Skip to content

Add GraphQL API #306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 19 commits into
base: main
Choose a base branch
from
Draft

Add GraphQL API #306

wants to merge 19 commits into from
+19,780 −4,028

Conversation

aditya1702
Copy link
Contributor

What

[TODO: Short statement about what is changing.]

Why

[TODO: Why this change is being made. Include any context required to understand the why.]

Known limitations

[TODO or N/A]

Issue that this PR addresses

[TODO: Attach the link to the GitHub issue or task. Include the priority of the task here in addition to the link.]

Checklist

PR Structure

  • It is not possible to break this PR down into smaller PRs.
  • This PR does not mix refactoring changes with feature changes.
  • This PR's title starts with name of package that is most changed in the PR, or all if the changes are broad or impact many packages.

Thoroughness

  • This PR adds tests for the new functionality or fixes.
  • All updated queries have been tested (refer to this check if the data set returned by the updated query is expected to be same as the original one).

Release

  • This is not a breaking change.
  • This is ready to be tested in development.
  • The new functionality is gated with a feature flag if this is not ready for production.

aditya1702 and others added 19 commits July 21, 2025 10:27
@aditya1702
Add GraphQL API for wallet indexer (#239)
3b9f42b
@akcays
Move /accounts/ REST APIs to GraphQL (#253)
c462e85 
* Add registerAccount and deregisterAccount mutations

* Remove the REST endpoints for registerAccount and deregisterAccount

* Add tests for registerAccount and deregisterAccount mutations

* RegisterAccount mutation should return error on conflict

* Adjust existing tests to support the new behavior

* Complete REST to GraphQL migration for /accounts/ endpoints

* Remove ON CONFLICT DO NOTHING from account insertion to detect duplicates
* Add custom errors: ErrAccountAlreadyExists and ErrAccountNotFound
* Update Insert method to detect duplicate account errors
  using PostgreSQL error codes
* Update Delete method to check RowsAffected() and return
  ErrAccountNotFound for non-existent accounts
* Add tests for duplicate registration and non-existent account
  deregistration
* Implement GraphQL error codes:
  - ACCOUNT_ALREADY_EXISTS for duplicate registrations
  - ACCOUNT_NOT_FOUND for deregistering non-existent accounts
  - ACCOUNT_REGISTRATION_FAILED for registration failures
  - ACCOUNT_DEREGISTRATION_FAILED for deregistration failures
* Update resolver tests to expect GraphQL errors

REST Cleanup:
* Remove RegisterAccount and DeregisterAccount methods
* Remove related REST handler tests for the removed routes

* Update assertions to use assert.ErrorContains

* Add address validation

* Remove deadcode

* Add success to registerAccountPayload for consistency

* Rename isValidStellarAddress method to isValidAddress

* Update assertion

* Update the method to return wrapped error

* Fix goimports errors
@aditya1702
Merge remote-tracking branch 'upstream/main' into graphql-main
86b808a
@aditya1702
Build dynamic sql query based on columns requested in GraphQL (#261)
4f38d87
@aditya1702
Merge remote-tracking branch 'origin/main' into graphql-main
16e9873
@aditya1702
Update resolvers to use state change's toID and order (#274)
daa299e
@akcays
Move /transactions/build/ from REST to GraphQL (#260)
61f019c 
* Move /transactions/build endpoint from REST to GraphQL

* Fix shadowing error

* Add tests for soroban smart contract simulation

* Fix imports check

* Fix test error

* Fix build transaction integration tests

* Fix test

* Fix lint check

* Remove transactions http handler

* Update type names to transaction

* Update tests

* Add custom errors to handle different tx validation failures

Transaction Validation:
 * ErrInvalidTimeout - Timeout exceeds maximum allowed
 * ErrInvalidOperationChannelAccount - Operation uses channel account as source
 * ErrInvalidOperationMissingSource - Non-Soroban operation missing source account

Soroban-Specific Validation:
 * ErrInvalidSorobanOperationCount - Must have exactly one operation
 * ErrInvalidSorobanSimulationEmpty - Missing simulation response
 * ErrInvalidSorobanSimulationFailed - Simulation failed with error
 * ErrInvalidSorobanOperationType - Unsupported operation type

* Remove deadcode

* Fix goimports check

* Fix tests

* Update errors add logs and todos

* Update tests

* Remove redundant error handling

* Refactor
@aditya1702
[Test Optimization] Use a common db setup for testing resolvers (#277)
0767bbc
@akcays
Remove tx/create-sponsored-account endpoint (#267)
8674e4a 
* Remove /tx/create-sponsored-account endpoint

* Remove accountSponsorhipService and move wrapTransaction to feeBumpService
@JakeUrban @claude
Remove audience claim from JWT authentication (#281)
39482f8 
* update docker-compose.yaml

* Remove audience claim from JWT authentication

Removes the `audience` claim from JWTs. This claim did not meaningfully improve security for wallet backend instances, and while it did ensure JWTs could not be used for instances of the wallet backend running on different hosts, this is a defensive measure for the client's sake, not the server's. However, this does simplify client implementations and reduce the chances of misconfiguration. For example, when I run the wallet backend using docker-compose, the URL I make requests with have `localhost` hostnames, but the hostname of the server is actually `api` as its defined within the compose file. This possibility, for the domain clients must send requests to differ from the hostname configured for the instance, forces client SDKs to have one parameter for the URL to make requests to and a separate parameter for the `audience`.

## Changes Made:

### JWT Interface Updates:
- Removed `audience` parameter from `JWTTokenParser.ParseJWT()` and `JWTTokenGenerator.GenerateJWT()` interfaces
- Updated `HTTPRequestVerifier.VerifyHTTPRequest()` to no longer require audience parameter

### Core Logic Updates:
- Removed audience validation logic from `claims.Validate()` function
- Removed unused `slices` import from claims.go
- Removed `Audience` field generation from JWT tokens
- Removed hostname parsing logic that was only used for audience validation

### Middleware Updates:
- Updated `AuthenticationMiddleware()` to no longer require `serverHostname` parameter
- Removed `ServerHostname` field from `handlerDeps` struct since it was only used for audience validation
- Removed unused `net/url` import from serve.go

### Test Cleanup:
- Removed audience-only test cases: `🔴invalid_audience` and `🔴invalid_hostname`
- Updated all remaining tests to remove audience parameters and references
- Removed unused variables like `validAudience`, `invalidAudience`, `validHostname`, `invalidHostname`

### Documentation Update:
- Removed `aud` claim documentation from README.md

## What's Still Preserved:

- **`SERVER_BASE_URL` configuration** - Still used by PaymentService for building pagination URLs
- **All other JWT validations** - Subject, method/path, body hash, expiration, etc. remain intact
- **All other security mechanisms** - JWT signature validation, token expiration, etc. still work

## Verification:

- ✅ All tests pass in auth and middleware packages
- ✅ Entire codebase compiles successfully
- ✅ No remaining audience/aud references found
- ✅ Minimal impact achieved - only audience-specific functionality removed

The changes are surgical and focused solely on removing audience claim validation while preserving all other authentication mechanisms and functionality.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Fix formatting issues - remove extra blank lines

Applied golangci-lint --fix to resolve CI formatting failures

* move back to stable rpc image

---------

Co-authored-by: Claude <[email protected]>
@akcays
Remove /payments/ endpoint, models, and ingestion logic (#284)
1a97fda 
* Remove /payments/ endpoint, models, and ingestion logic

* Code review changes
@JakeUrban
Make JWT authentication optional (#291)
b5f73b4 
* make JWT auth optional

* update custom env var parser

* remove start-ledger

* update custom value setter test to expect passing on empty list
@aditya1702
Paginate through an account's transactions and operations (#279)
e31c712
@aditya1702
Paginate through an account's state changes (#286)
042d542
@aditya1702
Paginate through all transactions and operations (#293)
a44d6b7
@JakeUrban
update docker compose to remove warning logs (#298)
9617171
@aditya1702
Add relay pagination to remaining queries (#297)
f333831
@aditya1702
Merge branch 'main' into graphql-main
0141f8d
@aditya1702
Merge branch 'main' into graphql-main
3353015
@socket-security Socket Security
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub.com/​99designs/​gqlgen@​v0.17.7675100100100100
Updatedgithub.com/​stellar/​stellar-rpc@​v0.9.6-0.20250523162628-6bb9d7a387d5 ⏵ v0.9.6-0.20250618231249-2d3e8ff6936590 +1100100100100
Addedgithub.com/​vektah/​gqlparser/​v2@​v2.5.3099100100100100
Addedgithub.com/​vikstrous/​dataloadgen@​v0.0.9100100100100100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aditya1702 @akcays @JakeUrban