feat(roomcrypto): direct AES-256-GCM room encryption; add client decoder

broadcast-worker/handler.go

@@ -39,10 +39,18 @@ type Handler struct {
 	pub       Publisher
 	keyStore  RoomKeyProvider
 	encrypt   bool
+	encoder   *roomcrypto.Encoder
 }
 
 func NewHandler(store Store, userStore userstore.UserStore, pub Publisher, keyStore RoomKeyProvider, encrypt bool) *Handler {
-	return &Handler{store: store, userStore: userStore, pub: pub, keyStore: keyStore, encrypt: encrypt}
+	return &Handler{
+		store:     store,
+		userStore: userStore,
+		pub:       pub,
+		keyStore:  keyStore,
+		encrypt:   encrypt,
+		encoder:   roomcrypto.NewEncoder(),
+	}
 }
 
 // HandleMessage processes a single MESSAGES_CANONICAL message payload.
@@ -207,7 +215,7 @@ func (h *Handler) encryptEditedContent(ctx context.Context, roomID string, edite
 	if err != nil {
 		return err
 	}
-	encrypted, err := roomcrypto.Encode(edited.NewContent, key.KeyPair.PublicKey, key.Version)
+	encrypted, err := h.encoder.Encode(roomID, edited.NewContent, key.KeyPair.PrivateKey, key.Version)
 	if err != nil {
 		return fmt.Errorf("encrypt edit content for room %s: %w", roomID, err)
 	}
@@ -251,7 +259,7 @@ func (h *Handler) publishChannelEvent(ctx context.Context, meta roommetacache.Me
 			return err
 		}
 
-		encrypted, err := roomcrypto.Encode(string(msgJSON), key.KeyPair.PublicKey, key.Version)
+		encrypted, err := h.encoder.Encode(meta.ID, string(msgJSON), key.KeyPair.PrivateKey, key.Version)
 		if err != nil {
 			return fmt.Errorf("encrypt message for room %s: %w", meta.ID, err)
 		}

broadcast-worker/handler_test.go

@@ -650,7 +650,7 @@ func TestHandler_HandleMessage_ChannelRoom_Encryption(t *testing.T) {
 		var env roomcrypto.EncryptedMessage
 		require.NoError(t, json.Unmarshal(evt.EncryptedMessage, &env))
 		assert.Equal(t, key.Version, env.Version)
-		assert.NotEmpty(t, env.EphemeralPublicKey)
+		assert.Empty(t, env.EphemeralPublicKey, "HKDF-only scheme does not use ephemeral public key")
 		assert.NotEmpty(t, env.Nonce)
 		assert.NotEmpty(t, env.Ciphertext)
 

broadcast-worker/testhelpers_test.go

@@ -3,7 +3,6 @@ package main
 import (
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/ecdh"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/json"
@@ -19,34 +18,26 @@ import (
 	"github.com/hmchangw/chat/pkg/roomkeystore"
 )
 
+// hkdfInfo is the HKDF info string used by the Encoder (HKDF-only scheme).
+const hkdfInfo = "room-message-encryption-v2"
+
 func testRoomKey(t *testing.T) *roomkeystore.VersionedKeyPair {
 	t.Helper()
-	priv, err := ecdh.P256().GenerateKey(rand.Reader)
+	buf := make([]byte, 32)
+	_, err := rand.Read(buf)
 	require.NoError(t, err)
 	return &roomkeystore.VersionedKeyPair{
 		Version: 3,
 		KeyPair: roomkeystore.RoomKeyPair{
-			PublicKey:  priv.PublicKey().Bytes(),
-			PrivateKey: priv.Bytes(),
+			PrivateKey: buf,
 		},
 	}
 }
 
 func decryptForTest(env *roomcrypto.EncryptedMessage, roomPrivateKey []byte) (string, error) {
-	privKey, err := ecdh.P256().NewPrivateKey(roomPrivateKey)
-	if err != nil {
-		return "", fmt.Errorf("parse room private key: %w", err)
-	}
-	ephPubKey, err := ecdh.P256().NewPublicKey(env.EphemeralPublicKey)
-	if err != nil {
-		return "", fmt.Errorf("parse ephemeral public key: %w", err)
-	}
-	sharedSecret, err := privKey.ECDH(ephPubKey)
-	if err != nil {
-		return "", fmt.Errorf("ecdh: %w", err)
-	}
+	// New HKDF-only scheme: derive AES key directly from the room private key.
 	aesKey := make([]byte, 32)
-	hkdfReader := hkdf.New(sha256.New, sharedSecret, nil, []byte("room-message-encryption"))
+	hkdfReader := hkdf.New(sha256.New, roomPrivateKey, nil, []byte(hkdfInfo))
 	if _, err := io.ReadFull(hkdfReader, aesKey); err != nil {
 		return "", fmt.Errorf("hkdf: %w", err)
 	}

chat-frontend/scripts/gen-crypto-fixtures.go

@@ -0,0 +1,67 @@
+//go:build ignore
+
+// gen-crypto-fixtures generates a known-plaintext encrypted message for
+// chat-frontend's lib/roomcrypto round-trip tests. Run with:
+//
+//	go run chat-frontend/scripts/gen-crypto-fixtures.go > chat-frontend/test/fixtures/encrypted-message.json
+//
+// Commit the output. The fixture exists to lock the cross-language wire
+// format: any change in the server encoder's HKDF parameters or wire
+// shape MUST update this fixture together with the corresponding TS
+// decoder.
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/hmchangw/chat/pkg/roomcrypto"
+)
+
+func main() {
+	// Deterministic private key so the fixture is stable across runs.
+	priv := make([]byte, 32)
+	for i := range priv {
+		priv[i] = byte(i + 1)
+	}
+	const plaintext = "fixture plaintext — encoded by the Go server, decoded by chat-frontend"
+	const version = 1
+	const roomID = "fixture-room"
+
+	// Construct an Encoder with a fixed-nonce reader so the ciphertext is
+	// reproducible. Twelve-byte zero nonce is fine for a fixture (it's a
+	// known-key test, not real traffic).
+	enc := roomcrypto.NewEncoder(roomcrypto.WithRand(zeroReader{}))
+	msg, err := enc.Encode(roomID, plaintext, priv, version)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "encode:", err)
+		os.Exit(1)
+	}
+
+	out := struct {
+		PrivateKey string                       `json:"privateKey"`
+		Plaintext  string                       `json:"plaintext"`
+		Message    *roomcrypto.EncryptedMessage `json:"message"`
+	}{
+		PrivateKey: base64.StdEncoding.EncodeToString(priv),
+		Plaintext:  plaintext,
+		Message:    msg,
+	}
+	data, err := json.MarshalIndent(out, "", "  ")
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "marshal:", err)
+		os.Exit(1)
+	}
+	fmt.Println(string(data))
+}
+
+type zeroReader struct{}
+
+func (zeroReader) Read(p []byte) (int, error) {
+	for i := range p {
+		p[i] = 0
+	}
+	return len(p), nil
+}

chat-frontend/src/App.jsx

@@ -1,5 +1,6 @@
 import { useEffect, useState, useCallback } from 'react'
 import { NatsProvider, useNats } from '@/context/NatsContext'
+import { RoomKeysProvider } from '@/context/RoomKeysContext'
 import { RoomEventsProvider } from '@/context/RoomEventsContext'
 import { ThreadEventsProvider } from '@/context/ThreadEventsContext'
 import LoginPage from '@/pages/LoginPage'
@@ -35,11 +36,13 @@ function AppContent() {
   }
 
   return (
-    <RoomEventsProvider>
-      <ThreadEventsProvider>
-        <MainApp />
-      </ThreadEventsProvider>
-    </RoomEventsProvider>
+    <RoomKeysProvider>
+      <RoomEventsProvider>
+        <ThreadEventsProvider>
+          <MainApp />
+        </ThreadEventsProvider>
+      </RoomEventsProvider>
+    </RoomKeysProvider>
   )
 }
 

chat-frontend/src/api/_transport/subjects.test.js

@@ -1,6 +1,7 @@
 import { describe, it, expect } from 'vitest'
 import {
   userRoomEvent,
+  userRoomKey,
   roomEvent,
   memberAdd,
   memberRemove,
@@ -21,6 +22,7 @@ import {
   userSubscriptionGetApps,
   userSubscriptionGetRooms,
   userSubscriptionCount,
+  roomsKeysBootstrap,
 } from './subjects'
 
 describe('subjects', () => {
@@ -135,5 +137,16 @@ describe('subjects', () => {
       'chat.user.alice.request.user.site-A.subscription.count'
     )
   })
+})
 
+describe('userRoomKey', () => {
+  it('builds the per-user room-key event subject', () => {
+    expect(userRoomKey('alice')).toBe('chat.user.alice.event.room.key')
+  })
+})
+
+describe('roomsKeysBootstrap', () => {
+  it('builds the per-user keys-bootstrap RPC subject', () => {
+    expect(roomsKeysBootstrap('alice')).toBe('chat.user.alice.request.rooms.keys')
+  })
 })

chat-frontend/src/api/_transport/subjects.ts

@@ -37,6 +37,10 @@ export function roomsGet(account: string, roomId: string): string {
   return `chat.user.${account}.request.rooms.get.${roomId}`
 }
 
+export function roomsKeysBootstrap(account: string): string {
+  return `chat.user.${account}.request.rooms.keys`
+}
+
 // roomCreate is the room-service create subject. The site segment is the
 // requester's site — room-service queue-subscribes on its own siteID, so a
 // caller from site-A always lands its create on the site-A room-service.
@@ -56,6 +60,10 @@ export function userRoomEvent(account: string): string {
   return `chat.user.${account}.event.room`
 }
 
+export function userRoomKey(account: string): string {
+  return `chat.user.${account}.event.room.key`
+}
+
 export function memberAdd(account: string, roomId: string, siteId: string): string {
   return `chat.user.${account}.request.room.${roomId}.${siteId}.member.add`
 }

chat-frontend/src/api/fetchRoomKeysBootstrap/index.test.ts

@@ -0,0 +1,14 @@
+import { describe, it, expect, vi } from 'vitest'
+import { fetchRoomKeysBootstrap } from './index'
+
+describe('fetchRoomKeysBootstrap', () => {
+  it('issues a request on chat.user.{account}.request.rooms.keys with an empty payload and returns the parsed RoomKeysResponse', async () => {
+    const request = vi.fn().mockResolvedValue({ keys: [{ roomId: 'r1', version: 7, privateKey: 'AAAA' }] })
+    const nats = { request, user: { account: 'alice', id: '' }, subscribe: vi.fn(), publish: vi.fn(), requestWithAsyncResult: vi.fn(), connected: true, error: null }
+
+    const got = await fetchRoomKeysBootstrap(nats as never)
+
+    expect(request).toHaveBeenCalledWith('chat.user.alice.request.rooms.keys', {})
+    expect(got).toEqual({ keys: [{ roomId: 'r1', version: 7, privateKey: 'AAAA' }] })
+  })
+})

chat-frontend/src/api/fetchRoomKeysBootstrap/index.ts

@@ -0,0 +1,10 @@
+import { roomsKeysBootstrap } from '../_transport/subjects'
+import type { Nats, RoomKeysResponse } from '../types'
+
+/** Fetch the full snapshot of (roomId, version, privateKey) for every
+ *  room the caller is subscribed to. Call once on (re)connect. */
+export function fetchRoomKeysBootstrap(
+  { request, user }: Pick<Nats, 'request' | 'user'>,
+): Promise<RoomKeysResponse> {
+  return request<RoomKeysResponse>(roomsKeysBootstrap(user.account), {})
+}

chat-frontend/src/api/index.ts

@@ -16,6 +16,7 @@ export { createRoom } from './createRoom'
 export { deleteMessage } from './deleteMessage'
 export { editMessage } from './editMessage'
 export { fetchMessageHistory } from './fetchMessageHistory'
+export { fetchRoomKeysBootstrap } from './fetchRoomKeysBootstrap'
 export { fetchReadReceipt } from './fetchReadReceipt'
 export { fetchSidebarBuckets } from './fetchSidebarBuckets'
 export { fetchSurroundingMessages } from './fetchSurroundingMessages'
@@ -32,6 +33,7 @@ export { searchRooms } from './searchRooms'
 export { sendMessage } from './sendMessage'
 export { subscribeToRoomEvents } from './subscribeToRoomEvents'
 export { subscribeToRoomMetadataUpdates } from './subscribeToRoomMetadataUpdates'
+export { subscribeToRoomKeyEvents } from './subscribeToRoomKeyEvents'
 export { subscribeToSubscriptionUpdates } from './subscribeToSubscriptionUpdates'
 export { subscribeToUserRoomEvents } from './subscribeToUserRoomEvents'
 export { updateMemberRole } from './updateMemberRole'
@@ -72,4 +74,7 @@ export type {
   ChannelRef,
   HistoryConfig,
   HistoryMode,
+  RoomKeyEvent,
+  RoomKeysEntry,
+  RoomKeysResponse,
 } from './types'

chat-frontend/src/api/subscribeToRoomKeyEvents/index.test.ts

@@ -0,0 +1,15 @@
+import { describe, it, expect, vi } from 'vitest'
+import { subscribeToRoomKeyEvents } from './index'
+
+describe('subscribeToRoomKeyEvents', () => {
+  it('subscribes to chat.user.{account}.event.room.key with the given callback', () => {
+    const subscribe = vi.fn().mockReturnValue({ unsubscribe: vi.fn() })
+    const nats = { subscribe, user: { account: 'alice', id: '' }, request: vi.fn(), publish: vi.fn(), requestWithAsyncResult: vi.fn(), connected: true, error: null }
+    const cb = vi.fn()
+
+    const sub = subscribeToRoomKeyEvents(nats as never, cb)
+
+    expect(subscribe).toHaveBeenCalledWith('chat.user.alice.event.room.key', cb)
+    expect(sub).toBeDefined()
+  })
+})

chat-frontend/src/api/subscribeToRoomKeyEvents/index.ts

@@ -0,0 +1,10 @@
+import { userRoomKey } from '../_transport/subjects'
+import type { Nats, NatsSubscription, SubscriptionCallback } from '../types'
+
+/** Subscribe to the calling user's room-key event stream. */
+export function subscribeToRoomKeyEvents(
+  { subscribe, user }: Pick<Nats, 'subscribe' | 'user'>,
+  callback: SubscriptionCallback,
+): NatsSubscription {
+  return subscribe(userRoomKey(user.account), callback)
+}

chat-frontend/src/api/types.ts

@@ -262,6 +262,31 @@ export interface SubscriptionUpdateEvent {
   timestamp: number
 }
 
+/**
+ * Mirrors pkg/model.RoomKeyEvent — payload of
+ * chat.user.{account}.event.room.key. PrivateKey is base64-encoded on
+ * the wire (Go's encoding/json default for []byte). PublicKey is
+ * omitted from the client wire payload.
+ */
+export interface RoomKeyEvent {
+  roomId: string
+  version: number
+  privateKey: string  // base64
+  timestamp: number
+}
+
+/** One entry in RoomKeysResponse — see pkg/model.RoomsKeysEntry. */
+export interface RoomKeysEntry {
+  roomId: string
+  version: number
+  privateKey: string  // base64
+}
+
+/** Response to roomsKeysBootstrap RPC — see pkg/model.RoomsKeysResponse. */
+export interface RoomKeysResponse {
+  keys: RoomKeysEntry[]
+}
+
 /** Two-phase async-job result returned by `requestWithAsyncResult`. */
 export interface AsyncJobResult<S = unknown, A = unknown> {
   requestId: string

chat-frontend/src/components/MainApp/MainApp.integration.test.jsx

@@ -23,6 +23,12 @@ import MainApp from './MainApp'
 // If this test passes but the user reports the panel doesn't appear, the
 // remaining suspects are CSS clipping or browser-specific (nginx caching).
 
+// RoomEventsProvider calls useRoomKeys() internally. Stub it so this test
+// doesn't need a real RoomKeysProvider (which would try to connect to NATS).
+vi.mock('@/context/RoomKeysContext', () => ({
+  useRoomKeys: () => ({ decrypt: async () => null, hasKey: () => false }),
+}))
+
 vi.mock('./AppHeader/AppHeader', () => ({
   default: ({ onSelectRoom }) => (
     <header>

chat-frontend/src/context/RoomEventsContext/RoomEventsContext.test.jsx

@@ -6,6 +6,14 @@ import { RoomEventsProvider, useRoomEvents, useRoomSummaries, useSidebarSections
 import { BUFFER_MODE } from './reducer'
 // jumpToMessage / resetToLiveTail tests — see suite below
 
+// RoomEventsContext now calls useRoomKeys() internally. Stub it out so tests
+// don't need a real RoomKeysProvider (which would try to connect to NATS and
+// fetch key material). The no-op decrypt matches the default used in
+// useRoomSubscriptions when no key is available.
+vi.mock('@/context/RoomKeysContext', () => ({
+  useRoomKeys: () => ({ decrypt: async () => null, hasKey: () => false }),
+}))
+
 /** Turn an inline "room-shaped" fixture into a subscription record that
  *  the new bootstrap (3 subscription RPCs) returns. The real user-service
  *  embeds room metadata (userCount, lastMsgAt) inline on each subscription