Feat/stellar wallet tests secure export#655
Open
fridaypetra55-afk wants to merge 2 commits into
Open
Conversation
- Cap /api/upload at MAX_FILES_PER_REQUEST=10; return 400 if exceeded - Validate /api/jobs/[id] id format (alphanumeric/UUID, max 64 chars); return 400 on invalid - Add server-side in-memory token bucket rate limiter (applyRateLimit) - Return X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After on 429 - Add integration tests covering all acceptance criteria (16 tests) Closes ANYTECHS#499
ANYTECHS#435 — StellarWalletProvider integration tests: - Wallet creation on first load (no stored data) - Restoration from encrypted secureStorage - Failed decryption / corrupted data / missing address handling - Export returns public key only; secret never written to storage - Concurrent mount / importStellarKey edge cases - secureStorage fully mocked to isolate provider logic ANYTECHS#496 — Secure secret key export in Settings: - Replace window.confirm() with modal requiring typed 'I understand' - Re-authentication step: user must enter password via /api/auth/verify-session - Secret key never rendered as selectable text — clipboard-copy only flow - Auto-hides after 15 seconds via exportHideTimerRef - Sentry breadcrumb emitted (without key value) on export trigger Closes ANYTECHS#435 Closes ANYTECHS#496
|
@fridaypetra55-afk Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #435
Closes #496
Summary
This PR improves the security and reliability of the Stellar wallet experience by adding comprehensive test coverage for
StellarWalletProviderand strengthening the secret key export flow with explicit user confirmation, session re-verification, clipboard-only handling, and audit logging.Changes
StellarWalletProvider Test Coverage (#435)
StellarWalletProvider(13tests).importStellarKeyoperations.secureStorageto isolate provider behavior.Secure Secret Key Export (#496)
window.confirm()with a dedicated confirmation modal requiring users to type "I understand" before exporting.POST /api/auth/verify-sessionprior to allowing secret key export.handleCopyExportKey).exportHideTimerRef.Sentry.addBreadcrumbaudit event when a verified export occurs without logging or exposing the secret key.Testing
Verified locally with a new test suite covering:
importStellarKeyrequests.All 13 tests passed successfully.
Checklist
main