Merge branch 'main' of https://github.com/orosmatthew/bw-hspc-contest-env

sandbox/.env.example

@@ -1,2 +1,3 @@
-ADMIN_URL="http://localhost:5173"
-REPO_URL="http://localhost:7006"
+ADMIN_URL="http://127.0.0.1:3000"
+REPO_URL="http://127.0.0.1:7006"
+WEB_SANDBOX_SECRET="supersecret"

sandbox/docker-compose.yml

@@ -7,4 +7,5 @@ services:
     environment:
       - ADMIN_URL=${ADMIN_URL}
       - REPO_URL=${REPO_URL}
+      - WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET}
     network_mode: 'host'

sandbox/package.json

@@ -6,6 +6,7 @@
 	"type": "module",
 	"scripts": {
 		"build": "esbuild src/index.ts --bundle --outfile=build/sandbox.cjs --format=cjs --platform=node",
+		"check": "tsc -noEmit",
 		"format": "prettier --write .",
 		"lint": "prettier --check . && eslint .",
 		"start": "node ./build/sandbox.cjs"

sandbox/src/index.ts

@@ -49,7 +49,10 @@ enum SubmissionProcessingResult {
 }
 
 async function fetchQueuedSubmission(): Promise<SubmissionGetData | undefined> {
-	const res = await fetch(submissionApiUrl, { method: 'GET' });
+	const res = await fetch(submissionApiUrl, {
+		method: 'GET',
+		headers: { secret: process.env.WEB_SANDBOX_SECRET! }
+	});
 	if (res.status !== 200) {
 		console.error(
 			`Failed to fetch from ${submissionApiUrl} with status: ${res.status} ${res.statusText}`
@@ -142,7 +145,7 @@ async function cloneAndRun(submissionData: SubmissionGetData) {
 		};
 		const res = await fetch(urlJoin(adminUrl, 'api/submission'), {
 			method: 'POST',
-			headers: { 'Content-Type': 'application/json' },
+			headers: { 'Content-Type': 'application/json', secret: process.env.WEB_SANDBOX_SECRET! },
 			body: JSON.stringify(postBodyObject)
 		});
 		if (res.status !== 200) {
@@ -183,7 +186,11 @@ function printRunResult(runResult: RunResult) {
 }
 
 function validateEnv(): boolean {
-	return process.env.ADMIN_URL !== undefined && process.env.REPO_URL !== undefined;
+	return (
+		process.env.ADMIN_URL !== undefined &&
+		process.env.REPO_URL !== undefined &&
+		process.env.WEB_SANDBOX_SECRET !== undefined
+	);
 }
 
 if (!validateEnv()) {

web/.env.example

@@ -1,4 +1,3 @@
 DATABASE_URL=postgresql://bwcontest:password@127.0.0.1:5432/bwcontest
-GIT_PORT=7006
-WEB_PORT=3000
-ORIGIN=http://127.0.0.1
+ORIGIN=http://127.0.0.1:3000
+WEB_SANDBOX_SECRET="supersecret"

web/docker-compose.yml

@@ -14,12 +14,13 @@ services:
       context: ../
       dockerfile: ./web/Dockerfile
     ports:
-      - ${WEB_PORT}:${WEB_PORT}
-      - ${GIT_PORT}:${GIT_PORT}
+      - 3000:3000
+      - 7006:7006
     environment:
       - DATABASE_URL=${DATABASE_URL}
-      - GIT_PORT=${GIT_PORT}
-      - ORIGIN=${ORIGIN}:${WEB_PORT}
+      - GIT_PORT=7006
+      - ORIGIN=${ORIGIN}
+      - WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET}
     volumes:
       - ./repo:/app/repo
     depends_on:

web/src/routes/api/submission/+server.ts

@@ -5,7 +5,11 @@ import { z } from 'zod';
 import type { RequestHandler } from './$types';
 import * as Diff from 'diff';
 
-export const GET = (async () => {
+export const GET = (async ({ request }) => {
+	const secret = request.headers.get('secret');
+	if (secret === null || secret !== process.env.WEB_SANDBOX_SECRET!) {
+		throw error(401, 'Unauthorized');
+	}
 	const submissions = await db.submission.findMany({
 		where: { state: SubmissionState.Queued },
 		orderBy: { createdAt: 'asc' },
@@ -56,6 +60,10 @@ const submissionPostData = z
 	.strict();
 
 export const POST = (async ({ request }) => {
+	const secret = request.headers.get('secret');
+	if (secret === null || secret !== process.env.WEB_SANDBOX_SECRET!) {
+		throw error(401, 'Unauthorized');
+	}
 	const requestJson = await request.json();
 	const data = submissionPostData.safeParse(requestJson);
 	if (!data.success) {