pub fn derive_code_proof(
code: &str,
room_id: &str,
joiner_x25519_pub: &[u8; 32],
) -> Result<[u8; 32]>

huddle 2.2 (audit PA-1): derive a memory-hard proof of knowledge of the
join code, bound to the room and the joiner’s ephemeral X25519 public key.
This replaces putting the cleartext bearer code on the (relay-readable) room
topic. A malicious relay that captures a proof cannot rebind it to its own
forged ephemeral key — that would require recomputing Argon2id(code, …new pubkey…), i.e. knowing the code — and cannot brute-force the ~40-bit code
out of the proof: the salt is unique per (room, ephemeral) so there is no
precomputation, and a single 64 MiB Argon2id guess over a 10-minute,
single-use code window is infeasible at any plausible attacker bandwidth.
Both the joiner (to build the request) and the owner (to verify it) call
this with the SAME joiner_x25519_pub — the 32 raw bytes of the ephemeral
key the joiner put in the request.
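The binding and verification flow described above, as an added example (not huddle's own code): the salt is derived from the room id and the joiner's raw 32-byte ephemeral key, the joiner derives the proof, and the owner recomputes it with the key taken from the request and compares in constant time. It assumes a domain label and salt layout of its own, and uses hashlib.scrypt (16 MiB) as a stand-in memory-hard KDF because the Python standard library has no Argon2id; the real function uses Argon2id at 64 MiB.

```python
import hashlib
import hmac
import os

# Assumed domain-separation label; the real huddle salt layout is not shown on this page.
DOMAIN = b"huddle-code-proof-example-v1"

# hashlib.scrypt stands in for Argon2id (64 MiB) because the standard library has no
# Argon2; parameters kept modest so the example runs quickly (16 MiB, single lane).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def proof_salt(room_id: str, joiner_x25519_pub: bytes) -> bytes:
    """Salt unique per (room, ephemeral key); fields are length-prefixed so they cannot collide."""
    if len(joiner_x25519_pub) != 32:
        raise ValueError("joiner public key must be the 32 raw X25519 bytes")
    room = room_id.encode("utf-8")
    return hashlib.sha256(DOMAIN + len(room).to_bytes(4, "big") + room + joiner_x25519_pub).digest()


def derive_code_proof(code: str, room_id: str, joiner_x25519_pub: bytes) -> bytes:
    """Memory-hard proof of knowledge of `code`, bound to the room and the joiner's key."""
    return hashlib.scrypt(code.encode("utf-8"), salt=proof_salt(room_id, joiner_x25519_pub),
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def verify_code_proof(code: str, room_id: str, joiner_x25519_pub: bytes, proof: bytes) -> bool:
    """Owner side: recompute with the SAME key the joiner put in the request, compare in constant time."""
    expected = derive_code_proof(code, room_id, joiner_x25519_pub)
    return hmac.compare_digest(expected, proof)


def demo() -> dict:
    code, room = "7f3k9q2m", "room-42"      # constructed sample values (~40-bit code, room id)
    joiner_pub = os.urandom(32)              # stands in for the joiner's ephemeral X25519 key
    relay_pub = os.urandom(32)               # a different key a relay would try to substitute
    proof = derive_code_proof(code, room, joiner_pub)
    return {
        "joiner_ok": verify_code_proof(code, room, joiner_pub, proof),
        "rebound_key_rejected": not verify_code_proof(code, room, relay_pub, proof),
        "other_room_rejected": not verify_code_proof(code, "room-43", joiner_pub, proof),
        "wrong_code_rejected": not verify_code_proof("00000000", room, joiner_pub, proof),
    }


if __name__ == "__main__":
    print(demo())
```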