Paaster

Paaster is a lightweight, end‑to‑end encrypted pastebin designed for self‑hosted environments. From a developer’s perspective, it offers a clean separation between the web UI, API layer, and storage backend. Paste data is never stored on the server in plaintext; instead it is encrypted client‑side and only decrypted in the browser, ensuring that even privileged administrators cannot read user content. The application’s history feature is backed by a MongoDB instance, while the actual paste payloads are stored in an S3‑compatible object store (AWS S3, MinIO, or any compatible provider). This dual‑storage strategy keeps the database lean and improves scalability.

• Frontend: Built with modern React (or Preact) and Vite, the UI is a single‑page application that bundles all assets into static files. No dynamic third‑party scripts are loaded at runtime; everything is resolved during the build step, mitigating supply‑chain risks.
• Backend: A Node.js/Express server exposes a minimal REST API for creating, retrieving, and deleting pastes. Authentication is handled via signed cookies with a COOKIE_SECRET.
• Storage:
  • Metadata: MongoDB stores paste metadata (ID, timestamps, expiration policy).
  • Content: S3 or compatible object store holds the encrypted paste blobs. The server only streams these objects to the client; it never decrypts them.
• Containerization: Docker images are available on Docker Hub (wardpearce/paaster). The provided docker-compose.yml demonstrates a fully self‑contained stack with MongoDB and MinIO, but the application can be deployed behind any reverse proxy (Caddy, NGINX, Traefik).

• End‑to‑end encryption: Client-side AES‑256 GCM, key derivation via Argon2id.
• Paste lifecycle: Single‑view deletes, time‑based expirations, and manual deletion.
• API: CRUD endpoints for pastes; supports JSON payloads and URL‑encoded forms.
• CLI Tool: A separate repository (paaster-cli) provides a command‑line interface to upload pastes directly from the terminal.
• Internationalization: Uses i18n with language detection and a contribution workflow via Inlang.
• QR Code generation: Server‑side QR code rendering for quick mobile sharing.

Paaster is intentionally minimalistic to ease scaling. The stateless Node.js process can be replicated behind a load balancer; each instance requires only the same environment variables and access to the shared MongoDB/MinIO cluster. For high availability, deploy MongoDB in a replica set and MinIO with erasure coding or an S3 gateway. The Docker Compose example shows a single‑node setup, but the architecture supports horizontal scaling without modification.

• Webhooks: The API can emit events (e.g., paste created, deleted) that external services can consume.
• Plugin hooks: While the core does not expose a formal plugin system, middleware can be added to the Express app by extending the source code.
• Custom domains: The reverse proxy configuration demonstrates how to expose Paaster on arbitrary subdomains, enabling integration into existing infrastructure.
• OAuth / SSO: Not included by default but can be integrated by adding authentication middleware.

• Configuration: All settings are exposed as environment variables; the README provides a comprehensive list.
• Documentation: The repository includes detailed usage, deployment guides, and a contribution path for i18n.
• Community: The project is open source on GitHub, with active issue tracking and a clear license (MIT).
• Security focus: Use of package-lock.json and Socket.dev scans ensures dependency integrity, while the build process eliminates dynamic script loading.

1. Internal tooling – Developers can host a private pastebin for code snippets, error logs, or configuration files that must remain confidential.
2. CI/CD pipelines – The CLI tool allows automated upload of build artifacts or logs to a secure, self‑hosted paste service.
3. Incident response – Security teams can share encrypted evidence without exposing it to external services.
4. Educational environments – Teachers can host a pastebin for assignments, ensuring that student work stays within the institution’s network.

• Privacy‑first design: End‑to‑end encryption guarantees that only the intended recipient can read content.
• Zero external dependencies: All assets are bundled; no runtime script loading reduces attack surface.
• Flexible storage: Compatible with any S3‑compatible provider, making it easy to use cloud or on‑prem solutions like MinIO.
• Lightweight: Minimal runtime footprint allows quick startup and easy scaling.
• Open source & permissive license: MIT licensing removes deployment constraints, making it suitable for commercial use.

Paaster offers developers a secure, self‑hosted pastebin that balances simplicity with robust privacy guarantees, all while remaining highly configurable and easily integrable into existing infrastructure.