- The demo website I've made for the waiting room! https://aguo.dev/cryptoq
- Screenshot of the client-side cookie that is signed and encrypted using the CryptoJS library.
- The screen a user receives upon passing the waiting room! How nice!
- Error handling for unrecognized events!
- Session expired page, when the server detects the cookie's expiry property has passed.
Inspiration
I've seen sites utilizing waiting rooms before to act as a load balancer, and decided to try it out with my own little twist of encrypted cookies! I also took some inspiration from Fastly's waiting room system that is able to be implemented via their VCL service.
What it does
Acts as a queue/waiting room infrastructure where users wait before being let into a certain site. Encrypts cookie strings server-side and passes them back and forth with the client (end user). Encryption is done using the HMAC-SHA256 algorithm via the CryptoJS library. The cookies are split into two parts: the text-based area and the encrypted signature. The signature, however, is only an encrypted version of the text-based area that comes before it. This is useful because the system validates the cookies by comparing the signature portion of the cookie to the string before it. If the signature matches the string before it, we know it is an authentic user because nobody but us has the private keys (which are used to encrypt).
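The sign-then-verify flow described above, as an added example that is not CryptoQ's own code: Node's built-in `crypto` module and `URLSearchParams` stand in for CryptoJS and qs, and the key, the `pos` and `exp` field names, and the `&sig=` separator are assumptions. HMAC-SHA256 is a keyed hash rather than a cipher, so the text part stays readable to the client and the signature only proves it was not altered.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed demo key (assumption); a real key is loaded from server-side config.
const SECRET = 'constructed-demo-key';

// Hex HMAC-SHA256 tag over the text part of the cookie.
function hmacHex(text) {
  return createHmac('sha256', SECRET).update(text).digest('hex');
}

// Cookie layout: "<query-string fields>&sig=<hex HMAC of those fields>".
function issueCookie(fields) {
  const text = new URLSearchParams(fields).toString();
  return `${text}&sig=${hmacHex(text)}`;
}

// Returns { ok, reason, fields }. No field is trusted until the tag checks out.
function verifyCookie(cookie, now = Date.now()) {
  const cut = cookie.lastIndexOf('&sig=');
  if (cut < 0) return { ok: false, reason: 'unsigned' };
  const text = cookie.slice(0, cut);
  const given = Buffer.from(cookie.slice(cut + 5));
  const expected = Buffer.from(hmacHex(text));
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const fields = Object.fromEntries(new URLSearchParams(text));
  // A missing or non-numeric exp yields NaN and is treated as expired.
  if (!(Number(fields.exp) > now)) return { ok: false, reason: 'expired' };
  return { ok: true, reason: 'valid', fields };
}

// Constructed sample run: a fresh cookie, an edited one, and a stale one.
function demo(now = Date.now()) {
  const cookie = issueCookie({ pos: '42', exp: String(now + 60_000) });
  return {
    fresh: verifyCookie(cookie, now).reason,
    edited: verifyCookie(cookie.replace('pos=42', 'pos=1'), now).reason,
    stale: verifyCookie(cookie, now + 120_000).reason,
  };
}
```

Because the expiry sits inside the signed text, a client cannot extend its own session by editing `exp`: any change to the text part invalidates the tag.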
How we built it
Built using Express.js for the server-side handling, cookie-parser to handle cookies sent to the server via HTTP requests, qs to parse the cookie strings (which are formatted similarly to query strings), CryptoJS to encrypt the strings via the HMAC-SHA256 algorithm, and fs (filesystem) to read and write our configuration file.
Challenges we ran into
Bugs with the overall logic of the code, as well as encrypting the cookie strings. I was also quite limited time-wise so I had to sacrifice some functionality that I wanted to add.
Accomplishments that we're proud of
I didn't have to fix too many bugs and I didn't have to refactor much! The program worked well and seemingly flawlessly, which I'm proud of. I also pulled an all-nighter!
What we learned
I learned about how certain security mechanisms work at a low level, as well as more about encryption, cookies, and cybersecurity in general when it came to preventing bots and malicious requests from being made to a server.
What's next for CryptoQ
I plan on adding more functionality, such as a max number of people allowed to cross through the waiting room, POST protection, and rate-limiting middleware to prevent spam.
Thanks for the opportunity to participate, I really appreciate it! Happy Valentine's Day!
Built With
- cookie-parser
- cryptojs
- express.js
- fs
- javascript
- qs


