2017 / 10 / 27 - article
Paste - Quick'n'easy online pastebin tool - School-time projects
Between my first and last project, I took the time to try and make a small pastebin tool.
As always, and once more, my main concern was about lightness. Small’n’easy !
I also had the goal to “securely” store the text that was sent.
After some bumps and fails, I finally managed to make it work !
Why do you talk about this project after the µRL project, that came later ?
Tbh, I only finished this pastebin project recently, due to some mistakes I made during the development.
A nice start
My first steps were, like with every project, easy:
- A quick composer init ;
- Adding Siler as a dependency (Lightness~) ;
- Making the default config ;
- Adding the default route:
I wanted a trusted and secure PHP cryptography library, and, obviously, my first thoughts came to the Paragonie Initiative’s library, LibSodium.
Since it’ll be natively integrated in PHP7.2 (Yay~), it could be a good choice. The only constraint I found was manually compiling and installing the extension.
On my linux servers, I don’t say. Windows ? Such a pain to use for compilation.
So, after that, I tried and searched a bit more for a composer-dependency-managed, secured library.
I searched and searched, always looking for an up-to-date solution, until I found this one. Clean code, nice reviews, seems to be quite rock solid and a very approached look on security.
Let’s try that !
Making the flow~
After choosing the first requirements (of course, for database, I’d go with PostgreSQL, as it’s list-ordered entries), I started working on the core workflow: Routes and base logic thinking.
Once the first base
/ route was setup and running (not something very hard…), I started thinking in-depth on how I wanted the upload/storing and download flow to work.
The two flows (send/retrieve) are described below.
Send flow (aka. Upload)
The send flow has a few “security” steps, to allow retrieval key checking.
- Generating the random UID and Key using a cryptographically-secure random key generation ;
- Using the key to cypher the sent text ;
- Calculating the decyphered text’s hashsum (using the RipeMD160 hash algorithm) ;
- Hashing this hashsum using the native
password_hashfunction, only passing
PASSWORD_BCRYPTas a restriction (when PHP7.2 will be released, and Argon2I with it, I’ll change this line) ;
- Inserting the generated uid, the hashed text hashsum and the cyphered content in database ;
- And that’s all.
Retrieve flow (aka. Download)
The retrieve flow have a bit less work: only removing the generation part.
- Extracting the first (and technically, only) entry ;
- If no result, well… Fuck off ! Else, … ;
- Decyphering the text with the key ;
- Generating a hashsum of the decyphered text using the same RipeMD160 algorithm ;
- Verifying the two hashes (the checksum and the new one) using the
- And that’s all.
As shown, the workflow is pretty straightforward and identical. No hidden magic, no complicated craft with the data. Only using secure systems and libraries.
Note that the random key generation library was taken and not modified from here and I couldn’t use RandomLib.
Now the only thing left is to make some tools to interact with the server !
As I could discover (and as you could discover by looking at the sourcecode here), it’s quite easy to make a basic text storing service, even when security’s one of the most important concerns !
Something I wanted to make was an upload client tool, like the µClient one, but a bit more able.