# SecureChat 🔒

A real-time, end-to-end encrypted chat application with 1-on-1 DMs and group chats. Deployable as a Hugging Face Space via Docker.

## Features

- **End-to-End Encryption (E2EE)** — RSA-OAEP for DMs, AES-GCM + RSA key wrapping for group chats. The server never sees plaintext.
- **Authentication** — Username/password + Google OAuth
- **Direct Messages** — 1-on-1 encrypted conversations
- **Group Chats** — Encrypted group messaging with per-member AES key wrapping
- **Display Name** — Change your display name anytime in Settings
- **Real-time** — WebSocket-based, instant message delivery
- **Typing Indicators** — See when someone is typing

## Deployment on Hugging Face Spaces

1. Create a new Space on [huggingface.co/spaces](https://huggingface.co/spaces)
2. Choose **Docker** as the SDK
3. Push this repository to the Space

### Environment Variables (Space Secrets)

Set these in your Space settings → Repository Secrets:

| Variable | Description | Required |
|----------|-------------|----------|
| `SECRET_KEY` | JWT signing key (random 32+ char string) | Yes |
| `GOOGLE_CLIENT_ID` | Google OAuth Client ID | Optional |
| `GOOGLE_CLIENT_SECRET` | Google OAuth Client Secret | Optional |
| `GOOGLE_REDIRECT_URI` | `https://YOUR-SPACE.hf.space/api/auth/google/callback` | If using Google |

### Setting up Google OAuth (Optional)

1. Go to [Google Cloud Console](https://console.cloud.google.com)
2. Create OAuth 2.0 credentials
3. Add your Space URL as an authorized redirect URI: `https://YOUR-SPACE.hf.space/api/auth/google/callback`
4. Set the credentials as Space secrets

## Local Development

```bash
pip install -r requirements.txt
mkdir -p data
uvicorn main:app --reload --port 7860
```

Open `http://localhost:7860`

## Security Notes

- **Private keys never leave the browser** — stored in localStorage as JWK
- RSA-2048 OAEP with SHA-256 for DM message encryption
- AES-256-GCM for group message content (per-message random IV)
- RSA-OAEP used to wrap the AES key for each group member
- Passwords hashed with bcrypt
- JWT tokens with 7-day expiry
- All transport over HTTPS (on HF Spaces)