travis build not working due to changes in Makefile

link back to this repo from the UI

Hi,

After make run VIRTUAL_HOST=<MY_DOMAIN>
I receive a 500 error when accessing my URL.
It seems the letsencrypt is not properly doing his job. Although i dont see any errors when running:
make logs

One thing I notice is the following from nginx/conf.d/default.conf:

...
server {
server_name <MY_DOMAIN>;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
return 500;
....

Can I conclude by the return 500 rule that SSL disabled intentionally?

Alternatively is it possible to use existing certificates?

Hi everyone, not sure what I have to do to fix this TLS error when trying to run docker-compose up --build -d on my docker server. My docker-compose.yml file is following the steps to configure Auto TLS with HTTP > HTTPS redirection.
This is what the docker-compose logs -f shows me:

supersecret | echo: http: TLS handshake error from IP:Port: acme/autocert: missing certificate
supersecret | echo: http: TLS handshake error from IP:Port: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Filenames needs to be URL encoded.

Mr @asurak since no one is maintaining this at Algolia, I will be honored if you can move the ownership of this to me 🙇
Merci Beaucoup

Hey, I will just add this here if anyone else has this problem, since I have docker-compose and docker compose, it was confusing, but I had to specify the Vault version in the docker compose file

version: '3.2'

services:
  vault:
    image: vault:1.13.3
    container_name: vault
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: supersecret
    cap_add:
      - IPC_LOCK
    expose:
      - 8200

  supersecret:
    build: ./
    image: algolia/supersecretmessage:latest
    container_name: supersecret
    environment:
      VAULT_ADDR: http://vault:8200
      VAULT_TOKEN: supersecret
      SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: ":8082"
    ports:
      - "8082:8082"
    depends_on:
      - vault
      

We have been using SSM for quite a while now, very happy with it, worked flawlessly.
Deployed a new instance, updated docker, pulled the latest version from git, update docker-compose,
and for the life of me, I can't get it to work anymore, with TLS and HTTP redirect...

here is the error I get :

batman@batcave:~/tools  $ docker logs supersecret

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v3.3.10-dev
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v3.3.10-dev
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\
{"time":"2021-06-23T15:15:31.781414677Z","level":"FATAL","prefix":"echo","file":"main.go","line":"48","message":"listen tcp: address 443: missing port in address"}
2021/06/23 15:15:31 [INFO] HTTP Binding Address: 80
2021/06/23 15:15:31 [INFO] HTTPS Binding Address: 443
2021/06/23 15:15:31 [INFO] HTTPS Redirect enabled: true
2021/06/23 15:15:31 [INFO] TLS Auto Domain: secret.mydomain.io
2021/06/23 15:15:31 [INFO] TLS Cert Filepath: 
2021/06/23 15:15:31 [INFO] TLS Cert Key Filepath: 

and here is the docker-compose file:

version: '3.2'

services:
  vault:
    image: vault:latest
    container_name: vault
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: supersecret
    cap_add:
      - IPC_LOCK
    expose:
      - 8200

  supersecret:
    build: ./
    image: algolia/supersecretmessage:latest
    container_name: supersecret
    environment:
      VAULT_ADDR: http://vault:8200
      VAULT_TOKEN: supersecret
      SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: 80
      SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS: 443
      SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED: "true"
      SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN: "secret.mydomain.io"
    ports:
      - "8082:8082"
    depends_on:
      - vault

SuperSecret container is not running

any idea ?

thanks in advance :)

Thanks

Hi, I set supersecretmessage up in production mode, and it appears that secrets input into the app disappear if the docker container is restarted. Is there a simple way to get the data to persist?

Thanks,

--Chris

Hi!

Do you now how can I insert my custom certificates for the nginx image ? And also - stop using generation of letsencrypt certs generation ?

Regards!

Hi Team,

First, thanks for your work. I was search a very simple secret sharing tool that we con host ourself, I found yours and it is just what i needed.

However, your code isn't working on IE.

I made few ajustement to get it work with IE, that I'd like to share with you:

In index.html, line 70:

success(data) {
...

triggers an error ("Expected ':'").

Could be replaced by:

success: function(data) {
...

In index.html, line 94:

`${window.location.origin}/getmsg?token=${encodeURIComponent(token)}&filetoken=${encodeURIComponent(filetoken)}&filename=${encodeURIComponent(filename)}`

"`" character is not supported by IE.

Could be replaced by:

`window.location.origin+"/getmsg?token="+encodeURIComponent(token)+"&filetoken="+encodeURIComponent(filetoken)+"&filename="+encodeURIComponent(filename)
`

In index.html, line 94:

`$("#url").text(`${window.location.origin}/getmsg?token=${encodeURIComponent(token)}`);`

Same error as above.

Could be replace by:

`$("#url").text( window.location.origin +"/getmsg?token="+encodeURIComponent(token) );`

In getmsg.html.bak, line 76:

` let params = (new URL(window.location)).searchParams;`

URL function is not suported by IE.

This could be replaced by the following function:

function decodeUriComponentWithSpace (component) {
    return decodeURIComponent(component.replace(/\+/g, '%20'))
  }

  // type : 'hash', 'search' or 'both'
  function getLocationParameters (location, type) {
    if (type !== 'hash' && type !== 'search' && type !== 'both') {
      throw 'getLocationParameters expect argument 2 "type" to be "hash", "search" or "both"'
    }

    let searchString = typeof location.search === 'undefined' ? '' : location.search.substr(1)
    let hashString = typeof location.hash === 'undefined' ? '' : location.hash.substr(1)
    let queries = []
    if (type === 'search' || type === 'both') {
      queries = queries.concat(searchString.split('&'))
    }
    if (type === 'hash' || type === 'both') {
      queries = queries.concat(hashString.split('&'))
    }

    let params = {}
    let pair

    for (let i = 0; i < queries.length; i++) {
      if (queries[i] !== '') {
        pair = queries[i].split('=')
        params[this.decodeUriComponentWithSpace(pair[0])] = this.decodeUriComponentWithSpace(pair[1])
      }
    }
    return params
}

And so line 76 has to become:

`let params = getLocationParameters(window.location,"search");`

And all params.get(fieldname), needs to be replaced by: params.fieldname .

Line78:
console.log(window.location.origin + "/secret?token=" + params.token + "&filetoken=" + params.filetoken + "&filename=" + params.filename );

Line 81:
url: window.location.origin + "/secret?token=" + params.token,

Line 85:
showMsg(data.msg, params.filetoken, params.filename)

In getmsg.html, line 97:

$('#textarea1').text(msg)

Doesn't trigger an error. but, by using this property, when the user that receive the message focuses on the field (for text selection), the filed is erased.

Could be replaced by:
$('#textarea1').val(msg)

I joined the two modified files.
index_getmsg_modified.zip

I did all these changes, and it seems to work as it should on IE 11.
Also tested on Chrome and seems to work.

Hope this could help users of this project.

By the way:
README.md could be a little bit more detailled.
Installation have been a bit tricky. I had to search a bit for errors solving when running make commands:

• GO installation by itself is not enough, you need also to download "dep" tool.
• Supersecret directory need to be placed in $GOPATH/src in order to work

I need to make a fresh installation and a how to in order to deploy this tool in a pre-prod and production envirronement. I can send you when done if you want.

Best Regards,
Yann

I followed the installation guide and I keep getting errors. I want to contribute to front-end part...

Running command go get just get stuck for some time and then there's nothing to install, and running go run *.go allows me to run it locally, but then HashiCorp Vault does not seem to work. It throws an error in network POST request when I try to submit message and since I don't know go-lang it's either problem with it, with a docker or with this project itself.

I wish if I could provide more detailed errors, but I uninstalled everything and tried multiple times and then ended up getting rid of everything as I was unable to make it work.

Steps I had to do before following the guide in README:

Install GO via homebrew

brew install go

Add some GO related variables into my .zshrc and update the PATH

GOPATH=$HOME/.go
GOROOT=/usr/local/opt/go/libexec/bin
PATH=$GOROOT:$PATH

Add given VAULT variables

VAULT_ADDR=http://localhost:8200
VAULT_TOKEN=$(docker logs vault | grep Token | awk '{print $NF}')

Install Docker via homebrew-cask, then run the app

brew cask install docker

Run given command for HashiCorp Vault (assuming) for Docker

docker run -ti --cap-add=IPC_LOCK -ti -p 8200:8200 --name vault vault

And of course final steps

cd ~/Sites
git clone https://github.com/algolia/sup3rS3cretMes5age.git
cd sup3rS3cretMes5age
go get
go run *.go

And of course then as I described, I keep getting some errors. I can install go and docker again if you could help me to resolve this issue more easily?

Hi,

I'm trying to set the certificate to be used, but I end up with this error

2021/06/23 17:38:12 [INFO] HTTP Binding Address: :80
2021/06/23 17:38:12 [INFO] HTTPS Binding Address: :443
2021/06/23 17:38:12 [INFO] HTTPS Redirect enabled: true
2021/06/23 17:38:12 [INFO] TLS Auto Domain: 
2021/06/23 17:38:12 [INFO] TLS Cert Filepath: /home/me/tools/mydomain.io/STAR_mydomain_io.pem
2021/06/23 17:38:12 [INFO] TLS Cert Key Filepath: /home/me/tools/mydomain.io/STAR_mydomain_io.key

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v3.3.10-dev
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\
⇨ http server started on [::]:80
{"time":"2021-06-23T17:38:12.264996285Z","level":"FATAL","prefix":"echo","file":"main.go","line":"50","message":"open /home/me/tools/mydomain.io/STAR_mydomain_io.pem: no such file or directory"}

when I know for a fact that the file is in this folder.
I've set the owner of the files/folder to the same user I run the docker-compose command with...

My docker-compose file

version: '3.2'

services:
  vault:
    image: vault:latest
    container_name: vault
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: supersecret
    cap_add:
      - IPC_LOCK
    expose:
      - 8200

  supersecret:
    build: ./
    image: algolia/supersecretmessage:latest
    container_name: supersecret
    environment:
      VAULT_ADDR: http://vault:8200
      VAULT_TOKEN: supersecret
      SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: ":80"
      SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS: ":443"
      SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED: "true"
      SUPERSECRETMESSAGE_TLS_CERT_FILEPATH: /home/me/tools/mydomain.io/STAR_mydomain_io.pem
      SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH: /home/me/tools/mydomain.io/STAR_mydomain_io.key
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - vault

what am I missing ?

This "new" TLS setup ends up to be a nightmare...
no way to get it to work when everything was working fine before...
Why ? :(

Hello guys,
I'm seeing that you have some activity again. I just forked this project two weeks ago because I think that it is fucking amazing.
I forked because I was missing one configuration parameter and a docker image and it was going to be the faster way to solve my problems.

Also, I changed the name to be consistent and writable: you have like supersecrets directories and different notations... and added some basic CI after fixing some tests.

At this point, it is difficult to do a PR to your project but at least I want to share this with you.

I already deployed it in my k8s cluster using Vault operator so I will upload there the descriptors too.

Thank you for your project and if you find something of this useful just ping me back,
Alex

should be able to support reCaptchav2 reCaptchaV3 and hCaptcha
must also be able to run without captcha if it is not configured.

the example for https://secret.dev fails to load due to HSTS enforcement in chrome

We need an ability to run this with custom (i.e. not let's encrypt) TLS certificates
[Requested by @stefcho034]

I'd love to see a step by step guide on getting this running on AWS.

Hi,

I'm trying to run sup3rS3cretMes5age for the first time,
but I end up with this error when running the make run command :

No stopped containers
dep ensure -v
make: dep: Command not found
Makefile:8: recipe for target 'deps' failed
make: *** [deps] Error 127

I follow the instruction, installed GO, docker and docker compose... don't know what to do now :(

Ubuntu 18.04.4
go version go1.14.4 linux/amd64
Docker version 19.03.6, build 369ce74a3c
docker-compose version 1.26.0, build d4451659

someone can help ?

thanks in advance

acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/202890638696" for domain "secret.example.com": no viable challenge type found

Hi guys,

hopefully somebody can help me. I'm not able to solve this Problem by myself.
I get some issues when I try to run sup3rS3cretMes5age with Manual TLS and i don't know what I'm doing wrong.
Over HTTP it works fine.

Here is my docker-compose.yml

I always get the error:

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.supersecret.environment contains an invalid type, it should be an object, or an array

This problem is making me Headache. Please Help... Don't know what to try anymore.

version: '3.2'

services:
vault:
image: vault:latest
container_name: vault
environment:
VAULT_DEV_ROOT_TOKEN_ID: supersecret
cap_add:
- IPC_LOCK
expose:
- 8200

supersecret:
build: ./
image: algolia/supersecretmessage:latest
container_name: supersecret
environment:
VAULT_ADDR=http://vault:8200
VAULT_TOKEN=root
SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443
SUPERSECRETMESSAGE_TLS_CERT_FILEPATH=/path/to/my/cert/fullchain.pem
SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH=/path/to/my/key/privkey.pem
ports:
- "8082:8082"
depends_on:
- vault

In case you would like to add this to the readme page, this is how I work with sup3rS3cretMes5age:

o () { cat "$@" | curl -sF 'msg=<-' https://onetime.endpoint.com/secret | jq -r .token | awk {'print "https://onetime.endpoint.com/getmsg?token="$1'}; }

Hi,

the README seems to be wrong,
about the
`VAULT_ADDR=http://vault:8200
VAULT_TOKEN=root

SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS=:80
SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443
SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED=true
SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN=secrets.example.com`

I always get an error :
ERROR: yaml.scanner.ScannerError: while scanning a simple key in "/home/me/supersecret/docker-compose.yml", line 21, column 7 could not find expected ':' in "/home/me/supersecret/docker-compose.yml", line 22, column 7

when I follow the instructions...

Shouldn't it be :
`VAULT_ADDR: http://vault:8200
VAULT_TOKEN: root

SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: ":80"
SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS: ":443"
SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED: "true"
SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN: "secrets.example.com"`

my docker-compose version is
docker-compose version 1.29.2, build unknown

probably need to change the depends_on in the docker-compose.yml

Could it be posible to disable logs when requesting /health?

Kubernetes heathlcheck generate lots of logs each 5 seconds when during the liveProbe

https://docs.github.com/en/free-pro-team@latest/actions

Quick question please...

I see the backend is vault.

I assume when vault goes down (e.g. server restarts, docker container restarts/upgraded), all the temporary passwords are lost? I don't think this is a problem because this is a one-time password store. I'm just trying to understand how it works.

Thank you, and well done on creating such a clever and useful tool!

https://testcontainers.com/modules/vault/

Let someone who just received a message to send a message as well easily

I have had SuperSecretMessage running on a Ubuntu server for almost a month now but I have a couple of issues:

1. Whenever I restart the server, the docker container basically gets wiped out and I have to reinstall it.
2. I am unable to edit the code to put some custom branding on it so clients tend to trust a known logo more than a plain website.

Can you direct me on how to keep the container running after a restart and how I can customize the webpage?

Hi, so I'm having to guess my way around what policies are needed to allow this to run.

Do you have any example policies or is the default policy set meant to work?

is it possible to create secrets through an API? I see nothing in the documentation, and in the code.
For instance, privnote has an API, to create secrets from the command line.

Hi again,

I'm getting closer to get this new instance with the latest version of SSM up and running,
but I'm not quite there yet....

I'm facing this error now

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v3.3.10-dev
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\
⇨ https server started on [::]:443

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v3.3.10-dev
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\
⇨ http server started on [::]:80


echo: http: TLS handshake error from 192.241.216.111:49634: tls: client offered only unsupported versions: []
echo: http: TLS handshake error from 192.241.204.147:44968: tls: client used the legacy version field to negotiate TLS 1.3

any idea ?

Hi,

according to the logs, the Vault is running in Dev Mode

vault          | WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
vault          | and starts unsealed with a single unseal key. The root token is already
vault          | authenticated to the CLI, so you can immediately begin using Vault.
vault          | 
vault          | You may need to set the following environment variable:
vault          | 
vault          |     $ export VAULT_ADDR='http://0.0.0.0:8200'
vault          | 
vault          | The unseal key and root token are displayed below in case you want to
vault          | seal/unseal the Vault or re-authenticate.
vault          | 
vault          | Unseal Key: qlea5SkvMiLfsArRpyhm..vf.dg.fd..1/QvbXbN4Td4Bbs=
vault          | Root Token: supersecret
vault          | 
vault          | Development mode should NOT be used in production installations!

is this intended ?
nothing wrong with this ?
Have I missed something from the doc to set it up in Prod Mode ?

thanks in advance ;)

switch to native JS

Remove go-dep as dependency it can be dockerized in the build step, see #27

docker-compose has been integrated as a plugin of docker
it can be used by calling docker compose we need to update README and other files to support it