Skip to content

fix: throw error instead of warning for test-only function in production#335

Open
zkasuran wants to merge 1 commit into
base:masterfrom
zkasuran:fix/spend-permission-production-guard
Open

fix: throw error instead of warning for test-only function in production#335
zkasuran wants to merge 1 commit into
base:masterfrom
zkasuran:fix/spend-permission-production-guard

Conversation

@zkasuran

Copy link
Copy Markdown

Summary

Changes createSpendPermissionTypedDataWithSeconds production guard from soft console.warn to hard throw.

Problem (Issue #325)

Current production guard is ineffective:

if (process.env.NODE_ENV === 'production') {
  console.warn(
    '⚠️ createSpendPermissionTypedDataWithSeconds is being used. ' +
      'This function is intended for testing purposes only.'
  );
}
// Function continues and returns valid SpendPermissionTypedData

Issues:

  • console.warn is invisible to end-users
  • Silently swallowed by logging pipelines
  • Function continues execution regardless
  • Returns valid typed data that can be signed and submitted on-chain

Security Risk

Spend permissions authorize recurring token withdrawals from user accounts. This test utility creates permissions with arbitrary second-level periods (not day-level like production).

Attack scenarios:

  1. Accidental misuse: Developer copies test code to production, creates 60-second period instead of 60-day
  2. Rapid drainage: Very short periods drain allowances much faster than intended
  3. UX mismatch: Production UI doesn't support second-level periods, causing confusion

Solution

Replace with hard error:

if (process.env.NODE_ENV === 'production') {
  throw new Error(
    'createSpendPermissionTypedDataWithSeconds is for testing only and must not be called in production. ' +
      'Use createSpendPermissionTypedData with periodInDays instead.'
  );
}

Impact

Production callers fail fast and loudly
Prevents accidental misuse
Aligns with @testOnly JSDoc intent
No breaking change for correct usage (test-only)

Testing

  • No existing tests use this function (verified with grep)
  • CI will verify no regressions
  • Function is already marked @testOnly in JSDoc

Fixes #325

Changes createSpendPermissionTypedDataWithSeconds production guard from
soft console.warn to hard throw.

## Problem
Current guard uses console.warn which is invisible to end-users and
silently swallowed by logging pipelines. Function continues execution
and returns valid SpendPermissionTypedData that can be signed and
submitted on-chain in production.

## Risk
Spend permissions authorize recurring token withdrawals. Test utility
with arbitrary second-level periods could be used (accidentally or
intentionally) in production, creating permissions with very short
periods that drain allowances rapidly and are not supported by
production UX.

## Solution
Replace console.warn with throw Error:

```ts
if (process.env.NODE_ENV === 'production') {
  throw new Error(
    'createSpendPermissionTypedDataWithSeconds is for testing only...'
  );
}
```

## Impact
- Production callers fail fast and loudly
- Prevents accidental misuse in production
- Aligns with @testonly JSDoc annotation intent
- No breaking change for correct usage (test-only)

Fixes base#325

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@cb-heimdall

Copy link
Copy Markdown
Collaborator

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

createSpendPermissionTypedDataWithSeconds: soft production guard (console.warn) should be a hard throw to prevent silent misuse

3 participants