build this application.

goi18n and go-bindata are supposed to be installed globally? Is there a way around this?
I can't seem to find where the go-bindata repository is either.

Can you clarify on how I can build this?

Hey,

would it be possible to integrate prometheus? I just don´t wanna fork your go_helpers repo ;)

Kind regards

Brazilian Portuguese translation: pt-br.json

{
"alert-secret-not-found": "Esta não é o segredo que você está procurando… - Se você esperava que o segredo estaria aqui, ele pode ter sido comprometido por alguém que já acessou o link.",
"alert-something-went-wrong": "Desculpe, algo deu errado…",
"btn-create-secret": "Criar segredo!",
"btn-new-secret": "Novo segredo",
"btn-reveal-secret": "Mostrar o segredo!",
"btn-show-explanation": "Como funciona?",
"items-explanation": [
"Você insere o segredo no campo de texto desta página",
"Seu navegador criptografa o segredo usando uma senha gerada",
"Somente o segredo criptografado é enviado para o servidor (nem o segredo em texto claro, nem a senha é enviada para o servidor!)",
"O servidor armazena o segredo criptografado por um certo tempo",
"Você envia a URL mostrada contendo a ID e a senha de descriptografia para o destinatário",
"O destinatário pode ver o segredo apenas uma vez: se ele não pode ver, o segredo pode ter sido visto por outra pessoa!",
"Após o segredo ter sido obtido uma vez, o mesmo é deletado do servidor"
],
"label-secret-data": "Informação secreta:",
"text-burn-hint": "Importante você lembrar de não acessar esta URL, pois isto irá indisponibilizar o segredo. Apenas encaminhe para outra pessoa!",
"text-hint-burned": "Atenção: Você está vendo esta informação apenas uma vez. Logo que você recarregar a página o segredo ficará indisponível. É recomendado que você copie a informação agora…",
"text-powered-by": "Powered by",
"text-pre-reveal-hint": "Para revelar o segredo clique neste botão, mas lembre-se que esta ação vai destruir o segredo. Você só pode ver uma única vez!",
"text-pre-url": "Seu segredo foi criado e armazenado na seguinte URL:",
"title-explanation": "É assim como funciona…",
"title-new-secret": "Criar um novo segredo",
"title-reading-secret": "Lendo seu segredo…",
"title-secret-created": "Segredo criado!"
}

Can you think of a way to prevent some users from creating secrets ?
I had some feedback on the tool and this question emerged. ie, having secret consumers only.

That seems difficult to me as we do not have roles in the application. Maybe a specific value encoded in the URL to just mask the new secret button ? Obviously, that's a poor implementation as visual only.

I would imagine a lot of interest of having the roles producer only, consumer only, producer/consumer.

Is it reasonable to consider the possibility to attach binary files to a secret ?
We do have a test case where we need to send PDF files as secrets. I thought it would be interesting to raise that topic.
I did a POC where I did a base64 encoding of a PDF as a secret, and it worked just fine, but I feel a binary attachment would provide a better user experience.

Hi Luzifer, when retrieving the secret via /api/get the secret gets displayed exactly one time. Everything fine so far.
When trying to reload the url with secret and password in it, the error message which has been shown before (1.0.0) doesn't get displayed anymore.
Instead, nothing is shown when clicking on "show me the secret".
Server logs (ots own log as well as nginx rev proxy logs):
first call: 200 (secret is displayed)
further calls: 404 error
Maybe I configured something wrong? I am making use of the customization feature if this is important to you.

All of my intended users will have one language in common. Is it possible to define this setting for the frontend somewhere, short of re-compiling?

Is this possible to limit access to secret creation without limiting access to reading secrets?

Let's say OTS has two main parts - "create secret" and "read secret".
In my particular case I need to limit access to "create secret" (be it by IP or password - nothing fancy high security, just so random people can't create secrets) while "read secret" remains accessible to anyone.

I am even thinking of running two instances of OTS on the same server - one with "creation" parts edited out of app.vue template and other with full functionality, but with limited access. Would it even be possible?

The pipeline inside inside the created link makes a problem, when the link is sent through outlook 365 and the workstation is connected to network through a VPN. It seems that outlook reads the password and then lets the browser opening it, which leads to an expired password. Is it possible to have the link without pipeline?

Hi,

is there a UI component currently available to enable optionally protecting the secret with a password like the way CLI has?

Hello,
I wonder if or how to install and run your script in a shared hosting environment?
My hosting does not provide redis, I'm afraid …
Thank you and kind regards,
Sasch

As a Kubernetes operator I want to be able to create an OTS instance easily without having to write the chart myself. The repo should bring its own chart.

To ease deployment on K8s create a chart containing options for customization.