# Hastebin

Hastebin is an open-source pastebin software written in node.js, which is easily installable in any network. It can be backed by either redis or filesystem, and has a very easy adapter interface for other stores. A publicly available version can be found at [haste.nixc.us](http://haste.nixc.us)

## Quick Start

```bash
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server

# Install dependencies
npm install

# Start with file storage (no Redis needed)
npm run start:dev

# Access in your browser
# http://localhost:7777
```

## Features

- **Simple**: Easy to set up and use
- **Secure**: Includes CSP and other security headers
- **Flexible**: Supports multiple storage backends (Redis, File, Postgres, etc.)
- **Customizable**: Configurable via environment variables or config file
- **Modern**: Self-destructing pastes with syntax highlighting

## Installation

### Quick Install

```bash
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server

# Install dependencies
npm install

# Start with file storage (no Redis needed)
npm run start:file
# OR run directly with environment variables
# NODE_ENV=development HASTEBIN_STORAGE_TYPE=file node server.js
```

### Running Options

```bash
# Start with default settings (requires Redis)
npm start

# Start in development mode with file storage
npm run start:dev

# Same as start:dev (for backward compatibility)
npm run start:file
```

### Docker Installation

```bash
# Clone the repository
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server

# Start with Docker Compose (includes Redis)
docker compose up -d
```

The Docker container is configured to use Redis as the storage backend by default. The `docker-compose.yml` file sets up both a Hastebin container and a Redis container, linking them together.

If you need to customize the Docker setup, you can modify the environment variables in the `docker-compose.yml` file:

```yaml
environment:
  - NODE_ENV=production
  - STORAGE_TYPE=redis
  - STORAGE_HOST=redis
  - HASTEBIN_ENABLE_CSP=true
  - HASTEBIN_ENABLE_HSTS=true
```

The container exists at git.nixc.us/colin/haste:haste-production and may be made public eventually.

## Configuration

### Environment Variables

Hastebin can be configured using the following environment variables:

```bash
# Server configuration
HASTEBIN_PORT=7777                   # Port to listen on (default: 7777)
HASTEBIN_HOST=0.0.0.0                # Host to bind to (default: 0.0.0.0)

# Storage configuration
HASTEBIN_STORAGE_TYPE=file           # Storage type: file, redis, postgres, etc.
HASTEBIN_STORAGE_PATH=./data         # Path for file storage
DATABASE_URL=postgres://user:pass@host:5432/db  # For postgres storage

# Docker-specific storage settings
STORAGE_TYPE=redis                   # Storage type in Docker (default: redis)
STORAGE_HOST=redis                   # Redis host in Docker environment
STORAGE_PORT=6379                    # Redis port
STORAGE_PASSWORD=                    # Redis password if needed
STORAGE_DB=0                         # Redis database number

# Security settings
HASTEBIN_ENABLE_CSP=true             # Enable Content Security Policy
HASTEBIN_ENABLE_HSTS=true            # Enable HTTP Strict Transport Security
HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION=true  # Enable Cross-Origin Isolation
HASTEBIN_BYPASS_CSP_IN_DEV=true      # Bypass CSP in development mode

# Other settings
NODE_ENV=development                 # Environment: development or production
```

You can also configure Hastebin by editing the `config.js` file.

## Security Settings

The `security` section in the configuration allows you to control various security features, particularly the Content Security Policy (CSP):

```json
{
  "security": {
    "csp": true,                  // Enable/disable CSP entirely
    "hsts": false,                // Enable HTTP Strict Transport Security
    "scriptSources": [],          // Additional allowed script sources
    "bypassCSPInDev": false,      // Use permissive CSP in development mode
    "allowUnsafeHashes": true,    // Allow 'unsafe-hashes' in production for event handlers
    "enableCrossOriginIsolation": false // Enable strict Cross-Origin isolation headers
  }
}
```

### Content Security Policy Options

* `csp` - Enable or disable Content Security Policy headers (default: true)
* `hsts` - Enable HTTP Strict Transport Security headers (default: false)
* `scriptSources` - Additional script sources to allow - comma-separated list in env vars
* `bypassCSPInDev` - In development mode (NODE_ENV=development), use a more permissive CSP that includes 'unsafe-inline' (default: false)
* `allowUnsafeHashes` - Allow 'unsafe-hashes' in production mode for DOM event handlers (default: true)
* `enableCrossOriginIsolation` - Enable strict Cross-Origin isolation headers (COEP, COOP, CORP) which enhance security but may break certain integrations (default: false)

### Environment Variables for Security Settings

You can set these options through environment variables:
* `HASTEBIN_ENABLE_CSP` - Enable/disable CSP (true/false) 
* `HASTEBIN_ENABLE_HSTS` - Enable/disable HSTS (true/false)
* `HASTEBIN_SCRIPT_SOURCES` - Additional script sources (comma-separated)
* `HASTEBIN_BYPASS_CSP_IN_DEV` - Allow unsafe-inline in development (true/false)
* `HASTEBIN_ALLOW_UNSAFE_HASHES` - Allow unsafe-hashes in production (true/false)
* `HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION` - Enable Cross-Origin isolation headers (true/false)

### CSP Implementation Details

The Content Security Policy implementation in Hastebin uses nonces to secure inline scripts while maintaining functionality:

1. **Nonces**: A unique cryptographic nonce is generated for each request and applied to all script tags
2. **Development Mode**: When running with `NODE_ENV=development`, you can bypass strict CSP checks using the `bypassCSPInDev` option
3. **Production Mode**: In production, the CSP is configured to use nonces for all scripts, with optional 'unsafe-hashes' for event handlers
4. **Templates**: The template system automatically injects nonces into script tags, so you don't need to manually add them to the HTML

### Additional Security Headers

Besides CSP, Hastebin implements several other security headers:

1. **X-Content-Type-Options**: `nosniff`

## Troubleshooting

### Common Issues

#### Port Already in Use

If you see an error like `Error: listen EADDRINUSE: address already in use :::7777`:

```bash
# Find and kill processes using port 7777
lsof -i :7777 -t | xargs kill -9 || true

# Or use a different port
HASTEBIN_PORT=8000 npm run start:file
```

#### Redis Connection Issues

If you're using Redis and see connection errors:

```bash
# Check if Redis is running
redis-cli ping

# Start Redis if needed
redis-server

# Or use file storage instead
npm run start:file
```

#### Permission Issues with File Storage

If you see permission errors when using file storage:

```bash
# Create data directory with proper permissions
mkdir -p data
chmod 777 data
HASTEBIN_STORAGE_PATH=./data npm run start:file
```

#### Test Server Issues

If tests are failing:

```bash
# Make sure no server is running
lsof -i :7777 -t | xargs kill -9 || true

# Run tests with clean environment
npm run test:all
```

## Testing

### Quick Test Commands

```bash
# Start a local test server with file storage
npm run start:dev

# Run all tests
npm test

# Run core functionality tests
npm run test:core

# Run security tests
npm run test:security
```

### Test Structure

Hastebin includes a comprehensive test suite covering both core functionality and security features. The tests are organized in the following structure:

```
test/
├── core/                           # Core functionality tests
│   └── core_functionality_spec.js  # Tests for basic operations
├── security/                       # Security-related tests
│   ├── security_spec.js           # Main security test suite
│   └── security_shell_spec.sh     # Shell-based security tests
├── key_generators/                 # Key generator tests
├── utils/                         # Test utilities
│   └── test-local.js             # Local test server setup
└── document_handler_spec.js       # Document handler tests
```

### Running Test Suites

```bash
# Run all tests (unit + security)
npm run test:all

# Run specific test suites
npm run test:core          # Run core functionality tests
npm run test:security      # Run all security tests

# Run specific security tests
npm run test:security:csp      # Test CSP configuration
npm run test:security:cors     # Test CORS settings
npm run test:security:combined # Test combined security features
```

## Storage

## API Usage

### Creating a Document

```bash
# Using curl
curl -X POST -d "Hello, world!" http://localhost:7777/documents

# Response: {"key":"uniquekey"}
```

### Retrieving a Document

```bash
# Using curl
curl http://localhost:7777/raw/uniquekey

# Response: Hello, world!
```

### Document Formats

- `http://localhost:7777/uniquekey` - HTML view with syntax highlighting
- `http://localhost:7777/raw/uniquekey` - Raw document content
- `http://localhost:7777/documents/uniquekey` - JSON response with document content

### Client Libraries

- [haste-client](https://git.nixc.us/Nixius/haste-client) - Command line client for Hastebin
- Example usage: `cat file.txt | haste`

## License Update