{"id":17601268,"url":"https://github.com/sam-martin/ephemera","last_synced_at":"2025-07-18T09:33:27.001Z","repository":{"id":57764487,"uuid":"42363884","full_name":"Sam-Martin/Ephemera","owner":"Sam-Martin","description":"One time secret distribution","archived":false,"fork":false,"pushed_at":"2019-05-16T16:19:36.000Z","size":361,"stargazers_count":18,"open_issues_count":2,"forks_count":8,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-30T07:49:23.629Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Sam-Martin.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-09-12T16:19:18.000Z","updated_at":"2023-02-24T22:16:17.000Z","dependencies_parsed_at":"2022-08-22T18:20:58.971Z","dependency_job_id":null,"html_url":"https://github.com/Sam-Martin/Ephemera","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sam-Martin%2FEphemera","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sam-Martin%2FEphemera/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sam-Martin%2FEphemera/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sam-Martin%2FEphemera/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Sam-Martin","download_url":"https://codeload.github.com/Sam-Martin/Ephemera/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":2
51666226,"owners_count":21624290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-22T12:09:20.997Z","updated_at":"2025-04-30T07:49:30.427Z","avatar_url":"https://github.com/Sam-Martin.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ephemera - One Time Secret Distribution\n [![GitHub license](http://i.imgur.com/fkMVzNe.png)]() [![Build Status](https://ci.appveyor.com/api/projects/status/9cgvg2f1y0oolleg/branch/master?svg=true)](https://ci.appveyor.com/project/Sam-Martin/ephemera)  \n ![Screenshot](http://i.giphy.com/l41lHcOVaBJnKnbEs.gif)  \nThis repository contains the Node.js, HTML, JavaScript, and supporting [Serverless](https://github.com/serverless/serverless) definition to upload secrets securely to DynamoDB and deliver a one-time URL back to the user.\n## Demo\n[Ephemera Demo](http://ephemera.sammart.in/)  \nAll secrets submitted here are deleted after 24hrs, and for obvious security reasons do not use this as a hosted secret transfer solution!\n\n## Setup\nEither use `invoke-psake` or:\n\n```\nnpm install serverless -g\nnpm install serverless-s3-sync --save\nserverless deploy\n```\n\n**IMPORTANT:** You will need to tweak `config.yml` to make bucket names etc. unique.\n\n## Overview  \nEphemera is a one-time secret transfer tool intended to help you in the transition from legacy tools which do not allow secure secret communication (e.g. via password reset URLs or key fingerprints).  
\nIt is intended to be simple enough to be audited by someone with a basic understanding of JavaScript and AWS to validate that it is a non-malicious method for password transfer that you can set up in your own AWS account.  \nIt is not intended to be a replacement for proper user-centric secret management, but merely a transitional phase to help eradicate secrets attached to plaintext emails.  \nThis project is currently functional but needs work to add unit tests etc.\n\n## How it Works\nEphemera uses five components\n\n1. AWS S3 for website hosting\n2. AWS Lambda for GUID creation and secret management\n3. AWS API Gateway as a front-end for Lambda allowing the JavaScript from the S3 website to add/retrieve secrets\n4. AWS DynamoDB for secret storage\n5. AWS KMS for secret encryption\n\nThe user is presented with a website that gives them the option to upload a text secret.\n\n### Uploading a Secret\nWhen uploading a text secret, the user submits the secret via a text box, the contents of which are submitted to the API Gateway `addTextSecret` method. This method generates a GUID and saves the secret in the private S3 bucket with that GUID as its key. The method then returns the GUID combined with the specified websiteURL for the address of the secret return page which the user can then give to the person they wish to transmit the secret to.\n\n### Retrieving a Secret\nWhen a user clicks on a one-time URL, the JavaScript on the page recognises that the URL contains a GUID and then calls the API Gateway `getSecret` method submitting that GUID for retrieval. The return of this method includes the secret which is displayed for the user.\n\n## HTTPS Support\nEphemera uses client-side JavaScript to connect over HTTPS to API Gateway for adding and accessing secrets. It is therefore not absolutely mandatory to enable HTTPS on the S3 website, but this can be done if desired using the `use_https_ui` setting in `config.yml`. 
This will additionally create an AWS CloudFront distribution to front the S3 Website and update the S3 Bucket Policy accordingly.\n\n**NOTE:** You will need to request or import an SSL Certificate in ACM in the `us-east-1` Region (See https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html) before enabling the HTTPS feature, and add the resultant ACM Certificate `Identifier` to the `acm_certificate_id` setting.\n\n## Contributing\nPlease feel free to submit pull requests of any type, whether they're bugfixes, test improvements, new features, anything!  \nJust make sure that if it necessitates a new AWS resource you represent it in the Terraform templates and that it does not require per hour services (e.g. EC2 or ECS).\n\n## Author\nAuthor:: Sam Martin (\u003csamjackmartin@gmail.com\u003e)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsam-martin%2Fephemera","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsam-martin%2Fephemera","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsam-martin%2Fephemera/lists"}