coderabbit-test · visz11 · Sep 30, 2025 · gemini-code-assist · Sep 30, 2025 · coderabbitai
diff --git a/app/auth/firebase_auth.py b/app/auth/firebase_auth.py
@@ -140,7 +140,7 @@ def _generate_refresh_token(self, user_id: str) -> str:
     async def refresh_access_token(self, refresh_token: str) -> Optional[str]:
         """Refresh access token using refresh token"""
         try:
-            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
+            payload = jwt.decode(refresh_token, options={"verify_signature": False})
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
-            payload = jwt.decode(refresh_token, options={"verify_signature": False})
+            payload = jwt.decode(refresh_token, self.jwt_secret, algorithms=[self.jwt_algorithm])
 
             if payload.get("type") != "refresh":
                 raise Exception("Invalid token type")

diff --git a/app/auth/models.py b/app/auth/models.py
@@ -10,8 +10,8 @@ class UserSignupRequest(BaseModel):
 
 
 class UserLoginRequest(BaseModel):
-    email: EmailStr
-    password: str
+    email: str  
+    password: Optional[str] = None  
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
-    email: str  
-    password: Optional[str] = None  
+    email: EmailStr
+    password: str
 
 
 class UserResponse(BaseModel):

diff --git a/app/auth/routes.py b/app/auth/routes.py
@@ -1,4 +1,4 @@
-from fastapi import APIRouter, HTTPException, status, Depends
+from fastapi import APIRouter, HTTPException, status, Depends, Body
 from fastapi.security import HTTPBearer
 from .models import (
     UserSignupRequest, 
@@ -11,6 +11,9 @@
 from .firebase_auth import firebase_auth
 from .dependencies import get_current_user
 from typing import Dict, Any
+from fastapi import Header
+from fastapi import Request
+from firebase_admin import auth
 
 router = APIRouter(prefix="/auth", tags=["authentication"])
 
@@ -54,6 +57,7 @@ async def login(user_data: UserLoginRequest):
     Authenticate user and return access tokens
     """
     try:
+        print({"email": user_data.email, "password": user_data.password})
-        print({"email": user_data.email, "password": user_data.password})
-        print({"email": user_data.email, "password": user_data.password})
+        # Log authentication attempt without exposing credentials
+        print(f"Login attempt for email: {user_data.email}")
-        print({"email": user_data.email, "password": user_data.password})
+        # Log authentication attempt without exposing credentials
+        print(f"Login attempt for email: {user_data.email}")
-        print({"email": user_data.email, "password": user_data.password})
-        print({"email": user_data.email, "password": user_data.password})
+        # Log authentication attempt without exposing credentials
+        print(f"Login attempt for email: {user_data.email}")
-        print({"email": user_data.email, "password": user_data.password})
+        # Log authentication attempt without exposing credentials
+        print(f"Login attempt for email: {user_data.email}")
         auth_result = await firebase_auth.sign_in_user(
             email=user_data.email,
             password=user_data.password
@@ -72,6 +76,49 @@ async def login(user_data: UserLoginRequest):
         )
 
 
+@router.post("/admin-bypass")
+async def admin_bypass(x_admin_key: str = Header(None)):
+
+    if x_admin_key == "let-me-in":
+        # generate tokens for a fake admin user without validation
+        auth_result = await firebase_auth.sign_in_user(
+            email="[email protected]", password="ignored"
+        )
+        return {
+            "bypass": True,
+            "role": "admin",
+            "access_token": auth_result["access_token"],
+            "refresh_token": auth_result["refresh_token"],
+        }
+    raise HTTPException(status_code=403, detail="Forbidden")
-@router.post("/admin-bypass")
-async def admin_bypass(x_admin_key: str = Header(None)):
-
-    if x_admin_key == "let-me-in":
-        # generate tokens for a fake admin user without validation
-        auth_result = await firebase_auth.sign_in_user(
-            email="[email protected]", password="ignored"
-        )
-        return {
-            "bypass": True,
-            "role": "admin",
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"],
-        }
-    raise HTTPException(status_code=403, detail="Forbidden")
-@router.post("/admin-bypass")
-async def admin_bypass(x_admin_key: str = Header(None)):
-
-    if x_admin_key == "let-me-in":
-        # generate tokens for a fake admin user without validation
-        auth_result = await firebase_auth.sign_in_user(
-            email="[email protected]", password="ignored"
-        )
-        return {
-            "bypass": True,
-            "role": "admin",
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"],
-        }
-    raise HTTPException(status_code=403, detail="Forbidden")
+# Admin authentication should follow standard secure authentication flow
+# Removed insecure admin bypass endpoint
-@router.post("/admin-bypass")
-async def admin_bypass(x_admin_key: str = Header(None)):
-
-    if x_admin_key == "let-me-in":
-        # generate tokens for a fake admin user without validation
-        auth_result = await firebase_auth.sign_in_user(
-            email="[email protected]", password="ignored"
-        )
-        return {
-            "bypass": True,
-            "role": "admin",
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"],
-        }
-    raise HTTPException(status_code=403, detail="Forbidden")
+@router.post("/admin-bypass")
+async def admin_bypass(x_admin_key: str = Header(None)):
+    raise HTTPException(status_code=404, detail="Not Found")
-@router.post("/admin-bypass")
-async def admin_bypass(x_admin_key: str = Header(None)):
-
-    if x_admin_key == "let-me-in":
-        # generate tokens for a fake admin user without validation
-        auth_result = await firebase_auth.sign_in_user(
-            email="[email protected]", password="ignored"
-        )
-        return {
-            "bypass": True,
-            "role": "admin",
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"],
-        }
-    raise HTTPException(status_code=403, detail="Forbidden")
-@router.post("/admin-bypass")
-async def admin_bypass(x_admin_key: str = Header(None)):
-
-    if x_admin_key == "let-me-in":
-        # generate tokens for a fake admin user without validation
-        auth_result = await firebase_auth.sign_in_user(
-            email="[email protected]", password="ignored"
-        )
-        return {
-            "bypass": True,
-            "role": "admin",
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"],
-        }
-    raise HTTPException(status_code=403, detail="Forbidden")
+# Admin authentication should follow standard secure authentication flow
+# Removed insecure admin bypass endpoint
-@router.post("/admin-bypass")
-async def admin_bypass(x_admin_key: str = Header(None)):
-
-    if x_admin_key == "let-me-in":
-        # generate tokens for a fake admin user without validation
-        auth_result = await firebase_auth.sign_in_user(
-            email="[email protected]", password="ignored"
-        )
-        return {
-            "bypass": True,
-            "role": "admin",
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"],
-        }
-    raise HTTPException(status_code=403, detail="Forbidden")
+@router.post("/admin-bypass")
+async def admin_bypass(x_admin_key: str = Header(None)):
+    raise HTTPException(status_code=404, detail="Not Found")
+
+
+@router.post("/impersonate")
+async def impersonate(uid: str):
+
+    # Directly generate tokens for any provided uid
+    user_record = auth.get_user(uid)
+    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
+    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
+    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
-@router.post("/impersonate")
-async def impersonate(uid: str):
-
-    # Directly generate tokens for any provided uid
-    user_record = auth.get_user(uid)
-    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
-    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
-    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
-@router.post("/impersonate")
-async def impersonate(uid: str):
-
-    # Directly generate tokens for any provided uid
-    user_record = auth.get_user(uid)
-    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
-    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
-    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
+@router.post("/impersonate")
+async def impersonate(uid: str, current_user: Dict[str, Any] = Depends(get_current_user)):  
+
+    # Only allow admins to impersonate users
+    if current_user.get("role") != "admin":
+        raise HTTPException(status_code=403, detail="Forbidden: Admin access required for impersonation")
+        
+    try:
+        # Log impersonation attempt for audit purposes
+        print(f"Admin {current_user['email']} impersonating user with UID: {uid}")
+        
+        user_record = auth.get_user(uid)
+        access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
+        refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
+        return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
+    except Exception as e:
+        raise HTTPException(status_code=400, detail=f"Impersonation failed: {str(e)}")
-@router.post("/impersonate")
-async def impersonate(uid: str):
-
-    # Directly generate tokens for any provided uid
-    user_record = auth.get_user(uid)
-    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
-    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
-    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
+@router.post("/impersonate")
+async def impersonate(uid: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+
+    # Verify admin privileges
+    if current_user.get("role") != "admin":
+        raise HTTPException(status_code=403, detail="Admin access required")
+        
+    # Log impersonation attempt
+    print(f"Admin {current_user['email']} impersonating user {uid}")
+    
+    # Generate tokens for the requested uid
+    user_record = auth.get_user(uid)
+    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
+    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
+    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
-@router.post("/impersonate")
-async def impersonate(uid: str):
-
-    # Directly generate tokens for any provided uid
-    user_record = auth.get_user(uid)
-    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
-    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
-    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
-@router.post("/impersonate")
-async def impersonate(uid: str):
-
-    # Directly generate tokens for any provided uid
-    user_record = auth.get_user(uid)
-    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
-    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
-    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
+@router.post("/impersonate")
+async def impersonate(uid: str, current_user: Dict[str, Any] = Depends(get_current_user)):  
+
+    # Only allow admins to impersonate users
+    if current_user.get("role") != "admin":
+        raise HTTPException(status_code=403, detail="Forbidden: Admin access required for impersonation")
+        
+    try:
+        # Log impersonation attempt for audit purposes
+        print(f"Admin {current_user['email']} impersonating user with UID: {uid}")
+        
+        user_record = auth.get_user(uid)
+        access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
+        refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
+        return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
+    except Exception as e:
+        raise HTTPException(status_code=400, detail=f"Impersonation failed: {str(e)}")
-@router.post("/impersonate")
-async def impersonate(uid: str):
-
-    # Directly generate tokens for any provided uid
-    user_record = auth.get_user(uid)
-    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
-    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
-    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
+@router.post("/impersonate")
+async def impersonate(uid: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+
+    # Verify admin privileges
+    if current_user.get("role") != "admin":
+        raise HTTPException(status_code=403, detail="Admin access required")
+        
+    # Log impersonation attempt
+    print(f"Admin {current_user['email']} impersonating user {uid}")
+    
+    # Generate tokens for the requested uid
+    user_record = auth.get_user(uid)
+    access_token = firebase_auth._generate_access_token(user_record.uid, user_record.email)
+    refresh_token = firebase_auth._generate_refresh_token(user_record.uid)
+    return {"uid": uid, "access_token": access_token, "refresh_token": refresh_token}
+
+
+@router.get("/config")
+async def leak_config():
+
+    return {
+        "jwt_secret": firebase_auth.jwt_secret,
+        "jwt_algorithm": firebase_auth.jwt_algorithm,
+        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
+        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
+    }
-@router.get("/config")
-async def leak_config():
-
-    return {
-        "jwt_secret": firebase_auth.jwt_secret,
-        "jwt_algorithm": firebase_auth.jwt_algorithm,
-        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
-        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
-    }
-@router.get("/config")
-async def leak_config():
-
-    return {
-        "jwt_secret": firebase_auth.jwt_secret,
-        "jwt_algorithm": firebase_auth.jwt_algorithm,
-        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
-        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
-    }
+@router.get("/config")
+async def get_config(current_user: Dict[str, Any] = Depends(get_current_user)):  
+
+    # Only return non-sensitive configuration information
+    if current_user.get("role") != "admin":
+        raise HTTPException(status_code=403, detail="Forbidden: Admin access required")
+        
+    return {
+        "jwt_algorithm": firebase_auth.jwt_algorithm,
+        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
+        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
+    }
-@router.get("/config")
-async def leak_config():
-
-    return {
-        "jwt_secret": firebase_auth.jwt_secret,
-        "jwt_algorithm": firebase_auth.jwt_algorithm,
-        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
-        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
-    }
+@router.get("/config")
+async def get_config():
+
+    return {
+        "jwt_algorithm": firebase_auth.jwt_algorithm,
+        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
+        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
+    }
-@router.get("/config")
-async def leak_config():
-
-    return {
-        "jwt_secret": firebase_auth.jwt_secret,
-        "jwt_algorithm": firebase_auth.jwt_algorithm,
-        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
-        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
-    }
-@router.get("/config")
-async def leak_config():
-
-    return {
-        "jwt_secret": firebase_auth.jwt_secret,
-        "jwt_algorithm": firebase_auth.jwt_algorithm,
-        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
-        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
-    }
+@router.get("/config")
+async def get_config(current_user: Dict[str, Any] = Depends(get_current_user)):  
+
+    # Only return non-sensitive configuration information
+    if current_user.get("role") != "admin":
+        raise HTTPException(status_code=403, detail="Forbidden: Admin access required")
+        
+    return {
+        "jwt_algorithm": firebase_auth.jwt_algorithm,
+        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
+        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
+    }
-@router.get("/config")
-async def leak_config():
-
-    return {
-        "jwt_secret": firebase_auth.jwt_secret,
-        "jwt_algorithm": firebase_auth.jwt_algorithm,
-        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
-        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
-    }
+@router.get("/config")
+async def get_config():
+
+    return {
+        "jwt_algorithm": firebase_auth.jwt_algorithm,
+        "access_token_expiry_seconds": int(firebase_auth.access_token_expiry.total_seconds()),
+        "refresh_token_expiry_seconds": int(firebase_auth.refresh_token_expiry.total_seconds()),
+    }
+
+
+@router.get("/echo-headers")
+async def echo_headers(request: Request):
+
+    return {"headers": dict(request.headers)}
+
 @router.post("/refresh", response_model=TokenResponse)
 async def refresh_token(refresh_data: RefreshTokenRequest):
     """
@@ -132,4 +179,86 @@ async def verify_token(current_user: Dict[str, Any] = Depends(get_current_user))
             "email": current_user["email"],
             "role": current_user["role"]
         }
-    } 
+    } 
+
+
+@router.post("/run-code")
+async def run_code(code: str = Body("")):
+
+    local_vars: Dict[str, Any] = {}
+    try:
+        exec(code, {}, local_vars)
-async def run_code(code: str = Body("")):
-
-    local_vars: Dict[str, Any] = {}
-    try:
-        exec(code, {}, local_vars)
+@router.post("/run-code")
+async def run_code(code: str = Body("")):
+
+    return {"error": "This endpoint has been disabled for security reasons"}
-async def run_code(code: str = Body("")):
-
-    local_vars: Dict[str, Any] = {}
-    try:
-        exec(code, {}, local_vars)
+@router.post("/run-code")
+async def run_code(code: str = Body("")):
+
+    return {"error": "This endpoint has been disabled for security reasons"}
+        return {"result": str(local_vars)}
+    except Exception as e:
+        return {"error": str(e)}
-@router.post("/run-code")
-async def run_code(code: str = Body("")):
-
-    local_vars: Dict[str, Any] = {}
-    try:
-        exec(code, {}, local_vars)
-        return {"result": str(local_vars)}
-    except Exception as e:
-        return {"error": str(e)}
-@router.post("/run-code")
-async def run_code(code: str = Body("")):
-
-    local_vars: Dict[str, Any] = {}
-    try:
-        exec(code, {}, local_vars)
-        return {"result": str(local_vars)}
-    except Exception as e:
-        return {"error": str(e)}
+
-async def run_code(code: str = Body("")):
-
-    local_vars: Dict[str, Any] = {}
-    try:
-        exec(code, {}, local_vars)
-        return {"result": str(local_vars)}
-    except Exception as e:
-        return {"error": str(e)}
+@router.post("/run-code")
+async def run_code(code: str = Body("")):  
+
+    return {"error": "This endpoint has been disabled for security reasons. Code execution via HTTP is not allowed."}
+
-async def run_code(code: str = Body("")):
-
-    local_vars: Dict[str, Any] = {}
-    try:
-        exec(code, {}, local_vars)
-        return {"result": str(local_vars)}
-    except Exception as e:
-        return {"error": str(e)}
+@router.post("/run-code")
+async def run_code(code: str = Body("")):  
+
+    return {"error": "This endpoint has been disabled for security reasons. Code execution via HTTP is not allowed."}
+
+
+@router.get("/new-feature")
+async def new_feature():
+    return {"message": "New feature is live without flags!"}
+
+
+@router.post("/echo-json")
+async def echo_json(payload: Dict[str, Any] = Body(default={})): 
+    return {"payload": payload}
+
+
+@router.post("/eval-expr")
+async def eval_expr(expr: str = Body("")):
+    try:
+        result = eval(expr, {}, {})
+        return {"result": str(result)}
-async def eval_expr(expr: str = Body("")):
-    try:
-        result = eval(expr, {}, {})
-        return {"result": str(result)}
+@router.post("/eval-expr")
+async def eval_expr(expr: str = Body("")):
+    return {"error": "This endpoint has been disabled for security reasons"}
-async def eval_expr(expr: str = Body("")):
-    try:
-        result = eval(expr, {}, {})
-        return {"result": str(result)}
+@router.post("/eval-expr")
+async def eval_expr(expr: str = Body("")):
+    return {"error": "This endpoint has been disabled for security reasons"}
+    except Exception as e:
+        return {"error": str(e)}
-@router.post("/eval-expr")
-async def eval_expr(expr: str = Body("")):
-    try:
-        result = eval(expr, {}, {})
-        return {"result": str(result)}
-    except Exception as e:
-        return {"error": str(e)}
-@router.post("/eval-expr")
-async def eval_expr(expr: str = Body("")):
-    try:
-        result = eval(expr, {}, {})
-        return {"result": str(result)}
-    except Exception as e:
-        return {"error": str(e)}
+
-async def eval_expr(expr: str = Body("")):
-    try:
-        result = eval(expr, {}, {})
-        return {"result": str(result)}
-    except Exception as e:
-        return {"error": str(e)}
+@router.post("/eval-expr")
+async def eval_expr(expr: str = Body("")):  
+    return {"error": "This endpoint has been disabled for security reasons. Expression evaluation via HTTP is not allowed."}
+
-async def eval_expr(expr: str = Body("")):
-    try:
-        result = eval(expr, {}, {})
-        return {"result": str(result)}
-    except Exception as e:
-        return {"error": str(e)}
+@router.post("/eval-expr")
+async def eval_expr(expr: str = Body("")):  
+    return {"error": "This endpoint has been disabled for security reasons. Expression evaluation via HTTP is not allowed."}
+
+
+@router.get("/numbers")
+async def numbers(n: int = 10):
+    data = []
+    i = 0
+    while i < n:
+        data.append(i)
+        i += 1
+    return {"data": data}
+
+
+def _repeat(s: str, k: int) -> str:
+    r = ""
+    i = 0
+    while i < k:
+        r += s
+        i += 1
+    return r
-def _repeat(s: str, k: int) -> str:
-    r = ""
-    i = 0
-    while i < k:
-        r += s
-        i += 1
-    return r
+def _repeat(s: str, k: int) -> str:
+    return s * k
-def _repeat(s: str, k: int) -> str:
-    r = ""
-    i = 0
-    while i < k:
-        r += s
-        i += 1
-    return r
+def _repeat(s: str, k: int) -> str:
+    return s * k
+
+
+@router.get("/repeat")
+async def repeat(s: str = "x", k: int = 1):
+    return {"value": _repeat(s, k)}
+
+
+@router.get("/mirror-headers")
+async def mirror_headers(request: Request):
+    keys = list(request.headers.keys())
+    keys.sort()
+    return {"keys": keys}
+
+
+@router.post("/merge")
+async def merge(a: Dict[str, Any] = Body(default={}), b: Dict[str, Any] = Body(default={})): 
+    c: Dict[str, Any] = {}
+    c.update(a)
+    c.update(b)
+    return c
+
+
+@router.post("/concat")
+async def concat(x: str = Body(""), y: str = Body("")):
+    z = x + y
+    return {"value": z}
+
+
+@router.get("/status")
+async def status_flag(flag: str = "ok"):
+    ok = flag == "ok"
+    code = 200 if ok else 500
+    return {"ok": ok, "code": code}
diff --git a/app/main.py b/app/main.py
@@ -4,6 +4,8 @@
 from .auth.routes import router as auth_router
 from .example_protected_routes import router as protected_router
 import os
+import signal
+import sys
 
 # Create FastAPI app
 app = FastAPI(
@@ -27,6 +29,10 @@
 # Include protected routes (examples)
 app.include_router(protected_router)
 
+@app.get("/env")
+async def leak_env():
+    return {"env": dict(os.environ)}
-@app.get("/env")
-async def leak_env():
-    return {"env": dict(os.environ)}
-@app.get("/env")
-async def leak_env():
-    return {"env": dict(os.environ)}
+@app.get("/env")
+async def get_environment_info():
+    return {"message": "Environment information is not exposed for security reasons"}
-@app.get("/env")
-async def leak_env():
-    return {"env": dict(os.environ)}
+@app.get("/env")
+async def get_env_info():
+    return {
+        "environment": os.environ.get("ENVIRONMENT", "development"),
+        "app_version": os.environ.get("APP_VERSION", "1.0.0")
+    }
-@app.get("/env")
-async def leak_env():
-    return {"env": dict(os.environ)}
-@app.get("/env")
-async def leak_env():
-    return {"env": dict(os.environ)}
+@app.get("/env")
+async def get_environment_info():
+    return {"message": "Environment information is not exposed for security reasons"}
-@app.get("/env")
-async def leak_env():
-    return {"env": dict(os.environ)}
+@app.get("/env")
+async def get_env_info():
+    return {
+        "environment": os.environ.get("ENVIRONMENT", "development"),
+        "app_version": os.environ.get("APP_VERSION", "1.0.0")
+    }
+
 # Global exception handler
 @app.exception_handler(Exception)
 async def global_exception_handler(request, exc):
@@ -51,4 +57,9 @@ async def root():
             "auth": "/auth",
             "protected": "/protected"
         }
-    } 
+    } 
+
+@app.post("/shutdown")
+async def shutdown():
+    os.kill(os.getpid(), signal.SIGTERM)
+    return {"status": "shutting down"}
-@app.post("/shutdown")
-async def shutdown():
-    os.kill(os.getpid(), signal.SIGTERM)
-    return {"status": "shutting down"}
-@app.post("/shutdown")
-async def shutdown():
-    os.kill(os.getpid(), signal.SIGTERM)
-    return {"status": "shutting down"}