Skip to content

Desktop App: Security, Deployment & FAQ

Part 5 of 5 in the Architecture & Foundation series.

This page closes out the series: how authentication and encryption are layered, how code reaches students on web and desktop, and answers to the questions students ask most often.

Security & Privacy Architecture

Authentication: Proving You're You

Firebase Auth (web) issues a JWT — a cryptographically signed token proving "this user is logged in." On sign-in: Firebase verifies the credentials, creates a JWT signed with its private key, and the browser stores it and attaches it to every Firestore request. Firestore verifies the signature, then checks security rules to confirm the user is allowed to touch the requested document.

If a JWT is stolen, the exposure is bounded: tokens expire after an hour, they're only ever sent over HTTPS, and Firebase flags suspicious activity like a login from a new country.

Desktop auth uses OAuth 2.0 with PKCE instead of Firebase's in-browser popup, because Google's consent screen refuses to render inside an embedded Tauri webview as an anti-phishing measure. The desktop app opens the student's real system browser to Google's actual consent page, and a local server inside the Rust backend listens on localhost for the redirect. Once Rust has the token, it hands it to React, which finishes signing in through Firebase like any other client — no client secret ever ships inside the binary.

Firestore Security Rules

Firestore enforces server-side access control: even if a hacker guesses a document URL, the rule blocks access to data that isn't theirs.

// Security rule: User can only read/write their own documents
match /users/{userId} {
  allow read, write: if request.auth.uid == userId;
}

// Security rule: User can't read other users' submissions
match /submissions/{submissionId} {
  allow read: if request.auth.uid == resource.data.user_id;
  allow write: if request.auth.uid == resource.data.user_id;
}

If user 123 requests user 456's data, Firestore checks request.auth.uid (123) == userId (456) — the answer is no, and access is denied, regardless of anything the client claims.

Data Encryption

In transit: every connection runs over HTTPS/TLS — browser to Cloudflare, Cloudflare to Firebase, Cloudflare to Judge0.

At rest: Firestore data is encrypted automatically inside Google's data centers. Desktop SQLite isn't encrypted by default, but Tauri can add AES-256 encryption if a use case requires it.

Integrity Logs for Online Assessments

During an OA simulation, every action is logged: a problem opened, code submitted, the window losing focus. These entries are hash-chained: each new entry's hash incorporates the previous entry's hash, so altering any past entry breaks every hash that follows it and makes tampering detectable rather than merely discouraged.

Deployment: How Code Reaches Users

Website Deployment (ediky.com)

  1. A developer pushes to main.
  2. GitHub Actions runs the linter, tests, and type checks.
  3. Vite builds the React app into optimized JS/CSS/HTML, along with the search index.
  4. The build is uploaded to Cloudflare Pages and replicated across 200+ edge servers.
  5. ediky.com is updated within about 30 seconds, with zero downtime.

Desktop Deployment (Tauri App)

  1. A developer pushes code and bumps the version (kept in sync across package.json, Cargo.toml, and tauri.conf.json).
  2. GitHub Actions builds installers for Windows, macOS Intel, and macOS Apple Silicon.
  3. Each binary is code-signed, proving it came from Ediky rather than a malicious copy.
  4. Installers are uploaded to GitHub Releases.
  5. Students download and run the installer once; from then on, the auto-updater checks for and installs new releases in the background.
diagram100%
rendering diagram…

drag to pan · ctrl / ⌘ + scroll to zoom

Web ships automatically and immediately; desktop always requires a user download and install.

Frequently Asked Questions

Why do I need to sign in? To track your progress — solved problems, notes, bookmarks — and keep it synced across devices.

Is my code private? Yes. Firestore security rules ensure only you can access your submissions. Code is retained for plagiarism checks but never shown to other students.

Why is the desktop app so large? It bundles the OS webview engine, the Rust runtime, and roughly 2 GB of SQLite data covering every problem and solution. The web version stays small because it only ever downloads what you're viewing.

Can I use Ediky offline? On web, only cached pages — you can't write new notes. On desktop, fully: all problems, notes, and code work offline, syncing automatically when you're back online.

Why two versions? Different scenarios: web for zero-setup accessibility, desktop for offline capability, exam proctoring, and native OS integration.

How often are new problems added? As instructors write them — web updates within minutes via Cloudflare, desktop updates when it next syncs.

Is Ediky free? Yes, during the current beta stage, with optional premium features and college partnerships planned later — not ads.

How is Ediky different from LeetCode, GeeksforGeeks, or Codeforces? Those cover one slice each — problems, tutorials, or contests. Ediky integrates DSA, OA simulation, notes, and progress tracking in one place.

What languages can I code in? Judge0 supports 60+; Ediky surfaces C, C++, Python, PyPy3, Java, JavaScript, TypeScript, Go, Rust, and Kotlin.

Will my data be deleted if I leave? No — Firestore data is backed up by Google. Sign back in anytime and your progress is still there.

Why does the desktop app sometimes crash on first launch? First launch does one-time setup — creating the local SQLite database and an initial content sync — which can fail if disk space or permissions are wrong. Re-running the installer usually resolves it; report a persistent issue on GitHub.

Can I sync desktop to multiple devices? Yes — any device signed into the same account sees the same synced progress.

How is exam integrity ensured during an OA simulation? The desktop app monitors system processes, keyboard activity, clipboard, and webcam (if enabled), logging every action with a hash-chained audit trail that makes tampering detectable.

Architecture at a Glance

Web: React (browser) + Cloudflare (edge) + Firebase (cloud) + Judge0 (Oracle)

Desktop: React (Tauri webview) + Rust (IPC) + SQLite (local) + Judge0 (Oracle, when reachable)

Sync: Firestore bridges both — real-time on web, manual on desktop

Security: JWT auth, Firestore rules, TLS encryption, hash-chained audit logs

Deployment: CI/CD automated — instant on web, user-driven on desktop


← Previous: Desktop Features & Data Flows↩ Overview: Architecture & FoundationNext section: Backend & Infrastructure

Ediky Workflow — internal engineering documentation.