Upload app.py

app.py

@@ -1,6 +1,7 @@
 import subprocess
 import sys
 import os
+from pathlib import Path
 
 from fastapi import FastAPI, HTTPException, Request # type: ignore
 from fastapi.middleware.cors import CORSMiddleware # type: ignore
@@ -10,6 +11,36 @@ from slowapi.util import get_remote_address # type: ignore
 from slowapi.errors import RateLimitExceeded # type: ignore
 from compiler import ErasCompiler # type: ignore
 
+# Load secret from .env file or environment variable
+def load_secret():
+    """Load the API secret from .env file or environment variable"""
+    # Try environment variable first (for production)
+    secret = os.getenv("SECRET_PASSWORD")
+    
+    # If not in env, try reading from .env file (for local development)
+    if not secret:
+        env_path = Path(__file__).parent.parent / ".env"
+        if env_path.exists():
+            with open(env_path, 'r') as f:
+                for line in f:
+                    line = line.strip()
+                    if line and not line.startswith('#') and '=' in line:
+                        key, value = line.split('=', 1)
+                        if key.strip() == 'SECRET_PASSWORD':
+                            secret = value.strip()
+                            # Remove surrounding quotes if present
+                            if (secret.startswith('"') and secret.endswith('"')) or \
+                               (secret.startswith("'") and secret.endswith("'")):
+                                secret = secret[1:-1]
+                            break
+    
+    if not secret:
+        raise ValueError("SECRET_PASSWORD must be set in environment variable or .env file")
+    
+    return secret
+
+API_SECRET = load_secret()
+
 # Initialize FastAPI and Rate Limiter
 app = FastAPI(title="ErasLang IDE Backend")
 limiter = Limiter(key_func=get_remote_address)
@@ -19,10 +50,10 @@ app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
 # SWE Best Practice: Enable CORS so your frontend can communicate with this API
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"], # In production, replace with your frontend URL
+    allow_origins=["https://eras-lang-ide.vercel.app", "http://localhost:5173"],
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "OPTIONS"],  # Only allow necessary HTTP methods
+    allow_headers=["Content-Type", "Authorization", "Accept", "X-Requested-With"],
 )
 
 compiler = ErasCompiler()
@@ -30,22 +61,45 @@ compiler = ErasCompiler()
 class PerformanceRequest(BaseModel):
     code: str
     inputs: list[int] = []
+    password: str  # Secret password for authentication (required)
 
 @app.get("/")
 @limiter.limit("20/minute")
 async def root(request: Request):
     return {"message": "ErasLang Stage is Live. Ready for the Performance?"}
 
+@app.get("/health")
+async def health():
+    """
+    Health check endpoint - no CORS restrictions, no rate limiting.
+    Useful for monitoring and testing the deployed backend.
+    """
+    return {"status": "healthy", "service": "ErasLang API"}
+
 @app.post("/perform")
 @limiter.limit("10/minute")
 async def run_eraslang(request: Request, body: PerformanceRequest):
     """
     Main execution endpoint. 
-    1. Transpiles ErasLang -> Python
-    2. Spawns worker.py subprocess
-    3. Returns results or errors
+    1. Validates secret password
+    2. Transpiles ErasLang -> Python
+    3. Spawns worker.py subprocess
+    4. Returns results or errors
     """
     
+    # --- Step 0: Password Check (Always Required) ---
+    if not body.password:
+        raise HTTPException(
+            status_code=401,
+            detail="Unauthorized. Password is required."
+        )
+    
+    if body.password != API_SECRET:
+        raise HTTPException(
+            status_code=401,
+            detail="Unauthorized. Invalid password."
+        )
+    
     # --- Step 1: Transpilation ---
     try:
         # We ensure the compiler adds # ERAS_LINE_X comments for our worker