Add stream POST negative tests #948
Open
Emelie-Dev wants to merge 73 commits into
…D_MS / fee / placeholder source magic
Ensure tampered signatures are rejected and return null as expected. Add explicit length checks and base64url error handling. Fixes: LabsCrypt#761
flowfi is a single npm workspace (frontend + backend hoisted into one root package-lock.json). dependabot.yml declared separate npm ecosystems for /frontend and /backend, but those only bump the directory's package.json without updating the root lockfile that CI runs `npm ci` against. Every PR they opened therefore died at install with:

npm error `npm ci` can only install packages when your package.json and package-lock.json ... are in sync
npm error Invalid: lock file's next@16.2.7 does not satisfy next@16.2.9

The root "/" npm entry already covers the whole workspace and updates the root lockfile (those PRs, e.g. the grouped minor-and-patch one, pass CI). Drop the two per-directory npm entries so future Dependabot PRs install cleanly.
…kenaddress Add index on Stream.tokenAddress and migration
…ection-settings Configure backend PostgreSQL pool limits
…nct paused error completed
…r summary Updates the replayFromLedger JSDoc to clarify that the @@unique([transactionHash, eventType]) constraint guarantees StreamEvent row dedup, but Stream.withdrawnAmount increments in handleTokensWithdrawn are NOT idempotent on replay. Updates the /v1/admin/indexer/replay swagger summary to match. Refs LabsCrypt#808
…e GET /v1/events

Closes LabsCrypt#821 - Add Content-Security-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers to the hand-rolled security middleware. Replace static isProduction var with dynamic process.env.NODE_ENV check for HSTS so the production gate is testable. Swagger UI (/api-docs) verified to load under the new CSP.

Closes LabsCrypt#822 - Add security-headers.test.ts asserting X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP, COOP, CORP and absence of x-powered-by on every response. Assert HSTS only present when NODE_ENV=production. Assert Swagger UI page loads with CSP header.

Closes LabsCrypt#823 - Add requireAdmin unit tests to auth.test.ts:
- non-admin key JWT -> 403 Forbidden
- admin key JWT -> 200 (next() called)
- ADMIN_PUBLIC_KEY unset -> 403 (fail closed)

Closes LabsCrypt#825 - Secure GET /v1/events by adding requireAuth middleware and enforcing that the queried address matches the authenticated user publicKey (mirrors SSE subscription scoping). Returns 403 if caller queries another wallet. Add comment in sse.controller.ts documenting the aligned semantics. Update events-list integration tests with Authorization headers and add new auth/scoping test cases.
Global API responses now carry a strict CSP without unsafe-inline, removing the CodeQL high-severity XSS-via-CSP alert. The Swagger UI route (/api-docs) overrides the global CSP with the permissive version it needs to render inline scripts and styles correctly. Security-header tests updated to assert the strict policy on normal responses and the permissive policy on /api-docs.
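The header policy these two commits describe, as an added illustration that is not flowfi's own middleware or test file: a framework-free function that picks the response headers from the request path and NODE_ENV, so API responses get a CSP without `unsafe-inline`, only the Swagger route under /api-docs gets the permissive policy, and HSTS is emitted only when NODE_ENV is `production`, read at request time so a test can toggle it. The exact directive values are assumptions; the project's real policy strings are not on this page.

```javascript
// Added example (not flowfi's code): decide which security headers a response
// should carry from the request path and the environment. Framework-free so it
// runs without Express; a middleware would copy the result into res.set(...).
// Directive values below are assumptions, not the project's actual policy.

const STRICT_CSP = [
  "default-src 'self'",
  "script-src 'self'",          // no 'unsafe-inline': inline <script> is blocked
  "style-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
].join('; ');

// Swagger UI renders with inline scripts and styles, so only this route
// gets the looser policy; everything else keeps STRICT_CSP.
const SWAGGER_CSP = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "object-src 'none'",
  "frame-ancestors 'none'",
].join('; ');

const SWAGGER_PREFIX = '/api-docs';

function isSwaggerPath(path) {
  // Exact match or a sub-path; "/api-docsx" must NOT match.
  return path === SWAGGER_PREFIX || path.startsWith(SWAGGER_PREFIX + '/');
}

// env is injectable so tests can assert the production gate without
// mutating the real process.env.
function securityHeadersFor(path, env = process.env) {
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'no-referrer',
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Content-Security-Policy': isSwaggerPath(path) ? SWAGGER_CSP : STRICT_CSP,
  };
  // Read NODE_ENV per request, not once at module load, so the gate is testable.
  if (env.NODE_ENV === 'production') {
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return headers;
}

// Helper a header test can use: does this CSP let inline scripts run?
function cspAllowsInlineScript(csp) {
  return /script-src[^;]*'unsafe-inline'/.test(csp);
}

// Express wiring, shown for orientation only (not executed here):
//   app.use((req, res, next) => {
//     res.removeHeader('X-Powered-By');
//     res.set(securityHeadersFor(req.path));
//     next();
//   });
```

The prefix check is deliberately `startsWith('/api-docs/')` rather than a bare `startsWith('/api-docs')`, so an unrelated route whose name happens to begin with the same characters cannot inherit the permissive policy.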
…n test route
- Copy prisma directory to runner stage so npx prisma db push works during the Docker health check in CI (Backend Docker Image CI).
- Add express-rate-limit on the /test-admin route in auth.test.ts to resolve CodeQL high-severity 'Missing rate limiting' alert.
…dger-jsdoc-808 # Conflicts: # backend/tests/auth.test.ts
…date deprecated route tests
- Import Prisma from generated/prisma/index.js (type-only) instead of lib/prisma.js where it was not exported, fixing the tsc build error
- Update deprecated.test.ts to expect 404 instead of 410 for legacy unversioned routes /streams and /events, which were intentionally removed in a6be7bc (past sunset date)
…untime resolution Compiled JS in dist/ resolves imports as ../generated/prisma/index.js from subdirectories like dist/lib/, dist/controllers/, etc., which points to dist/generated/prisma/, not src/generated/prisma/.
Backend Docker Image CI was fundamentally broken (health check flaky, prisma missing from runtime image). Following upstream approach, remove the job entirely instead of engineering a fragile fix. Frontend Codecov upload fails on fork PRs (missing CODECOV_TOKEN secret). Remove it to unblock the frontend CI job.
…mestamps Add id as a unique tiebreaker to orderBy so cursor pagination no longer skips or duplicates events that share a timestamp. Fixes LabsCrypt#803
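The pagination defect this commit fixes, worked through as an added example rather than the project's getStreamEvents code: keyset pagination over constructed events where three rows share a timestamp. A cursor carrying only the timestamp silently skips the tied rows once the page boundary falls inside the tie; a cursor carrying (timestamp, id), with id as the unique tiebreaker in the ordering, walks every row exactly once. Field names and the in-memory filter standing in for the database query are assumptions.

```javascript
// Added example (not flowfi's code): keyset pagination with and without an id
// tiebreaker. Events are constructed; the filter/sort mimic the SQL a database
// would run for ORDER BY timestamp DESC [, id DESC] with a cursor predicate.

const EVENTS = [
  { id: 'e1', timestamp: 100 },
  { id: 'e2', timestamp: 200 },   // three events share timestamp 200
  { id: 'e3', timestamp: 200 },
  { id: 'e4', timestamp: 200 },
  { id: 'e5', timestamp: 300 },
];

// Newest first; on equal timestamps, higher id first (string comparison on ids).
function sortDesc(events) {
  return [...events].sort((a, b) =>
    b.timestamp - a.timestamp || (b.id > a.id ? 1 : b.id < a.id ? -1 : 0));
}

// Buggy variant: WHERE timestamp < :cursor ORDER BY timestamp DESC LIMIT n.
// Rows that share the boundary timestamp but were not in the page are lost.
function pageByTimestamp(events, limit, cursor) {
  const rows = sortDesc(events).filter(e =>
    cursor === undefined || e.timestamp < cursor.timestamp);
  const page = rows.slice(0, limit);
  const last = page[page.length - 1];
  return { page, next: last ? { timestamp: last.timestamp } : undefined };
}

// Fixed variant: WHERE timestamp < :ts OR (timestamp = :ts AND id < :id)
// ORDER BY timestamp DESC, id DESC LIMIT n. The (timestamp, id) pair is unique,
// so the cursor pins an exact position in the ordering.
function pageByTimestampAndId(events, limit, cursor) {
  const rows = sortDesc(events).filter(e =>
    cursor === undefined ||
    e.timestamp < cursor.timestamp ||
    (e.timestamp === cursor.timestamp && e.id < cursor.id));
  const page = rows.slice(0, limit);
  const last = page[page.length - 1];
  return { page, next: last ? { timestamp: last.timestamp, id: last.id } : undefined };
}

// Follow the cursor until an empty page and collect every id returned,
// so skipped or duplicated rows show up as a difference from the full set.
function drain(pager, events, limit) {
  const ids = [];
  let cursor;
  for (;;) {
    const { page, next } = pager(events, limit, cursor);
    if (page.length === 0) break;
    ids.push(...page.map(e => e.id));
    cursor = next;
  }
  return ids;
}
```

With a page size of 2, `drain(pageByTimestamp, EVENTS, 2)` returns `['e5', 'e4', 'e1']` and loses e3 and e2, while `drain(pageByTimestampAndId, EVENTS, 2)` returns all five ids in order. In Prisma terms the fix is the same shape: order by both columns (`orderBy: [{ timestamp: 'desc' }, { id: 'desc' }]`) and make the cursor carry both values.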
…com/Emelie-Dev/flowfi into test/815-stream-post-negative-cases
Every import in backend/src uses @stellar/stellar-sdk; the bare stellar-sdk package was never referenced and added unnecessary bloat.
…rl-621 fix(LabsCrypt#621): remove unused API_BASE_URL declaration from dashboard.ts
…lar-sdk chore(LabsCrypt#620): drop unused stellar-sdk dependency
…ts-cursor-pagination fix(backend): stabilize getStreamEvents cursor pagination for tied timestamps
withdraw on a paused stream returns StreamInactive instead of a distinct paused error completed
…on-polling LabsCrypt#623 [Frontend] StreamCreationWizard.startPolling hits wrong URL and wrong shape
Missing index on Stream.tokenAddress despite token filter in listStreams
ogazboiz
requested changes
Jul 1, 2026
ogazboiz
left a comment
Contributor
the negative tests themselves are good (400 on malformed/missing numeric fields, 403 on non-owner reactivation, asserting prisma.stream.upsert isn't called). but this branch is based on stale main and would regress it, so it needs a rebase before it can land:
- it reverts #969's fix: soroban-event-worker.ts changes `import { prisma, Prisma }` back to `import { prisma }` (dropping the Prisma import), whereas current main uses `import type { Prisma } from '../generated/prisma'`. merging this would re-break the typecheck fix #969 landed.
- stale ci.yml: it removes the "Upload frontend coverage to Codecov" step that main currently has.
- it rewrites .github/dependabot.yml (collapsing the per-dir entries into one root) and mass-reformats several backend files (single->double quote churn), all unrelated to negative tests and overlapping earlier dependabot work.
please rebase on current main and drop everything except the actual negative tests, then it's a clean add. as-is it would revert the ci fixes.
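The behaviour the reviewer credits the negative tests with checking (400 on malformed or missing numeric fields, 403 on a non-owner reactivation, no `prisma.stream.upsert` call in either case), shown as an added example that is neither flowfi's controller nor its test file. The field names (`amount`, `startTime`, `endTime`, `ownerPublicKey`), the in-memory repository standing in for Prisma, and the rule that amounts may arrive as digit strings are all assumptions. It also covers inputs the review does not list but the same tests would want: NaN, floats, negatives, exponent strings and booleans.

```javascript
// Added example (not flowfi's code): validate a stream POST body before any
// persistence happens. Field names and the repo shape are assumptions.

function parseNonNegativeInt(value) {
  // Accept a safe non-negative integer number, or a pure digit string
  // (token amounts can exceed 2^53, so strings are the safe wire format).
  // Everything else -> null: undefined, null, booleans, arrays, objects,
  // NaN, Infinity, 1.5, -1, "12abc", " 5", "1e3", "".
  if (typeof value === 'number') {
    return Number.isSafeInteger(value) && value >= 0 ? BigInt(value) : null;
  }
  if (typeof value === 'string' && /^[0-9]+$/.test(value)) {
    return BigInt(value);
  }
  return null;
}

const NUMERIC_FIELDS = ['amount', 'startTime', 'endTime'];

// Returns { status, errors, data? }. `existing` is the stored stream row
// when the POST targets an id that already exists (a reactivation).
function validateStreamPost(body, callerPublicKey, existing) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const parsed = {};
  for (const field of NUMERIC_FIELDS) {
    const n = parseNonNegativeInt(body[field]);
    if (n === null) errors.push(`${field} must be a non-negative integer`);
    else parsed[field] = n;
  }
  if (errors.length === 0 && parsed.endTime <= parsed.startTime) {
    errors.push('endTime must be after startTime');
  }
  if (errors.length) return { status: 400, errors };

  // Reactivation is owner-only: same check shape as the requireAuth scoping
  // on GET /v1/events (caller key must equal the resource's key).
  if (existing && existing.ownerPublicKey !== callerPublicKey) {
    return { status: 403, errors: ['only the stream owner may reactivate it'] };
  }
  return { status: existing ? 200 : 201, errors: [], data: parsed };
}

// Handler skeleton: the upsert is only reachable after validation succeeds,
// which is exactly what a "upsert not called" assertion pins down.
function handleStreamPost(body, callerPublicKey, repo) {
  const existing = repo.findById(body && body.id);
  const result = validateStreamPost(body, callerPublicKey, existing);
  if (result.status < 400) repo.upsert(body.id, result.data);
  return result.status;
}

// Constructed in-memory stand-in for prisma.stream so the flow runs offline
// and a test can count upsert calls.
function makeRepo(rows = {}) {
  let upserts = 0;
  return {
    findById: id => rows[id],
    upsert: (id, data) => { upserts++; rows[id] = { ...rows[id], ...data }; },
    get upserts() { return upserts; },
  };
}
```

The important ordering is that the 400 checks run before the ownership check and both run before the repository is touched: a malformed body from a non-owner still gets 400, and neither path can reach `upsert`.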
…com/Emelie-Dev/flowfi into test/815-stream-post-negative-cases
closes #815