From dc1d65ac158bbca4c1f6514857260e6d9fe52321 Mon Sep 17 00:00:00 2001
From: a2nr
Date: Wed, 22 Apr 2026 16:56:02 +0700
Subject: [PATCH] remove blacklist logout feature
---
 documentation.md | 7 +------
 proposal.md | 3 ++-
 routes/auth.py | 6 +-----
 services/token_service.py | 12 ------------
 4 files changed, 4 insertions(+), 24 deletions(-)
diff --git a/documentation.md b/documentation.md
index 1e9482a..3335013 100644
--- a/documentation.md
+++ b/documentation.md
@@ -491,11 +491,6 @@ Untuk mencegah penebakan token secara massal, terutama pada jaringan WiFi sekola
 - **Rate Limiting**: Endpoint `/api/login` dibatasi maksimal **50 request per menit per IP**. Angka ini diatur untuk mengakomodasi satu kelas (50 siswa) yang login bersamaan tanpa saling memblokir.
 - **Tarpitting (Login Delay)**: Setiap percobaan login yang **gagal** akan ditahan selama **1.5 detik** sebelum server memberikan respons. Ini melumpuhkan efektivitas alat brute-force otomatis tanpa mengganggu pengalaman siswa asli yang hanya sesekali salah ketik.
-### 3. Session Invalidation (Token Blacklist)
-Mekanisme logout server-side untuk memastikan token tidak bisa digunakan kembali setelah sesi berakhir.
-- **Mekanisme**: Menggunakan `LOGOUT_BLACKLIST` (in-memory set) di Flask backend.
-- **Flow**: Saat user klik logout, token ditambahkan ke blacklist. Semua request berikutnya dengan token tersebut akan ditolak oleh `validate_token()`.
-
 ---
 ## Touch Crosshair System (CircuitJS)
@@ -602,7 +597,7 @@ Redo (Ctrl+Shift+Z / toolbar button)
 - [x] Velxio integration di Elemes (bridge, parsing, UI, evaluasi)
 - [x] Mobile wiring UX (pinch-zoom preserve wire, crosshair alignment)
 - [x] Wire undo/redo (snapshot-based, Ctrl+Z/Ctrl+Shift+Z, toolbar button, mobile-friendly)
-- [x] Security Review & Hardening (Cookie security, Rate limiting, Tarpitting, Blacklisting)
+- [x] Security Review & Hardening (Cookie security, Rate limiting, Tarpitting)
 - [x] Contoh lesson Arduino (LED Blink)
 - [ ] PWA (service worker, offline caching)
 - [ ] Contoh lesson Arduino tambahan (2-3 lagi)
diff --git a/proposal.md b/proposal.md
index b959638..dff7827 100644
--- a/proposal.md
+++ b/proposal.md
@@ -127,10 +127,11 @@ response.set_cookie('student_token', token, httponly=True, secure=False, samesit
 - **Insider Threat**: Guru yang sudah tidak aktif masih bisa akses jika tokennya tidak dihapus dari CSV.
 **Task Perbaikan**:
-- [x] **Token Blacklist**: Implementasikan in-memory blacklist untuk token yang sudah logout.
+- [ ] **Token Blacklist**: (Sempat diimplementasi, namun dihapus agar user/guru tidak terkunci saat pengujian token).
 - [ ] **Token Versioning**: Tambahkan timestamp/version di token, invalidate jika mismatch dengan database.
 - [ ] **Force Logout API**: Endpoint untuk guru force logout semua session siswa (useful saat ujian).
+
 ---
 ### 🟠 7. HTTP Security Headers (MEDIUM-HIGH RISK)
diff --git a/routes/auth.py b/routes/auth.py
index 0810636..69502e7 100644
--- a/routes/auth.py
+++ b/routes/auth.py
@@ -7,7 +7,7 @@ import time
 from flask import Blueprint, request, jsonify
 from extensions import limiter
-from services.token_service import validate_token, blacklist_token
+from services.token_service import validate_token
 auth_bp = Blueprint('auth', __name__)
@@ -53,10 +53,6 @@ def login():
 def logout():
 """Handle student logout."""
 try:
- token = request.cookies.get('student_token')
- if token:
- blacklist_token(token)
-
 response = jsonify({'success': True, 'message': 'Logout successful'})
 response.set_cookie('student_token', '', expires=0)
 return response
diff --git a/services/token_service.py b/services/token_service.py
index 6337565..76ada50 100644
--- a/services/token_service.py
+++ b/services/token_service.py
@@ -8,15 +8,6 @@ import os
 from config import TOKENS_FILE
-# In-memory blacklist for tokens that have logged out
-LOGOUT_BLACKLIST = set()
-
-
-def blacklist_token(token):
- """Add a token to the logout blacklist."""
- if token:
- LOGOUT_BLACKLIST.add(token)
-
 def get_teacher_token():
 """Return the teacher token (first data row in CSV)."""
@@ -38,9 +29,6 @@ def is_teacher_token(token):
 def validate_token(token):
 """Validate if a token exists in the CSV file and return student info."""
- if not token or token in LOGOUT_BLACKLIST:
- return None
-
 if not os.path.exists(TOKENS_FILE):
 return None
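Review bot: With the `blacklist_token()` call gone, `logout()` only clears the browser cookie; nothing changes server-side, so the same `student_token` value keeps passing `validate_token()` until its row is removed from the CSV, and any copy of the cookie (issued with `secure=False` per the proposal.md context line) outlives the logout. The commit message presents this as a deliberate trade-off, so the docstring should say so instead of implying a session ends here: `"""Clear the student_token cookie. Client-side only: the token stays valid server-side until it is removed from the tokens CSV."""`. If the lockout that motivated the removal came from several users sharing one token, a per-login session id rather than the raw token would let a future blacklist or the planned Token Versioning item invalidate one session without locking out the others — worth noting next to that item. The `try:` opened in this hunk is closed outside it.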
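Review bot: The removed guard in `validate_token()` carried the empty-token short-circuit along with the blacklist check, so the function now goes on to read the CSV for `None` or `''` and returns `None` only if the row comparison further down (outside this hunk) happens to miss; depending on how that comparison is written, an empty token could match a row whose token cell is empty. Keep the non-blacklist half of the check ahead of the file test: `if not token:` / `return None` before `if not os.path.exists(TOKENS_FILE):`. The rest of validate_token's body continues past the end of the hunk.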