Spaces:

mike23415
/

Sharelock

Running

App Files Files Community

mike23415 commited on Feb 11

Commit

3d367a5

verified ·

1 Parent(s): 79b702c

Update app.py

Browse files

Files changed (1) hide show

app.py +64 -712

app.py CHANGED Viewed

@@ -1,10 +1,8 @@
 import sys
 import os
 from flask import Flask, request, jsonify, send_file
 from flask_cors import CORS
-from flask_limiter import Limiter
-from flask_limiter.util import get_remote_address
-from collections import defaultdict
 from werkzeug.utils import secure_filename
 import tempfile
 import uuid
@@ -23,32 +21,10 @@ import threading
 from database import init_supabase, get_supabase
 from auth import signup_user, login_user, check_username_exists, verify_token
 from functools import wraps
-from datetime import datetime, timedelta
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicNumbers, SECP256R1
-from cryptography.hazmat.backends import default_backend
-from cryptography.exceptions import InvalidSignature
-import secrets
 app = Flask(__name__)
 CORS(app)
-@app.after_request
-def add_security_headers(response):
-    """Add security headers"""
-    response.headers['X-Content-Type-Options'] = 'nosniff'
-    response.headers['X-Frame-Options'] = 'DENY'
-    response.headers['X-XSS-Protection'] = '1; mode=block'
-    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
-    # Cache control for sensitive data
-    if '/api/' in request.path:
-        response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, private'
-        response.headers['Pragma'] = 'no-cache'
-    return response
 print("Initializing Supabase...")
 init_supabase()
@@ -71,6 +47,9 @@ socketio = SocketIO(
     transports=['websocket', 'polling']  # Explicitly allow both
 )
 # In-memory storage
 SECRETS = {}  # { id: { data, file_data, file_type, expire_at, view_once, theme, analytics, etc. } }
 SHORT_LINKS = {}  # { short_id: full_id }
@@ -79,11 +58,6 @@ SCREEN_SHARE_ROOMS = {}  # { room_id: { host_hash, participants, settings, creat
 CURSOR_STATES = {}
 CHAT_ROOMS = {}
-# NEW: Rate limiting storage
-SESSION_REQUESTS = defaultdict(list)  # {uuid: [timestamp1, timestamp2, ...]}
-SEEN_NONCES = {}  # {nonce: timestamp}
-MESSAGE_VALIDITY_WINDOW = 300  # 5 minutes
 # Configuration
 MAX_FILE_SIZE = 5 * 1024 * 1024  # 5MB
 ALLOWED_EXTENSIONS = {
@@ -96,102 +70,6 @@ ALLOWED_EXTENSIONS = {
 ONLINE_USERS = {}
 FILE_TRANSFERS = {}
-def import_ecdsa_public_key(base64_key):
-    """Import ECDSA P-256 public key from base64 (RAW format from Web Crypto API)"""
-    try:
-        # Web Crypto API exports ECDSA public keys in RAW format (65 bytes for P-256)
-        # Format: 0x04 || X (32 bytes) || Y (32 bytes)
-        key_bytes = base64.b64decode(base64_key)
-        print(f"📊 Public key bytes length: {len(key_bytes)}")
-        # Expected: 65 bytes for uncompressed P-256 point
-        if len(key_bytes) != 65:
-            print(f"❌ Invalid key length: expected 65, got {len(key_bytes)}")
-            return None
-        # Check format marker (should be 0x04 for uncompressed point)
-        if key_bytes[0] != 0x04:
-            print(f"❌ Invalid key format marker: {hex(key_bytes[0])}")
-            return None
-        # Extract X and Y coordinates (32 bytes each)
-        x = int.from_bytes(key_bytes[1:33], byteorder='big')
-        y = int.from_bytes(key_bytes[33:65], byteorder='big')
-        # Create ECDSA public key from coordinates
-        from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicNumbers, SECP256R1
-        public_numbers = EllipticCurvePublicNumbers(x, y, SECP256R1())
-        public_key = public_numbers.public_key(default_backend())
-        print(f"✅ Successfully imported ECDSA public key")
-        return public_key
-    except Exception as e:
-        print(f"❌ Failed to import ECDSA public key: {e}")
-        import traceback
-        traceback.print_exc()
-        return None
-def verify_ecdsa_signature(public_key_base64, challenge, signature_base64):
-    """Verify ECDSA signature for challenge-response auth"""
-    try:
-        print(f"\n=== ECDSA SIGNATURE VERIFICATION ===")
-        print(f"Challenge (base64): {challenge[:30]}...")
-        print(f"Signature (base64): {signature_base64[:30]}...")
-        print(f"Public Key (base64): {public_key_base64[:50]}...")
-        # Import public key (RAW format from Web Crypto API)
-        public_key = import_ecdsa_public_key(public_key_base64)
-        if not public_key:
-            print("❌ Failed to import public key")
-            print("=====================================\n")
-            return False
-        # Decode signature from base64
-        signature_bytes = base64.b64decode(signature_base64)
-        print(f"📊 Signature bytes length: {len(signature_bytes)}")
-        # ✅ FIX: Decode the base64 challenge to bytes (match frontend)
-        # Frontend does: atob(challenge) before signing
-        challenge_bytes = base64.b64decode(challenge)
-        print(f"📊 Challenge bytes length: {len(challenge_bytes)}")
-        # Verify signature using ECDSA with SHA-256
-        public_key.verify(
-            signature_bytes,
-            challenge_bytes,
-            ec.ECDSA(hashes.SHA256())
-        )
-        print("✅ Signature verification successful!")
-        print("=====================================\n")
-        return True
-    except InvalidSignature:
-        print("❌ Invalid ECDSA signature - cryptographic verification failed")
-        print("=====================================\n")
-        return False
-    except Exception as e:
-        print(f"❌ ECDSA verification error: {e}")
-        import traceback
-        traceback.print_exc()
-        print("=====================================\n")
-        return False
-# Challenge storage for ECDSA auth (temporary, expires in 60s)
-CHALLENGE_STORE = {}  # {room_id: {challenge, created_at}}
-def cleanup_old_challenges():
-    """Remove expired challenges"""
-    now = time.time()
-    expired = [k for k, v in CHALLENGE_STORE.items() if now - v['created_at'] > 60]
-    for key in expired:
-        del CHALLENGE_STORE[key]
 def assign_cursor_color(existing_participants):
     """Assign unique cursor color to new participant"""
     import random
@@ -268,68 +146,6 @@ def get_location_info(ip):
             'timezone': 'Unknown'
         }
-def check_rate_limit(session_uuid, limit, window_seconds):
-    """
-    Check if session_uuid exceeded rate limit
-    Returns: (is_allowed: bool, message: str)
-    """
-    now = time.time()
-    if not session_uuid:
-        return False, "Session UUID required"
-    # Get request history for this session
-    requests = SESSION_REQUESTS[session_uuid]
-    # Remove old requests outside window
-    requests = [ts for ts in requests if now - ts < window_seconds]
-    # Check limit
-    if len(requests) >= limit:
-        return False, f"Rate limit exceeded: {limit} requests per {window_seconds}s"
-    # Add current request
-    requests.append(now)
-    SESSION_REQUESTS[session_uuid] = requests
-    return True, "OK"
-def verify_nonce_and_timestamp(nonce, timestamp):
-    """
-    Prevent replay attacks
-    Returns: (is_valid: bool, message: str)
-    """
-    current_time = time.time()
-    if not nonce:
-        return False, "Nonce required"
-    # Check if message is too old
-    if current_time - timestamp > MESSAGE_VALIDITY_WINDOW:
-        return False, "Message expired (older than 5 minutes)"
-    # Check if message is from the future
-    if timestamp > current_time + 60:
-        return False, "Invalid timestamp"
-    # Check if nonce was already used
-    if nonce in SEEN_NONCES:
-        return False, "Replay attack detected"
-    # Store nonce
-    SEEN_NONCES[nonce] = timestamp
-    # Cleanup old nonces
-    cleanup_old_nonces(current_time)
-    return True, "OK"
-def cleanup_old_nonces(current_time):
-    """Remove expired nonces"""
-    expired = [k for k, v in SEEN_NONCES.items() if current_time - v > MESSAGE_VALIDITY_WINDOW]
-    for key in expired:
-        del SEEN_NONCES[key]
 def generate_qr_code(data):
     """Generate QR code for the given data"""
     qr = qrcode.QRCode(
@@ -423,40 +239,10 @@ def store():
     try:
         form = request.form
         data = form.get("data")
-        session_uuid = form.get("session_uuid")
-        nonce = form.get("nonce")
-        timestamp_str = form.get("timestamp")
-        # Validate required fields
         if not data:
             return jsonify({"error": "Data is required"}), 400
-        if not session_uuid:
-            return jsonify({"error": "Session UUID required"}), 400
-        if not nonce:
-            return jsonify({"error": "Nonce required"}), 400
-        if not timestamp_str:
-            return jsonify({"error": "Timestamp required"}), 400
-        try:
-            timestamp = float(timestamp_str)
-        except ValueError:
-            return jsonify({"error": "Invalid timestamp"}), 400
-        # Check rate limit (10 secrets per minute)
-        allowed, message = check_rate_limit(session_uuid, limit=10, window_seconds=60)
-        if not allowed:
-            print(f"[RateLimit] Blocked {session_uuid[:8]}... - {message}")
-            return jsonify({"error": message}), 429
-        # Verify nonce and timestamp (prevent replay attacks)
-        valid, message = verify_nonce_and_timestamp(nonce, timestamp)
-        if not valid:
-            print(f"[Security] Blocked - {message}")
-            return jsonify({"error": message}), 400
         # Parse parameters
         ttl = int(form.get("ttl", 300))
         view_once = form.get("view_once", "false").lower() == "true"
@@ -539,14 +325,6 @@ def store():
 def fetch(secret_id):
     """Fetch and decrypt secret with analytics - MODIFIED TO HANDLE verify_only"""
     try:
-        # ADD THIS SECTION FOR RATE LIMITING:
-        session_uuid = request.args.get("session_uuid")
-        if session_uuid:
-            allowed, message = check_rate_limit(session_uuid, limit=20, window_seconds=60)
-            if not allowed:
-                print(f"[RateLimit] Fetch blocked {session_uuid[:8]}... - {message}")
-                return jsonify({"error": message}), 429
         # Check if it's a short link
         if secret_id in SHORT_LINKS:
             secret_id = SHORT_LINKS[secret_id]
@@ -781,16 +559,6 @@ def get_stats():
     except Exception as e:
         return jsonify({"error": str(e)}), 500
-# NEW ENDPOINT: Ping endpoint for uptime monitoring
-@app.route('/ping', methods=['GET'])
-def ping():
-    """Simple ping endpoint to keep the service alive"""
-    return jsonify({
-        "status": "alive",
-        "timestamp": datetime.utcnow().isoformat(),
-        "message": "Pong! Service is awake."
-    }), 200
 @app.route("/api/cleanup", methods=["POST"])
 def cleanup_expired():
     """Clean up expired secrets"""
@@ -833,68 +601,41 @@ def create_chat_room():
         max_receivers = int(form.get("max_receivers", 5))
         password = form.get("password", "")
         allow_files = form.get("allow_files", "true").lower() == "true"
-        admin_public_key = form.get("admin_public_key", "")  # NEW: ECDSA public key
-        if not admin_public_key:
-            return jsonify({"error": "Admin public key required"}), 400
         room_id = str(uuid.uuid4())
-        admin_session = str(uuid.uuid4())  # Still used for admin link
-        # Generate individual receiver tokens
-        receiver_tokens = []
-        for i in range(max_receivers):
-            receiver_tokens.append({
-                "token": str(uuid.uuid4()),
-                "receiver_number": i + 1,
-                "claimed": False,
-                "public_key": None,  # NEW: Will be set when receiver joins
-                "claimed_at": None
-            })
-        expires_at = time.time() + ttl
         CHAT_ROOMS[room_id] = {
             "admin_session": admin_session,
-            "admin_ecdsa_public_key": admin_public_key,  # NEW: Store admin's ECDSA public key
             "created_at": time.time(),
-            "expires_at": expires_at,
             "settings": {
                 "max_receivers": max_receivers,
                 "password": password,
                 "allow_files": allow_files,
                 "burn_on_admin_exit": True
             },
-            "receiver_tokens": receiver_tokens,
             "active_sessions": {},
             "receiver_counter": 0
         }
-        print(f"✅ Room created: {room_id[:8]}... (TTL: {ttl}s, Expires: {time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(expires_at))})")
-        print(f"🔑 Admin public key stored (length: {len(admin_public_key)})")
-        # Return IDs + receiver tokens
         return jsonify({
             "room_id": room_id,
             "admin_session": admin_session,
-            "receiver_tokens": [{"token": t["token"], "receiver_number": t["receiver_number"]} for t in receiver_tokens],
-            "expires_at": expires_at  # Return as Unix timestamp (frontend converts to local time)
         })
     except Exception as e:
-        print(f"❌ Error creating chat room: {e}")
-        import traceback
-        traceback.print_exc()
         return jsonify({"error": str(e)}), 500
 @app.route("/api/chat/join/<room_id>")
 def join_chat_room(room_id):
-    """Join chat room - FIRST TIME ONLY (registration)"""
     try:
         password = request.args.get("password", "")
         admin_session = request.args.get("admin", "")
-        receiver_token = request.args.get("receiver", "")
-        public_key = request.args.get("public_key", "")
         if room_id not in CHAT_ROOMS:
             return jsonify({"error": "Chat room not found"}), 404
@@ -908,324 +649,25 @@ def join_chat_room(room_id):
         # Check password
         if room["settings"]["password"] and password != room["settings"]["password"]:
             return jsonify({"error": "Wrong password"}), 403
-        # ADMIN FIRST JOIN (Registration)
-        if admin_session and admin_session == room["admin_session"]:
-            if not public_key:
-                return jsonify({"error": "Public key required for admin join"}), 400
-            # Check if this is first join or rejoin
-            if public_key == room["admin_ecdsa_public_key"]:
-                # This is first join (keys match from creation)
-                print(f"✅ Admin first join with registered ECDSA key")
-                role = "admin"
-                session_id = admin_session
-                receiver_number = None
-                return jsonify({
-                    "session_id": session_id,
-                    "role": role,
-                    "receiver_number": receiver_number,
-                    "room_settings": room["settings"],
-                    "expires_at": room["expires_at"]
-                })
-            else:
-                # Different key - this should use challenge-response
-                return jsonify({
-                    "error": "Use challenge-response for rejoin (/api/chat/challenge)"
-                }), 400
-        # RECEIVER FIRST JOIN (Registration)
-        if not receiver_token or not public_key:
-            return jsonify({"error": "Receiver token and public key required"}), 400
-        # Find the token
-        token_data = None
-        for token in room["receiver_tokens"]:
-            if token["token"] == receiver_token:
-                token_data = token
-                break
-        if not token_data:
-            return jsonify({"error": "Invalid receiver token"}), 403
-        # Check if token already claimed
-        if token_data["claimed"]:
-            # Already claimed - should use challenge-response
-            return jsonify({
-                "error": "Token already claimed. Use challenge-response for rejoin (/api/chat/challenge)"
-            }), 400
-        # First time claim - BIND the ECDSA public key to token
-        token_data["claimed"] = True
-        token_data["ecdsa_public_key"] = public_key
-        token_data["claimed_at"] = time.time()
-        print(f"🔑 Receiver #{token_data['receiver_number']} registered with ECDSA key")
-        # ✅ ADD THIS DETAILED LOGGING:
-        print(f"\n{'='*60}")
-        print(f"🔑 ECDSA KEY REGISTRATION")
-        print(f"{'='*60}")
-        print(f"Room ID: {room_id[:8]}...")
-        print(f"Receiver #: {token_data['receiver_number']}")
-        print(f"Token: {receiver_token[:8]}...")
-        print(f"ECDSA Public Key (stored):")
-        print(f"  - Length: {len(public_key)} characters")
-        print(f"  - First 50 chars: {public_key[:50]}")
-        print(f"  - Last 20 chars: {public_key[-20:]}")
-        print(f"  - Full key: {public_key}")
-        print(f"{'='*60}\n")
-        # Verify storage
-        print(f"🔍 VERIFICATION: Reading back stored key...")
-        stored_key = token_data.get("ecdsa_public_key")
-        print(f"  - Stored key exists: {stored_key is not None}")
-        if stored_key:
-            print(f"  - Stored key length: {len(stored_key)}")
-            print(f"  - Keys match: {stored_key == public_key}")
-            print(f"  - Stored key: {stored_key}")
-        print(f"{'='*60}\n")
-        role = "receiver"
-        session_id = str(uuid.uuid4())
-        receiver_number = token_data["receiver_number"]
-        return jsonify({
-            "session_id": session_id,
-            "role": role,
-            "receiver_number": receiver_number,
-            "room_settings": room["settings"],
-            "expires_at": room["expires_at"]
-        })
-    except Exception as e:
-        print(f"❌ Error joining chat room: {e}")
-        import traceback
-        traceback.print_exc()
-        return jsonify({"error": str(e)}), 500
-@socketio.on('request_challenge')
-def handle_request_challenge(data):
-    """Generate challenge for ECDSA authentication (rejoin) - via WebSocket"""
-    try:
-        room_id = data.get("room_id")
-        role = data.get("role")
-        identifier = data.get("identifier")  # admin_session or receiver_token
-        print(f"\n{'='*60}")
-        print(f"🎲 CHALLENGE REQUEST")
-        print(f"{'='*60}")
-        print(f"Room: {room_id[:8] if room_id else 'None'}...")
-        print(f"Role: {role}")
-        print(f"Identifier: {identifier[:8] if identifier else 'None'}...")
-        if not room_id or not role or not identifier:
-            emit('challenge_error', {"error": "Missing required fields"})
-            return
-        if room_id not in CHAT_ROOMS:
-            emit('challenge_error', {"error": "Chat room not found"})
-            return
-        room = CHAT_ROOMS[room_id]
-        # Check if expired
-        if time.time() > room["expires_at"]:
-            emit('challenge_error', {"error": "Chat room has expired"})
-            return
-        # Verify identifier exists
-        if role == "admin":
-            if identifier != room["admin_session"]:
-                emit('challenge_error', {"error": "Invalid admin session"})
-                return
-            print(f"✅ Admin session valid")
-        elif role == "receiver":
-            # Find token
-            token_found = False
-            for token in room["receiver_tokens"]:
-                if token["token"] == identifier:
-                    if not token["claimed"]:
-                        emit('challenge_error', {"error": "Token not yet registered"})
-                        return
-                    if not token.get("ecdsa_public_key"):
-                        emit('challenge_error', {"error": "No public key registered"})
-                        return
-                    # ✅ ADD THIS DETAILED LOGGING:
-                    print(f"✅ Found receiver token")
-                    print(f"Token data:")
-                    print(f"  - Receiver #: {token['receiver_number']}")
-                    print(f"  - Claimed: {token['claimed']}")
-                    print(f"  - Claimed at: {token.get('claimed_at')}")
-                    print(f"  - ECDSA key exists: {token.get('ecdsa_public_key') is not None}")
-                    if token.get('ecdsa_public_key'):
-                        ecdsa_key = token['ecdsa_public_key']
-                        print(f"  - ECDSA key length: {len(ecdsa_key)}")
-                        print(f"  - ECDSA key (first 50): {ecdsa_key[:50]}")
-                        print(f"  - ECDSA key (last 20): {ecdsa_key[-20:]}")
-                        print(f"  - Full ECDSA key: {ecdsa_key}")
-                    print(f"✅ Found receiver token, public_key exists")
-                    token_found = True
-                    break
-            if not token_found:
-                emit('challenge_error', {"error": "Invalid receiver token"})
-                return
         else:
-            emit('challenge_error', {"error": "Invalid role"})
-            return
-        # Generate random challenge (32 bytes)
-        challenge_bytes = secrets.token_bytes(32)
-        challenge_b64 = base64.b64encode(challenge_bytes).decode()
-        # Store challenge temporarily (expires in 60 seconds)
-        challenge_key = f"{room_id}_{identifier}"
-        CHALLENGE_STORE[challenge_key] = {
-            "challenge": challenge_b64,
-            "created_at": time.time(),
-            "role": role
-        }
-        print(f"✅ Generated challenge")
-        print(f"  - Challenge (base64): {challenge_b64}")
-        print(f"  - Challenge length: {len(challenge_b64)} chars")
-        print(f"  - Challenge bytes: {len(challenge_bytes)} bytes")
-        print(f"{'='*60}\n")
-        emit('challenge_response', {"challenge": challenge_b64})
-    except Exception as e:
-        print(f"❌ Error generating challenge: {e}")
-        import traceback
-        traceback.print_exc()
-        emit('challenge_error', {"error": str(e)})
-@socketio.on('verify_signature')
-def handle_verify_signature(data):
-    """Verify ECDSA signature and authenticate - via WebSocket"""
-    try:
-        room_id = data.get("room_id")
-        role = data.get("role")
-        identifier = data.get("identifier")
-        signature_b64 = data.get("signature")
-        print(f"\n{'='*60}")
-        print(f"🔐 SIGNATURE VERIFICATION")
-        print(f"{'='*60}")
-        print(f"Room: {room_id[:8] if room_id else 'None'}...")
-        print(f"Role: {role}")
-        print(f"Identifier: {identifier[:8] if identifier else 'None'}...")
-        print(f"Signature (first 30): {signature_b64[:30] if signature_b64 else 'None'}...")
-        print(f"Signature (full): {signature_b64}")
-        if not room_id or not role or not identifier or not signature_b64:
-            emit('verification_error', {"error": "Missing required fields"})
-            return
-        if room_id not in CHAT_ROOMS:
-            emit('verification_error', {"error": "Chat room not found"})
-            return
-        room = CHAT_ROOMS[room_id]
-        # Check if expired
-        if time.time() > room["expires_at"]:
-            emit('verification_error', {"error": "Chat room has expired"})
-            return
-        # Retrieve challenge
-        challenge_key = f"{room_id}_{identifier}"
-        print(f"Looking for challenge key: {challenge_key[:50]}...")
-        if challenge_key not in CHALLENGE_STORE:
-            print(f"❌ Challenge not found!")
-            emit('verification_error', {"error": "No challenge found or challenge expired"})
-            return
-        challenge_data = CHALLENGE_STORE[challenge_key]
-        # Check challenge expiry (60 seconds)
-        if time.time() - challenge_data["created_at"] > 60:
-            del CHALLENGE_STORE[challenge_key]
-            emit('verification_error', {"error": "Challenge expired"})
-            return
-        challenge = challenge_data["challenge"]
-        print(f"✅ Found challenge: {challenge[:30]}...")
-        # Get ECDSA public key based on role
-        ecdsa_public_key_b64 = None
-        receiver_number = None
-        if role == "admin":
-            if identifier != room["admin_session"]:
-                emit('verification_error', {"error": "Invalid admin session"})
-                return
-            ecdsa_public_key_b64 = room["admin_ecdsa_public_key"]
-            print(f"✅ Using admin ECDSA public key")
-            print(f"   Public key (first 50): {ecdsa_public_key_b64[:50]}...")
-        elif role == "receiver":
-            token_found = False
-            for token in room["receiver_tokens"]:
-                if token["token"] == identifier:
-                    if not token["claimed"]:
-                        emit('verification_error', {"error": "Token not claimed"})
-                        return
-                    ecdsa_public_key_b64 = token["ecdsa_public_key"]
-                    receiver_number = token["receiver_number"]
-                    # ✅ ADD THIS DETAILED LOGGING:
-                    print(f"\n✅ Found receiver token for verification")
-                    print(f"Token data:")
-                    print(f"  - Receiver #: {receiver_number}")
-                    print(f"  - ECDSA key exists: {ecdsa_public_key_b64 is not None}")
-                    if ecdsa_public_key_b64:
-                        print(f"  - ECDSA key length: {len(ecdsa_public_key_b64)}")
-                        print(f"  - ECDSA key (first 50): {ecdsa_public_key_b64[:50]}")
-                        print(f"  - ECDSA key (last 20): {ecdsa_public_key_b64[-20:]}")
-                        print(f"  - Full ECDSA key: {ecdsa_public_key_b64}")
-                    token_found = True
-                    break
-            if not token_found:
-                emit('verification_error', {"error": "Invalid receiver token"})
-                return
-            if not ecdsa_public_key_b64:
-                emit('verification_error', {"error": "No ECDSA public key found"})
-                return
-        else:
-            emit('verification_error', {"error": "Invalid role"})
-            return
-        # Verify ECDSA signature
-        print(f"🔐 Calling verify_ecdsa_signature...")
-        print(f"   Challenge: {challenge}")
-        print(f"   Signature: {signature_b64}")
-        is_valid = verify_ecdsa_signature(ecdsa_public_key_b64, challenge, signature_b64)
-        # Delete challenge (prevent replay)
-        del CHALLENGE_STORE[challenge_key]
-        if not is_valid:
-            print(f"❌ Signature verification FAILED")
-            emit('verification_error', {"error": "Invalid signature"})
-            return
-        print(f"✅ Signature verified successfully!")
-        # Generate session
-        session_id = str(uuid.uuid4())
-        emit('verification_success', {
             "session_id": session_id,
             "role": role,
             "receiver_number": receiver_number,
@@ -1234,48 +676,6 @@ def handle_verify_signature(data):
         })
     except Exception as e:
-        print(f"❌ Error verifying signature: {e}")
-        import traceback
-        traceback.print_exc()
-        emit('verification_error', {"error": str(e)})
-@app.route("/api/chat/delete/<room_id>", methods=["DELETE"])
-def delete_chat_room(room_id):
-    """Admin manually deletes a chat room"""
-    try:
-        # Get admin session from Authorization header
-        auth_header = request.headers.get('Authorization', '')
-        admin_session = auth_header.replace('Bearer ', '')
-        if not admin_session:
-            return jsonify({"error": "Admin session required"}), 401
-        if room_id not in CHAT_ROOMS:
-            return jsonify({"error": "Chat room not found"}), 404
-        room = CHAT_ROOMS[room_id]
-        # Verify admin session
-        if room["admin_session"] != admin_session:
-            return jsonify({"error": "Unauthorized - not admin"}), 403
-        # Notify all participants that room is closing
-        socketio.emit('room_closing', {
-            'room_id': room_id,
-            'reason': 'Admin deleted the room'
-        }, room=room_id)
-        # Delete room
-        del CHAT_ROOMS[room_id]
-        print(f"🗑️ Admin deleted room: {room_id[:8]}...")
-        return jsonify({"message": "Room deleted successfully"})
-    except Exception as e:
-        print(f"❌ Error deleting chat room: {e}")
-        import traceback
-        traceback.print_exc()
         return jsonify({"error": str(e)}), 500
 # ADD WEBSOCKET EVENTS:
@@ -1284,7 +684,7 @@ def handle_join_chat(data):
     room_id = data['room_id']
     session_id = data['session_id']
     role = data['role']
-    rsa_public_key = data.get('public_key')
     if room_id not in CHAT_ROOMS:
         return
@@ -1295,8 +695,7 @@ def handle_join_chat(data):
     CHAT_ROOMS[room_id]["active_sessions"][session_id] = {
         "role": role,
         "receiver_number": data.get('receiver_number'),
-        "rsa_public_key": rsa_public_key,
-        "socket_id": request.sid,  # NEW: Store socket ID
         "joined_at": time.time(),
         "last_seen": time.time()
     }
@@ -1309,7 +708,7 @@ def handle_join_chat(data):
                 'session_id': sid,
                 'role': session['role'],
                 'receiver_number': session.get('receiver_number'),
-                'public_key': session.get('rsa_public_key')
             })
     emit('peer_list', {'peers': peer_list})
@@ -1319,7 +718,7 @@ def handle_join_chat(data):
         'session_id': session_id,
         'role': role,
         'receiver_number': data.get('receiver_number'),
-        'public_key': rsa_public_key,
         'active_count': len(CHAT_ROOMS[room_id]["active_sessions"])
     }, room=room_id, include_self=False)  # ← CRITICAL: include_self=False
@@ -1407,35 +806,24 @@ def handle_leave_chat(data):
     room_id = data['room_id']
     session_id = data['session_id']
-    if room_id not in CHAT_ROOMS:
-        print(f"⚠️ Room {room_id[:8]}... already deleted")
-        return
-    if session_id not in CHAT_ROOMS[room_id]["active_sessions"]:
-        print(f"⚠️ Session {session_id[:8]}... not in room")
-        return
-    session = CHAT_ROOMS[room_id]["active_sessions"][session_id]
-    # If admin left and burn_on_admin_exit is true
-    if session["role"] == "admin" and CHAT_ROOMS[room_id]["settings"]["burn_on_admin_exit"]:
-        emit('room_closing', {'reason': 'Admin left the room'}, room=room_id)
-        del CHAT_ROOMS[room_id]  # ✅ Delete entire room
-        leave_room(room_id)
-        print(f"🔥 Room {room_id[:8]}... burned (admin left)")
-    else:
-        # Emit BEFORE deleting
-        emit('user_left', {
-            'session_id': session_id,
-            'role': session["role"],
-            'receiver_number': session.get("receiver_number"),
-            'active_count': len(CHAT_ROOMS[room_id]["active_sessions"]) - 1
-        }, room=room_id)
-        # Delete session
         del CHAT_ROOMS[room_id]["active_sessions"][session_id]
         leave_room(room_id)
-        print(f"👋 Session {session_id[:8]}... left room {room_id[:8]}...")
 @app.route("/api/auth/signup", methods=["POST"])
 def api_signup():
@@ -1939,30 +1327,26 @@ def handle_disconnect():
         print(f"👤 User disconnected: {username_hash[:8]}...")
         # Remove from chat rooms
-        # Remove from chat rooms and notify others
         for room_id, room in list(CHAT_ROOMS.items()):
-            for session_id, session in list(room['active_sessions'].items()):
-                # Check if this session matches the disconnected socket
-                if session.get('socket_id') == request.sid:
-                    print(f"[Disconnect] User {session_id} disconnected from room {room_id}")
-                    # CRITICAL: Notify BEFORE deleting
-                    socketio.emit('user_left', {
-                        'session_id': session_id,
-                        'role': session['role'],
-                        'receiver_number': session.get('receiver_number'),
-                        'active_count': len(room['active_sessions']) - 1
-                    }, room=room_id)
-                    # If admin disconnected, close room
-                    if session['role'] == 'admin' and room['settings'].get('burn_on_admin_exit', True):
-                        print(f"[Disconnect] Admin disconnected, closing room {room_id}")
-                        socketio.emit('room_closing', {'reason': 'Admin disconnected'}, room=room_id)
-                        del CHAT_ROOMS[room_id]
-                    else:
-                        del room['active_sessions'][session_id]
-                    break
         # Remove from screen share rooms
         for room_id, room in list(SCREEN_SHARE_ROOMS.items()):
@@ -2170,38 +1554,6 @@ def periodic_cleanup():
         try:
             now = time.time()
-            # ADD THIS: Cleanup old nonces
-            cleanup_old_nonces(now)
-            # ADD THIS: Cleanup old session requests
-            for uuid in list(SESSION_REQUESTS.keys()):
-                requests = [ts for ts in SESSION_REQUESTS[uuid] if now - ts < 300]
-                if requests:
-                    SESSION_REQUESTS[uuid] = requests
-                else:
-                    del SESSION_REQUESTS[uuid]
-            # 0. Cleanup old challenges
-            cleanup_old_challenges()
-            # 1. Cleanup expired chat rooms
-            expired_chat_rooms = []
-            for room_id, room in list(CHAT_ROOMS.items()):
-                if now > room['expires_at']:
-                    expired_chat_rooms.append(room_id)
-                    # Notify participants
-                    socketio.emit('room_closing', {
-                        'room_id': room_id,
-                        'reason': 'Room expired'
-                    }, room=room_id)
-                    # Delete room
-                    del CHAT_ROOMS[room_id]
-            if expired_chat_rooms:
-                print(f"[Cleanup] Expired {len(expired_chat_rooms)} chat room(s)")
             # 1. Cleanup expired screen share rooms
             expired_rooms = []

 import sys
 import os
 from flask import Flask, request, jsonify, send_file
 from flask_cors import CORS
 from werkzeug.utils import secure_filename
 import tempfile
 import uuid
 from database import init_supabase, get_supabase
 from auth import signup_user, login_user, check_username_exists, verify_token
 from functools import wraps
 app = Flask(__name__)
 CORS(app)
 print("Initializing Supabase...")
 init_supabase()
     transports=['websocket', 'polling']  # Explicitly allow both
 )
 # In-memory storage
 SECRETS = {}  # { id: { data, file_data, file_type, expire_at, view_once, theme, analytics, etc. } }
 SHORT_LINKS = {}  # { short_id: full_id }
 CURSOR_STATES = {}
 CHAT_ROOMS = {}
 # Configuration
 MAX_FILE_SIZE = 5 * 1024 * 1024  # 5MB
 ALLOWED_EXTENSIONS = {
 ONLINE_USERS = {}
 FILE_TRANSFERS = {}
 def assign_cursor_color(existing_participants):
     """Assign unique cursor color to new participant"""
     import random
             'timezone': 'Unknown'
         }
 def generate_qr_code(data):
     """Generate QR code for the given data"""
     qr = qrcode.QRCode(
     try:
         form = request.form
         data = form.get("data")
         if not data:
             return jsonify({"error": "Data is required"}), 400
         # Parse parameters
         ttl = int(form.get("ttl", 300))
         view_once = form.get("view_once", "false").lower() == "true"
 def fetch(secret_id):
     """Fetch and decrypt secret with analytics - MODIFIED TO HANDLE verify_only"""
     try:
         # Check if it's a short link
         if secret_id in SHORT_LINKS:
             secret_id = SHORT_LINKS[secret_id]
     except Exception as e:
         return jsonify({"error": str(e)}), 500
 @app.route("/api/cleanup", methods=["POST"])
 def cleanup_expired():
     """Clean up expired secrets"""
         max_receivers = int(form.get("max_receivers", 5))
         password = form.get("password", "")
         allow_files = form.get("allow_files", "true").lower() == "true"
         room_id = str(uuid.uuid4())
+        admin_session = str(uuid.uuid4())
         CHAT_ROOMS[room_id] = {
             "admin_session": admin_session,
             "created_at": time.time(),
+            "expires_at": time.time() + ttl,
             "settings": {
                 "max_receivers": max_receivers,
                 "password": password,
                 "allow_files": allow_files,
                 "burn_on_admin_exit": True
             },
             "active_sessions": {},
             "receiver_counter": 0
         }
+        # Return only IDs - let frontend create URLs
         return jsonify({
             "room_id": room_id,
             "admin_session": admin_session,
+            "expires_at": CHAT_ROOMS[room_id]["expires_at"]
         })
     except Exception as e:
         return jsonify({"error": str(e)}), 500
 @app.route("/api/chat/join/<room_id>")
 def join_chat_room(room_id):
     try:
         password = request.args.get("password", "")
         admin_session = request.args.get("admin", "")
         if room_id not in CHAT_ROOMS:
             return jsonify({"error": "Chat room not found"}), 404
         # Check password
         if room["settings"]["password"] and password != room["settings"]["password"]:
             return jsonify({"error": "Wrong password"}), 403
+        # FIXED: Proper role assignment
+        if admin_session and admin_session == room["admin_session"]:
+            # Only admin if the session matches the room's admin session
+            role = "admin"
+            session_id = admin_session
+            receiver_number = None
         else:
+            # Everyone else is a receiver
+            active_receivers = sum(1 for s in room["active_sessions"].values() if s["role"] == "receiver")
+            if active_receivers >= room["settings"]["max_receivers"]:
+                return jsonify({"error": "Chat room is full"}), 403
+            role = "receiver"
+            session_id = str(uuid.uuid4())
+            room["receiver_counter"] += 1
+            receiver_number = room["receiver_counter"]
+        return jsonify({
             "session_id": session_id,
             "role": role,
             "receiver_number": receiver_number,
         })
     except Exception as e:
         return jsonify({"error": str(e)}), 500
 # ADD WEBSOCKET EVENTS:
     room_id = data['room_id']
     session_id = data['session_id']
     role = data['role']
+    public_key = data.get('public_key')
     if room_id not in CHAT_ROOMS:
         return
     CHAT_ROOMS[room_id]["active_sessions"][session_id] = {
         "role": role,
         "receiver_number": data.get('receiver_number'),
+        "public_key": public_key,
         "joined_at": time.time(),
         "last_seen": time.time()
     }
                 'session_id': sid,
                 'role': session['role'],
                 'receiver_number': session.get('receiver_number'),
+                'public_key': session.get('public_key')
             })
     emit('peer_list', {'peers': peer_list})
         'session_id': session_id,
         'role': role,
         'receiver_number': data.get('receiver_number'),
+        'public_key': public_key,
         'active_count': len(CHAT_ROOMS[room_id]["active_sessions"])
     }, room=room_id, include_self=False)  # ← CRITICAL: include_self=False
     room_id = data['room_id']
     session_id = data['session_id']
+    if room_id in CHAT_ROOMS and session_id in CHAT_ROOMS[room_id]["active_sessions"]:
+        session = CHAT_ROOMS[room_id]["active_sessions"][session_id]
         del CHAT_ROOMS[room_id]["active_sessions"][session_id]
+        # If admin left and burn_on_admin_exit is true
+        if session["role"] == "admin" and CHAT_ROOMS[room_id]["settings"]["burn_on_admin_exit"]:
+            emit('room_closing', {'reason': 'Admin left the room'}, room=room_id)
+            del CHAT_ROOMS[room_id]
+            if room_id in CHAT_MESSAGES:
+                del CHAT_MESSAGES[room_id]
+        else:
+            emit('user_left', {
+                'role': session["role"],
+                'receiver_number': session.get("receiver_number"),
+                'active_count': len(CHAT_ROOMS[room_id]["active_sessions"])
+            }, room=room_id)
         leave_room(room_id)
 @app.route("/api/auth/signup", methods=["POST"])
 def api_signup():
         print(f"👤 User disconnected: {username_hash[:8]}...")
         # Remove from chat rooms
         for room_id, room in list(CHAT_ROOMS.items()):
+            if username_hash in [s for s_id, s in room['active_sessions'].items()]:
+                # Find and remove session
+                for session_id, session in list(room['active_sessions'].items()):
+                    if session.get('username_hash') == username_hash or \
+                       (session['role'] == 'admin' and room['admin_session'] == session_id):
+                        # If admin left, close room
+                        if session['role'] == 'admin' and room['settings'].get('burn_on_admin_exit', True):
+                            socketio.emit('room_closing', {'reason': 'Admin disconnected'}, room=room_id)
+                            if room_id in CHAT_MESSAGES:
+                                del CHAT_MESSAGES[room_id]
+                            del CHAT_ROOMS[room_id]
+                        else:
+                            del room['active_sessions'][session_id]
+                            socketio.emit('user_left', {
+                                'role': session['role'],
+                                'receiver_number': session.get('receiver_number'),
+                                'active_count': len(room['active_sessions'])
+                            }, room=room_id)
         # Remove from screen share rooms
         for room_id, room in list(SCREEN_SHARE_ROOMS.items()):
         try:
             now = time.time()
             # 1. Cleanup expired screen share rooms
             expired_rooms = []