Revert "fix: Enforce authenticated user ID in savings controller"

[Junman140]

Reverts #58

Summary by CodeRabbit

• Style

  • Standardized code formatting and string literal conventions across multiple services and controllers.

• Refactor

  • Optimized internal code structures and simplified expressions in authentication, financial transaction processing, and blockchain contract interaction layers for improved maintainability and readability.

• Chores

  • Removed ESLint configuration to streamline development tooling.

[coderabbitai]

📝 Walkthrough

Walkthrough

ESLint configuration removed entirely. String literals converted from double to single quotes across multiple controllers and services. Function signatures reformatted from multi-line to single-line. Auth extraction in savingsController changed from req.apiKey?.userId to req.body.user and req.query.user. Database import changed from prisma to db in usdcConvertAndMintJob.ts.

Changes

Cohort / File(s)	Summary
ESLint Configuration .eslintrc.json	Removed entire ESLint config file including TypeScript parser, extended rulesets, custom rules, and environment settings.
String Literal Quoting & Formatting src/controllers/investmentController.ts, src/jobs/usdcConvertAndMintJob.ts, src/services/auth/authService.ts, src/services/stellar/contractClient.ts	Converted double-quoted strings to single quotes across imports, validation schemas, error/response messages, and logging calls. Collapsed multi-line function signatures and inlined object constructions without semantic changes.
Authentication & Validation Logic src/controllers/savingsController.ts	Changed user authentication extraction from req.apiKey?.userId to req.body.user (deposits/withdrawals) and req.query.user (positions query). Updated validation error responses from 401 to 400 with new error messages. Reformatted string literals to single quotes and adjusted JSON assignment formatting.
Database Import & Configuration src/jobs/usdcConvertAndMintJob.ts	Changed database import from prisma to db (import { db } from '../config/database'), but function logic continues to reference (prisma as any), creating an import-usage mismatch.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• fix: Enforce authenticated user ID in savings controller #58 — Modifies src/controllers/savingsController.ts user-auth extraction and conflicts on .eslintrc.json removal with opposing changes.

Poem

🐰 Single quotes hop about with glee,
Linting rules now wild and free,
Auth flows shift from key to hand,
A formatting sprinkle across the land—
But one little import forgot to play,
Let's catch that mismatch today! 🍀

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title states it reverts a previous security fix for authenticated user ID enforcement in the savings controller, but the actual changes include widespread formatting modifications (quote style, function signatures) across multiple unrelated files beyond just reverting that specific fix.	The title should accurately reflect all significant changes in the PR. Either revert only the specific security fix and remove unrelated formatting changes, or update the title to describe the broader refactoring (e.g., 'Refactor: Switch to single quotes and format function signatures').
Docstring Coverage	⚠️ Warning	Docstring coverage is 52.63% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch revert-58-fix/issue-27-savings-idor

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Junman140]

cl failed @Uchechukwu-Ekezie

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/controllers/savingsController.ts`:
- Around line 18-26: The handlers in savingsController.ts are trusting
req.body.user / req.query.user and passing it to acbuSavingsVaultService.deposit
(and similar calls) which allows one caller to act as another; instead, resolve
the caller's Stellar address from the authenticated principal (AuthRequest) or
verify the supplied address belongs to that principal before calling
acbuSavingsVaultService methods (e.g., acbuSavingsVaultService.deposit), and
throw an AppError(403) if the address does not match or cannot be resolved;
update all savings-related handlers in this file to use the principal-derived
address (or ownership check) instead of blindly forwarding the request-supplied
user.

In `@src/jobs/usdcConvertAndMintJob.ts`:
- Line 8: The import at the top of this file uses the wrong named export;
replace the current import of "db" from '../config/database' with the named
export "prisma" so the module matches the exported identifier used throughout
(references to prisma at lines where functions like the usdc conversion/mint
logic call prisma). Ensure the import reads the named export prisma so all
subsequent uses of prisma in this file resolve correctly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 56ef5959-ede7-4025-aff4-cb304a0494f5

📥 Commits

Reviewing files that changed from the base of the PR and between 5f1f4d1 and 1b77a77.

📒 Files selected for processing (6)

• .eslintrc.json
• src/controllers/investmentController.ts
• src/controllers/savingsController.ts
• src/jobs/usdcConvertAndMintJob.ts
• src/services/auth/authService.ts
• src/services/stellar/contractClient.ts

💤 Files with no reviewable changes (1)

• .eslintrc.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Don't trust user from the request on savings endpoints.

These handlers now take req.body.user / req.query.user and forward it straight into acbuSavingsVaultService. The savings routes only enforce API key + scope, and the contract service passes user directly to the contract, so any authenticated caller can target another Stellar address by swapping that field. Resolve the caller's Stellar address from the authenticated principal, or verify the supplied address belongs to that principal before invoking the contract.

Also applies to: 55-63, 79-89

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/controllers/savingsController.ts` around lines 18 - 26, The handlers in
savingsController.ts are trusting req.body.user / req.query.user and passing it
to acbuSavingsVaultService.deposit (and similar calls) which allows one caller
to act as another; instead, resolve the caller's Stellar address from the
authenticated principal (AuthRequest) or verify the supplied address belongs to
that principal before calling acbuSavingsVaultService methods (e.g.,
acbuSavingsVaultService.deposit), and throw an AppError(403) if the address does
not match or cannot be resolved; update all savings-related handlers in this
file to use the principal-derived address (or ownership check) instead of
blindly forwarding the request-supplied user.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check the import statement at line 8 of the job file
sed -n '1,15p' src/jobs/usdcConvertAndMintJob.ts

Repository: Pi-Defi-world/acbu-backend

Length of output: 638

---

🏁 Script executed:

# Next, check what src/config/database.ts exports
cat src/config/database.ts

Repository: Pi-Defi-world/acbu-backend

Length of output: 1159

---

🏁 Script executed:

# Check the references to prisma in the job file
grep -n "prisma" src/jobs/usdcConvertAndMintJob.ts

Repository: Pi-Defi-world/acbu-backend

Length of output: 278

---

Fix import to match the exported identifier.

src/config/database.ts exports prisma as a named export, not db. The current import will fail to type-check, and all references in this file (lines 51, 64, 76, 92) use prisma, not db.

🐛 Fix

-import { db } from '../config/database';
+import { prisma } from '../config/database';

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	import { db } from '../config/database';
	import { prisma } from '../config/database';

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/jobs/usdcConvertAndMintJob.ts` at line 8, The import at the top of this
file uses the wrong named export; replace the current import of "db" from
'../config/database' with the named export "prisma" so the module matches the
exported identifier used throughout (references to prisma at lines where
functions like the usdc conversion/mint logic call prisma). Ensure the import
reads the named export prisma so all subsequent uses of prisma in this file
resolve correctly.