security: remove insecure wallet endpoints #653
Merged
Remove three wallet endpoints that expose dangerous server-side key operations:
- POST /wallet/create (generates private keys server-side)
- POST /wallet/send (moves funds via the API)
- POST /wallet/show-private-key (returns decrypted private keys)

Wallets must now be imported via POST /wallet/add with an externally generated key. The safe routes (GET /wallet, /add, /add-hardware, /remove, /set-default) are unchanged.

Also drop their request/response schemas, util functions (createWallet, showPrivateKey, sendTransaction and the Solana/Ethereum send helpers) and now-unused imports.

Test cleanup:
- Delete wallet-new-routes.test.ts (only covered the removed routes)
- Delete meteora-sdk-integration.test.ts (only suite hitting live RPC; tested third-party SDK shape, not Gateway code, and timed out)
- Remove dead it.skip error-handling tests in the uniswap/pancakeswap universal-router quote-swap suites

Full suite: 102 suites / 947 tests passing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
pancakeswap-sol.test.ts hit real mainnet RPC (getClmmPoolInfo / getPositionInfo against live pool and position addresses) with no mocks, and never closed the Solana connection — causing 30s timeouts and the "worker process failed to exit gracefully" leak warning. Same class of unmocked live-network test as the meteora SDK suite removed earlier. The mocked pancakeswap-sol clmm-routes tests are unaffected.

Full suite: 101 suites / 943 tests passing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
rapcmia (Contributor) approved these changes on Jun 22, 2026 and left a comment:
LGTM
- Confirm POST /wallet/create, /wallet/send, and /wallet/show-private-key now return 404 ✅
  - No longer lists /wallet/create, /wallet/send, or /wallet/show-private-key.
  - The remaining wallet routes still shown in docs are /wallet/, /wallet/add, /wallet/add-hardware, /wallet/remove, and /wallet/setDefault.
  - All removed routes returned 404 Not Found with route-not-found messages.
  - The generated docs do not include /wallet/create, /wallet/send, or /wallet/show-private-key.
- Verify the safe wallet routes still work: GET /wallet, POST /wallet/add, DELETE /wallet/remove, and POST /wallet/setDefault ✅
  - GET /wallet responded successfully before and after the wallet flow.
  - POST /wallet/add added the provided Solana wallet and returned the correct wallet address.
  - POST /wallet/setDefault succeeded for the added Solana wallet.
  - DELETE /wallet/remove succeeded and the final GET /wallet showed the wallet list empty again.
Summary
Removes three wallet endpoints that expose dangerous server-side key operations, and cleans up tests that no longer serve a purpose.
Removed endpoints (insecure)
- POST /wallet/create — generated private keys server-side
- POST /wallet/send — moved funds via the API
- POST /wallet/show-private-key — returned decrypted private keys

Wallets must now be imported via POST /wallet/add with an externally generated key. The safe routes (GET /wallet, /add, /add-hardware, /remove, /set-default) are unchanged.

Also dropped the associated request/response schemas, util functions (createWallet, showPrivateKey, sendTransaction plus the Solana/Ethereum send helpers), and now-unused imports.

Test cleanup
- wallet-new-routes.test.ts (only covered the removed routes)
- meteora-sdk-integration.test.ts — the only suite hitting live mainnet RPC; it tested the third-party Meteora SDK's API shape, not Gateway code, and was timing out
- it.skip error-handling tests in the uniswap/pancakeswap universal-router quote-swap suites (their comments noted they could never run with the mock setup)

Clients that called /wallet/create, /wallet/send, or /wallet/show-private-key will now receive 404s.

Testing
Full suite green: 102 suites / 947 tests passing (was 1 failing suite / 4 failing + 2 skipped before).
🤖 Generated with Claude Code
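
A regression guard for the check the reviewer did by hand (removed routes absent from the generated docs), as an added example that is not part of this PR or of Gateway's code. It assumes the generated docs are available as an OpenAPI-style paths object; findReintroducedRoutes, normalizePath and both sample documents are hypothetical names and constructed data.

```typescript
// Added example (not Gateway code): fail CI if a removed wallet route reappears.
type PathItem = Record<string, unknown>;
type OpenApiPaths = Record<string, PathItem>;

// Paths removed by this PR, taken from the PR description.
const REMOVED_PATHS: string[] = ['/wallet/create', '/wallet/send', '/wallet/show-private-key'];

// Only these path-item keys are operations; others ("parameters", "summary") are ignored.
const HTTP_METHODS: string[] = ['get', 'put', 'post', 'delete', 'patch', 'options', 'head'];

// Canonical form so "/Wallet//Create/" cannot slip past a plain string compare.
function normalizePath(path: string): string {
  const collapsed = path.toLowerCase().replace(/\/{2,}/g, '/').replace(/\/+$/, '');
  return collapsed === '' ? '/' : collapsed;
}

// Returns "METHOD path" for every operation on a removed path, under any HTTP
// method and any route prefix (assumption: a prefixed copy is also a regression).
function findReintroducedRoutes(paths: OpenApiPaths, removed: string[] = REMOVED_PATHS): string[] {
  const banned = removed.map(normalizePath);
  const hits: string[] = [];
  for (const rawPath of Object.keys(paths)) {
    const path = normalizePath(rawPath);
    // Suffix match covers both the exact path and a prefixed one such as /v2/...
    if (!banned.some((b) => path.slice(-b.length) === b)) continue;
    const item: PathItem = paths[rawPath] || {};
    for (const key of Object.keys(item)) {
      if (HTTP_METHODS.indexOf(key.toLowerCase()) !== -1) hits.push(`${key.toUpperCase()} ${rawPath}`);
    }
  }
  return hits.sort();
}

// Constructed sample documents (not taken from the project's generated docs).
const docsAfterPr: OpenApiPaths = {
  '/wallet/': { get: {} },
  '/wallet/add': { post: {} },
  '/wallet/add-hardware': { post: {} },
  '/wallet/remove': { delete: {} },
};
const docsRegressed: OpenApiPaths = {
  ...docsAfterPr,
  '/Wallet/Create/': { post: {}, parameters: [] },
  '/v2/wallet/show-private-key': { get: {} },
};

console.log(findReintroducedRoutes(docsAfterPr));
console.log(findReintroducedRoutes(docsRegressed));
```

A non-empty result is the failure condition; the guard flags a removed path under any method, since re-adding key export as a GET would be the same exposure.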