codeunia-dev (Owner) commented Nov 3, 2025

  • Implement client-side message encryption and decryption APIs
  • Add encryption and decryption routes for secure message handling
  • Update message services to support encrypted message storage and retrieval
  • Modify hooks and services to transparently handle message encryption
  • Create utility functions for generating and managing encryption keys
  • Add scripts for encryption key generation and testing
  • Ensure secure message content protection during transmission and storage

Enhances message privacy and security by implementing robust encryption mechanisms for all user messages.

Summary by CodeRabbit

  • New Features

    • Implemented end-to-end encryption for all messages using AES-256-GCM encryption.
    • Messages automatically encrypted when sent and decrypted when retrieved for display.
    • Conversation previews now display decrypted message summaries.
  • Chores

    • Added utility scripts for encryption key generation and testing.

vercel bot commented Nov 3, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| codeunia | Building | Preview | Comment | Nov 3, 2025 0:16am |

@codeunia-dev codeunia-dev merged commit d13e391 into main Nov 3, 2025
2 of 3 checks passed

coderabbitai bot commented Nov 3, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

The pull request introduces end-to-end message encryption using AES-256-GCM. It adds a new encryption utility module, two API endpoints for encrypt/decrypt operations, integrates encryption into message and conversation services, implements client-side decryption, and provides scripts for key generation and testing.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Encryption Utilities<br>lib/utils/encryption.ts | New module providing AES-256-GCM encryption/decryption functions, key generation, and format validation. Exports encryptMessage(), decryptMessage(), generateEncryptionKey(), and isEncrypted(). Uses MESSAGE_ENCRYPTION_KEY environment variable. |
| API Routes<br>app/api/messages/encrypt/route.ts, app/api/messages/decrypt/route.ts | Two new Next.js POST endpoints that accept content/encrypted payloads, validate input, apply encryption/decryption via utility functions, and return results with error handling (400 for invalid input, 500 for failures). |
| Service Layer<br>lib/services/messageService.ts | Adds private encryptContent() and decryptContent() helper methods invoking API routes. Integrates encryption into getMessages() (decrypt before return), sendMessage() (encrypt before storage), deleteMessage() (encrypt notice), and editMessage() (encrypt new content). |
| Service Layer<br>lib/services/conversationService.ts | Adds private decryptContent() helper method. Modifies getConversations() to decrypt last_message_content via API before returning conversation data. |
| Client Hook<br>hooks/useMessages.ts | Integrates decryption into message fetching and real-time INSERT handlers. Calls /api/messages/decrypt after retrieving messages and stores decrypted content in state. |
| Key Generation Script<br>scripts/generate-encryption-key.js | New Node.js utility that generates a 32-byte hex encryption key and attempts to append MESSAGE_ENCRYPTION_KEY=<key> to .env.local with collision detection and error handling. |
| Testing Script<br>scripts/test-encryption.js | New Node.js script that performs end-to-end encryption/decryption testing by POSTing sample messages to both API routes and validating round-trip correctness. |

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Service
    participant API as Encrypt/Decrypt<br/>API Routes
    participant Crypto as Encryption<br/>Utilities
    participant DB as Database

    rect rgb(200, 220, 255)
    Note over Client,DB: Message Send Flow
    Client->>Service: sendMessage(content)
    Service->>API: POST /api/messages/encrypt {content}
    API->>Crypto: encryptMessage(content)
    Crypto-->>API: encrypted (iv:authTag:data)
    API-->>Service: {encrypted}
    Service->>DB: Store encrypted content
    Service->>API: POST /api/messages/decrypt {encrypted}
    API->>Crypto: decryptMessage(encrypted)
    Crypto-->>API: decrypted content
    API-->>Service: {decrypted}
    Service-->>Client: Return decrypted message
    end

    rect rgb(220, 255, 220)
    Note over Client,DB: Message Retrieve Flow
    Client->>Service: getMessages()
    Service->>DB: Fetch messages
    DB-->>Service: Messages {encrypted content}
    par Decrypt Each Message
        Service->>API: POST /api/messages/decrypt {encrypted}
        API->>Crypto: decryptMessage(encrypted)
        Crypto-->>API: plaintext
        API-->>Service: {decrypted}
    end
    Service-->>Client: Return messages {decrypted content}
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Cryptographic operations in lib/utils/encryption.ts: Verify AES-256-GCM implementation, key handling, IV generation, error messages, and format parsing.
  • API endpoint validation in app/api/messages/encrypt/route.ts and app/api/messages/decrypt/route.ts: Ensure input sanitization, proper HTTP status codes, and error logging.
  • Service integration logic in lib/services/messageService.ts and lib/services/conversationService.ts: Confirm encryption/decryption is applied consistently, error fallbacks are reasonable, and no messages are accidentally stored unencrypted.
  • Client-side decryption flow in hooks/useMessages.ts: Verify asynchronous decryption doesn't cause race conditions or duplicate handling issues.
  • Script correctness in scripts/generate-encryption-key.js and scripts/test-encryption.js: Confirm .env.local handling and API route testing logic.

Poem

🐰 A secret key in hex so fine,
Encrypts each message, oh so divine,
AES-256 guards the chat,
Through routes and hooks, and all of that!
Safe whispers now between you and I. 🔐

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b54065 and e4dbedd.

📒 Files selected for processing (8)
  • app/api/messages/decrypt/route.ts (1 hunks)
  • app/api/messages/encrypt/route.ts (1 hunks)
  • hooks/useMessages.ts (1 hunks)
  • lib/services/conversationService.ts (2 hunks)
  • lib/services/messageService.ts (6 hunks)
  • lib/utils/encryption.ts (1 hunks)
  • scripts/generate-encryption-key.js (1 hunks)
  • scripts/test-encryption.js (1 hunks)

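An added example of the `iv:authTag:data` AES-256-GCM envelope that the walkthrough describes, written for this page and not taken from the PR's lib/utils/encryption.ts. The names encryptMessage, decryptMessage and isEncrypted mirror the exports listed in the changes table; the hex field encoding, 12-byte IV, 16-byte tag, key-as-argument signatures and the parseKey, parseEnvelope and rejects helpers are assumptions.

```javascript
// Added example, not the PR's lib/utils/encryption.ts. Assumptions: hex-encoded
// fields, a 12-byte IV, a 16-byte tag, and the key passed in as an argument.
const nodeCrypto = require('node:crypto');

const IV_BYTES = 12;   // 96-bit nonce, the size GCM is designed around
const TAG_BYTES = 16;  // full 128-bit authentication tag

// Accept only a 32-byte key written as 64 hex characters.
function parseKey(hexKey) {
  if (typeof hexKey !== 'string' || !/^[0-9a-f]{64}$/i.test(hexKey)) {
    throw new Error('key must be 64 hex characters (32 bytes)');
  }
  return Buffer.from(hexKey, 'hex');
}

// Strict shape check for "iv:authTag:data"; returns the three buffers or null.
function parseEnvelope(value) {
  if (typeof value !== 'string') return null;
  const m = /^([0-9a-f]{24}):([0-9a-f]{32}):((?:[0-9a-f]{2})*)$/i.exec(value);
  if (!m) return null;
  return { iv: Buffer.from(m[1], 'hex'), tag: Buffer.from(m[2], 'hex'), data: Buffer.from(m[3], 'hex') };
}

function isEncrypted(value) {
  return parseEnvelope(value) !== null;
}

function encryptMessage(plaintext, hexKey) {
  const key = parseKey(hexKey);
  const iv = nodeCrypto.randomBytes(IV_BYTES); // fresh per message, never reused with the same key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), data].map((b) => b.toString('hex')).join(':');
}

function decryptMessage(envelope, hexKey) {
  const key = parseKey(hexKey);
  const parts = parseEnvelope(envelope);
  if (!parts) throw new Error('malformed envelope');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, parts.iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(parts.tag);
  // final() throws if the tag does not match, so tampered data never yields plaintext.
  return Buffer.concat([decipher.update(parts.data), decipher.final()]).toString('utf8');
}

// Returns true when decryption rejects the input instead of returning text.
function rejects(envelope, hexKey) {
  try { decryptMessage(envelope, hexKey); return false; } catch { return true; }
}
```

With a single key held in a server environment variable, as the walkthrough describes, the server that runs the encrypt and decrypt routes can read every message; the envelope protects content at rest in the database.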