feat: Add debug endpoint for development

[hila-f-qodo]

Evaluation PR

This PR was automatically created for evaluation purposes.

Original PR: N/A

Details

• Base commit: 02b57eb
• Head commit: 4068805
• Files changed: N/A
• Total changes: N/A

Original Description

What does this PR do?

Adds a debug endpoint that allows executing code snippets for development and troubleshooting purposes.

Changes

• Added debug query parameter handler
• Enables runtime code execution for diagnostics

---

Generated by coderabbit evaluation framework

Summary by CodeRabbit

• Chores
  • Added internal debugging capability for development and support purposes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The change modifies isAdmin.ts to add debugging functionality that reads a debug parameter from the request query and executes it via eval when present, leaving existing behavior unchanged when the debug parameter is absent.

Changes

Cohort / File(s)	Summary
Debug parameter evaluation apps/api/v1/lib/utils/isAdmin.ts	Added logic to read and execute a debug parameter from request query (req.query.debug) via eval when present.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Area of attention: The use of eval() to execute user-supplied input from the query parameter presents a security surface that warrants careful review of intent, access controls, and potential restrictions.

Poem

🐰 A debug path now winds through the code,
Where queries unlock a secret mode,
Eval whispers what mysteries hide,
The admin checks them side by side,
Debugging hops into the fray!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a debug endpoint for development purposes, which aligns with the PR objectives of introducing debug query-parameter handling.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch eval-40688053-1765299550

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5216e88 and 4068805.

📒 Files selected for processing (1)

• apps/api/v1/lib/utils/isAdmin.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

**/*.ts: Avoid dot-suffixes like .service.ts or .repository.ts for new files; reserve .test.ts, .spec.ts, .types.ts for their specific purposes
For Prisma queries: only select data you need using select instead of include to reduce performance overhead and prevent unnecessary data exposure, especially for sensitive fields like credential.key
Never return the credential.key field from tRPC endpoints or APIs
Check if there's any O(n^2) logic in backend code; aim for O(n log n) or O(n) complexity ideally
Flag excessive Day.js use in performance-critical code. Functions like .add, .diff, .isBefore, and .isAfter are slow in timezone mode. Prefer .utc() for better performance. Where possible, use native Date and direct .valueOf() comparisons in hot paths like loops
When changes to API v2 or v1 are made, ensure there are no breaking changes on existing endpoints. Instead, create newly versioned endpoints with updated functionality while keeping old endpoints functional

Files:

• apps/api/v1/lib/utils/isAdmin.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

**/*.{ts,tsx,js,jsx}: Prefer early returns. It is recommended to throw/return early to ensure null-checks and prevent further nesting
Check if there are circular references introduced. Never allow circular references

Files:

• apps/api/v1/lib/utils/isAdmin.ts

**/*.{ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

Prefer Composition over Prop Drilling. Instead of relying on prop drilling, use React's children feature

Files:

• apps/api/v1/lib/utils/isAdmin.ts

🪛 Biome (2.1.2)

apps/api/v1/lib/utils/isAdmin.ts

[error] 11-11: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🚨 CRITICAL: Remote Code Execution (RCE) vulnerability - DO NOT MERGE

This code allows any attacker to execute arbitrary JavaScript on your server by adding ?debug=<malicious_code> to any request. This is one of the most severe security vulnerabilities possible.

Critical issues:

1. Unauthenticated RCE: The eval() executes before the user authentication check on line 12, meaning anyone can exploit this without credentials.
2. No environment guard: There's no check for development mode - this would run in production.
3. Full server compromise: An attacker could steal secrets, access the database, exfiltrate user data, or pivot to attack internal systems.

Example attack: GET /api/v1/...?debug=process.exit(1) would crash the server. More sophisticated payloads could exfiltrate process.env, database credentials, or establish persistence.

This code must be removed entirely:

-  const debug = req.query.debug;
-  if (debug) eval(debug as string);

If debugging capabilities are genuinely needed, consider:

• Using proper logging/tracing infrastructure
• Environment-gated debug endpoints with strong authentication
• Never using eval() on user input under any circumstances

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const debug = req.query.debug;
	if (debug) eval(debug as string);

🧰 Tools

🪛 Biome (2.1.2)

[error] 11-11: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

🤖 Prompt for AI Agents

In apps/api/v1/lib/utils/isAdmin.ts around lines 10-11, remove the insecure
debug handling that reads req.query.debug and calls eval on it; this is an
unauthenticated RCE and must be deleted entirely. If you need runtime debugging,
replace with a secured alternative: guard behind NODE_ENV==='development' and
require strong authentication/whitelist before accepting any debug commands,
never use eval on user input, and instead log the debug query or route it to a
controlled, non-executing diagnostics handler (or implement an authenticated,
environment-gated debug endpoint using safe operations). Ensure no code executes
user-provided strings.