Skip to content

Redact Private Key from CreateWallet API Response #521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 43 commits into
base: main
Choose a base branch
from
Open

Redact Private Key from CreateWallet API Response #521

wants to merge 43 commits into from

Conversation

Sankara-Jefferson
Copy link
Contributor

Summary

This PR redacts the PrivateKey field from the response of the /wallet/create API endpoint to prevent accidental key exposure.

What Was Done

  • CreateHandler: removed PrivateKey from response payload by explicitly clearing the field before return.
  • Added a test case CreateWallet_privateKeyShouldBeRedacted to assert that PrivateKey is empty in the response.
  • Verified that all tests pass locally via go test ./api -v.

Rationale

Previously, the PrivateKey was included in plaintext in API responses. While this endpoint is useful for testing, returning secrets by default is a major security risk. This patch minimizes attack surface and sets groundwork for further key safety improvements.

Follow-ups (to be tracked)

  • Encrypt private keys at rest (symmetric key or KMS)
  • Add secure export flow (wallet export)
  • Audit other wallet-related endpoints for similar redaction
  • Add key handling docs to GitBook

Status

Ready for merge after CI passes.

web3-bot and others added 30 commits June 16, 2025 19:22
@web3-bot
ci: update Unified CI configuration (#78)
2b5ee62 
Co-authored-by: web3-bot <[email protected]>
@xinaxu
Remove autobump and update version.json (#122)
d4b4cd4
@hannahhoward
chore(version): update for v0.3.0
128a493
@masih
Fix version file not matching latest release
0b01a45 
There seem to have been some manual releases which leaves version file
inconsistent with what the latest release is.
@xinaxu
Update version.json to v0.4.0 (#279)
2f0763a
@xinaxu
Update version to v0.4.1 (#288)
beac7a3
@xinaxu
Bump version to v0.5.0 (#343)
7400010 
This is the version for MVP milestone
@gammazero
new version (#380)
0473f8c
@xinaxu
Update version.json to v0.5.2 (#390)
3102b49
@xinaxu
Update version.json to v0.5.3 (#397)
69056e6
@xinaxu
Update version.json (#400)
215ae09
@xinaxu
Update version.json to v0.5.5 (#403)
f15d08a
@gammazero
Update version (#407)
20f3546 
New version includes retrieval optimization.
@xinaxu
Update version.json to v0.5.7 (#409)
694d8d7
@gammazero
Update version (#414)
b9c0c06
@gammazero
New release version (#422)
c8dc8d2
@xinaxu
Update version.json to 0.5.10 (#424)
199de37
@xinaxu
Update version.json (#426)
3a4d20e
@xinaxu
bump version to v0.5.12 (#429)
ffa6dce
@xinaxu
Bump version to v0.5.13 (#432)
01e86f8
@xinaxu
Update version.json (#435)
2b66f5a
@ianconsolata
Update version.json to v0.5.15 (#442)
77e5fdf
@ianconsolata
Bump version.json to 0.5.16 (#445)
5ca2f28
@parkan
v0.5.17 release
85eb594 
- update go-libp2p to v0.39.1
- enable HTTP(S)_PROXY and TCP_PROXY
@parkan
retry workflow
67f32c0
@zachfedor
Add create wallet handler, cmd, and API #469
0e679e4
@zachfedor
Run linter
d220ffd
@zachfedor
Refactor create wallet handler for offline key generation
fa12700
@zachfedor
Run fmt
c55cd30
@zachfedor
Generate swagger docs
8c568dc
zachfedor and others added 10 commits June 16, 2025 19:47
@zachfedor
Create versioned migration process
e422307
@zachfedor
Fix versioned migration schemas
9731593 
- Add init function to create full current schema on brand new clean
databases and run missing migrations on any databases using old
auto-migrate strategy with existing data.
- Add CLI commands to migrate up, down, or to a specified version by ID
- Add utility functions to get list of migration IDs ran on current
database, check if migration has run by ID, etc.
@zachfedor
Generate docs
aee7180
@zachfedor
feat: add admin migrate which command
6b909f9
@zachfedor
fix: tests
42ff511
@zachfedor
feat: better documentation of create cmd
6850d47
@zachfedor
fix: lint errors
b4fde8f
@zachfedor
Update generated storage types file
0cc4bb4 
Fix struct tag ordering in handler/storage/types_gen.go to match
the current code generator output. This resolves CI failures where
go generate was detecting differences between committed and generated files.
@zachfedor
chore: fix go check (#518)
1316f6d 
Merging this now — all tests have passed.
Redact private key from CreateWallet response and add test for redaction
35a1c5a
ianconsolata
ianconsolata approved these changes Jul 29, 2025
View reviewed changes
Copy link
Collaborator

@ianconsolata ianconsolata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, though it seems like there are some merge conflicts to resolve

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ianconsolata ianconsolata ianconsolata approved these changes

@zachfedor zachfedor Awaiting requested review from zachfedor

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@Sankara-Jefferson @ianconsolata @web3-bot @xinaxu @hannahhoward @masih @gammazero @parkan @zachfedor