Skip to content

maxirmx/klinok.ui

Repository files navigation

Klinok UI

Participant Keys

Klinok P2P records are encrypted in the browser with a participant RSA-OAEP key pair. The current demo configuration uses one shared participant key for all browser users so every demo participant can read, decrypt, and write all replicated records.

This is demo-only behavior. Anyone who receives the shared private key, or a UI artifact containing it, can read and write all demo records.

Runtime Config Files

The browser loads runtime config overlays in this order, with cache: "no-store":

  1. /config.json - non-secret runtime config, generated by config/update-config.sh in the nginx image.
  2. /shared-participant-key.json - production/demo shared key overlay generated during the Docker build from a GitHub Actions secret.
  3. /shared-participant-key.local.json - local development shared key overlay.

Later overlays override earlier overlays. The shared key files are ignored by git and Docker build context rules, so private keys are not committed or copied from a developer machine by accident.

Shared Demo Key

Default participant settings:

{
  "p2p": {
    "participantId": "klinok-demo-shared",
    "allowGeneratedParticipantKeys": false
  }
}

The shared key overlay has this shape:

{
  "p2p": {
    "participantId": "klinok-demo-shared",
    "participantPrivateKey": { "kty": "RSA" },
    "allowGeneratedParticipantKeys": false
  }
}

participantPublicKeys can be omitted. The app derives the public JWK from participantPrivateKey.

Local Development

Generate a local shared key:

npm run p2p:key:generate

This writes:

public/shared-participant-key.local.json

The same command prints a base64 value that can be used as the GitHub repository secret for production/demo image builds.

GitHub Actions Secret

Create a repository secret named:

KLINOK_DEMO_PARTICIPANT_PRIVATE_KEY_B64

Use the base64 value printed by npm run p2p:key:generate.

During publish.yml, the Docker build receives this secret as BuildKit secret:

klinok_demo_participant_private_key_b64

The Docker build validates the secret, derives the public JWK, and writes:

public/shared-participant-key.json

Publishing fails if KLINOK_DEMO_PARTICIPANT_PRIVATE_KEY_B64 is missing. CI builds can still run without the secret.

Generated Browser Keys

The older per-browser generated-key path is still available for future use, but it is disabled by default. To opt into generated browser-local participant keys, set:

{
  "p2p": {
    "participantId": "local-dev-participant",
    "allowGeneratedParticipantKeys": true
  }
}

Generated keys are stored in browser localStorage under klinok:p2p:participant:<participantId>. This mode is not suitable for the shared demo because each browser gets a different key and may not decrypt records written for another participant.

About

Klinok UI

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors