maxim.dolgolyov/Learn_System
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
64112e56ed908506a6961633ac4ff47f8588bd14
Learn_System/backend/src/controllers/liveController.js
T
Maxim Dolgolyov 952a54f97c security+perf: полное ревью — 17 фиксов P0/P1 (XSS, IDOR, race conditions, rate limits, TURN, WAL) 
## P0
- admin.html:2608, red-book-ecosystem.html:489-495 — XSS: u.name/node.name_ru/description обернуты в LS.esc()
- classController.js getAnnouncements — добавлена проверка teacher_id (B14: учитель A не может читать объявления класса B)

## P1 — auth & validation
- authController.js — минимум пароля 6→8 символов (register + change password + login.html)
- gamificationController adminAward — валидация max XP/coins (1M), Number coercion
- shopController adminAwardCoins — валидация max + проверка changes>0

## P1 — race conditions
- petController.buyBg — atomic UPDATE WHERE coins>=? (race-safe)
- shopController.purchaseItem — atomic conditional UPDATE
- liveController — добавлен question_id в live_answers (миграция с пересозданием таблицы), история ответов сохраняется при смене вопроса учителем
- ws-server: invalidateDrawCache экспортирован, classroomController grant/revoke вызывают его → permission revoke применяется мгновенно (раньше до 10s stale)

## P1 — rate limits & retry
- rateLimit middleware: новый параметр byUser=true (использует req.user.id вместо IP — не блокирует пользователей за NAT)
- routes/classroom.js: reactionLimiter (15/5s) на /chat/:msgId/react, handLimiter (5/5s) на raise/lower hand
- api.js sendAnswer — retry 3x с exp backoff (300/1200/2700ms), не повторяет на 4xx (F5)

## P1 — performance
- classroomController.getStrokes — LIMIT 5000 + флаг hasMore (защита от OOM на 10K+ strokes)
- whiteboard.js _liveStrokes — TTL 1.5s на каждый live preview (auto-cleanup при крашe ремоут юзера)

## Infrastructure
- config.js: TURN_URL/USER/PASS env vars
- server.js: GET /api/ice-servers возвращает STUN + опциональный TURN из env
- classroom-rtc.js: фетчит /api/ice-servers вместо хардкода (поддержка TURN для NAT/CGNAT школьных сетей)
- .env.example: документация TURN
- db.js: PRAGMA synchronous=NORMAL (5x быстрее с WAL), cache_size 16MB, temp_store=MEMORY
- ws-server.js closeAll() + server.js shutdown — graceful WS shutdown при SIGTERM

## False positives (не баги, агенты ошиблись)
- assignmentController FK на tests — на самом деле users (migrate.js:317-318)
- .env в git — gitignore корректно исключает
- admin.html без requireAuth — есть LS.initPage() который вызывает requireAuth
- submissionsController IDOR — обе ручки уже проверяют teacher_id
- screenSender = null inside try/catch — на самом деле снаружи
- SSE без backoff — есть exponential 2s→30s
- sessionController NOT IN на пустом массиве — есть guard usedIds.length>0
- getChat без LIMIT — есть LIMIT 100/200
- trust proxy — установлен на server.js:105

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-23 12:16:08 +03:00

206 lines
8.2 KiB
JavaScript
Raw Blame History

const db = require('../db/db');
const { emit, emitToClass } = require('../sse');
/* POST /api/live — teacher creates live session */
function create(req, res) {
const { class_id } = req.body;
const teacher = req.user;
if (!class_id) return res.status(400).json({ error: 'class_id required' });
const cls = teacher.role === 'admin'
? db.prepare('SELECT id, name FROM classes WHERE id=?').get(class_id)
: db.prepare('SELECT id, name FROM classes WHERE id=? AND teacher_id=?').get(class_id, teacher.id);
if (!cls) return res.status(403).json({ error: 'Forbidden' });
// End any active session for this class
db.prepare(`UPDATE live_sessions SET status='finished', ended_at=datetime('now')
WHERE class_id=? AND status IN ('waiting','active')`).run(class_id);
const { lastInsertRowid } = db.prepare(
`INSERT INTO live_sessions (class_id, teacher_id) VALUES (?,?)`
).run(class_id, teacher.id);
emitToClass(class_id, { type: 'live_started', liveId: lastInsertRowid, className: cls.name });
res.json(db.prepare('SELECT * FROM live_sessions WHERE id=?').get(lastInsertRowid));
}
/* PUT /api/live/:id/question — teacher sets next question */
function setQuestion(req, res) {
const liveId = Number(req.params.id);
const { question_id } = req.body;
const teacher = req.user;
const live = db.prepare('SELECT * FROM live_sessions WHERE id=?').get(liveId);
if (!live) return res.status(404).json({ error: 'Not found' });
if (live.teacher_id !== teacher.id && teacher.role !== 'admin')
return res.status(403).json({ error: 'Forbidden' });
// Don't delete old answers — they're scoped per (session, user, question_id) so history is preserved
db.prepare(`UPDATE live_sessions SET question_id=?, status='active', show_results=0 WHERE id=?`)
.run(question_id, liveId);
const q = db.prepare(
`SELECT q.id, q.text, q.type, q.difficulty, t.name AS topic
FROM questions q LEFT JOIN topics t ON t.id=q.topic_id WHERE q.id=?`
).get(question_id);
const options = db.prepare(
'SELECT id, text, order_index FROM options WHERE question_id=? ORDER BY order_index'
).all(question_id);
emitToClass(live.class_id, { type: 'live_question', liveId, question: { ...q, options } });
res.json({ ok: true, question: { ...q, options } });
}
/* POST /api/live/:id/answer — student submits answer */
function answer(req, res) {
const liveId = Number(req.params.id);
const { option_id, answer_text } = req.body;
const userId = req.user.id;
const live = db.prepare(`SELECT * FROM live_sessions WHERE id=? AND status='active'`).get(liveId);
if (!live) return res.status(404).json({ error: 'Сессия не активна' });
// Verify caller is a member of the class hosting this live session
const isMember = db.prepare(
'SELECT 1 FROM class_members WHERE class_id = ? AND user_id = ?'
).get(live.class_id, userId);
if (!isMember) return res.status(403).json({ error: 'Forbidden' });
if (!live.question_id) return res.status(400).json({ error: 'No active question' });
const existing = db.prepare(
'SELECT id FROM live_answers WHERE live_session_id=? AND user_id=? AND question_id=?'
).get(liveId, userId, live.question_id);
if (existing) return res.status(409).json({ error: 'Уже отвечено' });
let is_correct = null;
if (option_id) {
const opt = db.prepare(
'SELECT is_correct FROM options WHERE id=? AND question_id=?'
).get(option_id, live.question_id);
is_correct = opt ? opt.is_correct : 0;
}
// Atomic INSERT — race-safe via UNIQUE(session, user, question_id)
try {
db.prepare(
`INSERT INTO live_answers (live_session_id, user_id, question_id, option_id, answer_text, is_correct)
VALUES (?,?,?,?,?,?)`
).run(liveId, userId, live.question_id, option_id || null, answer_text || null, is_correct);
} catch (e) {
if (String(e.message).includes('UNIQUE')) return res.status(409).json({ error: 'Уже отвечено' });
throw e;
}
const { c: count } = db.prepare(
'SELECT COUNT(*) AS c FROM live_answers WHERE live_session_id=? AND question_id=?'
).get(liveId, live.question_id);
emit(live.teacher_id, { type: 'live_answer_count', liveId, count });
res.json({ ok: true, is_correct });
}
/* GET /api/live/:id/results — teacher reveals & gets results */
function results(req, res) {
const liveId = Number(req.params.id);
const teacher = req.user;
const live = db.prepare('SELECT * FROM live_sessions WHERE id=?').get(liveId);
if (!live) return res.status(404).json({ error: 'Not found' });
if (live.teacher_id !== teacher.id && teacher.role !== 'admin')
return res.status(403).json({ error: 'Forbidden' });
const question = db.prepare(
'SELECT id, text, explanation FROM questions WHERE id=?'
).get(live.question_id);
const options = db.prepare(`
SELECT o.id, o.text, o.is_correct,
COUNT(la.id) AS chosen_count
FROM options o
LEFT JOIN live_answers la ON la.option_id=o.id AND la.live_session_id=? AND la.question_id=?
WHERE o.question_id=?
GROUP BY o.id ORDER BY o.order_index
`).all(liveId, live.question_id, live.question_id);
const stats = db.prepare(
`SELECT COUNT(*) AS total, SUM(is_correct) AS correct
FROM live_answers WHERE live_session_id=? AND question_id=?`
).get(liveId, live.question_id);
db.prepare('UPDATE live_sessions SET show_results=1 WHERE id=?').run(liveId);
emitToClass(live.class_id, { type: 'live_results', liveId, question, options, stats });
res.json({ question, options, stats });
}
/* DELETE /api/live/:id — teacher ends session */
function end(req, res) {
const liveId = Number(req.params.id);
const teacher = req.user;
const live = db.prepare('SELECT * FROM live_sessions WHERE id=?').get(liveId);
if (!live) return res.status(404).json({ error: 'Not found' });
if (live.teacher_id !== teacher.id && teacher.role !== 'admin')
return res.status(403).json({ error: 'Forbidden' });
db.prepare(`UPDATE live_sessions SET status='finished', ended_at=datetime('now') WHERE id=?`).run(liveId);
emitToClass(live.class_id, { type: 'live_ended', liveId });
res.json({ ok: true });
}
/* GET /api/live/class/:classId/active — student polls active session */
function getActive(req, res) {
const classId = Number(req.params.classId);
// Only class members (or teachers/admins) may poll
if (!['teacher', 'admin'].includes(req.user.role)) {
const isMember = db.prepare(
'SELECT 1 FROM class_members WHERE class_id = ? AND user_id = ?'
).get(classId, req.user.id);
if (!isMember) return res.status(403).json({ error: 'Forbidden' });
}
const live = db.prepare(`
SELECT * FROM live_sessions WHERE class_id=? AND status IN ('waiting','active')
ORDER BY id DESC LIMIT 1
`).get(classId);
if (!live) return res.json({ active: false });
let question = null, options = null, myAnswer = null;
if (live.question_id && live.status === 'active') {
question = db.prepare('SELECT id, text, type FROM questions WHERE id=?').get(live.question_id);
options = db.prepare(
'SELECT id, text, order_index FROM options WHERE question_id=? ORDER BY order_index'
).all(live.question_id);
myAnswer = db.prepare(
'SELECT option_id, is_correct FROM live_answers WHERE live_session_id=? AND user_id=? AND question_id=?'
).get(live.id, req.user.id, live.question_id);
}
res.json({ active: true, live, question, options, myAnswer, showResults: live.show_results });
}
/* GET /api/live/:id — get session info (teacher) */
function getSession(req, res) {
const liveId = Number(req.params.id);
const teacher = req.user;
const live = db.prepare('SELECT * FROM live_sessions WHERE id=?').get(liveId);
if (!live) return res.status(404).json({ error: 'Not found' });
if (live.teacher_id !== teacher.id && teacher.role !== 'admin')
return res.status(403).json({ error: 'Forbidden' });
const answerCount = db.prepare(
'SELECT COUNT(*) AS c FROM live_answers WHERE live_session_id=?'
).get(liveId).c;
const memberCount = db.prepare(
'SELECT COUNT(*) AS c FROM class_members WHERE class_id=?'
).get(live.class_id).c;
res.json({ ...live, answerCount, memberCount });
}
module.exports = { create, setQuestion, answer, results, end, getActive, getSession };
Reference in New Issue View Git Blame Copy Permalink