fix(frontend): remove stray Token label from handleWithdraw #927
Open
Kaycee276 wants to merge 119 commits into
Contributor
your branch is green, but it went conflicting after the ci fixes landed on main: #969 and #974 touched backend/Dockerfile and backend/src/workers/soroban-event-worker.ts, which this pr also edits. please rebase on main and it should be good to go:
…tIndexer/replayFromLedger (LabsCrypt#697)
The adminRoutes.ts duplicate (ADMIN_SECRET Bearer auth, awkward /v1/admin/metrics/metrics path) was already removed in e6fa5c2. All four @openapi annotations in admin.routes.ts still declared `security: [{ bearerAuth: [] }]`, implying any user JWT suffices. The router enforces requireAdmin (JWT whose subject must equal ADMIN_PUBLIC_KEY), and swagger.ts already defines an `adminAuth` security scheme for exactly this. Switch all four annotations to `adminAuth` so the OpenAPI spec accurately reflects the access model. Closes LabsCrypt#542
…add periodic cache pruning
Issue LabsCrypt#699: Unified localStorage keys for stream templates
- Changed StreamCreationWizard to use 'flowfi.stream.templates.v1'
- Both wizard and dashboard now share the same template storage
- Templates saved in either location are now accessible from both
- Added comprehensive tests for template storage unification
Issue LabsCrypt#682: Added periodic cache pruning for userSummaryCache
- Implemented setInterval to prune expired cache entries every 60s
- Prevents memory drift in idle backend instances
- Cache entries still expire after 30s TTL as before
- Added comprehensive tests for cache pruning behavior
Tests:
- frontend: 6 new tests for template storage (all passing)
- backend: 6 new tests for cache pruning (all passing)
Closes LabsCrypt#545 — cancel.ts read SOROBAN_SECRET_KEY while sorobanService.ts (topUpStream) read KEEPER_SECRET_KEY, forcing operators to set two differently-named vars for the same server-side signing key. Renamed the SOROBAN_SECRET_KEY references in cancel.ts and its tests to KEEPER_SECRET_KEY so both code paths use one canonical name. Also added KEEPER_SECRET_KEY to .env.example with a description covering both cancel_stream and top_up_stream.
…rable (LabsCrypt#643)
- Replace the hardcoded 60s sweep interval with a configurable interval reading process.env.MEMORY_CACHE_SWEEP_MS (defaulting to 60_000ms).
- Store the interval handle and export stopMemoryCacheSweep() to prevent leaking timers across Vitest runs.
- Call stopMemoryCacheSweep() in disconnectRedis() for symmetry.
- Document MEMORY_CACHE_SWEEP_MS in .env.example.
- Expose startMemoryCacheSweep() and stopMemoryCacheSweep() in unit tests to test configuration and cleanup.
The withdraw function contained an unreachable second if stream.paused guard immediately after an identical first check. Since validate_stream_active and the first paused guard already cause an early return, the second block was dead code. Remove it to improve readability and reduce WASM size.
…irectory
Remove the stale contracts/stream_contract/src/stream_contract/ subtree. This nested directory was never wired into the crate module tree (lib.rs declares mod test; which resolves to src/test.rs, not this path), so the 61-line fuzz_stream_invariants stub it contained was never compiled or run. The four arithmetic invariants it tested (withdrawn<=deposited, claimable<=remaining, non-negative accrual, cancel_refund+withdrawn<=deposited) are already covered by test_fuzz_withdrawn_never_exceeds_deposited, test_fuzz_claimable_never_exceeds_remaining, test_fuzz_cancel_early_refunds, and test_fuzz_claimable_overflow_and_cancel_invariants in src/test.rs.
These files were removed from tracking in 46a731f (chore: remove test_snapshots from tracking, add to .gitignore) but were re-committed in subsequent feature branches without being caught by the ignore rule. The policy is clear: test_snapshots/ is auto-generated by the Soroban test runner and must never be committed. No .gitignore changes needed.
The rate_per_second is guaranteed >= 1 due to create_stream's InvalidRate
guard at line 216. Therefore, the else { now } branch in resume_stream's
new_end_time calculation is unreachable and can be removed. Replaced with
a direct calculation and added a comment documenting the invariant.
Closes LabsCrypt#800
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…tion
Add test_withdraw_rejects_double_withdraw_after_completion to verify that attempting to withdraw a second time after a stream has been fully drained and marked as inactive returns StreamInactive error. This ensures transfer_and_update_stream properly sets is_active=false on full drain, and subsequent withdraws correctly validate stream activity.
Closes LabsCrypt#796
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…ent typing
Replace all 10 instances of 'tx: any' in soroban-event-worker.ts with proper Prisma.TransactionClient type. This enables TypeScript to catch typos and missing model methods at compile time, improving type safety for all database transaction callbacks in the worker.
Lines replaced:
- Line 149: ensureSystemStream method signature
- Lines 354, 402, 465, 554, 625, 691, 749, 856, 913: prisma.\$transaction callbacks
Closes LabsCrypt#633
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…thdrawn > deposited -> 0)
Fix the guard itself: checked_sub().unwrap_or_default() only catches i128 boundary overflow, not an ordinary negative result. Replace with saturating_sub().max(0) so any withdrawn_amount > deposited_amount correctly yields 0 without panicking. Add test_calculate_claimable_underflow_returns_zero that forces the condition via env.as_contract storage manipulation and asserts 0.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…their sunset date
The 2024-12-31 sunset date is 18 months in the past. Remove both unversioned route handlers from app.ts (clients hitting them will now get a 404 rather than a 410 with a stale date). Update DEPRECATION_POLICY.md to record the routes as removed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Gates debug/info/warn on NODE_ENV !== 'production'; always surfaces error. Provides a single import point so all call-sites can be replaced consistently.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… call-sites
Replaces 14 raw console.error/warn/info calls across 9 files with the new logger helper so debug output is suppressed in production builds.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e.* in frontend
Applies to src/**/*.{ts,tsx}, excluding src/lib/logger.ts so the logger
module itself can still reference console internally.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ApiBaseUrl()
Remove five independent process.env.NEXT_PUBLIC_API_URL definitions (some with /v1 suffix, some without) and replace each with getApiBaseUrl() from lib/api/_shared.ts. URL paths that previously depended on a /v1 suffix in the variable now concatenate /v1 explicitly, so behaviour is identical regardless of whether the env var includes the suffix.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e GET /v1/events
Closes LabsCrypt#821 - Add Content-Security-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers to the hand-rolled security middleware. Replace static isProduction var with dynamic process.env.NODE_ENV check for HSTS so the production gate is testable. Swagger UI (/api-docs) verified to load under the new CSP.
Closes LabsCrypt#822 - Add security-headers.test.ts asserting X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP, COOP, CORP and absence of x-powered-by on every response. Assert HSTS only present when NODE_ENV=production. Assert Swagger UI page loads with CSP header.
Closes LabsCrypt#823 - Add requireAdmin unit tests to auth.test.ts:
  - non-admin key JWT -> 403 Forbidden
  - admin key JWT -> 200 (next() called)
  - ADMIN_PUBLIC_KEY unset -> 403 (fail closed)
Closes LabsCrypt#825 - Secure GET /v1/events by adding requireAuth middleware and enforcing that the queried address matches the authenticated user publicKey (mirrors SSE subscription scoping). Returns 403 if caller queries another wallet. Add comment in sse.controller.ts documenting the aligned semantics. Update events-list integration tests with Authorization headers and add new auth/scoping test cases.
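The fail-closed admin check and the wallet scoping described in the commit message above, as an added example that is not code from this PR. The function names, the `Decision` type and the sample keys are hypothetical, and the JWT is assumed to be signature-verified already, so only its subject is compared.

```typescript
// Added illustration; not the project's middleware. Assumes the JWT signature
// was verified upstream and `subject` is the token's `sub` claim.
type Decision = { status: 200 | 401 | 403; reason: string };

// Treat unset, empty and whitespace-only values as "no identity".
function present(value: string | undefined | null): value is string {
  return typeof value === "string" && value.trim().length > 0;
}

// requireAdmin semantics: only a subject equal to ADMIN_PUBLIC_KEY passes.
// The unset-key check comes first: without it, `undefined === undefined`
// would grant admin to a token that carries no subject.
function adminDecision(subject: string | undefined, adminPublicKey: string | undefined): Decision {
  if (!present(adminPublicKey)) return { status: 403, reason: "admin key not configured" };
  // 401 for a missing subject is this example's choice, not taken from the PR.
  if (!present(subject)) return { status: 401, reason: "no authenticated subject" };
  return subject === adminPublicKey
    ? { status: 200, reason: "admin" }
    : { status: 403, reason: "subject is not the admin key" };
}

// GET /v1/events scoping: the queried address must be the caller's own key.
function eventsDecision(callerKey: string | undefined, queriedAddress: string | undefined): Decision {
  if (!present(callerKey)) return { status: 401, reason: "no authenticated subject" };
  if (!present(queriedAddress) || queriedAddress !== callerKey) {
    return { status: 403, reason: "address does not match caller" };
  }
  return { status: 200, reason: "own wallet" };
}

// Constructed sample keys (placeholders, not real Stellar keys).
const ADMIN = "GADMIN_PLACEHOLDER";
const ALICE = "GALICE_PLACEHOLDER";
const BOB = "GBOB_PLACEHOLDER";

// The cases listed in the commit message, plus the cross-wallet query.
function demoStatuses(): number[] {
  return [
    adminDecision(ADMIN, ADMIN).status,
    adminDecision(ALICE, ADMIN).status,
    adminDecision(undefined, undefined).status,
    eventsDecision(ALICE, BOB).status,
  ];
}
```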
Global API responses now carry a strict CSP without unsafe-inline, removing the CodeQL high-severity XSS-via-CSP alert. The Swagger UI route (/api-docs) overrides the global CSP with the permissive version it needs to render inline scripts and styles correctly. Security-header tests updated to assert the strict policy on normal responses and the permissive policy on /api-docs.
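A sketch of the split policy described in the commit message above: strict CSP everywhere, a relaxed one only under /api-docs, and HSTS gated on the environment. This is an added example, not the project's middleware; the policy strings, header values and function names are constructed for illustration.

```typescript
// Added illustration; policy strings and header values are constructed.
const STRICT_CSP = "default-src 'none'; frame-ancestors 'none'; base-uri 'none'";
const DOCS_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";

// Exact path or sub-path only, so "/api-docs-evil" never gets the relaxed policy.
function isDocsPath(path: string): boolean {
  return path === "/api-docs" || path.startsWith("/api-docs/");
}

// nodeEnv is passed in per call (read at request time) so the HSTS gate is testable.
function securityHeaders(path: string, nodeEnv: string | undefined): Record<string, string> {
  const headers: Record<string, string> = {
    "Content-Security-Policy": isDocsPath(path) ? DOCS_CSP : STRICT_CSP,
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
  };
  if (nodeEnv === "production") {
    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
  }
  return headers;
}

// Parse a policy into directive -> sources; a repeated directive is ignored
// (first occurrence wins), as browsers do.
function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// True if inline script or style is allowed, honouring the default-src fallback.
// Keyword check only: nonces, hashes and the -elem/-attr directives are not modelled.
function allowsInline(policy: string): boolean {
  const d = parseCsp(policy);
  return ["script-src", "style-src"].some((name) =>
    (d.get(name) ?? d.get("default-src") ?? []).some((s) => s.toLowerCase() === "'unsafe-inline'"),
  );
}
```

`allowsInline` is the kind of assertion a security-header test can make on every response: it should be false for ordinary API paths and true only under /api-docs.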
…imports in built app
0e1856c to
a986c11
Description
Closes #862
Problem
The `handleWithdraw` function inside `frontend/src/app/streams/[id]/page.tsx` contained an accidental, leftover JavaScript label (`Token:`) immediately before the `setWithdrawing(true)` state update. This stray label served no functional purpose and triggered linting and typecheck warnings (such as `no-unused-labels`).
Solution
Removed the stray `Token:` label. The remainder of the `handleWithdraw` functionality is completely untouched and continues to successfully handle stream withdrawals while properly toggling the `withdrawing` loading state.
Verification
`handleWithdraw` logic functions normally.
`npm run lint --workspace=frontend`) and verified that the `no-unused-label` and `no-unused-expressions` warnings are resolved and the build now passes lint checks cleanly.