Feature request

[KianBrose]

Is it possible to have a login / password requirement to make it possible for "just the people you want to" to submit things to wastebin? I'm mildly concerned about people making a threaded request bot that would flood the db with junk really quickly

[matze]

I am a bit reluctant because that request needs answers for a bunch of other questions:

• What kind of authentication?
• Can users be banned?
• Do we need an admin view out of a sudden?
• What does the UI/UX look like?
• etc.

I think for simple use cases basic auth via a reverse proxy is probably the easiest solution.

[KianBrose]

Authentication

There are a few options, but the most obvious ones are

• Password: A simple password with no username prompt where the password is properly salted & hashed
• Username + Password: Same thing but with a username

Can users be banned?

I'd like to say that user should not be "banned", but the one that owns the domain should have some way to administrate the users & who has access to upload data

Do we need an admin view out of a sudden?

Not necessarily, the "laziest" implementation would be to have a config file in the back end with plain text passwords. Then in terms of UI, whenever a user would try to click on the "Paste" button it would show a standard html prompt requesting for one of the passwords inside the back end config file

What does the UI/UX look like?

There's honestly lots of ways this could go depending on where the project is headed, but a good ui is what makes people interested in a project nowadays (it's what got me into this one for example, it's the best one I have seen in a while, especially the markdown)

So while using the "lazy" minimalistic option with promps to make it "work" could be an option, ultimately having a well designed back end depends on whether you feel satisfied with the current state of the project / if you want to push it further and give it more appeal

The main concern I had with this project

As someone with my own server, there are quite a few people that like to make bots to spam my databases on a daily basis, and not having the option to limit "who" can access the wastebin is a bit of a dealbreaker due to its implications. For example, I once had a guy make a bot to fill up a forum with gigabytes of junk in the matter of minutes due to a lack of this feature (he was using proxies, so the ip rate limits didn't do anything to stop it either). So due to the risk of it being possible for someone to fill the host with junk in minutes it's turning me away from the possibility of self hosting

Where I see this project could go

Personally I feel like out of all pastebins, this one is by far the best looks-wise and a few more features could turn it into an insanely attractive option for lots of people, here are some suggestions for use cases it could fill:

• Authentication & administration: As previously mentioned, adding an admin panel that would allow for the creation of users allowed to use the service / to turn off features (like the "never" as expiration date) or to even manually wipe the database with a button from an admin account without having to do it via a terminal on the actual server
• Drag & Drop: Dragging and dropping an entire file and having it be "read" by the website and then converted to a paste could be useful in case large portions of code want to be shared without having to go into it and do ctrl c
• "CDN": Modern chat applications like discord limit your ability to upload files over a certain size limit (8MB for free 50MB for nitro), a solution to drag and drop a file into a website, get an embeddable link to then post on the chat application would be insanely useful, especially paired with "self destruct" features / lifetime features (I am aware there is an api, but since it's not authenticated it means making a bot to fill the db with junk is even easier)
• API: Together with authentication, it would make it possible to automatically create and delete pastes through an api

But then again, you already succeeded in making an absolutely astonishing feature rich pastebin, the question from now on is "what's next"? Would you rather be interested in making different unrelated projects or making one great one even greater?

[matze]

Regarding authentication: so, the first option would certainly be easily and quickly doable, not sure it's that useful though. The second is still not as easy as you make it sound like because the "password map" would still have to be managed in some way. Perhaps, avoiding authentication on the service itself and rely on something like OAuth/OIDC would be even better?

Don't get me wrong, I understand your use case and would like to prevent abuse just like you but I still want to make it right from the bat. So, give me some time to think about these options.

Regarding the vision:

• Drag & Drop: good idea, I will make a separate issue to track that.
• "CDN"/file store: that sounds like it exceeds the scope a bit. I was always thinking about pastebins in terms of text "storage" with additional features like syntax highlighting etc. But I am not entirely opposed to the idea.
• Authentication for API access, sure thing but as I said earlier, it requires some more fleshing out. Just as a bit of background: the "open" way it is now is because we use it in an internal network where audit trails are done on a separate level and abusing the service would cause severe consequences for the person. But I see, people would like to use it on the internet as is.

[berezovskyi]

Two ¢ from my side: I don't trust low-maintenance projects with authentication due to understandable risks. My need is for the system not to interfere with the Basic auth I set up on the reverse proxy in front.

[MichaelSasser]

Honestly, I would prefer OIDC over some custom login solution with an admin interface. The admin can enable/disable registration and allow/disallow access to wastebin using the OIDC provider. In addition, the user gets all the security and fancy authentication flows the OIDC provider has to offer without relying on someone to implement and maintain them for wastebin.

I would appreciate it if an authorized user could decide if the bin is only visible to other authorized users, or if it is visible to everyone. I would put this between the timer and the "Paste" button. An environment variable could set the default for that feature.

A dropdown menu could be used that shows the username when it is collapsed and lets users log in or out. Alternatively, if an authentication is required to read or manipulate a bin, it could send the unauthorized user directly to the OIDC provider for authentication. Though, I would at least add a log-out button and something that shows the prepared username somewhere on the top. Maybe even a mixture of both.
A dropdown menu would allow future extensions like adding a link for a user to show all their bins or so.

[matze]

Indeed, OIDC and a simple admin dashboard for the bare minimum of administrative tasks sounds compelling. However, even that requires some effort (both coding and testing) that I cannot promise to deliver in the near future. Whoever is willing to step up to do it, is heartily welcome to sketch a PoC. If not, I will try to tackle this eventually.

[NiFNi]

I mean the easy solution for the mentioned problem would be to introduce a setting which creates a password field when creating pastes which has to contain a secret. The secret can be shared with everyone whom you trust though most people will probably just use it without sharing access with other people anyway. I see no need for user accounts etc. in a pastebin when just trying to tackle spam.
Just my two cents.

[matze]

I mean the easy solution for the mentioned problem would be to introduce a setting which creates a password field when creating pastes which has to contain a secret

Hmm, interesting idea that would augment 868a064. Not sure, it will make it the next release though.