matze / wastebin

wastebin is a pastebin 📝
https://bin.bloerg.net
MIT License
336 stars 27 forks source link

Feature request #8

Open KianBrose opened 2 years ago

KianBrose commented 2 years ago

Is it possible to have a login / password requirement to make it possible for "just the people you want to" to submit things to wastebin? I'm mildly concerned about people making a threaded request bot that would flood the db with junk really quickly

matze commented 2 years ago

I am a bit reluctant because that request needs answers for a bunch of other questions:

I think for simple use cases basic auth via a reverse proxy is probably the easiest solution.

KianBrose commented 2 years ago

Authentication

There are a few options, but the most obvious ones are

Can users be banned?

I'd like to say that user should not be "banned", but the one that owns the domain should have some way to administrate the users & who has access to upload data

Do we need an admin view out of a sudden?

Not necessarily, the "laziest" implementation would be to have a config file in the back end with plain text passwords. Then in terms of UI, whenever a user would try to click on the "Paste" button it would show a standard html prompt requesting for one of the passwords inside the back end config file

What does the UI/UX look like?

There's honestly lots of ways this could go depending on where the project is headed, but a good ui is what makes people interested in a project nowadays (it's what got me into this one for example, it's the best one I have seen in a while, especially the markdown)

So while using the "lazy" minimalistic option with promps to make it "work" could be an option, ultimately having a well designed back end depends on whether you feel satisfied with the current state of the project / if you want to push it further and give it more appeal

The main concern I had with this project

As someone with my own server, there are quite a few people that like to make bots to spam my databases on a daily basis, and not having the option to limit "who" can access the wastebin is a bit of a dealbreaker due to its implications. For example, I once had a guy make a bot to fill up a forum with gigabytes of junk in the matter of minutes due to a lack of this feature (he was using proxies, so the ip rate limits didn't do anything to stop it either). So due to the risk of it being possible for someone to fill the host with junk in minutes it's turning me away from the possibility of self hosting

Where I see this project could go

Personally I feel like out of all pastebins, this one is by far the best looks-wise and a few more features could turn it into an insanely attractive option for lots of people, here are some suggestions for use cases it could fill:

But then again, you already succeeded in making an absolutely astonishing feature rich pastebin, the question from now on is "what's next"? Would you rather be interested in making different unrelated projects or making one great one even greater?

matze commented 2 years ago

Regarding authentication: so, the first option would certainly be easily and quickly doable, not sure it's that useful though. The second is still not as easy as you make it sound like because the "password map" would still have to be managed in some way. Perhaps, avoiding authentication on the service itself and rely on something like OAuth/OIDC would be even better?

Don't get me wrong, I understand your use case and would like to prevent abuse just like you but I still want to make it right from the bat. So, give me some time to think about these options.

Regarding the vision:

berezovskyi commented 1 year ago

Two ¢ from my side: I don't trust low-maintenance projects with authentication due to understandable risks. My need is for the system not to interfere with the Basic auth I set up on the reverse proxy in front.

MichaelSasser commented 1 year ago

Honestly, I would prefer OIDC over some custom login solution with an admin interface. The admin can enable/disable registration and allow/disallow access to wastebin using the OIDC provider. In addition, the user gets all the security and fancy authentication flows the OIDC provider has to offer without relying on someone to implement and maintain them for wastebin.

I would appreciate it if an authorized user could decide if the bin is only visible to other authorized users, or if it is visible to everyone. I would put this between the timer and the "Paste" button. An environment variable could set the default for that feature.

A dropdown menu could be used that shows the username when it is collapsed and lets users log in or out. Alternatively, if an authentication is required to read or manipulate a bin, it could send the unauthorized user directly to the OIDC provider for authentication. Though, I would at least add a log-out button and something that shows the prepared username somewhere on the top. Maybe even a mixture of both. A dropdown menu would allow future extensions like adding a link for a user to show all their bins or so.

matze commented 1 year ago

Indeed, OIDC and a simple admin dashboard for the bare minimum of administrative tasks sounds compelling. However, even that requires some effort (both coding and testing) that I cannot promise to deliver in the near future. Whoever is willing to step up to do it, is heartily welcome to sketch a PoC. If not, I will try to tackle this eventually.

NiFNi commented 1 year ago

I mean the easy solution for the mentioned problem would be to introduce a setting which creates a password field when creating pastes which has to contain a secret. The secret can be shared with everyone whom you trust though most people will probably just use it without sharing access with other people anyway. I see no need for user accounts etc. in a pastebin when just trying to tackle spam. Just my two cents.

matze commented 1 year ago

I mean the easy solution for the mentioned problem would be to introduce a setting which creates a password field when creating pastes which has to contain a secret

Hmm, interesting idea that would augment 868a064b6e80ee54df1fef55f6e9c050da8a9532. Not sure, it will make it the next release though.