EekChat - a secure online chatroom
EekChat!
Recently, I've been seeing more and more chatrooms on Repl.it, so I guess I'll add mine to the list.
My friends and I usually used Gmail for conversations, but it tended to be slow at responding, and since almost everything was blocked on school computers, it was our only way to communicate "quickly". So I decided to make EekChat! It's a basic chatting application written in JavaScript with node.js and socket.io.
UPDATE
I rewrote all of the server and client script code, and with this, we have the following changes:
- 12/24/2020: Chatroom should be fixed :)
- Repl.it authentication, no more need to log in with your Google account!
- Way fewer bugs and random crashes!
- Optimizations
- Way cleaner code
- Profanity is censored
- All of the account verification is done solely on the server: the server takes the username from Repl.it's auth headers and ignores any name the client sends, so a client cannot pick its own name or impersonate another user.
- The Send button works!
Features
- Markdown support!
- Anti-hack
- Censors
- Anti-spam
- Repl.it login
- <script> and HTML elements are blocked!
- "X person is typing..." box
- Chat saves
- Automatic re-logon
- (Coming soon): Messages and login data saved will be encrypted
- In forked Repls with custom group members set, theoretically it should be difficult for outsiders to join
DISCLAIMER
Here are some things you may want to be aware of when using this app:
- As noted above under "Chat saves", messages are saved indefinitely and can be viewed by others long after you leave the chatroom. Keep this in mind when writing messages.
- Messages are encrypted in transit (HTTPS), but the saved chat log is stored in plain text on the server.
Have fun!
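As an added example (not EekChat's own server code, which the post does not show), here is the server-side design the update describes: the username is read from Repl.it's auth headers when the socket connects, stored on the socket by the server, and used for every message, so the name/profileImg/time fields a client sends are ignored; message text is HTML-escaped and messages are rate-limited per socket. The header names x-replit-user-id and x-replit-user-name are Repl Auth's; the 5-per-second limit, the 2000-character cap and the attachChat wiring are assumptions. One caveat worth stating: those headers are only trustworthy because Repl.it's proxy sets them for logged-in users and strips client-supplied copies; the same code behind any other front end would be trivially spoofable.

```javascript
// Added example, not EekChat's code. Server-side identity binding, HTML
// escaping and per-socket rate limiting for a socket.io chat. Header names
// are Repl Auth's; limits and the wiring helper are assumptions.

// Repl.it's proxy sets these for logged-in users and strips any copies a
// client sends, so they are trustworthy only while traffic really comes
// through that proxy. Behind any other front end they would be spoofable.
const USER_ID_HEADER = 'x-replit-user-id';
const USER_NAME_HEADER = 'x-replit-user-name';

// Returns { id, name } from the handshake headers, or null when not logged in.
function identityFromHeaders(headers) {
  const id = headers[USER_ID_HEADER];
  const name = headers[USER_NAME_HEADER];
  if (!id || !name) return null;
  return { id: String(id), name: String(name) };
}

// Escapes text for insertion into HTML; this is what blocks <script> and
// every other element a user might type.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Fixed-window limiter keyed by socket id: at most `limit` messages per
// `windowMs`. `now` is a parameter so the behaviour is testable without sleeping.
function createRateLimiter(limit, windowMs) {
  const buckets = new Map(); // socketId -> { start, count }
  return {
    allow(socketId, now = Date.now()) {
      let b = buckets.get(socketId);
      if (!b || now - b.start >= windowMs) {
        b = { start: now, count: 0 };
        buckets.set(socketId, b);
      }
      b.count += 1;
      return b.count <= limit;
    },
    forget(socketId) { buckets.delete(socketId); },
  };
}

// Builds the message that will be broadcast. Only `msg` is read from the
// client payload; name, id and time come from server-side state, so a client
// that sends its own name/profileImg/time fields is simply ignored.
function buildMessage(identity, payload, now = new Date()) {
  const text = payload && typeof payload.msg === 'string' ? payload.msg : '';
  return {
    name: identity.name,
    userId: identity.id,
    msg: escapeHtml(text.slice(0, 2000)), // assumed length cap
    time: now.toISOString(),
  };
}

// Wires the pieces onto a socket.io server (anything with use()/on()/emit()).
// Returns the in-memory log so callers (and tests) can inspect what was stored.
function attachChat(io, { limiter = createRateLimiter(5, 1000), log = [] } = {}) {
  io.use((socket, next) => {
    const identity = identityFromHeaders(socket.handshake.headers || {});
    if (!identity) return next(new Error('not logged in'));
    socket.identity = identity; // set by the server; the client cannot change it
    next();
  });
  io.on('connection', socket => {
    socket.on('msg', payload => {
      if (!limiter.allow(socket.id)) return; // drop silently; do not echo back
      const m = buildMessage(socket.identity, payload);
      log.push(m);
      io.emit('msg', m);
    });
    socket.on('disconnect', () => limiter.forget(socket.id));
  });
  return log;
}
```

In a real server the io passed to attachChat is the socket.io instance; because the middleware rejects handshakes without the headers, a devtools client that is not logged in never gets a socket at all, and one that is logged in can only ever post under its own Repl.it name.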
@tussiez Sry, but this doesn't work :/
@RyanGardiner1 Used to... I’ll try to fix it later today. Stay tuned! :)
Error: ENOENT: no such file or directory, stat '/home/runner/EekChatlogin.html'
@johnnyfrancis I have no idea what's pointing to that file, but it doesn't exist. The error is harmless though..
@tussiez hmm. Thats weird
This is great! Could use some CSS though...
@Squirrel777 Yeah, I kept it simple.
Who here is "Santa Claus" in the chat?!
Great chat program though
Maybe add a way to change your name viewed, instead of creating a fake Google account?
Do we have to sign in with google? What about using repl auth? ;)
and maybe a favicon?
and why is everything squished to that side lol? center it, make it longer!!
try making the text box a bit nicer, and a bit higher up so it kinda "connects" with the chats above.
You could also try adding markdown.
And also the ability to either choose a name that will display as your username as some folks don't really want to use their google account name. And what if you don't have google...
and maybe a language filter for bad words..?
Anyways pretty good job! :D
- Yeah, I'll have to familiarize myself with Repl.it authentication
- It was written quickly since I was tired of Gmail, so it isn't super polished
- It should have been centered. Weird, I'll look into it later.
- Again, I wrote this in a night or two, it has pretty simplistic CSS.
- Sure!
- I'll probably add this with Repl auth
- Sure!
- Yay! Thanks for the review
this is funny to a normal person not that funny to a coder
@CyberHacker101 FLOAT:NONE
eh it really looks like a deformed cat @tussiez
Hey, wanna see something I made? @tussiez
@CyberHacker101 css programmers in a nutshell
Hmmm, how's sorta-craft?
@CyberHacker101 We're working on gravity (I'm collaborating with tussiez). Later on we might make a saving option...
Hmmm goood I'm working on Minecraft clone try 6842 mk 2kxY343 @Baconman321
@CyberHacker101 What do you mean by 23427r2u9g
@CyberHacker101 ? Wut are you trying to say?
@Baconman321 I have no idea
Idk https://repl.it/join/mgiwabby-cyberhacker101 ( i was bored) @Baconman321
Your chat is broken, uh, I really think it's not a good idea to let people log in with Google, ig it's better if you make it log in with Repl or let you change your username
And this is very good for people who want to stay anonymous. @tussiez
@CyberHacker101 Yeah, it was intended to be a private chat.
I'm fixing the anti-spam, please wait
well just dont change the part where you can change your name @tussiez
@CyberHacker101 You can't
How did u do google verification?! :O
@Baconman321 Pretty easy, actually!
https://developers.google.com/identity/sign-in/web/sign-in
well you still don't know my first name eh
Hmm, will my comments stay on there? @tussiez
@CyberHacker101 I've wiped the chat a few times already
ooof @tussiez
also this came up... Authorization Error
Error 400: redirect_uri_mismatch
The JavaScript origin in the request, https://eekchat--tussiez.repl.co, does not match the ones authorized for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/${your_client_id}?project=${your_project_number} to update the authorized JavaScript origins.
Learn more
@CyberHacker101 Try https://eekchat.tussiez.repl.co, I've registered it on OAuth as that.
I don't want to login with google
@CyberHacker10 It was intended to be a private chat, but that's K! I'll see if I can disable it but will probably break something else
yo it says my full real name @tussiez
@CyberHacker101 yeah, I made a fake Google account for this
I don't want to be exposed @tussiez
Ehh nah just tell me how to sign out @tussiez
@CyberHacker101 Close the tab, your information shouldn't be saved
Umm to much [email protected]
Please!There's too much
~PROJECT ABANDONED~
@CyberHacker101 Lol, replit had too many save issues
bro I've never seen someone use a comma in replit are you ok? @tussiez
@CyberHacker101 Lol huh
Yeah forget what i said lol @tussiez
how did you get image and video support? can you tell me where to go to learn how to do this?
@DerpBurgerPlayz video support?
@tussiez aaaa sorryyy
@tussiez image support~
@DerpBurgerPlayz lol, but i can help
@DerpBurgerPlayz Send an image URL on server, client makes an img element and displays
@tussiez wat -confused derp noises-
-
Send the url of the image e.g https://hey.foodandmoarfood.repl.co/img/wheat.png
-
On the website, load the img
const makeImage = (url) => {
  return new Promise((resolve, reject) => {
    let img = document.createElement('img');
    img.setAttribute('src', url);
    img.onload = () => { resolve(img); };
    img.onerror = () => { reject(new Error('could not load ' + url)); }; // reject on failure so the promise never hangs
  });
};
@tussiez ur a god, thank you!
@DerpBurgerPlayz Yay, np
[email protected] oofs, it wont work thanks for the help!
@tussiez in return for helping me, do you want me to tell you how to make a basic custom context menu?
@DerpBurgerPlayz F, here's another
function img(url) {
  let im = document.createElement('img');
  im.setAttribute('src', url);
  document.body.appendChild(im);
  return im;
}
img('https://hey.foodandmoarfood.repl.co/img/wheat.png');
Try that
@Baconman321 EekChat is back!
@tussiez I made the web server tutorial!
@Baconman321 Awesome!
When you open this on another tab in doesn't work
@CyberHacker101 weird
Hmmmm what you doing on the multiplayer test thing? @tussiez
@CyberHacker101 A test
I don't know man .. I am a Java guy
i get an error when i try to join:
Error: ENOENT: no such file or directory, stat '/home/runner/EekChatlogin.html'
@inyourface3445 Working on it!
@inyourface3445 try: https://EekChat.tussiez.repl.co
However this error pops up in Safari. Try Chrome
@tussiez it still happens:
Error: ENOENT: no such file or directory, stat '/home/runner/EekChatlogin.html'
using Chrome on a Mac mini, also happens on Firefox, Safari and Chromium
@inyourface3445 Maybe a Mac issue? Idk
try
https://eekchat.tussiez.repl.co/login
Yoo tussiez ya fixed it. I can help with the CSS I really got a good idea with the profile pic
@CyberHacker101 Yay and sure!
Why do u keep leaving and coming? @tussiez
@CyberHacker101 Replying to comments
To fix impersonating, set socket.username as the username on the serverside, then you can just read it on every request instead of giving the client control over it
@ironblockhd Did that yesterday :)
@tussiez @Baconman321 Ima work on the chat tomorrow
@CyberHacker101 Sure!
Pretty cool! But there is an error with the google login :(
@tussiez yoooooo I just noticed that ur profile pic looks like a deformed cat
@CyberHacker101 It's wheat oof
I have been exposed. @tussiez DON'T TELL ANYONE OR YOU WILL HAVE 10 HARD LONG YEARS OF BAD LUCK YOU UNDERSTAND?!??!
@CyberHacker101 What do you mean?
So I have been trying to clone Minecraft a billion times and after that many tries, I change each name @tussiez
wait a sec let me invite ya @tussiez
@CyberHacker101 ah yes
This can be spammed to [censored by @programmeruser] with devtools console:
const socket = io();
Array(1000).fill(null).forEach((_, i) => socket.emit('msg', {
  name: 'Someone',
  profileImg: 'https://repl.it',
  msg: String(i + 1),
  time: 'Sorry (can you put a rate limit on msgs?)',
}));
@programmeruser lol
Fixing right now, thanks for telling me about the hack!
@programmeruser That's why I now put everything in an anonymous function XD.
@Baconman321 you can just use the io() function to get a reference to a socket.
@programmeruser Can't they just use that then?
@Baconman321 The anti-spam is server side
@tussiez Good idea. That way they can't tamper with it client side!
@Baconman321 it's so easy to impersonate people
const socket = io();
socket.emit('msg', {
  name: "tussiez's testaccount",
  profileImg: 'https://lh6.googleusercontent.com/-dgT6Ex2alT0/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclrj2vdCjdQSgn1o71wgTFdbZZzdQ/s96-c/photo.jpg',
  msg: 'Hi there!',
  time: new Date().toLocaleString('en-US', { timeZone: 'America/New_York' }),
});
@Baconman321 You can impersonate people though, will be fixing that with sign-on keys or something
@programmeruser adding signon "keys" thanks again
It sounds sarcastic but this is super helpful
@programmeruser If he doesn't enforce strict checking (seeing if that user is in fact registered), then yeah it's quite easy. I don't think encrypting would do the trick, as people can just send the encrypted message. Might want to set a session token so as to make sure people don't impersonate you. That would require bit of effort though...
@tussiez Like I mentioned to programmeruser, use session tokens and send that to server-side to make sure people can't impersonate you without the token.
@tussiez also, image xss:
const socket = io();
socket.emit('msg', {
  name: "tussiez's testaccount",
  profileImg: 'https://repl.it/logout',
  msg: 'Hi there!',
  time: new Date().toLocaleString('en-US', { timeZone: 'America/New_York' }),
});
Check the MIME type of the url:
const url = 'https://repl.it/logout'; // or whatever the url is
(async () => {
  const res = await fetch(url);
  const type = res.headers.get('Content-Type') || ''; // header may be absent
  if (type.indexOf('image/') === -1) alert('invalid url'); // or whatever
})();
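A server-side version of this check, added here as an example and not part of EekChat or of programmeruser's comment. The check above runs in the sender's browser, where the sender can simply skip it; done on the server it is still only a point-in-time answer, so this version also restricts profile images to an assumed allowlist of hosts, refuses redirects (which is how an image URL pointing at /logout would otherwise be reached) and rejects SVG, which can carry scripts. The allowlisted hosts, the HEAD request and the injectable fetch (Node 18+ global fetch by default) are assumptions.

```javascript
// Added example (not EekChat's code): validate an image URL on the server
// before it is stored and rebroadcast. Assumed: an allowlist of image hosts,
// and that the server can make a HEAD request (global fetch, Node 18+).

const ALLOWED_HOSTS = new Set(['i.imgur.com', 'lh3.googleusercontent.com']); // assumption

// Static checks that need no network: scheme, embedded credentials, host, length.
function checkImageUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch (e) { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host' };
  if (url.href.length > 2048) return { ok: false, reason: 'length' };
  return { ok: true, url: url.href };
}

// "image/png; charset=binary" -> true. SVG is image/* but can carry scripts
// and external references, so it is deliberately not on the list.
function isRenderableImageType(contentType) {
  if (typeof contentType !== 'string') return false;
  const type = contentType.split(';')[0].trim().toLowerCase();
  return ['image/png', 'image/jpeg', 'image/gif', 'image/webp'].includes(type);
}

// Static rules first, then one HEAD request. Redirects are refused rather than
// followed, and the result is only a point-in-time check: the host can serve
// something else later, so proxying/caching the bytes is the stronger option.
async function validateImageUrl(raw, fetchImpl = globalThis.fetch) {
  const s = checkImageUrl(raw);
  if (!s.ok) return s;
  let res;
  try {
    res = await fetchImpl(s.url, { method: 'HEAD', redirect: 'manual' });
  } catch (e) {
    return { ok: false, reason: 'unreachable' };
  }
  if (res.status !== 200) return { ok: false, reason: 'status ' + res.status };
  if (!isRenderableImageType(res.headers.get('content-type'))) {
    return { ok: false, reason: 'content-type' };
  }
  return { ok: true, url: s.url };
}
```

The server would call validateImageUrl once when a profile image is set and store the result; the browser then only ever renders URLs the server accepted, and the client-side check becomes unnecessary.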
@Baconman321 Should be working now..Idk
@tussiez still insecure:
const socket = io();
const key = Math.floor(Math.random() * 9999);
socket.on('goodtogo', code => {
  socket.emit('checkcode', {
    code,
    key,
    name: window.atob(window.location.href.split('?')[1].split('&')[1]),
  });
  socket.emit('msg', {
    name: "tussiez's testaccount",
    profileImg: 'https://lh3.googleusercontent.com/a-/AOh14GiU7DtwESR0DLRj5aAkBn5DhacdE2HD5B-wMWEN=s96-c',
    msg: 'Hi There',
    time: (new Date()).toLocaleString('en-US', { timeZone: 'America/New_York' }),
    key,
  });
});
socket.emit('account', '');
@programmeruser Maybe key isn't working, but it should be
@programmeruser i managed to crash it with this bookmarklet:
javascript: (function(){const socket = io(); Array(1000).fill(null).forEach((_,i) => socket.emit('msg', { name:'Someone', profileImg:'https://repl.it', msg:String(i+1), time: 'Sorry (can you put a rate limit on msgs?)', }));})();
@inyourface3445 that's the exact same thing that I posted before.
@inyourface3445 Should only crash your client, but hmm
@programmeruser Lol,just in a bookmarklet
@tussiez impersonating still works.
@tussiez solution: use session cookies.
@tussiez also, I think I just broke the chat.
const socket = io();
const send = (msg, username) => socket.emit('msg', { msg, name: username, profileImg: '', time: '' });
socket.on('msg', msg => send('Beep boop! You said: ' + msg.msg, 'EekChat Bot #1'));
socket.on('msg', msg => send('Beep boop! You said: ' + msg.msg, 'EekChat Bot #2'));
@programmeruser Absolutely no checks whatsoever! However these kinds of hacks can't really be "blocked"
Y U DO DIS TO ME????
Idk just don't expose me @programmeruser @tussiez @Baconman321
@CyberHacker101 Yeah
You got 10 cycles from us just clicking upvote on the comments :)
wow, I just said "don't expose me" a billion times. @tussiez
@tussiez But srsly, try making session tokens. Might take a bit to figure out, but basically you generate a token for a user and send that token to the server. If the token isn't valid, don't send the message because it might be an impersonator. Also, make the token expire after some time as to make it harder to hack.
tHiS mE eVeRdAY

@Baconman321
@Baconman321 I've added session tokens, they don't expire, but they're never passed to other users. It stays on client and server, and they're deleted after the user leaves.
@CyberHacker101
Reminds me of SortaCraft, genius concept, terrible programming
@CyberHacker101 XD
@Baconman321 Theoretically, it should be impossible to acquire these session keys without listening to the socket, which is already encrypted, which encrypts the messages and account data.
@tussiez That's great! Also, change the chat.txt to chat.json and encrypt it using an encryption method. You can store the key in an env file.
@tussiez IDK much about sockets because I never really need to use them...
@Baconman321 I definitely should.
yup also ur very bad at organizing @tussiez
@Baconman321 Socket.IO makes it really easy, if you ever need to learn.. the entire library can be used in simple send and receive event handlers.
@CyberHacker101 It isn't my best programming, but it works!
@Baconman321 I'm going to add the save encryption soon. I need to do my homework right now though, so I'll come back to it later.
sToP wItH tHe pInGs gUyS @tussiez @Baconman321
@tussiez Anything with .io is blocked for me, but only if I look it up or in an iframe (HaHa adults think kids are dumb, well I just outsmarted them. Just fetch the webpage and display it as srcdoc LOL).
@CyberHacker101
LOL it will happen if anyone replies to ur comment. As you see, I left out your name. This should still ping you though :/
@Baconman321 oof I just realized that the link really is socket.io
hm? @tussiez
Yeah, if it's on the correct thread.
Now seriously stop with the pings T^T @Baconman321
Right now I'm getting pinged by 40 different people @tussiez
@tussiez Remember, it only works on web browsers/iframes. If I link socket.io it will work because it is a web asset, not an iframe or a web search. It will work on nodejs because that is backend, not client side. However, like I said it will work on client side as long as I don't put it in an iframe.
@tussiez
Imagine knowing more about the monitoring equipment the school uses than the school. Oh, and cyberhacker, just click the notifications and wait like 1 second. Then the notifications alert goes away.
Yeah. I read a book for 5 minutes and repl blows up lol
Hmmm it didn't work @tussiez
I really don't like the part where it says "mostly" secure @tussiez
And plz add the part where we can change our username
@tussiez
@CyberHacker101 Oof
When I finish my schoolwork, I'll get to encrypting saved chat messages
@CyberHacker101 Hommmeeewwwoooooorrrrrk
Please waiiiittt
I have no patience xD @tussiez
@CyberHacker101 20 cycles lol
ee
Every single comment gives u a upvote @tussiez
Confusing Comments are illegal
Yes.
Can you make a sign in with repl.it. @tussiez
They're working on it @Whippingdot
@CyberHacker101 ?
I don't know what to say after someone says ? @tussiez
@CyberHacker101 I'm confused about what you're talking about, I can only see the current comment
sorry :)
@tussiez

@CyberHacker101 oof
Woah didn't you have 300 cycles? @tussiez
@CyberHacker101 I don't believe so
Hmmm did you fix the chat? Did you make it to sign in with repl? @tussiez
HURRY UP AND CHANGE IT IMA GET EXPOSED @tussiez
@CyberHacker101 It seems like it'll take some time to figure out exactly how to use Repl.it auth (it's in Python) I'll figure it out soon enough.
However chat is working, I'll just anem everyone 'annonymous'
NOooooo name everybody "anonymous or cyberhacker" @tussiez
yess @CyberHacker101
You also spelled "anonymous" wrong. HAHHAHHA ME AM BIG BRAIN @tussiez
noooo @tussiez
It failed the comments don't show @tussiez
Hmmmm.... We Couldn't Reach Your Repl
Make sure your repl has a port open and is ready to receive HTTP traffic.
Return to Repl.it? @tussiez
@CyberHacker101 Maybe
@CyberHacker101 yes i bad at speeling
ur gonna have to change this
@tussiez
@CyberHacker101 try agai
@CyberHacker101 fixed
Again spelling ME AM ULTIMATE BIG BRAIN @tussiez
wait
@tussiez
U broke it @tussiez
Yoo i figured it out in python @tussiez
nvm it node @tussiez
JOIN THE INVITE @tussiez
@Baconman321 how do u do that
@Crosis Do what?
Search it up lol @Crosis
Holy cow one day you have 249 cycles and the next you got 366 cycles @Baconman321
@CyberHacker101 It's been almost a month... -_-
Oof I've been on repl for the past weeks @Baconman321
@CyberHacker101 duuuude repl is blowing up with notifications
SPelling?
hmmm can you help? @tussiez
@CyberHacker101 With what again? Sorry
@CyberHacker101 XD u must not have seen me a lot then.
WIth a repl @tussiez
eh wanna help
? @Baconman321
https://repl.it/join/fnmcqwqr-cyberhacker101 @Baconman321
@CyberHacker101 ah
@CyberHacker101 What for?
the chat @Baconman321
@CyberHacker101 Your chat?
lol @CyberHacker101
@CyberHacker101 huh ....😂😂 same with me
@HimanshuShekha4 Huh?
@tussiez why did you name it "Eek chat"?
@HimanshuShekha4 It’s 11:21 PM where I live :)
I used to name my apps with Eek for some strange reason a while ago, so I don’t really know
oof @HimanshuShekha4
idk @tussiez
Hmm eKeY cHaT @tussiez
https://www.wireclub.com/places/united_states/alaska/eek/ACSVegkAAAAAAAAA0 we have been copied @tussiez
@CyberHacker101 Eek looks like a place..