Separate API logic into a package
jamesmstone opened this issue · comments
Hi,
First, thanks this is an awesome app, I use it every day!
I was looking to try and integrate with the API. This is harder than with most web APIs, as you can't just send off a curl request:
- all the API data needs to be decrypted locally. (via AES?, does the key come from the user's password?)
- lots of the data is sent over websockets
Looking at this application, it looks like most of the API work is done under utils/api/*, with utils/api/stream.js for the websocket data.
Given the above, I was wondering if you would consider moving this logic to an NPM package, which this application could then use and other external tools (and maybe the android app too!) could also use.
The reason I ask is I would like to make a command line TUI and not having to redo the decryption and notification logic would be great, particularly if this ever changes in the future.
Yes - all encryption is done locally. This is on purpose - while it's more difficult to integrate, it protects your data. We have zero-knowledge storage as PulseSMS is unable to decrypt your keys.
We abstract all of our APIs, as you said, in the utils/api/ directories and our websockets (which are not strictly necessary for API use, but are helpful for realtime updates) under utils/api/stream.js
The missing link you want is likely in utils/crypto.js, which handles all the encryption. Keys are generated on your phone and stored in firebase - your password & account_id are a part of your key and complete the security loop. These can be retrieved via the api.
(Note: this isn't the best security, but it's good enough for text messages)
My recommendation is to watch the network requests when you login - that's where the keys are distributed and your account is locally unlocked.
Let me know if you have questions - I'll leave this issue open.
With all that said, I have no plans to move any logic here into an NPM package - but I encourage you to do so. The licensing here is pretty permissive, so you should be fine to do what you need to.