elemes

Author	SHA1	Message	Date
a2nr	e4c68b2894	feat(security): implement anonymous access with rate limiting and secure proxy, harden authentication and implement session protection Implements multiple layers of security to address high-risk session and authentication vulnerabilities identified in the security review: - Allow code compilation (C, Python, Arduino) for anonymous users. - Enforce a 1-request-per-2-minutes rate limit for anonymous IPs. - Implement a global anonymous compilation queue with 20 concurrent slots. - Proxy Velxio (Arduino) compilation through Flask to prevent API hijacking. - Exempt authenticated users (tokens/cookies) from all rate limits. - Fix networking and DNS resolution in podman-compose. - Fix Svelte a11y warnings and trailing slash routing issues. - Cookie Security: Added dynamic 'secure' flag support via COOKIE_SECURE env variable for HTTPS/Tailscale Funnel compatibility. - Rate Limiting: Integrated Flask-Limiter on /login (50 req/min) to prevent API abuse while accommodating shared school networks (NAT). - Tarpitting: Added 1.5s artificial delay on failed logins to neutralize automated brute-force tools without blocking legitimate users. - Session Invalidation: Implemented an in-memory token blacklist on logout to ensure session tokens cannot be reused. - Documentation: Updated technical docs and proposal status to reflect the current security architecture. Ref: @elemes/proposal.md (Poin 6.1, 6.2, 6.3)	2026-04-22 12:57:54 +07:00
a2nr	a0d6f2615a	feat: Implement anti copy-paste system and enhance asset proxying - Added proxy handling for `/assets/` in `sinau-c-tail.json` to route requests to the asset server. - Enhanced `hooks.server.ts` to support proxying for both `/api/` and `/assets/` endpoints, including handling binary content. - Introduced an anti copy-paste system in the lesson page to prevent text selection and copying from lesson content. - Updated `CodeEditor.svelte` to prevent pasting from external sources with multiple layers of protection. - Improved lesson page structure to support floating editor functionality and mobile responsiveness. - Added celebration overlay for successful code completion in the lesson page. - Adjusted `vite.config.ts` to include asset proxy configuration. - Modified `podman-compose.yml` for production deployment with gunicorn and updated network settings.	2026-03-26 13:52:59 +07:00
a2nr	d2b6d62b28	refactor to make it better	2026-03-25 09:39:51 +07:00

Author

SHA1

Message

Date

a2nr

feat(security): implement anonymous access with rate limiting and secure proxy, harden authentication and implement session protection

Implements multiple layers of security to address high-risk session
   and authentication vulnerabilities identified in the security review:

   - Allow code compilation (C, Python, Arduino) for anonymous users.
   - Enforce a 1-request-per-2-minutes rate limit for anonymous IPs.
   - Implement a global anonymous compilation queue with 20 concurrent slots.
   - Proxy Velxio (Arduino) compilation through Flask to prevent API hijacking.
   - Exempt authenticated users (tokens/cookies) from all rate limits.
   - Fix networking and DNS resolution in podman-compose.
   - Fix Svelte a11y warnings and trailing slash routing issues.
   - Cookie Security: Added dynamic 'secure' flag support via COOKIE_SECURE
     env variable for HTTPS/Tailscale Funnel compatibility.
   - Rate Limiting: Integrated Flask-Limiter on /login (50 req/min) to
     prevent API abuse while accommodating shared school networks (NAT).
   - Tarpitting: Added 1.5s artificial delay on failed logins to neutralize
     automated brute-force tools without blocking legitimate users.
   - Session Invalidation: Implemented an in-memory token blacklist on
     logout to ensure session tokens cannot be reused.
   - Documentation: Updated technical docs and proposal status to reflect
     the current security architecture.

   Ref: @elemes/proposal.md (Poin 6.1, 6.2, 6.3)

2026-04-22 12:57:54 +07:00

a2nr

a0d6f2615a

feat: Implement anti copy-paste system and enhance asset proxying

- Added proxy handling for `/assets/` in `sinau-c-tail.json` to route requests to the asset server.
- Enhanced `hooks.server.ts` to support proxying for both `/api/*` and `/assets/*` endpoints, including handling binary content.
- Introduced an anti copy-paste system in the lesson page to prevent text selection and copying from lesson content.
- Updated `CodeEditor.svelte` to prevent pasting from external sources with multiple layers of protection.
- Improved lesson page structure to support floating editor functionality and mobile responsiveness.
- Added celebration overlay for successful code completion in the lesson page.
- Adjusted `vite.config.ts` to include asset proxy configuration.
- Modified `podman-compose.yml` for production deployment with gunicorn and updated network settings.

2026-03-26 13:52:59 +07:00

a2nr

d2b6d62b28

refactor to make it better

2026-03-25 09:39:51 +07:00

3 Commits (dc1d65ac158bbca4c1f6514857260e6d9fe52321)