Skip to content

Feat/remove mock credentials gate prod#656

Open
fridaypetra55-afk wants to merge 3 commits into
ANYTECHS:mainfrom
fridaypetra55-afk:feat/remove-mock-credentials-gate-prod
Open

Feat/remove mock credentials gate prod#656
fridaypetra55-afk wants to merge 3 commits into
ANYTECHS:mainfrom
fridaypetra55-afk:feat/remove-mock-credentials-gate-prod

Conversation

@fridaypetra55-afk

Copy link
Copy Markdown
Contributor

Closes #495

Summary

This PR removes hardcoded mock credentials from the application, prevents the mock API from being used in production, replaces mock recovery flows with real API requests, and adds a CI safeguard to prevent test credentials from being committed to production source code.

Changes

  • Removed the hardcoded test@example.com / Password123 user from app/lib/mockApi.ts.
  • Added a production safeguard that throws when mockApi is imported with NODE_ENV === "production".
  • Removed random failure simulation from mintCollection and postClips to provide deterministic mock behavior during development.
  • Removed the hardcoded recovery mnemonic check ("abandon ability able...") from the recovery page.
  • Removed the test@example.com special-case branch from the social recovery flow.
  • Replaced MockApi recovery calls with real fetch("/api/recovery/...") requests.
  • Added a CI workflow step that scans non-test TypeScript source files for the Password123 literal and fails the build if found.

Testing

Verified the following acceptance criteria:

  • mockApi.ts no longer contains hardcoded test credentials.
  • ✅ Importing mockApi in production is prevented by a runtime guard.
  • ✅ Recovery flow no longer relies on hardcoded mnemonic or email shortcuts.
  • ✅ Recovery operations use the real /api/recovery/* API endpoints.
  • ✅ Mock API methods no longer simulate random failures.
  • ✅ CI fails if Password123 appears in non-test .ts or .tsx source files.
  • ✅ Existing test credentials remain permitted only within test directories.

Checklist

  • Branch is based on the latest main
  • Commit messages follow Conventional Commits
  • Tests were run locally
  • CI validation updated
  • Documentation updated if needed
  • CHANGELOG updated or release notes covered

- Cap /api/upload at MAX_FILES_PER_REQUEST=10; return 400 if exceeded
- Validate /api/jobs/[id] id format (alphanumeric/UUID, max 64 chars); return 400 on invalid
- Add server-side in-memory token bucket rate limiter (applyRateLimit)
- Return X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After on 429
- Add integration tests covering all acceptance criteria (16 tests)

Closes ANYTECHS#499
ANYTECHS#435 — StellarWalletProvider integration tests:
- Wallet creation on first load (no stored data)
- Restoration from encrypted secureStorage
- Failed decryption / corrupted data / missing address handling
- Export returns public key only; secret never written to storage
- Concurrent mount / importStellarKey edge cases
- secureStorage fully mocked to isolate provider logic

ANYTECHS#496 — Secure secret key export in Settings:
- Replace window.confirm() with modal requiring typed 'I understand'
- Re-authentication step: user must enter password via /api/auth/verify-session
- Secret key never rendered as selectable text — clipboard-copy only flow
- Auto-hides after 15 seconds via exportHideTimerRef
- Sentry breadcrumb emitted (without key value) on export trigger

Closes ANYTECHS#435
Closes ANYTECHS#496
- Remove hardcoded test user (test@example.com / Password123) from mockApi users array
- Add NODE_ENV production guard to mockApi — throws at import time in prod
- Remove test-mnemonic detection ('abandon ability able...') from recovery page
- Remove test@example.com special-case branch from social recovery completion
- Remove MockApi imports from recovery page; use real /api/recovery/* fetch calls
- Remove random failure simulation from mintCollection and postClips
- Add CI lint step: fails if Password123 literal appears in non-test source files

Closes ANYTECHS#495
@drips-wave

drips-wave Bot commented Jun 28, 2026

Copy link
Copy Markdown

@fridaypetra55-afk Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Remove Hardcoded Test Credentials from mockApi.ts

1 participant