.gitignore

@@ -1,2 +1,4 @@
data
sequentialread-password-manager
test-server.key
test-server.pem

Dockerfile

@@ -1,6 +1,6 @@
FROM alpine
COPY sequentialread-password-manager index.appcache.gotemplate index.html.gotemplate ./
COPY sequentialread-password-manager LICENSE ReadMe.md index.html.gotemplate ./
COPY static static
EXPOSE 8073

ReadMe.md

@@ -1,7 +1,6 @@
# SequentialRead Password Manager
This is a Golang / HTML5  / vanilla JavaScript web-application which stores encrypted text files in three places:
 - `localStorage` in the browser
@@ -37,7 +36,7 @@ It was designed that way to strengthen the claim that "everything it sends out f
## High Avaliability by Design
 It uses the [HTML5 Application Cache](https://alistapart.com/article/application-cache-is-a-douchebag/) to ensure that even if my server goes down, the app still loads.
 It uses the [Service Worker API](https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers) to ensure that even if my server goes down, the app still loads.
 It also has its own AWS Credential with access to the bucket, so you can still access S3 if my server goes down.
@@ -69,7 +68,7 @@ Casual remote attackers probably won't have access to the ciphertext since they
## Hosting it yourself
You should create a separate IAM user in AWS which only has access to the bucket. This is the policy I used for that user:
You should create a separate IAM user in AWS which only has access to the bucket. This is the policy I used for that user. Note that the user does not have the capability to list the bucket contents, only to get and put objects. This is very important for security reasons, otherwise a remote attacker would have a much easier time trying to break the encryption, because they would have easy access to the ciphertext. 
```
{

build.sh

@@ -1,4 +1,4 @@
#!/bin/bash
GOOS=linux GOARCH=amd64 go build -v -o sequentialread-password-manager server.go \
  && docker build -t sequentialread/sequentialread-password-manager:1.1.0 .
GOOS=linux GOARCH=amd64 go build -v -o sequentialread-password-manager -tags netgo  server.go \
  && docker build -t sequentialread/sequentialread-password-manager:1.2.0 .

index.appcache.gotemplate

@@ -1,14 +0,0 @@
CACHE MANIFEST
# VERSION {{.Version}}
/?v={{.Version}}
/static/application.css?v={{.Version}}
/static/application.js?v={{.Version}}
/static/awsClient.js?v={{.Version}}
/static/vendor/sjcl.js?v={{.Version}}
/static/vendor/tenThousandMostCommonEnglishWords.js?v={{.Version}}
NETWORK:
*
FALLBACK:
/ /?v={{.Version}}

index.html.gotemplate

@@ -1,5 +1,5 @@
<!DOCTYPE HTML>
<html manifest="index.appcache?v={{.Version}}">
<html>
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1"/>
@@ -17,10 +17,10 @@
      window.sequentialReadPasswordManager.sjcl = factory();
    };
  </script>
  <script src="static/vendor/sjcl.js?v={{.Version}}"></script>
  <script src="static/vendor/tenThousandMostCommonEnglishWords.js?v={{.Version}}"></script>
  <script src="static/awsClient.js?v={{.Version}}"></script>
  <link rel="stylesheet" type="text/css" href="static/application.css?v={{.Version}}">
  <script src="static/vendor/sjcl.js"></script> 
  <script src="static/vendor/tenThousandMostCommonEnglishWords.js"></script>
  <script src="static/awsClient.js"></script>
  <link rel="stylesheet" type="text/css" href="static/application.css">
</head>
<body>
  <div class="header">
@@ -90,6 +90,6 @@
    <div class="loader">loading</div>
  </div>
  <script src="static/application.js?v={{.Version}}"></script>
  <script src="static/application.js"></script>
</body>
</html>

server.go

@@ -3,6 +3,7 @@ package main
import (
	"bytes"
	"crypto/sha256"
	"crypto/tls"
	"flag"
	"fmt"
	"io"
@@ -21,7 +22,6 @@ import (
var appPort = "8073"
var dataPath string
var indexTemplate *template.Template
var appcacheTemplate *template.Template
var application Application
type Application struct {
@@ -104,27 +104,7 @@ func indexHtml(response http.ResponseWriter, request *http.Request) {
		fmt.Fprintf(response, "500 %s", err)
		return
	}
	response.Header().Set("Cache-Control", "max-age=0")
	response.Header().Set("Cache-Control", "must-revalidate")
	response.Header().Set("Cache-Control", "no-cache")
	response.Header().Set("Cache-Control", "no-store")
	io.Copy(response, &buffer)
}
func cacheManifest(response http.ResponseWriter, request *http.Request) {
	var buffer bytes.Buffer
	err := appcacheTemplate.Execute(&buffer, application)
	if err != nil {
		response.WriteHeader(500)
		fmt.Fprintf(response, "500 %s", err)
		return
	}
	response.Header().Set("Content-Type", "text/cache-manifest")
	response.Header().Set("Cache-Control", "max-age=0")
	response.Header().Set("Cache-Control", "must-revalidate")
	response.Header().Set("Cache-Control", "no-cache")
	response.Header().Set("Cache-Control", "no-store")
	response.Header().Set("Etag", application.Version)
	io.Copy(response, &buffer)
}
@@ -156,8 +136,8 @@ func hashFiles(filenames []string) string {
func reloadStaticFiles() {
	application.Version = hashFiles([]string{
		"index.html.gotemplate",
		"index.appcache.gotemplate",
		"static/application.js",
		"static/serviceworker.js",
		"static/awsClient.js",
		"static/application.css",
		"static/vendor/sjcl.js",
@@ -169,7 +149,6 @@ func reloadStaticFiles() {
	application.S3BucketRegion = os.ExpandEnv("$SEQUENTIAL_READ_PWM_S3_BUCKET_REGION")
	indexTemplate = loadTemplate("index.html.gotemplate")
	appcacheTemplate = loadTemplate("index.appcache.gotemplate")
}
func main() {
@@ -180,18 +159,29 @@ func main() {
	reloadStaticFiles()
	http.HandleFunc("/", indexHtml)
	http.HandleFunc("/serviceworker.js", func(response http.ResponseWriter, request *http.Request) {
		file, _ := os.OpenFile("static/serviceworker.js", os.O_RDONLY, 0755)
		defer file.Close()
		response.Header().Set("Etag", application.Version)
		response.Header().Set("Content-Type", "application/javascript")
		io.Copy(response, file)
	})
	http.HandleFunc("/version", func(response http.ResponseWriter, request *http.Request) {
		response.WriteHeader(200)
		fmt.Fprint(response, application.Version)
	})
	http.HandleFunc("/index.appcache", cacheManifest)
	http.HandleFunc("/storage/", storage)
	http.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./static/"))))
	var headless = flag.Bool("headless", false, "headless server mode")
	if *headless == false {
	var tlsFlag = flag.String("tls", "", "path to tlsFlag cert/key (for example, entering \"test\" will resolve \"./test.key\" and \"./test.pem\"")
	flag.Parse()
	if headless == nil || *headless == false {
		go func() {
			for true {
@@ -202,12 +192,20 @@ func main() {
		go func() {
			var appUrl = "http://localhost:" + appPort
			if tlsFlag != nil && *tlsFlag != "" {
				appUrl = "https://localhost:" + appPort
			}
			var serverIsRunning = false
			var attempts = 0
			for !serverIsRunning && attempts < 15 {
				attempts += 1
				time.Sleep(time.Millisecond * 500)
				response, err := http.Get(appUrl)
				tr := &http.Transport{
					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
				}
				client := &http.Client{Transport: tr}
				response, err := client.Get(appUrl)
				if err == nil && response.StatusCode == 200 {
					serverIsRunning = true
				}
@@ -216,8 +214,13 @@ func main() {
		}()
	}
	//http.ListenAndServeTLS(":443", "test-server.pem", "test-server.key", nil)
	http.ListenAndServe(":"+appPort, nil)
	if tlsFlag != nil && *tlsFlag != "" {
		err := http.ListenAndServeTLS(":"+appPort, fmt.Sprintf("%s.pem", *tlsFlag), fmt.Sprintf("%s.key", *tlsFlag), nil)
		panic(err)
	} else {
		err := http.ListenAndServe(":"+appPort, nil)
		panic(err)
	}
}

static/application.css

@@ -20,7 +20,7 @@ h3 {
}
input, button {
  border-radius: 2px;
  border: 1px solid #dddddd;
  border: 1px solid #bbb;
  padding: 5px;
  margin:5px;
}
@@ -44,7 +44,7 @@ button:hover {
}
button:active {
  background: #ffffff;
  border: 1px solid #dddddd;
  border: 1px solid #aaa;
}
input[type="text"]{
  color:  #666666;

static/application.js

@@ -1,14 +1,47 @@
'use strict';
(function(window, undefined){
(function(window, navigator, undefined){
  window.sequentialReadPasswordManager = window.sequentialReadPasswordManager || {};
  window.sequentialReadPasswordManager.localStorageKeyPrefix = "sequentialread-pwm:";
  window.sequentialReadPasswordManager.s3InterceptorSymbol =  "/awsS3/";
  window.sequentialReadPasswordManager.storageBaseUrl = "/storage";
})(window);
  window.addEventListener('load', () => {
    if (!('serviceWorker' in navigator)) {
      console.log('service workers not supported 😣')
      return
    }
  
    navigator.serviceWorker.register('/serviceworker.js').then(
      (reg) => {
        if(reg.installing) {
          console.log('Service worker installing, will reload');
          
          document.getElementById('progress-container').style.display = 'block';
          window.setTimeout(function(){
            window.location = window.location.origin;
          }, 2000);
        } else if(reg.waiting) {
          console.log('Service worker installed');
          
        } else if(reg.active) {
          console.log('Service worker active');
        }
      },
      err => {
        console.error('service worker registration failed! 😱', err)
      }
    );
    navigator.serviceWorker.addEventListener('message', event => {
      if(event.data.log) {
        console.log(event.data.log);
      }
    });
  });
})(window, navigator);
(function(app, window, document, undefined){
@@ -220,6 +253,10 @@
      });
    this.isStoredLocally = (id) => {
      return !!window.localStorage[`${localStorageKeyPrefix}${id}`];
    };
    this.get = (id) => {
      return Promise.all([
        httpButAlwaysResolves('GET', `${storageBaseUrl}/${id}`, {'Accept': 'application/json'}),
@@ -552,7 +589,26 @@
    this.load = () => {
      storageService.get(cryptoService.getKeyId())
      .then(
        renderFileList,
        fileListDocument => {
          // attempt to load all the files that are not already stored locally
          // this way if the user tries to open a file that they have never opened before
          // when they are offline, it should work.
          // console.log(fileListDocument.files
          //   .filter(x => !storageService.isStoredLocally(x.id)).map(x => x.name))
          // console.log(fileListDocument.files
          //   .filter(x => !storageService.isStoredLocally(x.id)).map(x => x.id))
          fileListDocument.files
            .filter(x => !storageService.isStoredLocally(x.id))
            .map(file => storageService.get(file.id).then(
              () => {}, 
              err => console.log(`could not cache file "${file.name}"`, err)
            ));
          return renderFileList(fileListDocument);
        },
        () => {
          modalService.open(
            "New Index File",
@@ -669,9 +725,20 @@
    .then(
      (currentVersion) => {
        var lastVersion = window.localStorage[`${localStorageKeyPrefix}version`];
        if(currentVersion != lastVersion) {
          console.log(`reloading in 1 second due to new app version: ${currentVersion}`)
        if(currentVersion && currentVersion != lastVersion) {
          
          console.log(`reloading service worker due to new app version: ${currentVersion}`)
          window.localStorage[`${localStorageKeyPrefix}version`] = currentVersion;
          if(navigator.serviceWorker && navigator.serviceWorker.controller) {
            navigator.serviceWorker.controller.postMessage({clearCache: true});
          }
          navigator.serviceWorker.getRegistrations().then(registrations => {
            registrations.forEach(registration => {
              registration.unregister()
            }) 
          });
          document.getElementById('progress-container').style.display = 'block';
          window.setTimeout(function(){
            window.location = window.location.origin;
          }, 1000);

static/serviceworker.js

@@ -0,0 +1,85 @@
const cacheVersion = 'v1';
self.addEventListener('install', event => {
  event.waitUntil(clients.get(event.clientId).then(client => {
    // if(client) {
    //   client.postMessage({ log: "asd222" });
    // }
    return caches.open(cacheVersion).then(cache => {
      return cache.addAll([
        '/',
        '/static/application.css',
        '/static/application.js',
        '/static/awsClient.js',
        '/static/vendor/sjcl.js',
        '/static/vendor/tenThousandMostCommonEnglishWords.js',
      ]);
    })
  }));
});
self.addEventListener('message', async event => {
  if(event.source) {
    event.source.postMessage({ log: `sw got message: ${JSON.stringify(event.data)}` });
  } else if(event.clientId) {
    const client = await clients.get(event.clientId);
    client.postMessage({ log: `sw got message: ${JSON.stringify(event.data)}` });
  }
  if(event.data.clearCache) {
    caches.delete(cacheVersion);
  }
});
self.addEventListener('fetch', event => {
  event.respondWith(clients.get(event.clientId).then((client) => {
    return caches.match(event.request).then(response => {
      // caches.match() always resolves
      // but in case of success response will have value
      if (response !== undefined) {
  
        
        if(client) {
          client.postMessage({ log: `cache hit: ${event.request.method}, ${event.request.url}` });
        }
        return response;
      } else {
        return fetch(event.request).then(response => {
          const url = new URL(event.request.url);
          const isServerStorage = url.pathname.startsWith('/storage');
          const isVersion = url.pathname == "/version";
          const isAws = url.host.includes('s3') && (url.host.includes('aws') || url.host.includes('amazon'));
          const isPut = event.request.method == "PUT";
          if(!isServerStorage && !isVersion && !isAws && !isPut) {
            // response may be used only once
            // we need to save clone to put one copy in cache
            // and serve second one
            let responseClone = response.clone();
            
            caches.open(cacheVersion).then((cache) => {
              cache.put(event.request, responseClone);
            });
            if(client) {
              client.postMessage({ log: `cache miss: ${event.request.method}, ${event.request.url}` });
            }
          } else if(client) {
            client.postMessage({ log: `ignored: ${event.request.method}, ${event.request.url}` });
          }
  
          return response;
        }).catch( e => {
          if(client) {
            client.postMessage({ log: `fetch failed in serviceworker! ${event.request.method}, ${event.request.url}: ${e} ` });
          }
          return null;
        });
      }
    });
  }));
  
});