[bug] Generated links from Web UI are not compatible with REST API v0.16.1 #14

Closed
bendoin opened this issue Jan 26, 2020 · 3 comments

bendoin commented Jan 26, 2020

This should apply to v0.17 as well.

Might be a feature request if designed that way from the beginning?

Reproduce (Fedora 31)

```
curl -LO https://github.com/Luzifer/ots/releases/download/v0.16.1/ots_linux_amd64.tar.gz

sha256sum ots_linux_amd64.tar.gz
7e4469f3cfa60e714dd7ddbd0b34df2644197051a1a4e4b22288bafc9bcd2dab  ots_linux_amd64.tar.gz

tar zxf ots_linux_amd64.tar.gz

sha256sum ots_linux_amd64
03c9c4cb27e65e569aefe80af0ba201327b68f713b3074fecff703960bd8540a  ots_linux_amd64

./ots_linux_amd64 --version
ots v0.16.1

./ots_linux_amd64
```

web generated links

Generated links add something similar to this |s4ixx29o77a behind the UUID for some reason, which is not there in the REST API. (salt?)

this is a web link #1 http://localhost:3000/#6ea9106c-1bc4-4d38-8e48-06c1baefde2e|v3266bllzl

Link works when opened in browser.

this is a web link #2 http://localhost:3000/#1b21cad7-a9c6-45d3-a2d5-885479879d7d|s4ixx29o77a

Link does not work from REST API directly, with or without the |s4ixx29o77a part

```
# This is the one I expect to work (missing the salt?)
curl http://localhost:3000/api/get/1b21cad7-a9c6-45d3-a2d5-885479879d7d
{"secret":"U2FsdGVkX1/wxBqw5RsWnsr5SC4tO3i5BXqJ0LHoj3pTncDCipNnM9XR6lD7NslO\n","success":true}

# These were tested as well, but not expecting them to work
curl http://localhost:3000/api/get/#1b21cad7-a9c6-45d3-a2d5-885479879d7d
404 not found

curl http://localhost:3000/api/get/#1b21cad7-a9c6-45d3-a2d5-885479879d7d|s4ixx29o77a
s4ixx29o77a: command not found...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    14  100    14    0     0   3500      0 --:--:-- --:--:-- --:--:--  3500
```

API generated links

```
curl localhost:3000/api/create -d "secret=this is a rest link #1"
{"secret_id":"3a8210f4-ed86-4ba8-974b-87bede2f0efb","success":true}

curl localhost:3000/api/create -d "secret=this is a rest link #2"
{"secret_id":"f69f35ed-5b5d-4c89-a6cc-250b573441a5","success":true}
```

Link 1 works from REST API

```
curl http://localhost:3000/api/get/3a8210f4-ed86-4ba8-974b-87bede2f0efb
{"secret":"this is a rest link #1","success":true}
```

Link 2 works from browser - http://localhost:3000/#f69f35ed-5b5d-4c89-a6cc-250b573441a5
this is a rest link #2

Embedded salt?

Luzifer (Owner) commented Jan 26, 2020

> Generated links add something similar to this |s4ixx29o77a behind the UUID for some reason, which is not there in the REST API. (salt?)

This is an encryption passphrase. This project has a zero-knowledge approach which ensures the server will never be able to leak secrets sent to it. All secrets are encrypted in the browser and sent in AES256 bit encrypted form to the server.

The form of the links is <schema>://<host>/#<id>|<pass>.

Given the approach of never sending plain secrets to the server you should encrypt your secrets using OpenSSL when creating them from CLI and then append the decryption passphrase to the URL.

Keeping this as a reminder to add documentation on how to create secrets through CLI and assemble the URL from there.
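
The flow described in the comment above (encrypt locally with OpenSSL, store only the ciphertext, append the passphrase after `|` in the URL fragment), as an added example that is not part of the thread and not the project's own script. The function names, the `OTS_KDF_MD` variable with its `md5` default and the passphrase format are assumptions; the `/api/create` endpoint and the link form come from the thread.

```shell
#!/bin/sh
# Added example; not the project's script. Assumptions are marked.

# ASSUMPTION: digest for OpenSSL's passphrase-to-key derivation. It must match
# what the browser side of your OTS version uses; check the project README.
OTS_KDF_MD="${OTS_KDF_MD:-md5}"

# Random passphrase (constructed format; the web UI generates its own).
ots_new_pass() { openssl rand -hex 16; }

# Encrypt $1 under passphrase $2, print single-line base64 ("Salted__" format).
# The passphrase travels via the environment, not argv, so it stays out of
# the process list.
ots_encrypt() {
  printf '%s' "$1" | OTS_PASS="$2" openssl enc -aes-256-cbc -salt -a -A \
    -md "$OTS_KDF_MD" -pass env:OTS_PASS 2>/dev/null
}

# Inverse of ots_encrypt, for checking a ciphertext locally.
ots_decrypt() {
  printf '%s\n' "$1" | OTS_PASS="$2" openssl enc -d -aes-256-cbc -a -A \
    -md "$OTS_KDF_MD" -pass env:OTS_PASS 2>/dev/null
}

# Link form from the thread: <schema>://<host>/#<id>|<pass>
ots_build_url() { printf '%s/#%s|%s\n' "${1%/}" "$2" "$3"; }

# Split a share link into "id pass". Quote such links in the shell: unquoted,
# '|' starts a pipeline (the "command not found" seen in the report).
ots_parse_url() (
  frag="${1#*#}"
  printf '%s %s\n' "${frag%%|*}" "${frag#*|}"
)

# Upload ciphertext to the endpoint shown in the thread; prints the secret_id.
# --data-urlencode keeps '+' and '/' of the base64 intact in the form body.
ots_create() {
  curl -fsS "${1%/}/api/create" --data-urlencode "secret=$2" |
    sed -n 's/.*"secret_id":"\([^"]*\)".*/\1/p'
}

# Full flow: encrypt locally, send only ciphertext, print the share link.
# Usage (needs a running instance): ots_share http://localhost:3000 'my secret'
ots_share() (
  pass="$(ots_new_pass)" && ct="$(ots_encrypt "$2" "$pass")" &&
    id="$(ots_create "$1" "$ct")" && [ -n "$id" ] &&
    ots_build_url "$1" "$id" "$pass"
)
```

Creating a secret with the plain text in `-d "secret=..."`, as in the report, stores it unencrypted on the server; with this flow the server only receives the `U2FsdGVkX1...` ciphertext.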

Luzifer added a commit that referenced this issue Jan 29, 2020
Signed-off-by: Knut Ahlers <knut@ahlers.me>
Luzifer (Owner) commented Jan 29, 2020

I've added documentation and a script for creating secrets to the repo. Please have a look at the changed README to see whether the explanation is understandable and meets your use-case.

bendoin (Author) commented Feb 1, 2020

Hello Luzifer, thanks for adding that documentation part, much appreciated. This will for sure help with my scenario. Thanks a lot.

bendoin closed this as completed Feb 1, 2020