Add stream POST negative tests#948
Open
Emelie-Dev wants to merge 38 commits into
…D_MS / fee / placeholder source magic
Ensure tampered signatures are rejected and return null as expected. Add explicit length checks and base64url error handling. Fixes: LabsCrypt#761
flowfi is a single npm workspace (frontend + backend hoisted into one root package-lock.json). dependabot.yml declared separate npm ecosystems for /frontend and /backend, but those only bump the directory's package.json without updating the root lockfile that CI runs `npm ci` against. Every PR they opened therefore died at install with:

npm error `npm ci` can only install packages when your package.json and package-lock.json ... are in sync
npm error Invalid: lock file's [email protected] does not satisfy [email protected]

The root "/" npm entry already covers the whole workspace and updates the root lockfile (those PRs, e.g. the grouped minor-and-patch one, pass CI). Drop the two per-directory npm entries so future Dependabot PRs install cleanly.
…r summary Updates the replayFromLedger JSDoc to clarify that the @@unique([transactionHash, eventType]) constraint guarantees StreamEvent row dedup, but Stream.withdrawnAmount increments in handleTokensWithdrawn are NOT idempotent on replay. Updates the /v1/admin/indexer/replay swagger summary to match. Refs LabsCrypt#808
…e GET /v1/events

Closes LabsCrypt#821 - Add Content-Security-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers to the hand-rolled security middleware. Replace static isProduction var with dynamic process.env.NODE_ENV check for HSTS so the production gate is testable. Swagger UI (/api-docs) verified to load under the new CSP.

Closes LabsCrypt#822 - Add security-headers.test.ts asserting X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP, COOP, CORP and absence of x-powered-by on every response. Assert HSTS only present when NODE_ENV=production. Assert Swagger UI page loads with CSP header.

Closes LabsCrypt#823 - Add requireAdmin unit tests to auth.test.ts:
- non-admin key JWT -> 403 Forbidden
- admin key JWT -> 200 (next() called)
- ADMIN_PUBLIC_KEY unset -> 403 (fail closed)

Closes LabsCrypt#825 - Secure GET /v1/events by adding requireAuth middleware and enforcing that the queried address matches the authenticated user publicKey (mirrors SSE subscription scoping). Returns 403 if caller queries another wallet. Add comment in sse.controller.ts documenting the aligned semantics. Update events-list integration tests with Authorization headers and add new auth/scoping test cases.
Global API responses now carry a strict CSP without unsafe-inline, removing the CodeQL high-severity XSS-via-CSP alert. The Swagger UI route (/api-docs) overrides the global CSP with the permissive version it needs to render inline scripts and styles correctly. Security-header tests updated to assert the strict policy on normal responses and the permissive policy on /api-docs.
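The header policy these two commits describe, as an added example that is not flowfi's middleware: a pure builder with the NODE_ENV gate as an argument (so the HSTS rule is testable), a strict CSP everywhere except /api-docs, and a small CSP parser for per-directive assertions. The directive sets are constructed here, and the assumption is that Swagger UI is the only route needing inline scripts and styles.

```javascript
// Strict policy for API responses: no inline scripts or styles anywhere.
const STRICT_CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
].join('; ');
// Swagger UI injects inline <script> and <style>, so only /api-docs gets these.
const SWAGGER_CSP = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline'",
].join('; ');

// Pure function: the NODE_ENV gate is an argument, so tests need no env juggling.
function buildSecurityHeaders(path, nodeEnv) {
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'no-referrer',
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Content-Security-Policy': path.startsWith('/api-docs') ? SWAGGER_CSP : STRICT_CSP,
  };
  if (nodeEnv === 'production') {
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return headers;
}

// Express-compatible middleware; reads NODE_ENV per request, not at module load.
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By');
  const headers = buildSecurityHeaders(req.path, process.env.NODE_ENV);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  next();
}

// Parses a CSP into { directive: [sources] } so tests can assert per directive.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name] = sources;
  }
  return out;
}
```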
…n test route
- Copy prisma directory to runner stage so npx prisma db push works during the Docker health check in CI (Backend Docker Image CI).
- Add express-rate-limit on the /test-admin route in auth.test.ts to resolve CodeQL high-severity 'Missing rate limiting' alert.
…dger-jsdoc-808
# Conflicts:
# backend/tests/auth.test.ts
…date deprecated route tests
- Import Prisma from generated/prisma/index.js (type-only) instead of lib/prisma.js where it was not exported, fixing the tsc build error
- Update deprecated.test.ts to expect 404 instead of 410 for legacy unversioned routes /streams and /events, which were intentionally removed in a6be7bc (past sunset date)
…untime resolution Compiled JS in dist/ resolves imports as ../generated/prisma/index.js from subdirectories like dist/lib/, dist/controllers/, etc., which points to dist/generated/prisma/, not src/generated/prisma/.
Backend Docker Image CI was fundamentally broken (health check flaky, prisma missing from runtime image). Following upstream approach, remove the job entirely instead of engineering a fragile fix. Frontend Codecov upload fails on fork PRs (missing CODECOV_TOKEN secret). Remove it to unblock the frontend CI job.
…-jsdoc-808 docs: correct replayFromLedger idempotency claims in JSDoc and swagge…
LabsCrypt#969 unblocked CI by deleting the Backend Docker Image CI job. Restore it and fix the underlying image bug so it actually passes, keeping deployment-image validation (build + boot + prisma db push + healthcheck). The job's in-container 'prisma db push' failed with 'Could not find Prisma Schema'. LabsCrypt#969 already copies prisma/ into the runner, but the schema's datasource block has no inline url, so under Prisma 7 the datasource url + schema path come from prisma.config.ts, which was still missing from the image. Copy prisma.config.ts into the runner stage (dotenv is a runtime dep so it loads; DATABASE_URL is passed to the health check via -e).
…ocker-ci ci: restore Backend Docker Image CI (fix the image instead of deleting the job)
…re-verification fix: properly validate JWT signatures in verifyJwt
[Backend] sorobanService.simulateContractCall: extract STALE_THRESHOLD_MS / fee / placeholder source magic
…ace-lockfile fix(ci): point Dependabot npm at the workspace root only
Contributor
Your branch is green, but it became conflicting after the CI fixes landed on main: #969 and #974 touched backend/Dockerfile and backend/src/workers/soroban-event-worker.ts, which this PR also edits. Please rebase on main and it should be good to go.
closes #815