secretnotes-go-backend

command module
v0.1.2
Published: Sep 16, 2025 License: MIT Imports: 11 Imported by: 0

README

Secret Notes Go Backend

🔐 A secure, self-hosted notes application with end-to-end encryption for both text notes and file attachments. Built with Go and PocketBase, featuring passphrase-based encryption using AES-256-GCM.

✨ Features

  • 🔒 End-to-End Encryption: All notes and files encrypted with AES-256-GCM
  • 🔑 Passphrase-Based Security: No accounts needed - your passphrase is your key
  • 📁 Encrypted File Storage: Upload and encrypt any file type
  • 🚀 Self-Hosted: Deploy on your own infrastructure
  • ⚡ Fast & Lightweight: Built with Go and PocketBase
  • 🌐 RESTful API: Easy integration with any frontend
  • 📱 Stateless Design: No sessions or stored authentication tokens

🛡️ How Secure Is Your Data?

🔐 Your Data is Completely Private

Even if someone gains full access to the server, database, and all files, they CANNOT read your data without your passphrase.

Here's why:

🔒 Military-Grade Encryption
  • AES-256-GCM: The same encryption standard used by governments and banks
  • Authenticated Encryption: Prevents tampering - any modification of the stored ciphertext makes decryption fail instead of yielding altered data
  • Unique Per-Operation: Every note and file gets its own random salt and nonce
🔑 Zero-Knowledge Architecture
  • Server Cannot Decrypt: The server never sees your passphrase or decrypted data
  • No Master Keys: There are no "backdoors" or recovery mechanisms
  • Client-Side Key Derivation: Your passphrase becomes the encryption key using PBKDF2
🛡️ What Gets Stored
  ✅ Encrypted Data: [random_salt][random_nonce][encrypted_content]
  ✅ Passphrase Hash: SHA-256 hash for lookup (cannot be reversed)
  ✅ Metadata: File names, content types (not sensitive)

  ❌ Your Passphrase: NEVER stored anywhere
  ❌ Decrypted Content: NEVER touches the database
  ❌ Encryption Keys: Generated on-demand, never stored
🔍 Security Verification
  • Open Source: All encryption code is visible and auditable
  • Standard Libraries: Uses Go's crypto package (not custom crypto)
  • No Network Transmission: Decryption happens server-side; only encrypted data is ever written to the database
🚨 What This Means For You

  ✅ If the server is hacked: Your data remains encrypted and unreadable
  ✅ If the database is stolen: Attackers get encrypted gibberish
  ✅ If we're subpoenaed: We literally cannot provide your data
  ✅ If you forget your passphrase: Your data is permanently lost (by design)

⚠️ Your Responsibilities
  • Use a strong passphrase (prefer long and random; minimum 3 characters enforced by API)
  • Never share your passphrase with anyone
  • Use HTTPS in production (to protect passphrase in transit)
  • Keep backups if you want to preserve data
🔬 Technical Security Details
  • PBKDF2: 100,000 iterations with SHA-256 for key derivation
  • Random Generation: Uses crypto/rand for all random values
  • Memory Safety: Go prevents buffer overflows and memory leaks
  • Constant-Time Operations: Prevents timing attacks
  • No Logging: Passphrases and decrypted content never logged
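As an added example (not code from this project), here is the scheme the sections above describe in working Go: PBKDF2-HMAC-SHA256 with the stated 100,000 iterations, AES-256-GCM with a fresh random salt and nonce per operation, the [random_salt][random_nonce][encrypted_content] layout, a SHA-256 lookup hash, and a constant-time comparison of that hash. The 16-byte salt, GCM's 12-byte nonce and the hex-encoded lookup hash are assumptions about the project, and PBKDF2 is written out on top of crypto/hmac so the file needs nothing outside the standard library. Two points a deployer should take from it: the passphrase arrives in the request path and key derivation and decryption run in the server process (see "Security Verification"), so TLS is what protects it in transit, which is why "Use HTTPS in production" is listed above; and the lookup hash, while not reversible, is only as hard to guess as the passphrase itself, which is why the responsibilities list asks for long random passphrases rather than the 3-character minimum.

```go
package main

// Added example, not the project's code. Layout: [salt][nonce][ciphertext||tag].
// Assumptions not stated in the README: 16-byte salt, 12-byte GCM nonce,
// hex SHA-256 as the lookup hash. Iteration count (100,000) is from the README.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen          = 16      // assumption: the README does not give the salt length
	pbkdf2Iterations = 100_000 // from the README
	keyLen           = 32      // AES-256
)

var ErrMalformed = errors.New("blob too short to hold salt, nonce and GCM tag")

// pbkdf2SHA256 is plain RFC 8018 PBKDF2 with HMAC-SHA256 as the PRF, written
// inline so the example has no dependency outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	idx := make([]byte, 4)
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)               // U_1 = PRF(salt || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// newGCM derives the AES-256 key for this salt and wraps it in GCM.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh salt and nonce; every call yields a
// different blob even for identical input, as the README's "Unique Per-Operation" states.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong passphrase or any modified byte fails the GCM tag
// check, so the caller gets an error rather than altered plaintext.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, ErrMalformed
	}
	gcm, err := newGCM(passphrase, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	if len(blob) < saltLen+gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrMalformed
	}
	nonce := blob[saltLen : saltLen+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[saltLen+gcm.NonceSize():], nil)
}

// LookupHash is the stored identifier for a passphrase: preimage resistant,
// but no harder to guess than the passphrase it was computed from.
func LookupHash(passphrase string) string {
	sum := sha256.Sum256([]byte(passphrase))
	return hex.EncodeToString(sum[:])
}

// HashesEqual compares two lookup hashes without leaking where they differ.
func HashesEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

func main() {
	const pass = "correct horse battery staple" // constructed sample passphrase
	blob, err := Seal(pass, []byte("Secret content"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, lookup hash %s\n", len(blob), LookupHash(pass)[:16])
	pt, _ := Open(pass, blob)
	fmt.Printf("decrypted: %q\n", pt)
	blob[len(blob)-1] ^= 1 // flip one ciphertext bit
	_, err = Open(pass, blob)
	fmt.Println("after tampering:", err)
}
```

Running it prints the round trip and then the GCM authentication error after a single flipped bit; Open never returns partial or altered plaintext, which is the "any modification breaks decryption" property the README relies on.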

🚀 Quick Start

Prerequisites
  • Go 1.21 or higher
  • Git
Installation
  1. Clone the repository:

    git clone https://github.com/yourusername/secret-notes-go.git
    cd secret-notes-go
    
  2. Install dependencies:

    go mod download
    
  3. Run the server:

    go run main.go serve
    
  4. Access the API:

    • Server runs on http://localhost:8090
    • API endpoints available at /api/secretnotes/
    • Admin UI available at http://localhost:8090/_/

📖 API Documentation

Authentication

No traditional authentication required. All operations use a passphrase (minimum 3 characters) that serves as both identifier and encryption key.

Core Endpoints
Notes
  • GET /api/secretnotes/notes/{phrase} - Get or create note
  • POST /api/secretnotes/notes/{phrase} - Create new note
  • PATCH /api/secretnotes/notes/{phrase} - Update note
Files
  • POST /api/secretnotes/notes/{phrase}/image - Upload encrypted file
  • GET /api/secretnotes/notes/{phrase}/image - Download decrypted file
  • DELETE /api/secretnotes/notes/{phrase}/image - Delete file
Example Usage
    # Create a note
    curl -X POST "http://localhost:8090/api/secretnotes/notes/your-very-long-secure-passphrase-here" \
      -H "Content-Type: application/json" \
      -d '{"title":"My Note","message":"Secret content"}'

    # Upload a file
    curl -X POST "http://localhost:8090/api/secretnotes/notes/your-very-long-secure-passphrase-here/image" \
      -F "image=@document.pdf"

    # Download the file
    curl "http://localhost:8090/api/secretnotes/notes/your-very-long-secure-passphrase-here/image" \
      -o downloaded-document.pdf

πŸ—οΈ Architecture

.
β”œβ”€β”€ main.go                 # Main application entry point
β”œβ”€β”€ migrations/
β”‚   └── 001_init.go        # Database schema migrations
β”œβ”€β”€ models/
β”‚   β”œβ”€β”€ encrypted_file.go  # File model definitions
β”‚   └── note.go           # Note model definitions
β”œβ”€β”€ services/
β”‚   β”œβ”€β”€ encryption.go     # AES-256-GCM encryption service
β”‚   β”œβ”€β”€ file.go          # File handling service
β”‚   └── note.go          # Note management service
β”œβ”€β”€ middleware/
β”‚   └── validation.go    # Request validation middleware
β”œβ”€β”€ BACKEND_DOCS.md      # Detailed API documentation
└── FRONTEND_GUIDE.md    # Frontend integration guide

🔧 Configuration

Environment Variables
  • PORT: Server port (default: 8090)
  • DATA_DIR: Data directory for PocketBase (default: ./pb_data)
Production Deployment
  1. Use HTTPS: Always deploy behind HTTPS in production
  2. Secure Headers: Configure proper security headers
  3. Firewall: Restrict access to necessary ports only
  4. Backups: Regular backup of the pb_data directory
  5. Monitoring: Set up logging and monitoring

📚 Documentation

🧪 Development

Running Tests

    go test ./services/...

Database Reset

    rm -rf pb_data/
    go run main.go serve

Adding New Endpoints
  1. Add route in main.go
  2. Implement handler function
  3. Update documentation
  4. Add tests

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature-name
  3. Make your changes
  4. Add tests if applicable
  5. Update documentation
  6. Submit a pull request

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

⚠️ Security Considerations

  • Passphrase Strength: Use strong, unique passphrases (longer is better)
  • HTTPS Only: Never use over unencrypted connections in production
  • Regular Updates: Keep dependencies updated
  • Backup Security: Encrypt backups and store securely
  • Access Control: Implement proper network-level access controls

🆘 Support

For security issues, please see SECURITY.md.

For general questions and support:

  • Open an issue on GitHub
  • Check the documentation in BACKEND_DOCS.md
  • Review the frontend integration guide in FRONTEND_GUIDE.md

Built with ❤️ using Go and PocketBase

Documentation

There is no documentation for this package.

Directories

    Path     Synopsis
    cli      module
    cmd/sn   command
