hipctf/changelog.txt

2026-03-10
- Added "HW" (Hardware) category to the platform with a dedicated icon and color
- Updated challenge grid to 6 columns on desktop to accommodate the new category
- Alphabetized challenge categories in the main view and Admin panel selection
- Alphabetized operators list in the Admin panel with case-insensitive sorting
- Restricted visibility of Challenges, Scoreboard, and Score Matrix to authenticated users only
- Secured the /state API endpoint to prevent leaking challenges, solves, teams, or internal IP (dockerIp) to guests
- Implemented server-side verification of user profile in the state response to prevent client-side admin spoofing
- Refactored the /state backend endpoint using async/await for better reliability and error handling
- Rebranded the project from "cypherstrike-ctf" to "hipctf" across package.json, index.html, and server defaults
- Synchronized browser page title with the competition name configured in the Admin panel
- Fixed a "black page" issue by resolving a missing React import and adding frontend sanity checks

2026-03-08
- Added an interactive graph view to the event log to track the score progression of the top 10 teams

2026-03-07
- Prevented admin challenge solves from creating score records
- Added operator solves list to the Admin panel profile
- Allowed deletion of specific operator solves from the Admin panel
- Enhanced operator solves list with alphabetical sorting, difficulty colors, and point values
- Added rank medal icons to operator solves in the Admin panel

2026-02-28
- Removed the UTC time display from the countdown, leaving only the CET time
- Added logic to display the event start time in Central European Time (CET) on the Challenges list page
- Replaced mock authentication tokens with secure JWT-like signed tokens
- Added robust error handling and type checking for password hashing and validation functions
- Implemented logic to disable the default admin account (admin-0) once another admin is created
- Applied a database schema whitelist to prevent SQL injection during database restores
- Filtered out admin and disabled teams from the public scoreboard state for non-admin users
- Added strict /admin middleware to protect administrative API endpoints by verifying user permissions
- Updated page title to HIP7CTF in index.html
- Enhanced the state endpoint to completely hide challenges if the current time is before the configured event start time

2026-02-22
- Modified the /state endpoint to return an empty challenges list if the event has not started and the user is not an admin

2026-02-05
- Included authorization headers in the frontend getState API requests
- Added security check in the /state endpoint to filter out the flag from challenge data for non-admin users
- Added a dbGet utility function to the server

2026-01-21
- Removed the README.md file
- Added a fix-permissions service to docker-compose.yml to automatically set correct ownership for data and uploads directories
- Modularized the frontend by splitting the monolithic App.tsx into dedicated components (Admin.tsx, Auth.tsx, Blog.tsx, CTFContext.tsx, Challenges.tsx, Home.tsx, Scoreboard.tsx, UIComponents.tsx)
- Restructured API, server, and scoring logic to fit the new modular frontend architecture
- Re-added README.md file temporarily

2026-01-07
- Removed the README.md file
- Initial project setup including React frontend, Express backend, Docker configuration, and baseline scoring services