- UI: React Native / Flutter
- Chat encryption: libsignal / WebCrypto
- File encryption: AES-256-GCM (client-side)
- Progressive streaming: MediaSource API (Web) + native player (Mobile)
- WebRTC: P2P calls/stream sync
- Auth service: JWT + refresh tokens
- Chatroom metadata store: rooms, members, keys
- File metadata store: filename, encrypted key, expiry, storage path
- Pre-signed short TTL links for downloads
- Admin dashboard: reports, takedowns
- S3-compatible storage (Wasabi/Backblaze/S3)
- File chunks encrypted client-side before upload
- WebRTC P2P mesh (small groups ≤4 users)
- TURN server: Coturn for NAT traversal
- Optional SFU: mediasoup/LiveKit for larger groups
- User types message → encrypts with Signal protocol.
- Message sent to Supabase Realtime.
- Recipient client pulls message → decrypts using session key.
- User selects file → client generates AES key.
- Encrypt file chunks locally.
- Upload encrypted chunks → S3 storage.
- AES key encrypted with recipient’s public key → stored in DB.
- Recipient fetches file → decrypts key with private key → decrypts chunks → plays.
- Uploader sends encrypted chunks to storage while upload continues.
- Recipient fetches progressive chunks (pre-signed URL).
- Decrypt + buffer → playback.
- For co-watch → WebRTC data channel syncs playback position.
sql
id UUID (PK)
email TEXT UNIQUE
public_key TEXT
created_at TIMESTAMP
sql
id UUID (PK)
name TEXT
owner_id UUID (FK → users.id)
created_at TIMESTAMP
sql
id UUID (PK)
chatroom_id UUID (FK → chatrooms.id)
user_id UUID (FK → users.id)
role TEXT (admin/member)
joined_at TIMESTAMP
sql
id UUID (PK)
chatroom_id UUID (FK → chatrooms.id)
sender_id UUID (FK → users.id)
cipher_text TEXT
created_at TIMESTAMP
sql
id UUID (PK)
uploader_id UUID (FK → users.id)
chatroom_id UUID (FK → chatrooms.id)
file_name TEXT
storage_path TEXT
encrypted_key TEXT
expiry TIMESTAMP
created_at TIMESTAMP
- POST /auth/register → create user
- POST /auth/login → login & JWT
- GET /auth/me → current user
- POST /chatrooms → create chatroom
- POST /chatrooms/:id/join → join room
- GET /chatrooms/:id/messages → fetch messages
- POST /chatrooms/:id/message → send encrypted message
- POST /files/upload → request pre-signed URL + upload metadata
- GET /files/:id → fetch file metadata + pre-signed download link
- DELETE /files/:id → delete file
- POST /webrtc/offer → exchange SDP offer
- POST /webrtc/answer → exchange SDP answer
- POST /webrtc/candidate → ICE candidate exchange
- POST /report → report file/message
- GET /admin/reports → view reports
- DELETE /admin/files/:id → force delete file
- Chat: Signal Protocol (X3DH + Double Ratchet).
- Files: AES-256-GCM (per-file Data Encryption Key).
- Key Wrapping: DEK encrypted with recipient’s X25519 public key.
- Transport: HTTPS + TLS 1.3.
- Streaming (WebRTC): DTLS-SRTP + Insertable Streams for E2E.
- Frontend: React Native (Expo) / Flutter
- Backend: Node.js (NestJS/Express) OR Supabase (faster MVP)
- DB: Postgres (Supabase)
- Storage: S3-compatible (Wasabi/Backblaze)
- Streaming: WebRTC (mediasoup / LiveKit for SFU)
- TURN/STUN: Coturn server
- Encryption: libsignal, WebCrypto, Insertable Streams
- Infra: Docker + Kubernetes (later scale)
- CI/CD: GitHub Actions → Deploy to AWS / GCP / Fly.io
- Monitoring: Prometheus + Grafana
- Error tracking: Sentry
- Logs: Encrypted logs for debugging without exposing user data
- Auth system (JWT + refresh)
- Signal protocol integration for chat
- File encryption + pre-signed upload/download
- Progressive decryption + playback
- WebRTC P2P chatroom sync (small groups)
- Basic admin dashboard