Skip to content

Quick wins: auth error msg, pay_to validation, scorer rate-limit, dev CORS port, setup.sh warn#13

Open
madjin wants to merge 2 commits into
mainfrom
quick-wins/app-validation
Open

Quick wins: auth error msg, pay_to validation, scorer rate-limit, dev CORS port, setup.sh warn#13
madjin wants to merge 2 commits into
mainfrom
quick-wins/app-validation

Conversation

@madjin

@madjin madjin commented May 7, 2026

Copy link
Copy Markdown
Member

Refs #11

Five small audit-derived cleanups scoped strictly to app.py and setup.sh. All behavior-preserving; no protocol changes.

What this PR does

  • Generic auth error message (verify_wallet_auth) — no longer leaks str(e) from signature/key decode failures back to the caller; logs auth.wallet_verify: failed exc=%s server-side without pubkey/signature payload. (parent: Production-default hardening + minimal CI #5)
  • pay_to_address Solana Pubkey validation — new validate_solana_address() helper using solders.pubkey.Pubkey.from_string; applied at (a) the dashboard POST /api/config/pay-to-address settings update and (b) the auto-populate-on-first-sign-in path inside verify_wallet_auth. Both reject with 400 Invalid Solana address. (parent: Production-default hardening + minimal CI #5)
  • Privacy-scorer rate limit + TTL cache@limiter.limit("5/minute") tightened to 2/minute on POST /api/wallet-privacy-score; added in-memory OrderedDict-based per-wallet cache with 1-hour TTL and a 1000-entry bound. Cache hits skip the Helius call. (parent: P2: Privacy logging audit + input validation hygiene #9)
  • Dev CORS allowlist port fix — replaced stale localhost:8080 / localhost:3000 / 127.0.0.1:8080 entries with the actual app port (localhost:8765, 127.0.0.1:8765). (parent: Production-default hardening + minimal CI #5)
  • setup.sh ENVIRONMENT warning banner — at the end of setup, reads ENVIRONMENT from the generated .env (or falls back to the live env var) and, if not production, prints a multi-line banner explaining which dev-mode security checks are still permissive, how to flip to production, and a pointer to CLAUDE.md. (parent: P2: Privacy logging audit + input validation hygiene #9)

What this PR explicitly does NOT do

These remain scoped to their parent issues:

Acceptance criteria (Worktree-1)

  • verify_wallet_auth no longer interpolates str(e) into the HTTP 401 detail; server-side warning logs the exception without wallet/signature material.
  • validate_solana_address helper added and used at every pay_to_address mutation site (dashboard settings + first-sign-in auto-populate).
  • /api/wallet-privacy-score rate-limit lowered to 2/minute and now serves from a 1-hour TTL in-memory cache before hitting Helius.
  • Dev CORS allowlist points at :8765 (the actual app port) instead of stale :8080 / :3000.
  • setup.sh prints a clearly-formatted warning banner when ENVIRONMENT is not production, with remediation steps and a doc pointer.

Test plan

  • git diff --stat shows changes in app.py and setup.sh only.
  • uv run python -c "import ast; ast.parse(open('app.py').read())" passes.
  • bash -n setup.sh passes.
  • uv run python app.py init completes cleanly.
  • uv run python app.py server boots; GET /health returns 200.
  • Spot-checked validate_solana_address returns True for "11111111111111111111111111111111" and False for "hello-not-a-pubkey-but-44-chars-long-padding-x", empty string, and "abc".
  • End-to-end POST of an invalid pay_to_address against the live /api/config/pay-to-address endpoint — skipped, requires a signed-in session (wallet flow). Endpoint returned 401 without auth as expected; reaching the validation branch needs a SIWS sign-in not easily scripted from this worktree.

Generated with Claude Code

… CORS port, setup.sh warn

Cleanup of small audit-derived fixes scoped to app.py and setup.sh.
Five behavior-preserving changes; no protocol or breaking-change work.

Refs: #11

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Self-review pass surfaced micro-cleanups across the five sub-changes:

- validate_solana_address: drop the what-docstring (the function name and
  signature already say it).
- verify_wallet_auth auto-populate: drop the 4-line rationale comment
  block. The why belongs in the commit message and PR body.
- update_pay_to_address: drop the now-redundant length check (Pubkey
  decode handles it) and the stale "(basic Solana address validation)"
  comment.
- Privacy cache: drop the 2-line "what this is" comment block and the
  "Cache hit?" comment. Move the OrderedDict import to the top-of-file
  imports and drop the _ScoreOrderedDict alias. Replace the while-loop in
  _privacy_cache_set with an if (each call adds at most one entry, so the
  loop iterated at most once anyway).
- CORS dev allowlist: drop the "(app default port is 8765 per CLAUDE.md)"
  parenthetical — citing the project's own instructions inside source is
  awkward; the change itself stands on its own.
- setup.sh: drop the "Detect ENVIRONMENT setting" what-comment.

No behavior change. Smoke verified: /health 200.

Refs: #11

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant