uniwrtc 2.0.0 → 2.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "uniwrtc",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "A universal WebRTC signaling service",
   "main": "server.js",
   "type": "module",
@@ -27,7 +27,8 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "nostr-tools": "^2.9.0"
+    "nostr-tools": "^2.9.0",
+    "unsea": "^1.1.2"
   },
   "devDependencies": {
     "@playwright/test": "^1.57.0",

package/src/crypto.js

@@ -0,0 +1,96 @@
+import { encryptMessageWithMeta, decryptMessageWithMeta } from 'unsea';
+
+/**
+ * Encryption utilities for signaling messages using unsea (ECIES)
+ * Uses elliptic curve cryptography for secure peer-to-peer encryption
+ */
+
+// Store peer public keys by peer ID (hex)
+const peerPublicKeys = new Map();
+
+/**
+ * Register a peer's public key (hex string)
+ * @param {string} peerId - Peer ID (hex)
+ * @param {object} publicKeyObj - Public key object from unsea
+ */
+export function registerPeerPublicKey(peerId, publicKeyObj) {
+  peerPublicKeys.set(peerId, publicKeyObj);
+}
+
+/**
+ * Get a peer's public key
+ * @param {string} peerId - Peer ID (hex)
+ * @returns {object|null} Public key object or null
+ */
+export function getPeerPublicKey(peerId) {
+  return peerPublicKeys.get(peerId) || null;
+}
+
+/**
+ * Encrypt a JSON payload for transmission to a specific peer
+ * @param {object} payload - Object to encrypt
+ * @param {object} recipientPublicKey - Recipient's public key object from unsea
+ * @returns {Promise<object>} Encrypted message with metadata
+ */
+export async function encryptPayload(payload, recipientPublicKey) {
+  try {
+    const plaintext = JSON.stringify(payload);
+    const encrypted = await encryptMessageWithMeta(plaintext, recipientPublicKey);
+    return encrypted;
+  } catch (e) {
+    console.error('[Crypto] Encryption failed:', e);
+    throw e;
+  }
+}
+
+/**
+ * Decrypt a payload using unsea
+ * @param {object} encrypted - Encrypted message object
+ * @param {object} senderPublicKey - Sender's public key object
+ * @param {object} myPrivateKey - This peer's private key object
+ * @returns {Promise<object>} Decrypted JSON payload
+ */
+export async function decryptPayload(encrypted, senderPublicKey, myPrivateKey) {
+  try {
+    const plaintext = await decryptMessageWithMeta(encrypted, senderPublicKey, myPrivateKey);
+    return JSON.parse(plaintext);
+  } catch (e) {
+    console.error('[Crypto] Decryption failed:', e);
+    throw e;
+  }
+}
+
+/**
+ * Wrap a payload for encrypted transmission
+ * @param {object} payload - Payload to wrap
+ * @param {object} recipientPublicKey - Recipient's public key object from unsea
+ * @returns {Promise<object>} Wrapped envelope with encrypted content
+ */
+export async function wrapEncryptedPayload(payload, recipientPublicKey) {
+  const encrypted = await encryptPayload(payload, recipientPublicKey);
+  return {
+    type: 'encrypted',
+    encrypted: true,
+    content: JSON.stringify(encrypted),
+  };
+}
+
+/**
+ * Unwrap an encrypted payload
+ * @param {object} envelope - Encrypted envelope
+ * @param {object} senderPublicKey - Sender's public key object
+ * @param {object} myPrivateKey - This peer's private key object
+ * @returns {Promise<object>} Decrypted payload
+ */
+export async function unwrapEncryptedPayload(envelope, senderPublicKey, myPrivateKey) {
+  if (!envelope.encrypted) {
+    throw new Error('Payload is not encrypted');
+  }
+  const encrypted = JSON.parse(envelope.content);
+  return decryptPayload(encrypted, senderPublicKey, myPrivateKey);
+}
+
+// Dummy function for compatibility
+export function deriveSharedSecret(pubkey1, pubkey2) {
+  return { pubkey1, pubkey2 };
+}

package/src/main.js

@@ -2,6 +2,8 @@ import './style.css';
 import UniWRTCClient from '../client-browser.js';
 import { createNostrClient } from './nostr/nostrClient.js';
 import { generateSecretKey, getPublicKey } from 'nostr-tools/pure';
+import { wrapEncryptedPayload, unwrapEncryptedPayload, deriveSharedSecret, registerPeerPublicKey, getPeerPublicKey } from './crypto.js';
+import { generateRandomPair } from 'unsea';
 
 // Make UniWRTCClient available globally for backwards compatibility
 window.UniWRTCClient = UniWRTCClient;
@@ -10,6 +12,8 @@ window.UniWRTCClient = UniWRTCClient;
 let nostrClient = null;
 let myPeerId = null;
 let mySessionNonce = null;
+let encryptionEnabled = true; // Encryption toggle - defaults to ON
+let myKeyPair = null; // unsea key pair for encryption { publicKey, privateKey }
 const peerSessions = new Map();
 const peerProbeState = new Map();
 const peerResyncState = new Map();
@@ -76,10 +80,16 @@ document.getElementById('app').innerHTML = `
                     <input type="text" id="roomId" data-testid="roomId" placeholder="my-room">
                 </div>
             </div>
-            <div style="display: flex; gap: 10px; align-items: center;">
-                <button onclick="window.connect()" class="btn-primary" id="connectBtn" data-testid="connectBtn">Connect</button>
-                <button onclick="window.disconnect()" class="btn-danger" id="disconnectBtn" data-testid="disconnectBtn" disabled>Disconnect</button>
-                <span id="statusBadge" data-testid="statusBadge" class="status-badge status-disconnected">Disconnected</span>
+            <div style="display: flex; gap: 10px; align-items: center; justify-content: space-between;">
+                <div style="display: flex; gap: 10px; align-items: center;">
+                    <button onclick="window.connect()" class="btn-primary" id="connectBtn" data-testid="connectBtn">Connect</button>
+                    <button onclick="window.disconnect()" class="btn-danger" id="disconnectBtn" data-testid="disconnectBtn" disabled>Disconnect</button>
+                    <span id="statusBadge" data-testid="statusBadge" class="status-badge status-disconnected">Disconnected</span>
+                </div>
+                <label style="display: flex; align-items: center; gap: 8px; color: #64748b; font-size: 13px; white-space: nowrap;">
+                    <input type="checkbox" id="encryptionToggle" onchange="window.toggleEncryption()" checked style="cursor: pointer; width: 16px; height: 16px;">
+                    Encrypt
+                </label>
             </div>
         </div>
 
@@ -97,11 +107,6 @@ document.getElementById('app').innerHTML = `
             </div>
         </div>
 
-        <div class="card">
-            <h2>Role</h2>
-            <div id="roleBadge" data-testid="roleBadge" class="status-badge status-disconnected">Not assigned</div>
-        </div>
-
         <div class="card">
             <h2>Connected Peers</h2>
             <div id="peerList" data-testid="peerList" class="peer-list">
@@ -129,6 +134,16 @@ document.getElementById('app').innerHTML = `
     </div>
 `;
 
+// FORCE ENCRYPTION DEFAULT ON IMMEDIATELY AFTER HTML IS CREATED
+const encryptCb = document.getElementById('encryptionToggle');
+if (encryptCb) {
+    console.log('[ENCRYPTION] Found checkbox, forcing ON');
+    encryptCb.defaultChecked = true;
+    encryptCb.checked = true;
+    encryptionEnabled = true;
+    console.log('[ENCRYPTION] Set encryptionEnabled=true, checkbox.checked=' + encryptCb.checked);
+}
+
 // Prefill room input from URL (?room= or ?session=); otherwise set a visible default the user can override
 const roomInput = document.getElementById('roomId');
 const params = new URLSearchParams(window.location.search);
@@ -155,6 +170,16 @@ roomInput.addEventListener('input', () => {
     document.getElementById('sessionId').textContent = roomInput.value.trim() || 'Not joined';
 });
 
+// Force encryption toggle to default ON on load
+const encryptionCheckbox = document.getElementById('encryptionToggle');
+if (encryptionCheckbox) {
+    encryptionCheckbox.defaultChecked = true; // force default state
+    encryptionCheckbox.checked = true; // override any persisted form state
+    encryptionEnabled = true;
+    window.toggleEncryption?.(); // ensure UI + state sync on load
+    log('Signaling encryption defaulted to ON', 'success');
+}
+
 // ICE servers: STUN-only by default (no TURN). For deterministic local testing,
 // support host-only ICE via URL flag: ?ice=host (or ?ice=none)
 const iceMode = (params.get('ice') || '').toLowerCase();
@@ -230,27 +255,6 @@ function updateStatus(connected) {
     }
 }
 
-function updateRole(role) {
-    const badge = document.getElementById('roleBadge');
-    if (!badge) return;
-
-    if (role === 'coordinator') {
-        badge.textContent = 'Coordinator';
-        badge.className = 'status-badge status-connected';
-        // If assigned a role, we must be connected
-        updateStatus(true);
-    } else if (role === 'peer') {
-        badge.textContent = 'Peer';
-        badge.className = 'status-badge status-info';
-        // If assigned a role, we must be connected
-        updateStatus(true);
-    } else {
-        badge.textContent = 'Not assigned';
-        badge.className = 'status-badge status-disconnected';
-        updateStatus(false);
-    }
-}
-
 function updatePeerList() {
     const peerList = document.getElementById('peerList');
     if (!peerList) return;
@@ -302,32 +306,63 @@ function isPoliteFor(peerId) {
     return !shouldInitiateWith(peerId);
 }
 
-function sendSignal(to, payload) {
+async function sendSignal(to, payload) {
     if (!nostrClient) throw new Error('Not connected to Nostr');
-
-    const toSession = peerSessions.get(to);
     const type = payload?.type;
-    const needsToSession = type !== 'probe';
+    const isBroadcast = !to;
+    const toSession = isBroadcast ? null : peerSessions.get(to);
+    const needsToSession = !isBroadcast && type !== 'probe';
 
     if (needsToSession && !toSession) throw new Error('No peer session yet');
 
-    return nostrClient.send({
+    let finalPayload = {
         ...payload,
-        to,
+        ...(to ? { to } : {}),
         ...(needsToSession ? { toSession } : {}),
         fromSession: mySessionNonce,
-    });
+    };
+
+    // Optionally encrypt the payload using unsea
+    if (encryptionEnabled && to && myKeyPair) {
+        try {
+            const recipientPublicKey = getPeerPublicKey(to);
+            if (recipientPublicKey) {
+                finalPayload = await wrapEncryptedPayload(finalPayload, recipientPublicKey);
+            }
+            // Silently fall back to unencrypted if no peer key yet - will be available from their hello
+        } catch (e) {
+            console.warn('[Crypto] Encryption failed, sending unencrypted:', e?.message);
+        }
+    }
+
+    return nostrClient.send(finalPayload);
 }
 
-function sendSignalToSession(to, payload, toSession) {
+async function sendSignalToSession(to, payload, toSession) {
     if (!nostrClient) throw new Error('Not connected to Nostr');
     if (!toSession) throw new Error('toSession is required');
-    return nostrClient.send({
+    
+    let finalPayload = {
         ...payload,
         to,
         toSession,
         fromSession: mySessionNonce,
-    });
+    };
+
+    // Optionally encrypt the payload using unsea
+    if (encryptionEnabled && to && myKeyPair) {
+        try {
+            const recipientPublicKey = getPeerPublicKey(to);
+            if (recipientPublicKey) {
+                finalPayload = await wrapEncryptedPayload(finalPayload, recipientPublicKey);
+            }
+            // Silently fall back to unencrypted if no peer key yet - will be available from their hello
+        } catch (e) {
+            console.warn('[Crypto] Encryption failed, sending unencrypted:', e?.message);
+        }
+    }
+
+    return nostrClient.send(finalPayload);
 }
 
 async function maybeProbePeer(peerId) {
@@ -342,7 +377,16 @@ async function maybeProbePeer(peerId) {
     const probeId = Math.random().toString(36).slice(2, 10) + Date.now().toString(36);
     peerProbeState.set(peerId, { session, ts: Date.now(), probeId });
     try {
-        await sendSignal(peerId, { type: 'probe', probeId });
+        const probePayload = { type: 'probe', probeId };
+        // Include our encryption public key so peer can encrypt responses
+        if (encryptionEnabled && myKeyPair && myKeyPair.publicKey) {
+            try {
+                probePayload.encryptionPublicKey = JSON.stringify(myKeyPair.publicKey);
+            } catch (e) {
+                console.warn('[Crypto] Failed to serialize public key for probe:', e?.message);
+            }
+        }
+        await sendSignal(peerId, probePayload);
         log(`Probing peer ${peerId.substring(0, 6)}...`, 'info');
     } catch (e) {
         log(`Probe failed: ${e?.message || e}`, 'warning');
@@ -486,9 +530,11 @@ async function connectNostr() {
             nostrClient = null;
         }
 
-        // Reset local peer state to avoid stale sessions targeting the wrong browser tab.
+        // Preserve session across relay reconnects to avoid breaking existing signaling.
+        // Only reset on true disconnect (Disconnect button), not on relay failures.
         myPeerId = myPeerId || ensureIdentity();
-        mySessionNonce = null;
+        // NOTE: Do NOT reset mySessionNonce here. Keep it stable across relay changes.
+        // If no session exists yet, it will be created below.
         peerSessions.clear();
         peerProbeState.clear();
         readyPeers.clear();
@@ -524,7 +570,21 @@ async function connectNostr() {
         // Any client instance will derive the same per-tab keypair.
         const myPubkey = myPeerId || ensureIdentity();
         myPeerId = myPubkey;
-        mySessionNonce = Math.random().toString(36).slice(2) + Date.now().toString(36);
+        
+        // Generate unsea key pair for encryption (once per connection, defaults to enabled)
+        if (!myKeyPair) {
+            try {
+                myKeyPair = await generateRandomPair();
+                console.log('[Crypto] Generated unsea key pair for peer', myPeerId.substring(0, 6));
+            } catch (e) {
+                console.warn('[Crypto] Failed to generate key pair:', e?.message);
+            }
+        }
+        
+        // Generate session nonce only once per connect session (preserve across relay changes)
+        if (!mySessionNonce) {
+            mySessionNonce = Math.random().toString(36).slice(2) + Date.now().toString(36);
+        }
         document.getElementById('clientId').textContent = myPubkey.substring(0, 16) + '...';
         document.getElementById('sessionId').textContent = effectiveRoom;
 
@@ -533,8 +593,12 @@ async function connectNostr() {
             room: effectiveRoom,
             secretKeyHex: mySecretKeyHex,
             onState: (state) => {
-                if (state === 'connected') updateStatus(true);
-                if (state === 'disconnected') updateStatus(false);
+                if (state === 'connected') {
+                    updateStatus(true);
+                }
+                if (state === 'disconnected') {
+                    updateStatus(false);
+                }
             },
             onNotice: (notice) => {
                 log(`Relay NOTICE (${relayUrl}): ${String(notice)}`, 'warning');
@@ -546,6 +610,27 @@ async function connectNostr() {
                 const peerId = from;
                 if (!peerId || peerId === myPeerId) return;
 
+                // Try to decrypt if encrypted (using unsea)
+                let decrypted = payload;
+                if (payload && payload.encrypted && payload.content && myKeyPair && myKeyPair.privateKey) {
+                    try {
+                        const senderPublicKey = getPeerPublicKey(peerId);
+                        if (senderPublicKey) {
+                            decrypted = await unwrapEncryptedPayload(payload, senderPublicKey, myKeyPair.privateKey);
+                            console.log('[Crypto] Decrypted message from', peerId.substring(0, 6));
+                        } else {
+                            console.warn('[Crypto] No public key for sender, cannot decrypt');
+                        }
+                    } catch (e) {
+                        console.warn('[Crypto] Failed to decrypt message from', peerId.substring(0, 6), ':', e?.message);
+                        // If decryption fails, ignore the message (safety-first for encrypted content)
+                        return;
+                    }
+                }
+
+                // Use decrypted payload for all subsequent processing
+                payload = decrypted;
+
                 // Use the existing peer list UI as a simple "seen peers" list
                 if (!peerConnections.has(peerId)) {
                     peerConnections.set(peerId, null);
@@ -574,6 +659,17 @@ async function connectNostr() {
                         readyPeers.delete(peerId);
                     }
 
+                    // Extract peer's encryption public key if included
+                    if (encryptionEnabled && payload.encryptionPublicKey) {
+                        try {
+                            const publicKeyObj = JSON.parse(payload.encryptionPublicKey);
+                            registerPeerPublicKey(peerId, publicKeyObj);
+                            console.log('[Crypto] Registered peer encryption key from hello:', peerId.substring(0, 6));
+                        } catch (e) {
+                            console.warn('[Crypto] Failed to parse peer public key from hello:', e?.message);
+                        }
+                    }
+
                     // We may receive peer presence while still selecting a relay.
                     // Store and probe once we have a selected/connected `nostrClient`.
                     deferredHelloPeers.add(peerId);
@@ -631,6 +727,16 @@ async function connectNostr() {
                         logDrop(peerId, payload, 'probeId mismatch');
                         return;
                     }
+                    // Extract peer's encryption public key from probe-ack if included
+                    if (encryptionEnabled && payload.encryptionPublicKey) {
+                        try {
+                            const publicKeyObj = JSON.parse(payload.encryptionPublicKey);
+                            registerPeerPublicKey(peerId, publicKeyObj);
+                            console.log('[Crypto] Registered peer encryption key from probe-ack:', peerId.substring(0, 6));
+                        } catch (e) {
+                            console.warn('[Crypto] Failed to parse peer public key from probe-ack:', e?.message);
+                        }
+                    }
                     // Peer session can legitimately rotate between hello/probe/ack (reloads, relay history).
                     // Since this message is already targeted to our toSession, accept it and update our view.
                     if (typeof payload.fromSession === 'string' && payload.fromSession.length >= 6) {
@@ -790,7 +896,17 @@ async function connectNostr() {
         log(`Selected relay: ${selected.relayUrl}`, 'success');
 
         log(`Joined Nostr room: ${effectiveRoom}`, 'success');
-        await nostrClient.send({ type: 'hello', session: mySessionNonce });
+        // Include unsea public key in hello if encryption is enabled
+        const helloPayload = { type: 'hello', session: mySessionNonce };
+        if (encryptionEnabled && myKeyPair && myKeyPair.publicKey) {
+            try {
+                helloPayload.encryptionPublicKey = JSON.stringify(myKeyPair.publicKey);
+                console.log('[Crypto] Including public key in hello message');
+            } catch (e) {
+                console.warn('[Crypto] Failed to serialize public key:', e?.message);
+            }
+        }
+        await nostrClient.send(helloPayload);
 
         // Kick any peers we saw while selecting relays.
         for (const peerId of deferredHelloPeers) {
@@ -929,7 +1045,6 @@ async function connectWebRTC() {
 }
 
 window.disconnect = function() {
-    updateRole(null);
     if (nostrClient) {
         nostrClient.disconnect().catch(() => {});
         nostrClient = null;
@@ -957,6 +1072,16 @@ window.disconnect = function() {
     }
 };
 
+window.toggleEncryption = function() {
+    const checkbox = document.getElementById('encryptionToggle');
+    encryptionEnabled = checkbox.checked;
+    const status = encryptionEnabled ? 'enabled' : 'disabled';
+    console.log('[Crypto] Encryption', status);
+    log(`Signaling encryption ${status}`, 'info');
+};
+
+// REMOVED: load handler was firing before HTML existed
+
 async function createPeerConnection(peerId, shouldInitiate) {
     if (peerConnections.has(peerId)) {
         const existing = peerConnections.get(peerId);
@@ -1060,7 +1185,17 @@ function setupDataChannel(peerId, dataChannel) {
     };
 
     dataChannel.onmessage = (event) => {
-        displayChatMessage(event.data, `${peerId.substring(0, 6)}...`, false);
+        let message;
+        try {
+            message = JSON.parse(event.data);
+        } catch {
+            // Treat as plain text chat message
+            displayChatMessage(event.data, `${peerId.substring(0, 6)}...`, false);
+            return;
+        }
+
+        // Treat as chat message
+        displayChatMessage(JSON.stringify(message), `${peerId.substring(0, 6)}...`, false);
     };
 
     dataChannel.onclose = () => {