Local Coding Time Tracker#435

Open
atul-upadhyay-7 wants to merge 4 commits into
Priyanshu-byte-coder:mainfrom
atul-upadhyay-7:feature/local-coding-time

Conversation

@atul-upadhyay-7

Implements local coding time tracking feature as requested in #379.

Features

  • Track local coding time from VS Code extension
  • API key authentication for secure data sync
  • Dashboard widget showing coding time statistics
  • Respect privacy - users control what gets shared

API Endpoints

  • GET/POST /api/local-coding/keys - Manage API keys
  • POST /api/local-coding/sync - Sync sessions from VS Code extension
  • GET /api/local-coding/stats - Get statistics for dashboard

Database

  • local_coding_sessions table - Stores daily coding time aggregates
  • local_coding_api_keys table - API key authentication

Components

  • LocalCodingTime component - Shows coding time in dashboard
  • Replace FriendComparison with LocalCodingTime widget

- Add database tables for local coding sessions and API keys
- Add API routes for managing API keys
- Add sync endpoint for VS Code extension to upload sessions
- Add stats endpoint for dashboard display
- Add LocalCodingTime component to dashboard
- Show local coding time alongside GitHub activity

vercel Bot commented May 20, 2026

Someone is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the gssoc26 GSSoC 2026 contribution label May 20, 2026
@github-actions

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus


@Priyanshu-byte-coder Priyanshu-byte-coder left a comment


Security: API keys stored in plaintext.

api_key in local_coding_api_keys stores the raw token. If the database is compromised, all API keys are exposed. Store a SHA-256 hash of the key and compare against the hash on authentication (the raw key is shown to the user only once at generation time).

Additional required fixes:

  • No rate limiting on /api/local-coding/sync — this endpoint is authenticated by bearer token only (no NextAuth session). A leaked key can upsert unlimited rows with no throttle.
  • days param not validated: parseInt(searchParams.get('days') || '30', 10) allows arbitrarily large values. Clamp to an allowlist (7/30/90) or set a hard max.
  • No per-user session row limit — users can accumulate unlimited rows with no cap.
  • Missing EOF newlines on all three new API route files and LocalCodingTime.tsx and the migration SQL.
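The hashed-key pattern the review asks for, as an added example that is not code from this PR or the project: the table and column names (local_coding_api_keys, api_key_hash) come from the discussion, while the in-memory table, the key prefix and the function names are assumptions. The raw key is returned once at generation time, only its SHA-256 digest is persisted, and authentication hashes the presented bearer token and compares digests in constant time. In the real route the lookup would be a query against api_key_hash rather than a scan of an array.

```typescript
// Added example (not from the PR): hashed API-key storage and verification
// for a route such as /api/local-coding/keys. Table/column names follow the
// review thread; the store, key prefix and function names are assumptions.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed stand-in for the local_coding_api_keys table.
interface ApiKeyRow {
  user_id: string;
  api_key_hash: string; // hex SHA-256 of the raw key; the raw key is never stored
}
const apiKeyTable: ApiKeyRow[] = [];

// SHA-256 hex digest of a raw key; this is what the database holds.
function hashApiKey(rawKey: string): string {
  return createHash("sha256").update(rawKey, "utf8").digest("hex");
}

// Generates a key, persists only its hash, and returns the raw key once.
function generateApiKey(userId: string): string {
  const rawKey = "lct_" + randomBytes(32).toString("hex"); // 256 bits of entropy
  apiKeyTable.push({ user_id: userId, api_key_hash: hashApiKey(rawKey) });
  return rawKey; // shown to the user exactly once; not recoverable afterwards
}

// Resolves a presented key to a user id, or null if no row matches.
function authenticateApiKey(rawKey: string): string | null {
  const candidate = Buffer.from(hashApiKey(rawKey), "hex");
  for (const row of apiKeyTable) {
    const stored = Buffer.from(row.api_key_hash, "hex");
    // timingSafeEqual needs equal lengths; SHA-256 digests are always 32 bytes
    if (stored.length === candidate.length && timingSafeEqual(stored, candidate)) {
      return row.user_id;
    }
  }
  return null;
}

// Extracts the token from an "Authorization: Bearer <token>" header; null if malformed.
function bearerToken(header: string | null): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}
```

Because the stored value is a digest of a high-entropy random key, a database dump yields nothing a client can present; a stolen hash cannot be replayed as a bearer token.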

@Priyanshu-byte-coder Priyanshu-byte-coder added level:advanced GSSoC: Advanced difficulty (55 pts) type:feature GSSoC type bonus: new feature type:security GSSoC type bonus: security (+20 pts) labels May 20, 2026
atul-upadhyay-7 and others added 3 commits May 20, 2026 22:11
- Store SHA-256 hash of API keys instead of plaintext in local_coding_api_keys
- Add rate limiting: MAX_SESSIONS_PER_REQUEST=100, MAX_SESSIONS_PER_USER=365
- Validate days parameter with allowlist [7, 30, 90] (defaults to 30)
- Add per-user session row limit (365 days max)
- Add EOF newlines to all local-coding route files, component, and migrations
@atul-upadhyay-7
Author

Security Fixes Applied

Addressed all mentor review feedback:

1. API Key Hashing (Blocking)

  • API keys now stored as SHA-256 hashes in api_key_hash column
  • Raw key shown to user only once at generation time
  • Authentication compares hash of provided key against stored hash
  • Migration 20260522000000_add_api_key_hash_column.sql adds the hash column

2. Rate Limiting on /api/local-coding/sync

  • MAX_SESSIONS_PER_REQUEST = 100 — limits sessions per sync request
  • MAX_SESSIONS_PER_USER = 365 — caps total sessions per user (1 year of daily data)
  • Requests exceeding limits return 400 with clear error message

3. Days Parameter Validation

  • Allowlist: [7, 30, 90] days only
  • Invalid values default to 30 days
  • Applied to both /sync and /stats endpoints

4. Per-User Session Row Limit

  • Hard cap of 365 sessions per user
  • Checked before upsert to prevent unlimited row accumulation

5. EOF Newlines

  • Added trailing newlines to:
    • src/app/api/local-coding/sync/route.ts
    • src/app/api/local-coding/keys/route.ts
    • src/app/api/local-coding/stats/route.ts
    • src/components/LocalCodingTime.tsx
    • supabase/migrations/20260521000000_add_local_coding_tables.sql
    • supabase/migrations/20260522000000_add_api_key_hash_column.sql
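The request-side limits described in points 2 to 4 above, as an added example rather than the PR's own route code: the constant names and values (MAX_SESSIONS_PER_REQUEST = 100, MAX_SESSIONS_PER_USER = 365, the [7, 30, 90] allowlist, 400 on violation) follow the author's summary; the session shape, the in-memory store and the function names are assumptions. The per-user check counts only dates that would become new rows, so re-uploading an existing day is treated as an update and does not consume the cap.

```typescript
// Added example (not the PR's code): validation for the /api/local-coding/sync
// and /api/local-coding/stats handlers using the limits agreed in review.
// Session shape, store and function names are assumptions for this demo.

const ALLOWED_DAYS = [7, 30, 90] as const;
type AllowedDays = (typeof ALLOWED_DAYS)[number];
const MAX_SESSIONS_PER_REQUEST = 100;
const MAX_SESSIONS_PER_USER = 365;

// Replaces the unbounded parseInt(...): anything outside the allowlist becomes 30.
function parseDays(raw: string | null): AllowedDays {
  const n = Number.parseInt(raw ?? "30", 10);
  return (ALLOWED_DAYS as readonly number[]).includes(n) ? (n as AllowedDays) : 30;
}

// Assumed shape of one daily aggregate uploaded by the VS Code extension.
interface SessionUpload {
  date: string;    // "YYYY-MM-DD"
  seconds: number; // coding time for that day
}

type SyncResult =
  | { status: 200; accepted: number }
  | { status: 400; error: string };

const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// One day holds at most 86 400 seconds; reject anything else before it reaches the DB.
function validateSession(s: unknown): s is SessionUpload {
  if (typeof s !== "object" || s === null) return false;
  const o = s as Record<string, unknown>;
  return typeof o.date === "string" && DATE_RE.test(o.date) &&
    typeof o.seconds === "number" && Number.isInteger(o.seconds) &&
    o.seconds >= 0 && o.seconds <= 86_400;
}

// Constructed in-memory stand-in for local_coding_sessions: user -> (date -> seconds).
const sessionStore = new Map<string, Map<string, number>>();

function syncSessions(userId: string, body: unknown): SyncResult {
  if (!Array.isArray(body)) return { status: 400, error: "body must be an array of sessions" };
  if (body.length > MAX_SESSIONS_PER_REQUEST)
    return { status: 400, error: `at most ${MAX_SESSIONS_PER_REQUEST} sessions per request` };
  if (!body.every(validateSession)) return { status: 400, error: "invalid session entry" };

  const existing = sessionStore.get(userId) ?? new Map<string, number>();
  // Count the rows the upsert would add (new dates only) before writing anything.
  const newDates = new Set(body.map((s) => s.date).filter((d) => !existing.has(d)));
  if (existing.size + newDates.size > MAX_SESSIONS_PER_USER)
    return { status: 400, error: `per-user limit of ${MAX_SESSIONS_PER_USER} sessions reached` };

  for (const s of body) existing.set(s.date, s.seconds); // upsert keyed by date
  sessionStore.set(userId, existing);
  return { status: 200, accepted: body.length };
}

function sessionCount(userId: string): number {
  return sessionStore.get(userId)?.size ?? 0;
}
```

In the route handler the SyncResult maps straight onto the JSON response and its status code; keeping the checks in a plain function makes them unit-testable without a framework.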
