+ create user with public/private key

+ sign and verify votes and prevent unverified updates
* init p2p polling app
2026-04-04 22:36:17 +02:00 · 2026-03-31 19:09:46 +02:00
20 changed files with 11258 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,24 @@
 # Nuxt dev/build outputs
 .output
 .data
 .nuxt
 .nitro
 .cache
 dist
 # Node dependencies
 node_modules
 # Logs
 logs
 *.log
 # Misc
 .DS_Store
 .fleet
 .idea
 # Local env files
 .env
 .env.*
 !.env.example
--- a/README.md
+++ b/README.md
@@ -1 +1,129 @@
-# P2P Poll App
+# 🗳️ P2P Verified Polling App
 A decentralized, real-time polling application built with **Nuxt 3**, **Yjs**, and **WebRTC**. This app allows users to create and participate in polls where every vote is cryptographically signed and verified peer-to-peer, ensuring data integrity without a central authority "owning" the results.
 ---
 ## 🌟 Key Features
 * **Serverless Real-time Sync:** Uses **Yjs** (CRDTs) and **WebRTC** to sync poll data directly between browsers. No database is required for live updates.
 * **Persistence with Nitro:** While the logic is P2P, the **Nuxt/Nitro** backend provides a "Snapshot" service to ensure polls persist even after all peers go offline.
 * **Cryptographic Integrity:** Every vote is signed using **RSA-PSS (Web Crypto API)**. Each user has a unique private key (stored locally via `.pem` files) to ensure votes cannot be forged or tampered with.
 * **Chained Verification:** Implements a "History-Signing" logic where each new vote signs the entire preceding state of the poll, creating a verifiable chain of trust.
 * **Privacy First:** Users identify via UUIDs and Public/Private key pairs rather than traditional accounts.
 ---
 ## ⚙️ How It Works
 ### 1. Identity Creation
 When a new user is created, the system generates a unique **UUID (User ID)** and an **RSA Key Pair**. The user is prompted to save their **Private Key** as a `.pem` file, named after their User ID (e.g., `550e8400-e29b.pem`). This file acts as their "Passport"—it is never uploaded to the server and must be kept secure by the user.
 ### 2. Authentication
 Upon returning to the app, users load their local `.pem` file. The application extracts the Private Key for signing and the UUID for identification. No passwords or central servers are involved in this local-first login process.
 ### 3. Joining a Poll
 When a user joins a poll, the app fetches the latest binary snapshot from the server to populate a local **Y.Doc**. This ensures the user sees the current state immediately, even before connecting to other peers.
 ### 4. The P2P Mesh
 The app establishes connections to other active voters via a WebRTC signaling server. Any changes made to the poll (adding options or voting) are broadcasted instantly to all peers using Conflict-free Replicated Data Types (CRDTs) to prevent sync conflicts.
 ### 5. Casting a Signed Vote
 To ensure security, the voting process follows a strict cryptographic chain:
 * The app captures the current list of votes.
 * It appends the new vote data (User ID + Timestamp).
 * It signs the **entire array** (the previous history + the new vote) using the user's RSA private key.
 * The signed update is merged into the shared Yjs Map and broadcasted.
 ### 6. Distributed Verification
 Whenever a peer receives a new update, they fetch the voter's **Public Key** from the API. They then verify that the signature matches the current state of the poll history. If a signature is invalid or the history has been tampered with, the vote is rejected by the peer's local state.
 ---
 ## 🛠️ Tech Stack
 * **Framework:** [Nuxt 3](https://nuxt.com/) (Vue 3 + TypeScript)
 * **Conflict-Free Replicated Data Types (CRDT):** [Yjs](https://yjs.dev/)
 * **P2P Transport:** `y-webrtc`
 * **Security:** Web Crypto API (SubtleCrypto)
 * **Backend/Storage:** Nitro (Nuxt's server engine) with filesystem storage drivers
 # AI Disclaimer
 This App was developed with the assistance of AI.
 # Nuxt Minimal Starter
 Look at the [Nuxt documentation](https://nuxt.com/docs/getting-started/introduction) to learn more.
 ## Setup
 Make sure to install dependencies:
 ```bash
 # npm
 npm install
 # pnpm
 pnpm install
 # yarn
 yarn install
 # bun
 bun install
 ```
 ## Development Server
 Start the development server on `http://localhost:3000`:
 ```bash
 # npm
 npm run dev
 # pnpm
 pnpm dev
 # yarn
 yarn dev
 # bun
 bun run dev
 ```
 ## Production
 Build the application for production:
 ```bash
 # npm
 npm run build
 # pnpm
 pnpm build
 # yarn
 yarn build
 # bun
 bun run build
 ```
 Locally preview production build:
 ```bash
 # npm
 npm run preview
 # pnpm
 pnpm preview
 # yarn
 yarn preview
 # bun
 bun run preview
 ```
 Check out the [deployment documentation](https://nuxt.com/docs/getting-started/deployment) for more information.
--- a/app/app.vue
+++ b/app/app.vue
@@ -0,0 +1,175 @@
 <style>
 /* Basic styling to make it look clean */
 body {
  font-family: system-ui, -apple-system, sans-serif;
  background-color: #f4f4f9;
  color: #333;
  margin: 0;
  display: flex;
  justify-content: center;
  padding: 2rem;
 }
 header {
  margin-bottom: 2rem;
  text-align: center;
 }
 h1 { margin: 0 0 0.5rem 0; }
 input {
  flex-grow: 1;
  padding: 0.75rem;
  border: 1px solid #ccc;
  border-radius: 6px;
  font-size: 1rem;
 }
 button,
 .button {
  background: #3b82f6;
  color: white;
  border: none;
  padding: 0.75rem 1rem;
  border-radius: 6px;
  cursor: pointer;
  font-weight: bold;
  transition: background 0.2s;
 }
 button:hover,
 .button:hover { background: #2563eb; }
 .status {
  font-size: 0.85rem;
  color: #666;
 }
 .status .connected { color: #10b981; font-weight: bold; }
 .connectionFailed { color: #FF2525; font-weight: bold; }
 .poll-container {
  background: white;
  padding: 2rem;
  border-radius: 12px;
  box-shadow: 0 4px 6px rgba(0,0,0,0.1);
  width: 100%;
  max-width: 500px;
 }
 .back-btn { 
  margin-left: 1rem; 
  padding: 0.2rem 0.5rem; 
  font-size: 0.7rem; 
  background: #64748b; 
 }
 /* Hide the actual file input */
 input[type="file"] {
  display: none;
 }
 </style>
 <template>
    <div class="poll-container">
        <header>
            <h1 @click="activePollId = null" style="cursor:pointer">P2P Polling App 🗳️</h1>
            <div class="status">
                <button v-if="activePollId" @click="activePollId = null" class="back-btn">← Back To List</button>
                <span :class="{ 'connected': isConnected }">
                    ● {{ isConnected ? 'Synced' : 'Waiting for other Peers...' }}
                </span>
                <span> | Peers online: {{ connectedPeers }}</span>
                <h2 v-if="connectionAttempFailed" class="connectionFailed">⚠ Connection to Signaling Server Failed!</h2>
                <div v-if="user===null" style="margin-top: 10px;">
                    <button @click="createUser">Create New User</button>
                    Or
                    <label title="Select Key File">
                        <span class="button">Login</span>
                        <input 
                            type="file"
                            accept=".pem"
                            @change="loadUser"
                        />
                    </label>
                </div>
            </div>
        </header>
        <main>
            <PollList v-if="!activePollId" :userid="user?.userid" @select-poll="selectPoll" />
            <Poll v-else :activePollId="activePollId" :userid="user?.userid" :poll-data="pollData" :addOption="addOption" :vote="vote"/>
        </main>
    </div>
 </template>
 <script setup lang="ts">
    import { v4 as uuidv4 } from 'uuid';
    const activePollId = ref<string | null>(null);
    const user = shallowRef<UserData | null>(null);
    const { pollData, isConnected, connectionAttempFailed, connectedPeers, addOption, vote } = usePoll(activePollId,user);
    const selectPoll = (id: string) => {
        activePollId.value = id;
    };
    const createUser = async () => {
        try {
            const keypair : CryptoKeyPair = await generateUserKeyPair();
            console.log('keypair:', keypair);
            const uuid = uuidv4();
            user.value = {
                userid: uuid,
                private_key: keypair.privateKey,
                public_key: keypair.publicKey,
            };
            const prvKeyString = await exportPrivateKey(keypair.privateKey);
            await savePrivateKeyToFile(prvKeyString,uuid+".pem")
            const pubKeyString = await exportPublicKey(keypair.publicKey);
            await $fetch(`/api/users/${uuid}`, {
                method: 'POST',
                body: { public_key: pubKeyString }
            });
        } catch (err) {
            user.value = null
            console.error("Failed to create new User!", err);
        }
    };
    const loadUser = async (event: Event) => {
        const target = event.target as HTMLInputElement;
        const file = target.files?.[0];
        if (file) {
            try {
                const content = await file.text();
                console.log("File loaded: ");
                if (file.name && content) {
                    try {
                        const uuid = file.name.replace(".pem", "");
                        // Standardize the string for the importer
                        const pkBase64 = content.replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----/g, "").replace(/\s+/g, "");
                        const key = await stringToCryptoKey(pkBase64, "private");
                        user.value = {
                            userid: uuid,
                            private_key: key,
                            public_key: undefined, // Note: You might need to import a pub key too!
                        };
                        console.log("Login successful for:", uuid);
                    } catch (err) {
                        console.error("Crypto Import Error:", err);
                        alert("The file content is not a valid Private Key.");
                    }
                }
            } catch (e) {
                console.error("Failed to read file", e);
            }
        }
    };
 </script>
--- a/app/components/Poll.vue
+++ b/app/components/Poll.vue
@@ -0,0 +1,83 @@
 <style scoped>
 .poll-list {
  list-style: none;
  padding: 0;
  margin: 0;
 }
 .poll-item {
  display: flex;
  justify-content: space-between;
  align-items: center;
  padding: 1rem;
  background: #f8fafc;
  border: 1px solid #e2e8f0;
  border-radius: 8px;
  margin-bottom: 0.5rem;
 }
 .poll-title { 
  font-size: 1.1rem; 
  color: #3b82f6; 
  text-transform: uppercase; 
  letter-spacing: 1px;
 }
 .add-option-form {
  display: flex;
  gap: 0.5rem;
  margin-bottom: 2rem;
 }
 .option-name { font-weight: 500; }
 .vote-section { display: flex; align-items: center; gap: 1rem; }
 .vote-count { font-size: 0.9rem; color: #475569; }
 .vote-btn { padding: 0.4rem 0.8rem; background: #10b981; }
 .vote-btn:hover { background: #059669; }
 .vote-btn:disabled,
 .vote-btn[disabled] { background: #888888; }
 .vote-btn:disabled:hover,
 .vote-btn[disabled]:hover { background: #AAAAAA; }
 </style>
 <template>
    <div>
        <h2 class="poll-title">Poll: {{ activePollId }}</h2>
        <p v-if="Object.keys(pollData).length==0">Note: Add at least one Option to save the Poll.</p>
        <form @submit.prevent="handleAddNewOption" class="add-option-form" v-if="userid">
            <input v-model="newOption" placeholder="Enter a new poll option..." required />
            <button type="submit">Add Option</button>
        </form>
        <ul class="poll-list">
            <li v-for="(votes, optionName) in pollData" :key="optionName" class="poll-item">
                <span class="option-name">{{ optionName }}</span>
                <div class="vote-section">
                    <span class="vote-count">{{ votes.length }} {{ votes.length === 1 ? 'vote' : 'votes' }}</span>
                    <button @click="vote(String(optionName))" class="vote-btn" :disabled="userid==undefined || voted(votes)">+1</button>
                </div>
            </li>
        </ul>
    </div>
 </template>
 <script setup lang="ts">
    import type { PollProps, SignedData, VoteData } from '@/utils/types'
    const props = defineProps<PollProps>()
    const newOption = ref('');
    const handleAddNewOption = () => {
        props.addOption(newOption.value);
        newOption.value = '';
    };
    const voted = (votes: SignedData<VoteData>[]) => {
        for(let vote of votes){
            if(vote.data.userid == props.userid){
                return true;
            }
        }
        return false;
    }
 </script>
--- a/app/components/PollList.vue
+++ b/app/components/PollList.vue
@@ -0,0 +1,64 @@
 <style scoped>
    .poll-list { margin-top: 1rem; }
    .empty-state { text-align: center; color: #94a3b8; font-style: italic; }
    .create-poll { display: flex; gap: 0.5rem; margin-bottom: 1.5rem; }
    .poll-links { list-style: none; padding: 0; }
    .poll-link-btn {
        width: 100%;
        text-align: left;
        background: #f1f5f9;
        color: #1e293b;
        margin-bottom: 0.5rem;
        display: flex;
        justify-content: space-between;
    }
    .poll-link-btn:hover { background: #e2e8f0; }
 </style>
 <template>
    <div class="poll-list">
        <h3>Available Polls</h3>
        <ul v-if="polls && polls.length > 0" class="poll-links">
            <li v-for="id in polls" :key="id">
                <button class="poll-link-btn" @click="$emit('select-poll', id)">
                    {{ id }} <span>→</span>
                </button>
            </li>
        </ul>
        <p v-else class="empty-state">No polls found. Create the first one!</p>
        <div class="create-poll" v-if="userid !== undefined">
            <input 
                v-model="newPollId" 
                placeholder="Enter new poll name..." 
                @keyup.enter="createPoll"
            />
            <button @click="createPoll">Create & Join</button>
        </div>
    </div>
 </template>
 <script setup lang="ts">
    import type { PollListProps } from '@/utils/types'
    const props = defineProps<PollListProps>()
    const newPollId = ref('');
    const polls = ref<string[]>([]);
    // Fetch existing polls on mount
    const fetchPolls = async () => {
        const data = await $fetch<{ polls: string[] }>('/api/polls');
        polls.value = data.polls;
    };
    const createPoll = () => {
        const id = newPollId.value.trim().toLowerCase().replace(/\s+/g, '-');
        if (id) {
            // In a real app, you might want to POST to create it first, 
            // but here we just navigate to it and let usePoll handle the save.
            emit('select-poll', id);
        }
    };
    const emit = defineEmits(['select-poll']);
    onMounted(fetchPolls);
 </script>
--- a/app/composables/usePoll.ts
+++ b/app/composables/usePoll.ts
@@ -0,0 +1,131 @@
 // composables/usePoll.ts
 import { ref, watch, onUnmounted } from 'vue';
 import * as Y from 'yjs';
 export const usePoll = (pollId: Ref<string | null>, user: Ref<UserData | null>) => {
    const pollData = ref<PollData>({});
    const isConnected = ref(false);
    const connectionAttempFailed = ref(false);
    const connectedPeers = ref(1);
    let ydoc: Y.Doc | null = null;
    let provider: any = null;
    let yMap: Y.Map<SignedData<VoteData>[]> | null = null;
    const cleanup = () => {
    if (provider) provider.disconnect();
        if (ydoc) ydoc.destroy();
        isConnected.value = false;
        pollData.value = {};
    };
    const initPoll = async (id: string) => {
        cleanup(); // Clear previous session
        ydoc = new Y.Doc();
        // 1. Fetch Snapshot from Nuxt API
        try {
            const response = await $fetch<{ update: number[] | null }>(`/api/polls/${id}`).catch((e) => {
                console.error("Failed to get poll: " + id,e)
            });
            //trust the server without verification.
            if (response?.update) {
                Y.applyUpdate(ydoc, new Uint8Array(response.update));
            }
        } catch (err) {
            console.error('Persistence fetch failed', err);
        }
        yMap = ydoc.getMap<SignedData<VoteData>[]>('shared-poll');
        // 2. Local State Sync
        yMap.observe(async () => {
            await performUpdateAndVerify();
            saveStateToServer(id);
        });
        await performUpdateAndVerify();
        // 3. P2P Connection
        const { WebrtcProvider } = await import('y-webrtc');
        provider = new WebrtcProvider(`nuxt-p2p-${id}`, ydoc, {
            signaling: ["ws://localhost:4444", "ws://lynxpi.ddns.net:4444"]
        });
        provider.on('synced', (arg: {synced: boolean}) => {
            isConnected.value = arg.synced;
            console.log('Connection synced:', arg.synced) // "connected" or "disconnected"
        });
        provider.on('status', (event: { connected: boolean }) => {
            console.log('Connection status:', event.connected) // "connected" or "disconnected"
        })
        provider.on('peers', (data: any) => {
            connectedPeers.value = data.webrtcPeers.length + 1
        });
    };
    const saveStateToServer = async (id: string) => {
        if (!ydoc) return;
        const stateUpdate = Y.encodeStateAsUpdate(ydoc);
        await $fetch(`/api/polls/${id}`, {
            method: 'POST',
            body: { update: Array.from(stateUpdate) }
        }).catch((e) => {
            console.error("Failed to update poll",e)
        });
    };
    // Watch for ID changes (e.g., user clicks a link or goes back)
    watch(pollId, (newId) => {
        if (newId && import.meta.client) {
            initPoll(newId);
        } else {
            cleanup();
        }
    }, { immediate: true });
    onUnmounted(cleanup);
    const addOption = (optionName: string) => {
        if (yMap && !yMap.has(optionName)) yMap.set(optionName, []);
    };
    const performUpdateAndVerify = async () => {
        const pollDataUpdate = yMap!.toJSON();
        console.log("Poll Data Update: ", pollDataUpdate)
        for(var option in pollDataUpdate){
            console.log("verifying votes for option: " + option);
            const votes = pollDataUpdate[option] || [];
            const verified = await verifyAllVotesForOption(votes);
            if(!verified){
                console.error("Failed to verify option: "+option)
                return;
            }
        }
        console.log("All options verified! :)")
        pollData.value = pollDataUpdate
    }
    const vote = async (optionName: string) => {
        const currentUser = user.value;
        if (currentUser != undefined && yMap?.has(optionName)) {
            const voteData = [...(yMap.get(optionName) || [])];
            if(voteData != undefined && currentUser.private_key){
                var unsignedVoteData : VoteData = {
                    userid: currentUser.userid,
                    timestamp: new Date().toISOString()
                }
                var newVote : SignedData<VoteData> = {
                    data: unsignedVoteData,
                    signature: "",
                }
                voteData?.push(newVote)
                const signature = await signVote(voteData,currentUser.private_key);
                newVote.signature=signature
                yMap?.set(optionName, voteData);
            }
        }
    };
    return { pollData, isConnected, connectionAttempFailed, connectedPeers, addOption, vote };
 };
--- a/app/composables/user.ts
+++ b/app/composables/user.ts
@@ -0,0 +1,2 @@
 export const user = (user: Ref<UserData | null>) => {
 }
--- a/app/utils/crypto.ts
+++ b/app/utils/crypto.ts
@@ -0,0 +1,187 @@
 // utils/crypto.ts
 export const generateUserKeyPair = async () => {
  return await window.crypto.subtle.generateKey(
    {
      name: "RSASSA-PKCS1-v1_5",
      modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), // 65537
      hash: "SHA-256",
    },
    true, // extractable
    ["sign", "verify"]
  );
 };
 export const signVote = async (data: any, privateKey: CryptoKey) => {
  const encoder = new TextEncoder();
  const encodedData = encoder.encode(JSON.stringify(data));
  const signature = await window.crypto.subtle.sign(
    "RSASSA-PKCS1-v1_5",
    privateKey,
    encodedData
  );
  // Convert to Base64 or Hex to store in Yjs easily
  return btoa(String.fromCharCode(...new Uint8Array(signature)));
 };
 export const verifyVote = async (data: any, signatureStr: string, publicKey: CryptoKey) => {
  const encoder = new TextEncoder();
  const encodedData = encoder.encode(JSON.stringify(data));
  // Convert Base64 back to Uint8Array
  const signature = Uint8Array.from(atob(signatureStr), c => c.charCodeAt(0));
  return await window.crypto.subtle.verify(
    "RSASSA-PKCS1-v1_5",
    publicKey,
    signature,
    encodedData
  );
 };
 /**
 * Verifies a specific vote within an array of votes by 
 * reconstructing the "signed state" at that point in time.
 */
 export const verifyChainedVote = async (
    voteData: SignedData<VoteData>[], 
    index: number
 ) => {
    const voteToVerify = voteData[index];
    console.log("Verifying vote: " + voteToVerify)
    if(voteToVerify) {
        // 1. Reconstruct the exact data state the user signed
        // We need the array exactly as it was when they pushed their vote
        const historicalState = voteData.slice(0, index + 1).map((v, i) => {
            if (i === index) {
                // For the current vote, the signature must be empty string
                // because it wasn't signed yet when passed to signVote
                return { ...v, signature: "" };
            }
            return v;
        });
        try {
            // 2. Fetch public key
            const response = await $fetch<{ public_key: string }>(`/api/users/${voteToVerify.data.userid}`);
            console.log("Got key: ",response)
            const pubKey = await stringToCryptoKey(response.public_key, 'public');
            console.log("Using pubKey to verify Vote.")
            // 3. Verify: Does this historicalState match the signature?
            return await verifyVote(historicalState, voteToVerify.signature, pubKey);
        } catch (err) {
            console.error("Verification failed")
            console.error(err);
            return false;
        }
    }
    console.error("Vote is undefined or null");
    return false;
 };
 export const verifyAllVotesForOption = async (votes: SignedData<VoteData>[]) => {
    console.log("verifying votes for option ",votes);
    for (let i = votes.length-1; i >= 0 ; i--) {
        const isValid = await verifyChainedVote(votes, i);
        if(!isValid){
            console.error("Error! Invalid Vote at: " + i,votes)
            return false;
        }
    }
    return true;
 };
 // Helper to convert ArrayBuffer to Base64 string
 const bufferToBase64 = (buf: ArrayBuffer) => 
  window.btoa(String.fromCharCode(...new Uint8Array(buf)));
 export const exportPublicKey = async (key: CryptoKey) => {
  // Export Public Key
  const exportedPublic = await window.crypto.subtle.exportKey("spki", key);
  const publicKeyString = bufferToBase64(exportedPublic);
  return publicKeyString;
 };
 export const exportPrivateKey = async (key: CryptoKey) => {
  // Export Private Key
  const exportedPrivate = await window.crypto.subtle.exportKey("pkcs8", key);
  const privateKeyString = bufferToBase64(exportedPrivate);
  return privateKeyString;
 };
 /**
 * Converts a Base64 string back into a usable CryptoKey object
 * @param keyStr The Base64 string (without PEM headers)
 * @param type 'public' or 'private'
 */
 export const stringToCryptoKey = async (keyStr: string, type: 'public' | 'private'): Promise<CryptoKey> => {
  // 1. Convert Base64 string to a Uint8Array (binary)
  const binaryString = window.atob(keyStr);
  const bytes = new Uint8Array(binaryString.length);
  for (let i = 0; i < binaryString.length; i++) {
    bytes[i] = binaryString.charCodeAt(i);
  }
  // 2. Identify the format based on the key type
  // Public keys usually use 'spki', Private keys use 'pkcs8'
  const format = type === 'public' ? 'spki' : 'pkcs8';
  const usages: KeyUsage[] = type === 'public' ? ['verify'] : ['sign'];
  // 3. Import the key
  return await window.crypto.subtle.importKey(
    format,
    bytes.buffer,
    {
      name: "RSASSA-PKCS1-v1_5",
      hash: "SHA-256",
    },
    true, // extractable (set to false if you want to lock it in memory)
    usages
  );
 };
 export const savePrivateKeyToFile = (privateKeyStr: string, filename: string) => {
  // Optional: Wrap in PEM headers for standard formatting
  const pemHeader = "-----BEGIN PRIVATE KEY-----\n";
  const pemFooter = "\n-----END PRIVATE KEY-----";
  const fileContent = pemHeader + privateKeyStr + pemFooter;
  const blob = new Blob([fileContent], { type: "text/plain" });
  const url = URL.createObjectURL(blob);
  const link = document.createElement("a");
  link.href = url;
  link.download = filename;
  document.body.appendChild(link);
  link.click();
  // Cleanup
  document.body.removeChild(link);
  URL.revokeObjectURL(url);
 };
 export const loadPrivateKeyFromFile = async (file: File): Promise<string> => {
  return new Promise((resolve, reject) => {
    const reader = new FileReader();
    reader.onload = (e) => {
      const content = e.target?.result as string;
      // Clean up the string by removing PEM headers and newlines
      const cleanKey = content
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replace(/\s+/g, ""); // Removes all whitespace/newlines
      resolve(cleanKey);
    };
    reader.onerror = () => reject("Error reading file");
    reader.readAsText(file);
  });
 };
--- a/app/utils/types.ts
+++ b/app/utils/types.ts
@@ -0,0 +1,36 @@
 export interface PollProps {
    userid: string | undefined,
    activePollId: string,
    pollData: PollData,
    addOption: (name: string) => void,
    vote: (optionName: string) => void
 }
 export interface PollListProps {
    userid: string | undefined,
 }
 export interface PollData extends Record<string, SignedData<VoteData>[]> {
 }
 export interface SignedData<T> {
    data: T,
    signature: string
 }
 export interface VoteData {
    userid: string,
    timestamp: string
 }
 export interface OptionData {
    userid: string,
    timestamp: string,
    optionName: string
 }
 export interface UserData {
    userid: string,
    private_key: CryptoKey | undefined,
    public_key: CryptoKey | undefined
 }
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -0,0 +1,23 @@
 // https://nuxt.com/docs/api/configuration/nuxt-config
 export default defineNuxtConfig({
  compatibilityDate: '2025-07-15',
  devtools: { enabled: true },
  vite: {
    optimizeDeps: {
      include: ['yjs', 'y-webrtc']
    }
  },
  // ... existing config
  nitro: {
    storage: {
      polls: {
        driver: 'fs',
        base: './.data/polls'
      },
      users: {
        driver: 'fs',
        base: './.data/users'
      }
    }
  }
 })
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -0,0 +1,20 @@
 {
  "name": "p2p-poll",
  "type": "module",
  "private": true,
  "scripts": {
    "build": "nuxt build",
    "dev": "PORT=4444 npx y-webrtc & nuxt dev",
    "generate": "nuxt generate",
    "preview": "nuxt preview",
    "postinstall": "nuxt prepare"
  },
  "dependencies": {
    "nuxt": "^4.1.3",
    "uuid": "^13.0.0",
    "vue": "^3.5.30",
    "vue-router": "^5.0.3",
    "y-webrtc": "^10.3.0",
    "yjs": "^13.6.30"
  }
 }
--- a/public/favicon.ico
+++ b/public/favicon.ico
--- a/public/robots.txt
+++ b/public/robots.txt
@@ -0,0 +1,2 @@
 User-Agent: *
 Disallow:
--- a/server/api/polls/[id].ts
+++ b/server/api/polls/[id].ts
@@ -0,0 +1,68 @@
 import * as Y from 'yjs';
 // server/api/polls/[id].ts
 export default defineEventHandler(async (event) => {
    const method = event.node.req.method;
    const pollId = getRouterParam(event, 'id');
    // We use Nitro's built-in storage. 
    // 'polls' is the storage namespace.
    const storage = useStorage('polls'); 
    if (!pollId) {
        throw createError({ statusCode: 400, statusMessage: 'Poll ID required' });
    }
    // GET: Fetch the saved Yjs document state
    if (method === 'GET') {
        const data = await storage.getItem(`poll:${pollId}`);
        // Return the array of numbers (or null if it doesn't exist yet)
        return { update: data || null };
    }
    // POST: Save a new Yjs document state
    if (method === 'POST') {
        const body = await readBody(event);
        if (body.update && Array.isArray(body.update)) {
            // create a temp Y.Doc to encode the Data
            const tempDoc = new Y.Doc();
            Y.applyUpdate(tempDoc, new Uint8Array(body.update));
            const yMap = tempDoc.getMap('shared-poll');
            const pollData = yMap.toJSON();
            // verify pollData
            for(var option in pollData){
                const votes = pollData[option] || [];
                var pubKeys: CryptoKey[] = [];
                const verifyAllVotesForOption = async (votes: SignedData<VoteData>[]) => {
                    console.log("verifying votes for option " + option,votes);
                    // check last votes first. if there is something wrong, its likely in the last vote.
                    for (let i = votes.length-1; i >= 0 ; i--) {
                        const userStorage = useStorage('users'); 
                        const votePubKeyString = await userStorage.getItem(`user:${votes[i]?.data.userid}`);
                        //console.log("Using public key: "+votePubKeyString)
                        const votePubKey = await stringToCryptoKey(String(votePubKeyString),'public')
                        const isValid = await verifyChainedVote(votes, i,votePubKey);
                        if(!isValid){
                            console.error("Error! Invalid Vote at: " + i,votes)
                            return false;
                        }
                    }
                    return true;
                };
                const verified = await verifyAllVotesForOption(votes);
                if(!verified){
                    console.error("Failed to verify option: "+option)
                    throw createError({ statusCode: 400, statusMessage: 'PollData contains unverifyable content!' });
                }
            }
            // Save the binary update (sent as an array of numbers) to storage
            await storage.setItem(`poll:${pollId}`, body.update);
            return { success: true };
        }
        throw createError({ statusCode: 400, statusMessage: 'Invalid update payload' });
    }
 });
--- a/server/api/polls/index.get.ts
+++ b/server/api/polls/index.get.ts
@@ -0,0 +1,15 @@
 // server/api/polls/index.get.ts
 export default defineEventHandler(async () => {
    const storage = useStorage('polls');
    // Get all keys in the 'polls' namespace
    const allKeys = await storage.getKeys();
    // Filter for our specific poll prefix and strip it for the UI
    // poll:my-id -> my-id
    const polls = allKeys
        .filter(key => key.startsWith('poll:'))
        .map(key => key.replace('poll:', ''));
    return { polls };
 });
--- a/server/api/users/[id].ts
+++ b/server/api/users/[id].ts
@@ -0,0 +1,41 @@
 // server/api/users/[id].ts
 export default defineEventHandler(async (event) => {
    const method = event.node.req.method;
    const userId = getRouterParam(event, 'id');
    // We use Nitro's built-in storage. 
    // 'polls' is the storage namespace.
    const storage = useStorage('users'); 
    if (!userId) {
        throw createError({ statusCode: 400, statusMessage: 'User ID required' });
    }
    // GET: Fetch the saved Yjs document state
    if (method === 'GET') {
        const data = await storage.getItem(`user:${userId}`);
        // Return the array of numbers (or null if it doesn't exist yet)
        return { public_key: data };
    }
    // POST: Save a new Yjs document state
    if (method === 'POST') {
        const body = await readBody(event);
        if (body.public_key) {
            const data = await storage.getItem(`user:${userId}`);
            if (data == undefined || data == null) {
                // Save the binary update (sent as an array of numbers) to storage
                await storage.setItem(`user:${userId}`, body.public_key);
                console.log("New User created: " + userId)
                console.log("Public Key: " + body.public_key);
                return { success: true };
            }
            throw createError({ statusCode: 400, statusMessage: 'User already exists.' });
        }
        throw createError({ statusCode: 400, statusMessage: 'Invalid update payload' });
    }
 });
--- a/server/utils/crypto.ts
+++ b/server/utils/crypto.ts
@@ -0,0 +1,86 @@
 import { SignedData, VoteData } from "./types";
 /**
 * Gets the WebCrypto API regardless of environment (Node vs Browser)
 */
 const getCrypto = () => {
  return (globalThis as any).crypto;
 };
 export const verifyVote = async (data: any, signatureStr: string, publicKey: CryptoKey) => {
  const encoder = new TextEncoder();
  const encodedData = encoder.encode(JSON.stringify(data));
  // Convert Base64 back to Uint8Array
  const signature = Uint8Array.from(atob(signatureStr), c => c.charCodeAt(0));
  return await getCrypto().subtle.verify(
    "RSASSA-PKCS1-v1_5",
    publicKey,
    signature,
    encodedData
  );
 };
 /**
 * Verifies a specific vote within an array of votes by 
 * reconstructing the "signed state" at that point in time.
 */
 export const verifyChainedVote = async (
    voteData: SignedData<VoteData>[], 
    index: number,
    pubKey: CryptoKey
 ) => {
    const voteToVerify = voteData[index];
    console.log("Verifying vote: " + voteToVerify)
    if(voteToVerify) {
        // 1. Reconstruct the exact data state the user signed
        // We need the array exactly as it was when they pushed their vote
        const historicalState = voteData.slice(0, index + 1).map((v, i) => {
            if (i === index) {
                // For the current vote, the signature must be empty string
                // because it wasn't signed yet when passed to signVote
                return { ...v, signature: "" };
            }
            return v;
        });
        try {
            // 3. Verify: Does this historicalState match the signature?
            return await verifyVote(historicalState, voteToVerify.signature, pubKey);
        } catch (err) {
            console.error("Verification failed")
            console.error(err);
            return false;
        }
    }
    console.error("Vote is undefined or null");
    return false;
 };
 /**
 * Converts a Base64 string back into a usable CryptoKey object
 * @param keyStr The Base64 string (without PEM headers)
 * @param type 'public' or 'private'
 */
 export const stringToCryptoKey = async (keyStr: string, type: 'public' | 'private'): Promise<CryptoKey> => {
  // 1. Convert Base64 string to a Uint8Array (binary)
  const bytes = Buffer.from(keyStr, 'base64');
  // 2. Identify the format based on the key type
  // Public keys usually use 'spki', Private keys use 'pkcs8'
  const format = type === 'public' ? 'spki' : 'pkcs8';
  const usages: KeyUsage[] = type === 'public' ? ['verify'] : ['sign'];
  // 3. Import the key
  return await getCrypto().subtle.importKey(
    format,
    bytes,
    {
      name: "RSASSA-PKCS1-v1_5",
      hash: "SHA-256",
    },
    true, // extractable (set to false if you want to lock it in memory)
    usages
  );
 };
--- a/server/utils/types.ts
+++ b/server/utils/types.ts
@@ -0,0 +1,36 @@
 export interface PollProps {
    userid: string | undefined,
    activePollId: string,
    pollData: PollData,
    addOption: (name: string) => void,
    vote: (optionName: string) => void
 }
 export interface PollListProps {
    userid: string | undefined,
 }
 export interface PollData extends Record<string, SignedData<VoteData>[]> {
 }
 export interface SignedData<T> {
    data: T,
    signature: string
 }
 export interface VoteData {
    userid: string,
    timestamp: string
 }
 export interface OptionData {
    userid: string,
    timestamp: string,
    optionName: string
 }
 export interface UserData {
    userid: string,
    private_key: CryptoKey | undefined,
    public_key: CryptoKey | undefined
 }
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -0,0 +1,18 @@
 {
  // https://nuxt.com/docs/guide/concepts/typescript
  "files": [],
  "references": [
    {
      "path": "./.nuxt/tsconfig.app.json"
    },
    {
      "path": "./.nuxt/tsconfig.server.json"
    },
    {
      "path": "./.nuxt/tsconfig.shared.json"
    },
    {
      "path": "./.nuxt/tsconfig.node.json"
    }
  ]
 }
Author	SHA1	Message	Date
1ynx	bc5e2eead8	+ create user with public/private key + sign and verify votes and prevent unverified updates	2026-04-04 22:36:17 +02:00
1ynx	b5cb0e83e3	* init p2p polling app	2026-03-31 19:09:46 +02:00
		`@@ -0,0 +1,2 @@`
							`export const user = (user: Ref<UserData \| null>) => {`
							`}`