Skip to content
/ fluesterfix Public

A simple tool for sharing secrets which will self-destruct on retrieval

License

MIT license
7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

seibert-media/fluesterfix

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits

fluesterfix

fluesterfix

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

requirements.txt

requirements.txt

 
 

setup.py

setup.py

 
 

Repository files navigation

fluesterfix

A simple tool for sharing secrets which will self-destruct on retrieval.

Installation

You need:

  • Python 3
  • Flask
  • PyNaCl
  • shred, usually from GNU coreutils

You don’t need a database. However, this program expects to operate on a file system that guarantees POSIX semantics.

Running

For development and testing, just run the script:

$ ./fluesterfix/__init__.py

For anything else, set up a WSGI environment. A Python package can be installed using pip install -e ..

Use the following environment variables:

  • $FLUESTERFIX_DATA: The directory where data will be stored. Must exist prior to running the program. Should be created by sysadmin with correct permissions. Defaults to /tmp for quick tests.
  • $FLUESTERFIX_CSS: URL to custom CSS to use, defaults to style.css.
  • $FLUESTERFIX_LOGO: URL to custom logo to use, defaults to logo.png.
  • $FLUESTERFIX_LOGO_DARK: URL to custom logo in dark mode to use, defaults to logo-darkmode.png.
  • $FLUESTERFIX_LABEL: Custom alternative name for logo, defaults to //SEIBERT/MEDIA.
  • $FLUESTERFIX_MAX_FILE_SIZE: Maximum allowed size (in bytes) for file uploads. The actual filtering must be done in your reverse proxy; this variable only displays that limit. Unset by default.

The program does not automatically remove secrets which have never been retrieved. You might want to install a cron job on your system to remove old directories in $FLUESTERFIX_DATA based on their mtime.

API

Post a JSON object to /new to create a new secret programmatically, this object must contain a string typed member called data holding your secret:

$ curl -X POST https://my.ff/new -H 'Content-Type: application/json' \
    --data '{ "data": "this is my secret" }'
{"secret_link":"https://my.ff/get/foo/bar","status":"ok"}

As you can see, you’ll get a JSON response containing the secret link.

On errors, status will be the string error and there will be an additional field called msg that indicates what went wrong:

$ curl -X POST https://my.ff/new -H 'Content-Type: application/json' \
    --data '{ "data": "" }'
{"msg":"empty secret","status":"error"}

To upload “files”, use data_base64 and provide the filename field:

$ curl -X POST https://my.ff/new -H 'Content-Type: application/json' \
    --data '{"data_base64": "'"$(base64 <some_file | tr -d '\n')"'", "filename": "whatever.bin"}'

(The only difference between “files” and normal secrets is that “files” are being presented as a download to the client’s browser.)

About

A simple tool for sharing secrets which will self-destruct on retrieval

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

7 stars

Watchers

8 watching

Forks

1 fork
Report repository

Releases

5 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages