Skip to content

Secure chat made with Node.js, MongoDB, EJS and WebSocket.

Notifications You must be signed in to change notification settings

pathei-kosmos/kryfos

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Kryfos 🔒

Logo

Production ready1 chat made with Node.js (Express), MongoDB (Mongoose) and WebSocket.

Kryfos uses the Mongoose ODM to connect to a MongoDB Atlas cloud database deployed on AWS, and EJS as a template engine (for Server-Side Rendering). WebSocket exchanges are handled natively on the front end, not by using a third party library like socket.io, for better performance. On the back end, Kryfos uses express-ws. The user can create an account, log in, send and receive messages in the main room.

Kryfos uses morgan for its logs, compresses its HTTP responses in gzip and secures their headers with helmet. Authentication is done by sessions saved in a secure memory store based on lru-cache.

The application hashes its passwords with bcrypt, protects itself against HTTP Parameter Pollution attacks with hpp, XSS attacks by never using innerHTML, and NoSQL injections with the Mongoose sanitizeFilter() flag (which I added to the Mongoose documentation during this project). All user inputs are validated and sanitized with express-validator and Kryfos even supports HTML entites. Custom security rules have been added on WebSocket exchanges to allow only connections from the chat.

Demo gif

Requirements

  • Node
  • Git
  • CLI

Setup

Clone the repo and install the dependencies.

git clone https://github.com/pathei-kosmos/kryfos
cd kryfos
npm install

Note that for obvious security reasons the environment variables are not provided. You will have to create a file named ".env" at the root of the project with this content:

SECRET_KEY_SESSION = "your security key for sessions, a random sequence of 32 characters and numbers"
PORT = the port of your choice on which the server will run
DBURI = "the connection link to your MongoDB Atlas database"
DOMAIN = "localhost"

Launch the live server:

npm run start

Areas for Improvement:

  • Reorganize in MVC structure
  • Create and use CSRF tokens
  • Add end-to-end encryption with Diffie-Hellman key exchange

Footnotes

  1. The chat has already been successfully deployed online on Heroku.

About

Secure chat made with Node.js, MongoDB, EJS and WebSocket.

Topics

Resources

Stars

Watchers

Forks