security: CORS hardening, path traversal fix, WebSocket auth + cleanup

- Restrict CORS to localhost origins (was allow_origins=[*])
- Require valid JWT on WebSocket /ws (anonymous no longer gets admin view)
- Fix path traversal in delete_cell(): resolve() + parent check
- Validate cell_id format in /charts/download-noaa/{cell_id}
- Exclude charts/ and Cartas/ from git (keep US1GC09M world overview)
- Add NOAA ENC Portal external link in charts catalog tab
- Untrack __pycache__/, .db, .claude/ session files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-03 12:45:43 -04:00
parent 3e04c4113f
commit cfd94f905a
47 changed files with 1847 additions and 427 deletions
+36
@@ -4,6 +4,14 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>AidsMonitoring — Maritime Traffic System</title>
<script>
// Auto-scale UI to physical monitor resolution — same breakpoints as AR ECDIS.
(function () {
const w = window.screen.width;
const z = w < 1366 ? 0.80 : w < 1600 ? 0.90 : w < 1920 ? 1.00 : 1.10;
if (z !== 1.00) document.documentElement.style.zoom = z;
})();
</script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/ol@v9.2.4/ol.css">
<link rel="stylesheet" href="css/main.css">
</head>
@@ -144,6 +152,29 @@
<button class="tb-btn active" id="toggle-lang">EN/ES</button>
<div class="toolbar-sep"></div>
<button class="tb-btn" id="btn-sdr" title="Launch AIS-catcher (RTL-SDR receiver)">SDR</button>
<div class="toolbar-sep"></div>
<span class="toolbar-label">AIS</span>
<button class="tb-btn active" id="btn-trails" title="Show vessel past tracks (breadcrumb trail)">TRAILS</button>
<select class="tb-select" id="trail-window" title="Trail history window">
<option value="60000">1 min</option>
<option value="120000">2 min</option>
<option value="360000" selected>6 min</option>
<option value="720000">12 min</option>
<option value="1800000">30 min</option>
<option value="0">ALL</option>
</select>
<div class="toolbar-sep"></div>
<button class="tb-btn" id="btn-vectors" title="Show COG/SOG vectors">VECT</button>
<select class="tb-select" id="vector-mode" title="Vector mode: True (COG absolute) or Relative (minus own ship)">
<option value="true">TRUE</option>
<option value="relative">RELAT</option>
</select>
<select class="tb-select" id="vector-time" title="Vector time ahead (minutes)">
<option value="3">3 min</option>
<option value="6" selected>6 min</option>
<option value="12">12 min</option>
<option value="20">20 min</option>
</select>
</div>
<div id="map"></div>
<div id="map-coords" class="mono">LAT -- LON --</div>
@@ -272,6 +303,11 @@
<div id="tab-catalog" class="ctab-panel">
<div style="font-size:0.7rem;color:var(--text-muted);margin-bottom:10px">
Click DOWNLOAD to fetch directly from NOAA servers and install. No manual download needed.
<a href="https://charts.coast.noaa.gov/ENCs/AllENCs.zip" target="_blank"
style="color:var(--accent);text-decoration:none;margin-left:8px"
title="Browse all NOAA ENCs on the NOAA Chart Portal">
&#8599; NOAA ENC Portal
</a>
</div>
<table class="chart-table" id="noaa-catalog-table">
<thead><tr><th>Cell</th><th>Description</th><th>Status</th><th></th></tr></thead>
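Review bot: The auto-scale block added near the top of `<head>` (the `(function () { … })()` inside `<script>`) is an inline script, which rules out a strict Content-Security-Policy (`script-src 'self'` without a nonce or hash) for this page — a constraint worth avoiding in a commit that hardens CORS and WebSocket auth. Moving the same eight lines to a file loaded next to the existing `css/main.css` keeps the early, synchronous execution and makes the page CSP-compatible: `<script src="js/ui-scale.js"></script>` in place of the inline block. Separately, the new `&#8599; NOAA ENC Portal` link uses `target="_blank"` without `rel="noopener noreferrer"`; modern browsers imply noopener, but it should be explicit, and its href ends in `AllENCs.zip`, which looks like a direct archive download rather than the browsable portal the title promises — worth confirming the intended URL. The `#tab-catalog` panel continues past the end of the hunk.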