Dev to Main #914
Merged
test(e2e): add mail login and logout E2E tests

* test(e2e): add signature-based login E2E tests

  Add comprehensive E2E tests for wallet signature authentication flow:
  - Test Address 1 (0xd3AD44...): home, account, buy, sell, tx, settings pages
  - Test Address 2 (0xB18f08...): home and account pages
  - Invalid signature handling test

  Test addresses derived from ADMIN_SEED at HD indices 10 and 11.

  Tests verify:
  - URL parameter authentication (address + signature)
  - Page navigation after successful login
  - Content loading for all main app sections
  - Case-insensitive content detection for German/English UI

* fix: remove sensitive seed from comments and clean up code
  - Remove ADMIN_SEED mnemonic from code comment
  - Remove unused shortenAddress helper function
  - Remove console.log debug statements
  - Make all content checks case-insensitive for consistency
  - Improve invalid signature test to verify app doesn't crash

* fix: add security hardening for workflows and redirects
  - Add explicit permissions (contents: read) to pr.yml, dev.yml, prd.yml following least-privilege principle for GitHub Actions

* refactor: move test credentials to env vars and add session switch bug test
  - Move TEST_ADDRESS_1/2, TEST_SIGNATURE_1/2, DEV_BASE_URL to .env
  - Update .env.sample with new test configuration vars
  - Add dev-account-screenshots.spec.ts for dev environment testing
  - Add debug-session-switch.spec.ts documenting session switch bug

  BUG FOUND: Session does not switch when navigating with new address/signature params. The sessionParamApplied ref blocks subsequent logins. See: src/contexts/wallet.context.tsx:206-210

* fix: remove hardcoded email addresses from E2E tests

  Replace all hardcoded email addresses with process.env.TEST_EMAIL:
  - e2e/mail-only-test.spec.ts
  - e2e/mail-login-manual.spec.ts
  - e2e/mail-send-new.spec.ts
  - e2e/mail-buy-email-button.spec.ts
  - e2e/synpress/sepolia-full-metamask.spec.ts

  Tests now require TEST_EMAIL environment variable to be set.

* chore: remove obsolete .env.test.manual from gitignore

  Only .env should be used for all configuration.

* fix: allow session switch when logging in with different address

  The previous implementation used a simple boolean flag (sessionParamApplied) that blocked ALL subsequent logins after the first one. This prevented users from switching accounts via URL parameters. Now we store the last applied credentials and only skip if the SAME credentials are used again. New address/signature combinations will correctly create a new session.

* fix: reset credentials on logout to allow re-login

  Without this, users couldn't re-login with the same link after logout because lastAppliedCredentials still contained the previous values.

* fix: clear storage on URL login to enable session switching

  When navigating to URL with address+signature or session parameter, clear localStorage and sessionStorage before React initializes. This ensures the @dfx.swiss/react package doesn't load a stale session from storage, allowing proper session switching between different accounts.

  Also update app-handling.context.tsx to detect new URL session parameters during SPA navigation.

* refactor: improve session switch fix
  - Use targeted localStorage key removal instead of clear()
  - Preserve user preferences (language, infoBanner)
  - Remove ineffective SPA navigation handling from app-handling.context
  - Keep only the minimal fix needed in index.tsx

* refactor: remove redundant comments in wallet.context

* fix: prevent race condition in handleParamSession

  Set lastAppliedCredentials BEFORE async createSession() call to prevent duplicate API calls in React StrictMode (double-render). Reset credentials on error to allow retry.

* fix: remove unused variables in debug-session-switch test

- Update bug-session-2-account2.png
- Update signature-login-1-buy.png
- Update signature-login-2-account.png
- Remove unused dev-account screenshots

#907) The TypeScript check was using the default tsconfig.json which includes src/__tests__/ files that require Jest types. Using tsconfig.build.json which properly excludes test files.

Add E2E test that verifies:
- User can access /account when logged in
- Logout button in navigation menu works
- After logout, /account redirects to login page
- Session is properly cleared

Test generates 4 screenshots documenting the complete flow.

Use strict domain matching instead of substring check to prevent potential spoofing attacks with malicious domains like 'getalby.com.evil.com' or 'fakegetalby.com'.
- Parse redirect URL with URL constructor to catch malformed URLs
- Only allow HTTPS protocol to block javascript:/data:/http: URLs
- Addresses CodeQL client-side-unvalidated-url-redirection warning
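The redirect check described in the commit message above, written out as an added example (not the project's own code): the target is parsed with the URL constructor, only https: is accepted, and the hostname must equal an allow-listed host exactly rather than merely contain it. ALLOWED_REDIRECT_HOSTS, isAllowedRedirect, substringCheck, safeRedirectTarget and the sample inputs are assumptions; only the host 'getalby.com' and the two spoof hosts come from the commit message.

```javascript
// Added example, not the project's code. Names and the allow-list are
// assumptions; 'getalby.com' is the host named in the commit message.
const ALLOWED_REDIRECT_HOSTS = ['getalby.com'];

// The pattern the commit replaces: a substring test on the raw string.
// It accepts 'getalby.com.evil.com' and 'fakegetalby.com' alike.
function substringCheck(rawUrl) {
  return rawUrl.includes('getalby.com');
}

// Hardened check: parse first, then compare protocol and hostname strictly.
function isAllowedRedirect(rawUrl, allowedHosts = ALLOWED_REDIRECT_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // throws on malformed or relative input
  } catch {
    return false;
  }
  // Only https: passes; javascript:, data: and http: are rejected here.
  if (url.protocol !== 'https:') return false;
  // WHATWG URL already lowercases the hostname; compare the whole label
  // sequence, so neither a suffix nor a prefix spoof can match.
  return allowedHosts.includes(url.hostname);
}

// Resolve a redirect target, or fall back to an in-app route (assumed '/').
function safeRedirectTarget(rawUrl, fallback = '/') {
  return isAllowedRedirect(rawUrl) ? new URL(rawUrl).href : fallback;
}

// Constructed sample inputs, including the spoof hosts from the commit message.
const SAMPLES = [
  'https://getalby.com/callback?x=1',
  'https://getalby.com.evil.com/callback',
  'https://fakegetalby.com/callback',
  'http://getalby.com/callback',
  'javascript:void(0)',
  'data:text/html,hi',
  '//getalby.com/callback',
];

// Side-by-side verdicts of the weak and the strict check for each sample.
function report() {
  return SAMPLES.map((s) => ({
    url: s,
    substring: substringCheck(s),
    strict: isAllowedRedirect(s),
  }));
}
```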
* fix: allow IBAN override when MultiAccountIban error occurs

  When a customer's original IBAN is a Multi-Account IBAN (Wise, Revolut, etc.), the refund fails with "MultiAccountIban not allowed". Previously, the customer was stuck because the IBAN dropdown was hidden when refundTarget was pre-filled.

  Changes:
  - Add showIbanOverride state to track when override is needed
  - Add localError state to show error without replacing the form
  - Detect "MultiAccountIban" error and set showIbanOverride=true
  - Show IBAN dropdown and name input when override is active
  - Update validation rules to require IBAN/name when override is active
  - Show user-friendly error message inline in the form

  Flow after fix:
  1. Customer opens refund page
  2. Pre-filled Multi-Account IBAN is used (dropdown hidden)
  3. Submit fails with "MultiAccountIban not allowed"
  4. Error shown inline, IBAN dropdown appears
  5. Customer selects different IBAN
  6. Refund succeeds

* fix: small refactoring

---------

Co-authored-by: David May <david.leo.may@gmail.com>
davidleomay approved these changes on Jan 13, 2026.