Adds initial E2EE support with device registration, key storage, and encrypted payload handling for private chats. Includes client-side decryption logic and multi-identity handling to avoid losing access when switching accounts on the same browser.
Pull request overview
This PR introduces the foundational implementation of End-to-End Encryption (E2EE) using ECDH (Elliptic Curve Diffie-Hellman) key exchange with AES-GCM encryption. It represents the first step in a multi-phase E2EE rollout, transitioning from server-side encryption to client-side cryptography where only encrypted payloads are stored on the backend.
- Replaces server-side AES-GCM encryption (EncryptionUtil) with client-side ECDH + AES-GCM encryption
- Introduces device registration and discovery mechanisms to support multi-device E2EE
- Implements encryption/decryption in the frontend's E2eeService with identity and key pair management
Reviewed changes
Copilot reviewed 23 out of 25 changed files in this pull request and generated 20 comments.
| File | Description |
|---|---|
| frontend/src/app/services/e2ee.service.ts | New service implementing ECDH key exchange, AES-GCM encryption/decryption, device registration, and multi-identity management |
| frontend/src/app/services/web-socket.service.ts | Adds group message sending and subscription support for encrypted group chats |
| frontend/src/app/services/private-chat.service.ts | Adds endpoint to fetch devices for a private chat |
| frontend/src/app/pages/private-chat-dialog/private-chat-dialog.component.ts | Integrates E2EE service for message encryption/decryption and device management in private chats |
| frontend/src/app/models/dtos/DeviceDto.ts | New DTO representing a registered device with its public key |
| frontend/src/app/models/dtos/ChatMessageDto.ts | Updated to include optional e2eePayload and senderDeviceId fields for encrypted messages |
| backend/src/main/java/vaultWeb/services/DeviceService.java | New service handling device registration and public key management |
| backend/src/main/java/vaultWeb/services/ChatService.java | Removes server-side decryption, now validates and stores E2EE payloads |
| backend/src/main/java/vaultWeb/services/DashboardService.java | Updates message preview logic to return placeholder text instead of decrypted content |
| backend/src/main/java/vaultWeb/controllers/DeviceController.java | New controller providing device registration endpoint |
| backend/src/main/java/vaultWeb/controllers/ChatController.java | Updates message handlers to work with encrypted payloads instead of decrypted content |
| backend/src/main/java/vaultWeb/controllers/PrivateChatController.java | Adds device endpoint for private chats, updates message retrieval to return encrypted payloads |
| backend/src/main/java/vaultWeb/controllers/GroupController.java | Adds device endpoint for group chats to support group encryption |
| backend/src/main/java/vaultWeb/repositories/DeviceRepository.java | New repository for device persistence and queries |
| backend/src/main/java/vaultWeb/models/Device.java | New entity representing a user device with deviceId and public key |
| backend/src/main/java/vaultWeb/models/ChatMessage.java | Replaces cipherText/iv fields with e2eePayload and senderDeviceId |
| backend/src/main/java/vaultWeb/dtos/DeviceDto.java | DTO for device data transfer with mapping from entity |
| backend/src/main/java/vaultWeb/dtos/DeviceRegistrationRequest.java | Request DTO for device registration with validation |
| backend/src/main/java/vaultWeb/dtos/ChatMessageDto.java | Updates to support E2EE fields, removes validation constraints for backward compatibility |
| backend/src/main/java/vaultWeb/exceptions/EncryptionFailedException.java | Adds constructor accepting message-only for E2EE validation failures |
| backend/src/main/java/vaultWeb/security/EncryptionUtil.java | Deleted - server-side encryption utility no longer needed |
| backend/src/main/java/vaultWeb/config/EncryptionConfig.java | Deleted - configuration for server-side encryption removed |
| backend/src/main/resources/application.properties | Removes master encryption key property |
| backend/src/main/resources/application-dev.yml | Adds SSL configuration for secure WebSocket connections in development |
| .gitignore | Removes application-dev.yml from ignore list to track SSL configuration |
@DenizAltunkapan I've opened a new pull request, #176, to work on those changes. Once the pull request is ready, I'll request review from you.
Pull request overview
Copilot reviewed 26 out of 26 changed files in this pull request and generated 7 comments.
Comments suppressed due to low confidence (1)
frontend/src/app/pages/private-chat-dialog/private-chat-dialog.component.ts:258
- Public component methods in this codebase typically declare an explicit `: void` return type. `toggleSearch()` is missing the return type annotation; please align it with the surrounding methods (`ngOnInit(): void`, `applySearch(): void`, etc.).

```ts
toggleSearch() {
  this.isSearchOpen = !this.isSearchOpen;
```
…ew login structure
Pull request overview
Copilot reviewed 55 out of 55 changed files in this pull request and generated 7 comments.
…y Copilot review fixes

Apply and productionize key Copilot review suggestions across backend and frontend:
- optimize E2EE base64 encoding to avoid O(n²) string concatenation
- add defensive auth null-check in device registration endpoint
- return 400 for invalid chat payload input (missing/blank e2eePayload or senderDeviceId)
- add @Valid to group WebSocket message handler for consistent DTO validation
- improve dashboard keyboard accessibility (Enter + Space activation)

Also aligned tests with the new validation behavior and kept error responses sanitized.

Co-authored-by: github-copilot[bot] <github-copilot[bot]@users.noreply.github.com>
Pull request overview
Copilot reviewed 55 out of 55 changed files in this pull request and generated 6 comments.
This PR introduces the first step toward secure E2EE and intentionally splits the work across multiple PRs for clarity. It replaces the server-side EncryptionUtil with client-side ECDH + AES-GCM encryption, adds device registration/discovery, and stores only ciphertext on the backend.
For a step-by-step explanation of the current v1 flow, see the docs in https://github.com/Vault-Web/server-docs/tree/main/vault-web/e2ee/01-basic-ecdh (these docs contain more details). This PR does not close the E2EE issue #98 because the implementation is still incomplete and not yet fully secure; it is the initial foundation only.
Closes #165
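
The ECDH + AES-GCM flow described in this PR, sketched with WebCrypto under Node.js as an added example; it is not code from the PR or from the Vault-Web project. The JSON layout inside `e2eePayload`, the use of `senderDeviceId` as AES-GCM additional authenticated data, the device ids and all function names are assumptions made for the illustration.

```javascript
// Added illustration; payload layout, AAD choice and names are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = wc, enc = new TextEncoder();
const b64 = (buf) => Buffer.from(buf).toString('base64');
const unb64 = (s) => new Uint8Array(Buffer.from(s, 'base64'));

// A device keeps its private key local and registers only the public key.
async function newDevice(deviceId) {
  const keys = await subtle.generateKey(
    { name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveKey']);
  return { deviceId, privateKey: keys.privateKey,
           publicJwk: await subtle.exportKey('jwk', keys.publicKey) };
}

// Both sides derive the same AES-256-GCM key from (own private, peer public).
async function sharedKey(ownPrivateKey, peerPublicJwk) {
  const peer = await subtle.importKey(
    'jwk', peerPublicJwk, { name: 'ECDH', namedCurve: 'P-256' }, false, []);
  return subtle.deriveKey({ name: 'ECDH', public: peer }, ownPrivateKey,
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns what the backend would store: opaque payload plus sender device id.
async function encryptFor(sender, recipientPublicJwk, plaintext) {
  const key = await sharedKey(sender.privateKey, recipientPublicJwk);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per message
  const ct = await subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(sender.deviceId) },
    key, enc.encode(plaintext));
  return { senderDeviceId: sender.deviceId,
           e2eePayload: JSON.stringify({ iv: b64(iv), ct: b64(ct) }) };
}

// Rejects if the ciphertext, IV or senderDeviceId was altered after encryption.
async function decryptFrom(recipient, senderPublicJwk, msg) {
  const key = await sharedKey(recipient.privateKey, senderPublicJwk);
  const { iv, ct } = JSON.parse(msg.e2eePayload);
  const pt = await subtle.decrypt(
    { name: 'AES-GCM', iv: unb64(iv), additionalData: enc.encode(msg.senderDeviceId) },
    key, unb64(ct));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const a = await newDevice('device-a'), b = await newDevice('device-b'); // constructed ids
  const msg = await encryptFor(a, b.publicJwk, 'hello');
  return { a, b, msg, clear: await decryptFrom(b, a.publicJwk, msg) };
}
demo().then((r) => console.log(r.msg, r.clear));
```
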