tx-history model assertion

[ronaldsg20]

No description provided.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/nock	13.5.6	🟢 4.7	Details Check Score Reason Code-Review 🟢 6 Found 12/18 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 7 8 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 7 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 17 existing vulnerabilities detected

Scanned Files

• package-lock.json

[Copilot]

Pull request overview

This PR adds comprehensive validation and schema assertions to the transaction history API models and controllers. It extends support for additional tokens and networks, adds new optional fields for liquidity provider tracking, implements strict input validation patterns, and includes extensive acceptance tests to verify the validation behavior.

Changes:

• Extended TOKENS enum to include ETH, USDT, USDC, DAI, WBTC, BNB, and Fiat
• Extended NETWORKS enum to include Ethereum, BNB Smart Chain, and Lightning Network
• Added liquidityProviderName and liquidityProviderId optional fields to TxHistory model with validation
• Added comprehensive input validation patterns to controller endpoints (address, page, txHash)
• Added txHash validation pattern to RegisterPayload model
• Added 533 lines of acceptance tests covering positive and negative validation scenarios
• Modified test script to run both unit and acceptance tests together
• Downgraded nock package from v14 to v13
• Fixed import ordering in fireblocks acceptance test
• Updated input sanitization test to verify SQL injection prevention in txHash field

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
src/models/tx-history.model.ts	Added new tokens/networks to enums, added liquidityProviderName and liquidityProviderId fields with validation
src/models/register-payload.model.ts	Added regex validation pattern for txHash field to prevent injection attacks
src/controllers/tx-history.controller.ts	Added parameter validation schemas for address, page, and txHash with regex patterns and error responses
src/tests/acceptance/tx-history.acceptance.ts	New comprehensive acceptance test suite with 533 lines testing all validation scenarios
src/tests/acceptance/input-sanitization.acceptance.ts	Updated SQL injection test to expect rejection (422) instead of acceptance, removed skipped hex data test
src/tests/acceptance/fireblocks.controller.acceptance.ts	Reordered imports to follow consistent pattern
package.json	Modified test script to run both unit and acceptance tests; downgraded nock from v14 to v13
package-lock.json	Updated dependency tree reflecting nock downgrade and removed related dependencies

[Copilot]

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 8 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.

[Copilot]

The value 'teks-staging' added to SOURCES uses lowercase with a hyphen, which is inconsistent with all other values in the array that use uppercase letters (e.g., 'FLYOVER', 'SWAP', 'POWPEG', 'UNION', 'LIFI', 'SYMBIOSIS'). This inconsistency could cause confusion for API consumers and violates the established naming convention for this enum. Consider renaming it to 'TEKS_STAGING' or 'TEKS-STAGING' to match the existing pattern.

Suggested change

	export const SOURCES = ['FLYOVER', 'SWAP', 'POWPEG', 'UNION', 'LIFI', 'SYMBIOSIS', 'teks-staging'] as const;
	export const SOURCES = ['FLYOVER', 'SWAP', 'POWPEG', 'UNION', 'LIFI', 'SYMBIOSIS', 'TEKS-STAGING'] as const;

[Copilot]

There are two blank lines (96-97) in the middle of the method implementation. This appears to be unintentional and reduces code readability. Remove the extra blank line to maintain consistent code formatting.

Suggested change

[Copilot]

The method verifyTransactionExistsOnBlockchain returns true for networks other than 'bitcoin' and 'rootstock', but the NETWORKS constant now includes 'Ethereum', 'BNB Smart Chain', and 'Lightning Network'. This means transactions from these networks will be accepted without any blockchain verification. This creates a security risk where invalid transaction hashes could be stored for these networks. Either implement verification for the newly-added networks or explicitly return false for unsupported networks to prevent storing unverified transactions.

Suggested change

	}
	} else {
	this.logger.warn(
	`[verifyTransactionExists] Unsupported network for verification: ${txHistory.fromNetworkName}`,
	);
	return false;
	}

[Copilot]

The pattern ^[a-fA-F0-9]{64}$|^0x[a-fA-F0-9]{64}$ will always match with the first alternative ^[a-fA-F0-9]{64}$ for strings without the '0x' prefix because the regex alternation is evaluated left-to-right. However, due to the anchor ^ at the start of the second alternative, a string like '0x1234...' will fail the first alternative and then be tested by the second. The pattern works correctly but could be more efficiently written as ^(0x)?[a-fA-F0-9]{64}$. Consider refactoring for clarity and consistency with the pattern used in tx-history.model.ts line 29: ^(0x[a-fA-F0-9]{64}|[a-fA-F0-9]{64})$

[Copilot]

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 10 comments.

[Copilot]

Using null as unknown as TxHistory to return a falsy value is an anti-pattern. The method should have a clearer return type. Consider changing the method signature to return Promise<boolean> and return true when the transaction exists and false when it doesn't, instead of using null casts. This would make the code more readable and type-safe.

[Copilot]

The acceptance test stubs TxHistoryService.storeTransaction but does not stub BitcoinService.getTx or RskNodeService.getTransaction. Since the storeTransaction endpoint now calls verifyTransactionExistsOnBlockchain (which calls these services) before storing, the acceptance tests will likely fail or make real network calls. You should stub these services in the acceptance tests to prevent network calls and ensure tests are isolated.

[Copilot]

The method verifyTransactionExistsOnBlockchain returns TxHistory (or null cast as TxHistory), but it's being used as a boolean in line 57 with if (!transactionExists). When the method returns null (cast as TxHistory), this will be falsy and work as expected. However, when it returns a TxHistory object, the truthiness check will pass. The return type should be changed to Promise<boolean> or Promise<TxHistory | null>, and the usage should be updated accordingly. Additionally, the method mutates the input txHistory parameter (lines 93-94, 97-98) and returns it, which is confusing since the caller doesn't use the returned value except for the truthiness check.

[Copilot]

Using null as unknown as TxHistory to return a falsy value is an anti-pattern. The method should have a clearer return type. Consider changing the method signature to return Promise<boolean> and return true when the transaction exists and false when it doesn't, instead of using null casts. This would make the code more readable and type-safe.

[Copilot]

The log message references '[verifyTransactionExists]' but the method name is 'verifyTransactionExistsOnBlockchain'. Update the log message to use the correct method name for consistency and easier debugging.

Suggested change

	`[verifyTransactionExists] Transaction not found for ${txHistory.fromNetworkName}: ${txHistory.txHash} ${errorMessage}`,
	`[verifyTransactionExistsOnBlockchain] Transaction not found for ${txHistory.fromNetworkName}: ${txHistory.txHash} ${errorMessage}`,

[Copilot]

The value 'teks-staging' in SOURCES uses kebab-case while all other values use SCREAMING_SNAKE_CASE. This is inconsistent with the established naming pattern. Consider renaming to 'TEKS_STAGING' to maintain consistency.

Suggested change

	export const SOURCES = ['FLYOVER', 'SWAP', 'POWPEG', 'UNION', 'LIFI', 'SYMBIOSIS', 'teks-staging'] as const;
	export const SOURCES = ['FLYOVER', 'SWAP', 'POWPEG', 'UNION', 'LIFI', 'SYMBIOSIS', 'TEKS_STAGING'] as const;

[Copilot]

The code attempts to access btcTransaction.amount and btcTransaction.address properties (lines 93-94), but the BitcoinTx model does not define these properties. The BitcoinTx model only has properties like txid, vin, vout, valueOut, valueIn, etc. This will result in undefined values being assigned to txHistory.fromAmount and txHistory.userAddress, causing the verification to fail silently. You need to extract the amount and address from the available properties (e.g., from vout for amount and vin for address) or update the BitcoinService.getTx to return the required properties.

Suggested change

	txHistory.fromAmount = btcTransaction.amount.toString();
	txHistory.userAddress = btcTransaction.address;
	const amount =
	(btcTransaction as any).valueOut ??
	((btcTransaction as any).vout
	? (btcTransaction as any).vout.reduce(
	(sum: number, output: any) => sum + (output?.value ?? 0),
	0,
	)
	: undefined);
	txHistory.fromAmount = amount != null ? amount.toString() : '';
	const inputAddress =
	(btcTransaction as any).vin?.[0]?.addr ??
	(btcTransaction as any).vin?.[0]?.addresses?.[0] ??
	(btcTransaction as any).vout?.[0]?.scriptPubKey?.addresses?.[0] ??
	'';
	txHistory.userAddress = inputAddress;

[Copilot]

The eslint-disable directive for no-param-reassign is applied to the entire file, but parameter reassignment only occurs in the verifyTransactionExistsOnBlockchain method (lines 93-94, 97-98). Consider moving this directive to only disable the rule for the specific method or lines where it's needed, rather than the entire file.

[Copilot]

The address validation pattern is duplicated in three places: in the parameters array (lines 113-123), in the @param decorator (lines 171-177), and in the GET endpoint parameters. The txHash pattern is also duplicated (lines 208-218 and 238-242). Consider extracting these patterns to constants to improve maintainability and reduce duplication.

[Copilot]

The test script has been changed to run both unit and acceptance tests together instead of just unit tests. This changes the behavior of npm test to run a more comprehensive test suite. Ensure this change is intentional and that CI/CD pipelines are updated accordingly, as the test execution time will likely increase significantly.

Suggested change

	"test": "npm run pretest && lb-nyc mocha --recursive 'dist/__tests__/**/*.unit.js' 'dist/__tests__/**/*.acceptance.js' --timeout 30000 --reporter spec",
	"test": "npm run unit-test",

In general, to fix an unused variable where the expression’s side effect is required, you should keep the expression but remove the variable binding. Here, we still want to stub TxHistoryService.prototype.getTransactionByHash so that the real implementation is not called, but we do not need to store the stub instance in getTransactionByHashStub.

Concretely, in src/__tests__/acceptance/tx-history.acceptance.ts, within the "should store a valid transaction and return 200" test, replace the line that declares and assigns getTransactionByHashStub with a plain sinon.stub(...) call that is not assigned to any variable. No imports or other lines need to change, and we do not need to touch storeTransactionStub or any other code.

[sonarqubecloud]

Quality Gate passed

Issues
31 New issues
0 Accepted issues

Measures
0 Security Hotspots
90.2% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.