Yoru Pastebin

A production-grade, security-first pastebin with enterprise features

A production-grade, security-hardened pastebin service built for teams and organizations.

Yoru Pastebin implements enterprise-grade security, performance optimizations, and production deployment capabilities. Built with Go, PostgreSQL, deployed on GCP with support for hybrid cloud storage.

Live Demo: https://paste.alokranjan.me

Key Features

Security Architecture

• Zero-knowledge encryption with AES-256-GCM for password-protected pastes
• Cryptographically secure ID generation using Base62 encoding
• PBKDF2 key derivation with bcrypt cost factor 12 for password hashing
• Secure file storage with hash-based paths preventing direct access
• Creator session management with 15-minute expiration for seamless UX
• Protected file downloads requiring authentication for password-protected content
• Content Security Policy headers and XSS protection via Traefik
• Rate limiting (2 requests/second default) and DDoS protection
• Automatic expiration with secure deletion (24-hour default)

Performance Optimizations

• Lazy-loaded syntax highlighting with 35+ language support
• Optimized Go backend with efficient request handling
• PostgreSQL 16 with connection pooling
• Multi-stage Docker builds for minimal image size
• Static asset optimization with proper caching headers

Production Infrastructure

• Multi-replica deployment with Docker Swarm/Compose
• Hybrid file storage using local volumes and optional AWS S3 (20MB max per file)
• PostgreSQL persistence with volume mounting
• Graceful shutdown handling with 10-second timeout
• Health monitoring and container orchestration

Developer Experience

• RESTful API for programmatic access
• File upload support with drag-and-drop interface
• 35+ programming languages with syntax highlighting
• Responsive web interface with modern catppuccin UI
• Comprehensive Makefile for development workflow
• Database migrations with version control

Quick Start

Development Setup

# Clone repository
git clone https://github.com/ryu-ryuk/yoru-pastebin.git
cd yoru-pastebin

# Initialize development environment
make setup

# Start application (PostgreSQL + Go server)
make run

# Access at http://localhost:8080

Production Deployment

# Setup production environment
make prod-setup

# Deploy with Docker Compose
./deployment.sh

# Check deployment status  
make prod-status

Documentation

• API Reference - Complete API documentation [To be updated]
• Deployment Guide - Production deployment instructions [TODO]
• Architecture Overview - System design and diagrams [To be updated]

Configuration

Configuration

Core Configuration (configs/config.toml)

[server]
port = 8080

[database]
connection_string = "postgres://ryu:pass@localhost:5432/yoru_pastebin?sslmode=disable"

[paste]
id_length = 8
default_expiration_minutes = 1440  # 24 hours
max_content_size_bytes = 20971520  # 20MB

[security]
bcrypt_cost = 12
rate_limit_per_second = 2

[s3]
bucket = "your-s3-bucket-name"
region = "your-aws-region"

Environment Variables (.env)

# Server Configuration
SERVER_PORT=8080
BASE_URL=https://paste.alokranjan.me
ENVIRONMENT=production

# Database
DATABASE_CONNECTION_STRING=postgres://yoru_user:${POSTGRES_PASSWORD}@db:5432/yoru_pastebin?sslmode=require
POSTGRES_USER=yoru_user
POSTGRES_PASSWORD=secure_password
POSTGRES_DB=yoru_pastebin

# AWS S3 Storage
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=your_access_key
AWS_SECRET_ACCESS_KEY=your_secret_key
AWS_S3_BUCKET=yoru-pastebin-files

# Security & Rate Limiting
RATE_LIMIT_ENABLED=true
RATE_LIMIT_REQUESTS_PER_MINUTE=60

# TLS Configuration
[email protected]

Architecture

Production Infrastructure

graph TB

    %% define graph nodes
    subgraph "Load Balancer & SSL"
        LB[Traefik v2.10<br/>SSL Termination<br/>Rate Limiting]
    end

    subgraph "Application Layer"
        LB --> APP1[Yoru 1<br/>]
        LB --> APP2[Yoru 2<br/>]
    end

    subgraph "Data Layer"
        APP1 --> DB[(PostgreSQL 16<br/>Persistent Storage)]
        APP2 --> DB
        APP1 --> FS[Hybrid File Storage<br/>Local or S3]
        APP2 --> FS
    end

    subgraph "Security"
        SEC1[CSP Headers]
        SEC2[Rate Limiting]
        SEC3[TLS 1.3]
    end

    %% assign classes
    classDef mocha fill:#1e1e2e,stroke:#313244,color:#cdd6f4;
    classDef blue fill:#1e1e2e,stroke:#89b4fa,color:#89b4fa;
    classDef pink fill:#1e1e2e,stroke:#f5c2e7,color:#f5c2e7;
    classDef green fill:#1e1e2e,stroke:#a6e3a1,color:#a6e3a1;
    classDef yellow fill:#1e1e2e,stroke:#f9e2af,color:#f9e2af;

    class LB,APP1,APP2 mocha;
    class DB yellow;
    class FS green;
    class SEC1,SEC2,SEC3 pink;

Loading

Container Orchestration

Development (docker-compose.yml):

• Single replica for local development
• Direct database connection
• Volume mounting for live reload

Production (docker-compose.prod.yml):

• 2 replicas with load balancing
• External network configuration
• Health checks and restart policies
• Traefik integration with SSL

Security Implementation

• Traefik Middleware: Security headers, rate limiting, SSL redirect
• Database Security: SSL connections, credential isolation
• Container Security: Non-root users, read-only filesystems
• Network Security: Internal Docker networks, isolated services

Production Deployment

Using Docker Compose

# 1. Clone and setup
git clone https://github.com/ryu-ryuk/yoru-pastebin.git
cd yoru-pastebin

# 2. Configure environment
cp .env.example .env
# Edit .env with your production values

# 3. Deploy with automated script
./deployment.sh

# 4. Monitor deployment
make prod-status
docker-compose -f docker-compose.prod.yml logs -f

Manual Deployment Steps

# Build production image
docker build -t yoru-pastebin:latest .

# Create external network
docker network create yoru_web

# Deploy with production compose
docker-compose -f docker-compose.prod.yml up -d

# Check container health
docker-compose -f docker-compose.prod.yml ps

Infrastructure Components

• Application: Go 1.24.4 multi-stage Docker build
• Database: PostgreSQL 16 Alpine with persistent volumes
• Reverse Proxy: Traefik v2.10 with Let's Encrypt integration
• File Storage: AWS S3 with configurable regions
• Networking: Docker overlay networks for service isolation

API Usage

See API Reference for complete documentation.

Create a paste:

curl -X POST https://paste.alokranjan.me/api/v1/pastes \
  -H "Content-Type: application/json" \
  -d '{
    "content": "package main\n\nimport \"fmt\"\n\nfunc main() {\n    fmt.Println(\"Hello, Yoru!\")\n}",
    "language": "go",
    "expiration_minutes": 1440
  }'

Retrieve a paste:

curl https://paste.alokranjan.me/api/v1/pastes/aB3kX9mP

Upload a file:

curl -X POST https://paste.alokranjan.me/api/v1/pastes \
  -F "[email protected]" \
  -F "language=go" \
  -F "expiration_minutes=60"

Security Features

Encryption Implementation

• AES-256-GCM for authenticated encryption
• PBKDF2-SHA256 for password-based key derivation
• Constant-time comparison for password verification
• Secure random ID generation with sufficient entropy

Deployment & Operations

Health Monitoring

# Check application health
curl https://paste.alokranjan.me/health

# Monitor logs
docker-compose -f docker-compose.prod.yml logs -f yoru

# Check database status
docker-compose -f docker-compose.prod.yml exec db psql -U yoru_user -d yoru_pastebin -c "\l"

Backup & Maintenance

# Manual database backup
docker-compose -f docker-compose.prod.yml exec db pg_dump -U yoru_user yoru_pastebin > backup.sql

# Update deployment
./deployment.sh

# Scale application instances
docker-compose -f docker-compose.prod.yml up -d --scale yoru=3

Security Features

File Storage Security

Yoru implements a multi-layered security approach for file storage:

Hash-Based Storage Paths:

• Files are stored using SHA-256 hashes instead of predictable paste IDs
• Directory structure: secure/ab/cd/abcdef123... prevents enumeration
• Original filenames are preserved only in database metadata

Access Control:

• All file downloads go through application authentication
• Protected files require password verification before serving
• Creator session cookies (15-minute expiration) provide seamless access
• Path traversal protection prevents unauthorized directory access

Storage Implementation:

// Example secure file path generation
func generateSecureFilePath(pasteID, filename string) string {
    hash := sha256.Sum256([]byte(pasteID + filename + timestamp))
    hashStr := hex.EncodeToString(hash[:])
    return fmt.Sprintf("secure/%s/%s/%s", hashStr[:2], hashStr[2:4], hashStr)
}

Encryption & Password Protection

• AES-256-GCM encryption for password-protected content
• PBKDF2 key derivation with configurable iteration count
• Cryptographically secure salt generation (32 bytes per paste)
• Zero-knowledge architecture - server never stores plaintext passwords

Session Management

• Temporary creator sessions allow seamless access to protected pastes
• Secure session tokens using crypto/rand with 32-byte entropy
• HttpOnly cookies with appropriate SameSite and Secure flags
• Automatic expiration prevents long-term session hijacking

Infrastructure Security

• Traefik Security Headers: Frame denial, XSS protection, HSTS
• Rate Limiting: 10 requests/minute average, 20 burst
• Content Security Policy: Strict policy for XSS prevention
• TLS Configuration: Modern TLS with automatic certificate renewal
• Database Security: SSL connections, isolated credentials

Development

Prerequisites

• Go 1.22+ (application uses Go 1.24.4 in Docker)
• Docker & Docker Compose
• PostgreSQL (for local development)
• Make (optional but recommended)

Available Make Commands

make help           # Show all available commands
make setup          # Initialize development environment
make start_db       # Start PostgreSQL container
make run            # Start the application
make test           # Run test suite
make build          # Build production binary
make clean          # Clean up development environment
make prod-setup     # Setup production environment
make prod-deploy    # Deploy to production
make prod-status    # Check production deployment status

Development Workflow

# First time setup
make setup          # Creates DB, runs migrations, builds app

# Daily development
make start_db       # Start database if not running
make run            # Start application with hot reload

# Testing and building
make test           # Run unit and integration tests
make build          # Create optimized production build

Directory Structure

cmd/yoru/           # Application entry point
internal/           # Private application code
├── config/         # Configuration management
├── database/       # Database connection and utilities
├── paste/          # Core paste functionality
└── server/         # HTTP server and routing
pkg/                # Public packages
├── crypt/          # Encryption utilities
└── idgen/          # ID generation
web/                # Frontend assets
├── static/         # CSS, JS, images
└── templates/      # HTML templates
db/migrations/      # Database schema migrations

Contributing

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Make your changes with tests
4. Run the test suite (make test)
5. Commit your changes (git commit -m 'Add amazing feature')
6. Push to the branch (git push origin feature/amazing-feature)
7. Submit a pull request

Development Guidelines

• Follow Go best practices and gofmt formatting
• Include unit tests for new features
• Update documentation for API changes
• Test with both development and production Docker configurations

Testing [TODO]

# Run all tests
make test

# Run specific test packages
go test ./internal/paste/...
go test ./pkg/crypt/...

License

See LICENSE for details.

---

Built for developers who prioritize security, performance and a whole lot of catppuccin ;)