E C L I P S E
End-to-End Encrypted Messenger: Web · Mobile · Desktop
AMoon Eclipse is a zero-knowledge, end-to-end encrypted messaging platform. The server stores only ciphertext it cannot read. Your private key never leaves your device.
- Web: React 18 + Vite + Tailwind CSS
- Mobile: React Native + Expo (Android & iOS)
- Desktop: Wails v2 (Go + React, single binary, no Electron)
- Backend: Go + Chi router + MySQL/MariaDB + WebSocket hub
Every message is encrypted client-side with AES-256-GCM before transmission. The session key is wrapped per-recipient using RSA-2048-OAEP. The server is a blind relay.
```
┌──────────────────────────────────────────────────┐
│                  SENDER DEVICE                   │
│                                                  │
│  plaintext ──► AES-256-GCM ──► ciphertext        │
│                     ▲                            │
│       ephemeral session key (random)             │
│                     │                            │
│       RSA-OAEP wrap × N recipients               │
│  sessionKeys = { userId: encryptedKey, … }       │
└─────────────────────┬────────────────────────────┘
                      │ { sessionKeys, payload }
                      ▼
┌──────────────────────────────────────────────────┐
│                GO SERVER (BLIND)                 │
│                                                  │
│  Stores bundle as opaque TEXT in MySQL.          │
│  Forwards via WebSocket hub.                     │
│  Cannot read any message. Zero-knowledge.        │
└─────────────────────┬────────────────────────────┘
                      │ same bundle
                      ▼
┌──────────────────────────────────────────────────┐
│                 RECIPIENT DEVICE                 │
│                                                  │
│  sessionKeys[myId] ──► RSA-OAEP unwrap           │
│                              ▼                   │
│  session key ──► AES-256-GCM decrypt             │
│                        ▼                         │
│                    plaintext ✓                   │
└──────────────────────────────────────────────────┘
```
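The flow in the diagram, written out as an added Go example; it is not the project's TypeScript `crypto-engine.ts`, and the names `Bundle`, `NewIdentity`, `Encrypt` and `Decrypt` are hypothetical. It assumes SHA-256 as the OAEP hash and a payload laid out as nonce followed by ciphertext and tag, neither of which the README specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Bundle is everything the relay stores or forwards.
type Bundle struct {
	SessionKeys map[string][]byte // userId -> RSA-OAEP-wrapped session key
	Payload     []byte            // 12-byte nonce || ciphertext+tag (layout assumed)
}

// NewIdentity makes a user's RSA-2048 key pair; the private half stays on the device.
func NewIdentity() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) cipher.AEAD { // callers guarantee 32 bytes, so no error path
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt seals msg under a one-time session key and wraps it per recipient (OAEP hash SHA-256 assumed).
func Encrypt(msg []byte, to map[string]*rsa.PublicKey) (b *Bundle, err error) {
	secret := make([]byte, 32+12) // fresh session key + GCM nonce
	if _, err = rand.Read(secret); err != nil {
		return nil, err
	}
	key, nonce := secret[:32], secret[32:]
	b = &Bundle{map[string][]byte{}, newGCM(key).Seal(nonce, nonce, msg, nil)}
	for id, pub := range to {
		if b.SessionKeys[id], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
			return nil, err
		}
	}
	return b, nil
}

// Decrypt unwraps this user's copy of the session key, then opens the payload.
func Decrypt(b *Bundle, id string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.SessionKeys[id], nil)
	if err != nil || len(key) != 32 || len(b.Payload) < 12 {
		return nil, rsa.ErrDecryption // not a recipient, or malformed bundle
	}
	return newGCM(key).Open(nil, b.Payload[:12], b.Payload[12:], nil)
}
```

The GCM tag means a relay that flips any payload bit causes `Decrypt` to fail rather than return altered text; the bundle carries no sender signature, so it does not by itself prove who wrote the message.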
| Platform | Storage | Backed by |
|---|---|---|
| Web | IndexedDB (idb) | Browser origin |
| Desktop (Wails) | IndexedDB | WebView2 / WebKitGTK |
| Mobile | expo-secure-store | Android Keystore / iOS Keychain |
- Scanner auto-ban: detects vulnerability probes (`.env`, `.php`, `wp-admin`, etc.), bans IPs after 8 hits in 60 s for 2 hours, serves a honeypot page
- Rate limiting: separate limits for auth, API, and WebSocket
- Security headers: CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy
- Body size cap: 512 KB max
- Field-level encryption: PII (emails) encrypted with AES-256-GCM at rest using a server-side key
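The scanner auto-ban rule from the list above as a sliding-window counter. This is an added example, not code from the project's `middleware/` package: `ScanGuard`, `NewScanGuard`, `Observe` and the substring matching are assumptions, and only the three probe patterns the README names are included.

```go
package main

import (
	"slices"
	"strings"
	"sync"
	"time"
)

// Thresholds stated in the README: 8 probe hits within 60 s earn a 2-hour ban.
const maxHits, window, banFor = 8, 60 * time.Second, 2 * time.Hour

// Only the three patterns the README names; its full list ("etc.") is not shown.
var probeMarkers = []string{".env", ".php", "wp-admin"}

// ScanGuard counts probe hits per client IP in a sliding window.
type ScanGuard struct {
	mu     sync.Mutex
	hits   map[string][]time.Time // ip -> probe timestamps inside the window
	banned map[string]time.Time   // ip -> ban expiry
}

func NewScanGuard() *ScanGuard { return &ScanGuard{hits: map[string][]time.Time{}, banned: map[string]time.Time{}} }

// Observe records one request and reports whether ip is banned as of now.
func (g *ScanGuard) Observe(ip, path string, now time.Time) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if until, ok := g.banned[ip]; ok && now.Before(until) {
		return true // still banned: the caller serves the honeypot page
	}
	delete(g.banned, ip) // expired, or never banned
	lower := strings.ToLower(path)
	if !slices.ContainsFunc(probeMarkers, func(m string) bool { return strings.Contains(lower, m) }) {
		return false // ordinary request: never counted
	}
	recent := []time.Time{now}
	for _, t := range g.hits[ip] {
		if now.Sub(t) < window {
			recent = append(recent, t) // keep only hits still inside the window
		}
	}
	g.hits[ip] = recent
	if len(recent) >= maxHits {
		delete(g.hits, ip)
		g.banned[ip] = now.Add(banFor)
	}
	return len(recent) >= maxHits
}
```

When this sits behind a reverse proxy, take `ip` from a header only if a trusted proxy sets it; otherwise a client can spoof the address and get someone else banned.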
```
amoon-eclipse/
├── apps/
│   ├── web/                      # React + Vite + Tailwind
│   ├── mobile/                   # React Native + Expo
│   └── desktop/                  # Wails v2 (Go + React)
│
└── packages/
    ├── common/
    │   └── src/
    │       └── crypto-engine.ts  # Shared E2EE, runs on all 3 platforms
    │
    └── server/                   # Go backend
        ├── cmd/server/main.go    # Router, middleware, graceful shutdown
        └── internal/
            ├── auth/             # Register, login, OAuth, TOTP, key management
            ├── messages/         # E2EE message store + WebSocket push
            ├── rooms/            # DM and group rooms
            ├── friends/          # Friend requests
            ├── users/            # Profile, search
            ├── notes/            # Self-destructing notes
            ├── calls/            # WebRTC TURN credentials (Cloudflare)
            ├── blocks/           # User blocking
            ├── moderation/       # Chat bans, harassment tracking
            ├── pending/          # Pending messages (pre-friend)
            ├── ws/               # WebSocket hub (rooms + P2P signaling)
            ├── middleware/       # JWT auth, rate limit, scanner ban, security headers
            ├── crypto/           # AES-GCM field encryption, HMAC tokens
            ├── db/               # MySQL connection + schema
            ├── email/            # SMTP mailer
            └── config/           # Env + .env file loader
```
| Feature | Status |
|---|---|
| End-to-end encrypted DM | ✅ |
| End-to-end encrypted group chat | ✅ |
| WebRTC P2P voice/video calls | ✅ |
| Real-time WebSocket delivery | ✅ |
| Friend system | ✅ |
| Pending messages (pre-friend) | ✅ |
| Self-destructing notes | ✅ |
| Google OAuth | ✅ |
| TOTP two-factor authentication | ✅ |
| Passphrase key backup & recovery | ✅ |
| User blocking | ✅ |
| Admin moderation tools | ✅ |
| Web app | ✅ |
| Android / iOS (Expo) | ✅ |
| Desktop: Windows / macOS / Linux (Wails) | ✅ |
- Go 1.22+
- Node.js 20+ and pnpm 9+
- MySQL 8+ or MariaDB 10.6+
```bash
git clone https://github.com/your-org/amoon-eclipse
cd amoon-eclipse
pnpm install
```

```sql
CREATE DATABASE amoon CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'amoon'@'%' IDENTIFIED BY 'yourpassword';
GRANT ALL PRIVILEGES ON amoon.* TO 'amoon'@'%';
```

```bash
mysql -u amoon -p amoon < packages/server/internal/db/schema.sql
```

```bash
cd packages/server
```

Create a `.env` file:

```env
DB_DSN=amoon:yourpassword@tcp(localhost:3306)/amoon?parseTime=true&charset=utf8mb4
JWT_SECRET=<output of: openssl rand -hex 32>
DB_ENCRYPTION_KEY=<output of: openssl rand -hex 32>
DB_HMAC_KEY=<output of: openssl rand -hex 32>
PORT=8080
BASE_URL=http://localhost:8080
ALLOWED_ORIGINS=http://localhost:5173

# Optional
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
SMTP_HOST=
SMTP_PORT=587
SMTP_USER=
SMTP_PASS=
CF_TURN_TOKEN_ID=
CF_TURN_API_TOKEN=
```

Build and run:

```bash
go build -o amoon-server ./cmd/server/
./amoon-server
# AMoon Eclipse server running on :8080
```

```bash
cd apps/web
echo "VITE_API_URL=http://localhost:8080" > .env.local
pnpm dev
```

```bash
cd apps/mobile
echo "EXPO_PUBLIC_API_URL=http://YOUR_LOCAL_IP:8080" > .env
npx expo start
```

```bash
# Requires Wails CLI: go install github.com/wailsapp/wails/v2/cmd/wails@latest
cd apps/desktop/wails-app
wails dev
```

| Variable | Required | Description |
|---|---|---|
| `DB_DSN` | β | MySQL DSN |
| `JWT_SECRET` | β | Token signing key |
| `DB_ENCRYPTION_KEY` | β | 64-char hex, AES-256 for PII at rest |
| `DB_HMAC_KEY` | β | 64-char hex, HMAC for email lookup tokens |
| `PORT` | β | HTTP listen port (default: 8080, or `P_SERVER_PORT`) |
| `BASE_URL` | β | Public URL for OAuth redirect URIs |
| `ALLOWED_ORIGINS` | β | CORS origins, comma-separated (default: `*`) |
| `GOOGLE_CLIENT_ID/SECRET` | β | Google OAuth |
| `CF_TURN_TOKEN_ID/API_TOKEN` | β | Cloudflare TURN for WebRTC |
| `SMTP_*` | β | Email (password reset, verification) |
| `FACEBOOK_APP_ID` | β | Facebook token verification |
The server reads `.env` from the working directory at startup. Real environment variables always override `.env` values.
```bash
# Cross-compile for Linux
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
  go build -o amoon-server ./cmd/server/

# Upload binary + .env to server
scp amoon-server .env user@yourhost:/opt/amoon/

# Run (use systemd, PM2, or your preferred process manager)
cd /opt/amoon && ./amoon-server
```

Works with the Generic Go egg out of the box:

- Set `EXECUTABLE` to `amoon-server`
- Startup command: `./${EXECUTABLE}`
- Drop a `.env` file into the container; the server loads it automatically
- `PORT` falls back to `P_SERVER_PORT` (Pterodactyl's primary allocation port) if not explicitly set
Pull requests are welcome. For major changes please open an issue first to discuss.
- Fork the repository
- Create a feature branch: `git checkout -b feat/my-feature`
- Commit your changes
- Open a Pull Request

Important: Do not break the E2EE bundle format. The `packages/common/src/crypto-engine.ts` format must remain compatible across Web, Mobile, and Desktop. Any change to `encryptMessage` / `decryptMessage` must be reflected on all three platforms.
Copyright (C) 2026 AMoon Team & CongMC Dev Team
This project is licensed under the GNU Affero General Public License v3.0. See LICENSE for the full text.
In short: you are free to use, modify, and distribute this software, but any modified version you deploy as a network service must also be released as open source under the same license.
Built with ❤️ by AMoon Team & CongMC Dev Team
The server is blind. The key is yours.