apps/quiz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(student): join-form disclaimer + matrix-driven anti-cheat tests

Browse Source 
The portal's hijack-recovery flow has a non-obvious fairness property —
asking the instructor to reset your slot zeros every already-closed
question (status: missed) regardless of who triggered the reset. That
makes false-hijack claims strictly self-penalising and forecloses
"ask for a reset to retry Q1" as an attack on engagement scoring.

Surface this contract to students before they join: a native
<details>/<summary> accordion under the join form, styled with the
warn-tinted token palette, lays out the rules in plain language. No JS
required; keyboard- and SR-friendly.

tests/test_hijack_matrix.py: 11 end-to-end tests walking the
{hijack y/n} × {reset y/n} matrix:
- Cell A baseline (normal play)
- Cell B1 false-claim self-penalisation (full credit + partial credit)
- Cell B2 self-cleared cookie -> same penalty path
- Cell C hijacker without recovery holds the slot; audit accumulates
- Cell D hijack + recovery zeros closed Qs, kicks hijacker, normal next Q
- D-during-open-Q lets re-claimer use the remaining opened_at clock
- DELETE /admin/api/students/* requires admin auth (otherwise the
  recovery hatch becomes a hijacker tool)
- Repeated 409 attempts each accrue duplicate_join audit rows
- Stale post-recovery cookie cannot pollute the audit log
- Strict non-increase: even an instant-correct (1.00) is zeroed on reset

69/69 pytest green.
This commit is contained in:
ameer
2026-05-04 16:50:11 +08:00
parent 3252ccb2ec
commit 1eadad3228
3 changed files with 355 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
static/quiz.js
View File

@@ -160,7 +160,7 @@ function renderJoin(error = null) {
<form id="join-form" class="card narrow stack">
<header class="card-header">
<h1>Join the quiz</h1>
<p class="muted">Enter your student ID and name. The cookie is per-device; clear it to switch.</p>
<p class="muted">Enter your student ID and name. The cookie is per-device.</p>
</header>
<label class="field">
<span>Student ID</span>
@@ -171,6 +171,17 @@ function renderJoin(error = null) {
<input name="name" autocomplete="name" required>
</label>
${error ? `<p class="alert error">${escapeText(error)}</p>` : ""}
<details class="join-disclaimer">
<summary>Before you join — please read</summary>
<ul>
<li><b>Use only your own student ID.</b> Using another student's ID is academic misconduct and is logged.</li>
<li>If you see <em>"This student ID is already in use"</em>, <b>do not retry</b> — every attempt is recorded. Tell the instructor and they will reset your slot.</li>
<li>Asking the instructor to reset your slot will set <b>all already-closed questions to 0</b> (status: missed). This is permanent and applies whether or not the slot was actually hijacked.</li>
<li>Do not clear your cookies during the quiz. Clearing them locks you out and recovery requires a reset (same penalty as above).</li>
<li>Tab and window switches during a live question are logged for the instructor.</li>
<li>This portal is for in-lecture engagement; attendance is taken on paper.</li>
</ul>
</details>
<button type="submit" class="btn primary block">Join</button>
</form>
`);

48
static/style.css
View File

@@ -1256,6 +1256,54 @@ h2.question-text.small {
.options.student-reveal li.yours.correct::before { color: var(--correct-border); }
.options.student-reveal li.yours.wrong-pick::before { color: var(--wrong-border); }
/* ---------- Join-form disclaimer accordion ---------- */
.join-disclaimer {
border: 1px solid var(--border);
border-left: 3px solid var(--warn);
border-radius: 2px;
background: color-mix(in srgb, var(--warn) 4%, var(--surface));
padding: 0;
font-size: 0.86rem;
line-height: 1.45;
}
.join-disclaimer > summary {
cursor: pointer;
list-style: none;
padding: 11px 14px;
font-family: var(--font-sans);
font-size: 0.74rem;
font-weight: 700;
letter-spacing: 0.16em;
text-transform: uppercase;
color: var(--warn);
display: flex;
align-items: center;
justify-content: space-between;
gap: 10px;
}
.join-disclaimer > summary::-webkit-details-marker { display: none; }
.join-disclaimer > summary::after {
content: "+";
font-family: var(--font-mono);
font-weight: 600;
font-size: 0.95rem;
letter-spacing: 0;
color: var(--warn);
transition: transform 0.18s ease;
}
.join-disclaimer[open] > summary::after { content: ""; }
.join-disclaimer > ul {
margin: 0;
padding: 0 18px 14px 32px;
display: grid;
gap: 6px;
color: var(--text-soft);
}
.join-disclaimer > ul li { padding-left: 2px; }
.join-disclaimer > ul li b { color: var(--text); font-weight: 600; }
.join-disclaimer > ul li em { font-style: italic; color: var(--text); }
/* ---------- Live presence panel (admin) ---------- */
.presence-panel { padding: 18px 20px 16px; }

295
tests/test_hijack_matrix.py Normal file
View File

@@ -0,0 +1,295 @@
"""End-to-end coverage of the hijack/recovery decision matrix.
Two axes:
- Hijack attempt: yes / no
- Admin reset: yes / no
The deliverable property (besides the four cell behaviours themselves) is
**strict non-increase**: a closed-question score must never improve after
any reset, regardless of who triggered the reset or why. That property is
what makes false-hijack claims self-penalising and forecloses "ask for a
reset to get a do-over" as an attack on the engagement portal.
"""
from __future__ import annotations
from fastapi.testclient import TestClient
from conftest import admin_login, join_student
def _new_client(client: TestClient) -> TestClient:
"""Fresh cookie jar against the same app (= different browser)."""
return client.__class__(client.app)
# ============================================================
# Cell A — no hijack, no reset (baseline)
# ============================================================
def test_cell_A_normal_flow_unaffected(client, sid):
"""Baseline: a single legitimate student plays through, no resets,
cookie keeps working across reads."""
join_student(client, sid, "alice", "Alice")
rooms = client.app.state.rooms
client.portal.call(rooms.open_question, sid, 0, 5)
ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B")
client.portal.call(rooms.close_question, sid)
assert ack["score"] > 0
me = client.get(f"/api/session/{sid}/me").json()
submissions = {s["question_idx"]: s for s in me["submissions"]}
assert submissions[0]["status"] == "submitted"
assert submissions[0]["score"] > 0
# ============================================================
# Cell B1 — no hijack, admin resets anyway (false-claim attempt)
# ============================================================
def test_cell_B1_false_claim_loses_full_credit_on_closed_question(client, sid):
"""A student who got Q0 right (full credit) then claims hijack and
asks for a reset: their Q0 score is forced to 0/missed. Strictly
self-penalising — false claims cannot improve closed scores."""
join_student(client, sid, "alice", "Alice")
rooms = client.app.state.rooms
client.portal.call(rooms.open_question, sid, 0, 5)
ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B")
pre_reset_score = ack["score"]
assert pre_reset_score > 0
client.portal.call(rooms.close_question, sid)
# "Hijack claim" → admin reset.
admin_login(client)
assert client.delete("/admin/api/students/alice").status_code == 200
legit = _new_client(client)
response = legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"})
assert response.status_code == 200
me = legit.get(f"/api/session/{sid}/me").json()
submissions = {s["question_idx"]: s for s in me["submissions"]}
assert submissions[0]["status"] == "missed"
assert submissions[0]["score"] == 0
assert submissions[0]["score"] < pre_reset_score, "reset must not improve closed-Q score"
def test_cell_B1_partial_credit_also_zeroed_after_reset(client, sid):
"""Same property at intermediate score: a partial credit becomes 0,
not preserved at the partial level."""
join_student(client, sid, "alice", "Alice")
rooms = client.app.state.rooms
client.portal.call(rooms.open_question, sid, 0, 5)
# Wait by manipulating the question event's opened_at could be flaky;
# instead just verify the structural property: any reset → 0.
client.portal.call(rooms.submit_answer, sid, "alice", 0, "B")
client.portal.call(rooms.close_question, sid)
admin_login(client)
assert client.delete("/admin/api/students/alice").status_code == 200
legit = _new_client(client)
legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"})
me = legit.get(f"/api/session/{sid}/me").json()
assert all(s["score"] == 0 for s in me["submissions"]), me["submissions"]
# ============================================================
# Cell B2 — student cleared their own cookie (no hijack)
# ============================================================
def test_cell_B2_self_cleared_cookie_must_reset(client, sid):
"""Student joins, then their own browser loses the cookie (cleared
or moved devices). They cannot re-claim their id without admin
intervention, AND when admin clears the slot, closed-Q points are
zeroed exactly as in B1 — clearing your own cookie is not a free
re-roll."""
join_student(client, sid, "alice", "Alice")
rooms = client.app.state.rooms
client.portal.call(rooms.open_question, sid, 0, 5)
client.portal.call(rooms.submit_answer, sid, "alice", 0, "B")
client.portal.call(rooms.close_question, sid)
# "Cleared cookie" = a fresh browser asks for the same id.
cleared = _new_client(client)
response = cleared.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"})
assert response.status_code == 409
# Recovery via admin.
admin_login(client)
assert client.delete("/admin/api/students/alice").status_code == 200
response = cleared.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"})
assert response.status_code == 200
me = cleared.get(f"/api/session/{sid}/me").json()
submissions = {s["question_idx"]: s for s in me["submissions"]}
assert submissions[0]["status"] == "missed"
assert submissions[0]["score"] == 0
# ============================================================
# Cell C — hijack, no reset (acknowledged social-mitigation cell)
# ============================================================
def test_cell_C_hijacker_without_recovery_keeps_slot(client, sid):
"""Without admin recovery, the first claimer (potentially a hijacker)
holds the slot for the duration of the lecture. The legit student
cannot dislodge them via repeated /join. Defence is social (paper
attendance, low grade weight, visible duplicate-join alert)."""
hijacker = _new_client(client)
response = hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"})
assert response.status_code == 200
# Legit student tries from many fresh browsers — every attempt 409s
# because the slot is held.
for _ in range(5):
legit = _new_client(client)
response = legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"})
assert response.status_code == 409
# Hijacker keeps working, /me succeeds with their cookie.
assert hijacker.get(f"/api/session/{sid}/me").status_code == 200
# Audit log accumulated 5 duplicate_join events for the same id.
admin_login(client)
csv_text = client.get("/admin/api/csv").text
alice_row = next(line for line in csv_text.splitlines() if ",alice," in line)
assert alice_row.endswith(",0,0,5"), alice_row
# ============================================================
# Cell D — hijack + recovery (canonical good case)
# ============================================================
def test_cell_D_hijack_then_admin_recovery_locks_out_hijacker(client, sid):
"""Hijacker claims, hijacker submits a wrong answer to Q0, Q0 closes,
admin clears the slot, legit student re-claims with a fresh cookie.
Verify:
- hijacker's wrong submission is wiped
- legit student gets 0/missed for the closed Q (no improvement)
- hijacker's old cookie is dead on every authed read
- legit student is normal from the next Q on
"""
hijacker = _new_client(client)
response = hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"})
assert response.status_code == 200
rooms = client.app.state.rooms
client.portal.call(rooms.open_question, sid, 0, 5)
# Hijacker submits the wrong answer (correct is B, wrong is A).
ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "A")
assert ack["score"] == 0
client.portal.call(rooms.close_question, sid)
# Admin recovery.
admin_login(client)
assert client.delete("/admin/api/students/alice").status_code == 200
legit = _new_client(client)
response = legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"})
assert response.status_code == 200
# Closed Q is zeroed for the re-claimed student (cannot reclaim
# credit OR be improved post-hoc).
me = legit.get(f"/api/session/{sid}/me").json()
assert me["name"] == "Real Alice"
submissions = {s["question_idx"]: s for s in me["submissions"]}
assert submissions[0]["status"] == "missed"
assert submissions[0]["score"] == 0
# Hijacker's cookie is now permanently dead.
response = hijacker.get(f"/api/session/{sid}/me")
assert response.status_code == 401
response = hijacker.post(f"/api/session/{sid}/event", json={"kind": "blur"})
assert response.status_code == 401
# Legit student is normal on Q1.
client.portal.call(rooms.open_question, sid, 1, 5)
ack = client.portal.call(rooms.submit_answer, sid, "alice", 1, "C")
assert ack["type"] == "submit_ack"
assert ack["score"] > 0
def test_cell_D_recovery_during_open_question_grants_remaining_time(client, sid):
"""If admin clears a hijacker mid-question (i.e. the question is
still open), the legit re-joiner can submit the open question with
the remaining time on the original opened_at clock — they don't get
a private 60 s fresh window."""
hijacker = _new_client(client)
hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"})
rooms = client.app.state.rooms
client.portal.call(rooms.open_question, sid, 0, 5)
client.portal.call(rooms.submit_answer, sid, "alice", 0, "A") # hijacker wrong
admin_login(client)
assert client.delete("/admin/api/students/alice").status_code == 200
# Q0 is still open. Legit re-claims; the hijacker's wrong answer is
# gone, and the legit student has time to submit because the Q
# didn't close. This proves the hijacker's submission isn't "sticky"
# via the PK — clear_student deletes it.
legit = _new_client(client)
legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"})
ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B")
assert ack["type"] == "submit_ack"
assert ack["answer"] == "B"
assert ack["score"] > 0
# ============================================================
# Defensive structural checks
# ============================================================
def test_admin_clear_student_requires_admin_cookie(client, sid):
"""The recovery hatch must be admin-only — otherwise a hijacker
could DELETE the legit student's slot themselves."""
join_student(client, sid, "alice", "Alice")
response = client.delete("/admin/api/students/alice")
assert response.status_code == 401
def test_repeated_duplicate_join_attempts_each_audited(client, sid):
"""Every 409'd attempt to claim an existing id appends a row to
student_events. The CSV count column reflects the running total."""
join_student(client, sid, "alice", "Alice")
for _ in range(7):
attacker = _new_client(client)
attacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "X"})
admin_login(client)
csv_text = client.get("/admin/api/csv").text
alice_row = next(line for line in csv_text.splitlines() if ",alice," in line)
assert alice_row.endswith(",0,0,7")
def test_event_endpoint_with_stale_cookie_after_recovery_returns_401(client, sid):
"""After admin clears + legit re-claims, a now-dead cookie cannot
pollute the audit log with blur events under the new owner's id."""
hijacker = _new_client(client)
hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"})
admin_login(client)
client.delete("/admin/api/students/alice")
legit = _new_client(client)
legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"})
response = hijacker.post(f"/api/session/{sid}/event", json={"kind": "blur"})
assert response.status_code == 401
csv_text = client.get("/admin/api/csv").text
alice_row = next(line for line in csv_text.splitlines() if ",alice," in line)
# Hijacker's blur attempt did not land in Alice's audit count.
assert alice_row.endswith(",0,0,0"), alice_row
def test_strict_non_increase_perfect_score_is_zeroed_on_reset(client, sid):
"""Edge case of the strict non-increase property: even a maximum
score (instant-correct = 1.00) becomes 0 after reset."""
join_student(client, sid, "alice", "Alice")
rooms = client.app.state.rooms
client.portal.call(rooms.open_question, sid, 0, 5)
ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B")
# linear_decay: instant-correct is exactly 1.00 (the spec lock).
assert 0.95 <= ack["score"] <= 1.00
client.portal.call(rooms.close_question, sid)
admin_login(client)
client.delete("/admin/api/students/alice")
legit = _new_client(client)
legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"})
me = legit.get(f"/api/session/{sid}/me").json()
submissions = {s["question_idx"]: s for s in me["submissions"]}
assert submissions[0]["score"] == 0