Quest-Lock

Quest-Lock is a tool for digital detoxes that locks users out of their social media by splitting their password into shares that can only be recovered by completing real world quests.

https://quest-lock.com

Overview

#saas #security #encryption #maps #Rust #TypeScript #SQL #Axum #React #Vite #SQLx

Repositories

Components

Backend API

backend

Rust · Axum

Hosted on GCP – Cloud Run

  • PostgreSQL with SQLx; Auth0 JWT validation

Frontend App

frontend

TypeScript · React (Vite)

Hosted on Cloudflare – Pages

  • Mapbox GL, client-side encryption, TanStack Query

Database

db

SQL · PostgreSQL

Hosted on GCP – Cloud SQL

Technical Notes

Backend runs on Google Cloud Run with containerized deployment via GitHub Actions. The frontend is a Vite/React application with Auth0 authentication and Mapbox for geospatial quests.

Zero-Knowledge

The system is designed so that Quest-Lock never has access to a user’s new password. This is achieved through client-side encryption and a secret-sharing scheme.

  1. Password Generation & Splitting:
    • A user plans n quests and generates a new, secure password on the client.
    • This password is then split into 2n cryptographic shares using Shamir’s Secret Sharing.
  2. Share Distribution & Storage:
    • All 2n shares are encrypted client-side before any transmission.
    • The user’s device stores n of the encrypted shares locally.
    • The remaining n shares are stored on the server, with each share being locked behind one of the n quests.
  3. Reconstruction Threshold:
    • To reconstruct the password, a threshold of k shares is required.
    • The system enforces that k is always greater than n (k > n).

This model ensures that neither the user (with only n shares) nor the server (with only n shares) possesses enough information to reconstruct the password independently. Access requires the user to complete a sufficient number of quests to combine their local shares with the server-held shares, meeting the k threshold.
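The split and threshold described above, as an added example (not Quest-Lock's own code). It assumes a per-byte Shamir scheme over the prime field GF(257) and leaves out the client-side encryption of shares; `P`, `Share`, `split`, `recover` and `demo` are hypothetical names.

```typescript
const P = 257; // assumed demo field GF(257): every byte value is a field element
type Share = { x: number; ys: number[] };
const mod = (a: number): number => ((a % P) + P) % P;
function inv(a: number): number { // a^(P-2) mod P, Fermat's little theorem
  let r = 1;
  for (let i = 0; i < P - 2; i++) r = (r * a) % P;
  return r;
}
// Uniform field element from the CSPRNG; 65536 = 255 * 257 + 1, so only 65535 is rejected.
function randomElement(): number {
  const buf = new Uint16Array(1);
  do { (globalThis as any).crypto.getRandomValues(buf); } while (buf[0] >= 65535);
  return buf[0] % P;
}
// 2n shares, threshold k. k > n is the page's rule; k <= 2n keeps recovery possible at all.
function split(secret: number[], n: number, k: number): Share[] {
  if (k <= n || k > 2 * n || 2 * n >= P) throw new RangeError("need n < k <= 2n < 257");
  const shares: Share[] = [];
  for (let x = 1; x <= 2 * n; x++) shares.push({ x, ys: [] });
  for (const byte of secret) {
    const coeffs = [byte]; // constant term is the secret byte
    for (let i = 1; i < k; i++) coeffs.push(randomElement());
    for (const s of shares) {
      let y = 0; // Horner evaluation of the degree k-1 polynomial at s.x
      for (let i = k - 1; i >= 0; i--) y = mod(y * s.x + coeffs[i]);
      s.ys.push(y);
    }
  }
  return shares;
}
// Lagrange interpolation at x = 0 over whichever shares are supplied.
function recover(shares: Share[]): number[] {
  return shares[0].ys.map((_, b) => shares.reduce((acc, si) => {
    let num = 1, den = 1;
    for (const sj of shares) if (sj.x !== si.x) {
      num = mod(num * -sj.x);
      den = mod(den * (si.x - sj.x));
    }
    return mod(acc + si.ys[b] * num * inv(den));
  }, 0));
}

function demo(n = 3, k = 5) {
  const secret = "constructed-pw-1".split("").map((c) => c.charCodeAt(0)); // constructed sample
  const shares = split(secret, n, k);
  const local = shares.slice(0, n), server = shares.slice(n); // device half, server half
  const unlocked = server.slice(0, k - n); // one server share per completed quest
  return { secret, localOnly: recover(local), serverOnly: recover(server), afterQuests: recover(local.concat(unlocked)) };
}
```

With n = 3 and k = 5, neither half interpolates to the secret on its own, and the password is recovered once k - n = 2 quests have released their shares.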

Performance & Security

Load Performance

  • Static assets served from Cloudflare Pages with global edge caching; fast TTFB and repeat visits.
  • React app built with Vite; optimized bundles and route-based code splitting keep the initial payload lean.
  • There is no separate marketing page: the landing page and the app are a single application, which makes it a little harder to optimize.

Security

  • Zero‑knowledge model; client‑side encryption and Shamir’s Secret Sharing; server cannot reconstruct secrets.
  • Auth0 JWT validation on the API; all endpoints require verified tokens.
  • TLS enforced end‑to‑end.