Security fixes:
1. Drawings cache now includes userId in cache key to prevent data leakage
between users making identical queries.
2. Socket.io connections now require JWT authentication when auth is enabled.
3. Socket.io join-room verifies drawing ownership before allowing access.
4. Frontend passes auth token when connecting to Socket.io.
Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>
The demonstration tests had incorrect assumptions about how Express
trust proxy works in supertest (no real socket connection). Updated
assertions to match actual behavior while preserving the test's purpose
of showing that trust proxy: true extracts the correct client IP.
- Update test utilities for user authentication
- Update Settings page for authenticated export
- Update docker-compose.yml if needed
- Update package-lock.json files
- Add comprehensive tests for logAuditEvent
- Add tests for getAuditLogs with user filtering
- Test graceful degradation when feature disabled
- Test JSON details parsing
- Follow existing test patterns and style
- Add logAuditEvent function for security event logging
- Add getAuditLogs function for retrieving audit logs
- Gracefully handles disabled feature or missing table
- Feature disabled by default via config flag
- Add POST /auth/register endpoint with email validation
- Add POST /auth/login endpoint with JWT token generation
- Add POST /auth/refresh endpoint for token refresh
- Add GET /auth/me endpoint for current user info
- Add rate limiting for auth endpoints
- Add bcrypt password hashing
- Add JWT access and refresh token generation
- Add enablePasswordReset, enableRefreshTokenRotation, enableAuditLogging flags
- All flags default to false for backward compatibility
- Add getOptionalBoolean helper for parsing boolean env vars
- Update .env.example with feature flag documentation
- Add PasswordResetToken model for password reset flow
- Add RefreshToken model for token rotation tracking
- Add AuditLog model for security event logging
- All features disabled by default via feature flags
- Add User model with email, passwordHash, and name fields
- Add userId foreign key to Drawing and Collection models
- Create initial migration for user authentication
* fix: sync pasted/uploaded images across collaborating tabs
- Implement file delta synchronization to broadcast image file data
- Add periodic file sync check to catch async file data arrival
- Wrap Excalidraw addFiles API to automatically emit file changes
- Enhance socket element-update to include file payloads
- Add comprehensive E2E test for image collaboration scenarios
- Improve CORS flexibility for development localhost ports
Fixes#25: New images not appearing when collaborating - collaborators
now see uploaded images immediately instead of placeholder until refresh.
* perf: increase file sync polling interval from 500ms to 1000ms
Reduces CPU overhead while still catching async file arrivals. Most
updates go through the addFiles wrapper anyway.
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
* pass rest of appState in put request
* fix: support both legacy and current currentItemRoundness formats
Add union type to accept both the old object format {type, value} and
the new enum format for backwards compatibility with existing drawings.
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
Express was not configured to trust proxy headers, causing req.ip to return nginx's internal container IP instead of the actual client IP. In Docker environments, nginx can appear with different internal IPs between requests, causing the CSRF clientId to change and token validation to fail.
* feat(security): implement CSRF protection
* chore: clean up CSRF implementation
- Remove unused generateCsrfToken export from security.ts
- Remove redundant /csrf-token path check (GET already exempt)
- Restore defineConfig wrapper in vitest.config.ts for type safety
* add K8S note in README, fix broken e2e
* feat/upload-bar (#30)
* feat/upload-bar: add a upload bar when user upload file, indicate the upload process
* feat/save-loading-status: add save status when click back button from editor
* fix: address PR review issues in upload and save features
- Replace deprecated substr() with substring() in UploadContext
- Fix broken error handling that checked stale task status
- Fix missing useEffect dependency in UploadStatus
- Fix CSS class conflict in progress bar styling
- Add error recovery for save state in Editor (reset on failure)
- Use .finally() instead of .then() to ensure refresh on upload failure
- Fix inconsistent indentation in UploadContext
* fix e2e tests
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
* chore: pre-release v0.2.1-dev
* Update backend/src/security.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix filename/math random UUID generation
---------
Co-authored-by: AdrianAcala <adrianacala017@gmail.com>
Co-authored-by: adamant368 <60790941+Yiheng-Liu@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Zimeng Xiong