
AnonChat

An anonymous chat application built with Flask.

Features

  • Anonymous inquiries and messaging
  • Admin dashboard to manage inquiries
  • Customizable site title
  • Redis-based session storage for improved scalability

Development Approach

AnonChat was created using "vibe coding", a programming approach in which developers use AI tools to generate code from natural-language prompts rather than writing it by hand. This lets the developer focus on high-level problem-solving and design while the AI handles implementation details.

Rest assured though, I know what I'm (or the AI is) doing. Here's what would happen if I didn't:

  1. my saas was built with Cursor, zero hand written code
    AI is no longer just an assistant, it's also the builder
    Now, you can continue to whine about it or start building.
  2. random things are happening, maxed out usage on api keys, people bypassing the subscription, creating random shit on db
    there are just some weird ppl out there

Configuration

AnonChat can be configured using environment variables:

  • SECRET_KEY: Secret key for session management
  • DATABASE_URL: Database connection string (defaults to SQLite)
  • ADMIN_USERNAME: Admin username for admin dashboard
  • ADMIN_PASSWORD: Admin password for admin dashboard
  • ADMIN_FORCE_RESET: When set to "true", forces a reset of the admin password to the value in ADMIN_PASSWORD (defaults to "false")
  • SITE_TITLE: Customizable site title (defaults to "AnonChat")
  • BEHIND_PROXY: Set to "true" when running behind a reverse proxy to properly handle client IP addresses (defaults to "false")
  • RATELIMIT_STORAGE_URL: Storage backend for rate limiting (defaults to memory storage)
  • REDIS_URL: Redis connection URL for session storage (defaults to "redis://localhost:6379/0")

You can set these variables in a .env file:

SECRET_KEY=your_secret_key_here
FLASK_APP=src/anonchat
FLASK_ENV=development
SITE_TITLE=My Custom Chat
BEHIND_PROXY=true
REDIS_URL=redis://redis:6379/0

Reverse Proxy Configuration

When running AnonChat behind a reverse proxy (like Nginx or Apache), set the BEHIND_PROXY environment variable to "true" to ensure rate limiting works correctly. This enables the application to use the X-Forwarded-For header to determine the client's real IP address.

Your reverse proxy should be configured to pass the client IP address in the X-Forwarded-For header:

Nginx Example

server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
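The BEHIND_PROXY switch matters for rate limiting because X-Forwarded-For is a plain request header that any client can set; it is only trustworthy for the entries a proxy you control appended. The following is an added example (not AnonChat's own code) of the address-selection logic that setting implies: ignore the header when not behind a proxy, and when behind one, take the entry the Nginx configuration above appended rather than the first one. The function names and the one-trusted-hop default are assumptions for the example.

```python
import ipaddress
from typing import Mapping, Optional


def parse_bool(value: Optional[str]) -> bool:
    # Follows the README's convention: only the string "true" enables a setting.
    return (value or "").strip().lower() == "true"


def client_ip(remote_addr: str, headers: Mapping[str, str],
              behind_proxy: bool, trusted_hops: int = 1) -> str:
    """Return the address that rate limiting should key on.

    remote_addr  - TCP peer address seen by the application server
    headers      - request headers (looked up case-insensitively)
    behind_proxy - the BEHIND_PROXY setting
    trusted_hops - number of reverse proxies in front of the app (assumed: 1)
    """
    if not behind_proxy:
        # No proxy: X-Forwarded-For is whatever the client chose to send, so ignore it.
        return remote_addr
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        # Header missing or too short to contain a proxy-added entry.
        return remote_addr
    # proxy_add_x_forwarded_for appends the real peer address at the end, so the
    # trusted entry is found by counting back from the right; anything a client
    # prepended to the header is never reached.
    candidate = hops[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Malformed entry: fall back to the socket address rather than trusting it.
        return remote_addr


def client_ip_from_env(remote_addr: str, headers: Mapping[str, str],
                       env: Mapping[str, str]) -> str:
    """Convenience wrapper that reads BEHIND_PROXY the way the .env file sets it."""
    return client_ip(remote_addr, headers, parse_bool(env.get("BEHIND_PROXY")))
```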

Installation

  1. Clone the repository
  2. Install dependencies with Poetry: poetry install
  3. Create .env file with your configuration
  4. Run the application: poetry run start

Development

This project uses Poetry for dependency management.

  • Install dependencies: poetry install
  • Run tests: poetry run pytest
  • Run the application: poetry run start

Admin Authentication

AnonChat includes a secure admin authentication system that protects administrative routes and functions. This ensures that only authorized users can access the admin dashboard, manage inquiries, and configure system settings.

Security Features

  • Secure Password Storage: Admin passwords are securely hashed using SHA-256 with the application's secret key as salt
  • Session-Based Authentication: Uses Flask sessions to maintain admin login state
  • Protected Routes: All admin routes are protected by middleware that verifies authentication
  • Password Management: Admins can change their password through the Admin Settings page
  • Logout Functionality: Secure logout to clear session data

Setting Admin Credentials

Admin credentials are set using environment variables:

ADMIN_USERNAME=admin
ADMIN_PASSWORD=your-secure-password
ADMIN_FORCE_RESET=false

These values should be set in your .env file or server environment. The default admin user is created automatically when the application first runs.

Password Reset

You can force a reset of the admin password by setting ADMIN_FORCE_RESET=true in your environment variables. This is useful when:

  • You need to recover from a forgotten admin password
  • You're deploying to a new environment and want to ensure the admin credentials are set correctly
  • You want to update the admin password during deployment without accessing the admin interface

When enabled, the application will update the admin user's password to match the value in ADMIN_PASSWORD during initialization or when running the init-db command.
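The create-on-first-run and ADMIN_FORCE_RESET behaviour described in the two sections above, as an added example that is not AnonChat's own code: the admin user is created only if absent, and an existing password is replaced only when ADMIN_FORCE_RESET is exactly "true". The in-memory store, the function names and the password-hashing choice are assumptions for the example; it uses salted PBKDF2-HMAC-SHA256 from the standard library, which is not the scheme the README describes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Mapping

# Hypothetical in-memory store standing in for the DATABASE_URL-backed table.
@dataclass
class AdminUser:
    username: str
    password_hash: str

PBKDF2_ITERATIONS = 600_000  # OWASP's current floor for PBKDF2-HMAC-SHA256

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # wrong field count, bad hex or non-numeric iteration count
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)

def init_admin(store: Dict[str, AdminUser], env: Mapping[str, str]) -> str:
    """Create the admin on first run, or reset its password when forced.

    Returns "created", "reset" or "unchanged" so the caller can log the outcome.
    """
    username = env.get("ADMIN_USERNAME")
    password = env.get("ADMIN_PASSWORD")
    if not username or not password:
        raise ValueError("ADMIN_USERNAME and ADMIN_PASSWORD must be set")
    force_reset = env.get("ADMIN_FORCE_RESET", "false").strip().lower() == "true"
    user = store.get(username)
    if user is None:
        store[username] = AdminUser(username, hash_password(password))
        return "created"
    if force_reset:
        user.password_hash = hash_password(password)
        return "reset"
    return "unchanged"  # existing password is kept unless a reset is forced
```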

Admin Functions

  • View and respond to user inquiries
  • Delete inquiries
  • Configure webhook settings
  • Change admin password

Security Best Practices

  • Always use a strong, unique password for the admin account
  • Keep your SECRET_KEY secure and unique for each deployment
  • In production, ensure you're using HTTPS to protect admin credentials during transmission
  • Change the default admin password immediately after deployment

TODO: Security Improvements

The following security enhancements are planned for future releases:

  • Implement CAPTCHA protection for admin login
    • Add CAPTCHA verification to prevent brute force attacks
    • Support multiple CAPTCHA providers (reCAPTCHA, hCaptcha)
    • Implement rate limiting for failed login attempts
    • Add IP-based blocking after multiple failed attempts

Authentication Methods

  • Add OAuth 2.0 support for admin authentication
    • Integrate with common providers (Google, GitHub, Microsoft)
    • Implement proper PKCE flow for added security
    • Support for custom OAuth providers for enterprise deployments
    • Add multi-factor authentication options

Inquiry Management

  • Add "Close Inquiry" functionality
    • Mark inquiries as closed without immediate deletion
    • Automatically delete closed inquiries after 2 days
    • Allow reopening inquiries before deletion occurs
    • Provide visual indicators for closed inquiries in admin interface
  • Implement read-only sharing links for inquiries
    • Generate unique, cryptographically secure sharing links
    • Allow users to create links that provide view-only access
    • Set optional expiration times for sharing links
    • Allow users to revoke sharing links at any time