added encryption
57
.github/copilot-instructions.md
vendored
@@ -101,13 +101,60 @@ backend/ # FastAPI backend (Port 8001)
|
||||
- Entry filtering by date
|
||||
- Pagination support
|
||||
|
||||
### Zero-Knowledge Encryption Implementation (Completed)
|
||||
|
||||
✅ **Crypto Module** (`src/lib/crypto.ts`) — Complete zero-knowledge privacy
|
||||
|
||||
- Libsodium.js (sodium-native compatible) for cryptography (XSalsa20-Poly1305)
|
||||
- KDF: `deriveSecretKey(firebaseUID, firebaseIDToken, salt)` using Argon2i
|
||||
- Device key: random 256-bit, persisted in localStorage
|
||||
- Master key: encrypted with device key → stored in IndexedDB
|
||||
- Session: Master key in memory only, cleared on logout
|
||||
|
||||
✅ **AuthContext Enhanced** — Encryption initialization
|
||||
|
||||
- `secretKey` state (Uint8Array, in-memory) added to AuthContext
|
||||
- Key derivation on login with Firebase credentials
|
||||
- Device key auto-generation and caching
|
||||
- IndexedDB encryption key recovery on returning visits
|
||||
- Graceful handling of key mismatch on cross-device login
|
||||
|
||||
✅ **HomePage** — Encrypted entry creation
|
||||
|
||||
- Combines title + entry: `{title}\n\n{entry}`
|
||||
- Encrypts with `encryptEntry(content, secretKey)`
|
||||
- Transmits only ciphertext + nonce to backend
|
||||
- Backend never receives plaintext
|
||||
|
||||
✅ **HistoryPage** — Client-side decryption
|
||||
|
||||
- Fetches encrypted entries with ciphertext + nonce
|
||||
- Decrypts with `decryptEntry(ciphertext, nonce, secretKey)`
|
||||
- Extracts title from first line of decrypted content
|
||||
- Graceful error display on decrypt failure
|
||||
|
||||
✅ **Backend Models** — Zero-knowledge storage
|
||||
|
||||
- `EncryptionMetadata`: stores ciphertext, nonce, algorithm only
|
||||
- `JournalEntry`: title/content optional (null if encrypted)
|
||||
- All encrypted entries use XSalsa20-Poly1305 algorithm
|
||||
- Server processes metadata only, never accesses plaintext
|
||||
|
||||
✅ **API Routes** — Encrypted entry flow
|
||||
|
||||
- POST `/api/entries/{userId}`: validates ciphertext + nonce required
|
||||
- GET `/api/entries/{userId}`: returns full encryption metadata
|
||||
- Entries automatically return decryption data to authorized clients
|
||||
- No decryption performed server-side
|
||||
|
||||
### Next Steps (Implementation)
|
||||
|
||||
🔄 Connect frontend React app to backend APIs
|
||||
🔄 Pass Firebase user ID from frontend to backend
|
||||
🔄 Integrate Auth context with entry save/load
|
||||
🔄 Add optional: Firebase token verification in backend middleware
|
||||
🔄 Entry detail view with full plaintext display
|
||||
🔄 Edit encrypted entries (re-encrypt on update)
|
||||
🔄 Search encrypted entries (client-side decryption)
|
||||
🔄 Export/backup entries with device key encryption
|
||||
🔄 Multi-device key sync (optional: manual backup codes)
|
||||
|
||||
---
|
||||
|
||||
_Last updated: 2026-03-04_
|
||||
_Last updated: 2026-03-05_
|
||||
|
||||
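Review bot: The KDF line `deriveSecretKey(firebaseUID, firebaseIDToken, salt)` feeds Argon2i with inputs that are neither stable nor secret from the server, which conflicts with the "zero-knowledge" claim in the section heading. Firebase ID tokens are short-lived and get refreshed, so a key derived from one will not reproduce on a later session, and the UID is an identifier rather than a secret. The same token is what the backend would receive under the Next Steps item "Firebase token verification in backend middleware", so the server would hold the KDF input. Suggest deriving from a user-held secret (passphrase or recovery code), or generating a random master key and wrapping it with such a secret, and documenting where the salt is stored. Two related points in the same hunk: the device key in localStorage and the master key it wraps in IndexedDB live in the same origin storage, so the wrapping adds little against script running in that origin and the doc should say what it is meant to protect against; and the API Routes bullets speak of "authorized clients" on `/api/entries/{userId}` while token verification is listed as optional and pending, so either make it required or drop the word "authorized" until it exists. The "(Completed)" heading also sits next to a pending "Connect frontend React app to backend APIs" item; one of the two needs rewording.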