10.1: bug fixes, ui & self-hosting improvements, better security (#775)

api/package.json

@@ -1,7 +1,7 @@
 {
  "name": "@imput/cobalt-api",
  "description": "save what you love",
- "version": "10.0.0",
+ "version": "10.1.0",
  "author": "imput",
  "exports": "./src/cobalt.js",
  "type": "module",

api/src/config.js

@@ -34,10 +34,15 @@ const env = {
 
  externalProxy: process.env.API_EXTERNAL_PROXY,
 
+ turnstileSitekey: process.env.TURNSTILE_SITEKEY,
  turnstileSecret: process.env.TURNSTILE_SECRET,
  jwtSecret: process.env.JWT_SECRET,
  jwtLifetime: process.env.JWT_EXPIRY || 120,
 
+ sessionEnabled: process.env.TURNSTILE_SITEKEY
+ && process.env.TURNSTILE_SECRET
+ && process.env.JWT_SECRET,
+
  enabledServices,
 }
 

api/src/core/api.js

@@ -49,6 +49,7 @@ export const runAPI = (express, app, __dirname) => {
  url: env.apiURL,
  startTime: `${startTimestamp}`,
  durationLimit: env.durationLimit,
+ turnstileSitekey: env.sessionEnabled ? env.turnstileSitekey : undefined,
  services: [...env.enabledServices].map(e => {
  return friendlyServiceName(e);
  }),
@@ -109,16 +110,14 @@ export const runAPI = (express, app, __dirname) => {
  if (!acceptRegex.test(req.header('Accept'))) {
  return fail(res, "error.api.header.accept");
  }
-
  if (!acceptRegex.test(req.header('Content-Type'))) {
  return fail(res, "error.api.header.content_type");
  }
-
  next();
  });
 
  app.post('/', (req, res, next) => {
- if (!env.turnstileSecret || !env.jwtSecret) {
+ if (!env.sessionEnabled) {
  return next();
  }
 
@@ -160,7 +159,7 @@ export const runAPI = (express, app, __dirname) => {
  });
 
  app.post("/session", async (req, res) => {
- if (!env.turnstileSecret || !env.jwtSecret) {
+ if (!env.sessionEnabled) {
  return fail(res, "error.api.auth.not_configured")
  }
 

web/i18n/en/a11y/save.json

@@ -1,5 +1,6 @@
 {
  "link_area": "link input area",
+ "link_area.turnstile": "link input area. checking if you're not a robot.",
  "clear_input": "clear input",
  "download": "download",
  "download.think": "processing the link...",

web/i18n/en/about.json

@@ -12,5 +12,19 @@
  "community.twitter": "news account on twitter",
  "community.github": "github repo",
  "community.email": "support email",
- "community.telegram": "news channel on telegram"
+ "community.telegram": "news channel on telegram",
+
+ "heading.general": "general terms",
+ "heading.licenses": "licenses",
+ "heading.summary": "best way to save what you love",
+ "heading.privacy": "leading privacy",
+ "heading.speed": "blazing speed",
+ "heading.community": "open community",
+ "heading.local": "on-device processing",
+ "heading.saving": "saving",
+ "heading.encryption": "encryption",
+ "heading.plausible": "anonymous traffic analytics",
+ "heading.cloudflare": "web privacy & security",
+ "heading.responsibility": "user responsibilities",
+ "heading.abuse": "reporting abuse"
 }

web/i18n/en/about/credits.md

@@ -0,0 +1,37 @@
+<script lang="ts">
+ import { contacts, docs } from "$lib/env";
+ import { t } from "$lib/i18n/translations";
+
+ import SectionHeading from "$components/misc/SectionHeading.svelte";
+</script>
+
+<section id="meowbalt">
+<SectionHeading
+ title={$t("general.meowbalt")}
+ sectionId="meowbalt"
+/>
+
+meowbalt is cobalt's speedy mascot. he is an extremely expressive cat that loves fast internet.
+
+all amazing drawings of meowbalt that you see in cobalt were made by [GlitchyPSI](https://glitchypsi.xyz/).
+he is also the original designer of the character.
+
+you cannot use or modify GlitchyPSI's artworks of meowbalt without his explicit permission.
+
+you cannot use or modify the meowbalt character design commercially or in any form that isn't fan art.
+</section>
+
+<section id="licenses">
+<SectionHeading
+ title={$t("about.heading.licenses")}
+ sectionId="licenses"
+/>
+
+cobalt processing server is open source and licensed under [AGPL-3.0]({docs.apiLicense}).
+
+cobalt frontend is [source first](https://sourcefirst.com/) and licensed under [CC-BY-NC-SA 4.0]({docs.webLicense}).
+we decided to use this license to stop grifters from profiting off our work & from creating malicious clones that deceive people and hurt our public identity.
+
+we rely on many open source libraries, create & distribute our own.
+you can see the full list of dependencies on [github]({contacts.github}).
+</section>

web/i18n/en/about/general.md

@@ -0,0 +1,79 @@
+<script lang="ts">
+ import { t } from "$lib/i18n/translations";
+ import { partners, contacts, docs } from "$lib/env";
+
+ import SectionHeading from "$components/misc/SectionHeading.svelte";
+</script>
+
+<section id="saving">
+<SectionHeading
+ title={$t("about.heading.summary")}
+ sectionId="saving"
+/>
+
+cobalt lets you save anything from your favorite websites: video, audio, photos or gifs — cobalt can do it all!
+
+no ads, trackers, or paywalls, no nonsense. just a convenient web app that works everywhere.
+</section>
+
+<section id="privacy">
+<SectionHeading
+ title={$t("about.heading.privacy")}
+ sectionId="privacy"
+/>
+
+all requests to backend are anonymous and all tunnels are encrypted.
+we have a strict zero log policy and don't track *anything* about individual people.
+
+to avoid caching or storing downloaded files, cobalt processes them on-the-fly, sending processed pieces directly to client.
+this technology is used when your request needs additional processing, such as when source service stores video & audio in separate files.
+
+for even higher level of protection, you can [ask cobalt to always tunnel everything](/settings/privacy#tunnel).
+when enabled, cobalt will proxy everything through itself. no one will know what you download, even your network provider/admin.
+all they'll see is that you're using cobalt.
+</section>
+
+<section id="speed">
+<SectionHeading
+ title={$t("about.heading.speed")}
+ sectionId="speed"
+/>
+
+since we don't rely on any existing downloaders and develop our own from ground up,
+cobalt is extremely efficient and a processing server can run on basically any hardware.
+
+main processing instances are hosted on several dedicated servers in several countries,
+to reduce latency and distribute the traffic.
+
+we constantly improve our infrastructure along with our long-standing partner, [royalehosting.net]({partners.royalehosting})!
+you're in good hands, and will get what you need within seconds.
+</section>
+
+<section id="community">
+<SectionHeading
+ title={$t("about.heading.community")}
+ sectionId="community"
+/>
+
+cobalt is used by countless artists, educators, and content creators to do what they love.
+we're always on the line with our community and work together to create even more useful tools for them.
+feel free to [join the conversation](/about/community)!
+
+we believe that the future of the internet is open, which is why cobalt is [source first](https://sourcefirst.com/) and [easily self-hostable]({docs.instanceHosting}). you can [check the source code & contribute to cobalt]({contacts.github})
+at any time, we welcome all contributions and suggestions.
+
+you can use any processing instances hosted by the community, including your own.
+if your friend hosts one, just ask them for a domain and [add it in instance settings](/settings/instances#community).
+</section>
+
+<section id="local">
+<SectionHeading
+ title={$t("about.heading.local")}
+ sectionId="local"
+/>
+
+new features, such as [remuxing](/remux), work on-device.
+on-device processing is efficient and never sends anything over the internet.
+it perfectly aligns with our future goal of moving as much processing as possible to client.
+
+</section>

web/i18n/en/about/privacy.md

@@ -0,0 +1,76 @@
+<script lang="ts">
+ import env from "$lib/env";
+ import { t } from "$lib/i18n/translations";
+
+ import SectionHeading from "$components/misc/SectionHeading.svelte";
+</script>
+
+<section id="general">
+<SectionHeading
+ title={$t("about.heading.general")}
+ sectionId="general"
+/>
+
+cobalt's privacy policy is simple: we don't collect or store anything about you. what you do is solely your business, not ours or anyone else's.
+
+these terms are applicable only when using the official cobalt instance. in other cases, you may need to contact the hoster for accurate info.
+</section>
+
+<section id="local">
+<SectionHeading
+ title={$t("about.heading.local")}
+ sectionId="local"
+/>
+
+tools that use on-device processing work offline, locally, and never send any data anywhere. they are explicitly marked as such whenever applicable.
+</section>
+
+<section id="saving">
+<SectionHeading
+ title={$t("about.heading.saving")}
+ sectionId="saving"
+/>
+
+when using saving functionality, in some cases cobalt will encrypt & temporarily store information needed for tunneling. it's stored in processing server's RAM for 90 seconds and irreversibly purged afterwards. no one has access to it, even instance owners, as long as they don't modify the official cobalt image.
+
+processed/tunneled files are never cached anywhere. everything is tunneled live. cobalt's saving functionality is essentially a fancy proxy service.
+</section>
+
+<section id="encryption">
+<SectionHeading
+ title={$t("about.heading.encryption")}
+ sectionId="encryption"
+/>
+
+temporarily stored tunnel data is encrypted using the AES-256 standard. decryption keys are only included in the access link and never logged/cached/stored anywhere. only the end user has access to the link & encryption keys. keys are generated uniquely for each requested tunnel.
+</section>
+
+{#if env.PLAUSIBLE_ENABLED}
+<section id="plausible">
+<SectionHeading
+ title={$t("about.heading.plausible")}
+ sectionId="plausible"
+/>
+
+for sake of privacy, we use [plausible's anonymous traffic analytics](https://plausible.io/) to get an approximate number of active cobalt users. no identifiable information about you or your requests is ever stored. all data is anonymized and aggregated. the plausible instance we use is hosted & managed by us.
+
+plausible doesn't use cookies and is fully compliant with GDPR, CCPA, and PECR.
+
+[learn more about plausible's dedication to privacy.](https://plausible.io/privacy-focused-web-analytics)
+
+if you wish to opt out of anonymous analytics, you can do it in <a href="/settings/privacy#analytics">privacy settings</a>.
+</section>
+{/if}
+
+<section id="cloudflare">
+<SectionHeading
+ title={$t("about.heading.cloudflare")}
+ sectionId="cloudflare"
+/>
+
+we use cloudflare services for ddos & bot protection. we also use cloudflare pages for deploying & hosting the static web app. all of these are required to provide the best experience for everyone. it's the most private & reliable provider that we know of.
+
+cloudflare is fully compliant with GDPR and HIPAA.
+
+[learn more about cloudflare's dedication to privacy.](https://www.cloudflare.com/trust-hub/privacy-and-data-protection/)
+</section>