# spasteg

A secure, self-hostable "burn after reading" paste service with ephemeral storage, written in [Gleam](https://gleam.run).

## Features

- Deletes pastes after they are viewed
- Data is stored only in memory
- No user accounts needed
- Easy to run yourself
- Fast and reliable
- Written in Gleam (type-safe)

## Flowchart

```mermaid
graph TD
    A[User creates paste] --> B[Paste is stored in memory]
    B --> C[Paste is deleted after first view]
    C --> D[User shares paste URL]
    D --> E[User views paste]
    E --> F[Paste is deleted]
```

## Configuration

### SECRET_KEY_BASE (Required for Production)

The application uses a secret key base for signing cookies and security tokens. You **must** set this for production deployments to ensure security and session persistence across restarts.

```bash
# Generate a secure key (48 bytes of random data)
export SECRET_KEY_BASE=$(openssl rand -base64 48)

# Or set it manually
export SECRET_KEY_BASE="your-secret-key-here"
```

**⚠️ Warning**: If not set, a temporary key will be generated on each startup. This:

- Invalidates all existing user sessions/cookies after restart
- Reduces security (new key generated each time)
- Generates a warning in the logs

For development, you can use:

```bash
SECRET_KEY_BASE=dev gleam run
```

## Quick Start

```bash
# Clone and build
git clone https://git.kharec.info/Kharec/spasteg.git
cd spasteg
gleam run
```

The server starts on `http://localhost:3000`.

## Usage

1. Visit `http://localhost:3000`
2. Enter your text in the form
3. Click "Create Paste"
4. Share the generated URL
5. The paste auto-destructs after first access

Note: the creator can still view their own paste after creating it (except in private browsing, where it would be burned immediately).
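The following is an added example, not code from spasteg or the Wisp framework, showing why the `SECRET_KEY_BASE` warning above matters: a cookie or token signed under one key base only verifies while that same key base is in use, so a temporary key regenerated at every startup invalidates every session on restart. The HMAC-SHA256 cookie format and the helper names (`load_secret_key_base`, `sign_cookie`, `verify_cookie`, `simulate_restart`) are assumptions made for illustration.

```python
"""Added example (not spasteg's own code): stable SECRET_KEY_BASE vs. a
temporary key. Cookie format and helper names are assumptions."""
import base64
import hashlib
import hmac
import os
import secrets


def load_secret_key_base(env=None):
    """Use SECRET_KEY_BASE if set; otherwise generate a temporary 48-byte key.
    Returns (key_base, used_temporary_key) so the caller can log a warning."""
    env = os.environ if env is None else env
    key = env.get("SECRET_KEY_BASE")
    if key:
        return key, False
    # Temporary key: only valid for the lifetime of this process.
    return base64.b64encode(secrets.token_bytes(48)).decode("ascii"), True


def sign_cookie(key_base, value):
    """Return 'value.signature', signature = urlsafe-b64(HMAC-SHA256(key, value))."""
    mac = hmac.new(key_base.encode("utf-8"), value.encode("utf-8"), hashlib.sha256)
    sig = base64.urlsafe_b64encode(mac.digest()).rstrip(b"=").decode("ascii")
    return f"{value}.{sig}"


def verify_cookie(key_base, cookie):
    """Return the cookie's value if its signature verifies under key_base,
    else None. Comparison is constant-time so timing leaks nothing."""
    value, sep, _sig = cookie.rpartition(".")
    if not sep or not value:
        return None
    expected = sign_cookie(key_base, value)
    if hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return value
    return None


def simulate_restart(env):
    """Sign a session cookie, 'restart' by loading the key base again, and
    report whether the old cookie still verifies.
    Returns (still_valid, first_start_used_temporary_key)."""
    key1, temp1 = load_secret_key_base(env)
    cookie = sign_cookie(key1, "session=abc123")
    key2, _ = load_secret_key_base(env)  # second startup
    return verify_cookie(key2, cookie) is not None, temp1


if __name__ == "__main__":
    # Constructed environments: one with the variable set, one without.
    print("fixed key:", simulate_restart({"SECRET_KEY_BASE": "dev"}))  # (True, False)
    print("temporary key:", simulate_restart({}))                      # (False, True)
```

With `SECRET_KEY_BASE` set, the cookie survives the simulated restart; without it, each startup draws a fresh key and every previously issued cookie fails verification, which is exactly the session loss the warning describes.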
## Architecture

- **Gleam**: Type-safe language built upon the BEAM
- **Web**: Wisp framework + Mist HTTP server
- **Frontend**: Lustre for HTML rendering
- **Storage**: In-memory only (no persistence)
- **Security**: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers

## Security Notes

- Pastes are client-side encrypted (AES-256-GCM) before being sent to the server
- The server never sees the decryption key (stored in the URL fragment after `#`)
- Data is stored **encrypted** in server memory only
- Data is **never written to disk**
- All data is lost on server restart
- CSRF protection via the double-submit cookie pattern
- Rate limiting: 10 requests per minute per IP
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- 10MB maximum paste size limit
- Intended for ephemeral sharing only — do not store sensitive data

## License

This project is licensed under the GNU General Public License v3.0 or later (GPLv3+). See the [LICENSE](LICENSE) file for details.
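As an added example (not spasteg's Gleam code, which is not reproduced here), the server-side rules from the Security Notes modelled in Python so they can be exercised offline: an in-memory store that deletes a paste atomically on first read, the 10 MB size limit, a sliding-window rate limiter at 10 requests per minute per IP, a double-submit CSRF check, and a helper showing that the URL fragment carrying the decryption key never reaches the server. The AES-256-GCM step happens in the browser and is not reimplemented; `ciphertext` below stands for whatever the client produced. Class and function names (`PasteStore`, `RateLimiter`, `csrf_ok`, `handle_create`, `server_view_of`) are assumptions.

```python
"""Added example (not spasteg's own code): server-side rules from the
Security Notes, with limits taken from the README. Names are assumptions."""
import hmac
import secrets
import threading
from collections import defaultdict, deque

RATE_LIMIT = 10                      # requests per window per IP (README)
WINDOW_SECONDS = 60
MAX_PASTE_BYTES = 10 * 1024 * 1024   # 10MB maximum paste size (README)


class RateLimiter:
    """Sliding-window request counter keyed by client IP."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        """Record a hit at time `now` and return False once the window is full."""
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()              # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasteStore:
    """In-memory, burn-after-reading store. Values are the ciphertext the
    browser produced; the key is in the URL fragment and never stored here."""

    def __init__(self):
        self._pastes = {}
        self._lock = threading.Lock()

    def create(self, ciphertext):
        if len(ciphertext) > MAX_PASTE_BYTES:
            raise ValueError("paste exceeds 10MB limit")
        paste_id = secrets.token_urlsafe(16)   # unguessable identifier
        with self._lock:
            self._pastes[paste_id] = ciphertext
        return paste_id

    def take(self, paste_id):
        """Return the ciphertext and delete it in one step under the lock, so two
        concurrent readers cannot both receive it; None once it is burned."""
        with self._lock:
            return self._pastes.pop(paste_id, None)


def csrf_ok(cookie_token, form_token):
    """Double-submit cookie check: the token in the CSRF cookie must equal the
    token echoed in the form body. Missing tokens fail; compare is constant-time."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode("utf-8"), form_token.encode("utf-8"))


def handle_create(store, limiter, ip, now, cookie_token, form_token, ciphertext):
    """Checks a create request passes through, in order. Returns (status, paste_id)."""
    if not limiter.allow(ip, now):
        return 429, None
    if not csrf_ok(cookie_token, form_token):
        return 403, None
    try:
        return 201, store.create(ciphertext)
    except ValueError:
        return 413, None


def server_view_of(share_url):
    """The request target the server actually receives: a browser strips the
    fragment (everything after '#', where the decryption key lives) before sending."""
    return share_url.split("#", 1)[0]


if __name__ == "__main__":
    store, limiter = PasteStore(), RateLimiter()
    token = secrets.token_urlsafe(16)
    status, pid = handle_create(store, limiter, "203.0.113.5", 0.0, token, token, b"<ciphertext>")
    print(status, pid)                      # 201 <id>
    print(store.take(pid), store.take(pid)) # b'<ciphertext>' None  (second read is burned)
    print(server_view_of(f"http://localhost:3000/{pid}#base64-key"))
```

The two details worth copying are the atomic `pop` under a lock, which is what makes "deleted after first view" hold under concurrent requests, and the constant-time token comparison in the CSRF check.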