apps/quiz - quiz - Gitea: Git with a cup of tea

apps/quiz

Fork 0

Commit Graph

Author	SHA1	Message	Date
ameer	168cffea8b	feat(options): letterless student/projector UI + text-on-wire submit Both student-facing surfaces (the per-device join page and the front-of-room projector) now render options as text only, no A/B/C/D chips, no numeric prefixes. The letter-namespace remains internal: canonical A..D in pool.json + submissions storage; canonical position 1..4 in the CSV export. Admin dashboard keeps letters because it is the instructor's private console. Why this lands now: the discussion of per-student option shuffling flagged that A/B/C/D as discussion handles ("the answer is B") is itself a leaky channel. Removing the labels closes that channel for the non-shuffled case and keeps it closed if shuffling is added later. Wire protocol: the submit message carries the option's full text ("answer": "Pipelining"). Server's submit_answer resolves text -> letter via app.pool.resolve_option_key, which also accepts a canonical letter so internal callers and tests stay readable. A non-matching string is recorded as a zero-score submission with answer=NULL, locked in via the PK + existing_submit_ack short-circuit. So an attempted UI bypass that posts a fabricated string just produces a wrong answer; no retry. CSV: A=1 .. D=2 .. C=3 .. D=4 in the answer column. Empty when no option matched. Header unchanged so downstream pandas readers don't break, but the value type is int instead of letter. Histogram: the failsafe "submitted-but-no-match" row buckets into "missed" alongside genuine misses — both yield zero credit and the instructor cares about the same thing. Tests: - test_submit_accepts_option_text_resolves_to_canonical: production wire format produces correct grading + canonical-letter storage. - test_submit_failsafe_locks_in_zero_score_on_garbage_text: a non- matching string is recorded at score=0 and a follow-up correct submission cannot overwrite it. 71/71 green.	2026-05-04 17:31:12 +08:00
ameer	9ea0a8b039	feat: anti-cheat + presence panel + projector view Refinement pass on top of the validated v1.2 base. Hardening / quick fixes - Caddyfile.tpl: CSP / HSTS / X-Frame / Referrer-Policy / Permissions-Policy, 1 MiB request body cap, X-Forwarded-For pass-through; stock-Caddy compatible. - auth.py: STUDENT_MAX_AGE 1y -> 30d. - bootstrap.sh: stage 5 prepends `git config --add safe.directory` so the re-bootstrap path no longer 'detected dubious ownership' faults. - admin.js: drop the misleading `closedPayload?.state \|\| session.state` shim; state derives from session only. Anti-cheat - New `student_events` audit table; new POST /api/session/{sid}/event for blur / visibility_hidden / focus / visibility_visible. quiz.js debounces events at 1.5s and uses sendBeacon for visibility_hidden so the event survives a navigation. Counts surface in admin presence + CSV export. - First-claim-wins on join: add_participant raises DuplicateStudentId on PK violation; route returns 409 + records a duplicate_join audit event with attempted name + IP + UA. Admin dashboard surfaces a per-row red badge for hits on real participants and a top-of-page alert for orphan attempts. - DELETE /admin/api/students/{id} as the recovery hatch: clears the participant + submissions, kicks active WS sockets so a stale cookie cannot continue submitting. quiz.js surfaces the FastAPI detail message in the join form so users see the 'already in use' guidance. Presence panel - New presence_update WS message; in-process presence map keyed on student_id tracks ws_count + last_seen_ms. Admin dashboard renders per-student rows: connected/idle/dropped dot, blur+hidden+duplicate badges, 'answered current Q' tick, and a clear-student button. Projector view (public, read-only) - /projector/?sid=..., GET /api/session/{sid}/projector, WS /ws/projector/{sid}. Single self-contained projector_state snapshot pushed on every state change. Public leaderboard strips student_id; QR rendered server-side as data: URL (CSP-compliant). - Includes per-Q answer histogram, 8-bucket response-time distribution, 10-bucket score distribution. - static/projector.{html,css,js}: editorial-broadside design — masthead, registration crosses, conic-gradient countdown ring, SVG stepped-area score distribution with median tick, leaderboard row-stagger. Inherits light/dark tokens from style.css; honours prefers-reduced-motion. No scroll at 1366x768 / 1920x1080 / 3440x1440. Tests - tests/test_anti_cheat.py: blur logging + CSV count, unknown-kind 422, unauthenticated event 401, duplicate-join 409 + audit, admin clear-student happy + 404, server-side submit lockout regression. - tests/test_projector.py: snapshot shape, leaderboard student_id redaction, WS push on state change, 404 for unknown sid, page redirect when no sid. - Existing tests updated for the new presence_update snapshot frame + CSV header columns + first-claim-wins refusal of re-key. 57/57 pytest green; smoke-tested locally end-to-end.	2026-05-04 16:08:59 +08:00

Author

SHA1

Message

Date

ameer

168cffea8b

feat(options): letterless student/projector UI + text-on-wire submit

Both student-facing surfaces (the per-device join page and the
front-of-room projector) now render options as text only, no A/B/C/D
chips, no numeric prefixes. The letter-namespace remains internal:
canonical A..D in pool.json + submissions storage; canonical position
1..4 in the CSV export. Admin dashboard keeps letters because it is the
instructor's private console.

Why this lands now: the discussion of per-student option shuffling
flagged that A/B/C/D as discussion handles ("the answer is B") is itself
a leaky channel. Removing the labels closes that channel for the
non-shuffled case and keeps it closed if shuffling is added later.

Wire protocol: the submit message carries the option's full text
("answer": "Pipelining"). Server's submit_answer resolves text -> letter
via app.pool.resolve_option_key, which also accepts a canonical letter
so internal callers and tests stay readable. A non-matching string is
recorded as a zero-score submission with answer=NULL, locked in via the
PK + existing_submit_ack short-circuit. So an attempted UI bypass that
posts a fabricated string just produces a wrong answer; no retry.

CSV: A=1 .. D=2 .. C=3 .. D=4 in the answer column. Empty when no option
matched. Header unchanged so downstream pandas readers don't break, but
the value type is int instead of letter.

Histogram: the failsafe "submitted-but-no-match" row buckets into
"missed" alongside genuine misses — both yield zero credit and the
instructor cares about the same thing.

Tests:
- test_submit_accepts_option_text_resolves_to_canonical: production
  wire format produces correct grading + canonical-letter storage.
- test_submit_failsafe_locks_in_zero_score_on_garbage_text: a non-
  matching string is recorded at score=0 and a follow-up correct
  submission cannot overwrite it.

71/71 green.

2026-05-04 17:31:12 +08:00

ameer

9ea0a8b039

feat: anti-cheat + presence panel + projector view

Refinement pass on top of the validated v1.2 base.

Hardening / quick fixes
- Caddyfile.tpl: CSP / HSTS / X-Frame / Referrer-Policy / Permissions-Policy,
  1 MiB request body cap, X-Forwarded-For pass-through; stock-Caddy compatible.
- auth.py: STUDENT_MAX_AGE 1y -> 30d.
- bootstrap.sh: stage 5 prepends `git config --add safe.directory` so the
  re-bootstrap path no longer 'detected dubious ownership' faults.
- admin.js: drop the misleading `closedPayload?.state || session.state`
  shim; state derives from session only.

Anti-cheat
- New `student_events` audit table; new POST /api/session/{sid}/event for
  blur / visibility_hidden / focus / visibility_visible. quiz.js debounces
  events at 1.5s and uses sendBeacon for visibility_hidden so the event
  survives a navigation. Counts surface in admin presence + CSV export.
- First-claim-wins on join: add_participant raises DuplicateStudentId on
  PK violation; route returns 409 + records a duplicate_join audit event
  with attempted name + IP + UA. Admin dashboard surfaces a per-row red
  badge for hits on real participants and a top-of-page alert for orphan
  attempts.
- DELETE /admin/api/students/{id} as the recovery hatch: clears the
  participant + submissions, kicks active WS sockets so a stale cookie
  cannot continue submitting. quiz.js surfaces the FastAPI detail message
  in the join form so users see the 'already in use' guidance.

Presence panel
- New presence_update WS message; in-process presence map keyed on
  student_id tracks ws_count + last_seen_ms. Admin dashboard renders
  per-student rows: connected/idle/dropped dot, blur+hidden+duplicate
  badges, 'answered current Q' tick, and a clear-student button.

Projector view (public, read-only)
- /projector/?sid=..., GET /api/session/{sid}/projector, WS
  /ws/projector/{sid}. Single self-contained projector_state snapshot
  pushed on every state change. Public leaderboard strips student_id;
  QR rendered server-side as data: URL (CSP-compliant).
- Includes per-Q answer histogram, 8-bucket response-time distribution,
  10-bucket score distribution.
- static/projector.{html,css,js}: editorial-broadside design — masthead,
  registration crosses, conic-gradient countdown ring, SVG stepped-area
  score distribution with median tick, leaderboard row-stagger. Inherits
  light/dark tokens from style.css; honours prefers-reduced-motion. No
  scroll at 1366x768 / 1920x1080 / 3440x1440.

Tests
- tests/test_anti_cheat.py: blur logging + CSV count, unknown-kind 422,
  unauthenticated event 401, duplicate-join 409 + audit, admin
  clear-student happy + 404, server-side submit lockout regression.
- tests/test_projector.py: snapshot shape, leaderboard student_id
  redaction, WS push on state change, 404 for unknown sid, page redirect
  when no sid.
- Existing tests updated for the new presence_update snapshot frame +
  CSV header columns + first-claim-wins refusal of re-key.

57/57 pytest green; smoke-tested locally end-to-end.

2026-05-04 16:08:59 +08:00

2 Commits