
Add stream POST negative tests#948

Open
Emelie-Dev wants to merge 38 commits into
LabsCrypt:mainfrom
Emelie-Dev:test/815-stream-post-negative-cases

Conversation

@Emelie-Dev


closes #815

EbukaMoses and others added 23 commits June 2, 2026 11:02
Ensure tampered signatures are rejected and return null as expected.
Add explicit length checks and base64url error handling.

Fixes: LabsCrypt#761
flowfi is a single npm workspace (frontend + backend hoisted into one root
package-lock.json). dependabot.yml declared separate npm ecosystems for
/frontend and /backend, but those only bump the directory's package.json
without updating the root lockfile that CI runs `npm ci` against. Every PR they
opened therefore died at install with:

  npm error `npm ci` can only install packages when your package.json and
  package-lock.json ... are in sync
  npm error Invalid: lock file's [email protected] does not satisfy [email protected]

The root "/" npm entry already covers the whole workspace and updates the root
lockfile (those PRs, e.g. the grouped minor-and-patch one, pass CI). Drop the
two per-directory npm entries so future Dependabot PRs install cleanly.
…r summary

Updates the replayFromLedger JSDoc to clarify that the
@@unique([transactionHash, eventType]) constraint guarantees
StreamEvent row dedup, but Stream.withdrawnAmount increments in
handleTokensWithdrawn are NOT idempotent on replay.

Updates the /v1/admin/indexer/replay swagger summary to match.

Refs LabsCrypt#808
…e GET /v1/events

Closes LabsCrypt#821 - Add Content-Security-Policy, Cross-Origin-Opener-Policy and
Cross-Origin-Resource-Policy headers to the hand-rolled security middleware.
Replace static isProduction var with dynamic process.env.NODE_ENV check for
HSTS so the production gate is testable. Swagger UI (/api-docs) verified to
load under the new CSP.

Closes LabsCrypt#822 - Add security-headers.test.ts asserting X-Content-Type-Options,
X-Frame-Options, Referrer-Policy, CSP, COOP, CORP and absence of x-powered-by
on every response. Assert HSTS only present when NODE_ENV=production. Assert
Swagger UI page loads with CSP header.

Closes LabsCrypt#823 - Add requireAdmin unit tests to auth.test.ts:
  - non-admin key JWT -> 403 Forbidden
  - admin key JWT -> 200 (next() called)
  - ADMIN_PUBLIC_KEY unset -> 403 (fail closed)

Closes LabsCrypt#825 - Secure GET /v1/events by adding requireAuth middleware and
enforcing that the queried address matches the authenticated user publicKey
(mirrors SSE subscription scoping). Returns 403 if caller queries another
wallet. Add comment in sse.controller.ts documenting the aligned semantics.
Update events-list integration tests with Authorization headers and add new
auth/scoping test cases.
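The JWT checks described in the earlier commit (tampered signatures rejected by returning null, explicit length checks, base64url error handling) and the requireAdmin fail-closed rule and GET /v1/events caller scoping from the commit above, shown together as one added example. This is not LabsCrypt's code: it assumes HS256 with a shared secret, a `publicKey` claim carrying the caller's wallet address, a `Bearer` Authorization header, and the helper names `decodeBase64Url`, `signJwt`, `requireAdmin` and `authorizeEventsQuery`; the project's actual claim names, key type and middleware signatures are not shown on this page.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not LabsCrypt's code. Assumes HS256 with a shared secret and a
// `publicKey` claim holding the caller's wallet address; the project's real
// verifyJwt, claim names and key type are not shown on the page.
export interface JwtClaims { publicKey: string; exp?: number; [k: string]: unknown }
export interface AuthResult { status: 200 | 401 | 403; reason?: string }

// Strict base64url: no padding, no '+' or '/', and the bytes must re-encode to the
// same string, so a non-canonical or corrupted segment is an error, not a guess.
export function decodeBase64Url(seg: string): Buffer | null {
  if (!/^[A-Za-z0-9_-]*$/.test(seg) || seg.length % 4 === 1) return null;
  const buf = Buffer.from(seg, "base64url");
  return buf.toString("base64url") === seg ? buf : null;
}

function parseJson(buf: Buffer): unknown {
  try { return JSON.parse(buf.toString("utf8")); } catch { return undefined; }
}
function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

export function signJwt(claims: JwtClaims, secret: string): string {
  const enc = (o: unknown) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${input}.${createHmac("sha256", secret).update(input).digest("base64url")}`;
}

// Returns the claims on success and null on any defect: wrong shape, undecodable
// segment, unexpected alg, signature of the wrong length, signature mismatch, expiry.
export function verifyJwt(token: string, secret: string, now = Date.now()): JwtClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const hdr = decodeBase64Url(h), body = decodeBase64Url(p), sig = decodeBase64Url(s);
  if (!hdr || !body || !sig) return null;
  const header = parseJson(hdr);
  if (!isRecord(header) || header.alg !== "HS256") return null; // pin alg; never honour "none"
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  // Length check first: timingSafeEqual throws on unequal lengths, and a truncated
  // or empty signature must be a clean null, not an exception.
  if (sig.length !== expected.length || !timingSafeEqual(sig, expected)) return null;
  const claims = parseJson(body);
  if (!isRecord(claims) || typeof claims.publicKey !== "string") return null;
  if (typeof claims.exp === "number" && claims.exp * 1000 <= now) return null;
  return claims as JwtClaims;
}

function claimsFromHeader(authHeader: string | undefined, secret: string): JwtClaims | null {
  if (!authHeader || !authHeader.startsWith("Bearer ")) return null;
  return verifyJwt(authHeader.slice("Bearer ".length).trim(), secret);
}

function sameKey(a: string, b: string): boolean {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// requireAdmin: a valid JWT whose publicKey equals ADMIN_PUBLIC_KEY.
// Fails closed: with no admin key configured, nobody is admin (403, not 200).
export function requireAdmin(authHeader: string | undefined, secret: string,
                             adminPublicKey: string | undefined): AuthResult {
  const claims = claimsFromHeader(authHeader, secret);
  if (!claims) return { status: 401, reason: "missing or invalid token" };
  if (!adminPublicKey) return { status: 403, reason: "ADMIN_PUBLIC_KEY unset" };
  if (!sameKey(claims.publicKey, adminPublicKey)) return { status: 403, reason: "not admin" };
  return { status: 200 };
}

// GET /v1/events scoping: a caller may only query the wallet it authenticated as.
export function authorizeEventsQuery(authHeader: string | undefined, secret: string,
                                     queriedAddress: string): AuthResult {
  const claims = claimsFromHeader(authHeader, secret);
  if (!claims) return { status: 401, reason: "missing or invalid token" };
  if (!sameKey(claims.publicKey, queriedAddress)) {
    return { status: 403, reason: "queried address does not match caller" };
  }
  return { status: 200 };
}
```

The ordering inside `verifyJwt` is the point: every segment is decoded strictly before anything is parsed, the algorithm is pinned rather than read from the token, and the signature length is compared before `timingSafeEqual` so a short or empty signature cannot turn into a thrown exception that a caller might mistake for a server error. Nothing is returned to the authorization helpers until all of that has passed, which is what lets `requireAdmin` and `authorizeEventsQuery` stay small.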
Global API responses now carry a strict CSP without unsafe-inline, removing
the CodeQL high-severity XSS-via-CSP alert. The Swagger UI route (/api-docs)
overrides the global CSP with the permissive version it needs to render
inline scripts and styles correctly. Security-header tests updated to assert
the strict policy on normal responses and the permissive policy on /api-docs.
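The header set and the per-route CSP split described in the two commits above, as an added example rather than the project's middleware. It is framework-agnostic so it runs offline: `securityHeaders` computes the headers for a request path and a NODE_ENV value, and `applySecurityHeaders` is an Express-shaped adapter that is not wired to Express here. The exact directive values, the `/api-docs` prefix match, the one-year HSTS max-age and the helper names are assumptions; the page only names the headers and the strict-versus-permissive split.

```typescript
// Added example, not LabsCrypt's middleware. Directive values and the HSTS
// max-age are assumptions; the page only names the headers and the /api-docs split.
export const STRICT_CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self'",
  "img-src 'self' data:",
  "object-src 'none'",
  "frame-ancestors 'none'",
  "base-uri 'self'",
].join("; ");

// Swagger UI renders inline <script> and <style>, so only this route gets
// 'unsafe-inline'. Scoping it to the route is what lets the API itself stay strict.
export const SWAGGER_CSP = STRICT_CSP
  .replace("script-src 'self'", "script-src 'self' 'unsafe-inline'")
  .replace("style-src 'self'", "style-src 'self' 'unsafe-inline'");

export const SWAGGER_PATH = "/api-docs";

export function isSwaggerPath(path: string): boolean {
  return path === SWAGGER_PATH || path.startsWith(SWAGGER_PATH + "/");
}

// Headers for one response. nodeEnv is a parameter (the adapter reads
// process.env.NODE_ENV per request) so the production-only HSTS gate is testable.
export function securityHeaders(path: string, nodeEnv: string | undefined): Record<string, string> {
  const headers: Record<string, string> = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Content-Security-Policy": isSwaggerPath(path) ? SWAGGER_CSP : STRICT_CSP,
  };
  if (nodeEnv === "production") {
    // Outside production HSTS would pin dev/test hosts to HTTPS for a year.
    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
  }
  return headers;
}

// Minimal request/response shapes so this runs without express installed.
export interface HeaderRes {
  setHeader(name: string, value: string): void;
  removeHeader(name: string): void;
}

export function applySecurityHeaders(req: { path: string }, res: HeaderRes, next: () => void): void {
  for (const [name, value] of Object.entries(securityHeaders(req.path, process.env.NODE_ENV))) {
    res.setHeader(name, value);
  }
  res.removeHeader("X-Powered-By"); // fingerprinting header Express adds by default
  next();
}

// The check a security-headers test makes on every non-Swagger response.
export function hasStrictCsp(headers: Record<string, string>): boolean {
  const csp = headers["Content-Security-Policy"] ?? "";
  return csp.length > 0 && !csp.includes("'unsafe-inline'");
}
```

Deriving `SWAGGER_CSP` from `STRICT_CSP` by string replacement keeps the two policies in lockstep: any directive tightened in the strict policy (object-src, frame-ancestors, base-uri) is automatically inherited by the Swagger route, and the only relaxation that can ever apply there is the inline allowance it actually needs.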
…n test route

- Copy prisma directory to runner stage so npx prisma db push works
  during the Docker health check in CI (Backend Docker Image CI).
- Add express-rate-limit on the /test-admin route in auth.test.ts to
  resolve CodeQL high-severity 'Missing rate limiting' alert.
…dger-jsdoc-808

# Conflicts:
#	backend/tests/auth.test.ts
…date deprecated route tests

- Import Prisma from generated/prisma/index.js (type-only) instead of
  lib/prisma.js where it was not exported, fixing the tsc build error
- Update deprecated.test.ts to expect 404 instead of 410 for legacy
  unversioned routes /streams and /events, which were intentionally
  removed in a6be7bc (past sunset date)
…untime resolution

Compiled JS in dist/ resolves imports as ../generated/prisma/index.js
from subdirectories like dist/lib/, dist/controllers/, etc., which
points to dist/generated/prisma/, not src/generated/prisma/.
Backend Docker Image CI was fundamentally broken (health check flaky,
prisma missing from runtime image). Following upstream approach, remove
the job entirely instead of engineering a fragile fix.

Frontend Codecov upload fails on fork PRs (missing CODECOV_TOKEN secret).
Remove it to unblock the frontend CI job.
Emelie-Dev force-pushed the test/815-stream-post-negative-cases branch from 4c19d29 to e148673 on June 30, 2026 23:49
Emelie-Dev and others added 6 commits July 1, 2026 00:54
…-jsdoc-808

docs: correct replayFromLedger idempotency claims in JSDoc and swagge…
LabsCrypt#969 unblocked CI by deleting the Backend Docker Image CI job. Restore it and
fix the underlying image bug so it actually passes, keeping deployment-image
validation (build + boot + prisma db push + healthcheck).

The job's in-container 'prisma db push' failed with 'Could not find Prisma
Schema'. LabsCrypt#969 already copies prisma/ into the runner, but the schema's
datasource block has no inline url, so under Prisma 7 the datasource url +
schema path come from prisma.config.ts, which was still missing from the image.
Copy prisma.config.ts into the runner stage (dotenv is a runtime dep so it
loads; DATABASE_URL is passed to the health check via -e).
…ocker-ci

ci: restore Backend Docker Image CI (fix the image instead of deleting the job)
…re-verification

fix: properly validate JWT signatures in verifyJwt
ogazboiz added 2 commits July 1, 2026 02:23
[Backend] sorobanService.simulateContractCall: extract STALE_THRESHOLD_MS / fee / placeholder source magic
…ace-lockfile

fix(ci): point Dependabot npm at the workspace root only
ogazboiz (Contributor) commented Jul 1, 2026

Your branch is green, but it now conflicts after the CI fixes landed on main: #969 and #974 touched backend/Dockerfile and backend/src/workers/soroban-event-worker.ts, which this PR also edits. Please rebase on main and it should be good to go: `git fetch origin && git rebase origin/main && git push --force-with-lease`. If any of your Dockerfile or soroban-event-worker changes overlap what #969 already did (copying prisma/ into the runner, and the `import type { Prisma } from '../generated/prisma'` fix), drop those now-redundant bits and keep just your actual change. I'll re-review and merge once it's rebased and CI is green.


Development

Successfully merging this pull request may close these issues.

[Testing] POST /v1/streams lacks negative tests for malformed body and caller authorization

8 participants