+ create user with public/private key

+ sign and verify votes and prevent unverified updates
* init p2p polling app
2026-04-04 22:36:17 +02:00 · 2026-03-31 19:09:46 +02:00
20 changed files with 11253 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,24 @@
 # Nuxt dev/build outputs
 .output
 .data
 .nuxt
 .nitro
 .cache
 dist
 # Node dependencies
 node_modules
 # Logs
 logs
 *.log
 # Misc
 .DS_Store
 .fleet
 .idea
 # Local env files
 .env
 .env.*
 !.env.example
--- a/README.md
+++ b/README.md
@@ -1,37 +1,129 @@
-# P2P Poll App
+# 🗳️ P2P Verified Polling App
 There are lots of trust-issues:
 The possiblity to generate lots of users that do a lot of things (at a rather low cost)
 The possibility to put out wrong data, maby not even contradicting but additional to existing data.
 The possibility to do all kinds of shenenigans like spam other users with some requests
-Due to low programming knowledge, the starting point of this proposal was to mirror how normal groups of people solve issues of trust to then automate and possibly improve the process. There are already some systems out there like Trust flow or random walk.As far as i understand it, the Flexible Trust Web also already does something like this, also maby RWOT and GNUweb but i didn't read into them too much yet since i discovered them rather late.
+A decentralized, real-time polling application built with **Nuxt 3**, **Yjs**, and **WebRTC**. This app allows users to create and participate in polls where every vote is cryptographically signed and verified peer-to-peer, ensuring data integrity without a central authority "owning" the results.
-If random new people should be able to use the system as equals to previous users, but the system never has real identities as an input, then there is no way to fully prevent the creation of new users to manipulate or sabotage the poll. But it can be assumed, that your friends are rather trustworthy and most likely also their friends and so on. And if someone makes huge ammounts or just one second account, they will probably only have the creator or maby some other people as friends, and even they might already be less socially connected than a normal user. 
+---
 So the social distance to another user should be evaluated to see, whether you should count their vote. 
 This is evaluated for and by every user individually, based on the information they were sent. The ammount of contacts you won't count are displayed to you, such that you get a hint at how many people you are missing but also how many people are not counting you. This encourages people to try to prove others/vise versa and make social connections to officially tie the network closer together such that the voting system works and confirms itself. It would be great, if there was some chat attached to the poll. If people want to prove their (or others) trustworhiness within this system, they are then also encouraged to have productive discussions, probably about the matter of the poll.
 Everyone in a poll with you is a "contact" of yours.
 "users" can have "friends".
 You can also manually mark users as suspicious or trustworthy or normal again.
 The system for evaluating the trustworthyness of users is somehow a mix between the concepts "weighted path score" and "trust flow" with 5 steps.
 That means for 5 steps starting with you, all friends and trusted people of people looked at in this step get some trust from the people we look at: 0.8 * The trust of the looked at person (if trusted) + 0.8 * The trust of the looked at person / friends the looked at person has (if friend). Then the trust of the person that received trust may maximally be 100. The Trust you have to yourself is 100.
 You can also mark someone as trustworthy or untrustworthy. That is then also sent around to everyone if you want(should be the standard, but maby a user wants to just see how the trustworthyness will look like after the change).
 If you receive such an information, you can make the following calculations immidiately and after every assesment of everyones trustworthyness:
 If the accused is less trustworthy then the accusing person, decrease the accused trustworthyness to 0 and the accused friends and trustees trustworthyness by the trustworthyness of the accusing person. 
 If the trustworhyness of the accusing person is less than the trustworthyness of the accused, then reduce the trustworthyness of the accusing person to 0 and the accusing persons friends and trustees by the trustworthyness of the accused.
 If you mark someone as trustworthy:
 The Trust flowing to the trusted person from you will also be 0.8 of your trust. 
 Maby this should also be the effect of beeing "friends" since "trust" might be something you could more intuitively casually deal out after a short chat. If that change were to occur, then the effect would have to be switched around.
 All contacts can maximally have the Trust 100.
 ## 🌟 Key Features
-Future matters:
+* **Serverless Real-time Sync:** Uses **Yjs** (CRDTs) and **WebRTC** to sync poll data directly between browsers. No database is required for live updates.
-If there can be any discrepancy of sent information, depending on what sender you trust most, you will mark one of the senders as untrustworthy and neglect all future information from this user. Since everything can be signed and such, that shouldnˋt be an issue tho, but if it was, the ammount of "useless" messages to already informed people might have to increase to validate received data.
+* **Persistence with Nitro:** While the logic is P2P, the **Nuxt/Nitro** backend provides a "Snapshot" service to ensure polls persist even after all peers go offline.
-A system to showcase the social connections in a 2D - format would be neat.
+* **Cryptographic Integrity:** Every vote is signed using **RSA-PSS (Web Crypto API)**. Each user has a unique private key (stored locally via `.pem` files) to ensure votes cannot be forged or tampered with.
-(most likely something like this exists already)
+* **Chained Verification:** Implements a "History-Signing" logic where each new vote signs the entire preceding state of the poll, creating a verifiable chain of trust.
-Obviously the user would also have to see other context like the total of all votes (trusted or not)
+* **Privacy First:** Users identify via UUIDs and Public/Private key pairs rather than traditional accounts.
-Anonymous polls:
+---
-A system of individually assigned trust poses a challenge for a system where you can decide not to trust some voters. 
+
-If there is no other option some compromises might be makable, such as: 
+## ⚙️ How It Works
-Your Friends can know what you voted for
+
-The Person initiating a poll just decides on the validity of participants according to an own judgement of trust at the moment of poll-creation
+### 1. Identity Creation
 When a new user is created, the system generates a unique **UUID (User ID)** and an **RSA Key Pair**. The user is prompted to save their **Private Key** as a `.pem` file, named after their User ID (e.g., `550e8400-e29b.pem`). This file acts as their "Passport"—it is never uploaded to the server and must be kept secure by the user.
 ### 2. Authentication
 Upon returning to the app, users load their local `.pem` file. The application extracts the Private Key for signing and the UUID for identification. No passwords or central servers are involved in this local-first login process.
 ### 3. Joining a Poll
 When a user joins a poll, the app fetches the latest binary snapshot from the server to populate a local **Y.Doc**. This ensures the user sees the current state immediately, even before connecting to other peers.
 ### 4. The P2P Mesh
 The app establishes connections to other active voters via a WebRTC signaling server. Any changes made to the poll (adding options or voting) are broadcasted instantly to all peers using Conflict-free Replicated Data Types (CRDTs) to prevent sync conflicts.
 ### 5. Casting a Signed Vote
 To ensure security, the voting process follows a strict cryptographic chain:
 * The app captures the current list of votes.
 * It appends the new vote data (User ID + Timestamp).
 * It signs the **entire array** (the previous history + the new vote) using the user's RSA private key.
 * The signed update is merged into the shared Yjs Map and broadcasted.
 ### 6. Distributed Verification
 Whenever a peer receives a new update, they fetch the voter's **Public Key** from the API. They then verify that the signature matches the current state of the poll history. If a signature is invalid or the history has been tampered with, the vote is rejected by the peer's local state.
 ---
 ## 🛠️ Tech Stack
 * **Framework:** [Nuxt 3](https://nuxt.com/) (Vue 3 + TypeScript)
 * **Conflict-Free Replicated Data Types (CRDT):** [Yjs](https://yjs.dev/)
 * **P2P Transport:** `y-webrtc`
 * **Security:** Web Crypto API (SubtleCrypto)
 * **Backend/Storage:** Nitro (Nuxt's server engine) with filesystem storage drivers
 # AI Disclaimer
 This App was developed with the assistance of AI.
 # Nuxt Minimal Starter
 Look at the [Nuxt documentation](https://nuxt.com/docs/getting-started/introduction) to learn more.
 ## Setup
 Make sure to install dependencies:
 ```bash
 # npm
 npm install
 # pnpm
 pnpm install
 # yarn
 yarn install
 # bun
 bun install
 ```
 ## Development Server
 Start the development server on `http://localhost:3000`:
 ```bash
 # npm
 npm run dev
 # pnpm
 pnpm dev
 # yarn
 yarn dev
 # bun
 bun run dev
 ```
 ## Production
 Build the application for production:
 ```bash
 # npm
 npm run build
 # pnpm
 pnpm build
 # yarn
 yarn build
 # bun
 bun run build
 ```
 Locally preview production build:
 ```bash
 # npm
 npm run preview
 # pnpm
 pnpm preview
 # yarn
 yarn preview
 # bun
 bun run preview
 ```
 Check out the [deployment documentation](https://nuxt.com/docs/getting-started/deployment) for more information.
--- a/app/app.vue
+++ b/app/app.vue
@@ -0,0 +1,175 @@
 <style>
 /* Basic styling to make it look clean */
 body {
  font-family: system-ui, -apple-system, sans-serif;
  background-color: #f4f4f9;
  color: #333;
  margin: 0;
  display: flex;
  justify-content: center;
  padding: 2rem;
 }
 header {
  margin-bottom: 2rem;
  text-align: center;
 }
 h1 { margin: 0 0 0.5rem 0; }
 input {
  flex-grow: 1;
  padding: 0.75rem;
  border: 1px solid #ccc;
  border-radius: 6px;
  font-size: 1rem;
 }
 button,
 .button {
  background: #3b82f6;
  color: white;
  border: none;
  padding: 0.75rem 1rem;
  border-radius: 6px;
  cursor: pointer;
  font-weight: bold;
  transition: background 0.2s;
 }
 button:hover,
 .button:hover { background: #2563eb; }
 .status {
  font-size: 0.85rem;
  color: #666;
 }
 .status .connected { color: #10b981; font-weight: bold; }
 .connectionFailed { color: #FF2525; font-weight: bold; }
 .poll-container {
  background: white;
  padding: 2rem;
  border-radius: 12px;
  box-shadow: 0 4px 6px rgba(0,0,0,0.1);
  width: 100%;
  max-width: 500px;
 }
 .back-btn { 
  margin-left: 1rem; 
  padding: 0.2rem 0.5rem; 
  font-size: 0.7rem; 
  background: #64748b; 
 }
 /* Hide the actual file input */
 input[type="file"] {
  display: none;
 }
 </style>
 <template>
    <div class="poll-container">
        <header>
            <h1 @click="activePollId = null" style="cursor:pointer">P2P Polling App 🗳️</h1>
            <div class="status">
                <button v-if="activePollId" @click="activePollId = null" class="back-btn">← Back To List</button>
                <span :class="{ 'connected': isConnected }">
                    ● {{ isConnected ? 'Synced' : 'Waiting for other Peers...' }}
                </span>
                <span> | Peers online: {{ connectedPeers }}</span>
                <h2 v-if="connectionAttempFailed" class="connectionFailed">⚠ Connection to Signaling Server Failed!</h2>
                <div v-if="user===null" style="margin-top: 10px;">
                    <button @click="createUser">Create New User</button>
                    Or
                    <label title="Select Key File">
                        <span class="button">Login</span>
                        <input 
                            type="file"
                            accept=".pem"
                            @change="loadUser"
                        />
                    </label>
                </div>
            </div>
        </header>
        <main>
            <PollList v-if="!activePollId" :userid="user?.userid" @select-poll="selectPoll" />
            <Poll v-else :activePollId="activePollId" :userid="user?.userid" :poll-data="pollData" :addOption="addOption" :vote="vote"/>
        </main>
    </div>
 </template>
 <script setup lang="ts">
    import { v4 as uuidv4 } from 'uuid';
    const activePollId = ref<string | null>(null);
    const user = shallowRef<UserData | null>(null);
    const { pollData, isConnected, connectionAttempFailed, connectedPeers, addOption, vote } = usePoll(activePollId,user);
    const selectPoll = (id: string) => {
        activePollId.value = id;
    };
    const createUser = async () => {
        try {
            const keypair : CryptoKeyPair = await generateUserKeyPair();
            console.log('keypair:', keypair);
            const uuid = uuidv4();
            user.value = {
                userid: uuid,
                private_key: keypair.privateKey,
                public_key: keypair.publicKey,
            };
            const prvKeyString = await exportPrivateKey(keypair.privateKey);
            await savePrivateKeyToFile(prvKeyString,uuid+".pem")
            const pubKeyString = await exportPublicKey(keypair.publicKey);
            await $fetch(`/api/users/${uuid}`, {
                method: 'POST',
                body: { public_key: pubKeyString }
            });
        } catch (err) {
            user.value = null
            console.error("Failed to create new User!", err);
        }
    };
    const loadUser = async (event: Event) => {
        const target = event.target as HTMLInputElement;
        const file = target.files?.[0];
        if (file) {
            try {
                const content = await file.text();
                console.log("File loaded: ");
                if (file.name && content) {
                    try {
                        const uuid = file.name.replace(".pem", "");
                        // Standardize the string for the importer
                        const pkBase64 = content.replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----/g, "").replace(/\s+/g, "");
                        const key = await stringToCryptoKey(pkBase64, "private");
                        user.value = {
                            userid: uuid,
                            private_key: key,
                            public_key: undefined, // Note: You might need to import a pub key too!
                        };
                        console.log("Login successful for:", uuid);
                    } catch (err) {
                        console.error("Crypto Import Error:", err);
                        alert("The file content is not a valid Private Key.");
                    }
                }
            } catch (e) {
                console.error("Failed to read file", e);
            }
        }
    };
 </script>
--- a/app/components/Poll.vue
+++ b/app/components/Poll.vue
@@ -0,0 +1,83 @@
 <style scoped>
 .poll-list {
  list-style: none;
  padding: 0;
  margin: 0;
 }
 .poll-item {
  display: flex;
  justify-content: space-between;
  align-items: center;
  padding: 1rem;
  background: #f8fafc;
  border: 1px solid #e2e8f0;
  border-radius: 8px;
  margin-bottom: 0.5rem;
 }
 .poll-title { 
  font-size: 1.1rem; 
  color: #3b82f6; 
  text-transform: uppercase; 
  letter-spacing: 1px;
 }
 .add-option-form {
  display: flex;
  gap: 0.5rem;
  margin-bottom: 2rem;
 }
 .option-name { font-weight: 500; }
 .vote-section { display: flex; align-items: center; gap: 1rem; }
 .vote-count { font-size: 0.9rem; color: #475569; }
 .vote-btn { padding: 0.4rem 0.8rem; background: #10b981; }
 .vote-btn:hover { background: #059669; }
 .vote-btn:disabled,
 .vote-btn[disabled] { background: #888888; }
 .vote-btn:disabled:hover,
 .vote-btn[disabled]:hover { background: #AAAAAA; }
 </style>
 <template>
    <div>
        <h2 class="poll-title">Poll: {{ activePollId }}</h2>
        <p v-if="Object.keys(pollData).length==0">Note: Add at least one Option to save the Poll.</p>
        <form @submit.prevent="handleAddNewOption" class="add-option-form" v-if="userid">
            <input v-model="newOption" placeholder="Enter a new poll option..." required />
            <button type="submit">Add Option</button>
        </form>
        <ul class="poll-list">
            <li v-for="(votes, optionName) in pollData" :key="optionName" class="poll-item">
                <span class="option-name">{{ optionName }}</span>
                <div class="vote-section">
                    <span class="vote-count">{{ votes.length }} {{ votes.length === 1 ? 'vote' : 'votes' }}</span>
                    <button @click="vote(String(optionName))" class="vote-btn" :disabled="userid==undefined || voted(votes)">+1</button>
                </div>
            </li>
        </ul>
    </div>
 </template>
 <script setup lang="ts">
    import type { PollProps, SignedData, VoteData } from '@/utils/types'
    const props = defineProps<PollProps>()
    const newOption = ref('');
    const handleAddNewOption = () => {
        props.addOption(newOption.value);
        newOption.value = '';
    };
    const voted = (votes: SignedData<VoteData>[]) => {
        for(let vote of votes){
            if(vote.data.userid == props.userid){
                return true;
            }
        }
        return false;
    }
 </script>
--- a/app/components/PollList.vue
+++ b/app/components/PollList.vue
@@ -0,0 +1,64 @@
 <style scoped>
    .poll-list { margin-top: 1rem; }
    .empty-state { text-align: center; color: #94a3b8; font-style: italic; }
    .create-poll { display: flex; gap: 0.5rem; margin-bottom: 1.5rem; }
    .poll-links { list-style: none; padding: 0; }
    .poll-link-btn {
        width: 100%;
        text-align: left;
        background: #f1f5f9;
        color: #1e293b;
        margin-bottom: 0.5rem;
        display: flex;
        justify-content: space-between;
    }
    .poll-link-btn:hover { background: #e2e8f0; }
 </style>
 <template>
    <div class="poll-list">
        <h3>Available Polls</h3>
        <ul v-if="polls && polls.length > 0" class="poll-links">
            <li v-for="id in polls" :key="id">
                <button class="poll-link-btn" @click="$emit('select-poll', id)">
                    {{ id }} <span>→</span>
                </button>
            </li>
        </ul>
        <p v-else class="empty-state">No polls found. Create the first one!</p>
        <div class="create-poll" v-if="userid !== undefined">
            <input 
                v-model="newPollId" 
                placeholder="Enter new poll name..." 
                @keyup.enter="createPoll"
            />
            <button @click="createPoll">Create & Join</button>
        </div>
    </div>
 </template>
 <script setup lang="ts">
    import type { PollListProps } from '@/utils/types'
    const props = defineProps<PollListProps>()
    const newPollId = ref('');
    const polls = ref<string[]>([]);
    // Fetch existing polls on mount
    const fetchPolls = async () => {
        const data = await $fetch<{ polls: string[] }>('/api/polls');
        polls.value = data.polls;
    };
    const createPoll = () => {
        const id = newPollId.value.trim().toLowerCase().replace(/\s+/g, '-');
        if (id) {
            // In a real app, you might want to POST to create it first, 
            // but here we just navigate to it and let usePoll handle the save.
            emit('select-poll', id);
        }
    };
    const emit = defineEmits(['select-poll']);
    onMounted(fetchPolls);
 </script>
--- a/app/composables/usePoll.ts
+++ b/app/composables/usePoll.ts
@@ -0,0 +1,131 @@
 // composables/usePoll.ts
 import { ref, watch, onUnmounted } from 'vue';
 import * as Y from 'yjs';
 export const usePoll = (pollId: Ref<string | null>, user: Ref<UserData | null>) => {
    const pollData = ref<PollData>({});
    const isConnected = ref(false);
    const connectionAttempFailed = ref(false);
    const connectedPeers = ref(1);
    let ydoc: Y.Doc | null = null;
    let provider: any = null;
    let yMap: Y.Map<SignedData<VoteData>[]> | null = null;
    const cleanup = () => {
    if (provider) provider.disconnect();
        if (ydoc) ydoc.destroy();
        isConnected.value = false;
        pollData.value = {};
    };
    const initPoll = async (id: string) => {
        cleanup(); // Clear previous session
        ydoc = new Y.Doc();
        // 1. Fetch Snapshot from Nuxt API
        try {
            const response = await $fetch<{ update: number[] | null }>(`/api/polls/${id}`).catch((e) => {
                console.error("Failed to get poll: " + id,e)
            });
            //trust the server without verification.
            if (response?.update) {
                Y.applyUpdate(ydoc, new Uint8Array(response.update));
            }
        } catch (err) {
            console.error('Persistence fetch failed', err);
        }
        yMap = ydoc.getMap<SignedData<VoteData>[]>('shared-poll');
        // 2. Local State Sync
        yMap.observe(async () => {
            await performUpdateAndVerify();
            saveStateToServer(id);
        });
        await performUpdateAndVerify();
        // 3. P2P Connection
        const { WebrtcProvider } = await import('y-webrtc');
        provider = new WebrtcProvider(`nuxt-p2p-${id}`, ydoc, {
            signaling: ["ws://localhost:4444", "ws://lynxpi.ddns.net:4444"]
        });
        provider.on('synced', (arg: {synced: boolean}) => {
            isConnected.value = arg.synced;
            console.log('Connection synced:', arg.synced) // "connected" or "disconnected"
        });
        provider.on('status', (event: { connected: boolean }) => {
            console.log('Connection status:', event.connected) // "connected" or "disconnected"
        })
        provider.on('peers', (data: any) => {
            connectedPeers.value = data.webrtcPeers.length + 1
        });
    };
    const saveStateToServer = async (id: string) => {
        if (!ydoc) return;
        const stateUpdate = Y.encodeStateAsUpdate(ydoc);
        await $fetch(`/api/polls/${id}`, {
            method: 'POST',
            body: { update: Array.from(stateUpdate) }
        }).catch((e) => {
            console.error("Failed to update poll",e)
        });
    };
    // Watch for ID changes (e.g., user clicks a link or goes back)
    watch(pollId, (newId) => {
        if (newId && import.meta.client) {
            initPoll(newId);
        } else {
            cleanup();
        }
    }, { immediate: true });
    onUnmounted(cleanup);
    const addOption = (optionName: string) => {
        if (yMap && !yMap.has(optionName)) yMap.set(optionName, []);
    };
    const performUpdateAndVerify = async () => {
        const pollDataUpdate = yMap!.toJSON();
        console.log("Poll Data Update: ", pollDataUpdate)
        for(var option in pollDataUpdate){
            console.log("verifying votes for option: " + option);
            const votes = pollDataUpdate[option] || [];
            const verified = await verifyAllVotesForOption(votes);
            if(!verified){
                console.error("Failed to verify option: "+option)
                return;
            }
        }
        console.log("All options verified! :)")
        pollData.value = pollDataUpdate
    }
    const vote = async (optionName: string) => {
        const currentUser = user.value;
        if (currentUser != undefined && yMap?.has(optionName)) {
            const voteData = [...(yMap.get(optionName) || [])];
            if(voteData != undefined && currentUser.private_key){
                var unsignedVoteData : VoteData = {
                    userid: currentUser.userid,
                    timestamp: new Date().toISOString()
                }
                var newVote : SignedData<VoteData> = {
                    data: unsignedVoteData,
                    signature: "",
                }
                voteData?.push(newVote)
                const signature = await signVote(voteData,currentUser.private_key);
                newVote.signature=signature
                yMap?.set(optionName, voteData);
            }
        }
    };
    return { pollData, isConnected, connectionAttempFailed, connectedPeers, addOption, vote };
 };
--- a/app/composables/user.ts
+++ b/app/composables/user.ts
@@ -0,0 +1,2 @@
 export const user = (user: Ref<UserData | null>) => {
 }
--- a/app/utils/crypto.ts
+++ b/app/utils/crypto.ts
@@ -0,0 +1,187 @@
 // utils/crypto.ts
 export const generateUserKeyPair = async () => {
  return await window.crypto.subtle.generateKey(
    {
      name: "RSASSA-PKCS1-v1_5",
      modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), // 65537
      hash: "SHA-256",
    },
    true, // extractable
    ["sign", "verify"]
  );
 };
 export const signVote = async (data: any, privateKey: CryptoKey) => {
  const encoder = new TextEncoder();
  const encodedData = encoder.encode(JSON.stringify(data));
  const signature = await window.crypto.subtle.sign(
    "RSASSA-PKCS1-v1_5",
    privateKey,
    encodedData
  );
  // Convert to Base64 or Hex to store in Yjs easily
  return btoa(String.fromCharCode(...new Uint8Array(signature)));
 };
 export const verifyVote = async (data: any, signatureStr: string, publicKey: CryptoKey) => {
  const encoder = new TextEncoder();
  const encodedData = encoder.encode(JSON.stringify(data));
  // Convert Base64 back to Uint8Array
  const signature = Uint8Array.from(atob(signatureStr), c => c.charCodeAt(0));
  return await window.crypto.subtle.verify(
    "RSASSA-PKCS1-v1_5",
    publicKey,
    signature,
    encodedData
  );
 };
 /**
 * Verifies a specific vote within an array of votes by 
 * reconstructing the "signed state" at that point in time.
 */
 export const verifyChainedVote = async (
    voteData: SignedData<VoteData>[], 
    index: number
 ) => {
    const voteToVerify = voteData[index];
    console.log("Verifying vote: " + voteToVerify)
    if(voteToVerify) {
        // 1. Reconstruct the exact data state the user signed
        // We need the array exactly as it was when they pushed their vote
        const historicalState = voteData.slice(0, index + 1).map((v, i) => {
            if (i === index) {
                // For the current vote, the signature must be empty string
                // because it wasn't signed yet when passed to signVote
                return { ...v, signature: "" };
            }
            return v;
        });
        try {
            // 2. Fetch public key
            const response = await $fetch<{ public_key: string }>(`/api/users/${voteToVerify.data.userid}`);
            console.log("Got key: ",response)
            const pubKey = await stringToCryptoKey(response.public_key, 'public');
            console.log("Using pubKey to verify Vote.")
            // 3. Verify: Does this historicalState match the signature?
            return await verifyVote(historicalState, voteToVerify.signature, pubKey);
        } catch (err) {
            console.error("Verification failed")
            console.error(err);
            return false;
        }
    }
    console.error("Vote is undefined or null");
    return false;
 };
 export const verifyAllVotesForOption = async (votes: SignedData<VoteData>[]) => {
    console.log("verifying votes for option ",votes);
    for (let i = votes.length-1; i >= 0 ; i--) {
        const isValid = await verifyChainedVote(votes, i);
        if(!isValid){
            console.error("Error! Invalid Vote at: " + i,votes)
            return false;
        }
    }
    return true;
 };
 // Helper to convert ArrayBuffer to Base64 string
 const bufferToBase64 = (buf: ArrayBuffer) => 
  window.btoa(String.fromCharCode(...new Uint8Array(buf)));
 export const exportPublicKey = async (key: CryptoKey) => {
  // Export Public Key
  const exportedPublic = await window.crypto.subtle.exportKey("spki", key);
  const publicKeyString = bufferToBase64(exportedPublic);
  return publicKeyString;
 };
 export const exportPrivateKey = async (key: CryptoKey) => {
  // Export Private Key
  const exportedPrivate = await window.crypto.subtle.exportKey("pkcs8", key);
  const privateKeyString = bufferToBase64(exportedPrivate);
  return privateKeyString;
 };
 /**
 * Converts a Base64 string back into a usable CryptoKey object
 * @param keyStr The Base64 string (without PEM headers)
 * @param type 'public' or 'private'
 */
 export const stringToCryptoKey = async (keyStr: string, type: 'public' | 'private'): Promise<CryptoKey> => {
  // 1. Convert Base64 string to a Uint8Array (binary)
  const binaryString = window.atob(keyStr);
  const bytes = new Uint8Array(binaryString.length);
  for (let i = 0; i < binaryString.length; i++) {
    bytes[i] = binaryString.charCodeAt(i);
  }
  // 2. Identify the format based on the key type
  // Public keys usually use 'spki', Private keys use 'pkcs8'
  const format = type === 'public' ? 'spki' : 'pkcs8';
  const usages: KeyUsage[] = type === 'public' ? ['verify'] : ['sign'];
  // 3. Import the key
  return await window.crypto.subtle.importKey(
    format,
    bytes.buffer,
    {
      name: "RSASSA-PKCS1-v1_5",
      hash: "SHA-256",
    },
    true, // extractable (set to false if you want to lock it in memory)
    usages
  );
 };
 export const savePrivateKeyToFile = (privateKeyStr: string, filename: string) => {
  // Optional: Wrap in PEM headers for standard formatting
  const pemHeader = "-----BEGIN PRIVATE KEY-----\n";
  const pemFooter = "\n-----END PRIVATE KEY-----";
  const fileContent = pemHeader + privateKeyStr + pemFooter;
  const blob = new Blob([fileContent], { type: "text/plain" });
  const url = URL.createObjectURL(blob);
  const link = document.createElement("a");
  link.href = url;
  link.download = filename;
  document.body.appendChild(link);
  link.click();
  // Cleanup
  document.body.removeChild(link);
  URL.revokeObjectURL(url);
 };
 export const loadPrivateKeyFromFile = async (file: File): Promise<string> => {
  return new Promise((resolve, reject) => {
    const reader = new FileReader();
    reader.onload = (e) => {
      const content = e.target?.result as string;
      // Clean up the string by removing PEM headers and newlines
      const cleanKey = content
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replace(/\s+/g, ""); // Removes all whitespace/newlines
      resolve(cleanKey);
    };
    reader.onerror = () => reject("Error reading file");
    reader.readAsText(file);
  });
 };
--- a/app/utils/types.ts
+++ b/app/utils/types.ts
@@ -0,0 +1,36 @@
 export interface PollProps {
    userid: string | undefined,
    activePollId: string,
    pollData: PollData,
    addOption: (name: string) => void,
    vote: (optionName: string) => void
 }
 export interface PollListProps {
    userid: string | undefined,
 }
 export interface PollData extends Record<string, SignedData<VoteData>[]> {
 }
 export interface SignedData<T> {
    data: T,
    signature: string
 }
 export interface VoteData {
    userid: string,
    timestamp: string
 }
 export interface OptionData {
    userid: string,
    timestamp: string,
    optionName: string
 }
 export interface UserData {
    userid: string,
    private_key: CryptoKey | undefined,
    public_key: CryptoKey | undefined
 }
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -0,0 +1,23 @@
 // https://nuxt.com/docs/api/configuration/nuxt-config
 export default defineNuxtConfig({
  compatibilityDate: '2025-07-15',
  devtools: { enabled: true },
  vite: {
    optimizeDeps: {
      include: ['yjs', 'y-webrtc']
    }
  },
  // ... existing config
  nitro: {
    storage: {
      polls: {
        driver: 'fs',
        base: './.data/polls'
      },
      users: {
        driver: 'fs',
        base: './.data/users'
      }
    }
  }
 })
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -0,0 +1,20 @@
 {
  "name": "p2p-poll",
  "type": "module",
  "private": true,
  "scripts": {
    "build": "nuxt build",
    "dev": "PORT=4444 npx y-webrtc & nuxt dev",
    "generate": "nuxt generate",
    "preview": "nuxt preview",
    "postinstall": "nuxt prepare"
  },
  "dependencies": {
    "nuxt": "^4.1.3",
    "uuid": "^13.0.0",
    "vue": "^3.5.30",
    "vue-router": "^5.0.3",
    "y-webrtc": "^10.3.0",
    "yjs": "^13.6.30"
  }
 }
--- a/public/favicon.ico
+++ b/public/favicon.ico
--- a/public/robots.txt
+++ b/public/robots.txt
@@ -0,0 +1,2 @@
 User-Agent: *
 Disallow:
--- a/server/api/polls/[id].ts
+++ b/server/api/polls/[id].ts
@@ -0,0 +1,68 @@
 import * as Y from 'yjs';
 // server/api/polls/[id].ts
 export default defineEventHandler(async (event) => {
    const method = event.node.req.method;
    const pollId = getRouterParam(event, 'id');
    // We use Nitro's built-in storage. 
    // 'polls' is the storage namespace.
    const storage = useStorage('polls'); 
    if (!pollId) {
        throw createError({ statusCode: 400, statusMessage: 'Poll ID required' });
    }
    // GET: Fetch the saved Yjs document state
    if (method === 'GET') {
        const data = await storage.getItem(`poll:${pollId}`);
        // Return the array of numbers (or null if it doesn't exist yet)
        return { update: data || null };
    }
    // POST: Save a new Yjs document state
    if (method === 'POST') {
        const body = await readBody(event);
        if (body.update && Array.isArray(body.update)) {
            // create a temp Y.Doc to encode the Data
            const tempDoc = new Y.Doc();
            Y.applyUpdate(tempDoc, new Uint8Array(body.update));
            const yMap = tempDoc.getMap('shared-poll');
            const pollData = yMap.toJSON();
            // verify pollData
            for(var option in pollData){
                const votes = pollData[option] || [];
                var pubKeys: CryptoKey[] = [];
                const verifyAllVotesForOption = async (votes: SignedData<VoteData>[]) => {
                    console.log("verifying votes for option " + option,votes);
                    // check last votes first. if there is something wrong, its likely in the last vote.
                    for (let i = votes.length-1; i >= 0 ; i--) {
                        const userStorage = useStorage('users'); 
                        const votePubKeyString = await userStorage.getItem(`user:${votes[i]?.data.userid}`);
                        //console.log("Using public key: "+votePubKeyString)
                        const votePubKey = await stringToCryptoKey(String(votePubKeyString),'public')
                        const isValid = await verifyChainedVote(votes, i,votePubKey);
                        if(!isValid){
                            console.error("Error! Invalid Vote at: " + i,votes)
                            return false;
                        }
                    }
                    return true;
                };
                const verified = await verifyAllVotesForOption(votes);
                if(!verified){
                    console.error("Failed to verify option: "+option)
                    throw createError({ statusCode: 400, statusMessage: 'PollData contains unverifyable content!' });
                }
            }
            // Save the binary update (sent as an array of numbers) to storage
            await storage.setItem(`poll:${pollId}`, body.update);
            return { success: true };
        }
        throw createError({ statusCode: 400, statusMessage: 'Invalid update payload' });
    }
 });
--- a/server/api/polls/index.get.ts
+++ b/server/api/polls/index.get.ts
@@ -0,0 +1,15 @@
 // server/api/polls/index.get.ts
 export default defineEventHandler(async () => {
    const storage = useStorage('polls');
    // Get all keys in the 'polls' namespace
    const allKeys = await storage.getKeys();
    // Filter for our specific poll prefix and strip it for the UI
    // poll:my-id -> my-id
    const polls = allKeys
        .filter(key => key.startsWith('poll:'))
        .map(key => key.replace('poll:', ''));
    return { polls };
 });
--- a/server/api/users/[id].ts
+++ b/server/api/users/[id].ts
@@ -0,0 +1,41 @@
 // server/api/users/[id].ts
 export default defineEventHandler(async (event) => {
    const method = event.node.req.method;
    const userId = getRouterParam(event, 'id');
    // We use Nitro's built-in storage. 
    // 'polls' is the storage namespace.
    const storage = useStorage('users'); 
    if (!userId) {
        throw createError({ statusCode: 400, statusMessage: 'User ID required' });
    }
    // GET: Fetch the saved Yjs document state
    if (method === 'GET') {
        const data = await storage.getItem(`user:${userId}`);
        // Return the array of numbers (or null if it doesn't exist yet)
        return { public_key: data };
    }
    // POST: Save a new Yjs document state
    if (method === 'POST') {
        const body = await readBody(event);
        if (body.public_key) {
            const data = await storage.getItem(`user:${userId}`);
            if (data == undefined || data == null) {
                // Save the binary update (sent as an array of numbers) to storage
                await storage.setItem(`user:${userId}`, body.public_key);
                console.log("New User created: " + userId)
                console.log("Public Key: " + body.public_key);
                return { success: true };
            }
            throw createError({ statusCode: 400, statusMessage: 'User already exists.' });
        }
        throw createError({ statusCode: 400, statusMessage: 'Invalid update payload' });
    }
 });
--- a/server/utils/crypto.ts
+++ b/server/utils/crypto.ts
@@ -0,0 +1,86 @@
 import { SignedData, VoteData } from "./types";
 /**
 * Gets the WebCrypto API regardless of environment (Node vs Browser)
 */
 const getCrypto = () => {
  return (globalThis as any).crypto;
 };
 export const verifyVote = async (data: any, signatureStr: string, publicKey: CryptoKey) => {
  const encoder = new TextEncoder();
  const encodedData = encoder.encode(JSON.stringify(data));
  // Convert Base64 back to Uint8Array
  const signature = Uint8Array.from(atob(signatureStr), c => c.charCodeAt(0));
  return await getCrypto().subtle.verify(
    "RSASSA-PKCS1-v1_5",
    publicKey,
    signature,
    encodedData
  );
 };
 /**
 * Verifies a specific vote within an array of votes by 
 * reconstructing the "signed state" at that point in time.
 */
 export const verifyChainedVote = async (
    voteData: SignedData<VoteData>[], 
    index: number,
    pubKey: CryptoKey
 ) => {
    const voteToVerify = voteData[index];
    console.log("Verifying vote: " + voteToVerify)
    if(voteToVerify) {
        // 1. Reconstruct the exact data state the user signed
        // We need the array exactly as it was when they pushed their vote
        const historicalState = voteData.slice(0, index + 1).map((v, i) => {
            if (i === index) {
                // For the current vote, the signature must be empty string
                // because it wasn't signed yet when passed to signVote
                return { ...v, signature: "" };
            }
            return v;
        });
        try {
            // 3. Verify: Does this historicalState match the signature?
            return await verifyVote(historicalState, voteToVerify.signature, pubKey);
        } catch (err) {
            console.error("Verification failed")
            console.error(err);
            return false;
        }
    }
    console.error("Vote is undefined or null");
    return false;
 };
 /**
 * Converts a Base64 string back into a usable CryptoKey object
 * @param keyStr The Base64 string (without PEM headers)
 * @param type 'public' or 'private'
 */
 export const stringToCryptoKey = async (keyStr: string, type: 'public' | 'private'): Promise<CryptoKey> => {
  // 1. Convert Base64 string to a Uint8Array (binary)
  const bytes = Buffer.from(keyStr, 'base64');
  // 2. Identify the format based on the key type
  // Public keys usually use 'spki', Private keys use 'pkcs8'
  const format = type === 'public' ? 'spki' : 'pkcs8';
  const usages: KeyUsage[] = type === 'public' ? ['verify'] : ['sign'];
  // 3. Import the key
  return await getCrypto().subtle.importKey(
    format,
    bytes,
    {
      name: "RSASSA-PKCS1-v1_5",
      hash: "SHA-256",
    },
    true, // extractable (set to false if you want to lock it in memory)
    usages
  );
 };
--- a/server/utils/types.ts
+++ b/server/utils/types.ts
@@ -0,0 +1,36 @@
 export interface PollProps {
    userid: string | undefined,
    activePollId: string,
    pollData: PollData,
    addOption: (name: string) => void,
    vote: (optionName: string) => void
 }
 export interface PollListProps {
    userid: string | undefined,
 }
 export interface PollData extends Record<string, SignedData<VoteData>[]> {
 }
 export interface SignedData<T> {
    data: T,
    signature: string
 }
 export interface VoteData {
    userid: string,
    timestamp: string
 }
 export interface OptionData {
    userid: string,
    timestamp: string,
    optionName: string
 }
 export interface UserData {
    userid: string,
    private_key: CryptoKey | undefined,
    public_key: CryptoKey | undefined
 }
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -0,0 +1,18 @@
 {
  // https://nuxt.com/docs/guide/concepts/typescript
  "files": [],
  "references": [
    {
      "path": "./.nuxt/tsconfig.app.json"
    },
    {
      "path": "./.nuxt/tsconfig.server.json"
    },
    {
      "path": "./.nuxt/tsconfig.shared.json"
    },
    {
      "path": "./.nuxt/tsconfig.node.json"
    }
  ]
 }
Author	SHA1	Message	Date
1ynx	bc5e2eead8	+ create user with public/private key + sign and verify votes and prevent unverified updates	2026-04-04 22:36:17 +02:00
1ynx	b5cb0e83e3	* init p2p polling app	2026-03-31 19:09:46 +02:00
		`@@ -0,0 +1,2 @@`
							`export const user = (user: Ref<UserData \| null>) => {`
							`}`