Feat/remove mock credentials gate prod#656
Open
fridaypetra55-afk wants to merge 3 commits into
Open
Conversation
- Cap /api/upload at MAX_FILES_PER_REQUEST=10; return 400 if exceeded - Validate /api/jobs/[id] id format (alphanumeric/UUID, max 64 chars); return 400 on invalid - Add server-side in-memory token bucket rate limiter (applyRateLimit) - Return X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After on 429 - Add integration tests covering all acceptance criteria (16 tests) Closes ANYTECHS#499
ANYTECHS#435 — StellarWalletProvider integration tests: - Wallet creation on first load (no stored data) - Restoration from encrypted secureStorage - Failed decryption / corrupted data / missing address handling - Export returns public key only; secret never written to storage - Concurrent mount / importStellarKey edge cases - secureStorage fully mocked to isolate provider logic ANYTECHS#496 — Secure secret key export in Settings: - Replace window.confirm() with modal requiring typed 'I understand' - Re-authentication step: user must enter password via /api/auth/verify-session - Secret key never rendered as selectable text — clipboard-copy only flow - Auto-hides after 15 seconds via exportHideTimerRef - Sentry breadcrumb emitted (without key value) on export trigger Closes ANYTECHS#435 Closes ANYTECHS#496
- Remove hardcoded test user (test@example.com / Password123) from mockApi users array
- Add NODE_ENV production guard to mockApi — throws at import time in prod
- Remove test-mnemonic detection ('abandon ability able...') from recovery page
- Remove test@example.com special-case branch from social recovery completion
- Remove MockApi imports from recovery page; use real /api/recovery/* fetch calls
- Remove random failure simulation from mintCollection and postClips
- Add CI lint step: fails if Password123 literal appears in non-test source files
Closes ANYTECHS#495
|
@fridaypetra55-afk Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #495
Summary
This PR removes hardcoded mock credentials from the application, prevents the mock API from being used in production, replaces mock recovery flows with real API requests, and adds a CI safeguard to prevent test credentials from being committed to production source code.
Changes
test@example.com/Password123user fromapp/lib/mockApi.ts.mockApiis imported withNODE_ENV === "production".mintCollectionandpostClipsto provide deterministic mock behavior during development."abandon ability able...") from the recovery page.test@example.comspecial-case branch from the social recovery flow.MockApirecovery calls with realfetch("/api/recovery/...")requests.Password123literal and fails the build if found.Testing
Verified the following acceptance criteria:
mockApi.tsno longer contains hardcoded test credentials.mockApiin production is prevented by a runtime guard./api/recovery/*API endpoints.Password123appears in non-test.tsor.tsxsource files.Checklist
main