A fully functional anonymous messaging application built on the Tor network with end-to-end encryption, ephemeral chat rooms, and comprehensive admin controls.
- Real-time multi-user chat rooms with WebSocket connections
- Single-use invite URLs that burn after one entry for maximum security
- Admin-controlled message persistence modes (ephemeral, temporary, client-side)
- End-to-end encryption using TweetNaCl cryptographic library
- Tor hidden service integration for complete anonymity
- User management system with live user lists and presence tracking
- Admin controls including user kick functionality and invite generation
- Rate limiting and DoS protection
- Cross-platform responsive web interface
```
tor-test/
├── server.js                  # Main application server
├── package.json               # Dependencies and scripts
├── torrc                      # Tor daemon configuration
├── lib/                       # Core backend components
│   ├── Room.js                # Room management and persistence
│   ├── User.js                # Anonymous user identity system
│   ├── InviteURL.js           # Single-use invite system
│   └── MessageHandler.js      # Message validation and routing
├── middleware/
│   └── security.js            # Rate limiting and security headers
├── services/
│   └── torService.js          # Tor hidden service management
├── utils/
│   └── crypto.js              # Server-side cryptographic utilities
├── public/                    # Frontend application
│   ├── index.html             # Main UI
│   ├── app.js                 # Client-side application logic
│   ├── crypto.js              # Client-side encryption
│   └── style.css              # Responsive styling
├── config/                    # Configuration files
│   ├── security.json          # Security policies
│   └── torrc.template         # Tor configuration template
└── test/                      # Test suites
    ├── crypto.test.js         # Cryptographic function tests
    ├── room.test.js           # Room management tests
    └── double-ratchet.test.js # Double ratchet protocol tests
```
- Node.js 18.0.0 or higher
- Tor daemon installed on your system
- Git (for cloning)
- Clone the repository

  ```bash
  git clone <repository-url>
  cd tor-test
  ```

- Install dependencies

  ```bash
  npm install
  ```

- Run setup script (configures Tor and services)

  ```bash
  npm run setup
  ```

- Start the application

  ```bash
  npm start
  ```

The application will be available at:
- Local: http://localhost:3000
- Tor Hidden Service: http://4gwm2yc276xo6gnmtisf5xumtmg6wk3cboq76azmv5z3h7657v7f3vqd.onion

```bash
npm start            # Start the production server
npm run dev          # Start development server with auto-restart
npm test             # Run comprehensive test suite
npm run test:ratchet # Run double ratchet protocol tests
npm run lint         # Lint code for security and style issues
npm run setup        # Configure Tor and initialize services
```

- Navigate to the application
- Click "Create New Room"
- Choose a message persistence mode:
  - Ephemeral: Messages disappear immediately (maximum security)
  - Temporary: Messages stored encrypted for max 30 minutes
  - Client-Side: No server storage, users control local saving
- Copy the generated invite URL to share with others
- Click on an invite URL or enter the invite code
- You'll be assigned a random anonymous username (e.g., "SilentFox472")
- Start chatting immediately - all messages are end-to-end encrypted
Admins can:
- Join rooms using admin tokens (preserving invite URLs for others)
- Generate new invite URLs when needed
- Kick disruptive users from rooms
- View which invite code each user used
- Monitor room activity and user count
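
The burn-on-entry behaviour of invite codes described above depends on the lookup and the deletion happening as one step. The following is an added example, not the project's `lib/InviteURL.js`; the `InviteStore` class, its method names, the 15-minute lifetime and the choice to store only a hash of each code are assumptions made for illustration.

```javascript
// Added example: single-use invite store (hypothetical names and limits).
const { createHash, randomBytes } = require('node:crypto');

class InviteStore {
  constructor(ttlMs = 15 * 60 * 1000, now = () => Date.now()) {
    this.ttlMs = ttlMs;        // assumed lifetime; the README does not state one
    this.now = now;            // injectable clock so expiry can be tested
    this.invites = new Map();  // sha256(code) -> { roomId, expiresAt }
  }

  // Keep only a hash in memory so a heap dump or log line never yields a usable code.
  static digest(code) {
    return createHash('sha256').update(String(code)).digest('hex');
  }

  create(roomId) {
    const code = randomBytes(16).toString('hex'); // 128 bits from the CSPRNG
    this.invites.set(InviteStore.digest(code), {
      roomId,
      expiresAt: this.now() + this.ttlMs,
    });
    return code;
  }

  // Check and burn in one synchronous step: there is no await between the
  // lookup and the delete, so two concurrent join_room messages carrying the
  // same code can never both succeed.
  redeem(code) {
    const key = InviteStore.digest(code);
    const entry = this.invites.get(key);
    if (!entry) return { ok: false, reason: 'invalid_or_used' };
    this.invites.delete(key); // burn first, even if the code turns out to be expired
    if (entry.expiresAt <= this.now()) return { ok: false, reason: 'expired' };
    // inviteId is a short label an admin view could show per user (assumption).
    return { ok: true, roomId: entry.roomId, inviteId: key.slice(0, 8) };
  }

  // Read-only lookup, e.g. for GET /api/invite/:inviteCode/room; must not burn.
  peek(code) {
    const entry = this.invites.get(InviteStore.digest(code));
    return entry && entry.expiresAt > this.now() ? entry.roomId : null;
  }
}
```

An admin join with `join_room_admin` would bypass `redeem` entirely, which is what keeps invites available for other users.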
- `POST /api/room/create` - Create new room with persistence mode
- `POST /api/room/:roomId/invite` - Generate new invite URL (admin only)
- `DELETE /api/room/:roomId/user/:userId` - Kick user (admin only)
- `GET /api/invite/:inviteCode/room` - Get room ID from invite code
- `GET /join/:inviteCode` - Serve main page with invite code
- `GET /health` - Application health status

```javascript
// Join room with invite code (burns the invite)
{ type: 'join_room', inviteCode: 'abc123' }
// Admin join (preserves invites)
{ type: 'join_room_admin', roomId: 'room123', adminToken: 'token' }
// Send encrypted message
{ type: 'send_message', message: 'encrypted_content' }
// Leave room
{ type: 'leave_room' }
```

```javascript
// Successful join response
{ type: 'room_joined', user: {...}, users: [...], room: {...} }
// User events
{ type: 'user_joined', user: {...} }
{ type: 'user_left', userId: 'user123' }
{ type: 'user_kicked', userId: 'user123', kickedBy: 'admin' }
// Messages
{ type: 'message', userId: 'user123', message: 'encrypted_content', timestamp: 1234567890 }
// Errors
{ type: 'error', message: 'Error description' }
```

- End-to-end encryption using TweetNaCl (NaCl cryptographic library)
- Perfect forward secrecy with new keys generated per session
- Double ratchet protocol for advanced message security
- Memory clearing of sensitive cryptographic material
- Tor hidden service integration for IP anonymity
- No external resources - all assets self-hosted
- Anonymous usernames generated randomly per session
- Single-use invite URLs that burn after entry
- Rate limiting on API calls, WebSocket connections, and messages
- Input sanitization to prevent XSS and injection attacks
- Security headers via Helmet.js (CSP, HSTS, etc.)
- DoS protection with connection and request limits
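
Input validation for the four client-to-server WebSocket message types listed earlier can be done with a strict allowlist per type. This is an added example, not the project's `lib/MessageHandler.js`; the function names, the identifier pattern and all size limits are assumptions, since the README does not state them.

```javascript
// Added example: allowlist validation of client frames (hypothetical limits).
const MAX_FRAME_BYTES = 16 * 1024;
const ID = /^[A-Za-z0-9_-]{1,64}$/;
const isId = (v) => typeof v === 'string' && ID.test(v);
const SCHEMAS = {
  join_room: { inviteCode: isId },
  join_room_admin: {
    roomId: isId,
    adminToken: (v) => typeof v === 'string' && v.length > 0 && v.length <= 128,
  },
  // The payload is ciphertext, so only its type and size can be checked here.
  send_message: { message: (v) => typeof v === 'string' && v.length > 0 && v.length <= 8192 },
  leave_room: {},
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function parseClientMessage(raw) {
  if (typeof raw !== 'string' || Buffer.byteLength(raw, 'utf8') > MAX_FRAME_BYTES) {
    return { ok: false, error: 'Frame too large or not text' };
  }
  let msg;
  try { msg = JSON.parse(raw); } catch { return { ok: false, error: 'Invalid JSON' }; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return { ok: false, error: 'Message must be an object' };
  }
  // Own-property check stops types such as "constructor" resolving via the prototype.
  if (typeof msg.type !== 'string' || !own(SCHEMAS, msg.type)) {
    return { ok: false, error: 'Unknown message type' };
  }
  const schema = SCHEMAS[msg.type];
  for (const key of Object.keys(msg)) {
    if (key !== 'type' && !own(schema, key)) {
      return { ok: false, error: `Unexpected field: ${key}` };
    }
  }
  const clean = { type: msg.type }; // rebuilt object carries only validated fields
  for (const [key, valid] of Object.entries(schema)) {
    if (!valid(msg[key])) return { ok: false, error: `Invalid field: ${key}` };
    clean[key] = msg[key];
  }
  return { ok: true, message: clean };
}

// Reply in the error shape this README documents.
const toErrorFrame = (result) => JSON.stringify({ type: 'error', message: result.error });
```
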
Run the comprehensive test suite:
```bash
# Run all tests
npm test
# Run specific test suites
npm run test:ratchet       # Double ratchet protocol tests
mocha test/crypto.test.js  # Cryptographic function tests
mocha test/room.test.js    # Room management tests
```

- ✅ Cryptographic functions (encryption/decryption, key generation)
- ✅ Room management (creation, user join/leave, persistence modes)
- ✅ User systems (anonymous identity generation, admin controls)
- ✅ Invite system (single-use URL generation, expiration, burning)
- ✅ Double ratchet protocol implementation

- Keep admin tokens secure and rotate them regularly
- Monitor room activity for suspicious behavior
- Use the kick functionality responsibly
- Ensure Tor is properly configured and running
- Access the application only through Tor browser when using .onion URLs
- Use ephemeral mode for maximum security
- Never share invite URLs in insecure channels
- Be aware that admins can see which invite you used
- Run behind a reverse proxy with additional security headers
- Monitor system resources and implement additional rate limiting if needed
- Regularly update dependencies for security patches
- Consider running in a sandboxed environment
| Mode | Server Storage | Auto-Deletion | Security Level | Use Case |
|---|---|---|---|---|
| Ephemeral | None | Immediate | Maximum | Highly sensitive communications |
| Temporary | Encrypted | 30 minutes | High | General secure messaging |
| Client-Side | None | User controlled | High | User-managed message history |
Configure rate limits, room constraints, and security policies.
Customize hidden service settings, ports, and Tor daemon behavior.
The application provides:
- Real-time user count and presence tracking
- Connection monitoring via WebSocket events
- Health check endpoint at `/health`
- Console logging for debugging (configure log levels as needed)

- Fork the repository
- Create a feature branch
- Make your changes
- Run the test suite: `npm test`
- Run linting: `npm run lint`
- Submit a pull request

MIT License - see LICENSE file for details.
This application is designed for legitimate privacy and security purposes. Users are responsible for complying with all applicable laws and regulations in their jurisdiction. The developers are not responsible for any misuse of this software.
Current Status: ✅ Fully operational with all features implemented and tested.

Tor Hidden Service: 4gwm2yc276xo6gnmtisf5xumtmg6wk3cboq76azmv5z3h7657v7f3vqd.onion