audit: API integration audit — endpoint tests, mock data map, broken integrations #165
Merged
@TheDEV111 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Summary
Closes #164
- https://nexafx-backend.onrender.com/v1 via HTTP probes (static code audit + live curl)
- API_AUDIT.md at the project root with a complete findings table and ordered remediation steps
Key Findings
Backend bugs discovered during live testing
- GET /currencies → 500 Internal Server Error regardless of auth (breaks withdrawal currency dropdown and convert form for all users)
- GET /exchange-rates → 500 Internal Server Error regardless of auth (breaks MarketOverview rate cards and convert form rate display)
- POST /auth/refresh with empty body → 500 instead of 400 (minor robustness gap)
Broken integrations confirmed
- GET /wallets/balances → 404 (wrong path — correct path is /users/wallet/balances, confirmed live)
- POST /transactions/convert → 404 (wrong route name — correct backend route is /transactions/swap)
- GET /push-notifications → 404 (wrong path — correct path is /admin/push-notifications)
- AccountOverview shows hardcoded fake balances to every authenticated user (getBalances() API exists but is not called)
- user.name is always undefined after login (backend returns firstName/lastName, frontend expects name)
- 80 USD in every transaction table row regardless of actual transaction data
Mock data inventory (not fixed in this PR — audit only)
- analytics, users, transactions, push-notifications) use lib/admin-mock-data.ts
- MOCK_RATES and MOCK_BALANCES constants; submit button is permanently disabled={true}
- app/lib/api/transactions.ts, lib/mock-notifications.ts, lib/mock-data.ts) are not imported anywhere and can be deleted
Security note
app/api/proxy/[...path]/route.ts falls back to TEST_ACCESS_TOKEN env var when no client token is present — if set in staging/production, unauthenticated users would receive data belonging to the dev token owner. Documented in the audit.
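The fallback described in the security note, shown next to a stricter variant and a deploy-time check, as an added example that is not code from this PR or from the project. It assumes the client token arrives as an Authorization: Bearer header and that NODE_ENV separates development from deployed environments; all function names are hypothetical.

```typescript
// Added example. Only TEST_ACCESS_TOKEN comes from the PR; every function name,
// the Authorization header and the NODE_ENV gate are assumptions.
type Env = Record<string, string | undefined>;
type Resolution =
  | { ok: true; token: string; source: "client" | "dev-fallback" }
  | { ok: false; status: 401; reason: string };

// Extract the token from "Bearer <token>"; anything else counts as absent.
function parseBearer(header: string | null): string | undefined {
  const m = /^Bearer\s+(\S+)$/i.exec((header ?? "").trim());
  return m ? m[1] : undefined;
}

// Behaviour the security note describes: with no client token, the request is
// forwarded with the shared TEST_ACCESS_TOKEN in every environment.
function resolveTokenWithFallback(header: string | null, env: Env): string | undefined {
  return parseBearer(header) ?? env["TEST_ACCESS_TOKEN"];
}

// Stricter variant: the fallback is honoured only in local development;
// everywhere else a missing client token ends in 401 before any upstream call.
function resolveTokenStrict(header: string | null, env: Env): Resolution {
  const clientToken = parseBearer(header);
  if (clientToken) return { ok: true, token: clientToken, source: "client" };
  const devToken = env["TEST_ACCESS_TOKEN"];
  if (env["NODE_ENV"] === "development" && devToken) {
    return { ok: true, token: devToken, source: "dev-fallback" };
  }
  return { ok: false, status: 401, reason: "no client token" };
}

// Deploy-time check: report the variable if it is set outside development,
// so a staging or production build fails loudly instead of serving dev data.
function findTestTokenMisconfig(env: Env): string[] {
  const problems: string[] = [];
  if (env["TEST_ACCESS_TOKEN"] && env["NODE_ENV"] !== "development") {
    problems.push(`TEST_ACCESS_TOKEN is set while NODE_ENV=${env["NODE_ENV"] ?? "unset"}`);
  }
  return problems;
}
```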