https://github.com/kkanho/chat
A secure chat web application
https://github.com/kkanho/chat
chat-app docker docker-compose end-to-end-encryption javascript nginx python
Last synced: 2 months ago
JSON representation
A secure chat web application
- Host: GitHub
- URL: https://github.com/kkanho/chat
- Owner: kkanho
- Created: 2024-03-23T05:59:38.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-03-22T08:42:18.000Z (over 1 year ago)
- Last Synced: 2025-08-25T04:59:51.913Z (10 months ago)
- Topics: chat-app, docker, docker-compose, end-to-end-encryption, javascript, nginx, python
- Language: HTML
- Homepage: https://kkanhoe2eechat.azurewebsites.net
- Size: 17 MB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
### Chat - Group_39
A secure chat web application
# Demonstration videos:
[](https://www.youtube.com/watch?v=Pk3HRQ5v5B4)
## Available Scripts
```sh
#Clone this repository(chat)
git clone https://github.com/kkanho/chat
#Change to the correct directory
cd chat
#Build the server through docker
docker-compose up --build
```
To view it in the browser,
open [http://group-39.comp3334.xavier2dc.fr:8080/](http://group-39.comp3334.xavier2dc.fr:8080/)
or with TLSv1.3 [https://group-39.comp3334.xavier2dc.fr:8443/](https://group-39.comp3334.xavier2dc.fr:8443/)
## Features
### Part 1 - Authentication
- [x] User-chosen memorized Secret (password/passphrase)
- [x] Single-Factor OTP Device (Google Authenticator)
- [x] Look-Up Secrets (recovery keys)
- [x] Password salted and hashed
- [x] Password verifiers - check against corpus form haveibeenpwned api
- [x] Implement rate-limiting mechanisms
- [x] Image-based CAPTCHAs
- [x] OTP bind to new account when registration
- [x] Implement proper session binding requirements
- [x] Provide a way to change authenticators after account registration
### Part 2 - E2EE chat
- [x] ECDH key exchange - establish a shared secret between two users
- [x] Underlying curve - P-384
- [x] Derive two 256-bit AES-GCM encryption keys
- [x] Derive two 256-bit MAC keys
- [x] Share secret using HKDF-SHA256
- [x] Unique salt for each message
- [x] Represent the info using JSON, console log in dev tools
- [x] Message encrypted using AES in GCM mode
- [x] Prevent replay attacks as a recipient
- [x] All key material stored in local storage
- [x] All history messages should be display
- [x] Show warning if previous messages cannot be decrypted
- [x] Refresh button - re-derived all the symmetric key and IV and with a new salt
- [x] Keep all old keys in local storage for next login
- [x] Error message notify the user if the key is not found/cleared
- [x] Protected against CSRF or XSS or SQL injection (samesite: lax)
### Part 3 - TLS
- [x] Communications encrypted - protect data in transit with TLSv1.3
To use TLS in your own browser, set the root CA(COMP3334 Project Root CA 2024) to always trust
### Webapp (Front-end)
- [x] Ability to sign up, login and logout
- [x] zxcvbn password strength meter