design – Designing a privnote clone – security considerations

I’d like to build a simple privnote-type clone for fun. The idea is this:

  1. User A writes a note in their browser, browser encrypts it client-side
  2. Server saves the pre-encrypted note without knowing the decryption key
  3. User A then sends a link like abc.hidden/mynoteid#mydecryptionkey to user B
  4. User B decrypts the message on a local browser

The question I’m struggling with is this – should the server allow anyone to fetch abc.hidden/mynoteid? The server being able to decrypt messages (I’d like this to be entirely immune to logging of any sort, with all encryption/decryption happening client-side) defeats the entire purpose.

Because the notes are one-time-use-only, fetching a note must destroy it. But how can I know that a correct decryption key was supplied without decrypting the message server-side, exposing it to logging?

Lastly, would a React app and a generic REST server with Redis to store messages suffice for this task? (Supposing that messages have a TTL, Redis seems an ideal choice.) What happens if a malicious actor gains access somehow (without knowing the decryption keys, which should be generated on the spot and only just once)?

What encryption algorithm is best suited for this task? I don’t think we need 10 seconds of bcrypt “work”.

I understand that sending sensitive info over the internet is yucky, but it happens a lot, and if it does happen in a proverbial “marketing department”, having a tool like that could ease some worries about PII.

Plus, I think it’s a fun project either way.