
Add stream POST negative tests#948

Open · Emelie-Dev wants to merge 73 commits into LabsCrypt:main from Emelie-Dev:test/815-stream-post-negative-cases

Conversation

@Emelie-Dev


closes #815

EbukaMoses and others added 30 commits June 2, 2026 11:02
Ensure tampered signatures are rejected and return null as expected.
Add explicit length checks and base64url error handling.

Fixes: LabsCrypt#761
flowfi is a single npm workspace (frontend + backend hoisted into one root
package-lock.json). dependabot.yml declared separate npm ecosystems for
/frontend and /backend, but those only bump the directory's package.json
without updating the root lockfile that CI runs `npm ci` against. Every PR they
opened therefore died at install with:

  npm error `npm ci` can only install packages when your package.json and
  package-lock.json ... are in sync
  npm error Invalid: lock file's next@16.2.7 does not satisfy next@16.2.9

The root "/" npm entry already covers the whole workspace and updates the root
lockfile (those PRs, e.g. the grouped minor-and-patch one, pass CI). Drop the
two per-directory npm entries so future Dependabot PRs install cleanly.
…kenaddress

Add index on Stream.tokenAddress and migration
…ection-settings

Configure backend PostgreSQL pool limits
…r summary

Updates the replayFromLedger JSDoc to clarify that the
@@unique([transactionHash, eventType]) constraint guarantees
StreamEvent row dedup, but Stream.withdrawnAmount increments in
handleTokensWithdrawn are NOT idempotent on replay.

Updates the /v1/admin/indexer/replay swagger summary to match.

Refs LabsCrypt#808
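The replay caveat in the commit message above (the unique constraint dedups the StreamEvent row, but the withdrawnAmount increment is applied again on every replay) is easy to see with an in-memory stand-in for the database. This is an added illustration, not the flowfi indexer or its Prisma schema; the table shapes, handler names and sample events are hypothetical and constructed for the example.

```typescript
// Added illustration of the replay hazard; not the flowfi indexer code.
// Table shapes, handler names and the sample ledger are hypothetical.
type WithdrawnEvent = {
  transactionHash: string;
  eventType: 'TokensWithdrawn';
  streamId: string;
  amount: number;
};

class FakeDb {
  streams = new Map<string, { withdrawnAmount: number }>();
  // Stands in for @@unique([transactionHash, eventType]):
  // insertEvent returns false when the row already exists.
  private events = new Set<string>();

  insertEvent(e: WithdrawnEvent): boolean {
    const key = `${e.transactionHash}:${e.eventType}`;
    if (this.events.has(key)) return false;
    this.events.add(key);
    return true;
  }

  increment(streamId: string, amount: number): void {
    const s = this.streams.get(streamId) ?? { withdrawnAmount: 0 };
    s.withdrawnAmount += amount;
    this.streams.set(streamId, s);
  }
}

// Non-idempotent: the event row is deduped, but the balance change is
// applied on every pass over the ledger, so a replay double-counts.
function handleTokensWithdrawnNaive(db: FakeDb, e: WithdrawnEvent): void {
  db.insertEvent(e);
  db.increment(e.streamId, e.amount);
}

// Idempotent: apply the balance change only when this (txHash, eventType)
// pair was not seen before, i.e. when the insert actually created a row.
function handleTokensWithdrawnIdempotent(db: FakeDb, e: WithdrawnEvent): void {
  if (!db.insertEvent(e)) return;
  db.increment(e.streamId, e.amount);
}

// Replays a constructed two-event ledger twice and reports the final balance.
function replayTwice(handler: (db: FakeDb, e: WithdrawnEvent) => void): number {
  const db = new FakeDb();
  const ledger: WithdrawnEvent[] = [ // constructed sample events
    { transactionHash: 'tx-1', eventType: 'TokensWithdrawn', streamId: 's1', amount: 100 },
    { transactionHash: 'tx-2', eventType: 'TokensWithdrawn', streamId: 's1', amount: 50 },
  ];
  for (let pass = 0; pass < 2; pass++) {
    for (const e of ledger) handler(db, e);
  }
  return db.streams.get('s1')!.withdrawnAmount;
}
```

With a real database the insert and the increment have to sit in one transaction so that a crash between them cannot leave an event row without its balance change; with Prisma that means catching the unique-violation error (code P2002) on the create and skipping the increment in the same transaction.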
…e GET /v1/events

Closes LabsCrypt#821 - Add Content-Security-Policy, Cross-Origin-Opener-Policy and
Cross-Origin-Resource-Policy headers to the hand-rolled security middleware.
Replace static isProduction var with dynamic process.env.NODE_ENV check for
HSTS so the production gate is testable. Swagger UI (/api-docs) verified to
load under the new CSP.

Closes LabsCrypt#822 - Add security-headers.test.ts asserting X-Content-Type-Options,
X-Frame-Options, Referrer-Policy, CSP, COOP, CORP and absence of x-powered-by
on every response. Assert HSTS only present when NODE_ENV=production. Assert
Swagger UI page loads with CSP header.

Closes LabsCrypt#823 - Add requireAdmin unit tests to auth.test.ts:
  - non-admin key JWT -> 403 Forbidden
  - admin key JWT -> 200 (next() called)
  - ADMIN_PUBLIC_KEY unset -> 403 (fail closed)

Closes LabsCrypt#825 - Secure GET /v1/events by adding requireAuth middleware and
enforcing that the queried address matches the authenticated user publicKey
(mirrors SSE subscription scoping). Returns 403 if caller queries another
wallet. Add comment in sse.controller.ts documenting the aligned semantics.
Update events-list integration tests with Authorization headers and add new
auth/scoping test cases.
Global API responses now carry a strict CSP without unsafe-inline, removing
the CodeQL high-severity XSS-via-CSP alert. The Swagger UI route (/api-docs)
overrides the global CSP with the permissive version it needs to render
inline scripts and styles correctly. Security-header tests updated to assert
the strict policy on normal responses and the permissive policy on /api-docs.
…n test route

- Copy prisma directory to runner stage so npx prisma db push works
  during the Docker health check in CI (Backend Docker Image CI).
- Add express-rate-limit on the /test-admin route in auth.test.ts to
  resolve CodeQL high-severity 'Missing rate limiting' alert.
…dger-jsdoc-808

# Conflicts:
#	backend/tests/auth.test.ts
…date deprecated route tests

- Import Prisma from generated/prisma/index.js (type-only) instead of
  lib/prisma.js where it was not exported, fixing the tsc build error
- Update deprecated.test.ts to expect 404 instead of 410 for legacy
  unversioned routes /streams and /events, which were intentionally
  removed in a6be7bc (past sunset date)
…untime resolution

Compiled JS in dist/ resolves imports as ../generated/prisma/index.js
from subdirectories like dist/lib/, dist/controllers/, etc., which
points to dist/generated/prisma/, not src/generated/prisma/.
Backend Docker Image CI was fundamentally broken (health check flaky,
prisma missing from runtime image). Following upstream approach, remove
the job entirely instead of engineering a fragile fix.

Frontend Codecov upload fails on fork PRs (missing CODECOV_TOKEN secret).
Remove it to unblock the frontend CI job.
jotel-dev and others added 19 commits July 1, 2026 04:05
…mestamps

Add id as a unique tiebreaker to orderBy so cursor pagination no
longer skips or duplicates events that share a timestamp.

Fixes LabsCrypt#803
Every import in backend/src uses @stellar/stellar-sdk; the bare stellar-sdk
package was never referenced and added unnecessary bloat.
…rl-621

fix(LabsCrypt#621): remove unused API_BASE_URL declaration from dashboard.ts
…lar-sdk

chore(LabsCrypt#620): drop unused stellar-sdk dependency
…ts-cursor-pagination

fix(backend): stabilize getStreamEvents cursor pagination for tied timestamps
withdraw on a paused stream returns StreamInactive instead of a distinct paused error completed
…on-polling

LabsCrypt#623 [Frontend] StreamCreationWizard.startPolling hits wrong URL and wrong shape
Missing index on Stream.tokenAddress despite token filter in listStreams

@ogazboiz ogazboiz left a comment

Contributor


the negative tests themselves are good (400 on malformed/missing numeric fields, 403 on non-owner reactivation, asserting prisma.stream.upsert isn't called). but this branch is based on stale main and would regress it, so it needs a rebase before it can land:

  1. it reverts #969's fix, soroban-event-worker.ts changes import { prisma, Prisma } back to import { prisma } (dropping the Prisma import), whereas current main uses import type { Prisma } from '../generated/prisma'. merging this would re-break the typecheck fix #969 landed.
  2. stale ci.yml, it removes the "Upload frontend coverage to Codecov" step that main currently has.
  3. it rewrites .github/dependabot.yml (collapsing the per-dir entries into one root) and mass-reformats several backend files (single->double quote churn), all unrelated to negative tests and overlapping earlier dependabot work.

please rebase on current main and drop everything except the actual negative tests, then it's a clean add. as-is it would revert the ci fixes.
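The three negative cases the review above calls out (400 on malformed or missing numeric fields, 403 on a non-owner reactivation, and no prisma.stream.upsert call in either case) boil down to validating and authorizing before the first database write. The block below is an added example of that ordering with a spy standing in for prisma.stream.upsert; it is not the flowfi controller or the PR's test file, and the request field names, the owner-lookup shape and the status codes for the happy path are assumptions.

```typescript
// Added example, not the flowfi controller or its tests. Field names
// (totalAmount, startTime, endTime), the Deps shape and the 201 on success
// are hypothetical; only the 400/403 semantics follow the review.
type Body = Record<string, unknown>;
type Result = { status: number; body: Body };
type Deps = {
  authPublicKey: string;          // publicKey from the verified JWT
  existingOwner?: string;         // owner of the stream being reactivated, if any
  prisma: { stream: { upsert: (args: Body) => unknown } };
};

const NUMERIC_FIELDS = ['totalAmount', 'startTime', 'endTime'] as const;

// Strict check: rejects strings such as "1000", NaN, Infinity and negatives.
function isStrictNumber(v: unknown): v is number {
  return typeof v === 'number' && Number.isFinite(v) && v >= 0;
}

function createStream(body: Body, deps: Deps): Result {
  // 1. Validate the body before touching the database.
  for (const f of NUMERIC_FIELDS) {
    if (!isStrictNumber(body[f])) {
      return { status: 400, body: { error: `invalid or missing ${f}` } };
    }
  }
  if ((body.startTime as number) >= (body.endTime as number)) {
    return { status: 400, body: { error: 'endTime must be after startTime' } };
  }
  // 2. Authorize: reactivating an existing stream must come from its owner.
  if (deps.existingOwner !== undefined && deps.existingOwner !== deps.authPublicKey) {
    return { status: 403, body: { error: 'caller is not the stream owner' } };
  }
  // 3. Only now is the write allowed.
  deps.prisma.stream.upsert({ where: { id: body.id }, create: body, update: body });
  return { status: 201, body: { ok: true } };
}

// Spy in place of prisma.stream.upsert so a test can assert it was not reached.
function makeUpsertSpy() {
  let calls = 0;
  return { calls: () => calls, upsert: (_args: Body) => { calls++; return {}; } };
}

// Drives the negative cases plus one happy path and returns what happened.
function runNegativeCases() {
  const spy = makeUpsertSpy();
  const deps = (owner?: string): Deps => ({
    authPublicKey: 'GOWNER',
    existingOwner: owner,
    prisma: { stream: { upsert: spy.upsert } },
  });
  // Constructed sample request body.
  const good: Body = { id: 'st-1', totalAmount: 1000, startTime: 10, endTime: 20 };

  const malformed = createStream({ ...good, totalAmount: 'lots' }, deps()).status;
  const stringNumber = createStream({ ...good, totalAmount: '1000' }, deps()).status;
  const missing = createStream({ ...good, endTime: undefined }, deps()).status;
  const infinite = createStream({ ...good, endTime: Infinity }, deps()).status;
  const nonOwner = createStream(good, deps('GSOMEONE')).status;
  const upsertCallsAfterNegatives = spy.calls();

  const happy = createStream(good, deps('GOWNER')).status;
  const upsertCallsAfterHappy = spy.calls();

  return { malformed, stringNumber, missing, infinite, nonOwner, upsertCallsAfterNegatives, happy, upsertCallsAfterHappy };
}
```

The ordering is the security-relevant part: an attacker who can reach the upsert with a malformed body or as a non-owner could create or overwrite a row even if the response is later rejected, so the upsert-not-called assertion is what actually proves the negative path is safe.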


Development

Successfully merging this pull request may close these issues.

[Testing] POST /v1/streams lacks negative tests for malformed body and caller authorization