# 🔥 SecureBurn

An ultra-minimalist, zero-dependency Node.js "PrivateBin" clone. It allows users to share encrypted secrets that self-destruct (burn) immediately after the first access.

# 🛡️ Security Model

- Zero-Knowledge Encryption: AES-256-GCM encryption happens entirely in the sender's browser.
- Privacy: The decryption key is stored in the URL after the `#` symbol (the fragment identifier).
- Blind Storage: Browsers do not send the URL fragment to the server. Therefore, the server only ever sees and stores encrypted binary data. It has no way to read your secrets.
- Self-Destruction: The server deletes the encrypted file from the disk the moment it is streamed to a recipient.

# 🚀 Getting Started

## Prerequisites

- Node.js (v16.0.0 or higher recommended)
- No package manager (npm/yarn) is required.

## Installation & Running

- Clone or copy the three files (`server.js`, `index.html`, `auth.json`) into a directory.
- Start the server:

```bash
node server.js
```

- Access the UI: Open http://localhost:3000 in your browser.

# 🛠️ Configuration

The application is designed to be plug-and-play. You can modify the constants at the top of `server.js`:

- `PORT`: The port the server listens on (default: 3000).
- `DATA_DIR`: Where encrypted blobs are stored (default: `./data`).
- `MAX_SIZE_BYTES`: Maximum secret size (default: 10MB).

# 📡 API Usage

You can create burn codes programmatically without using the web UI.

## Create a Secret

- Endpoint: `POST /api/secret`
- Body: Raw binary data (the encrypted payload).

Example using curl:

```bash
curl -X POST --data-binary "@encrypted_file.bin" http://localhost:3000/api/secret
```

Response (JSON):

```json
{ "id": "550e8400-e29b-41d4-a716-446655440000" }
```

# 📋 Features

- Zero Dependencies: Uses only native Node.js modules (`http`, `fs`, `crypto`, `path`).
- 10MB Capacity: Handles large text blocks or small files.
- One-Click Copy: Generated links are automatically copied to the clipboard.
- Mobile Friendly: Clean, responsive "chat-style" UI.
- Secure Erasure: Uses `fs.unlink` to ensure the file is removed from the filesystem after one read.

# ⚠️ Important Notes

- Persistence: Since it uses the file system, secrets will survive a server restart until they are burned.
- HTTPS: To use the Web Crypto API (`window.crypto`), this app must be served over HTTPS in production (except for localhost).

# Todo

- Tested only on macOS using Safari (not sure if it works on other platforms)
- Example of how to use the API (I think we need another script to also generate the JWT as well)
- Add some method to delete secrets that have not been accessed within a certain time frame.
- Add some method to expire secrets (e.g. when creating, maybe define how long they should be valid for)