• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

decentraland / social-service-ea / 28593221494
90%

Build:
DEFAULT BRANCH: main
Ran 02 Jul 2026 01:25PM UTC
Jobs 1
Files 201
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

02 Jul 2026 01:19PM UTC coverage: 90.298% (-0.1%) from 90.437%
28593221494

push

github

web-flow
fix: harden access control, referral integrity and adapter robustness (#428)

* fix: harden access control, referral integrity and adapter robustness

Findings from a security/correctness review, grouped by area.

Access control:
- Reject direct joins of private communities (require the request/invite flow)
- Enforce bans on the request/invite accept path and when creating requests;
  remove a banned user's pending requests so a ban cannot be circumvented
- Exclude banned users when bulk-accepting requests on a private->public flip
- Enforce block and reject self-calls in private voice chat; normalize social
  settings lookups so a checksummed address can't bypass privacy settings
- Normalize addresses in role-permission and block/unblock self checks

Referral integrity:
- Add a unique(invited_user) index (with dedupe) so one invited user maps to a
  single referrer, closing a reward-inflation race

Robustness / hardening:
- Fix voice-db "user is busy" guard (IN (array) -> = ANY(array))
- Default outbound HTTP request timeout; bound inbound WS payload size
- Escape LIKE/ILIKE wildcards in community search
- Bound placeIds array size; clamp falsy pagination limits
- Fix memory-cache mGet, redis get JSON resilience and EX handling, retrier
  error propagation, feature-flag refresh, interval-leak guards, catalyst
  server rotation, rewards response validation
- Stop leaking internal error details over WS; stop logging referral email PII

Adds unit and integration coverage for the ban-enforcement, voice block/self,
private-community join, and wildcard-escaping paths.

* fix: address PR review feedback

- rewards: log a warning when the reward server responds OK but without a
  data array, instead of silently returning []
- block/unblock: validate the address format before the self-block check so a
  malformed input reports "Invalid address" rather than "Cannot block yourself"
- queries: align the OFFSET guard with LIMIT (typeof offset === 'number')
- memo... (continued)

2314 of 2717 branches covered (85.17%)

Branch coverage included in aggregate %.

79 of 95 new or added lines in 24 files covered. (83.16%)

5802 of 6271 relevant lines covered (92.52%)

80.42 hits per line

Uncovered Changes

Lines Coverage ∆ File
3
0.0
0.0% src/components.ts
2
77.19
-5.16% src/adapters/feature-flags.ts
2
75.0
-6.82% src/adapters/memory-cache.ts
2
93.44
-6.56% src/adapters/peer-tracking.ts
2
87.1
-12.9% src/adapters/peers-synchronizer.ts
2
68.66
-1.66% src/adapters/redis.ts
1
86.77
0.75% src/adapters/communities-db.ts
1
95.52
-2.17% src/adapters/friends-db.ts
1
88.46
0.0% src/controllers/handlers/http/get-community-invites-handler.ts
Jobs
ID Job ID Ran Files Coverage
1 28593221494.1 02 Jul 2026 01:25PM UTC 402
91.26
GitHub Action Run
Source Files on build 28593221494
  • Tree
  • List 201
  • Changed 159
  • Source Changed 26
  • Coverage Changed 159
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Repo
  • Github Actions Build #28593221494
  • 5ab3af8a on github
  • Prev Build on main (#28547511600)
  • Delete
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc