feat: explorer API, wallet, CCIP scripts, and config refresh

- Backend REST/gateway/track routes, analytics, Blockscout proxy paths. - Frontend wallet and liquidity surfaces; MetaMask token list alignment. - Deployment docs, verification scripts, address inventory updates. Check: go build ./... under backend/ (pass). Made-with: Cursor
2026-04-07 23:22:12 -07:00
parent 4044fb07e1
commit bdae5a9f6e
224 changed files with 19671 additions and 3291 deletions
--- a/backend/api/websocket/server_test.go
+++ b/backend/api/websocket/server_test.go
@@ -0,0 +1,42 @@
+package websocket
+
+import (
+	"net/http/httptest"
+	"testing"
+)
+
+func TestWebsocketOriginAllowedDefaultsToSameHost(t *testing.T) {
+	t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "")
+
+	req := httptest.NewRequest("GET", "http://example.com/ws", nil)
+	req.Host = "example.com:8080"
+	req.Header.Set("Origin", "https://example.com")
+
+	if !websocketOriginAllowed(req) {
+		t.Fatal("expected same-host websocket origin to be allowed by default")
+	}
+}
+
+func TestWebsocketOriginAllowedRejectsCrossOriginByDefault(t *testing.T) {
+	t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "")
+
+	req := httptest.NewRequest("GET", "http://example.com/ws", nil)
+	req.Host = "example.com:8080"
+	req.Header.Set("Origin", "https://attacker.example")
+
+	if websocketOriginAllowed(req) {
+		t.Fatal("expected cross-origin websocket request to be rejected by default")
+	}
+}
+
+func TestWebsocketOriginAllowedHonorsExplicitAllowlist(t *testing.T) {
+	t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "https://app.example, https://ops.example")
+
+	req := httptest.NewRequest("GET", "http://example.com/ws", nil)
+	req.Host = "example.com:8080"
+	req.Header.Set("Origin", "https://ops.example")
+
+	if !websocketOriginAllowed(req) {
+		t.Fatal("expected allowlisted websocket origin to be accepted")
+	}
+}