Paste viewer: open pastebin.com links on securebin.org with local decryption#2
Open
bindeman wants to merge 1 commit into
Open
Paste viewer: open pastebin.com links on securebin.org with local decryption#2bindeman wants to merge 1 commit into
bindeman wants to merge 1 commit into
Conversation
Open any Pastebin paste in securebin's UI by swapping the domain (pastebin.com/<id> → securebin.org/<id>). Encrypted securebin pastes get a passkey prompt and are decrypted locally with the Web Crypto API — the same code path as the extension (assets/js/viewer-crypto.js); the passkey rides in the URL fragment and never reaches any server. - 404.html mirrors pastebin.com URLs: an alphanumeric single-segment path mounts the viewer in place (pretty URL preserved); real pages and typos of them fall back to the normal Not Found page when the paste 404s. - /view is the canonical share-link landing route; only it honors #paste=, so a mirror link's visible path can't be contradicted by a hidden fragment. - worker/ is a Cloudflare Worker (deploy: wrangler deploy) relaying GET /raw/<id> → pastebin.com/raw/<id> with a securebin.org origin allowlist, a 600 KB cap, and 5-minute edge caching. Runs on the paste.securebin.org custom domain because the Cache API is a no-op on workers.dev — caching is what keeps it on the free tier and dodges Pastebin's bot challenge. Verified: node scripts/verify-viewer.mjs — 29 checks (crypto parity with the extension across GCM/CTR/raw/256-bit, browser flows, routing/spoofing regressions, XSS smoke: paste content only ever reaches textContent). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a paste viewer to securebin.org. Swap
pastebin.com/<id>→securebin.org/<id>to open any paste in securebin's dark UI; encrypted securebin pastes get a passkey prompt and decrypt locally via the Web Crypto API (same code path as the extension). Pastebin stays the source of truth — the viewer only reads from it.Pieces
assets/js/viewer-crypto.js— decrypts securebin ciphertexts (PBKDF2-SHA256 / raw keys, AES-GCM/CTR/legacy-CBC), byte-for-byte parity with the extension'scrypto.ts.assets/js/viewer.js+assets/css/viewer.css— the viewer UI (loading / passkey prompt / content / error). Paste content only ever reachestextContent.404.html— GitHub Pages serves it for unknown paths, sosecurebin.org/<id>mounts the viewer with the pretty URL intact. Real pages and typos of them fall back to the normal Not Found page.view/index.html— canonical share-link landing route; only/viewhonors#paste=, so a mirror link's visible path can't be contradicted by a hidden fragment.worker/— Cloudflare Worker relayingGET /raw/<id>→pastebin.com/raw/<id>(Pastebin sends no CORS headers). Origin allowlist, 600 KB cap, 5-min edge cache, refuses non-text/plain(challenge pages).Privacy
The passkey travels in the URL fragment (
#key=…), which browsers never send to any server. The worker only ever sees the paste id and the ciphertext — never the key or plaintext. Same trust model as the extension.Deploy order (important)
cd worker && npx wrangler deploy— provisionspaste.securebin.org(custom domain; the Cache API is a no-op onworkers.dev, and caching is what keeps it free-tier and dodges Pastebin's bot challenge).WORKER_BASEpoints atpaste.securebin.org, so encrypted/plain fetches only work once the worker is live.Verification
node scripts/verify-viewer.mjs— 29 checks: crypto parity (GCM/CTR/raw/256-bit, wrong-key throws), browser flows (plain, auto-decrypt via#key, mirror path, passkey prompt), routing regressions (spoofed#pasteignored,/viewlanding, typo → normal 404), and an XSS smoke test (paste content never executes).🤖 Generated with Claude Code