siftlode/backend/alembic/versions/0027_message_e2ee.py
npeter83 002a79949b feat(messages): end-to-end encrypted real-time direct messaging backend
Private user-to-user messages are end-to-end encrypted: the server only ever
stores ciphertext + iv and acts as a key directory (public keys) plus an opaque
store for each user's private key, wrapped client-side with a passphrase the
server never sees — so not even an admin can read a conversation. A separate
kind=system message (plaintext, no sender) powers a server-authored Siftlode
welcome shown on first open, reusable later for announcements.

- models: rework Message (kind, nullable sender/body, ciphertext+iv) + MessageKey;
  migrations 0026 (table) + 0027 (E2EE rework).
- routes/messages.py: key directory/blob endpoints, ciphertext send, conversations
  + threads (system + user), lazy welcome, all gated by require_human.
- realtime.py: in-process WebSocket connection registry; /ws delivers sent
  messages to a user's open tabs instantly (sync-callable push, single-process).
2026-06-25 22:05:35 +02:00

68 lines
2.6 KiB
Python

"""end-to-end encrypted messages + system messages
Revision ID: 0027_message_e2ee
Revises: 0026_messages
Create Date: 2026-06-25
Reworks direct messaging for end-to-end encryption. The `messages` table now stores ciphertext
(+ iv) for private user-to-user messages instead of plaintext `body`; `body` is kept (nullable)
for server-authored `kind="system"` messages (welcome / announcements). Adds `message_keys` to
hold each user's public key + passphrase-wrapped private key (the server can never decrypt).
Any pre-existing rows were plaintext with no keys, so they're dropped (the feature is unshipped;
prod has none).
"""
from typing import Sequence, Union
import sqlalchemy as sa
from alembic import op
revision: str = "0027_message_e2ee"
down_revision: Union[str, None] = "0026_messages"
branch_labels: Union[str, Sequence[str], None] = None
depends_on: Union[str, Sequence[str], None] = None
def upgrade() -> None:
# Old rows were plaintext with no E2EE keys — can't be migrated; drop them.
op.execute("DELETE FROM messages")
op.add_column(
"messages",
sa.Column("kind", sa.String(length=16), nullable=False, server_default="user"),
)
op.add_column("messages", sa.Column("ciphertext", sa.Text(), nullable=True))
op.add_column("messages", sa.Column("iv", sa.String(length=32), nullable=True))
# System messages have no human sender and carry plaintext `body`.
op.alter_column("messages", "sender_id", existing_type=sa.Integer(), nullable=True)
op.alter_column("messages", "body", existing_type=sa.Text(), nullable=True)
op.create_table(
"message_keys",
sa.Column(
"user_id",
sa.Integer(),
sa.ForeignKey("users.id", ondelete="CASCADE"),
primary_key=True,
),
sa.Column("public_key", sa.Text(), nullable=False),
sa.Column("wrapped_private_key", sa.Text(), nullable=False),
sa.Column("salt", sa.String(length=64), nullable=False),
sa.Column("wrap_iv", sa.String(length=32), nullable=False),
sa.Column("key_check", sa.Text(), nullable=False),
sa.Column(
"created_at",
sa.DateTime(timezone=True),
server_default=sa.func.now(),
nullable=False,
),
)
def downgrade() -> None:
op.drop_table("message_keys")
op.execute("DELETE FROM messages")
op.alter_column("messages", "body", existing_type=sa.Text(), nullable=False)
op.alter_column("messages", "sender_id", existing_type=sa.Integer(), nullable=False)
op.drop_column("messages", "iv")
op.drop_column("messages", "ciphertext")
op.drop_column("messages", "kind")