Address multiple vulnerabilities found during security review:
- Remove unauthenticated POST /api/crypto/decrypt decryption oracle (route,
handler, dead frontend helper) + regression test. Transport encryption is
one-directional; the server never needs to decrypt arbitrary client payloads.
- Redact secrets in config-update logs: handler_ai_model/handler_exchange logged
%+v of decrypted requests, leaking API keys / secret keys / passphrases /
private keys. Use named types shared with the log sanitizer so the masking
can never drift again; extend masking to passphrase + lighter_api_key_private_key.
- crypto: require a valid timestamp in DecryptPayload (a missing ts previously
skipped replay protection entirely).
- crypto: EncryptedString.Value() now fails closed instead of silently
persisting plaintext secrets when encryption errors.
- auth: per-IP token-bucket rate limiting on /login and /register against online
brute-force; raise registration password minimum 6 -> 8; add dummy bcrypt
compare on unknown-email login to close the user-enumeration timing channel.
- IDOR: getTraderFromQuery no longer falls back to the global in-memory trader
map; trader access is strictly scoped to the authenticated caller.
- Bump Go 1.25.10 -> 1.25.11 to resolve reachable net/textproto and crypto/x509
stdlib advisories (govulncheck now reports 0 affecting vulnerabilities).
Unauthenticated POST /api/reset-password and /api/reset-account were a
remotely exploitable auth-bypass on public-facing deployments. The confirm
phrase was embedded in the frontend and echoed back by the API, so it was
friction, not authentication: anyone who knew the account email could reset
the password, log in, and obtain a valid JWT.
Recovery now runs as local CLI commands that operate directly on the database
without starting the HTTP server:
nofx reset-password --email you@example.com
nofx reset-account
These require shell/file access to the host, which a remote attacker does not
have, so recovery stays safe even when NOFX is exposed to the public internet.
- cli.go: new reset-password / reset-account subcommands (hidden password
input on a TTY, --password/stdin for scripting, min 8 chars)
- main.go: dispatch subcommands before the server starts (backward compatible
with the legacy `nofx <dbpath>` arg)
- api: remove public /reset-password and /reset-account routes, their handlers,
and the public confirm-phrase constants
- web: replace the self-service reset form with CLI instructions; drop the
AuthContext resetPassword call and the LoginPage reset-account call (en/zh/id)
- telegram: refresh the bot allowlist comment
- config: require JWT_SECRET >=32 bytes and reject the historical
default fallback; MustInit aborts startup under an insecure config
- api: CORS now uses CORS_ALLOWED_ORIGINS allowlist with safe
localhost defaults instead of returning Access-Control-Allow-Origin: *
- api: /api/reset-password and /api/reset-account stay public so
recovery still works, but require an explicit confirm phrase in the
body to block accidental and drive-by triggers
- api: drop adoptOrphanRecords so wiping the account no longer hands
the next registrant the previous owner's wallet keys and exchange
API credentials
- api: getTraderFromQuery now does a soft ownership check; equity-history
is restricted to traders with show_in_competition=true and
GetOrderFills joins on trader_id
- telegram: bot api_request tool uses a default-deny method+path
allowlist so prompt injection cannot reach password, exchange key,
AI provider or wallet endpoints
- ci: drop @master / @main on trivy-action and trufflehog; pin to
released versions with a TODO to move to SHA + Dependabot
- web: reset flows send the required confirm phrase; "Forgot account"
copy (en/zh/id) warns that wallet and exchange keys will be lost
- docker-compose: keep ./.env mount for onboarding wallet persistence
with an inline note on the tradeoff, drop the host-exposed pprof port
Remove the old generic risk-profile defaults from the user strategy bootstrap path and replace them with concrete Hyperliquid USDC equity presets that can be selected directly when creating an AI trader.
Add three ready-to-run strategy presets: a volume-ranked US stock trend preset, a fixed mega-cap preset covering AAPL-USDC/MSFT-USDC/GOOGL-USDC/AMZN-USDC/META-USDC, and a gainers-ranked US stock breakout preset.
Normalize the presets to use Hyperliquid-native stock discovery instead of AI500/OI crypto-style sources, with conservative defaults for max positions, leverage, margin usage, confidence, risk-reward, and multi-timeframe indicators.
Make default strategy synchronization idempotent for existing users: remove obsolete unused legacy preset rows, backfill the new US stock presets, and avoid overriding an already active custom strategy.
Update the trader creation modal preview labels so Hyperliquid stock ranking and fixed US stock sources are described clearly when users select a strategy.
Add API tests covering the new preset set, legacy preset cleanup, idempotent sync behavior, and preservation of an existing active custom strategy.
Verified with: go test ./api ./store; npm run build; docker compose up -d --build nofx nofx-frontend; backend /api/health; frontend HTTP 200; compose health checks.
Add account reset functionality for users who forgot their login credentials.
The reset clears authentication data while preserving wallet private keys and
exchange configs, which are automatically adopted by the new account on
re-registration to prevent fund loss.
- Add POST /api/reset-account endpoint
- Add "Forgot account?" button on login page (zh/en/id)
- Orphan ai_models and exchanges are re-assigned to new user on register
- Onboarding reuses existing claw402 wallet instead of generating new one
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pass `lang` from register request body to createDefaultStrategies
- Support zh/en/id locales for strategy names and descriptions
- Wrap strategy creation in a transaction to prevent partial writes
- Frontend sends current UI language in register request body
- Strategy list UI: 2-line clamp, unselected border, larger spacing, smaller font for non-zh
