Production ready[^1] chat made with Node.js (Express), MongoDB (Mongoose) and WebSocket.
Kryfos uses the Mongoose ODM to connect to a MongoDB Atlas cloud database deployed on AWS, and EJS as a template engine (for Server-Side Rendering). WebSocket exchanges are handled natively on the front end, not by using a third party library like socket.io, for better performance. On the back end, Kryfos uses express-ws. The user can create an account, log in, send and receive messages in the main room.
Kryfos uses morgan for its logs, compresses its HTTP responses in gzip and secures their headers with helmet. Authentication is done by sessions saved in a secure memory store based on lru-cache.
The application hashes its passwords with bcrypt, protects itself against HTTP Parameter Pollution attacks with hpp, against XSS attacks by never using innerHTML, and against NoSQL injections with the Mongoose sanitizeFilter() flag (which I added to the Mongoose documentation during this project). All user inputs are validated and sanitized with express-validator, and Kryfos even supports HTML entities. Custom security rules have been added on WebSocket exchanges to allow only connections from the chat.
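To show why the sanitizeFilter option matters, here is an added example (not Kryfos code and not Mongoose's implementation) with a simplified re-implementation of the same idea: any nested object in a filter that carries a `$`-prefixed key is wrapped in `$eq`, so a login body such as `{ password: { $ne: null } }` is compared as a literal value instead of being interpreted as a query operator. The `matches` function is a toy stand-in for MongoDB's query evaluation, supporting only `$eq` and `$ne`, and the user record is a constructed sample.

```javascript
// Added example, not Kryfos code: a simplified version of what Mongoose's
// sanitizeFilter option does, to illustrate how it blocks NoSQL injection.
// Mongoose's real implementation lives in the mongoose package.

// Constructed request bodies. A legitimate client sends strings; an injection
// attempt sends an object containing a MongoDB query operator.
const legitBody = { username: 'alice', password: 'correct horse' };
const injectedBody = { username: 'alice', password: { $ne: null } };

// Wrap any nested object that contains a `$`-prefixed key in `$eq`, so the
// database compares it as a literal value rather than treating it as an operator.
function sanitizeFilter(filter) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    return filter;
  }
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    const isOperatorObject = value !== null && typeof value === 'object'
      && !Array.isArray(value)
      && Object.keys(value).some((k) => k.startsWith('$'));
    out[key] = isOperatorObject ? { $eq: value } : value;
  }
  return out;
}

function deepEqual(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Toy matcher standing in for MongoDB's query evaluation. It understands only
// $eq and $ne, which is enough to show the difference sanitisation makes.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const actual = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      if ('$eq' in cond) return deepEqual(actual, cond.$eq);
      if ('$ne' in cond) return !deepEqual(actual, cond.$ne);
      return deepEqual(actual, cond);
    }
    return actual === cond;
  });
}

// Constructed sample user. Kryfos stores bcrypt hashes; a plaintext field is
// used here only because the point is the filter, not the hash comparison.
const users = [{ username: 'alice', password: 'correct horse' }];

// Build the filter the way a naive handler would: straight from req.body.
// With sanitize=false the injected body matches alice without knowing her
// password; with sanitize=true it matches nothing.
function findUser(body, { sanitize }) {
  const filter = sanitize ? sanitizeFilter(body) : body;
  return users.find((u) => matches(u, filter)) || null;
}

console.log('unsanitised, injected body ->', findUser(injectedBody, { sanitize: false }));
console.log('sanitised, injected body   ->', findUser(injectedBody, { sanitize: true }));
console.log('sanitised, legitimate body ->', findUser(legitBody, { sanitize: true }));

module.exports = { sanitizeFilter, matches, findUser, legitBody, injectedBody };
```

In Mongoose the same protection is switched on globally with `mongoose.set('sanitizeFilter', true)` (or per query via the `sanitizeFilter` option), which is the flag the paragraph above refers to; express-validator on the input side and this wrapping on the query side complement each other.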
- Node
- Git
- CLI
Clone the repo and install the dependencies.

```sh
git clone https://github.com/pathei-kosmos/kryfos
cd kryfos
npm install
```
Note that for obvious security reasons the environment variables are not provided. You will have to create a file named `.env` at the root of the project with this content:

```env
SECRET_KEY_SESSION = "your security key for sessions, a random sequence of 32 characters and numbers"
PORT = the port of your choice on which the server will run
DBURI = "the connection link to your MongoDB Atlas database"
DOMAIN = "localhost"
```
Launch the live server:

```sh
npm run start
```
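The README says WebSocket exchanges are restricted to connections coming from the chat itself. As an added example (not Kryfos code; how the project actually implements its rule is not shown here), the following checks the `Origin` header of a WebSocket upgrade request against the server's own origin, built from a domain and port. That these values come from the `DOMAIN` and `PORT` variables of the `.env` file above is an assumption of this example.

```javascript
// Added example, not Kryfos code: an Origin check for WebSocket upgrade requests.
// Browsers always send an Origin header on a WebSocket handshake, so a server can
// refuse handshakes that did not start from one of its own pages. DOMAIN and PORT
// are assumed to come from the .env file (an assumption of this example).

// Build the set of accepted origins, normalised through URL so that default
// ports are handled the same way browsers serialise them
// (e.g. https://localhost:443 becomes https://localhost).
function allowedOrigins(domain, port, schemes = ['http', 'https']) {
  const portSuffix = port ? `:${port}` : '';
  return new Set(schemes.map((s) => new URL(`${s}://${domain}${portSuffix}`).origin));
}

// Decide whether an upgrade may proceed. `headers` is the IncomingMessage.headers
// object (lower-cased keys). Returns a reason string on rejection, for logging,
// or null when the request is allowed.
function rejectReason(headers, allowed) {
  const origin = headers.origin;
  if (!origin) return 'missing Origin header'; // non-browser client or stripped header
  let parsed;
  try {
    parsed = new URL(origin); // also rejects the literal value "null"
  } catch {
    return 'malformed Origin header';
  }
  // Compare the full scheme://host[:port] origin, never a string prefix, so
  // http://localhost:3000.example.test does not slip past an http://localhost:3000 rule.
  if (!allowed.has(parsed.origin)) return `origin ${parsed.origin} not allowed`;
  return null;
}

// Wire the check onto a plain Node http server's 'upgrade' event. Rejected
// handshakes get a 403 and the socket is closed before any WebSocket exists.
function guardUpgrade(server, allowed, onAccept) {
  server.on('upgrade', (req, socket, head) => {
    const reason = rejectReason(req.headers, allowed);
    if (reason) {
      console.warn(`rejected WebSocket upgrade from ${socket.remoteAddress}: ${reason}`);
      socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      socket.destroy();
      return;
    }
    onAccept(req, socket, head);
  });
}

// Constructed sample configuration and headers, so the file runs offline.
const allowed = allowedOrigins(process.env.DOMAIN || 'localhost', process.env.PORT || 3000);
console.log(rejectReason({ origin: 'http://localhost:3000' }, allowed));              // null
console.log(rejectReason({ origin: 'http://localhost:3000.example.test' }, allowed)); // rejected
console.log(rejectReason({}, allowed));                                               // rejected

module.exports = { allowedOrigins, rejectReason, guardUpgrade };
```

An Origin check keeps other sites' pages from opening authenticated sockets to the chat (the WebSocket flavour of cross-site request forgery), which is why it sits alongside the session-based authentication; it does not replace authenticating the session on the upgrade request, since non-browser clients can set any Origin they like.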
- Reorganize in MVC structure
- Create and use CSRF tokens
- Add end-to-end encryption with Diffie-Hellman key exchange
[^1]: The chat has already been successfully deployed online on Heroku.