arcusiridis/content/projects/chatto-a-self-hosted-e2ee-chat-application.md

+++
title = "Chatto - A Self Hosted E2EE Chat Application"
date = "2020-06-01T15:02:07+05:30"
disable_comments = true
draft = false

categories = [

    "Projects"

]
tags = [

    "java",
    "spring-boot",
    "hibernate",
    "self-hosted",
    "e2ee",
    "encryption",
    "typescript"

]

[menu]

    [menu.main]
    parent = "Projects"
    name = "Chatto"

+++
Chatto is a self hosted, end to end encrypted chat application. 

[Repository](https://git.arcusiridis.com/nova/Chatto)
[Documentation](https://git.arcusiridis.com/nova/Chatto/wiki)

## Key Features

1. Open Source, Self Hosted
2. Messages are encrypted end to end using AES GCM encryption (paramters like keysize can be configured)
3. No personal information such as names or email required
4. Does not rely on any external services like auth services, mail servers or captcha services
5. You are in control of your data.
6. Backend exposes a JSON API that can be used by third party clients
7. The chat messages support markdown

## Technical Features

1. Made with Java, Spring Boot and Hibernate
2. Front end is made with Thymeleaf templates and uses AJAX(written in TypeScript) to provide dynamic functionality
3. All password are stored hashed using Bcrypt
4. Uses a custom token based authentication scheme making use of Spring Security. Tokens are cached using EhCache
5. Care has been taken to safeguard against attacks like CSRF and XSS 

   * Server side cookies are protected against CSRF using CSRF tokens
   * To protect the JSON API auth token against XSS, DomPurify is used to sanitize any user provided HTML
   * Server side DTO validation is used to sanitize user input

## Tech Stack

* **Backend** - Java, Spring Boot, Hibernate, Maven

 + Database migrations using flyway
 * Caching using EhCache

* **Frontend** - 
  + Server side templating - Thymeleaf
  + JS - TypeScript, Browserify (and plugins like tsify), Terser, Grunt, Yarn