~bsprague/upcode

Simple web tool for QR code-authenticated file transfers.

Clone (read-only): https://git.sr.ht/~bsprague/upcode
Clone (read/write): git@git.sr.ht:~bsprague/upcode

# Upcode

A tool for instantly sharing files between two devices.

The process looks like:

  1. On recipient device, open the site at /
    • It will display a QR code
  2. Scan the QR code on the sending device
    • It will take you to a page with a file dialog
  3. Select files and hit Upload
  4. The files will be sequentially transferred.

# Why?

Frequently I want to transfer photos from my phone to my laptop. I used to just upload them to Drive, but that process was always clunky and annoying.

I know there are other (and better) solutions, like Syncthing, but I just wanted a simple, no-frills, instant way to transfer a file that didn't involve downloading apps, running daemons, signing in, etc.

# How does it work?

Visiting the main page (i.e. /) generates a random 32-byte ID, which is encoded in the QR code. That QR code points to /upload?id=<id>, which is where the sender can upload a file. The receiver has a WebSocket open which waits for the sender to start uploading, at which point the receiver is redirected to /download?id=<id>&name=<filename>.

Then the magic happens! Sender and receiver are connected via in-memory pipes, so the data never touches disk (besides what Go does behind the scenes with temp files for multipart uploads).

In my experience, the data transfer is pretty fast: I was getting 1 MB/s transfer speeds with a proxy server hosted a few hundred miles away, and I get even higher speeds over my Tailscale network.

# Is this secure?

Depends! If you host it behind an HTTPS proxy (which you really, really should), then the file is encrypted on the wire. The file is not "end-to-end encrypted": the server handles the plaintext and could store a copy of your file, but the code can be inspected to assuage such fears.

As always, don't send arbitrarily sensitive information to random people's servers. Risk and security are contextual.

# TODO

  • Don't allow specifying the name query parameter on /download
    • We can just keep it on the server; otherwise we open ourselves up to weird client manipulations.
  • Clean up resources in non-happy path scenarios
  • Maybe add a link on the / page with the QR code, for other methods of sharing
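
An added sketch (not Upcode's own code) of the hand-off from "How does it work?" with the first TODO item applied: the ID is 32 bytes from crypto/rand, the filename is stored on the server when the upload starts, and each ID can be uploaded to and claimed only once. Every function and variable name here is hypothetical.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"path"
	"sync"
)

type transfer struct {
	name string         // recorded at upload time, never read from the /download query
	r    *io.PipeReader // receiver's end of the in-memory pipe
}
var waiting, uploading sync.Map // hypothetical state: IDs shown as QR codes; uploads in flight

// register mints the 32-byte ID for the QR code (64 hex characters) and remembers it.
func register() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := fmt.Sprintf("%x", b)
	waiting.Store(id, true)
	return id
}

// startUpload accepts only an ID that register issued and nobody has used yet.
func startUpload(id, clientName string) (io.WriteCloser, bool) {
	if _, ok := waiting.LoadAndDelete(id); !ok {
		return nil, false
	}
	r, w := io.Pipe()
	uploading.Store(id, &transfer{name: path.Base(clientName), r: r})
	return w, true
}

// claim hands over the stored name and pipe exactly once, then forgets the ID.
func claim(id string) (*transfer, bool) {
	v, ok := uploading.LoadAndDelete(id)
	t, _ := v.(*transfer)
	return t, ok
}

func main() {
	id := register()
	startUpload(id, "../../holiday.jpg") // constructed sample filename
	t, ok := claim(id)
	fmt.Println(len(id), t.name, ok)
}
```

Because both lookups delete the entry atomically, a guessed, replayed or already-claimed ID is rejected without holding a lock across the transfer.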