a2nr
/
elemes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
62 Commits
1 Branch
1 Tag
6.2 MiB
Commit Graph

8 Commits (dce4916b94bc901dfd24e548526f6c950891cd49)

Author SHA1 Message Date
a2nr dc1d65ac15 remove blacklist logout feature 2026-04-22 16:56:02 +07:00
a2nr e4c68b2894 feat(security): implement anonymous access with rate limiting and secure proxy, harden authentication and implement session protection 
Implements multiple layers of security to address high-risk session
   and authentication vulnerabilities identified in the security review:

   - Allow code compilation (C, Python, Arduino) for anonymous users.
   - Enforce a 1-request-per-2-minutes rate limit for anonymous IPs.
   - Implement a global anonymous compilation queue with 20 concurrent slots.
   - Proxy Velxio (Arduino) compilation through Flask to prevent API hijacking.
   - Exempt authenticated users (tokens/cookies) from all rate limits.
   - Fix networking and DNS resolution in podman-compose.
   - Fix Svelte a11y warnings and trailing slash routing issues.
   - Cookie Security: Added dynamic 'secure' flag support via COOKIE_SECURE
     env variable for HTTPS/Tailscale Funnel compatibility.
   - Rate Limiting: Integrated Flask-Limiter on /login (50 req/min) to
     prevent API abuse while accommodating shared school networks (NAT).
   - Tarpitting: Added 1.5s artificial delay on failed logins to neutralize
     automated brute-force tools without blocking legitimate users.
   - Session Invalidation: Implemented an in-memory token blacklist on
     logout to ensure session tokens cannot be reused.
   - Documentation: Updated technical docs and proposal status to reflect
     the current security architecture.

   Ref: @elemes/proposal.md (Poin 6.1, 6.2, 6.3)
 2026-04-22 12:57:54 +07:00
a2nr a41711fb54 security: implement gVisor sandboxing and harden API endpoints 
- Menambahkan service 'compiler-worker' terpisah untuk isolasi eksekusi kode C/Python.
   - Mengintegrasikan gVisor (runsc) pada worker untuk mencegah RCE pada level kernel.
   - Menggunakan Gunicorn (4 workers) pada compiler-worker untuk mendukung concurrency.
   - Menambahkan otentikasi token wajib pada endpoint /compile dan laporan progres.
   - Memperketat CORS policy menggunakan environment variable ORIGIN.
   - Menerapkan secure_filename pada rute pelajaran untuk mencegah Path Traversal.
   - Mengubah volume mounting backend utama menjadi Read-Only (:ro) untuk perlindungan data.
   - Memperbarui proposal.md dan .env.example dengan standar keamanan terbaru.
 2026-04-21 15:13:16 +07:00
a2nr 89f0967c3e fix: improve JSON parsing robustness in auth routes and update Locust load test scripts with worker management utilities. 2026-04-17 10:50:46 +07:00
a2nr 10548b1f51 feat: add Arduino lesson support, documentation, and load testing utilities with improved CLI feedback 2026-04-11 08:39:57 +07:00
a2nr 997ab78f56 feat: improve evaluation system and update circuit editor to use localStorage for persistence 2026-04-10 14:00:35 +07:00
a2nr 5f57e67a25 feat: Integrate AVR8js microcontroller simulator into Elemes LMS with custom compilation and simulation workflow 2026-04-03 14:20:41 +07:00
a2nr d29c2f2e3e feat: Integrate CircuitJS1 into Elemes LMS 
- Added CircuitJSApi interface for simulator API interaction.
- Updated lesson page to support circuit simulation alongside code execution.
- Implemented separate output states for code and circuit evaluations.
- Enhanced lesson content rendering to include circuit embeds using markdown.
- Refactored backend to process circuit embed syntax and convert to HTML.
- Updated podman-compose configuration to include new environment variable for cursor offset.
- Created a proposal document outlining the feasibility and implementation plan for CircuitJS1 integration.
 2026-03-31 12:08:42 +07:00