UndefinedLabs.tech

Personal ShareX hosting app:

• Blazor Server (.NET 9) frontend + API
• Self-hosted Convex backend for metadata and storage
• Real-time admin dashboard via Convex WebSocket subscriptions (Convex.Client + Convex.Client.Blazor)

Note

Fully "Vibe Engineered" repo, I have a blog post on my blog if interested in reading how this was built.

Features

• ShareX upload endpoints:
  • POST /i/ (image multipart)
  • POST /f/ (file multipart)
  • POST /t/ (form field text)
• Public view pages:
  • /i/{slug}, /f/{slug}, /t/{slug}
• Image content endpoint (cached, ETag, range requests):
  • GET /content/i/{slug}
• Public download endpoints:
  • /download/i/{slug}, /download/f/{slug}, /download/t/{slug}
• Admin pages:
  • /admin, /admin/dashboard, /admin/images, /admin/files, /admin/texts, /admin/tools
  • Dashboard and per-type admin pages use real-time Convex WebSocket subscriptions (stats update live without refresh)

Security Controls

App-level abuse protection

• ASP.NET Core built-in AddRateLimiter with route-aware global partitions:
  • Upload endpoints (per-IP)
  • Public view pages (per-IP + slug)
  • Download endpoints (per-IP + slug)
  • Admin login (per-IP, stricter window)
• Returns 429 with JSON error body on rejection.

Upload/resource hardening

• Configurable max upload size per type:
  • Images: MAX_IMAGE_MB (default 20)
  • Files: MAX_FILE_MB (default 100)
  • Text: MAX_TEXT_KB (default 1024)
• Streamed upload/download handling to avoid large in-memory buffering.
• Existing rollback-safe cleanup flow remains in place.

Admin auth hardening

• ADMIN_PASSWORD_HASH (PBKDF2-SHA256 format; random temporary password if not set).
• SHAREX_AUTH_KEY_HASH (PBKDF2-SHA256 format; random temporary key if not set).
• Startup logs warn when defaults are active and print the temporary values plus sample hashes.
• Generate hashes via /admin/tools.
• Session cookie hardening:
  • HttpOnly
  • SameSite=Strict
  • Secure in non-development
• Anti-forgery validation on /admin/login and /admin/logout.
• Optional admin IP allowlist (ADMIN_IP_ALLOWLIST).

Proxy/IP trust model

• TRUSTED_PROXY_IPS controls which reverse proxies are trusted for forwarded IP headers.
• If not configured in production, direct connection IP is used and a warning is logged.

Logging

• Structured logs are emitted to container stdout/stderr (JSON console formatter).
• In Dokploy, view these logs directly in the service logs panel.

Environment Variables

Required

• CONVEX_URL
• CONVEX_ADMIN_KEY
• INTERNAL_API_SECRET
• PUBLIC_BASE_URL

Auth (random temporary value if not set)

• ADMIN_PASSWORD_HASH (PBKDF2-SHA256)
• SHAREX_AUTH_KEY_HASH (PBKDF2-SHA256)

Optional security settings

• TRUSTED_PROXY_IPS
• ADMIN_IP_ALLOWLIST
• RATE_LIMIT_UPLOAD_PER_MINUTE (default 20)
• RATE_LIMIT_VIEW_PER_MINUTE_PER_SLUG (default 60)
• RATE_LIMIT_DOWNLOAD_PER_MINUTE_PER_SLUG (default 30)
• RATE_LIMIT_ADMIN_LOGIN_PER_15MIN (default 5)
• MAX_IMAGE_MB (default 20)
• MAX_FILE_MB (default 100)
• MAX_TEXT_KB (default 1024)

Generate Credential Hashes

Both ADMIN_PASSWORD_HASH and SHAREX_AUTH_KEY_HASH use PBKDF2-SHA256 format: pbkdf2$sha256$<iterations>$<saltBase64>$<hashBase64>

The easiest way to generate hashes is via the admin Tools page at /admin/tools.

Alternatively, use PowerShell:

$password = "replace-me"
$iterations = 210000
$salt = [byte[]]::new(16)
[System.Security.Cryptography.RandomNumberGenerator]::Fill($salt)
$hash = [System.Security.Cryptography.Rfc2898DeriveBytes]::Pbkdf2(
    [System.Text.Encoding]::UTF8.GetBytes($password),
    $salt,
    $iterations,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    32
)
"pbkdf2`$sha256`$$iterations`$$( [Convert]::ToBase64String($salt) )`$$( [Convert]::ToBase64String($hash) )"

Local Development

dotnet restore
dotnet build
dotnet test
dotnet run --project src/UndefinedLabs/UndefinedLabs.csproj

Then sign in at /admin.

CI/CD

GitHub Actions (.github/workflows/deploy.yml) runs on every push to master and on PRs:

1. Restore, build, and test the .NET solution
2. On master pushes only: build the Docker image and push to ghcr.io/kyle-undefined/undefinedlabs.tech

The image is tagged with latest and the short commit SHA.

Dokploy pulls the latest image from GHCR for deployment.

Docker (local)

docker build -t undefinedlabs .
docker run --env-file .env -p 8080:8080 undefinedlabs

• Dockerfile runs the .NET app on port 8080.

ShareX Templates

• sharex/undefinedlabs-image.sxcu
• sharex/undefinedlabs-file.sxcu
• sharex/undefinedlabs-text.sxcu

Update each with:

• your domain
• Authorization bearer key (the plaintext key that was hashed into SHAREX_AUTH_KEY_HASH)

Recommended Edge Layer (Cloudflare)

• Enable bot mitigation (Bot Fight Mode or managed bot protections).
• Add rate-limit rules for:
  • POST /i/, /f/, /t/
  • GET /download/*
  • GET /i/*, /f/*, /t/*
  • POST /admin/login (strictest)

App-level limits should stay enabled even with edge protections.

Future Auth Upgrade

• Current setup is intentionally single-user local auth.
• If needed later, move admin auth to Authentik (forward-auth or OIDC) and keep app endpoints unchanged.