Security fixes:
1. Drawings cache now includes userId in cache key to prevent data leakage
between users making identical queries.
2. Socket.io connections now require JWT authentication when auth is enabled.
3. Socket.io join-room verifies drawing ownership before allowing access.
4. Frontend passes auth token when connecting to Socket.io.
Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>
The demonstration tests had incorrect assumptions about how Express
trust proxy works in supertest (no real socket connection). Updated
assertions to match actual behavior while preserving the test's purpose
of showing that trust proxy: true extracts the correct client IP.
Clarifies that FRONTEND_URL accepts multiple comma-separated URLs
for accessing ExcaliDash from different addresses (e.g., localhost
and LAN IP simultaneously).
- Update test utilities for user authentication
- Update Settings page for authenticated export
- Update docker-compose.yml if needed
- Update package-lock.json files
- Document all security features added
- Document UX improvements added
- Include migration strategy and backward compatibility notes
- Provide enable instructions for optional features
- Add comprehensive tests for logAuditEvent
- Add tests for getAuditLogs with user filtering
- Test graceful degradation when feature disabled
- Test JSON details parsing
- Follow existing test patterns and style
- Add Select All button with CheckSquare/Square icons
- Toggle selection of all drawings in current view
- Match styling with other icon buttons
- Add tooltip for better UX
- Add Login page with email/password form
- Add Register page with email validation
- Add forgot password link to login page
- Update App.tsx with auth routes and AuthProvider
- Add email validation in registration form
- Add AuthContext for managing user authentication state
- Add ProtectedRoute component for route protection
- Update API client with JWT token injection
- Add refresh token rotation support
- Add CSRF token handling
- Add logAuditEvent function for security event logging
- Add getAuditLogs function for retrieving audit logs
- Gracefully handles disabled feature or missing table
- Feature disabled by default via config flag
- Add POST /auth/register endpoint with email validation
- Add POST /auth/login endpoint with JWT token generation
- Add POST /auth/refresh endpoint for token refresh
- Add GET /auth/me endpoint for current user info
- Add rate limiting for auth endpoints
- Add bcrypt password hashing
- Add JWT access and refresh token generation
- Add enablePasswordReset, enableRefreshTokenRotation, enableAuditLogging flags
- All flags default to false for backward compatibility
- Add getOptionalBoolean helper for parsing boolean env vars
- Update .env.example with feature flag documentation
- Add PasswordResetToken model for password reset flow
- Add RefreshToken model for token rotation tracking
- Add AuditLog model for security event logging
- All features disabled by default via feature flags
- Add User model with email, passwordHash, and name fields
- Add userId foreign key to Drawing and Collection models
- Create initial migration for user authentication
- Added a new `LoginAttempt` model to track login attempts, including rate limiting and lockout functionality.
- Introduced environment variables for configuring login rate limits and maximum failures.
- Updated the authentication middleware to handle login attempts and enforce rate limits.
- Enhanced the user model with indexing for username and email for improved lookup performance.
- Modified the `.env.example` file to include new optional authentication settings.
- Updated integration tests to cover new login attempt features and authentication state management.
* fix: sync pasted/uploaded images across collaborating tabs
- Implement file delta synchronization to broadcast image file data
- Add periodic file sync check to catch async file data arrival
- Wrap Excalidraw addFiles API to automatically emit file changes
- Enhance socket element-update to include file payloads
- Add comprehensive E2E test for image collaboration scenarios
- Improve CORS flexibility for development localhost ports
Fixes#25: New images not appearing when collaborating - collaborators
now see uploaded images immediately instead of placeholder until refresh.
* perf: increase file sync polling interval from 500ms to 1000ms
Reduces CPU overhead while still catching async file arrivals. Most
updates go through the addFiles wrapper anyway.
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
* pass rest of appState in put request
* fix: support both legacy and current currentItemRoundness formats
Add union type to accept both the old object format {type, value} and
the new enum format for backwards compatibility with existing drawings.
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
Express was not configured to trust proxy headers, causing req.ip to return nginx's internal container IP instead of the actual client IP. In Docker environments, nginx can appear with different internal IPs between requests, causing the CSRF clientId to change and token validation to fail.
- Introduced a `mustResetPassword` field in the User model to manage password reset requirements.
- Enhanced authentication flow to support password changes, including validation and error handling.
- Updated frontend components to handle password reset scenarios and integrate with the new API endpoints.
- Modified authentication context and hooks to accommodate the new password reset logic.
- Adjusted E2E tests to ensure proper coverage for the password reset functionality.
- Implemented multi-user authentication with role-based access control.
- Added environment variables for initial admin user setup.
- Updated README and example environment file with new authentication options.
- Introduced user and system configuration models in the database schema.
- Enhanced authentication middleware to support user registration and role management.
- Updated frontend to handle new authentication flows, including admin user creation and role updates.
* feat(security): implement CSRF protection
* chore: clean up CSRF implementation
- Remove unused generateCsrfToken export from security.ts
- Remove redundant /csrf-token path check (GET already exempt)
- Restore defineConfig wrapper in vitest.config.ts for type safety
* add K8S note in README, fix broken e2e
* feat/upload-bar (#30)
* feat/upload-bar: add a upload bar when user upload file, indicate the upload process
* feat/save-loading-status: add save status when click back button from editor
* fix: address PR review issues in upload and save features
- Replace deprecated substr() with substring() in UploadContext
- Fix broken error handling that checked stale task status
- Fix missing useEffect dependency in UploadStatus
- Fix CSS class conflict in progress bar styling
- Add error recovery for save state in Editor (reset on failure)
- Use .finally() instead of .then() to ensure refresh on upload failure
- Fix inconsistent indentation in UploadContext
* fix e2e tests
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
* chore: pre-release v0.2.1-dev
* Update backend/src/security.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix filename/math random UUID generation
---------
Co-authored-by: AdrianAcala <adrianacala017@gmail.com>
Co-authored-by: adamant368 <60790941+Yiheng-Liu@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* feat: implement comprehensive testing infrastructure
- Fix image dataURL truncation bug in security.ts with configurable size limits
- Add backend integration tests (22 tests) with Vitest for API validation
- Add frontend unit tests (11 tests) for JSON serialization
- Implement browser-based E2E tests (8 tests) with Playwright
- Create Docker setup for repeatable E2E testing environment
- Add GitHub Actions CI workflow for automated testing
- Update .gitignore for test artifacts and temporary files
Testing Infrastructure:
- Backend: Vitest + Supertest for API integration tests
- Frontend: Vitest + Testing Library for component tests
- E2E: Playwright with Chromium for full browser automation
- CI/CD: GitHub Actions with parallel test execution
Security Improvements:
- Make dataURL size limit configurable (default: 10MB)
- Enhanced validation for image dataURLs
- Block malicious content (javascript:, script tags)
All tests pass: 41 total (22 backend + 11 frontend + 8 E2E)
* feat(tests): add comprehensive E2E tests for dashboard workflows and image persistence
chore(env): update environment variables for consistent API URL usage
fix(api): centralize API request helpers for drawing and collection management
style(DrawingCard): enhance accessibility with ARIA attributes and data-testid for testing
* cleanup/revise documentation
* cleanup/revise documentation
* Add end-to-end tests for drawing CRUD, export/import, search/sort, and theme toggle functionalities
- Implemented E2E tests for drawing creation, editing, and deletion in `drawing-crud.spec.ts`.
- Added tests for export and import features, including JSON and SQLite formats in `export-import.spec.ts`.
- Created tests for searching and sorting drawings by name and date in `search-and-sort.spec.ts`.
- Developed tests for theme toggle functionality to ensure persistence across sessions in `theme-toggle.spec.ts`.
* fix: exclude test files from production build to fix Docker build
* feat: implement comprehensive testing infrastructure (#19)
* bump version 0.1.7
* feat: implement comprehensive testing infrastructure
- Fix image dataURL truncation bug in security.ts with configurable size limits
- Add backend integration tests (22 tests) with Vitest for API validation
- Add frontend unit tests (11 tests) for JSON serialization
- Implement browser-based E2E tests (8 tests) with Playwright
- Create Docker setup for repeatable E2E testing environment
- Add GitHub Actions CI workflow for automated testing
- Update .gitignore for test artifacts and temporary files
Testing Infrastructure:
- Backend: Vitest + Supertest for API integration tests
- Frontend: Vitest + Testing Library for component tests
- E2E: Playwright with Chromium for full browser automation
- CI/CD: GitHub Actions with parallel test execution
Security Improvements:
- Make dataURL size limit configurable (default: 10MB)
- Enhanced validation for image dataURLs
- Block malicious content (javascript:, script tags)
All tests pass: 41 total (22 backend + 11 frontend + 8 E2E)
* feat(tests): add comprehensive E2E tests for dashboard workflows and image persistence
chore(env): update environment variables for consistent API URL usage
fix(api): centralize API request helpers for drawing and collection management
style(DrawingCard): enhance accessibility with ARIA attributes and data-testid for testing
* Add end-to-end tests for drawing CRUD, export/import, search/sort, and theme toggle functionalities
- Implemented E2E tests for drawing creation, editing, and deletion in `drawing-crud.spec.ts`.
- Added tests for export and import features, including JSON and SQLite formats in `export-import.spec.ts`.
- Created tests for searching and sorting drawings by name and date in `search-and-sort.spec.ts`.
- Developed tests for theme toggle functionality to ensure persistence across sessions in `theme-toggle.spec.ts`.
* Update backend/src/__tests__/testUtils.ts
---------
Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
* version bump 0.1.8
* fix(ci): consolidate E2E server startup to prevent shell isolation issues
Background processes started with & in separate GitHub Actions run steps
can terminate when those steps complete because each step creates a new
shell. This caused the backend and frontend servers to die before the
E2E tests could run.
Fixed by consolidating server startup and test execution into a single
shell step with:
- Proper PID tracking for cleanup
- Health check loops instead of fixed sleep times
- All processes run in the same shell session
* fix(ci): use absolute database path for E2E tests
* fix(backend): use resolved DATABASE_URL path for export/import endpoints
---------
Co-authored-by: Adrian Acala <adrianacala017@gmail.com>
- Improve cache key generation using JSON.stringify for consistent formatting
- Add promise deduplication in DrawingCard to prevent redundant API calls for full drawing data
- Clear full data state when drawing ID changes to ensure fresh data loading
- Fix async cache invalidation in drawing update and collection delete endpoints
- Move cache invalidation after database operations in SQLite import endpoint
- Add HydratedDrawingData type for better type safety in drawing data management
- Moved BACKEND_URL configuration to the frontend service in the README.
- Added validation for the generated nginx configuration in the entrypoint script.
- Removed fallback nginx configuration copy from the Dockerfile.
- Adjusted nginx template to ensure proper header formatting.
This improves the deployment process and clarifies configuration instructions.
- Add 5s in-memory cache for /drawings responses with automatic cleanup
- Split Drawing/DrawingSummary types for efficient data fetching
- Implement lazy loading of drawing data in DrawingCard component
- Add configurable DRAWINGS_CACHE_TTL_MS and RATE_LIMIT_MAX_REQUESTS env vars
- Prevent memory leaks with periodic cleanup of cache and rate limit maps
- Add loading states and better UX for export operations
- Improve JSON parsing with error handling for malformed stored data
Benchmark results (100 drawings, cached):
- Avg latency: 6.94ms (p50: 4ms, p97.5: 8ms)
- Avg throughput: 668 req/s (peak: 1,023)
- 3k requests in 5s with 0 errors
Update .gitignore to exclude generated files, env files, and build artifacts
- Added BACKEND_URL environment variable to docker-compose for frontend service.
- Introduced a new entrypoint script to configure nginx with the BACKEND_URL at runtime.
- Created a template for nginx configuration to handle API and WebSocket requests dynamically.
- Updated README with instructions for configuring reverse proxy setups.
Fixes#12
This fork adds optional security features and UX improvements with **zero breaking changes** and **minimal migration overhead**. All security features are **disabled by default** via feature flags.
@@ -74,7 +79,10 @@ See [release notes](https://github.com/ZimengXiong/ExcaliDash/releases) for a sp
# Installation
> [!CAUTION]
> NOT for production use. This is just a side project (and also the first release), and it likely contains some bugs. DO NOT open ports to the internet (e.g. CORS is set to allow all)
> NOT for production use. While attempts have been made at hardening (XSS/dompurify, CORS, rate-limiting, sanitization), they are inadequate for public deployment. Do not expose any ports.
> [!CAUTION]
> ExcaliDash is in BETA. Please backup your data regularly (e.g. with cron).
## Docker Hub (Recommended)
@@ -93,6 +101,10 @@ docker compose -f docker-compose.prod.yml up -d
# Access the frontend at localhost:6767
```
For single-container deployments, `JWT_SECRET` can be omitted and will be auto-generated and persisted in the backend volume on first start. For portability and all multi-instance deployments, set a fixed `JWT_SECRET` explicitly.
By default, the provided Compose files set `TRUST_PROXY=false` for safer setup. Only set `TRUST_PROXY` to a positive hop count (for example, `1`) when requests always pass through a trusted reverse proxy that correctly sets forwarded headers.
When running ExcaliDash behind Traefik, Nginx, or another reverse proxy, configure both containers so that API + WebSocket calls resolve correctly:
-`FRONTEND_URL` (backend) must match the public URL that users hit (e.g. `https://excalidash.example.com`). This controls CORS and Socket.IO origin checks. **Supports multiple comma-separated URLs** for accessing from different addresses.
-`TRUST_PROXY` (backend) should be set to `1` when requests pass through one trusted reverse proxy hop (for example: frontend nginx -> backend) and forwarded headers are sanitized. This ensures rate limiting and logging use the real client IP from trusted proxy headers.
-`BACKEND_URL` (frontend) tells the Nginx container how to reach the backend from inside Docker/Kubernetes. Override it if your reverse proxy exposes the backend under a different hostname.
```yaml
# docker-compose.yml example
backend:
environment:
# Single URL
- FRONTEND_URL=https://excalidash.example.com
# Trust exactly one reverse-proxy hop
- TRUST_PROXY=1
# Or multiple URLs (comma-separated) for local + network access
When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set both `JWT_SECRET` and `CSRF_SECRET` to the same values across all instances.
```bash
# Generate a secure secret
openssl rand -base64 32
```
```yaml
# docker-compose.yml or k8s deployment
backend:
environment:
- JWT_SECRET=your-generated-jwt-secret-here
- CSRF_SECRET=your-generated-secret-here
```
Without this, each container generates its own ephemeral CSRF secret, causing token validation failures when requests are routed to different replicas. Single-container deployments work without this setting.
### Authentication Modes (Local + OIDC)
ExcaliDash supports three auth modes via backend `AUTH_MODE`:
Multi user setup is opt-in, single user by default
Multi-user support for excalidash
- Admin dashboard
- Password reset, force user password reset (admin only), account lockout recovery
- Rate limits
Deprecates .json and .sqlite database backups in favor of .excalidash archives (user scoped, prevents exporting of senstive information). Legacy import is maintained.
**Problem**: Backend used lazy `z.object({}).passthrough()` validation for elements and appState, allowing arbitrary JSON storage without sanitization.
**Attack Vectors**:
- Malicious `.excalidraw` files containing `<script>` tags in element properties
-`javascript:` URIs in link attributes
- SVG previews with embedded malicious code
- Compromised clients sending XSS payloads
**Solution Implemented**:
- **Strict Zod Schemas**: Replaced `.passthrough()` with detailed validation schemas for elements and appState
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
tototomate123
Zimeng Xiong