Encrypting document updates before they are sent over the socket connection

[nkalpak]

Hi!

I would like to implement end-to-end encryption with (more or less) the approach outlined here. Essentially, I'm looking to setup a "middleware" that would encrypt each Yjs update before it is send over the WebSocket connection.

Now I've gone through the HocuspocusProvider and noted this line of code:

this.document.on('update', this.documentUpdateHandler.bind(this))

which sets up an "update" listener right on the YDoc itself. This makes me think that what I'm trying to do isn't compatible with how the HocuspocusProvider works, since there is no way to put an encryption function between the Yjs update event and the HocusPocus update handler.

I saw this discussion and the way I interpreted the answer is that data should be encrypted before it is sent to Yjs? So basically this:

const doc = new Y.Doc()

const strings = doc.getArray('strings')
strings.push(encrypt('data'))

So I'm posting this question to see if I'm missing something before I venture into building my own provider. Any information is greatly appreciated!

[georeith]

I think this requires a lot more than middleware on the provider, the realtime collaboration aspect of HocusPocus server relies upon applying updates to the in memory document and then relaying those updates, the server can't apply those updates if it can't decrypt the data.

New clients syncing share and compare their state vector with that of the server's which is calculated off the shared document currently, you'd have to merge and store your own state vector and work out which encrypted updates need to be sent to sync based off that.

It all sounds possible but you'd need to change the internal workings of the server too.

[nkalpak]

the realtime collaboration aspect of HocusPocus server relies upon applying updates to the in memory document

Given this, it seems like a custom solution for both client and server will be the best way forward. Thanks for the reply!