Suggestion for a way to improve folder sharing..

I should preface this with the fact that I don’t have the time or experience to code this myself, so if someone wants this, they’ll have to find somebody else who can.

In light of recent discussions with some of my friends (who I have yet to convince to try Syncthing, partly because it’s a bit of a pain to share files with) and a recently opened feature request in the issue tracker, I think I’ve come up with a solution that should (in theory) work for most people who want to quickly share folders.

The general idea is pretty simple, the individual who wants to share a folder with somebody runs some special command in the UI (or from the command line) that generates a special piece of text. They then send this to the person they wish to share the folder with, that person enters the text in a prompt in the UI, and Syncthing handles setting up the required connection and metadata.

In practice I envision this implemented as a string similar in size to an SSH public key which embeds information about the device ID which wants to do the sharing as well as the folder ID to be shared, together with some form of authentication token that the device that generated the string can then verify when the initial connection comes in. Ideally, this should generate a one-time use invitation, preferably with the option of a timeout.

An example might look something like: st-invite-v0 VU03UEg0Wi1KRDJQSk1ILURDTDNVTEgtTElBSVE1Qy1SSE1MSENILUdNSkdWRFAtVFBIM1pSSy1QUjRSS0E2IDNpNmxtLXVhN2ZkIHN1cGVyIHNlY3JldCBhdXRoZW50aWNhdGlvbiBzdHJpbmcK

This could then be easily sent through e-mail or other electronic means to the person you want to share the folder to, with the only further requirement on your side being that your device remain online until they connect.

I had in mind one off codes which are protected by a second factor, which essentially auto-add the device and auto-share the given folder.

Something like:

  1. You click “Share” button on a folder
  2. Select if it’s a one off share code, N time share code or a permanent share code (debatable)
  3. Default expiry time for the share code is 2 hours (you can increase that to let’s say 72 hours)
  4. You enter a pin code for the share code
  5. You email the share code to the user
  6. You send a SMS with the pin code
  7. The person on the other end enters the share code and the pin code
  8. The syncthing at the other end connects to you by looking up who advertised the share code on some central server, and in the hello message presents the code and proves that it has the pin code, we auto-add the device and auto share the folder

share code being totally random not attached to any share of course.

Actually, I like the two factor idea better than a OTP style code like I had been suggesting.

I still think having the ability to time limit the codes would be useful.

I also think that making sure codes are relatively unique is important. For example, if I generate two codes for the same folder on the same device using the same PIN, they ideally should not be the same. We have to plan for the fact that some people will use insecure PIN’s or reuse PIN’s, and generating codes based solely based on the combination of device ID, and folder ID with just the PIN securing it opens people up to the possibility of attacks.