Interesting stack. How is Firebase working out for you (since you want to replace it)? I only dipped my nose in one time and thought it could be helpful, also since there are JS implementations for the client.
The server that handles the routing between the devices is a simple socket.io server. No database at all for this demo. Pairings will be stored in memory. But yeah, it needs some sort of database later. Unless I want to restart the server every other week because it ran out of memory ;).
The data (commands) is en/decrypted on the client side and just passed through the server. The desktop first creates a connection and encryption key. These will be encrypted with the visual verification code and represented as the QR code (with a URL in front).
Once you follow the URL with your phone and enter the visual verification code, the keys are decrypted. The commands are then encrypted with the actual key generated by the desktop before it gets sent to the server.
That way the server should never get hold of the encryption key in any way. However, this increases attack vectors on the client side. I wouldn't control a power plant with it, but for clicking a button for a demo it should be enough :)
Interesting stack. How is Firebase working out for you (since you want to replace it)? I only dipped my nose in one time and thought it could be helpful, also since there are JS implementations for the client.
The server that handles the routing between the devices is a simple socket.io server. No database at all for this demo. Pairings will be stored in memory. But yeah, it needs some sort of database later. Unless I want to restart the server every other week because it ran out of memory ;).
The data (commands) is en/decrypted on the client side and just passed through the server. The desktop first creates a connection and encryption key. These will be encrypted with the visual verification code and represented as the QR code (with a URL in front).
Once you follow the URL with your phone and enter the visual verification code, the keys are decrypted. The commands are then encrypted with the actual key generated by the desktop before it gets sent to the server.
That way the server should never get hold of the encryption key in any way. However, this increases attack vectors on the client side. I wouldn't control a power plant with it, but for clicking a button for a demo it should be enough :)