Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add encryption #642

Merged
merged 3 commits into from
Feb 5, 2020
Merged

Add encryption #642

merged 3 commits into from
Feb 5, 2020

Conversation

vjeux
Copy link
Contributor

@vjeux vjeux commented Feb 1, 2020

This PR implements the following scheme:

Upload:

  • The client generates a random secret (eg: 20 characters in base 64, we’ll need to figure out the right size).
  • The client uses symmetric encryption to encode the json scene with the secret. (Encryption algorithm to be determined)
  • The client uploads the encrypted data to the server (but not the secret)
  • The server replies back the id
  • The client generates a url that contains the id in the query param and the secret after the # (so it doesn’t get sent to the excalidraw.com server, but is available from locally ran javascript code). We may want to also put the id after the hash too.

Download:

  • The client reads the id from the url
  • The client queries the server for the id and receives the encrypted data
  • The client reads the secret from the url
  • The client decodes the json scene from the encrypted data and secret
  • The client renders the scene

Fixes #610

@vercel
Copy link

vercel bot commented Feb 1, 2020

This pull request is being automatically deployed with ZEIT Now (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://zeit.co/vjeux/excalidraw/5gpfonvd8
✅ Preview: https://excalidraw-git-fork-vjeux-encrypt.vjeux.now.sh

@lipis
Copy link
Member

lipis commented Feb 1, 2020

The backend supports storing plain text data in version 2: https://json.excalidraw.com

@dwelle
Copy link
Member

dwelle commented Feb 2, 2020

Ad gzip: We could manually compress before encrypting (with some caveats).

@vjeux
Copy link
Contributor Author

vjeux commented Feb 3, 2020

@lipis it seems like v2 is not whitelisted for CORS :(

Access to fetch at 'https://json.excalidraw.com/api/v2/post/' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
data.ts:130 POST https://json.excalidraw.com/api/v2/post/ net::ERR_FAILED

@vjeux
Copy link
Contributor Author

vjeux commented Feb 3, 2020

@lipis if you want to test it out, I updated the PR.

Repro:

  • Go to https://excalidraw-re7oki8g8.now.sh/
  • draw a rectangle
  • open the export menu
  • click export
  • See that it throws on const json = await response.json();
  • If you change it to .text(), you'll see that the text response is empty
  • On the network tool, the response says it's 200 OK and the response length is 91
    image
  • But can't show the response:
    image

@lipis

This comment has been minimized.

@lipis

This comment has been minimized.

src/scene/data.ts Outdated Show resolved Hide resolved
src/scene/data.ts Outdated Show resolved Hide resolved
@lipis
Copy link
Member

lipis commented Feb 4, 2020

I got a response, by removing these two lines from the commit suggestions.

@vjeux
Copy link
Contributor Author

vjeux commented Feb 4, 2020

The entire flow is working!

You can try with those two scenes:

  • #json=5725470830100480,i21D-alTzlc_yTrPjRFVrg
  • ?id=5746640992337920

In order to avoid the server being able to read the content of the scene, this PR implements local encryption and decryption. This implements the algorithm described in excalidraw#610.

Right now the server doesn't support uploading binary files. I mocked the server with comments. @lipis, could you add support on the server and update this PR? I added a bunch of TODO: that tell you where to comment/uncomment in order to get the server flow going.

To test locally right now:
- Import: Open http://localhost:3000/#json=1234,5oYVOnGpWYPPTz19-PMYYw and see a square
- Export: Click the export link and see the right url with the private key + the encrypted binary in the console

Fixes excalidraw#610
@lipis
Copy link
Member

lipis commented Feb 4, 2020

The list of recently loaded scenes is broken though.. also when there is only one entry it doesn't reload it.

@vjeux
Copy link
Contributor Author

vjeux commented Feb 4, 2020

Oops, I didn't test the recent list, thanks, I'll look into it

@vjeux
Copy link
Contributor Author

vjeux commented Feb 4, 2020

I can't reproduce, it seems to be loading the scenes correctly for me.

@vjeux vjeux merged commit 2dd1796 into excalidraw:master Feb 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

End to end encryption
3 participants