Secure Snippet has been created so that someone can share private information with someone else in a relatively secure manner. The snippet's content is encrypted using a key which is not stored on the server's database but rather is transmitted to the user through the snippet URL constructed. Once the snippet is read by the destinator (or by any potential MITM), the snippet is destroyed in the server's database.
This allows the destinator of the message to know if he's the only one to read the message and if not, to contact the source to notify him that something went wrong.
- User create a snippet by filling the form
- The API give the user a link he can send to the destination
- The destination browse that link and see the sensitive information
- That information is destroyed from the snippet's database
- Snippets are encrypted using a 32 bytes random string and stored in MongoDB;
- That secret key is never stored on the server but is sent once to the creator of the snippet;
- If the creator has ticked the unformatted content option, display will be wrapped around pre tags
- if the creator has ticked the "send confirmation" option:
- Creator also need to fill email and reference
- When the destinator reads the snippet, he will receive an email along with the reference
- Both email and reference will also be encrypted in the server's database, so privacy is ensured
- If the admin calls the clean API function, snippets older than a certain amount of days are removed;
- Method: POST
- Call: /api/snippet
- Arguments:
- content: snippet content
- isRaw: unformatted content (1 or 0)
- isConfirm: we want a confirmation (1 or 0)
- isFile: file upload (1 or 0)
- reference: reference of the source regarding the snippet
- email: Email on where to send confirmation
- Content-type: application/json
- Returns:
- id: the ID of the snippet
- key: encryption key used for this snippet
- msg: success or failure message
- rc: return code (0 == success)
- Method: GET
- Call: /api/snippet/id/key
- Content-type: application/json
- Returns:
- content
- created: unix timestamp
- id: id of the snippet
- isRaw
- Method: GET
- Call: /api/clean/secret
- Content-type: application/json
- Returns:
- rc
- count
$ git clone ...
$ cd snippet
$ virtualenv .
$ source bin/activate
$ pip install -r requirements.txt
Install test dependencies and execute the suite from the activated virtual environment:
$ pip install pytest
$ python -m pytest
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin thomas@espix.net
ServerName snippet.espix.net
ErrorLog ${APACHE_LOG_DIR}/snippet-ssl-error.log
CustomLog ${APACHE_LOG_DIR}/snippet-ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/snippet.espix.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/snippet.espix.net/privkey.pem
WSGIDaemonProcess snippet user=snippet group=snippet threads=5 python-path=/srv/snippet/app/lib/python3.5/site-packages
WSGIScriptAlias /api /srv/snippet/app/snippet.wsgi/api
WSGIScriptReloading on
<Directory /srv/snippet/app>
WSGIProcessGroup snippet
#WSGIPassAuthorization On
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
DocumentRoot /srv/snippet/app/static
<Directory />
Options None
AllowOverride None
</Directory>
<Directory /srv/snippet/app/static/>
Options None
AllowOverride All
Require all granted
</Directory>
# avoid clickjacking
Header always append X-Frame-Options DENY
</VirtualHost>
</IfModule>