This project is using an NX style monorepository that helps divide and map the project dependencies for each project.
The core modules are in the packages
directory and the example apps are in the examples
directory. In order to figure out the commands you need to run, you can use the nx
command line tool.
You can also use the infix notation to run a target: nx [target] [project] [options, ...]
On the other hand, if you want to run a specific command in a package, you can use the nx run
command. There are a lot of things defined in every project's project.json
file:
To run a target:
yarn nx run [project][:target][:configuration] [options, ...]
yarn nx r [project][:target][:configuration] [options, ...]
In order to run a specific example, make sure you build the packages beforehand by running:
yarn build:all # builds all packages
yarn nx serve react # run the react example
yarn nx serve angular # run the angular example
Note:
modal-ui
package must be re-build after every change in the source files of this packageyarn nx run modal-ui:build
Build and deploy angular example
yarn nx build angular # build the angular example
yarn nx deploy angular # deploys angular example to gh-pages
In this project there are two important branches main
and dev
branch. Pushing or committing directly in these two branches is forbidden.
This is the default branch and will be equal the latest official release.
This is the branch for development used by the team and/or other contributors from the community.
New features, fixes and other improvements are first implemented and tested in this
branch.
When adding new features/fixes team members must always create a new branch locally based on latest changes of dev
branch.
When your work is ready a merge request should be opened from your branch to dev
. When your PR is reviewed and approved then it can be merged.
Except main
and dev
branch other branches are work in progress by the team or related to the open PR(s).
Once the planned work has been finished and the set date has arrived a merge request from dev
to main
should be made.
After merging only two steps remain:
- Publish packages to NPM.
- Draft release in Github.
Since main
is the default branch of this project in case of regular release it will be always equal to the latest release.
In case of a pre-release
a specific branch will be linked to the pre-release
version(tag).
Criteria for Including New Wallets for Wallet Selector
A wallet project must have comply the following product criteria to listed on Wallet Selector.
- Non-custodial: The user controls their fund.
- Conformity to Wallet Standards: The wallet product conforms to NEAR NEP wallet standards. (Injected Wallet near/NEPs#370 and Bridged Wallet near/NEPs#368)
- Ease of use: The wallet product provides a usable interface for the end users. Please provide a user guide.
- Ability to recover accounts: The wallet product allows users to be able to recover accounts.
- Actively maintained: The wallet is actively maintained by a team and can provide user support.
A wallet project must have a significant portion of these security program features in place, and shall self-certify that they maintain a security program that is commensurate (sufficiently similar) or better than the elements of the program outlined below. A project may also certify that they have a significant program in place, but intend to enhance the program to a level commensurate with the program outlined below by a given date.
Wallets shall checkbox a statement of compliance to be maintained on the wallet’s GitHub account or Website. The statement may qualitatively discuss the security program and include additional elements, or simply state that it is compliant with the program outlined below. When asserting that open items will be in place within some time period of being listed, target dates shall be included and clearly defined. The overall statement must be dated and the date shall be commensurate with the commit date. All wallet projects must maintain compliance while being included in the wallet listing/selector program. If a wallet is no longer in compliance, or no longer supported, the security statement must reflect that change and the wallet selector team shall be notified. The wallet project shall make verification of the following requirements as easy as possible--maximizing transparency through the use of relevant links pointing toward program descriptions, audit reports, etc. for the user/researcher.
-
Has a security program in place that covers or is dedicated to the wallet and...
-
Publishes information about its security program in an easily findable place.
-
Conducts regular audits of wallet code, at regular intervals of less than a year or based on meaningful code changes.
-
Conducts regular penetration tests, both “authenticated” and “non-authenticated” upon significant code changes.
-
Conducts penetration tests on related infrastructure, such as databases, virtual machines, web servers, etc.
-
Remediates any critical, high, or medium findings from audits (3, 4, an 5 above) in a rapid fashion, as suggested by auditors. Auditors should validate the remediation in their reports.
-
Makes such reports (audits, penetration tests) publicly available, on at least a summary level.
-
When making reports (7) available, wallet projects should ensure the equivalent reports appear on the security vendor’s site or simply links to the security vendor’s report. This ensures the authenticity of the audit reports.
-
Conducts operational readiness reviews and testing or an equivalent process before deployment to production to ensure that code changes have not resulted in unanticipated behavior, compatibility issues, or inclusion of vulnerabilities.
-
Maintains a testnet wallet, available to developers and security researchers.
-
Maintains a bug bounty program.
-
Implements minimal privilege and access policies with regard to supporting infrastructure.
-
Implements MFA and strong passwords for access to critical related systems, such as domain registration, hosting platforms, cloud platforms, etc.
-
Conducts known vulnerability and vulnerable dependency checks; and remediates critical, medium, and high findings before deploying to testnet or production.
-
If the wallet is a browser “extension,” it is listed on the official extension marketplace.
-
Logs are collected from supporting infrastructure, web servers, etc.
-
Ensures that logs do not contain sensitive information, are encrypted at rest in storage, and have restricted access with least privilege.
-
Enables “audit logs” on related platforms (AWS, GCP, monitoring platforms, etc).
-
Logs shall be maintained for 90 days for forensic purposes.
-
Security feature shall be enabled in hosting environments, i.e. AWS GuardDuty.
-
Inputs shall be sanitized.
-
Code SAST scanning for vulnerabilities and vulnerable dependencies shall be conducted prior to production.
-
Vulnerability scanning shall be conducted regularly on websites, infrastructure-related VMs, etc. Findings shall be quickly remediated.
-
Patch management shall be conducted frequently on supporting infrastructure.
-
VM and bare-metal infrastructure shall be protected by endpoint detection and response software.
-
An incident monitoring, alerting, and response program shall be in place.
-
Additional protective technologies, such as web application firewalls, should be put in place and appropriately configured to prevent attacks on the wallet.
-
White and black lists should be maintained for ip addresses and domains interacting with the wallet to the extent possible.
-
Reduction in attack surface shall be conducted by removing access to paths and unused ports; properly configuring domains, CSP, etc.
-
Access to infrastructure should be limited to VPNs or commensurate technology, IP restricted, etc. in order to prevent malicious access. For example, port 22 for the web server would not be accessible from the internet.
-
OWASP top 10 vulnerabilities shall be regularly tested and remediated.
-
Tools such as Nessus and Qualys, or similar should be used to scan for vulnerabilities.
-
Tools such as Burp Suite, or similar should be used to instrument and and analyze the interaction of the wallet with the browser for security issues.
-
Playbooks for public disclosure and communication to stakeholders and users should be prepared in advance and practiced via tabletop exercises in order to ensure rapid response and disclosure to protect such stakeholders and their assets.
-
An incident response retainer should be considered.
-
Wallet projects should clearly inform users of risks, risky behavior, best practices in the use of the wallet, and the most secure methods for using the wallet.
-
Wallet projects should have a clear path to reporting and receiving help on issues that is easily found by users.
-
Sensitive information should not be stored in the client-side wallet in a way that could be scraped from storage by malicious software, such as keys, recovery phrases, etc.
-
Encryption of sensitive data should likewise not rely on hard-coded keys or weak ciphers.
-
A user’s ability to recover their wallet under various circumstances should be clearly spelled out to the user when setting up the wallet.
-
Communication between infrastructure elements should be secured to the maximum extent possible. Please link to your the statement on your website or GitHub repo showing a statement of compliance. Please put link below (even if it is a placeholder).