# AnonChat

An anonymous chat application built with Flask.

## Features

- Anonymous inquiries and messaging
- Admin dashboard to manage inquiries
- Customizable site title
- Redis-based session storage for improved scalability
## Development Approach

AnonChat was created using "vibe coding": a programming approach where developers leverage AI tools to generate code through natural language prompts rather than writing code manually. This modern development method allows focusing on high-level problem-solving and design while letting AI handle implementation details.

Rest assured though, I know what I'm (or the AI is) doing. Here's what would happen if I didn't:

> my saas was built with Cursor, zero hand written code
>
> AI is no longer just an assistant, it's also the builder
>
> Now, you can continue to whine about it or start building.

> random things are happening, maxed out usage on api keys, people bypassing the subscription, creating random shit on db
>
> there are just some weird ppl out there
## Configuration

AnonChat can be configured using environment variables:

- `SECRET_KEY`: Secret key for session management
- `DATABASE_URL`: Database connection string (defaults to SQLite)
- `ADMIN_USERNAME`: Admin username for the admin dashboard
- `ADMIN_PASSWORD`: Admin password for the admin dashboard
- `ADMIN_FORCE_RESET`: When set to "true", forces a reset of the admin password to the value in `ADMIN_PASSWORD` (defaults to "false")
- `SITE_TITLE`: Customizable site title (defaults to "AnonChat")
- `BEHIND_PROXY`: Set to "true" when running behind a reverse proxy to properly handle client IP addresses (defaults to "false")
- `RATELIMIT_STORAGE_URL`: Storage backend for rate limiting (defaults to memory storage)
- `REDIS_URL`: Redis connection URL for session storage (defaults to "redis://localhost:6379/0")
You can set these variables in a `.env` file:

```dotenv
SECRET_KEY=your_secret_key_here
FLASK_APP=src/anonchat
FLASK_ENV=development
SITE_TITLE=My Custom Chat
BEHIND_PROXY=true
REDIS_URL=redis://redis:6379/0
```
## Reverse Proxy Configuration

When running AnonChat behind a reverse proxy (like Nginx or Apache), set the `BEHIND_PROXY` environment variable to "true" to ensure rate limiting works correctly. This enables the application to use the `X-Forwarded-For` header to determine the client's real IP address.

Your reverse proxy should be configured to pass the client IP address in the `X-Forwarded-For` header:
### Nginx Example

```nginx
server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
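The reason the flag exists is that `X-Forwarded-For` is plain request input: without a proxy in front, any client can set it to whatever address it likes, so a limiter that trusts it can be keyed on attacker-chosen values. The following is an added illustration (not AnonChat's own code) of how the `BEHIND_PROXY` decision should resolve the address a rate limiter keys on; the function names and the `trusted_hops` parameter are assumptions.

```python
import ipaddress
import os
from typing import Optional


def behind_proxy_from_env(env: Optional[dict] = None) -> bool:
    """Read BEHIND_PROXY the way the README describes: only the literal "true" enables it."""
    env = os.environ if env is None else env
    return env.get("BEHIND_PROXY", "false").lower() == "true"


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              behind_proxy: bool, trusted_hops: int = 1) -> str:
    """Return the address that rate limiting should key on.

    - BEHIND_PROXY unset: ignore the header entirely and use the socket peer.
      A client talking to Flask directly controls the header, so trusting it
      would let one client rotate its apparent address past the limiter.
    - BEHIND_PROXY set: the proxy appends the peer it saw ($proxy_add_x_forwarded_for),
      so the entry `trusted_hops` from the right is the one the proxy vouches for.
      Anything further left was supplied by the client and is not trusted.
    """
    if not behind_proxy or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return remote_addr
    candidate = hops[-trusted_hops]
    try:
        ipaddress.ip_address(candidate)  # reject malformed or non-IP text
    except ValueError:
        return remote_addr
    return candidate


def limiter_keys(requests: list, behind_proxy: bool) -> set:
    """Constructed helper: the set of distinct limiter keys a batch of
    (remote_addr, x_forwarded_for) pairs would produce."""
    return {client_ip(addr, xff, behind_proxy) for addr, xff in requests}
```

With `BEHIND_PROXY` off, three requests from one socket with three different spoofed headers collapse to a single key; with it on but no real proxy in front, they become three keys and the limiter is bypassed.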
## Installation

1. Clone the repository
2. Install dependencies with Poetry:

   ```bash
   poetry install
   ```

3. Create a `.env` file with your configuration
4. Run the application:

   ```bash
   poetry run start
   ```
## Development

This project uses Poetry for dependency management.

- Install dependencies:

  ```bash
  poetry install
  ```

- Run tests:

  ```bash
  poetry run pytest
  ```

- Run the application:

  ```bash
  poetry run start
  ```
## Admin Authentication

AnonChat includes a secure admin authentication system that protects administrative routes and functions. This ensures that only authorized users can access the admin dashboard, manage inquiries, and configure system settings.

### Security Features

- **Secure Password Storage**: Admin passwords are hashed using SHA-256 with the application's secret key as salt
- **Session-Based Authentication**: Uses Flask sessions to maintain admin login state
- **Protected Routes**: All admin routes are protected by middleware that verifies authentication
- **Password Management**: Admins can change their password through the Admin Settings page
- **Logout Functionality**: Secure logout to clear session data
### Setting Admin Credentials

Admin credentials are set using environment variables:

```dotenv
ADMIN_USERNAME=admin
ADMIN_PASSWORD=your-secure-password
ADMIN_FORCE_RESET=false
```

These values should be set in your `.env` file or server environment. The default admin user is created automatically when the application first runs.
### Password Reset

You can force a reset of the admin password by setting `ADMIN_FORCE_RESET=true` in your environment variables. This is useful when:

- You need to recover from a forgotten admin password
- You're deploying to a new environment and want to ensure the admin credentials are set correctly
- You want to update the admin password during deployment without accessing the admin interface

When enabled, the application will update the admin user's password to match the value in `ADMIN_PASSWORD` during initialization or when running the `init-db` command.
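The two behaviours above (the SHA-256-with-secret-key scheme from Security Features and the first-run/`ADMIN_FORCE_RESET` initialization rule) are shown together in this added example, which is not AnonChat's code. Because SHA-256 with one deployment-wide salt is fast to guess offline and gives identical hashes for identical passwords, the block also shows a PBKDF2 variant with a random per-user salt, and verifies both with a constant-time comparison; the concatenation order, helper names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-range work factor for PBKDF2-HMAC-SHA256


def legacy_hash(password: str, secret_key: str) -> str:
    """Scheme as the README describes it: SHA-256 over the secret key plus the password.
    The salt is shared by every account on the deployment, so equal passwords
    produce equal digests and an attacker who learns SECRET_KEY can precompute guesses."""
    return hashlib.sha256((secret_key + password).encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened alternative: random 16-byte salt per hash, slow KDF, self-describing format."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str, secret_key: str) -> bool:
    """Accept either format; compare_digest avoids leaking the match length via timing."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(legacy_hash(password, secret_key), stored)


def ensure_admin(stored_hash: Optional[str], env: dict) -> str:
    """Initialization rule from the README: create the admin hash on first run
    (no stored hash yet) and overwrite it only when ADMIN_FORCE_RESET is "true".
    Otherwise the stored hash is left untouched, even if ADMIN_PASSWORD changed."""
    force_reset = env.get("ADMIN_FORCE_RESET", "false").lower() == "true"
    if stored_hash is None or force_reset:
        return pbkdf2_hash(env["ADMIN_PASSWORD"])
    return stored_hash
```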
### Admin Functions

- View and respond to user inquiries
- Delete inquiries
- Configure webhook settings
- Change admin password
### Security Best Practices

- Always use a strong, unique password for the admin account
- Keep your `SECRET_KEY` secure and unique for each deployment
- In production, ensure you're using HTTPS to protect admin credentials during transmission
- Change the default admin password immediately after deployment
## TODO: Security Improvements

The following security enhancements are planned for future releases:

- Implement CAPTCHA protection for admin login
  - Add CAPTCHA verification to prevent brute force attacks
  - Support multiple CAPTCHA providers (reCAPTCHA, hCaptcha)
- Implement rate limiting for failed login attempts
  - Add IP-based blocking after multiple failed attempts
### Authentication Methods

- Add OAuth 2.0 support for admin authentication
  - Integrate with common providers (Google, GitHub, Microsoft)
  - Implement proper PKCE flow for added security
  - Support custom OAuth providers for enterprise deployments
- Add multi-factor authentication options
### Inquiry Management

- Add "Close Inquiry" functionality
  - Mark inquiries as closed without immediate deletion
  - Automatically delete closed inquiries after 2 days
  - Allow reopening inquiries before deletion occurs
  - Provide visual indicators for closed inquiries in the admin interface
### Read-Only Links

- Implement read-only sharing links for inquiries
  - Generate unique, cryptographically secure sharing links
  - Allow users to create links that provide view-only access
  - Set optional expiration times for sharing links
  - Allow users to revoke sharing links at any time