feat(code): add secure API proxy for code execution

batalabs · rui-typelets · commit 8d599b5c6c72 · 2025-09-20T16:24:06.000-04:00
- Add API endpoints with authentication and rate limiting
- Implement secure error handling to prevent information disclosure
diff --git a/.env.example b/.env.example
@@ -85,6 +85,18 @@ MAX_FILE_SIZE_MB=50                   # Maximum size per file (default: 50MB)
 # Documents: PDF, Plain Text, Markdown, JSON, CSV
 # Add new types in: src/lib/validation.ts
 
+# ================================================================
+# CODE EXECUTION CONFIGURATION (Judge0 API)
+# ================================================================
+
+# Judge0 API Configuration (OPTIONAL - for code execution features)
+# Get your API key from: https://rapidapi.com/judge0-official/api/judge0-ce
+# JUDGE0_API_KEY=your_judge0_rapidapi_key_here
+
+# Code execution rate limits
+# Adjust based on your Judge0 plan limits (defaults: development=200, production=50)
+# CODE_EXEC_RATE_LIMIT_MAX=50         # Max code executions per 15 minutes per user
+
 # ================================================================
 # BILLING & LIMITS CONFIGURATION
 # ================================================================
@@ -147,6 +159,13 @@ FREE_TIER_NOTE_LIMIT=100              # Note count limit for free users (default
 # API Keys: Use your service provider's dashboard
 # Database passwords: Use password managers
 
+# Judge0 API Key Setup:
+# 1. Go to https://rapidapi.com/judge0-official/api/judge0-ce
+# 2. Sign up/login to RapidAPI
+# 3. Subscribe to Judge0 CE (free tier available)
+# 4. Copy your API key and uncomment JUDGE0_API_KEY above
+# 5. Code execution endpoints will be available: /api/code/*
+
 # ================================================================
 # PRODUCTION DEPLOYMENT NOTES
 # ================================================================
diff --git a/README.md b/README.md
@@ -21,6 +21,7 @@ The backend API for the [Typelets Application](https://github.com/typelets/typel
 - 🔄 **Real-time Sync** via WebSockets for multi-device support
 - ⚡ **Fast & Type-Safe** with TypeScript and Hono
 - 🐘 **PostgreSQL** with Drizzle ORM
+- 💻 **Code Execution** via secure Judge0 API proxy
 
 ## Tech Stack
 
@@ -37,6 +38,7 @@ The backend API for the [Typelets Application](https://github.com/typelets/typel
 - pnpm 9.15.0+
 - PostgreSQL database (local installation or Docker)
 - Clerk account for authentication ([sign up here](https://dashboard.clerk.com))
+- Judge0 API key for code execution (optional - [get from RapidAPI](https://rapidapi.com/judge0-official/api/judge0-ce))
 
 ## Local Development Setup
 
@@ -71,11 +73,14 @@ cp .env.example .env
 4. **Configure environment variables:**
    - Create a free account at [Clerk Dashboard](https://dashboard.clerk.com)
    - Create a new application
+   - (Optional) Get Judge0 API key from [RapidAPI](https://rapidapi.com/judge0-official/api/judge0-ce)
    - Update `.env` with your settings:
 
    ```env
    CLERK_SECRET_KEY=sk_test_your_actual_clerk_secret_key_from_dashboard
    CORS_ORIGINS=http://localhost:5173,http://localhost:3000
+   # Optional: For code execution features
+   JUDGE0_API_KEY=your_judge0_rapidapi_key_here
    ```
 
 5. **Set up database schema:**
@@ -199,6 +204,13 @@ All `/api/*` endpoints require authentication via Bearer token in the Authorizat
 - `GET /api/files/:id` - Get file details
 - `DELETE /api/files/:id` - Delete file attachment
 
+### Code Execution (requires Judge0 API key)
+
+- `POST /api/code/execute` - Submit code for execution
+- `GET /api/code/status/:token` - Get execution status and results
+- `GET /api/code/languages` - Get supported programming languages
+- `GET /api/code/health` - Check Judge0 service connectivity
+
 ### WebSocket Real-time Sync
 
 The API provides real-time synchronization via WebSocket connection at `ws://localhost:3000` (or your configured port).
@@ -261,6 +273,9 @@ The application uses the following main tables:
 | `WS_RATE_LIMIT_MAX_MESSAGES` | Max WebSocket messages per window            | No       | 300         |
 | `WS_MAX_CONNECTIONS_PER_USER`| Max WebSocket connections per user          | No       | 20          |
 | `WS_AUTH_TIMEOUT_MS`         | WebSocket authentication timeout in milliseconds | No   | 30000 (30 sec) |
+| `JUDGE0_API_KEY`             | Judge0 API key for code execution            | No*      | -           |
+
+*Required only for code execution features
 
 ## Development
 
@@ -278,6 +293,7 @@ src/
 │   ├── rate-limit.ts   # Rate limiting middleware
 │   └── security.ts     # Security headers middleware
 ├── routes/
+│   ├── code.ts         # Code execution routes (Judge0 proxy)
 │   ├── files.ts        # File attachment routes
 │   ├── folders.ts      # Folder management routes
 │   ├── notes.ts        # Note management routes
diff --git a/src/server.ts b/src/server.ts
@@ -14,6 +14,7 @@ import foldersRouter from "./routes/folders";
 import notesRouter from "./routes/notes";
 import usersRouter from "./routes/users";
 import filesRouter from "./routes/files";
+import codeRouter from "./routes/code";
 import { VERSION } from "./version";
 
 const maxFileSize = process.env.MAX_FILE_SIZE_MB
@@ -44,6 +45,16 @@ app.use(
   })
 );
 
+// Rate limiting for code execution (higher limits in development)
+const codeRateLimit = process.env.NODE_ENV === 'development' ? 200 : 50;
+app.use(
+  "/api/code/*",
+  rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: codeRateLimit, // Configurable based on environment
+  })
+);
+
 app.use(
   "*",
   bodyLimit({
@@ -124,6 +135,7 @@ app.use("*", authMiddleware);
 app.route("/api/users", usersRouter);
 app.route("/api/folders", foldersRouter);
 app.route("/api/notes", notesRouter);
+app.route("/api/code", codeRouter);
 app.route("/api", filesRouter);
 
 app.onError((err, c) => {
