darkwire / darkwire.io
End-to-end encrypted instant web chat
Home Page: https://darkwire.io
License: MIT License
Hi,
Thank you for this really great tool I've discovered recently! I tried to send a file inside a chat, and I couldn't because of the message "File type not supported". I don't understand, and I can't find any information about the supported file types.
Is it possible to know which file types are supported? Why is there a restriction on the file type for sending files? In my case, the file type was .kdbx (the file type for the KeePassXC application), and it was under the size limit of 1Mb (my file is 60Kb).
SSL Certs are broken right now. We are working on migrating the servers soon.
When entering € then the recipient gets ¬. There might be other symbols that don't work.
This is what was returned after running "yarn dev":
$ concurrently 'cd client && yarn start' 'cd server && yarn dev'
[0] ''cd' is not recognized as an internal or external command,
[0] operable program or batch file.
[1] 'client' is not recognized as an internal or external command,
[1] operable program or batch file.
[0] 'cd exited with code 1
[1] client exited with code 1
error Command failed with exit code 1.
Purpose: Provide a sharable link that allows temporary file download and/or image viewing.
/pin <UUID> <file-key> <{options}>
The file will be pinned to the top of the chatroom. This command will also temporarily store the file for up to 24 hours (default), via memory, at darkwire.io/<room-id>/<uuid>?key=file-key (if a key is not provided, the user will be redirected to the room-id).
d (duration, optional): anywhere between 1m - 24hr. Will use shorthand annotation and support minutes and hours only (m|h, ex: 1m / 2m / 24h).
file-key as its encryption key. file-key while new users will be required to enter the file-key in order to access the file. A pinned file cannot be unpinned, only after the set duration of file expiration has passed.
File keys cannot be changed and must have a minimum character count of 12.
Target release: v2.1
Hi. Since the new version, it's impossible to click directly on the links. Hope it's only a little bug.
After a fresh install, if we try to execute the server-side tests, we get this error:
yarn run v1.22.4
$ jest
FAIL src/utils/utils.test.js
● Test suite failed to run
Requires Babel "^7.0.0-0", but was loaded with "6.26.3". If you are sure you have a compatible version of @babel/core, it is likely that something in your build process is loading the wrong version. Inspect the stack trace of this error to look for the first entry that doesn't mention "@babel/core" or "babel-core" to see what is calling Babel.
at throwVersionError (node_modules/@babel/helper-plugin-utils/lib/index.js:65:11)
at Object.assertVersion (node_modules/@babel/helper-plugin-utils/lib/index.js:13:11)
at node_modules/@babel/plugin-transform-async-to-generator/lib/index.js:51:7
at node_modules/@babel/helper-plugin-utils/lib/index.js:19:12
at Function.memoisePluginContainer (node_modules/babel-core/lib/transformation/file/options/option-manager.js:113:13)
at Function.normalisePlugin (node_modules/babel-core/lib/transformation/file/options/option-manager.js:146:32)
at node_modules/babel-core/lib/transformation/file/options/option-manager.js:184:30
at Array.map (<anonymous>)
at Function.normalisePlugins (node_modules/babel-core/lib/transformation/file/options/option-manager.js:158:20)
at OptionManager.mergeOptions (node_modules/babel-core/lib/transformation/file/options/option-manager.js:234:36)
at OptionManager.init (node_modules/babel-core/lib/transformation/file/options/option-manager.js:368:12)
at File.initOptions (node_modules/babel-core/lib/transformation/file/index.js:212:65)
at new File (node_modules/babel-core/lib/transformation/file/index.js:135:24)
at Pipeline.transform (node_modules/babel-core/lib/transformation/pipeline.js:46:16)
at Generator.next (<anonymous>)
at new Promise (<anonymous>)
Test Suites: 1 failed, 1 total
Tests: 0 total
Snapshots: 0 total
Time: 1.473s
Ran all test suites.
error Command failed with exit code 1.
Use Lambda@Edge to add these missing headers.
Looks like https://darkwire.io has an expired certificate:
Looks like you use Let's Encrypt with nginx, so an nginx reload might be enough to fix it if the certificate renewal happened without errors.
Just so not anyone can enter and follow the conversation.
It would add a layer of protection, small but still.
To the best of my knowledge environment variable names are, by convention, in upper-case.
In addition, in some environments, such as in Heroku (the popular PaaS), the aforementioned convention is followed.
I believe it would be better if this convention is followed.
The issue that arises though, should such a change be adopted, is whether it is backward-compatible or not.
I suggest that it is backward-compatible.
Namely, this change would suffice:
diff --git a/src/app.js b/src/app.js
index 7d3193d..cbfeffc 100644
--- a/src/app.js
+++ b/src/app.js
@@ -11,7 +11,7 @@ import fs from 'fs';
import Room from './room';
const $CONFIG = {
- port: process.env.port || 3000
+ port: process.env.port || process.env.PORT || 3000
};
const app = express();
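Review bot: the precedence in the `+` line keeps the lowercase `port` ahead of `PORT`, so on a host that sets both (Heroku exports `PORT`; a stray lowercase `port` in a .env file would silently win) the new convention loses. Since the stated goal is to move to upper-case, prefer `port: process.env.PORT || process.env.port || 3000` and document the lowercase name as deprecated in the README. Note also that on Windows `process.env` is case-insensitive, so `port` and `PORT` already resolve to the same value there; the distinction only matters on Linux and macOS hosts.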
Do you have any other considerations?
PS: I have a PR ready, but I thought it would be better if I opened an issue first.
The steps I follow do not seem to install anything related to the darkwire chat system. Please advise on this matter.
npm install -g n
n stable
npm install
npm run dev
brew install chromedriver
npm test
npm run bundle
npm start
port=3000 npm start
When a user sends a message containing a URL, Darkwire transforms the URL into an HTML anchor tag with an href link to the URL in question using the Autolinker module.
This creates two important security vulnerabilities.
When a user clicks on a link sent by another user in the same chat room, the request made by the browser to fetch the resource referenced by the URL will contain a Referrer header whose value will be the chatroom's full URL.
This creates an issue where any website administrator to whose site a Darkwire user browsed can just look up the Darkwire chatroom URL in the Referrer header of his server logs.
Since anchor tags created by Autolinker contain a target=_blank attribute, users clicking on this link will be vulnerable to tab-jacking attacks.
More details can be found in this blog post: https://mathiasbynens.github.io/rel-noopener/
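A minimal linkifier that closes both holes described in the report, added here as an example and not taken from Darkwire or Autolinker: it escapes the message before linking and emits anchors with rel="noopener noreferrer", so the opened page gets neither window.opener (tab-jacking) nor a Referer carrying the room URL. Function names are assumed.

```javascript
// Added example, not Darkwire's or Autolinker's code. Function names are assumed.
const URL_RE = /\bhttps?:\/\/[^\s<>"']*[^\s<>"'.,;:!?)]/g;

// Escape the five HTML-significant characters so message text is never
// interpreted as markup when injected into the chat DOM.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Escape first, then link: the URL match runs over already-escaped text, so
// the href attribute can only contain entity-encoded characters.
// rel="noreferrer" stops the browser sending the chatroom URL as Referer;
// rel="noopener" denies the opened page window.opener, which blocks tab-jacking.
function linkify(message) {
  return escapeHtml(message).replace(
    URL_RE,
    (url) => `<a href="${url}" target="_blank" rel="noopener noreferrer">${url}</a>`
  );
}

// Defender's check for rendered HTML: every anchor that opens a new tab must
// carry both rel tokens. Usable as a unit test for whatever linkifier is in use.
function anchorsHardened(html) {
  const tags = html.match(/<a\b[^>]*>/gi) || [];
  return tags.every((tag) => {
    if (!/\btarget\s*=\s*["']?_blank\b/i.test(tag)) return true;
    const m = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const tokens = (m ? m[1] : '').toLowerCase().split(/\s+/);
    return tokens.includes('noopener') && tokens.includes('noreferrer');
  });
}

// Demo with a constructed message.
const demo = linkify('room link: https://example.com/?a=1&b=2 and <b>no markup</b>');
console.log(demo, anchorsHardened(demo));
```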
I've just tested the new /nick name function. Works perfectly. I was wondering if perhaps an additional /colour <hex code|name> option would be feasible.
*Removed from v1.5
Hi!
Thanks for the work, our association has pulled it onto the web and it's smoking good!
I need to know if there is a configuration file somewhere?
Especially to set the default language, for example, or change the theme...
I've just started playing with this service (due to Cryptocat becoming more and more unreliable due to outages) and one thing that would be nice to have is being able to rename the handles to make identification of different people easier. I know it will undermine the anonymity somewhat and you don't have any guarantee that the person is really the one they say they are, but it would still be nice to have.
Core Functionality
The "... is typing" message is kind of a nuisance when the screen is full, which means each time it appears all the conversation text jumps slightly up and then slightly down again. This is distracting. So it would be nice to either make it configurable so it can be switched off, or change the message display in such a way that there is always space for a last blank line left in which the "... is typing" message can appear without moving previous text.
If the same user wrote several messages in a row, the header should be displayed only once for easy reading and space saving.
Would it be possible to include the version of the running darkwire installation in the "About" dialogue?
Sun, 02 Jul 2017 14:31:00 UTC EXPIRED
https://www.ssllabs.com/ssltest/analyze.html?d=darkwire.io&latest
I propose to split the Home component into three components:
Activity.js with all the code concerning the getActivity function
ActivityStream.js with the main-chat component part
index.js for whatever remains
What do you think?
I don't want to get into a war between Whatsapp vs. Signal vs. Telegram vs. Slack vs... but who gets all their contacts on the same tool? I don't want to create an account on all these platforms to be able to communicate with everyone. And what if I want to create a temporary group with customers for example. Do they all have to create an account on a common tool for a few months?
To my knowledge, there is no chatroom yet that
With such a solution, I no longer need to make a choice. Not to mention the fact that I have to install a utility, or one that uses a phone number or email. Yes, I know my issue looks like that, but eh, we are developers ;-)
In order for Darkwire to answer all these points, the last point is mainly missing, i.e. the possibility to receive the messages that were sent during my absence. I don't want to keep an ad vitam history of the messages, but just the last messages I didn't receive (within a month for example).
The idea is not to put an end to the ephemeral aspect of this chat but to complete it with a slightly longer term use. As long as you use it regularly, it stays alive. Messages are erased as they get older and if nobody uses the room for a while, it is totally deleted. This would be an option to be activated by the owner of the room if needed.
To meet this need I propose 3 technical solutions:
The first idea is to use symmetrical AES-type encryption to encrypt messages. When you choose to enable persistence, a hash is added to the URL containing a passphrase to encrypt and decrypt messages. Each time a message is sent, it is stored encrypted in the store on the backend side and the messages are all sent back to each user who logs in. Only users with the correct hash in the url will be able to decrypt the messages.
With this option, the server keeps a list of users who logged in with their public key. When someone logs in, they receive a list of all users, even those who are not logged in anymore for this room. Each message is sent to the server encrypted with the public key of each recipient, like now, but messages whose recipient is not logged in are kept on the server until the user concerned logs in or until the message expires.
This time, the first user in a room creates two encryption key pairs at the first connection. One for him as usual and one for messages. Then, for each user who logs in, the room owner sends the messages key encrypted with the user's public key (like a normal message in fact). The difference is that each time a message is sent, it is encrypted with the public key for messages and is sent only once. The message history is therefore kept only once on the server side and the encryption method remains asymmetrical. We can even imagine that this is the default way of exchanging messages.
What do you think? Did I miss an option?
We experienced that it happens from time to time that the server is "losing" the room but the client still thinks it's connected and sends off message after message, and even shows the other participants as still present. Unfortunately I'm not sure how to best reproduce this properly.
I'm not an expert on JS, but it is the case in every programming language that Math.random() is not a cryptographically secure pseudorandom number generator (CSPRNG).
Your encryption key generator is completely insecure.
Once that's fixed, the charset you're using is missing the 'm' and the length is only 16 chars. The current encryption keys have theoretical maximum strength of 61^16 = 94 bits. This is not enough; While it's secure against many crackers, it's not secure against nation states that break crypto. Ensure that the length of key generated by a CSPRNG is at least 43.
It would be nice to have the possibility to create a chat room where only people can enter that are invited and for whom their public keys are entered by the room owner.
When we get a new message and the window is not focused, we should get a desktop notification in addition to, or in place of, the notification sound.
If we click on the notification, the window/tab with the notification is focused.
Should be activable/deactivable through the parameters menu.
In Darkwire there is a feature where a user can rename himself from the originally assigned random alias to any username he'd like provided it is smaller than 16 characters:
https://github.com/seripap/darkwire.io/blob/master/src/room.js#L90
On the other hand, this length check is not done when the user initially connects to the room which is an issue because the username is generated by the client and not the server:
https://github.com/seripap/darkwire.io/blob/master/src/room.js#L40
Proof of concept:
const io = require('socket.io-client');
const socket = io.connect('http://127.0.0.1:3000/$ROOM_ID');
socket.emit('add user', {
username: '<script>alert(1)</script>',
publicKey: ''
});
setTimeout(() => socket.disconnect(), 3000);
Just replace the "$ROOM_ID" placeholder with the room id of a Darkwire room you are currently connected to in your browser and run the script.
Although this attack requires the room id, it still compromises any end user that opens a chat with the attacker. From the other security vulnerability issue #46 I opened we can see that it is possible for the app to leak the room id information, so relying too much on this single line of defense might not be enough.
To fix this issue, the server has to validate that usernames are only alphanumeric and in a certain length range.
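Server-side validation of the 'add user' payload, added here as an example of the fix the report calls for (not Darkwire's server code): the allow-list is the alphanumeric rule proposed above, the 1-16 character range and the handler shape are assumptions, and `emit` stands in for socket.emit.

```javascript
// Added example, not Darkwire's server code. The 1-16 length range, the
// handler shape and the `emit` callback are assumptions.
const USERNAME_RE = /^[A-Za-z0-9]{1,16}$/;

// Returns null when the name is acceptable, otherwise a reason string.
// The client never gets to define what a valid name is: type, charset and
// length are all checked on the server, on the join path as well as on rename.
function usernameError(name) {
  if (typeof name !== 'string') return 'username must be a string';
  if (!USERNAME_RE.test(name)) return 'username must be 1-16 alphanumeric characters';
  return null;
}

// What a socket handler would do with the payload from the proof of concept:
// reject it instead of broadcasting the raw value to other clients. Returns
// the decision so the caller (and a test) can act on it.
function onAddUser(payload, emit = () => {}) {
  const err = usernameError(payload && payload.username);
  if (err) {
    emit('add user error', { reason: err });
    return { accepted: false, reason: err };
  }
  return { accepted: true, username: payload.username };
}

// Constructed payloads: the one from the proof of concept and a benign one.
console.log(onAddUser({ username: '<script>alert(1)</script>', publicKey: '' }));
console.log(onAddUser({ username: 'alice42', publicKey: '' }));
```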
Hi.
It was easier to write when the download button was on the right instead of the left.
When we want to write, we click on the button by accident and it opens the download window.
Could you please move it to the far right?
I was wondering if it was possible to make our own room by entering, for example, www.darkwire.io/#Test or www.darkwire.io/?Test. That would also be a good idea. And if they want a random room name, they can just leave it blank at the end of the link. Both would be optional.
Nice chat! Are you thinking of updating socket.io to 2.0 for the next milestone?
Currently text messages seem to be interpreted, which makes it hard to use it for exchanging code snippets (especially HTML).
Example: "As you can see in the <script> tag..." becomes "As you can see in the tag...".
So text input should be transmitted literally unless one of the official switches is used (e.g., /nick). This also means that one would lose HTML entity rendering, but that is just as well, especially when developers are trying to discuss code.
To improve code style consistency I propose to add prettier. This can be done in 4 PRs:
Please make it so you mask people's IPs so the IPs don't show to anyone no matter what: completely anonymous and encrypted (that means no logs whatsoever no matter what, no trace of IPs or of any kind, nothing is saved on the server, people can't see people's IPs or any info). People won't use the chat otherwise.
Second thing..
About the room name that changes every time you enter: please make it so people can name their room with their own room name instead of just a name that comes up randomly.
When you send a file, the download link is broken. It opens a new tab and does nothing else.
Would be nice to have this. From IRC:
/clear Clears the entire scrollback buffer of the current window.
Until now I simply used refresh page, but since /nick is available this means losing the handle.
It's annoying to set one's nickname each time we connect, same for the notification sound, etc.
It would be nice if this data could be stored in the localStorage, for instance.
I tried deploying darkwire.io on Heroku but it seems the gulp setup is conflicting. I don't know if you have tried it with Heroku, but given that you can run one instance of a node.js application for free, it makes a great test system for the newest features if one doesn't just want to test locally.
If there is interest in making it runnable on Heroku I can provide some logs. I was hoping to be able to fix it myself and send you a PR, but it seems my node.js foo is just too pathetic for that.
Instead of being English by default, the application should read the default language from the browser configuration.
Can I install using Node.js version 8.4.0 ?
Current (designed) behaviour is that when the last person leaves a room the room "object" is destroyed. Visiting the room address of a non-existing room triggers the generation of a new random hashed room. Now it would be nice to be able to reuse earlier room "hashes" in order to establish a semi-secret meeting place that people can visit. Which means if a room object with a hash is called that does not exist, it should simply create the room with exactly that hash and not trigger the creation of a room with a new hash.
Was that understandable and would that be doable?
Hi, is it possible to edit the urlbase path for reverse proxy using a path like /darkwire? Thanks
It would be nice to have time stamps in front of the username or as mouse-over of the username. Whatever works best.
Here is another nice function from IRC. Using the /me switch one can express things like
/me really would like this feature
as
@dietmarw* really would like this feature
Not important but nice to have.
Hello, I think what's missing from this fantastic project is support for Docker, so as to be able to deploy the app anywhere and seamlessly.
For instance we should be able to:
1) Build the image
docker build -t darkwire .
2) Optionally push it to our private registry
docker tag darkwire private-registry/darkwire
docker push private-registry/darkwire
3) And ultimately run the app (in the production host)
docker run -d -p 3000:3000 private-registry/darkwire
I can send you a PR for a respective Dockerfile :)
What do you think?
Does not work with Chrome and Safari on iOS.
Only works with Chrome on Desktop (Mac). Does not work with Safari on Desktop (Mac)