A modular FastAPI-based API that proxies requests to Google’s Gemini LLM and manages a real-time game leaderboard.
Designed to be embedded in a Godot game so your project can consume a language‑model API securely and with rate‑limiting, while also tracking player scores securely.
⚠️ Security note
The server expects requests to carryX‑App‑Token/X-Admin-Keyheaders; keep these tokens secret.
The real LLM API key and other secrets are securely encrypted at rest and decrypted in memory during runtime.
.
├── app/ # Main application package
│ ├── config/ # Centralized configuration & runtime decryption
│ ├── database/ # Supabase / PostgreSQL connection
│ ├── routers/ # API endpoints (AI, Leaderboard, etc.)
│ ├── security/ # Cryptography scripts (gen_key.py, encrypt.py)
│ ├── services/ # Business logic & AI context
│ └── main.py # FastAPI application factory
├── main.py # Main Uvicorn entry point
├── render.yaml # Render Infrastructure-as-Code config
├── requirements.txt # Python dependencies
└── README.md # This documentation
- Single endpoint (
/askai) to send prompts and receive generated text. - Advanced AI Service layer using static methods and external markdown context.
- Leaderboard API for managing a PostgreSQL database (Supabase).
- Built‑in rate limiting (10 requests/minute per client IP for the AI).
- CORS enabled for cross‑origin calls from your Godot project or Astro Frontend.
- Simple token‑based authentication to prevent unauthorized use.
Multiple security layers have been implemented to protect the server, the Gemini API quota, and mitigate vulnerabilities:
- Environment Variable Encryption (Zero-Disk): Secrets are NOT stored in plain text. The project uses the
cryptographylibrary (Fernet AES-128-CBC) to encrypt the.envfile into a.env.encpayload.app/config/settings.pydecrypts this payload directly into RAM viaio.StringIOduring startup. - Anti-DDoS Rate Limiting: Integration of
slowapi, limiting requests to 10 per minute per IP. It usesX-Forwarded-For(forwarded_allow_ips="*") to accurately resolve real IPs behind cloud reverse proxies like Render. - Strict Origin Validation (CORS): HTTP requests are restricted exclusively to trusted domains.
- Token Authentication (
X-App-Token/X-Admin-Key): Mandatory validation before processing requests, returning403 Forbiddenif invalid. - Prompt Injection Mitigation: User inputs are safely encapsulated and system instructions are strictly enforced.
To ensure maximum operational security (OPSEC), we encrypt secrets locally before deploying.
Run the key generator to create your local secret.key (This file is ignored in .gitignore):
python app/security/gen_key.pyCreate your standard .env file with your real secrets:
GEMINI_API_KEY=your_key
DATABASE_URL=your_db_url
APP_TOKEN=your_tokenRun the encryptor script:
python app/security/encrypt.pyThis will generate .env.enc.
The settings.py file automatically handles loading. Locally, it looks for app/security/secret.key and decrypts .env.enc. In production (Render), it looks for the SECRET_KEY environment variable.
-
Clone the repo:
git clone https://github.com/<your‑username>/advad-backend.git cd advad-backend
-
Create a virtual environment:
python -m venv venv source venv/bin/activate # macOS / Linux .\venv\Scripts\activate # Windows
-
Install dependencies:
pip install -r requirements.txt
-
Run locally: Simply run the main entry point. The server will decrypt variables and boot up Uvicorn.
python main.py
The unified server listens on the port specified by the environment (default
10000).
This project is fully configured for Render utilizing Secret Files to maintain a clean GitHub repository.
- Connect your repository to Render using the
render.yamlblueprint (Docker environment). - Go to the Environment tab in your Render Web Service dashboard.
- Add a normal Environment Variable:
SECRET_KEY=<paste the contents of your local secret.key>
- Scroll down to Secret Files and create a file:
- Filename:
.env.enc - Contents:
<paste the contents of your .env.enc (gAAAAAB...)>
- Filename:
- Render will automatically place the Secret File at
/etc/secrets/.env.enc. Thesettings.pymodule will detect it, decrypt it in memory, and boot the server seamlessly.
GET /→ Health check.POST /askai→ Send a prompt to the LLM. RequiresX-App-Token.
POST /api/record-phase→ Submit a player's reached phase.GET /api/check-name/{pilot_name}→ Check pilot name availability.GET /api/top-pilots→ Returns the top 10 grouped high scores.DELETE /api/admin/delete-pilot/{pilot_name}→ Purge a pilot (RequiresX-Admin-Key).
- Change AI Context: Modify
app/services/chatai_context.mdto alter the core instructions. - Adjust rate limiting: Modify the
@limiter.limitdecorator rules in the routers.
Feel free to fork, modify, or integrate this microserver into your own projects.
Contributions and issues are welcome.