Skip to content

Add encryption#642

Merged
vjeux merged 3 commits intoexcalidraw:masterfrom
vjeux:encrypt
Feb 5, 2020
Merged

Add encryption#642
vjeux merged 3 commits intoexcalidraw:masterfrom
vjeux:encrypt

Conversation

@vjeux
Copy link
Contributor

@vjeux vjeux commented Feb 1, 2020
edited
Loading

This PR implements the following scheme:

Upload:

  • The client generates a random secret (eg: 20 characters in base 64, we’ll need to figure out the right size).
  • The client uses symmetric encryption to encode the json scene with the secret. (Encryption algorithm to be determined)
  • The client uploads the encrypted data to the server (but not the secret)
  • The server replies back the id
  • The client generates a url that contains the id in the query param and the secret after the # (so it doesn’t get sent to the excalidraw.com server, but is available from locally ran javascript code). We may want to also put the id after the hash too.

Download:

  • The client reads the id from the url
  • The client queries the server for the id and receives the encrypted data
  • The client reads the secret from the url
  • The client decodes the json scene from the encrypted data and secret
  • The client renders the scene

Fixes #610

@vjeux vjeux requested review from dwelle and lipis February 1, 2020 00:38
@vercel
Copy link

vercel bot commented Feb 1, 2020
edited
Loading

This pull request is being automatically deployed with ZEIT Now (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://zeit.co/vjeux/excalidraw/5gpfonvd8
✅ Preview: https://excalidraw-git-fork-vjeux-encrypt.vjeux.now.sh

@lipis
Copy link
Member

lipis commented Feb 1, 2020

The backend supports storing plain text data in version 2: https://json.excalidraw.com

@dwelle
Copy link
Member

dwelle commented Feb 2, 2020

Ad gzip: We could manually compress before encrypting (with some caveats).

@vjeux
Copy link
Contributor Author

vjeux commented Feb 3, 2020

@lipis it seems like v2 is not whitelisted for CORS :(

Access to fetch at 'https://json.excalidraw.com/api/v2/post/' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
data.ts:130 POST https://json.excalidraw.com/api/v2/post/ net::ERR_FAILED

@vjeux
Copy link
Contributor Author

vjeux commented Feb 3, 2020

@lipis if you want to test it out, I updated the PR.

Repro:

  • Go to https://excalidraw-re7oki8g8.now.sh/
  • draw a rectangle
  • open the export menu
  • click export
  • See that it throws on const json = await response.json();
  • If you change it to .text(), you'll see that the text response is empty
  • On the network tool, the response says it's 200 OK and the response length is 91
    image
  • But can't show the response:
    image

@lipis

This comment has been minimized.

Sign in to view
@lipis

This comment has been minimized.

Sign in to view
lipis
lipis reviewed Feb 4, 2020
View reviewed changes
lipis
lipis reviewed Feb 4, 2020
View reviewed changes
@lipis
Copy link
Member

lipis commented Feb 4, 2020

I got a response, by removing these two lines from the commit suggestions.

@vjeux
Copy link
Contributor Author

vjeux commented Feb 4, 2020

The entire flow is working!

You can try with those two scenes:

  • #json=5725470830100480,i21D-alTzlc_yTrPjRFVrg
  • ?id=5746640992337920

vjeux added 2 commits February 4, 2020 08:52
@vjeux
Add encryption
4ac48f5 
In order to avoid the server being able to read the content of the scene, this PR implements local encryption and decryption. This implements the algorithm described in excalidraw#610.

Right now the server doesn't support uploading binary files. I mocked the server with comments. @lipis, could you add support on the server and update this PR? I added a bunch of TODO: that tell you where to comment/uncomment in order to get the server flow going.

To test locally right now:
- Import: Open http://localhost:3000/#json=1234,5oYVOnGpWYPPTz19-PMYYw and see a square
- Export: Click the export link and see the right url with the private key + the encrypted binary in the console

Fixes excalidraw#610
@vjeux
backend_v2
6d97873
lipis
lipis reviewed Feb 4, 2020
View reviewed changes
@lipis
Copy link
Member

lipis commented Feb 4, 2020

The list of recently loaded scenes is broken though.. also when there is only one entry it doesn't reload it.

@vjeux
Copy link
Contributor Author

vjeux commented Feb 4, 2020

Oops, I didn't test the recent list, thanks, I'll look into it

@vjeux
Copy link
Contributor Author

vjeux commented Feb 4, 2020

I can't reproduce, it seems to be loading the scenes correctly for me.

@vjeux vjeux merged commit 2dd1796 into excalidraw:master Feb 5, 2020
@dwelle dwelle mentioned this pull request Feb 5, 2020
Closed
@lipis lipis removed the do not merge label Feb 7, 2020
@cs01 cs01 mentioned this pull request Feb 9, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lipis lipis lipis left review comments

@dwelle dwelle Awaiting requested review from dwelle

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

End to end encryption

3 participants

@vjeux @lipis @dwelle