Merge pull request #60 from bamiebot-maker/feature/security-listing-verification

feat(security): verify listing ownership on-chain

Author: elizabetheonoja-art

index.js

@@ -33,12 +33,16 @@ function createApp(dependencies = {}) {
   app.use(express.json());
 const express = require('express');
 const cors = require('cors');
+const { randomUUID } = require('crypto');
+
 const multer = require('multer');
 const path = require('path');
 const fs = require('fs');
 const sharp = require('sharp');
 const app = express();
 const port = 3000;
+const listings = [];
+const HORIZON_URL = process.env.HORIZON_URL || 'https://horizon.stellar.org';
 
 const uploadDir = path.join(__dirname, 'uploads');
 if (!fs.existsSync(uploadDir)) {
@@ -296,6 +300,43 @@ function createApp({ securityDepositService } = {}) {
 const availabilityService = new AvailabilityService();
 const assetMetadataService = new AssetMetadataService();
 
+function hasPositiveTrustline(balances, assetCode, assetIssuer) {
+  return balances.some((balance) => {
+    const isMatchingAsset =
+      balance.asset_code === assetCode &&
+      balance.asset_issuer === assetIssuer &&
+      String(balance.asset_type || '').startsWith('credit_');
+
+    if (!isMatchingAsset) {
+      return false;
+    }
+
+    return Number.parseFloat(balance.balance || '0') > 0;
+  });
+}
+
+async function verifyNftOwnership({ lister, assetCode, assetIssuer }) {
+  const response = await fetch(
+    `${HORIZON_URL.replace(/\/$/, '')}/accounts/${encodeURIComponent(lister)}`
+  );
+
+  if (response.status === 404) {
+    return { isOwner: false, reason: 'ACCOUNT_NOT_FOUND' };
+  }
+
+  if (!response.ok) {
+    throw new Error(`Horizon lookup failed with status ${response.status}`);
+  }
+
+  const account = await response.json();
+  const balances = Array.isArray(account.balances) ? account.balances : [];
+
+  return {
+    isOwner: hasPositiveTrustline(balances, assetCode, assetIssuer),
+    reason: 'TRUSTLINE_MISSING_OR_EMPTY',
+  };
+}
+
 app.get('/', (req, res) => {
   res.json({
     project: 'LeaseFlow Protocol',
@@ -491,6 +532,52 @@ app.get('/api/assets/metadata', async (req, res) => {
   }
 });
 
+app.get('/listings', (req, res) => {
+  res.json({ listings });
+});
+
+app.post('/listings', async (req, res) => {
+  const { lister, assetCode, assetIssuer, price, metadata } = req.body || {};
+
+  if (!lister || !assetCode || !assetIssuer || price === undefined || price === null) {
+    return res.status(400).json({
+      error: 'Missing required fields',
+      required: ['lister', 'assetCode', 'assetIssuer', 'price'],
+    });
+  }
+
+  try {
+    const ownershipCheck = await verifyNftOwnership({ lister, assetCode, assetIssuer });
+
+    if (!ownershipCheck.isOwner) {
+      return res.status(403).json({
+        error: 'Lister does not own the NFT on-chain',
+        reason: ownershipCheck.reason,
+      });
+    }
+
+    // The repo has no persistent database yet, so this in-memory insert marks the
+    // exact point where verified listings would be written once a DB layer exists.
+    const listing = {
+      id: randomUUID(),
+      lister,
+      assetCode,
+      assetIssuer,
+      price,
+      metadata: metadata || null,
+      createdAt: new Date().toISOString(),
+    };
+
+    listings.push(listing);
+    return res.status(201).json({ listing });
+  } catch (error) {
+    return res.status(502).json({
+      error: 'Unable to verify ownership against Horizon',
+      details: error.message,
+    });
+  }
+});
+
 app.post('/api/asset/:id/metadata', async (req, res) => {
   try {
     const { id } = req.params;
@@ -858,6 +945,15 @@ if (require.main === module) {
   });
 }
 
+module.exports = {
+  app,
+  listings,
+  resetListings() {
+    listings.length = 0;
+  },
+  verifyNftOwnership,
+  hasPositiveTrustline,
+};
 const availabilityService = new AvailabilityService();
 module.exports = app;
 module.exports.app = app;

tests/index.test.js

@@ -1,4 +1,21 @@
 const request = require('supertest');
+const {
+  app,
+  listings,
+  resetListings,
+  hasPositiveTrustline,
+} = require('../index');
+
+describe('LeaseFlow Backend API', () => {
+  beforeEach(() => {
+    resetListings();
+    global.fetch = jest.fn();
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
 
 const { createApp } = require('../index');
 const { loadConfig } = require('../src/config');
@@ -87,6 +104,187 @@ describe('LeaseFlow Backend API', () => {
     });
   });
 
+  it('should require listing fields on POST /listings', async () => {
+    const response = await request(app).post('/listings').send({ lister: 'GABC' });
+
+    expect(response.status).toBe(400);
+    expect(response.body).toEqual({
+      error: 'Missing required fields',
+      required: ['lister', 'assetCode', 'assetIssuer', 'price'],
+    });
+    expect(listings).toHaveLength(0);
+  });
+
+  it('should create a listing when Horizon shows a positive trustline', async () => {
+    global.fetch.mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        balances: [
+          {
+            asset_type: 'credit_alphanum12',
+            asset_code: 'LEASE-NFT-1',
+            asset_issuer: 'GISSUER123',
+            balance: '1.0000000',
+          },
+        ],
+      }),
+    });
+
+    const response = await request(app).post('/listings').send({
+      lister: 'GLISTER123',
+      assetCode: 'LEASE-NFT-1',
+      assetIssuer: 'GISSUER123',
+      price: '1500',
+      metadata: { leaseId: 'lease-001' },
+    });
+
+    expect(response.status).toBe(201);
+    expect(response.body.listing).toMatchObject({
+      lister: 'GLISTER123',
+      assetCode: 'LEASE-NFT-1',
+      assetIssuer: 'GISSUER123',
+      price: '1500',
+      metadata: { leaseId: 'lease-001' },
+    });
+    expect(listings).toHaveLength(1);
+    expect(global.fetch).toHaveBeenCalledWith(
+      'https://horizon.stellar.org/accounts/GLISTER123'
+    );
+  });
+
+  it('should reject listings when the trustline is missing', async () => {
+    global.fetch.mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        balances: [
+          {
+            asset_type: 'native',
+            balance: '100.0',
+          },
+        ],
+      }),
+    });
+
+    const response = await request(app).post('/listings').send({
+      lister: 'GLISTER456',
+      assetCode: 'LEASE-NFT-2',
+      assetIssuer: 'GISSUER456',
+      price: '2200',
+    });
+
+    expect(response.status).toBe(403);
+    expect(response.body).toEqual({
+      error: 'Lister does not own the NFT on-chain',
+      reason: 'TRUSTLINE_MISSING_OR_EMPTY',
+    });
+    expect(listings).toHaveLength(0);
+  });
+
+  it('should reject listings when the trustline exists with zero balance', async () => {
+    global.fetch.mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        balances: [
+          {
+            asset_type: 'credit_alphanum12',
+            asset_code: 'LEASE-NFT-3',
+            asset_issuer: 'GISSUER789',
+            balance: '0.0000000',
+          },
+        ],
+      }),
+    });
+
+    const response = await request(app).post('/listings').send({
+      lister: 'GLISTER789',
+      assetCode: 'LEASE-NFT-3',
+      assetIssuer: 'GISSUER789',
+      price: '3000',
+    });
+
+    expect(response.status).toBe(403);
+    expect(response.body.reason).toBe('TRUSTLINE_MISSING_OR_EMPTY');
+    expect(listings).toHaveLength(0);
+  });
+
+  it('should reject listings when Horizon account lookup returns 404', async () => {
+    global.fetch.mockResolvedValue({
+      ok: false,
+      status: 404,
+    });
+
+    const response = await request(app).post('/listings').send({
+      lister: 'GMISSINGACCOUNT',
+      assetCode: 'LEASE-NFT-4',
+      assetIssuer: 'GISSUER404',
+      price: '3500',
+    });
+
+    expect(response.status).toBe(403);
+    expect(response.body.reason).toBe('ACCOUNT_NOT_FOUND');
+    expect(listings).toHaveLength(0);
+  });
+
+  it('should surface Horizon failures without inserting a listing', async () => {
+    global.fetch.mockResolvedValue({
+      ok: false,
+      status: 503,
+    });
+
+    const response = await request(app).post('/listings').send({
+      lister: 'GUPSTREAMFAIL',
+      assetCode: 'LEASE-NFT-5',
+      assetIssuer: 'GISSUER500',
+      price: '4100',
+    });
+
+    expect(response.status).toBe(502);
+    expect(response.body).toEqual({
+      error: 'Unable to verify ownership against Horizon',
+      details: 'Horizon lookup failed with status 503',
+    });
+    expect(listings).toHaveLength(0);
+  });
+
+  it('should detect matching trustlines with positive balances only', () => {
+    expect(
+      hasPositiveTrustline(
+        [
+          {
+            asset_type: 'credit_alphanum12',
+            asset_code: 'LEASE-NFT-6',
+            asset_issuer: 'GISSUERTRUST',
+            balance: '1.0000000',
+          },
+          {
+            asset_type: 'credit_alphanum12',
+            asset_code: 'LEASE-NFT-6',
+            asset_issuer: 'GISSUERTRUST',
+            balance: '0.0000000',
+          },
+        ],
+        'LEASE-NFT-6',
+        'GISSUERTRUST'
+      )
+    ).toBe(true);
+
+    expect(
+      hasPositiveTrustline(
+        [
+          {
+            asset_type: 'credit_alphanum12',
+            asset_code: 'LEASE-NFT-6',
+            asset_issuer: 'GISSUERTRUST',
+            balance: '0.0000000',
+          },
+        ],
+        'LEASE-NFT-6',
+        'GISSUERTRUST'
+      )
+    ).toBe(false);
   it('generates a proposal for an active lease expiring in 60 days', () => {
     seedEligibleLease();