Quasar Secure is a real-time messaging application designed under Zero Trust principles. The system provides end-to-end encryption (E2EE) ensuring data confidentiality and security throughout all communications. Audio, video, and screen sharing are managed through peer-to-peer WebRTC connections, eliminating centralized routers to minimize the attack surface.
The project is divided into a backend structured for high security and a lightweight frontend:
- Backend: Developed in Node.js (version 20.x). Uses Socket.io for real-time signaling and event management, along with the native HTTP module.
- Database: SQLite managed via the `better-sqlite3` and `sql.js` libraries, with encryption support and optimized WAL mode.
- Frontend: Implemented with Vanilla JS and React components, ensuring a reactive interface without excessive third-party package dependencies on the client side.
- Communications: Native WebRTC (P2P) for audio and video. Robust JWT-based authentication and strict HTTPOnly cookie validation.
- Integrated Security: File Integrity Monitoring (FIM), protection against timing attacks in hash comparison, and injection mitigation through rigorous Content-Security-Policy (CSP) enforcement.
Before proceeding with installation, the following are required:
- Node.js version 20.x or higher.
- npm (Node Package Manager).
- Generation of an RSA key pair for system administration.
- Clone the repository and navigate to the directory.
- Install project dependencies:
  `npm install`
- RSA Key Generation: The system requires an RSA key pair to verify administrative access. Run the following commands to generate the required keys and store them in the `backend/` directory:
  `openssl genrsa -out backend/admin_private.pem 2048`
  `openssl rsa -in backend/admin_private.pem -pubout -out backend/admin_public.pem`
The configuration system is strict and will fail if the proper credentials are not provided in a production environment. Create a `.env` file in the project root or configure the environment variables on the system:
- `JWT_SECRET`: Secure string used to sign JSON Web Tokens.
- `ADMIN_PASSWORD_HASH`: Cryptographic hash of the administrator password.
- `DB_SECRET`: Symmetric encryption key for the database (optional in development, mandatory in production).
- `NODE_ENV`: Set to `production` to enable strict security policies (FIM, enforced HTTPS).
- `PORT`: HTTP server listening port (default: 8080).
To start the application, use the script defined in the package:
`npm start`
This command starts the Node.js server, launching the chat system and WebRTC signaling synchronization.
In local development and testing environments, a tunnel can be used through the auxiliary script when applicable, although the official and recommended entry point is `npm start`, which executes `backend/index.js`.
- `/backend`: Contains server logic, security modules (`auth.js`, `config.js`), and the entry point `index.js`.
- `/frontend`: React source components and interface resources.
- `/public`: Vanilla JS, CSS, and image static files served directly by the backend to clients.
- `start-secure.js`: Auxiliary script for deployments with Ngrok or Cloudflare (used depending on specific network requirements).
Developed by Eduardo "Noir0x63" Camarillo noir0x63.github.io