qxbot v1.1.2

QX

End-to-end encrypted communication system for MQTT

QX is a secure, end-to-end encrypted communication system leveraging MQTT for real-time data exchange. Designed with privacy in mind, QX ensures that your communications remain confidential and protected from unauthorized access - even on public brokers.

Features

• End-to-End Encryption: All messages are encrypted using robust cryptographic protocols to ensure privacy.
• MQTT Integration: Utilizes public MQTT brokers for efficient message dissemination.
• Real-Time Communication: Instant message delivery with support for online/offline status.
• Discovery Mechanism: Easily discover and connect with peers.
• Heartbeat Mechanism: Maintains active connections and detects offline peers.
• Replay Protection: Prevents replay attacks to enhance security.

Prerequisites

• Node.js: Ensure you have Node.js installed (v18+ recommended).
• MQTT Broker: You need access to an MQTT broker. You can use a public broker or set up a local one (see section below).

Installation

npm install qx

Usage

const { Bot } = require("qx");

const bot = new Bot();

bot.on("connect", () => {
  console.log("Bot connected to MQTT broker");
});

bot.on("message", (data) => {
  console.log(`Received message from ${data.from}:`, data.json);
});

bot.start();

// Sending a message
bot
  .send("recipientId", { text: "Hello!" })
  .then(() => console.log("Message sent"))
  .catch((err) => console.error("Send failed:", err));

Configuration

QX can be configured using environment variables or by passing options during initialization. Below are the primary configuration options:

Environment Variables

• MQTT_HOST: The MQTT broker URL (default: mqtt://localhost:1883)
• VERBOSE: Enable verbose logging (true or false) (default: false)

Events

QX provides several events to handle different stages of communication:

API Reference

Bot Methods

• start(): Connect the bot to the MQTT broker and start listening for messages.
• stop(): Disconnect the bot from the MQTT broker and clear all intervals.
• send(to, message): Send a message to a peer. Returns a promise that resolves when the message is acknowledged.
• sendSync(to, message): Send a message without waiting for an acknowledgment.
• introduce(to, options): Introduce the bot to another peer with optional metadata.
• ping(to): Send a ping message to keep the connection active.

Security

QX uses TweetNaCl to provide both encryption and authentication, ensuring that messages are confidential, integrity-protected, and authenticated. This means:

• Confidentiality: Only the intended recipient can decrypt and read the message.
• Integrity: The message cannot be tampered with without detection.
• Authentication: The recipient can verify that the message genuinely originates from the sender.

Note: this library does not currently support non-repudiation, meaning that there is no mechanism to prevent the sender from denying that they sent a message. This was an intentional design decision.

Replay protection

To prevent replay attacks, QX implements a replay protection mechanism. Each message includes a counter that ensures messages are processed in the correct order and are not duplicated. If a message with a counter value lower than or equal to the last received message from a sender is detected, it is identified as a replay and discarded.

bot.on("replay", (message) => {
  console.warn("Replay detected:", message);
});

Setting Up a Local MQTT Broker

EMQX is a highly scalable, open-source MQTT broker. Follow the steps below to install and manage EMQX locally.

brew install emqx
emqx start
emqx stop
emqx -h

Dashboard: http://localhost:18083/