EekChat!

@CyberHacker101 Yeah
You got 10 cycles from us just clicking upvote on the comments :)

wow, I just said "don't expose me" a billion times. @tussiez

@tussiez But srsly, try making session tokens. Might take a bit to figure out, but basically you generate a token for a user and send that token to the server. If the token isn't valid, don't send the message because it might be an impersonator. Also, make the token expire after some time as to make it harder to hack.

tHiS mE eVeRdAY

@Baconman321

@Baconman321 I've added session tokens, they don't expire, but they're never passed to other users. It stays on client and server, and they're deleted after the user leaves.

@CyberHacker101
Reminds me of SortaCraft, genius concept, terrible programming

@CyberHacker101 XD

@Baconman321 Theoretically, it should be impossible to acquire these session keys without listening to the socket, which is already encrypted, which encrypts the messages and account data.

@tussiez That's great! Also, change the chat.txt to chat.json and encrypt it using an encryption method. You can store the key in an env file.

@tussiez IDK much about sockets because I never really need to use them...

@Baconman321 I definitely should.

yup also ur very bad at organizing @tussiez

@Baconman321 Socket.IO makes it really easy, if you ever need to learn.. the entire library can be used in simple send and recieve event handlers.

@CyberHacker101 It isn't my best programming, but it works!
@Baconman321 I'm going to add the save encryption soon. I need to do my homework right now though, so I'll come back to it later.

sToP wItH tHe pInGs gUyS @tussiez @Baconman321

@tussiez Anything with .io is blocked for me, but only if I look it up or in an iframe (HaHa adults think kids are dum, well I just outsmurted them. Just fetch the webpage and display it as srcdoc LOL).

@CyberHacker101 .

LOL it will happen if anyone replies to ur comment. As you see, I left out your name. This should still ping you though :/

@Baconman321 oof I just realized that the link really is socket.io

hm? @tussiez

Yeah, if it's on the correct thread.

Now seriously stop with the pings T^T @Baconman321

Right now I'm getting pinged by 40 different people @tussiez

@tussiez Remember, it only works on web browsers/iframes. If I link socket.io it will work because it is a web asset, not an iframe or a web search. It will work on nodejs because that is backend, not client side. However, like I said it will work on client side as long as I don't put it in an iframe.

@tussiez Imagine knowing more about the monitoring equipment the school uses than the school.
oh and cyberhacker, just click the notifications and wait like 1 second. Then the notifications alert goes away.

Yeah. I read a book for 5 minutes and repl blows up lol

Hmmm it didn't [email protected]

I really don't like the part where it says "mostly" secure @tussiez

And plz add the part where we can change our username
@tussiez

@CyberHacker101 Oof
When I finish my schoolwork, I'll get to encrypting saved chat messages

@CyberHacker101 Hommmeeewwwoooooorrrrrk

Please waiiiittt

I have no patience xD @tussiez

@CyberHacker101 20 cycles lol
ee

Every single comment gives u a upvote @tussiez

Confusing Comments are illegal

Yes.

Can you make a sign in with repl.it. @tussiez

They're working on it @Whippingdot

@CyberHacker101 ?

I don't know what to say after someone says ? @tussiez

@CyberHacker101 I'm confused about what you're talking about, I can only see the current comment
sorry :)

@tussiez

@CyberHacker101 oof

Woah didn't you have 300 cycles? @tussiez

@CyberHacker101 I don't believe so

Hmmm did you fix the chat? Did you make it to sign in with repl? @tussiez

HURRY UP AND CHANGE IT IMA GET EXPOSED @tussiez

@CyberHacker101 It seems like it'll take some time to figure out exactly how to use Repl.it auth (it's in Python) I'll figure it out soon enough.
However chat is working, I'll just anem everyone 'annonymous'

NOooooo name everybody "anonymous or cyberhacker" @tussiez

yess @CyberHacker101

You also spelled "anonymous" wrong. HAHHAHHA ME AM BIG BRAIN @tussiez

noooo @tussiez

It failed the comments don't show @tussiez

Hmmmm.... We Couldn't Reach Your Repl
Make sure your repl has a port open and is ready to receive HTTP traffic.
Return to Repl.it? @tussiez

@CyberHacker101 Maybe

@CyberHacker101 yes i bad at speeling

ur gonna have to change this <meta name="google-signin-client_id" content="561624177260-9gge9gc015oeqqhbkf907s872uomi8sd.apps.googleusercontent.com">

@tussiez

@CyberHacker101 try agai

@CyberHacker101 fixed

Again spelling ME AM ULTIMATE BIG BRAIN @tussiez

wait
@tussiez

U broke it @tussiez

Yoo i figured it out in python @tussiez

nvm it node @tussiez

JOIN THE INVITE @tussiez

@Baconman321 how do u do that

@Crosis Do what?

Search it up lol @Crosis

Holy cow one day you have 249 cycles and the next you got 366 cycles @Baconman321

@CyberHacker101 It's been almost a month... -_-

Oof I've been on repl for the past weeks @Baconman321

@CyberHacker101 duuuude repl is blowing up with notifications
SPelling?

hmmm can you help? @tussiez

@CyberHacker101 With what again? Sorry

@CyberHacker101 XD u must not have seen me a lot then.

WIth a repl @tussiez

eh wanna help
? @Baconman321

https://repl.it/join/fnmcqwqr-cyberhacker101 @Baconman321

@CyberHacker101 ah

@CyberHacker101 What for?

the chat @Baconman321

@CyberHacker101 Your chat?

lol @CyberHacker101

@CyberHacker101 huh ....😂😂 same with me

@HimanshuShekha4 Huh?

@tussiez why did you named it as "Eek chat" ?

@HimanshuShekha4 It’s 11:21 PM where I live :)
I used to name my apps with Eek for some strange reason a while ago, so I don’t really know

oof @HimanshuShekha4

idk @tussiez

Hmm eKeY cHaT @tussiez

https://www.wireclub.com/places/united_states/alaska/eek/ACSVegkAAAAAAAAA0 we have been copied @tussiez

@CyberHacker101 Eek looks like a place..

@RyanGardiner1 Used to... I’ll try to fix it later today. Stay tuned! :)

@johnnyfrancis I have no idea what's pointing to that file, but it doesn't exist. The error is harmless though..

@tussiez hmm. Thats weird

@Squirrel777 Yeah, I kept it simple.

@Kokuhou Thanks!

Great chat program though
Maybe add a way to change your name viewed, instead of creating a fake Google account?

@foodandmoarfood yes

@Bookie0
1. Yeah, I've have to familiarize myself with Repl.it authentication
2. It was written quickly since I was tired of Gmail, so isn't super polished
3. It should have been centered. Weird, I'll look into it later.
4. Again, I wrote this in a night or two, it has pretty simplistic CSS.
5. Sure!
6. I'll probably add this with Repl auth
7. Sure!
8.Yay! Thanks for the review

@Bookie0 By the way, is it possible to use Repl.it auth on just node.js? I'm a noob at Python :)

@tussiez
ok
ok
ok
ok
yay
ok
yay
ok np! :D

@tussiez yeye i think so, ive seen some chats already with repl auth

check this (but it uses express

and this maybe it could help! :D

@Bookie0 yay

@Bookie0 Express is a node.js library, should work.
Thanks!

huzzah! @tussiez

@tussiez okie dokie, gl! :D

@Bookie0 Yay!

@CyberHacker101 FLOAT:NONE

eh it really looks like a deformed cat @tussiez

Hey, wanna see something I made? @tussiez

@CyberHacker101 Sure

@CyberHacker101 css programmers in a nutshell

@ZDev1 ????

@tussiez eekboi was a mod

@tussiez you dunno eek?

@ZDev1 i think @tussiez joined repl after eek wasn't a mod

@Kookiez oh yes

@Kookiez Yeah, eek just came to mind for me lol

@tussiez lol

@ZDev1 Yee

yes. @ZDev1

yes. @JBYT27

yes. @ZDev1

@ZDev1 <3 I miss you all too!

@eekboi It's you

@eekboi <3

@tussiez It is!

@CyberHacker101 We're working on gravity (I'm collaborating with tussiez). Later on we might make a saving option...

Hmmm goood I'm working on Minecraft clone try 6842 mk 2kxY343 @Baconman321

@CyberHacker101 ?

? @tussiez

@CyberHacker101 What do you mean by 23427r2u9g

@tussiez merry christmas >40cycles!

@CyberHacker101 ? Wut are you trying to say?

@Baconman321 I have no idea

Idk https://repl.it/join/mgiwabby-cyberhacker101 ( i was bored) @Baconman321

@CyberHacker101hmm

And this is very good for people who want to stay anonymous. @tussiez

@CyberHacker101 Yeah, it was intended to be a private chat.
I'm fixing the anti-spam, pelas wait

well just dont change the part where you can change your name @tussiez

@CyberHacker101 You can't

@Baconman321 Pretty easy, actually!
https://developers.google.com/identity/sign-in/web/sign-in

@CyberHacker101 eh

Hmm, will my comments stay on there? @tussiez

@CyberHacker101 I've wiped the chat a few times already

ooof @tussiez

@CyberHacker101 yeah

@CyberHacker101 Try https://eekchat.tussiez.repl.co, I've registered it on OAuth as that.

@tussiez They seem to behave as two different links.

[email protected]

@CyberHacker10 It was intended to be a private chat, but that's K! I'll see if I can disable it but will probably break something else

yo it says my full real name @tussiez

@CyberHacker101 yeah, I made a fake Google account for this

I don't want to be exposed @tussiez

@tussiez I can remove your message if you wish to stay private :)

Ehh nah just tell me how to sign [email protected]

@CyberHacker101 Close the tab, your information shouldn't be saved

k @tussiez

@CyberHacker101 Yeah

Umm to much [email protected]

Please!There's too much

@CyberHacker101 Lol, replit had too many save issues

bro ive never seen someone use a comma in replit are you ok? @tussiez

@CyberHacker101 Lol huh

Yeah forget what i said lol @tussiez

@DerpBurgerPlayz video support?

@tussiez aaaa sorryyy

@tussiez image support~

@DerpBurgerPlayz lol, but i can help

@DerpBurgerPlayz Send an image URL on server, client makes an img element and displays

@tussiez wat -confused derp noises-

@DerpBurgerPlayz ?

1. Send the url of the image e.g https://hey.foodandmoarfood.repl.co/img/wheat.png

2. On the website, load the img

const makeImage = (url) => {
return new Promise((resolve,reject) => {
let img = document.createElement('img');
img.setAttribute('src',url);
img.onload = () => { resolve(img) }
});
}

@tussiez ur a god, thank you!

@DerpBurgerPlayz Yay, np

[email protected] oofs, it wont work thanks for the help!

@tussiez in return for helping me, do you want me to tell you how to make a basic custom context menu?

@DerpBurgerPlayz F, here's another

function img(url){
let im = document.createElement('img');
im.setAttribute('src',url);
document.body.appendChild(im);
return im;
}
img('https://hey.foodandmoarfood.repl.co/img/wheat.png');

Try that

@tussiez works, check the Repl

@tussiez I made the web server tutorial!

@Baconman321 Awesome!

@CyberHacker101 weird

Hmmmm what you doing on the multiplayer test thing? @tussiez

@CyberHacker101 A test

ok @tussiez

@HimanshuShekha4 Huh?

@tussiez what

@inyourface3445 Working on it!

@tussiez ok

@inyourface3445 try: https://EekChat.tussiez.repl.co
?However this error pops up in Safari. Try Chrome

@tussiez it still happens:

Error: ENOENT: no such file or directory, stat '/home/runner/EekChatlogin.html'

using chrome on a mac mini also happens on firefox and safari and chromeinuim

@inyourface3445 Maybe a Mac issue? Idk
try
https://eekchat.tussiez.repl.co/login

@CyberHacker101 Yay and sure!

Why do u keep leaving and coming? @tussiez

@CyberHacker101 Replying to comments

@ironblockhd Did that yesterday :)

@CyberHacker101 Sure!

@CyberHacker101 It's wheat oof

@CyberHacker101 Huh?

[email protected]

@CyberHacker101 ??

?? @tussiez

@CyberHacker101 What do you mean?

So I have been trying to clone Minecraft a billon times and after that many tries, I change each name @tussiez

wait a sec let me invite ya @tussiez

here https://repl.it/join/mgiwabby-cyberhacker101 @tussiez

@CyberHacker101 ah yes

@CyberHacker101 K

@programmeruser lol
Fixing right now, thanks for telling me about the hack!

@programmeruser That's why I now put everything in an anonymous function XD.

@Baconman321 you can just use the io() function to get a reference to a socket.

@programmeruser yeah

@programmeruser Can't they just use that then?

@Baconman321 The anti-spam is server side

@tussiez

Date.now-sinceLastChat

Date.now() not Date.now

@tussiez Good idea. That way they can't tamper with it client side!

@Baconman321 it's so easy to impersonate people

const socket = io();
socket.emit('msg', {
  name:"tussiez's testaccount",
  profileImg:'https://lh6.googleusercontent.com/-dgT6Ex2alT0/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclrj2vdCjdQSgn1o71wgTFdbZZzdQ/s96-c/photo.jpg',
  msg: 'Hi there!',
  time: new Date().toLocaleString("en-US", {timeZone: "America/New_York"}),
});

@Baconman321 YOu can impersonate people though, will be fixing that will sign on keys or someting

@programmeruser adding signon "keys" thanks again
It sounds sarcastic but this is super helpful

@programmeruser If he doesn't enforce strict checking (seeing if that user is in fact registered), then yeah it's quite easy. I don't think encrypting would do the trick, as people can just send the encrypted message. Might want to set a session token so as to make sure people don't impersonate you. That would require bit of effort though...

@tussiez Like I mentioned to programmeruser, use session tokens and send that to server-side to make sure people can't impersonate you without the token.

@tussiez also, image xss:

const socket = io();
socket.emit('msg', {
  name:"tussiez's testaccount",
  profileImg:'https://repl.it/logout',
  msg: 'Hi there!',
  time: new Date().toLocaleString("en-US", {timeZone: "America/New_York"}),
});

Check the MIME type of the url:

const url = 'https://repl.it/logout'; //or whatever the url is
(async () => {
  const res = await fetch(url);
  if (res.headers.get('Content-Type').indexOf('image/') === -1) alert('invalid url'); // or whatever
})();

@Baconman321 Should be working now..Idk

@programmeruser Hmm

@tussiez still insecure:

const socket = io();
const key = Math.floor(Math.random() * 9999);
socket.on('goodtogo', code => {
  socket.emit('checkcode', {code, key, name: window.atob(window.location.href.split('?')[1].split('&')[1])});
  socket.emit('msg', {
    name: "tussiez's testaccount",
    profileImg: 'https://lh3.googleusercontent.com/a-/AOh14GiU7DtwESR0DLRj5aAkBn5DhacdE2HD5B-wMWEN=s96-c',
    msg:'Hi There',
    time: (new Date()).toLocaleString('en-US', {timeZone: "America/New_York"}),
    key
  });
});
socket.emit('account', '');

@programmeruser Maybe key isn't working, but it should be

@tussiez Key is working now, try impersonating again
However, you can see session keys in chat.txt. I'll encrypt that soon.

@tussiez Wait, I don't think so. Nevermind

@programmeruser i managed to crash it with this bookmarklet:

javascript: (function(){const socket = io(); Array(1000).fill(null).forEach((_,i) => socket.emit('msg', { name:'Someone', profileImg:'https://repl.it', msg:String(i+1), time: 'Sorry (can you put a rate limit on msgs?)', }));})();

@inyourface3445 that's the exact same thing that I posted before.

@inyourface3445 Should only crash your client, but hmm

@tussiez Does it work still?

@programmeruser Lol,just in a bookmarklet

@tussiez impersonating still works.

@programmeruser Hmm

@tussiez solution: use session cookies.

@tussiez also, I think I just broke the chat.

const send = (msg, username) => socket.emit('msg', {
  msg,
  name: username,
  profileImg: '',
  time: ''
});
socket.on('msg', msg => send('Beep boop! You said: ' + msg.msg, 'EekChat Bot #1'));
socket.on('msg', msg => send('Beep boop! You said: ' + msg.msg, 'EekChat Bot #2'));

@programmeruser Absolutely no checks whatsoever! However these kinds of hacks can't really be "blocked"

@tussiez You can only make it more difficult :/