Harden systemd services, restrict file permissions further, add username blocklist and prevent more vulnerabilities

web-app/src/lib/components/WebsiteEditor.svelte

@@ -26,6 +26,8 @@
   });
 
   const tabs = ["settings", "articles", "categories", "collaborators", "publish", "logs"];
+
+  let iframeLoaded = $state(false);
 </script>
 
 <input type="checkbox" id="toggle-mobile-preview" hidden />
@@ -55,7 +57,15 @@
 
 <div class="preview" bind:this={previewElement}>
   {#if fullPreview}
-    <iframe src={previewContent.value} title="Preview"></iframe>
+    {#if !iframeLoaded}
+      <p>Loading preview...</p>
+    {/if}
+    <iframe
+      src={previewContent.value}
+      title="Preview"
+      onload={() => (iframeLoaded = true)}
+      style:display={iframeLoaded ? "block" : "none"}
+    ></iframe>
   {:else}
     {@html md(
       previewContent.value || "Write some markdown content to see a live preview here",

web-app/src/routes/(anonymous)/login/+page.server.ts

@@ -18,7 +18,7 @@ export const actions: Actions = {
       return response;
     }
 
-    cookies.set("session_token", response.data.token, { path: "/", maxAge: 86400 });
+    cookies.set("session_token", response.data.token, { path: "/", maxAge: 43200 });
     return response;
   }
 };

web-app/src/routes/(authenticated)/website/[websiteId]/publish/+page.server.ts

@@ -269,14 +269,15 @@ const generateStaticFiles = async (
 };
 
 const setPermissions = async (dir: string) => {
-  await chmod(dir, 0o777);
+  const mode = dev ? 0o777 : process.env.ORIGIN ? 0o770 : 0o777;
+  await chmod(dir, mode);
   const entries = await readdir(dir, { withFileTypes: true });
   for (const entry of entries) {
     const fullPath = join(dir, entry.name);
     if (entry.isDirectory()) {
       await setPermissions(fullPath);
     } else {
-      await chmod(fullPath, 0o777);
+      await chmod(fullPath, mode);
     }
   }
 };