WIP: v3 (#112)

* feat: encode secret as webpack instead of json+base64

* test: add msgpack deserialization failure tests for Payload

* test: add serialize tests verifying msgpack byte format

* remove usage of deprecated decode_bytes function

* docs: update API.md to document MessagePack payload encoding

* docs: update base64-encoding.md to reflect MessagePack serialization

* docs: update openapi.yaml to reflect MessagePack payload format

* chore: bump version to 3.0.0

* feat: PayloadData does now also have data in bytes instead of base64 encoded string in typescript implementation

* feat: encode to messagepack in typescript

* fix: fix tests

* fix: secrets send by CLI could not be parsed

* fix: allow either array or uint8array for data

* feat: replace UUID by ULID

* fix: fix tests replacing UUIDs with ULIDs

* fix: add v4 feature for uuid to use UUIDs as request IDs

* chore(nix): update cargo hash

* doc: add breaking changes to readme

Author: czerwonk

Cargo.lock

@@ -10,7 +10,7 @@ members = [
 ]
 
 [workspace.dependencies]
-hakanai-lib = { path = "lib", version = "2.20.4" }
+hakanai-lib = { path = "lib", version = "3.0.0" }
 
 [profile.release]
 opt-level = "z"

Cargo.toml

@@ -25,6 +25,10 @@ Hakanai embodies the Japanese concept of transience - secrets that exist only fo
 
 **Enhanced Security Mode**: With `--separate-key`, the secret URL and decryption key are provided separately, allowing you to share them through different communication channels for defense in depth.
 
+## Breaking Changes
+
+With version 3.x hakanai has switched from using UUIDs as secret identifiers to ULIDs. This allows for shorter URLs. Secret URLs created with previous versions below 3.x will not work anymore. Also the secret storage format has changed. Secrets are now encoded using MessagePack instead of JSON. This change reduces secret size significantly since binary data has not to be base64-encoded anymore.
+
 ## Quick Start
 
 ### Docker Compose (Recommended)
@@ -74,13 +78,13 @@ echo "restricted secret" | hakanai send --allow-ip 192.168.1.0/24 --allow-countr
 
 ```bash
 # Get using the URL returned by send
-hakanai get https://hakanai.example.com/s/uuid-here
+hakanai get https://hakanai.example.com/s/ulid-here
 
 # Get with separate key (when --separate-key was used)
-hakanai get https://hakanai.example.com/s/uuid-here --key base64-key
+hakanai get https://hakanai.example.com/s/ulid-here --key base64-key
 
 # Save to custom location
-hakanai get https://hakanai.example.com/s/uuid-here --output-dir /downloads/
+hakanai get https://hakanai.example.com/s/ulid-here --output-dir /downloads/
 ```
 
 ### Web Interface

README.md

@@ -81,7 +81,7 @@ Hakanai implements a zero-knowledge architecture where:
 #### Application Security (Built-in)
 
 - **Authentication**: Token-based with SHA-256 hashing
-- **Input Validation**: UUID format validation, size limits
+- **Input Validation**: ULID format validation, size limits
 - **CORS Policy**: Restrictive by default
 - **Security Headers**: X-Frame-Options, X-Content-Type-Options, HSTS
 - **Memory Safety**: Sensitive data zeroized after use