goploader

goploader is a self‑hosted file‑transfer system written entirely in Go, designed to give developers a lightweight, secure way to expose temporary file uploads. The project is split into two binaries: goploader-server, a stateless HTTP(S) service, and gpldr, a command‑line client that can push files via stdin or arguments. The core promise is “privacy matters”—files are encrypted on the server side and never persist in cleartext, with decryption keys stored only client‑side.

Architecture & Technical Stack

The server is a minimal Go HTTP application that relies on the standard library for routing and TLS handling, but it delegates certificate management to Caddy (or any ACME‑compatible client) for automatic Let's Encrypt provisioning. Internally, goploader stores uploads in a flat file store or an S3‑compatible bucket; the persistence layer is pluggable through simple interface implementations, making it trivial to swap out for a database or in‑memory cache. The client uses Go’s net/http to POST multipart/form data and follows the server’s API spec exactly, ensuring compatibility with curl‑style requests.

Key language features employed include:

• Go 1.18 generics for type‑safe request handling.
• Context cancellation to support graceful shutdown and timeout control.
• Standard library crypto for AES‑GCM encryption of file payloads, with keys derived from a user‑supplied passphrase via Argon2id.

The codebase is intentionally small (≈ 6 k LOC) and leverages Go modules for dependency management, making it easy to audit and extend.

Core Capabilities & APIs

• One‑click uploads: gpldr file.txt or piping data (cat big.log | gpldr) sends the payload in a single HTTP request.
• Secure URLs: The server returns a short, self‑contained URL that encodes the decryption key; no session or cookie management is required.
• HTTP/HTTPS only: All endpoints are served over TLS, with optional HTTP/2 support via Caddy.
• Curl‑compatible: The API accepts raw multipart/form-data, allowing integration into existing CI/CD pipelines or shell scripts.
• Expiration hooks: Developers can configure a TTL for uploads; the server automatically deletes expired files from disk or bucket.

The API surface is intentionally minimal, but it exposes hooks for custom authentication (e.g., JWT) or rate limiting by wrapping the HTTP handler.

Deployment & Infrastructure

Because goploader is written in Go, a single static binary suffices for deployment. The recommended pattern is:

1. Build the server and client binaries.
2. Run the server behind a reverse proxy (Caddy, Traefik, Nginx) that handles TLS and optional load balancing.
3. Mount a persistent volume or configure an S3 endpoint for storage.

Containerization is straightforward: the Dockerfile in the repository exposes port 8080 and copies the compiled binary. Kubernetes users can deploy it as a stateless pod with an emptyDir or external object store. The lightweight nature of the binary (≈ 10 MB) keeps resource footprints low, making it suitable for edge devices or Raspberry Pi deployments.

Integration & Extensibility

While the core product is simple, goploader offers several extension points:

• Plugin interface: The server exposes a Store interface; developers can write custom backends (e.g., GCS, Azure Blob) without touching the core logic.
• Webhooks: After a successful upload, the server can POST to a configurable URL with metadata (file size, MIME type, timestamp), enabling downstream processing or archival.
• CLI flags: The client accepts --server to target custom endpoints, and --metadata to attach arbitrary key/value pairs that survive decryption.
• Configuration files: Both server and client read YAML/JSON config files (~/.config/goploader.conf.yml), allowing per‑environment overrides (port, storage path, encryption parameters).

The project’s documentation includes a developer guide that walks through implementing a custom store and integrating webhooks, making it approachable for contributors.

Developer Experience & Community

• Documentation quality: The repo contains a dedicated website (depado.github.io/goploader/) with API references, deployment examples, and a FAQ section. Inline code comments are concise yet informative.
• Licensing: MIT license ensures no commercial restrictions, encouraging adoption in private or open‑source projects.
• Community: Although the project is not heavily maintained, the issue tracker remains open for pull requests and feature discussions. The code quality metrics (Go Report Card, Codebeat) indicate a well‑structured base that can be forked and extended.

Use Cases

1. Internal tooling: A DevOps team can spin up a quick file‑sharing service for log dumps or build artifacts, exposing a single URL to stakeholders without opening firewalls.
2. Edge deployments: Raspberry Pi or IoT devices can run the server locally, allowing firmware updates to be pushed securely to clients via short URLs.
3. Privacy‑centric sharing: Developers building secure communication tools can embed goploader as a microservice, leveraging its encryption model to keep payloads confidential.
4. CI/CD pipelines: Automated jobs can upload test reports or screenshots to a temporary goploader instance and email the generated link, all via shell scripts.

Advantages Over Alternatives

• Zero‑configuration encryption: Unlike raw S3 uploads, goploader encrypts files server‑side without