npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@ssc-half-light/envelope2

v0.0.0

Published

Envelopes that have been authorized by the recipient

Downloads

2

Readme

envelope2

tests Socket Badge module types license

Private messages that hide the identity of the sender, but leave the recipient of the message visible. That way the messages do not reveal metadata of who is talking to whom, but we can still index messages by recipient, so, for example, Alice can write a query like show me any private messages addressed to Alice.

Message content is e2e encrypted thanks to a keystore module that lets us store non-extractable keys on the client machines.


the idea

Create an 'envelope' that is certified by the addressee.

Alice wants to send a message to Bob.

Bob has already given Alice a send certificate, or envelope, which is a message signed by Bob that includes a single-use keypair.

In order to send Bob a message, the message must be signed by the private side of the keypair in Bob's send certificate.

Any nodes that relay a message to Bob will look at the envelope carrying the message, and check that it is signed by a keypair that Bob created. How do they know that the keypair was created by Bob? Because the public side of the keypair is visible publicly on the envelope, and the envelope is signed by Bob. The private side of the keypair must be given secretly to people who Bob wants to hear from.

In practical terms, that means that the private side could be encrypted to Alice. Alice then decrypts the private key, and uses it to sign the envelope. Anyone who receives the envelope is then able to check that the signature & public key are valid together.

Thinking about a social network, this means that a server would be able to see that Bob has gotten a message from someone they gave out an envelope to, nothing else. The server can not even determine the set of people that Bob has given envelopes to, because Bob could give out envelopes by a variety of means, like on their website, or via text message.

keypair vs signature

This decoupling of messages from our application is made possilbe by including a single-use keypair in the envelope. For a different version, see @ssc-hermes/envelope. There the envelope is just a signed certificate, which means that Alice would need to know ahead of time who they are expecting to receive messages from. Meaning you would only give out envelopes to people with a pre-existing account in the network.

In this version, Alice doesn't need to know who they gave out an envelope to, but they can be sure that the message is legitimate. So, for example, Alice could give out an envelope to someone who doesn't yet have an account, then get a message after the new person has created an account.


This hides information of who is talking to whom. A relaying node would be able to see that a message is for Bob, but the sender of the message could be encrypted within the message content, so the relay is not able to see who is sending the message to Bob.


A nice thing is that anyone can validate an envelope. You don't need to know anything about who created the message or envelope, you can still check that the signature matches the public key in the envelope.

import { checkEnvelope } from '@ssc-hermes/envelope2'

test('envelope.checkEnvelope', async t => {
    const isOk = await checkEnvelope(envelopedMsg)
    t.equal(isOk, true, 'should validate a valid envelope')
})