complete redesign: use nodejs on server instead of php - documentation to be updated

nodejs/doc/documentation.dox

@@ -0,0 +1,147 @@
+/*! @file
+
+    @id $Id$
+*/
+//       1         2         3         4         5         6         7         8
+// 45678901234567890123456789012345678901234567890123456789012345678901234567890
+
+/** @mainpage SafeChat
+
+    SafeChat runs on:
+    https://safechat.ch
+
+    SafeChat development is on:
+    https://dev.marc.waeckerlin.org/redmine/projects/safechat
+
+    Implementation Details: @ref security, @ref api, @ref protocol,
+    @ref database
+
+    SafeChat is a chat program designed to protect your privacy. It is
+    designed to be:
+    
+    -# extremely easy to use
+       -# zero installation
+       -# simple registration, within seconds
+       -# web 2.0 - works in any modern browser
+       -# user does not have to care about keys, security, encryption
+    -# all cool features
+       -# pseudonym accounts, no phone number, no email,nothing required
+       -# send images and other attachments
+       -# build groups
+       -# no need to be online, receive messages on next login
+       -# central user directory
+    -# absolutely secure
+       -# tap-proof
+       -# no metadata available
+         -# all messages are sent to all users, only the authorized users can decrypt it
+       -# server can be untrusted
+         -# thin server, rich client
+           -# all encryption is done in the client
+           -# server only stores minimal user data (name, public key) and encrypted messages
+           -# no access to plain data, not even through server confiscation
+       -# double secured internet transport
+         -# messages are encrypted for the recipents only
+         -# server connection is SSL secured in addition
+       -# private data fully in the user's hand
+         -# password is stored in the user's brain only
+         -# private key is password encrypted
+         -# private key is stored in the user's local machine only
+       -# two factor security, access needs two tokens
+         -# the password in the user's brain
+         -# the private key in the user's browser memory
+    -# fully open source
+
+    @section why Why I Created SafeChat
+
+    The Swiss parliament has decided to increase the power of police
+    (BÜPF: Bundesgesetz zur Überwachung des Post- und
+    Fernmeldeverkehrs) and secret service (NDG:
+    Nachrichtendienstgesetz). This increases global enforced data
+    preservation without any suspicion. This even allows the police to
+    run a trojan in computers of suspicious persons.
+
+    That was the point, when I started to think about secure
+    communication that defeats these attacks against our
+    privacy. Noone should be able to read what's not for his eyes,
+    even if he controls the server. There should be no metadata,
+    i.e. no one should know, who is communicating to each other.
+
+    There are secure means of communication, i.e. Jabber/OTR and
+    PGP-Mail (but with unprotected metadata). But these are too
+    complicated for the avarage user. He has to take care about keys
+    and their distribution. In some chat programs, there is no offline
+    message store, so you can only send a message, if the receiver is
+    online. Some chat programs require to identify you, they ask your
+    phone number and some even steal your address book
+    (i.e. WhatsApp). Not here! Use any pseudonym. No special knowledge
+    needed. User is guided as much as possible, the interface is as
+    simple as possible. Data is only collected, if it is necessary.
+
+    So I present here the safe chat program for dummies
+
+    @page security Password and Secrets Concept
+
+    Neither the password nor the private key are sent to the
+    server. They remain under the user's control and in the user's
+    property. Only the user name and the public key are sent to the
+    server.
+
+     - The password is only kept in the browser's transient memory.
+     - The private key is kept in encrypted form in the browser's
+       persistent local storage.
+     - The public key is stored on server, so that other users can
+       lookup for a user's public key.
+
+    There are two secret security tokens: The password, that is in the
+    user's mind and the private key, which is in the user's device, in
+    the local storage of his browser. Messages can only be sent or
+    read with access to both security tokens.
+
+    @page protocol SafeChat Protocol
+
+    @tableofcontents
+
+    @section newuser Create New User
+
+    If no credentials exist in the browser's local storage, the
+    browser asks the user for a user name and a password and creates a
+    private key that is encrypted with the password.
+
+    In the login(), the browser sends the user's name and public key
+    to the server. The server creates a new user, if the user does not
+    exist yet. Then the server returns, whether user name and public
+    key match to what he has in his table.
+
+    @msc
+    user, browser, server;
+    user -> browser [label="https://safechat.ch"];
+    browser -> server [label="index.html"];
+    browser <- server [label="safechat.js",URL="\ref safechat.js"];
+    user <- browser [label="register new user"];
+    user -> browser [label="username / password"];
+    browser -> browser [label="create openpgp-public/private keys"];
+    browser -> server [label="login.php(username, public-key)"];
+    server -> server [label="if user name does not exist:\nstore username/public-key"];
+    server -> browser [label="success"];
+    @endmsc
+
+*/
+
+/** @page api Server API Calls
+
+    @tableofcontents
+
+    List of server REST API calls. SafeChat server implement s REST
+    API, so that all API calls are in the following form, where
+    parameters and values are url encoded:
+
+    @code
+    https://safechat.ch/api-call.php?param1=value1&param2=value2[...]
+    @endcode
+
+    So for method get() a valid call could be:
+    @code
+    https://safechat.ch/get.php?start=100
+    @endcode
+    
+*/