Skip to content

Feat/stellar wallet tests secure export#655

Open
fridaypetra55-afk wants to merge 2 commits into
ANYTECHS:mainfrom
fridaypetra55-afk:feat/stellar-wallet-tests-secure-export
Open

Feat/stellar wallet tests secure export#655
fridaypetra55-afk wants to merge 2 commits into
ANYTECHS:mainfrom
fridaypetra55-afk:feat/stellar-wallet-tests-secure-export

Conversation

@fridaypetra55-afk

Copy link
Copy Markdown
Contributor

Closes #435
Closes #496

Summary

This PR improves the security and reliability of the Stellar wallet experience by adding comprehensive test coverage for StellarWalletProvider and strengthening the secret key export flow with explicit user confirmation, session re-verification, clipboard-only handling, and audit logging.

Changes

StellarWalletProvider Test Coverage (#435)

  • Added a comprehensive test suite for StellarWalletProvider (13 tests).
  • Covered wallet creation on first application load.
  • Verified wallet restoration from secure storage.
  • Tested failed decryption and corrupted storage scenarios.
  • Validated behavior when stored wallet data is incomplete or missing required fields.
  • Ensured public-key-only exports behave correctly.
  • Tested concurrent importStellarKey operations.
  • Fully mocked secureStorage to isolate provider behavior.

Secure Secret Key Export (#496)

  • Replaced window.confirm() with a dedicated confirmation modal requiring users to type "I understand" before exporting.
  • Added session re-verification through POST /api/auth/verify-session prior to allowing secret key export.
  • Ensured the secret key is never rendered in the DOM and is available only through a clipboard-copy action (handleCopyExportKey).
  • Automatically clears and hides the export state after 15 seconds using exportHideTimerRef.
  • Added a Sentry.addBreadcrumb audit event when a verified export occurs without logging or exposing the secret key.

Testing

Verified locally with a new test suite covering:

  • ✅ Wallet creation on first load.
  • ✅ Wallet restoration from secure storage.
  • ✅ Failed decryption handling.
  • ✅ Corrupted and incomplete wallet data.
  • ✅ Public-key-only export behavior.
  • ✅ Concurrent importStellarKey requests.
  • ✅ Secure storage interactions using mocked dependencies.

All 13 tests passed successfully.

Checklist

  • Branch is based on the latest main
  • Commit messages follow Conventional Commits
  • Tests were run locally
  • Documentation updated if needed
  • CHANGELOG updated or release notes covered

- Cap /api/upload at MAX_FILES_PER_REQUEST=10; return 400 if exceeded
- Validate /api/jobs/[id] id format (alphanumeric/UUID, max 64 chars); return 400 on invalid
- Add server-side in-memory token bucket rate limiter (applyRateLimit)
- Return X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After on 429
- Add integration tests covering all acceptance criteria (16 tests)

Closes ANYTECHS#499
ANYTECHS#435 — StellarWalletProvider integration tests:
- Wallet creation on first load (no stored data)
- Restoration from encrypted secureStorage
- Failed decryption / corrupted data / missing address handling
- Export returns public key only; secret never written to storage
- Concurrent mount / importStellarKey edge cases
- secureStorage fully mocked to isolate provider logic

ANYTECHS#496 — Secure secret key export in Settings:
- Replace window.confirm() with modal requiring typed 'I understand'
- Re-authentication step: user must enter password via /api/auth/verify-session
- Secret key never rendered as selectable text — clipboard-copy only flow
- Auto-hides after 15 seconds via exportHideTimerRef
- Sentry breadcrumb emitted (without key value) on export trigger

Closes ANYTECHS#435
Closes ANYTECHS#496
@drips-wave

drips-wave Bot commented Jun 28, 2026

Copy link
Copy Markdown

@fridaypetra55-afk Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Secret Key Export Must Require Re-Authentication Write unit tests for StellarWalletProvider wallet creation and restoration

1 participant