Mernchat is a secure, real-time messaging platform built with Next.js 15, Socket.IO, and end-to-end encryption (E2EE) to ensure privacy-first communication. Designed for seamless group chats, reactions, file sharing, and OAuth login, this app is the perfect solution for secure online conversations.
- Real-time Messaging β Instantly send and receive messages.
- Voice Notes β Record and send encrypted voice messages in private chats (not encrypted in group chats).
- Typing Indicators β See when someone is typing (supports multiple users typing simultaneously in group chats).
- Message Editing β Edit messages after sending (with an edit indicator).
- Message Reactions β React to messages with emojis (double-tap to like/unlike).
- Message Deletion β Delete messages after sending.
- Message Replies β Reply to specific messages in a chat, whether sent by you or others.
- Peer-to-Peer Calls β High-quality, voice and video calls (powered by Webrtc).
- Call History β View and manage past call logs.
- Push Notifications β Stay updated with real-time alerts (powered by Firebase).
- User Presence β See whoβs online in real time.
- Friends System β Add friends and chat with them.
- Group Chats β Create and participate in group conversations.
- Polling β Create polls with single/multiple voting options.
- GIF Support β Send animated GIFs (powered by Tenor).
- File Sharing β Send and receive files securely.
- End-to-End Encryption (E2EE) β Secure messages with advanced encryption.
- Private Key Recovery β Retrieve your encryption key with MFA-protected email verification.
- OAuth Integration β Sign in with Google & GitHub.
- PWA Support β Install next-js-chat-app as a Progressive Web App for a native-like experience.
At this project Mernchat, i have taken privacy and security seriously. The app is built, designed, and structured with user privacy in mind, ensuring that certain messages remain completely inaccessibleβeven to me as a developer.
Private one-on-one text messages and voice notes are end-to-end encrypted using AES-256-GCM + ECDH. This means:
β
No oneβincluding me as the developerβcan access your private chats or private voice notes.
β
Text messages sent in private chats (between two users) and voice notes sent in private chats (between two users) are encrypted at the senderβs device and only decrypted on the recipientβs device.
β
Even if I access the database directly, I cannot read or retrieve private messages or private voice notes in plain text/data
For full transparency, hereβs a snapshot of how private messages and private voice notes are stored in the databaseβfully encrypted and unreadable to anyone, including myself.
While all data is stored securely, end-to-end encryption is only applied to private text messages and private voice notes. The following are not end-to-end encrypted:
β Group chats
β Audio & video calls (powered by webrtc)
β Media files (images, videos, GIFs, documents, attachments, etc.)
These features are still securely transmitted and stored, but they do not follow the same encryption standard as private messages and private voice notes.
At Mernchat, i am committed to transparency and security. As i continue improving, my aim is to enhance encryption features for even greater privacy in future updates.
βοΈ Startups & Teams β Secure & private team collaboration π
βοΈ Developers β Learn how to build a real-time chat app π¨βπ»
βοΈ Open-Source Enthusiasts β Contribute & improve the project π
βοΈ Personal Use β Chat privately with friends & family π¬
- βοΈ Next.js 15 + React 19 β Modern full-stack React framework.
- π οΈ Redux Toolkit + React-Redux β Efficient global state management.
- π React Hook Form + Zod β Form handling & schema validation.
- π Socket.IO Client β Real-time communication.
- π Date-fns β Date & time utilities.
- π₯ Framer Motion + Lottie-React β Animations & dynamic UI effects.
- π₯ Firebase β Push notifications & backend integration.
- π Tailwind CSS β Responsive & scalable UI.
- π Nodemailer β Email handling.
- π bcryptjs + jose β Authentication & encryption.
- π¬ Emoji-Picker-React + Gif-Picker-React β Interactive media in chat.
- π οΈ Prisma ORM β Database management.
- π’ Node.js + Express β Scalable backend API.
- π Socket.IO β Real-time bidirectional communication.
- ποΈ Prisma ORM β Type-safe database management.
- π JWT Authentication (jsonwebtoken) β Secure authentication.
- βοΈ Cloudinary β Cloud storage for images & files.
- π§ Nodemailer β Email notifications & MFA verification.
- π Passport.js + Google OAuth β OAuth-based authentication.
- π₯ Firebase Admin SDK β Push notifications.
- π‘οΈ Helmet β Security headers for protection.
- π Morgan β HTTP request logging.
- πͺ Cookie-Parser β Secure cookie handling.
- π οΈ Multer β File uploads.
- π CORS β Cross-origin requests.
- π οΈ UUID β Unique ID generation.
- βοΈ dotenv β Environment variable management.
git clone https://github.com/RishiBakshii/nextjs-chat-app
cd nextjs-chat-app- Navigate to the backend folder.
- Rename
.env.development.exampleto.env.development. - Rename
.env.production.exampleto.env.production. - Replace the placeholder values with actual credentials.
- Create a
firebase-admin-cred.jsonfile insidebackend/src/(root level ofsrc). This file should contain your Firebase service account credentials required for Firebase push notifications. - π Example
backend/src/firebase-admin-cred.jsonfile, Paste your own cred here provided by firebase
{
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "your-private-key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\nYOUR_PRIVATE_KEY\n-----END PRIVATE KEY-----\n",
"client_email": "your-client-email",
"client_id": "your-client-id",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "your-client-x509-cert-url",
"universe_domain": "googleapis.com"
}- Navigate to the frontend folder.
- Rename
.env.development.exampleto.env.development. - Rename
.env.production.exampleto.env.production. - Replace the placeholder values with actual credentials.
π¨ Important Notes:
- Never expose sensitive credentials to client side by prefixing them with
NEXT_PUBLIC_. - Ensure the correct Firebase cred and API URLs are set.
cd backend
npm install
npm run devThe backend will start at http://localhost:8000.
cd next-js-frontend
npm install
npm run devVisit http://localhost:3000 in your browser.
These scripts are defined in package.json under the next-js-frontend folder:
{
"db:push:dev": "dotenv -e .env.development -- npx prisma db push",
"db:push:prod": "dotenv -e .env.production -- npx prisma db push",
"migrate:dev": "dotenv -e .env.development -- npx prisma migrate deploy",
"migrate:prod": "dotenv -e .env.production -- npx prisma migrate deploy"
}If you just need to sync the database schema without migrations:
- Development:
npm run db:push:dev
- Production:
npm run db:push:prod
If you are making structural changes and need to apply existing migrations:
- Development:
npm run migrate:dev
- Production:
npm run migrate:prod
π Note:
db pushis useful when setting up the database initially or for quick schema changes without migration tracking.migrate deployensures existing migrations are applied in production and development.
Contributions are welcome! To contribute:
- Fork the repository.
- Create a branch:
git checkout -b feature-branch
- Commit your changes:
git commit -m "Add new feature" - Push to GitHub:
git push origin feature-branch
- Open a Pull Request π
For feedback or queries, reach out:
π LinkedIn @Rishi Bakshi
π© [email protected]
