fix: division-by-zero guard, rate-limit wallet endpoints, safer JSON parse, Lighter HTTP checks

- Guard GridCount-1 division by zero in grid spacing calculation (both grid.go and grid_levels.go)
- Rate-limit /wallet/validate and /wallet/generate endpoints (prevent DoS on key generation)
- Wrap JSON.parse(localStorage) in try-catch in AuthContext (corrupted data → graceful re-login)
- Wrap handleJSONResponse JSON.parse in try-catch with descriptive error
- Add HTTP status code checks for Lighter GetActiveOrders and sendTx
- Replace deprecated strings.Title with cases.Title (golang.org/x/text)
- Reuse HTTP client in checkClaw402Health (was creating new client per call)
This commit is contained in:
shinchan-zhai
2026-03-23 16:47:23 +08:00
parent 3f1dd71f2b
commit 76a7b88ba8
9 changed files with 64 additions and 17 deletions

View File

@@ -115,9 +115,10 @@ func (s *Server) handleWalletGenerate(c *gin.Context) {
})
}
var walletHTTPClient = &http.Client{Timeout: 5 * time.Second}
func checkClaw402Health() string {
client := &http.Client{Timeout: 5 * time.Second}
resp, err := client.Get("https://claw402.ai/health")
resp, err := walletHTTPClient.Get("https://claw402.ai/health")
if err != nil {
return "unreachable"
}

View File

@@ -144,8 +144,10 @@ func (s *Server) setupRoutes() {
s.route(api, "GET", "/config", "Get system configuration", s.handleGetSystemConfig)
// Wallet validation (no authentication required — used by frontend config form)
api.POST("/wallet/validate", s.handleWalletValidate)
api.POST("/wallet/generate", s.handleWalletGenerate)
// Rate-limited to prevent DoS (key generation is computationally expensive)
walletLimited := api.Group("/", LoginRateLimitMiddleware(s.loginLimiter))
walletLimited.POST("/wallet/validate", s.handleWalletValidate)
walletLimited.POST("/wallet/generate", s.handleWalletGenerate)
// Crypto public key & config (needed by frontend before login for transport encryption)
api.GET("/crypto/config", s.cryptoHandler.HandleGetCryptoConfig)