Crusader99/standardnote-server

 
 

Lightweight StandardNotes Server

Portable and lightweight Golang implementation of the Standard Notes protocol for self-hosting.

Running your own server

Create a config file standardfile.yml:

address: "0.0.0.0:5000"
no_registration: false
show_real_version: false
database_path: "/etc/standardfile/database"
secret_key: jwt-development
session:
  secret: paseto-development
  access_token_ttl: 1440h
  refresh_token_ttl: 8760h
enable_subscription: true
files_server_url: "http://localhost:5000"

Setup requires Docker:

docker run -p 5000:5000 -v $(pwd)/db:/etc/standardfile/database:z -v $(pwd)/standardfile.yml:/etc/standardfile/standardfile.yml:z -it crusaders/standardnote-server

Done! You can register and log in using Standard Notes after configuring http://localhost:5000 as the custom server.

Build the image
  • Requires Earthly for containerized build: https://github.com/earthly/earthly
  • git clone https://github.com/Crusader99/standardnote-server.git
  • cd standardnote-server
  • earthly +build

Technologies / Frameworks

Differences from mdouchement's repository

Requires enable_subscriptions=true in the configuration file.
  • Experimental support for encrypted file upload/download: Current state is tracked in #93

  • Images are provided on DockerHub (including an aarch64 image for Raspberry Pi)

These features will be merged into mdouchement's repository once the pull requests are accepted.

Differences from reference implementation

Drop the POST request done on Extensions (backups too)

This feature is pretty undocumented and I feel uncomfortable about the outgoing traffic from my server to unknown URLs.

Drop V1 support

All the stuff used in v1 but not in v2 or v3

JWT revocation strategy after password update

The reference implementation uses a pw_hash claim to check whether the user has changed their password, and forbids access if they present an old JWT.

Here we revoke a JWT based on its iat claim and the User.PasswordUpdatedAt field. This looks safer than publicly exposing any sort of password material. See internal/server/middlewares/current_user.go
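
The iat-based check described above, as an added sketch that is not the code in internal/server/middlewares/current_user.go. It assumes HS256 tokens; the User struct, the seal, sign and checkToken helpers, the demo key and the truncate-to-the-second policy are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type User struct{ PasswordUpdatedAt time.Time } // hypothetical stand-in for the server's model
var b64 = base64.RawURLEncoding

func seal(key []byte, msg string) string { // msg + "." + base64url(HMAC-SHA256 tag)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

// sign builds a constructed sample JWT carrying only an iat claim.
func sign(key []byte, iat time.Time) string {
	claims := fmt.Sprintf(`{"iat":%d}`, iat.Unix())
	return seal(key, b64.EncodeToString([]byte(`{"alg":"HS256"}`))+"."+b64.EncodeToString([]byte(claims)))
}

// checkToken verifies the tag, then rejects tokens issued before the password change.
func checkToken(key []byte, token string, u User) error {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(token), []byte(seal(key, p[0]+"."+p[1]))) {
		return fmt.Errorf("malformed token or bad signature")
	}
	var c struct{ Iat *int64 `json:"iat"` }
	raw, _ := b64.DecodeString(p[1]) // a decode failure surfaces as a missing claim below
	if json.Unmarshal(raw, &c) != nil || c.Iat == nil {
		return fmt.Errorf("missing iat claim")
	}
	// iat has one-second resolution: truncate so a token issued in the same second is kept.
	if time.Unix(*c.Iat, 0).Before(u.PasswordUpdatedAt.Truncate(time.Second)) {
		return fmt.Errorf("revoked: issued before password update")
	}
	return nil
}

func main() {
	key, u := []byte("constructed-demo-key"), User{PasswordUpdatedAt: time.Now()}
	fmt.Println(checkToken(key, sign(key, u.PasswordUpdatedAt.Add(-time.Hour)), u))
}
```

Truncating means a token issued earlier in the same second as the password change also survives; comparing without truncation has the opposite failure, rejecting the token issued right after the change.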

Sessions use PASETO tokens instead of random tokens

Here we will be using PASETO to strengthen authentication to ensure that the tokens are issued by the server.

Not working yet

Contributing

All PRs are welcome.

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

License

This project is licensed under the MIT license.