From 89a7c33adb71b28afa3099bb9252e2af18c8eccf Mon Sep 17 00:00:00 2001
From: ComputerTech <computertech312@gmail.com>
Date: Thu, 26 Mar 2026 21:27:52 +0000
Subject: [PATCH] Fix plaintext POST pastes rendering without encryption key

---
 app.py              | 15 +++++++++++++--
 templates/view.html | 11 ++++++++---
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/app.py b/app.py
index e4b6533..21d5914 100644
--- a/app.py
+++ b/app.py
@@ -4,7 +4,7 @@ import re
 import sqlite3
 import uuid
 import datetime
-from flask import Flask, render_template, request, jsonify, abort
+from flask import Flask, render_template, request, jsonify, abort, Response
 
 # ── Load configuration ────────────────────────────────────────────────────────
 
@@ -162,9 +162,20 @@ def view_paste(paste_id):
 @app.route('/<paste_id>/raw')
 def view_paste_raw(paste_id):
     paste = _get_paste_or_abort(paste_id)
+    stored = paste['encrypted_data']
+
+    # Plaintext pastes are stored as a JSON object; return the content directly.
+    if not re.match(r'^[A-Za-z0-9_-]+:[A-Za-z0-9_-]+$', stored):
+        try:
+            data = json.loads(stored)
+            return Response(data.get('content', ''), mimetype='text/plain; charset=utf-8')
+        except (json.JSONDecodeError, TypeError):
+            pass
+
+    # Encrypted paste — return the raw ciphertext blob for API consumers.
     return jsonify({
         'id':             paste['id'],
-        'encrypted_data': paste['encrypted_data'],
+        'encrypted_data': stored,
         'created_at':     paste['created_at'],
         'expires_at':     paste['expires_at'],
         'views':          paste['views'],
diff --git a/templates/view.html b/templates/view.html
index 3624171..751bfe2 100644
--- a/templates/view.html
+++ b/templates/view.html
@@ -27,7 +27,6 @@
 {% block scripts %}
 <script>
 let _decryptedPaste = null;
-const E2E = {{ cfg.features.encrypt_pastes | tojson }};
 
 (async function () {
     let rawPayload;
@@ -38,7 +37,12 @@ const E2E = {{ cfg.features.encrypt_pastes | tojson }};
         return;
     }
 
-    if (E2E) {
+    // Detect format from the data itself, not from the config flag.
+    // Encrypted pastes are stored as "base64url:base64url"; plaintext pastes
+    // are stored as a JSON object string.
+    const isEncrypted = typeof rawPayload === 'string' && /^[A-Za-z0-9_-]+:[A-Za-z0-9_-]+$/.test(rawPayload);
+
+    if (isEncrypted) {
         const keyBase64 = window.location.hash.slice(1);
         if (!keyBase64) {
             showError('No Key', 'The decryption key is missing from the URL. Use the full link including the # part.');
@@ -53,8 +57,9 @@ const E2E = {{ cfg.features.encrypt_pastes | tojson }};
             return;
         }
     } else {
+        // Plaintext paste — rawPayload is already the parsed JSON object.
         try {
-            _decryptedPaste = JSON.parse(rawPayload);
+            _decryptedPaste = typeof rawPayload === 'object' ? rawPayload : JSON.parse(rawPayload);
         } catch (e) {
             showError('Bad Data', 'Could not parse paste data.');
             return;