lordofsunshine/Code-Editor-with-Console

Code Editor — Modern, Real‑Time Collaboration
https://monoforge.org/lordofsunshine/code-editor-with-console

Languages: English (this page) | Russian (README_RU.md)

Node.js Fastify Socket.IO Monaco Editor SQLite

A lightweight, web‑based code editor with real‑time collaboration, project/file management, and a sleek, distraction‑free UI. Powered by Monaco (the editor behind VS Code), Fastify, and Socket.IO.

  • Real‑time collaboration: live edits, remote cursor position, presence, and project chat.
  • Project & file management: create, upload, delete, and organize assets with nested folder support.
  • Project chat: real-time messaging for collaborators with automatic cleanup and message history.
  • Invitations: bring teammates into a project (default limit: up to 2 collaborators).
  • Live preview: instant preview for HTML/CSS/JS, Markdown, SVG, images, audio, and video.
  • Modern UX: dark/light themes, status bar, tabs, keyboard shortcuts, smooth animations.
  • Security: sessions with httpOnly cookies, CSRF token checks, protective headers, rate limiting.

Security Updates

  1. Safer editor preview: Removed allow-same-origin from the sandboxed preview iframe in public/editor.html. This makes the preview area more isolated and safer.

  2. Safer content search: Content search now has limits for file size, total search budget, number of files, and number of results. This helps protect the service from heavy or abusive searches.

  3. Preview instead of full content: Search results now return only a small preview fragment instead of the full file content. This makes search faster, lighter, and safer.

  4. File migration lock: Added a per-file lock when moving stored database content to disk. This helps prevent conflicts when the same file is processed at the same time.

  5. Improved HTML escaping: Updated HTML escaping in client-side scripts across preview, file tree, chat, search, editor, auth, collaboration, warnings, user menu, and what’s new pages.

  6. Stronger text escaping rules: User-facing text now escapes &, <, >, ", and '. This reduces the risk of unsafe HTML being rendered in the interface.
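
A sketch of the bounded search described in items 2 and 3, added here as an illustration and not taken from the project's code. The limit names and values, the `{ path, content }` file shape, and the sample files are assumptions.

```javascript
// Added example: limit names and values are assumptions, not the project's settings.
const LIMITS = {
  maxFileBytes: 64 * 1024,    // skip any single file larger than this
  maxTotalBytes: 256 * 1024,  // total bytes scanned per search request
  maxFiles: 32,               // files examined per request
  maxResults: 5,              // matches returned per request
  previewRadius: 20,          // characters of context kept around a match
};

// files: [{ path, content }] (hypothetical shape). Returns matches plus what was skipped.
function searchContent(files, query, limits = LIMITS) {
  const out = { results: [], skipped: [], truncated: false };
  if (typeof query !== 'string' || query.length === 0) return out;
  let budget = limits.maxTotalBytes;
  let examined = 0;

  for (const file of files) {
    // Stop as soon as the file-count or result-count limit is reached.
    if (examined >= limits.maxFiles || out.results.length >= limits.maxResults) {
      out.truncated = true;
      break;
    }
    examined++;
    const size = Buffer.byteLength(file.content, 'utf8');
    if (size > limits.maxFileBytes) {
      out.skipped.push({ path: file.path, reason: 'file-too-large' });
      continue;
    }
    if (size > budget) { out.truncated = true; break; }  // total budget exhausted
    budget -= size;

    // Plain case-sensitive substring match: no user-supplied regular expression.
    const index = file.content.indexOf(query);
    if (index === -1) continue;
    // Return only a fragment around the match, never the whole file.
    const start = Math.max(0, index - limits.previewRadius);
    const end = Math.min(file.content.length, index + query.length + limits.previewRadius);
    out.results.push({ path: file.path, index, preview: file.content.slice(start, end) });
  }
  return out;
}

// Constructed sample project files.
const SAMPLE_FILES = [
  { path: 'index.html', content: '<h1>Hello</h1><script src="app.js"></script>' },
  { path: 'big.log', content: 'x'.repeat(100 * 1024) + ' token ' },
  { path: 'app.js', content: 'const token = readToken(); // uses token from session storage' },
];
```

The `truncated` flag lets the client tell the user that the result set is incomplete instead of silently dropping matches.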

Latest updates and improvements:

  • Content search fixes: File-content search now works with storage-backed files and handles legacy databases safely
  • Legacy encryption resilience: Missing project encryption keys are generated on demand and migrated file contents are cleaned up
  • Realtime permission hardening: Viewers can no longer emit edit/create/delete socket events, with stronger payload validation
  • Secure file storage: Migrated to encrypted file system with AES-256-GCM encryption and automatic compression
  • Expanded limits: Up to 6 projects, 32 files per project, 50MB files, 5MB avatars
  • User profile panel: Manage avatar and username from sidebar
  • Session persistence: Username remembered for one week
  • What's New block: Dynamic updates section on welcome screen
  • Local time in chat: Messages display user's local timezone
  • UI animations: Smooth transitions for preview panel, modals, and sidebar buttons
  • Improved error handling: Better file compression with fallback mechanisms
  • Increased rate limits: 100 requests per 15 minutes
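
One way to express the realtime permission hardening listed above, as an added example that is not the project's own code. The event names, role names, payload fields and size cap are assumptions; a Socket.IO handler would call `authorizeEvent` before applying or broadcasting anything.

```javascript
// Added example: event names, role names and payload fields are assumptions.
const WRITE_EVENTS = new Set(['file-change', 'file-create', 'file-delete']);
const READ_EVENTS = new Set(['cursor-update']);
const WRITE_ROLES = new Set(['owner', 'editor']);
const MAX_CONTENT_CHARS = 1_000_000;  // hypothetical cap on one edit payload

// Relative paths only: no leading slash, backslash, NUL, empty, "." or ".." segments.
function isSafePath(p) {
  if (typeof p !== 'string' || p.length === 0 || p.length > 255) return false;
  if (p.startsWith('/') || p.includes('\\') || p.includes('\0')) return false;
  return p.split('/').every((seg) => seg !== '' && seg !== '.' && seg !== '..');
}

// membership: Map of projectId -> role, loaded server-side for the session's user
// and never taken from the client payload.
function authorizeEvent(membership, event, payload) {
  if (!WRITE_EVENTS.has(event) && !READ_EVENTS.has(event)) {
    return { ok: false, reason: 'unknown-event' };  // allowlist, not denylist
  }
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, reason: 'bad-payload' };
  }
  const { projectId, path, content } = payload;
  if (!Number.isInteger(projectId)) return { ok: false, reason: 'bad-project-id' };
  const role = membership.get(projectId);
  if (!role) return { ok: false, reason: 'not-a-member' };
  if (READ_EVENTS.has(event)) return { ok: true };  // membership is enough to read
  if (!WRITE_ROLES.has(role)) return { ok: false, reason: 'read-only-role' };
  if (!isSafePath(path)) return { ok: false, reason: 'bad-path' };
  if (event !== 'file-delete' &&
      (typeof content !== 'string' || content.length > MAX_CONTENT_CHARS)) {
    return { ok: false, reason: 'bad-content' };
  }
  return { ok: true };
}

// Constructed session data: the user edits project 1 and only views project 2.
const SAMPLE_MEMBERSHIP = new Map([[1, 'editor'], [2, 'viewer']]);
```

Hiding the edit controls in the viewer's UI is not a control on its own, because a client can emit any event it likes; the decision has to be made on the server for every event.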

Quick Start

  • Requirements: Node.js 18+
npm install
npm run start   # production mode
# or
npm run dev     # auto-reload during development

Open http://localhost:3000:

  • Landing page at /
  • Auth flow at /auth
  • Editor at /editor (requires session)

How It Works

  • Frontend: Monaco Editor with a split view and integrated preview panel. The preview securely renders content via an iframe and Blob URLs; HTML pages are auto‑stitched with in‑memory CSS/JS for instant feedback.
  • Collaboration: Socket.IO rooms per project. Events include file changes, file create/delete, cursor updates, and collaborator presence.
  • Backend: Fastify serves static assets and JSON APIs (/api/auth, /api/projects, /api/files, /api/invitations, /api/warnings). Sessions and CSRF are enforced for mutating requests.
  • Storage: better-sqlite3 for a simple, fast embedded database. Scheduled cleanup tasks remove stale data.

Configuration

  • The server runs on port 3000 by default.
  • SESSION_SECRET (optional): provide your own secret for session signing.
  • Defaults are sensible; no extra setup is required for local development.

Security & Responsible Disclosure

If you discover a security vulnerability, don’t stay silent — please report it!

  • Open an issue in this repository with the “security” label, or
  • Contact the maintainers privately if sensitive details are involved.

We appreciate responsible disclosure and will respond promptly.

— Happy coding!

About

A versatile and interactive code editor built with Node.js and websockets.
