1. You list “Activist/journalist secure communication” as a use case. Not all countries have freedom of press.

Is that an inaccurate claim? It should provide the means to organize and communicate securely…to the extent Tor is secure, and if your using the official Tor browser, web crypto can be utilized for group and 1-1s for an additional layer of encryption. I thought it was a fine claim. It should be able to handle quite a few people messaging all at once on the PI varient.

2. Looks like you name images based on a random uuid, so that should protect against filename attacks. But if you do have a filename you can tell whether the image has been an image or not.

How would you ever discover a filename?

If you did have a filename and the exact url to the image you would need to be logged in as a valid user, and the person who shared the photo would have needed to allow access to their profile.

Even if you have the correct link, if those two conditions arnt satisfied you will not be able to view.

Also, looks like all uploads are converted to jpg, regardless as to whether the original image was a jpg (or even an image) or not. Don’t do that.

This was a design choice to have consistency in filetypes. What’s the downside? All browsers will support displaying a jpg.

3. Can you point to where in code this invariant is enforced?

Which part are you talking about? The image compression is defined as the compress and store function.

The “API reference” in the readme goes into further specifics on how this works with flask.

Everything except the login page, registration link will behind these two checks see (def login) where the @loginrequired logic is defined for each of the app routes.