ap-proxy 0.4.0

Zero-knowledge WebSocket proxy server for access-protocol
# ap-proxy

A WebSocket proxy server for `aac` (ap-cli) that routes messages between authenticated clients without access to message contents.

For the client library, see [`ap-proxy-client`](../ap-proxy-client/).
For shared protocol types, see [`ap-proxy-protocol`](../ap-proxy-protocol/).

## Quick Start

### Running the Proxy Server

```bash
cargo run --bin ap-proxy
```

The server listens on `ws://localhost:8080` by default.

### Embedding in Your Application

```rust
use ap_proxy::server::ProxyServer;
use std::net::SocketAddr;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let addr: SocketAddr = "127.0.0.1:8080".parse()?;
    let server = ProxyServer::new(addr);
    server.run().await?;
    Ok(())
}
```

## Architecture

The proxy implements a three-phase protocol:

### 1. Authentication Phase

- Client connects to proxy via WebSocket
- Server sends a cryptographic challenge
- Client signs the challenge with its cryptographic identity
- Server verifies the signature and authenticates the client
- This establishes the client's identity

### 2. Rendezvous Phase (Optional)

- Clients can request temporary pairing tokens (e.g., "ABC-DEF-GHI")
- Other clients can look up the requesting client's identity by presenting that code
- Enables peer discovery without sharing long-lived identifiers

### 3. Messaging Phase

- Authenticated clients can send messages to other clients by fingerprint
- Messages are routed through the proxy server
- The proxy validates the source identity but cannot decrypt message contents
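The session rules implied by the authentication and messaging phases, as an added sketch that is not ap-proxy's own code. The types, method names, and the injected `verify` callback are hypothetical, and `demo_verify` is a constructed stand-in for a real signature check so the example runs with the standard library alone.

```rust
use std::collections::HashMap;
// Hypothetical types for illustration; not ap-proxy's real API.
enum Phase { AwaitingAuth([u8; 32]), Authenticated(String) }
#[derive(Debug, PartialEq)]
struct Routed { source: String, dest: String, payload: Vec<u8> }
struct Proxy<V: Fn(&str, &[u8], &[u8]) -> bool> {
    verify: V,                     // injected signature check (assumption)
    sessions: HashMap<u32, Phase>, // connection id -> protocol phase
    online: HashMap<String, u32>,  // authenticated fingerprint -> connection id
}

impl<V: Fn(&str, &[u8], &[u8]) -> bool> Proxy<V> {
    fn new(verify: V) -> Self { Proxy { verify, sessions: HashMap::new(), online: HashMap::new() } }
    // Phase 1a: a fresh challenge (from a CSPRNG in practice) is bound to one connection.
    fn connect(&mut self, conn: u32, challenge: [u8; 32]) {
        self.sessions.insert(conn, Phase::AwaitingAuth(challenge));
    }
    // Phase 1b: the signature must cover this connection's own pending challenge.
    fn authenticate(&mut self, conn: u32, fp: &str, sig: &[u8]) -> Result<(), &'static str> {
        let challenge = match self.sessions.get(&conn) {
            Some(Phase::AwaitingAuth(c)) => *c,
            _ => return Err("no pending challenge"),
        };
        if !(self.verify)(fp, &challenge[..], sig) {
            self.sessions.remove(&conn); // failed attempt: drop the session and its challenge
            return Err("bad signature");
        }
        self.sessions.insert(conn, Phase::Authenticated(fp.to_string()));
        self.online.insert(fp.to_string(), conn);
        Ok(())
    }
    // Phase 3: source comes from session state, never from the client; payload stays opaque.
    fn route(&self, conn: u32, dest: &str, payload: Vec<u8>) -> Result<Routed, &'static str> {
        let source = match self.sessions.get(&conn) {
            Some(Phase::Authenticated(fp)) => fp.clone(),
            _ => return Err("not authenticated"),
        };
        if !self.online.contains_key(dest) { return Err("unknown destination"); }
        Ok(Routed { source, dest: dest.to_string(), payload })
    }
}

// Constructed stand-in so the example runs offline; NOT a signature scheme.
fn demo_verify(fp: &str, c: &[u8], sig: &[u8]) -> bool { sig == [fp.as_bytes(), c].concat().as_slice() }
fn main() {
    let mut p = Proxy::new(demo_verify);
    p.connect(1, [7u8; 32]); // constructed challenge value
    let sig = [&b"alice-fp"[..], &[7u8; 32][..]].concat();
    println!("{:?} {:?}", p.authenticate(1, "alice-fp", &sig), p.route(1, "alice-fp", b"ct".to_vec()));
}
```

Because `route` takes the source from the authenticated session and never inspects `payload`, a client cannot claim another fingerprint as sender, and the proxy only ever handles the bytes it forwards.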