From 73739b5bc47faee27849f77e2e90e4ed02205c47 Mon Sep 17 00:00:00 2001
From: blek <me@blek.codes>
Date: Mon, 9 Oct 2023 20:13:07 +1000
Subject: [PATCH] add file password security notice

---
 filed/src/web/pages.rs                | 22 ++++++++++
 filed/templates/index.html            | 33 +++++++++++----
 filed/templates/passworded-files.html | 59 +++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 9 deletions(-)
 create mode 100644 filed/templates/passworded-files.html

diff --git a/filed/src/web/pages.rs b/filed/src/web/pages.rs
index 6bf88ad..19339ad 100644
--- a/filed/src/web/pages.rs
+++ b/filed/src/web/pages.rs
@@ -31,6 +31,13 @@ pub struct Uploaded {
     pub env: Env
 }
 
+#[derive(Template)]
+#[template( path = "passworded-files.html" )]
+#[allow(dead_code)]
+pub struct PasswordedFilesHelpPage {
+    pub env: Env
+}
+
 
 pub async fn uploaded(query: HashMap<String, String>, state: SharedState) -> Result<Html<String>, Rejection> {
 
@@ -67,7 +74,22 @@ pub fn index_f(state: SharedState) -> impl Filter<Extract = impl Reply, Error =
         .and_then(index)
 }
 
+pub async fn passworded(state: SharedState) -> Result<Html<String>, Rejection> {
+    let rendered = PasswordedFilesHelpPage {
+        env: state.env.clone()
+    };
+    Ok(warp::reply::html(rendered.render().map_err(|err| warp::reject::custom(HttpReject::AskamaError(err)))?))
+}
+
+pub fn passworded_f(state: SharedState) -> impl Filter<Extract = impl Reply, Error = Rejection> + Clone {
+    warp::path!("password-files")
+        .and(warp::path::end())
+        .map(move || state.clone())
+        .and_then(passworded)
+}
+
 pub fn get_routes(state: SharedState) -> impl Filter<Extract = impl Reply, Error = Rejection> + Clone {
     index_f(state.clone())
         .or(uploaded_f(state.clone()))
+        .or(passworded_f(state))
 }
\ No newline at end of file
diff --git a/filed/templates/index.html b/filed/templates/index.html
index b147042..a6777b9 100644
--- a/filed/templates/index.html
+++ b/filed/templates/index.html
@@ -42,15 +42,30 @@
                             <input style="max-width:100px" id='bfile-formupload-file-name' type="text" name="filename" placeholder="file.txt"></input>
                         </span>
                     </p>
-                    <p>
-                        <label>
-                            <input type="checkbox" name="passworded">
-                        </label>
-                        <label>
-                            I want to add a password to the file:
-                            <input type="password" name="password" style="max-width:90px">
-                        </label>
-                    </p>
+                    <table>
+                        <tbody>
+                            <tr>
+                                <td>
+                                    <label>
+                                        <input type="checkbox" name="passworded">
+                                        I want to add a password to the file:
+                                    
+                                        <span style="font-size:80%;display:block;padding:2px 0 0 24px">
+                                            Warning: the file WILL NOT be encrypted.<br/>
+                                            <a href="/passworded-files">
+                                                Learn more
+                                            </a>
+                                        </span>
+                                    </label>
+                                </td>
+                                <td style="padding-left:4px">
+                                    <label>
+                                        <input type="password" name="password" style="max-width:90px">
+                                    </label>
+                                </td>
+                            </tr>
+                        </tbody>
+                    </table>
                     <p>
                         <input type="file" name="file" id="bfile-formupload-file" style="display: none" />
                         <label for="bfile-formupload-file">
diff --git a/filed/templates/passworded-files.html b/filed/templates/passworded-files.html
new file mode 100644
index 0000000..435151e
--- /dev/null
+++ b/filed/templates/passworded-files.html
@@ -0,0 +1,59 @@
+{% extends "base.html" %}
+
+{% block body %}
+
+
+<div style="max-width:95vw;width:900px;margin:0 auto;line-height:16pt">
+    <h1 style="text-align:center">Password-protected file uploads</h1>
+
+    <p>
+        When uploading a file to blek! File, you may add a password to it, if it has confidential data.
+    </p>
+
+    <p>
+        However, be aware that even though the file won't be sent unless the user provides a password,
+
+        <b>the instance owner will still be able to see the file contents without a password.</b>
+    </p>
+
+    <h2>Why can't the site encrypt it for me?</h2>
+    <p>
+        There is a number of reasons why that is a stupid idea.
+    </p>
+    <ol style="list-style:decimal;padding-left:12px;">
+        <li>
+            This site's only purpose is to store files for short periods of time.
+            It doesnt include "storing the files securely", or encrypting them.
+        </li>
+        <li>
+            When the encryption happens server-side, there is a risk that the password could be logged.
+        </li>
+    </ol>
+
+    <h2>How do I encrypt a file, then?</h2>
+    <p>
+        Its dead simple: download a program for encrypting files on your computer and use it to handle
+        all encryption operations.
+    </p>
+    <p>
+        As for the encryption program, it is recommended to use
+        <a href='https://gnupg.org'>GnuPG</a>
+        (
+            <a href="https://gpg4win.org">Windows</a>
+            <a href="https://openkeychain.org">Android</a>
+        ).
+
+        <a href="https://www.openpgp.org/software/kleopatra">
+            Kleopatra
+        </a>
+        is a cross-platform easy to use GUI for GPG.
+    </p>
+
+    <p style="margin-top:40px">
+        <a role='button' href="/" class="btn" style="display:block">
+            Go back to upload
+        </a>
+    </p>
+</div>
+
+{% endblock %}
\ No newline at end of file