talmolab
diff --git a/‎dashboard/app.js‎
Lines changed: 10 additions & 261 deletions b/‎dashboard/app.js‎
Lines changed: 10 additions & 261 deletions
@@ -147,12 +147,6 @@ class SleapRTCDashboard {
         this.activeJobs = new Map(); // jobId → job state
         this._workerPollInterval = null;
 
-        // E2E encryption state (per-session, cleared on page refresh)
-        this._e2eSessionId = null;
-        this._e2ePrivateKey = null;  // CryptoKey (P-256 ECDH)
-        this._e2eSharedKey = null;   // CryptoKey (AES-256-GCM)
-        this._e2eReady = false;
-
         this.init();
     }
 
@@ -668,25 +662,10 @@ class SleapRTCDashboard {
         const url = `${CONFIG.RELAY_SERVER}/stream/${encodeURIComponent(channel)}`;
         const es = new EventSource(url);
         const handlers = {};
-        const dashboard = this;
 
-        es.onmessage = async (event) => {
+        es.onmessage = (event) => {
             let data;
             try { data = JSON.parse(event.data); } catch { return; }
-
-            // Handle encrypted relay messages — decrypt and re-dispatch
-            if (data.type === 'encrypted_relay') {
-                if (!dashboard._e2eReady || !dashboard._e2eSharedKey) {
-                    return; // No key yet, discard
-                }
-                if (data.session_id !== dashboard._e2eSessionId) {
-                    return; // Stale session, discard
-                }
-                const decrypted = await dashboard._e2eDecrypt(data.nonce, data.ciphertext);
-                if (!decrypted) return; // Decryption failed, discard silently
-                data = decrypted;
-            }
-
             const type = data.type;
             if (type && handlers[type]) handlers[type](data);
             if (handlers['*']) handlers['*'](data);
@@ -703,229 +682,18 @@ class SleapRTCDashboard {
         };
     }
 
-    // =========================================================================
-    // E2E Encryption for Relay Transport
-    // =========================================================================
-
-    /**
-     * Generate an ephemeral ECDH P-256 keypair for E2E encryption.
-     * @returns {Promise<{privateKey: CryptoKey, publicKeyRaw: ArrayBuffer}>}
-     */
-    async _e2eGenerateKeypair() {
-        const keyPair = await crypto.subtle.generateKey(
-            { name: 'ECDH', namedCurve: 'P-256' },
-            false, // private key not extractable
-            ['deriveBits']
-        );
-        const publicKeyRaw = await crypto.subtle.exportKey('raw', keyPair.publicKey);
-        return { privateKey: keyPair.privateKey, publicKeyRaw };
-    }
-
-    /**
-     * Derive an AES-256-GCM key from ECDH shared secret + HKDF.
-     * Parameters must match Python side exactly.
-     * @param {CryptoKey} privateKey - Our P-256 private key
-     * @param {ArrayBuffer} peerPublicKeyRaw - Peer's raw public key (65 bytes)
-     * @returns {Promise<CryptoKey>} AES-256-GCM key
-     */
-    async _e2eDeriveKey(privateKey, peerPublicKeyRaw) {
-        const peerPublicKey = await crypto.subtle.importKey(
-            'raw', peerPublicKeyRaw,
-            { name: 'ECDH', namedCurve: 'P-256' },
-            false, []
-        );
-
-        // ECDH → shared secret
-        const sharedBits = await crypto.subtle.deriveBits(
-            { name: 'ECDH', public: peerPublicKey },
-            privateKey, 256
-        );
-
-        // Import as HKDF key material
-        const hkdfKey = await crypto.subtle.importKey(
-            'raw', sharedBits, 'HKDF', false, ['deriveKey']
-        );
-
-        // HKDF → AES-256-GCM key (must match Python: SHA-256, no salt, info="sleap-rtc-relay-e2e-v1")
-        return crypto.subtle.deriveKey(
-            {
-                name: 'HKDF',
-                hash: 'SHA-256',
-                salt: new Uint8Array(0),
-                info: new TextEncoder().encode('sleap-rtc-relay-e2e-v1'),
-            },
-            hkdfKey,
-            { name: 'AES-GCM', length: 256 },
-            false, ['encrypt', 'decrypt']
-        );
-    }
-
-    /**
-     * Encrypt a JSON payload with AES-256-GCM.
-     * @param {object} payload - JSON-serializable object
-     * @returns {Promise<{nonce: string, ciphertext: string}>} Base64-encoded nonce and ciphertext
-     */
-    async _e2eEncrypt(payload) {
-        const nonce = crypto.getRandomValues(new Uint8Array(12));
-        const plaintext = new TextEncoder().encode(JSON.stringify(payload));
-        const ciphertext = new Uint8Array(await crypto.subtle.encrypt(
-            { name: 'AES-GCM', iv: nonce },
-            this._e2eSharedKey, plaintext
-        ));
-        return {
-            nonce: btoa(String.fromCharCode(...nonce)),
-            ciphertext: btoa(String.fromCharCode(...ciphertext)),
-        };
-    }
-
-    /**
-     * Decrypt an AES-256-GCM ciphertext back to a JSON object.
-     * @param {string} nonceB64 - Base64-encoded nonce
-     * @param {string} ciphertextB64 - Base64-encoded ciphertext
-     * @returns {Promise<object|null>} Decrypted JSON object, or null on failure
-     */
-    async _e2eDecrypt(nonceB64, ciphertextB64) {
-        try {
-            const nonceBin = atob(nonceB64);
-            const nonce = new Uint8Array(nonceBin.length);
-            for (let i = 0; i < nonceBin.length; i++) nonce[i] = nonceBin.charCodeAt(i);
-
-            const ctBin = atob(ciphertextB64);
-            const ct = new Uint8Array(ctBin.length);
-            for (let i = 0; i < ctBin.length; i++) ct[i] = ctBin.charCodeAt(i);
-
-            const plaintext = await crypto.subtle.decrypt(
-                { name: 'AES-GCM', iv: nonce },
-                this._e2eSharedKey, ct
-            );
-            return JSON.parse(new TextDecoder().decode(plaintext));
-        } catch (e) {
-            console.warn('[E2E] Decryption failed:', e.message);
-            return null;
-        }
-    }
-
-    /**
-     * Initiate E2E key exchange with a worker. Called from sjEnterStep3() and
-     * sjGoToInferenceStep() after opening the SSE connection.
-     *
-     * Sends our ephemeral public key, waits for the worker's response on SSE,
-     * derives the shared AES key. Retries once on timeout (5s).
-     *
-     * @param {string} peerId - Worker peer ID
-     * @returns {Promise<boolean>} True if key exchange succeeded
-     */
-    async _e2eInitKeyExchange(peerId) {
-        this._e2eReady = false;
-        this._e2eSharedKey = null;
-        this._e2eSessionId = crypto.randomUUID();
-
-        const { privateKey, publicKeyRaw } = await this._e2eGenerateKeypair();
-        this._e2ePrivateKey = privateKey;
-
-        // Encode public key as URL-safe base64 (no padding)
-        const pubBytes = new Uint8Array(publicKeyRaw);
-        let pubB64 = btoa(String.fromCharCode(...pubBytes))
-            .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-
-        const attempt = async () => {
-            return new Promise((resolve, reject) => {
-                const timeout = setTimeout(() => {
-                    reject(new Error('Key exchange timeout'));
-                }, 5000);
-
-                // Listen for key_exchange_response on existing SSE
-                const originalHandler = this._sjWorkerSSE?.raw?.onmessage;
-                const wrappedHandler = async (event) => {
-                    let data;
-                    try { data = JSON.parse(event.data); } catch { return; }
-
-                    if (data.type === 'key_exchange_response' &&
-                        data.session_id === this._e2eSessionId) {
-                        clearTimeout(timeout);
-
-                        // Decode worker's public key
-                        let workerPubB64 = data.public_key
-                            .replace(/-/g, '+').replace(/_/g, '/');
-                        while (workerPubB64.length % 4) workerPubB64 += '=';
-                        const workerPubBin = atob(workerPubB64);
-                        const workerPubBytes = new Uint8Array(workerPubBin.length);
-                        for (let i = 0; i < workerPubBin.length; i++)
-                            workerPubBytes[i] = workerPubBin.charCodeAt(i);
-
-                        // Derive shared key
-                        try {
-                            this._e2eSharedKey = await this._e2eDeriveKey(
-                                this._e2ePrivateKey, workerPubBytes.buffer
-                            );
-                            this._e2eReady = true;
-                            console.log(`[E2E] Key exchange complete (session ${this._e2eSessionId.slice(0, 8)}...)`);
-                            resolve(true);
-                        } catch (e) {
-                            reject(e);
-                        }
-                    }
-
-                    // Also call original handler for other message types
-                    if (originalHandler) originalHandler(event);
-                };
-
-                // Temporarily wrap the SSE handler to intercept key_exchange_response
-                if (this._sjWorkerSSE?.raw) {
-                    this._sjWorkerSSE.raw.onmessage = wrappedHandler;
-                }
-
-                // Send key exchange request
-                this.apiWorkerMessage(this._sjRoomId, peerId, {
-                    type: 'key_exchange',
-                    session_id: this._e2eSessionId,
-                    public_key: pubB64,
-                }).catch(reject);
-            });
-        };
-
-        // Try twice
-        for (let i = 0; i < 2; i++) {
-            try {
-                await attempt();
-                return true;
-            } catch (e) {
-                console.warn(`[E2E] Key exchange attempt ${i + 1} failed: ${e.message}`);
-                if (i === 0) continue; // Retry once
-            }
-        }
-
-        console.error('[E2E] Key exchange failed after 2 attempts');
-        return false;
-    }
-
     /**
      * Forward an arbitrary message to a worker via the signaling server.
-     * If E2E encryption is active, the message is encrypted before sending.
      */
     async apiWorkerMessage(roomId, peerId, message) {
-        let outMessage = message;
-
-        // Encrypt if E2E is ready (but not the key_exchange itself)
-        if (this._e2eReady && this._e2eSharedKey && message.type !== 'key_exchange') {
-            const { nonce, ciphertext } = await this._e2eEncrypt(message);
-            outMessage = {
-                type: 'encrypted_relay',
-                session_id: this._e2eSessionId,
-                nonce,
-                ciphertext,
-            };
-        }
-
         return this.apiRequest('/api/worker/message', {
             method: 'POST',
-            body: JSON.stringify({ room_id: roomId, peer_id: peerId, message: outMessage }),
+            body: JSON.stringify({ room_id: roomId, peer_id: peerId, message }),
         });
     }
 
     /**
      * Request a directory listing from a worker's filesystem.
-     * When E2E is active, routes through apiWorkerMessage for encryption.
      */
     async apiFsList(roomId, peerId, path, reqId, offset = 0) {
         if (this._e2eReady && this._e2eSharedKey) {
@@ -941,13 +709,17 @@ class SleapRTCDashboard {
 
     /**
      * Submit a training job to a worker.
-     * When E2E is active, routes through apiWorkerMessage for encryption.
+     * When E2E is active, generates job_id client-side and routes through
+     * apiWorkerMessage. The dedicated endpoint can't be used because the
+     * signaling server would see the config in plaintext.
      */
     async apiJobSubmit(roomId, peerId, config) {
         if (this._e2eReady && this._e2eSharedKey) {
-            return this.apiWorkerMessage(roomId, peerId, {
-                type: 'job_assigned', config,
+            const jobId = `job_${crypto.randomUUID().replace(/-/g, '').slice(0, 8)}`;
+            await this.apiWorkerMessage(roomId, peerId, {
+                type: 'job_assigned', job_id: jobId, config,
             });
+            return { job_id: jobId };
         }
         return this.apiRequest('/api/jobs/submit', {
             method: 'POST',
@@ -2718,7 +2490,7 @@ class SleapRTCDashboard {
         }
     }
 
-    async sjGoToInferenceStep() {
+    sjGoToInferenceStep() {
         // Hide all views
         ['sj-step1', 'sj-step2', 'sj-step3', 'sj-status'].forEach(id => {
             document.getElementById(id)?.classList.add('hidden');
@@ -2753,17 +2525,6 @@ class SleapRTCDashboard {
             .on('worker_path_ok', (data) => this._sjHandlePathOk(data))
             .on('worker_path_error', (data) => this._sjHandlePathError(data));
 
-        // E2E key exchange with worker
-        const inferenceError = document.getElementById('sj-inference-error');
-        const e2eOk = await this._e2eInitKeyExchange(this._sjWorkerId);
-        if (!e2eOk) {
-            if (inferenceError) {
-                inferenceError.textContent = 'Could not establish secure connection with worker. The worker may need to be updated.';
-                inferenceError.classList.remove('hidden');
-            }
-            return;
-        }
-
         // Init icons
         const inferenceView = document.getElementById('sj-step-inference');
         if (window.lucide && inferenceView) {
@@ -3674,18 +3435,6 @@ class SleapRTCDashboard {
                 .on('worker_path_error', (data) => this._sjHandlePathError(data))
                 .on('fs_check_videos_response', (data) => this._sjHandleVideoCheck(data));
 
-            // E2E key exchange with worker
-            const e2eOk = await this._e2eInitKeyExchange(this._sjWorkerId);
-            if (!e2eOk) {
-                document.getElementById('sj-browser-spinner')?.classList.add('hidden');
-                const errEl = document.getElementById('sj-browser-error');
-                if (errEl) {
-                    errEl.textContent = 'Could not establish secure connection with worker. The worker may need to be updated.';
-                    errEl.classList.remove('hidden');
-                }
-                return;
-            }
-
             // Re-fetch worker data to get fresh metadata (mounts may change after reconnection)
             await this.loadRoomWorkers(this._sjRoomId);
             const workers = this.roomWorkers[this._sjRoomId]?.workers ?? [];