Chatto - A Self Hosted E2EE Chat Application
Published: Estimated Reading Time: ~2 minutes
Chatto is a self hosted, end to end encrypted chat application.
Key Features
- Open Source, Self Hosted
- Messages are encrypted end to end using AES GCM encryption (paramters like keysize can be configured)
- No personal information such as names or email required
- Does not rely on any external services like auth services, mail servers or captcha services
- You are in control of your data.
- Backend exposes a JSON API that can be used by third party clients
- The chat messages support markdown
Technical Features
- Made with Java, Spring Boot and Hibernate
- Front end is made with Thymeleaf templates and uses AJAX(written in TypeScript) to provide dynamic functionality
- All password are stored hashed using Bcrypt
- Uses a custom token based authentication scheme making use of Spring Security. Tokens are cached using EhCache
Care has been taken to safeguard against attacks like CSRF and XSS
- Server side cookies are protected against CSRF using CSRF tokens
- To protect the JSON API auth token against XSS, DomPurify is used to sanitize any user provided HTML
- Server side DTO validation is used to sanitize user input
Tech Stack
Backend - Java, Spring Boot, Hibernate, Maven
- Database migrations using flyway
- Caching using EhCache
Frontend -
- Server side templating - Thymeleaf
- JS - TypeScript, Browserify (and plugins like tsify), Terser, Grunt, Yarn
- Templating using Handlebars
Preview
Design
- Full layout
Design adapted from bootsnip
Mobile layout
The UI uses bootstrap grid system for a fully responsive layout. This is how it might look on a mobile screen -Infinite scroll
E2EE Passphrase
Note - passphrase is not stored on the server, or anywhere other than client’s memory. The app simply checks whether decryption was successful to determine whether the passphrase is correct.
Markdown in chat
User search