fix(frontend): remove stray Token label from handleWithdraw #927

Open
Kaycee276 wants to merge 119 commits into LabsCrypt:main from Kaycee276:fix-issue-862-upstream

Conversation

@Kaycee276

Contributor

Description

Closes #862

Problem

The handleWithdraw function inside frontend/src/app/streams/[id]/page.tsx contained an accidental, leftover JavaScript label (Token:) immediately before the setWithdrawing(true) state update. This stray label served no functional purpose and triggered linting and typecheck warnings (such as no-unused-labels).

Solution

Removed the stray Token: label. The remainder of the handleWithdraw functionality is completely untouched and continues to successfully handle stream withdrawals while properly toggling the withdrawing loading state.

Verification

  • Confirmed that the handleWithdraw logic functions normally.
  • Ran the frontend workspace linters (npm run lint --workspace=frontend) and verified that the no-unused-label and no-unused-expressions warnings are resolved and the build now passes lint checks cleanly.

@ogazboiz

ogazboiz commented Jul 1, 2026

Contributor

your branch is green, but it went conflicting after the ci fixes landed on main: #969 and #974 touched backend/Dockerfile and backend/src/workers/soroban-event-worker.ts, which this pr also edits. please rebase on main and it should be good to go: git fetch origin && git rebase origin/main && git push --force-with-lease. if any of your Dockerfile or soroban-event-worker changes overlap what #969 already did (copying prisma/ into the runner, and the import type { Prisma } from '../generated/prisma' fix), drop those now-redundant bits and keep just your actual change. i'll re-review and merge once it's rebased and ci is green.

TEEZY234 and others added 29 commits July 1, 2026 11:54
The adminRoutes.ts duplicate (ADMIN_SECRET Bearer auth, awkward
/v1/admin/metrics/metrics path) was already removed in e6fa5c2.
All four @openapi annotations in admin.routes.ts still declared
`security: [{ bearerAuth: [] }]`, implying any user JWT suffices.
The router enforces requireAdmin (JWT whose subject must equal
ADMIN_PUBLIC_KEY), and swagger.ts already defines an `adminAuth`
security scheme for exactly this. Switch all four annotations to
`adminAuth` so the OpenAPI spec accurately reflects the access model.

Closes LabsCrypt#542
…add periodic cache pruning

Issue LabsCrypt#699: Unified localStorage keys for stream templates
- Changed StreamCreationWizard to use 'flowfi.stream.templates.v1'
- Both wizard and dashboard now share the same template storage
- Templates saved in either location are now accessible from both
- Added comprehensive tests for template storage unification

Issue LabsCrypt#682: Added periodic cache pruning for userSummaryCache
- Implemented setInterval to prune expired cache entries every 60s
- Prevents memory drift in idle backend instances
- Cache entries still expire after 30s TTL as before
- Added comprehensive tests for cache pruning behavior

Tests:
- frontend: 6 new tests for template storage (all passing)
- backend: 6 new tests for cache pruning (all passing)
Closes LabsCrypt#545 — cancel.ts read SOROBAN_SECRET_KEY while sorobanService.ts
(topUpStream) read KEEPER_SECRET_KEY, forcing operators to set two
differently-named vars for the same server-side signing key. Renamed
the SOROBAN_SECRET_KEY references in cancel.ts and its tests to
KEEPER_SECRET_KEY so both code paths use one canonical name.
Also added KEEPER_SECRET_KEY to .env.example with a description
covering both cancel_stream and top_up_stream.
…rable (LabsCrypt#643)

- Replace the hardcoded 60s sweep interval with a configurable interval reading process.env.MEMORY_CACHE_SWEEP_MS (defaulting to 60_000ms).
- Store the interval handle and export stopMemoryCacheSweep() to prevent leaking timers across Vitest runs.
- Call stopMemoryCacheSweep() in disconnectRedis() for symmetry.
- Document MEMORY_CACHE_SWEEP_MS in .env.example.
- Expose startMemoryCacheSweep() and stopMemoryCacheSweep() in unit tests to test configuration and cleanup.
The withdraw function contained an unreachable second if stream.paused
guard immediately after an identical first check. Since validate_stream_active
and the first paused guard already cause an early return, the second block
was dead code. Remove it to improve readability and reduce WASM size.
…irectory

Remove the stale contracts/stream_contract/src/stream_contract/ subtree.
This nested directory was never wired into the crate module tree (lib.rs
declares mod test; which resolves to src/test.rs, not this path), so the
61-line fuzz_stream_invariants stub it contained was never compiled or run.

The four arithmetic invariants it tested (withdrawn<=deposited, claimable<=
remaining, non-negative accrual, cancel_refund+withdrawn<=deposited) are
already covered by test_fuzz_withdrawn_never_exceeds_deposited,
test_fuzz_claimable_never_exceeds_remaining, test_fuzz_cancel_early_refunds,
and test_fuzz_claimable_overflow_and_cancel_invariants in src/test.rs.
These files were removed from tracking in 46a731f (chore: remove
test_snapshots from tracking, add to .gitignore) but were re-committed
in subsequent feature branches without being caught by the ignore rule.

The policy is clear: test_snapshots/ is auto-generated by the Soroban
test runner and must never be committed. No .gitignore changes needed.
razeprasine and others added 28 commits July 1, 2026 12:38
The rate_per_second is guaranteed >= 1 due to create_stream's InvalidRate
guard at line 216. Therefore, the else { now } branch in resume_stream's
new_end_time calculation is unreachable and can be removed. Replaced with
a direct calculation and added a comment documenting the invariant.

Closes LabsCrypt#800

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…tion

Add test_withdraw_rejects_double_withdraw_after_completion to verify that
attempting to withdraw a second time after a stream has been fully drained
and marked as inactive returns StreamInactive error.

This ensures transfer_and_update_stream properly sets is_active=false on
full drain, and subsequent withdraws correctly validate stream activity.

Closes LabsCrypt#796

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…ent typing

Replace all 10 instances of 'tx: any' in soroban-event-worker.ts with
proper Prisma.TransactionClient type. This enables TypeScript to catch
typos and missing model methods at compile time, improving type safety
for all database transaction callbacks in the worker.

Lines replaced:
- Line 149: ensureSystemStream method signature
- Lines 354, 402, 465, 554, 625, 691, 749, 856, 913: prisma.\$transaction callbacks

Closes LabsCrypt#633

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…thdrawn > deposited -> 0)

Fix the guard itself: checked_sub().unwrap_or_default() only catches i128
boundary overflow, not an ordinary negative result. Replace with
saturating_sub().max(0) so any withdrawn_amount > deposited_amount
correctly yields 0 without panicking.

Add test_calculate_claimable_underflow_returns_zero that forces the
condition via env.as_contract storage manipulation and asserts 0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
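
Added illustration, not code from this pull request or from the contract: the two guard expressions named in the commit message above, run side by side over constructed amounts. The function names `remaining_checked` and `remaining_saturating` are hypothetical.

```rust
// Added example; function names and sample values are assumptions.

/// The guard as the commit message describes it before the fix.
fn remaining_checked(deposited: i128, withdrawn: i128) -> i128 {
    // checked_sub returns None only when the subtraction overflows i128,
    // so an ordinary negative difference passes straight through.
    deposited.checked_sub(withdrawn).unwrap_or_default()
}

/// The guard after the fix: any negative difference is clamped to 0.
fn remaining_saturating(deposited: i128, withdrawn: i128) -> i128 {
    // saturating_sub pins boundary overflow to i128::MIN or i128::MAX
    // instead of panicking; max(0) then removes every negative result.
    deposited.saturating_sub(withdrawn).max(0)
}

fn main() {
    // Constructed sample states: (deposited_amount, withdrawn_amount).
    let cases: [(i128, i128); 4] = [
        (1_000, 400),   // healthy stream
        (1_000, 1_000), // fully drained
        (1_000, 1_500), // inconsistent state: withdrawn > deposited
        (i128::MIN, 1), // subtraction overflows the i128 range
    ];
    for (deposited, withdrawn) in cases {
        println!(
            "deposited={} withdrawn={} checked={} saturating={}",
            deposited,
            withdrawn,
            remaining_checked(deposited, withdrawn),
            remaining_saturating(deposited, withdrawn)
        );
    }
}
```

Only the third case separates the two guards: the checked form lets a negative amount through, while the saturating form returns 0.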
…their sunset date

The 2024-12-31 sunset date is 18 months in the past. Remove both
unversioned route handlers from app.ts (clients hitting them will now
get a 404 rather than a 410 with a stale date). Update
DEPRECATION_POLICY.md to record the routes as removed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Gates debug/info/warn on NODE_ENV !== 'production'; always surfaces
error. Provides a single import point so all call-sites can be replaced
consistently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… call-sites

Replaces 14 raw console.error/warn/info calls across 9 files with the
new logger helper so debug output is suppressed in production builds.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e.* in frontend

Applies to src/**/*.{ts,tsx}, excluding src/lib/logger.ts so the logger
module itself can still reference console internally.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ApiBaseUrl()

Remove five independent process.env.NEXT_PUBLIC_API_URL definitions
(some with /v1 suffix, some without) and replace each with
getApiBaseUrl() from lib/api/_shared.ts. URL paths that previously
depended on a /v1 suffix in the variable now concatenate /v1 explicitly,
so behaviour is identical regardless of whether the env var includes the
suffix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e GET /v1/events

Closes LabsCrypt#821 - Add Content-Security-Policy, Cross-Origin-Opener-Policy and
Cross-Origin-Resource-Policy headers to the hand-rolled security middleware.
Replace static isProduction var with dynamic process.env.NODE_ENV check for
HSTS so the production gate is testable. Swagger UI (/api-docs) verified to
load under the new CSP.

Closes LabsCrypt#822 - Add security-headers.test.ts asserting X-Content-Type-Options,
X-Frame-Options, Referrer-Policy, CSP, COOP, CORP and absence of x-powered-by
on every response. Assert HSTS only present when NODE_ENV=production. Assert
Swagger UI page loads with CSP header.

Closes LabsCrypt#823 - Add requireAdmin unit tests to auth.test.ts:
  - non-admin key JWT -> 403 Forbidden
  - admin key JWT -> 200 (next() called)
  - ADMIN_PUBLIC_KEY unset -> 403 (fail closed)

Closes LabsCrypt#825 - Secure GET /v1/events by adding requireAuth middleware and
enforcing that the queried address matches the authenticated user publicKey
(mirrors SSE subscription scoping). Returns 403 if caller queries another
wallet. Add comment in sse.controller.ts documenting the aligned semantics.
Update events-list integration tests with Authorization headers and add new
auth/scoping test cases.
Global API responses now carry a strict CSP without unsafe-inline, removing
the CodeQL high-severity XSS-via-CSP alert. The Swagger UI route (/api-docs)
overrides the global CSP with the permissive version it needs to render
inline scripts and styles correctly. Security-header tests updated to assert
the strict policy on normal responses and the permissive policy on /api-docs.
Kaycee276 force-pushed the fix-issue-862-upstream branch from 0e1856c to a986c11 on July 1, 2026 11:49

Development

Successfully merging this pull request may close these issues.

[Frontend] Stray Token: labeled statement left inside handleWithdraw on stream detail page