robherley/snips.sh

Clarify about private and encryption

Mellbourn opened this issue · 1 comment

It seems like a great tool, but I don't think the documentation around security is unambiguous.
It could clarify the following:

  1. Is the code encrypted in the database?
  2. What does --private do?
  3. Is it possible to password-protect the snippets?
  4. Can anyone download any snippet that they have the filename for?

👋 Thanks for using snips! I agree, maybe a high level overview (or even an FAQ) might help.

To answer your questions:

Is the code encrypted in the database?

No, the content in the database is not encrypted.

What does --private do?

It prevents your snippet from being publicly accessible. You will need to use the TUI or the sign -ttl parameters to do so. That will issue an HMAC-signed URL that only lives for the specified amount of time (the TTL).

For instance, this is a private snippet:
https://snips.sh/f/c7fEXkXXtO

Here is a signed URL (ttl of 72 hours from when I post this):
https://snips.sh/f/c7fEXkXXtO?exp=1685289305&sig=-OmATLr-R8ZPwvJGV5K89GJ16gbNSXrCuCU2nacVpPs%3D

The URL path + parameters use an HMAC signature. If any part of it is changed, the server will automatically 404.

Is it possible to password-protect the snippets?

No, it is not. The private/ttl combination is used.

Can anyone download any snippet that they have the filename for?

If the snippet is public, yes, anyone can use the ttl. But as you see above, if the snippet is private, it will 404.
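The signed-URL scheme described in the reply, written out as an added example in Go that is not snips.sh's own code: the HMAC covers the path plus the exp parameter, so the server verifies a private link with a constant-time compare and rejects it once the TTL has passed or any part of the URL has been changed. The signing key, the exact canonical string, and the choice of HMAC-SHA256 with URL-safe base64 are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// sign computes HMAC-SHA256 over the path plus its expiry, so changing either breaks the signature.
func sign(key []byte, path string, exp int64) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(path + "?exp=" + strconv.FormatInt(exp, 10)))
	return mac.Sum(nil)
}

// SignURL issues a signed URL for a private snippet path that is valid for ttl.
func SignURL(key []byte, path string, now time.Time, ttl time.Duration) string {
	exp := now.Add(ttl).Unix()
	q := url.Values{}
	q.Set("exp", strconv.FormatInt(exp, 10))
	q.Set("sig", base64.URLEncoding.EncodeToString(sign(key, path, exp))) // "=" padding is emitted as %3D
	return path + "?" + q.Encode()
}

// VerifyURL accepts a URL only if exp is still in the future and sig matches path+exp;
// a tampered path, exp or sig fails, which is where the server would answer 404.
func VerifyURL(key []byte, rawURL string, now time.Time) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	exp, err := strconv.ParseInt(u.Query().Get("exp"), 10, 64)
	if err != nil || now.Unix() >= exp {
		return false // missing, malformed or already expired
	}
	got, err := base64.URLEncoding.DecodeString(u.Query().Get("sig"))
	if err != nil {
		return false
	}
	return hmac.Equal(got, sign(key, u.Path, exp)) // constant-time compare
}

func main() {
	key := []byte("constructed-demo-secret") // constructed for this example only
	fmt.Println(SignURL(key, "/f/c7fEXkXXtO", time.Now(), 72*time.Hour))
}
```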