fix: type errors and security hardening #57

Merged
AquiGorka merged 7 commits into main from
fix/moonlight-pay-review-fixes
Mar 24, 2026

@AquiGorka
Contributor

Summary

  • Add missing Buffer import in dashboard-auth (10 type errors)
  • Rename composite key methods in bundle-transaction repository (4 type errors)
  • Fix column name in session repository (1 type error)
  • Tighten ownership checks with explicit session type handling in escrow summary and KYC GET
  • Return generic 401 for suspended accounts in custodial login (prevents confirming password correctness)
  • Type-check description field in report handler before calling slice

Test plan

  • deno check src/main.ts — 0 errors (was 15)
  • 136 pay module tests passing
  • E2E passed (54.1s)
  • Lifecycle passed (211.1s)

dashboard-auth.ts uses Buffer for signature decoding and nonce
handling but was missing the import, causing 10 type errors.

findById and delete override base class signatures with incompatible
composite key parameters. Rename to findByCompositeId and
deleteByCompositeId to avoid the override conflict. No callers used
the old names.

session.userId does not exist on the entity — the column is
session.accountId. Fixes 1 type error.

Ownership checks in escrow summary and KYC GET now explicitly match
sep10/undefined session types and reject unknown types, instead of
relying on an implicit else branch that would silently accept any
future token type.

Suspended accounts now return 401 "Invalid credentials" instead of
403 "Account suspended" to avoid confirming the password is correct.
The suspension is logged at warn level for operational visibility.

Validate description is a string before calling slice. Use the
truncate helper consistently for all logged fields.

@AquiGorka AquiGorka force-pushed the fix/moonlight-pay-review-fixes branch from fcf93d0 to f0fa7b2 Compare March 24, 2026 20:06
@AquiGorka AquiGorka merged commit 262d50a into main Mar 24, 2026
4 checks passed
@AquiGorka AquiGorka deleted the fix/moonlight-pay-review-fixes branch March 24, 2026 20:52
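
An added example, not code from this pull request or the project: the fail-closed ownership check described above for escrow summary and KYC GET, next to the implicit-else form it replaces. The session and escrow field names and the "custodial" and "dashboard" type values are assumptions; only the sep10 and undefined cases come from the PR text.

```typescript
// Constructed types: field names and the "custodial" and "dashboard" type
// values are assumptions for illustration, not the project's definitions.
interface Session {
  type?: string; // undefined = token without a type field, handled like sep10
  subject: string; // Stellar address (sep10) or account id (custodial)
}
interface Escrow {
  ownerAddress: string;
  ownerAccountId: string;
}
type Decision = { allowed: boolean; reason: string };

// Pattern the PR moves away from: whatever is not "custodial" falls into
// the else branch and is compared as if it were a sep10 token.
function checkOwnerImplicit(s: Session, e: Escrow): Decision {
  if (s.type === "custodial") {
    return { allowed: s.subject === e.ownerAccountId, reason: "custodial" };
  } else {
    return { allowed: s.subject === e.ownerAddress, reason: "implicit else" };
  }
}

// Fail-closed form: each accepted type is named, and unknown types are
// rejected before any ownership comparison runs.
function checkOwnerExplicit(s: Session, e: Escrow): Decision {
  switch (s.type) {
    case "custodial":
      return { allowed: s.subject === e.ownerAccountId, reason: "custodial" };
    case "sep10":
    case undefined:
      return { allowed: s.subject === e.ownerAddress, reason: "sep10" };
    default:
      return { allowed: false, reason: "unsupported session type" };
  }
}

// Constructed sample data.
const escrow: Escrow = { ownerAddress: "GEXAMPLEOWNER", ownerAccountId: "acct-1" };
const sessions: Session[] = [
  { type: "sep10", subject: "GEXAMPLEOWNER" },
  { subject: "GEXAMPLEOWNER" },
  { type: "custodial", subject: "acct-1" },
  { type: "dashboard", subject: "GEXAMPLEOWNER" }, // hypothetical future type
];
const results = sessions.map((s) => ({
  implicit: checkOwnerImplicit(s, escrow).allowed,
  explicit: checkOwnerExplicit(s, escrow).allowed,
}));
```

The two functions agree on the first three sessions and differ only on the last, where the explicit form refuses a type it was never written to handle.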