Content distribution platform using 256t hash-based addressing
HashBin.org is a content distribution platform built on Cloudflare's edge computing infrastructure. Users can publish content that others can retrieve using cryptographic hashes. The system operates on a pay-to-publish, free-to-download model with time-based retention and a fair content contestation mechanism.
- 256t Content Addressing: Permanent, verifiable content addressing using 256t specification
- Free Public Access: All published content is freely accessible to everyone
- Multi-Provider OAuth: Authenticate with Google, Apple, Microsoft, or GitHub (via Clerk)
- API Key Management: Generate up to 25 API keys for programmatic access
- Transparent Operation: Public records and open source codebase
- Pay-per-Retention: Sustainable model with $0.03/GB/month storage cost
- Runtime: Cloudflare Workers (serverless edge computing)
- Storage: Cloudflare R2 (S3-compatible object storage)
- Database: Cloudflare Durable Objects (distributed, transactional)
- Authentication: Clerk (OAuth provider management)
- Frontend: Vanilla HTML/CSS/JavaScript (ES6 modules, no build step)
- Language: JavaScript (ES modules)
- Deployment: GitHub Actions + Wrangler CLI
- Cloudflare infrastructure setup
- GitHub Actions CI/CD pipeline
- Single production environment
- Health monitoring and logging
- Clerk OAuth integration (Google, Apple, Microsoft, GitHub)
- Session management (Clerk JWT validation)
- API key generation and management
- Rate limiting (anonymous, authenticated, per-key)
- Account management (creation, deletion, linking)
- On-demand user profile creation
- 15/15 tests passing β
- Landing page with navigation and auth header
- User authentication UI (Sign In/Sign Out)
- Balance display in header
- Protected pages (upload, dashboard, deposit)
- Public retrieve page
- Session persistence and auth gate
- Frontend deployed with Worker β
- 256t hash generation and validation
- Content upload/download endpoints
- R2 storage integration
- Content metadata in Durable Objects
- Payment system (Stripe integration)
- Retention management and expiration
- Content contestation and dispute resolution
See todo/master_plan.md for the complete roadmap.
- Node.js 18+ and npm
- Cloudflare account (paid plan for Durable Objects and R2)
- Clerk account (for OAuth authentication)
-
Clone the repository
git clone https://github.com/curtcox/hashbin.org.git cd hashbin.org -
Install dependencies
npm install
-
Start development server
npm run dev
-
Run tests
# Run all tests npm test # Run auth system tests (requires dev server running) ./scripts/test-auth-system.sh
The development server runs at http://localhost:8787
Use the fully local mode to run without Clerk or Stripe:
-
Install dependencies
npm install
-
Start local mode
npm run dev:local
-
Sign in locally
- Click Sign In in the UI and enter a username, or
- Send requests with
Authorization: LocalDev <user_id>.
For full details, see docs/local-development.md.
npm run dev- Start local development servernpm run dev:local- Start local development with local auth/paymentsnpm run deploy- Deploy to productionnpm run verify- Verify production deploymentnpm test- Run test suite
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β API Layer (Cloudflare Workers) β
β - Authentication & Authorization (β
Complete) β
β - Content upload/download (π§ Planned) β
β - Payment processing (π Planned) β
β - Contest management (π Planned) β
ββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββ
β
ββββββββββββββΌβββββββββββββ¬ββββββββββββββ
β β β β
βββββββΌββββββ βββββΌβββββ ββββββΌββββββ ββββββΌβββββββ
β R2 Storageβ β Durableβ β Clerk β β GitHub β
β (Content) β β Objectsβ β (Auth) β β (CI/CD) β
βββββββββββββ ββββββββββ ββββββββββββ βββββββββββββ
- ContentMetadata - Content hash records and metadata
- UserProfile - User accounts, API keys, upload history
- KeyRegistry - Fast API key lookups (hash β user mapping)
- PaymentRecord - Payment tracking and history
- ContestRecord - Content dispute tracking
- MessageThread - User-to-contester communication
HashBin.org supports two authentication methods:
-
Clerk OAuth Session (for web applications)
- Use Clerk frontend SDK to obtain session token
- Include in
Authorization: Bearer <token>header
-
API Keys (for programmatic access)
- Create via
/api/auth/apikeysendpoint (requires Clerk session) - Include in
Authorization: ApiKey <key>orX-API-Key: <key>header - Format:
hb_live_<32-chars>
- Create via
GET /- Service informationGET /health- Health check with component statusGET /api/content/{hash}- Download content (π§ Planned)
GET /api/auth/session- Get current session infoPOST /api/auth/logout- Invalidate Clerk sessionPOST /api/auth/apikeys- Create new API keyGET /api/auth/apikeys- List user's API keysDELETE /api/auth/apikeys/{key_id}- Revoke API keyDELETE /api/auth/account- Delete user account (requires 2FA)
See docs/API.md for complete API reference documentation.
- Anonymous: 100 requests/minute
- Authenticated: 1,000 requests/minute
- Per API Key: 500 requests/minute (within user's total limit)
- API Key Storage: Keys are hashed with SHA-256 before storage
- Session Security: Clerk handles JWT validation and CSRF protection
- Rate Limiting: Per-user and per-key limits prevent abuse
- Key Expiration: Maximum 5-year expiration on all API keys
- Account Deletion: Requires 2FA confirmation
See todo/user_authorization.md#security-considerations for details.
- Cloudflare account with Workers paid plan ($5/month minimum)
- Clerk account with OAuth providers configured
- GitHub repository secrets configured
See todo/user_authorization.md#production-deployment-checklist for the complete deployment checklist.
Quick summary:
- Configure OAuth providers in Clerk Dashboard
- Add secrets to Cloudflare:
CLERK_SECRET_KEY,CLERK_PUBLISHABLE_KEY - Deploy:
npm run deploy:prod - Verify:
npm run verify:prod
# Start dev server (in one terminal)
npm run dev
# Run tests (in another terminal)
./scripts/test-auth-system.shCurrent test coverage: 15/15 tests passing β
Test categories:
- Anonymous access to public endpoints
- Authentication rejection on protected endpoints
- API key format validation
- Environment-specific key validation
- Session management endpoints
- Durable Objects health checks
See todo/manual_testing_guide.md for comprehensive manual testing procedures.
- API Reference - Complete API endpoint documentation with examples β¨
- Frontend Deployment - Frontend setup and Clerk configuration β¨
- Master Plan - Complete implementation roadmap
- User Authorization - Authentication system (Phase 3) β
- Login Implementation - Frontend login functionality β
- Account Management - Account linking and deletion
- Content Dispute Resolution - Contest system (Phase 6)
- Deployment Guide - Production deployment instructions
- Health Check - Health endpoint documentation
This is an open-source project. Contributions are welcome!
- Fork the repository
- Create a feature branch
- Make your changes with tests
- Submit a pull request
MIT License - see LICENSE file for details
- Issues: GitHub Issues
- Documentation: todo/ directory
- Email: Contact via GitHub
Built with:
- Cloudflare Workers
- Clerk for authentication
- Wrangler for deployment
- GitHub Actions for CI/CD