Fix critical security and functional issues from audit

Co-authored-by: 0xrinegade <[email protected]>

Author: Copilot

netlify.toml

@@ -3,28 +3,39 @@
   command = "bun install && bun run build --filter=@saasfly/nextjs"
   publish = "apps/nextjs/.next"
 
+# Environment variables should be set in Netlify dashboard, not committed to repo
+# This is for reference only - use actual secrets in Netlify environment settings
 [build.environment]
-  NEXTAUTH_SECRET = "netlify-build-secret-12345"
+  # Authentication secrets - SET THESE IN NETLIFY DASHBOARD
+  # NEXTAUTH_SECRET = "your-secure-nextauth-secret-here"
   NEXTAUTH_URL = "https://svm-pay.netlify.app"
   NEXT_PUBLIC_APP_URL = "https://svm-pay.netlify.app"
-  GITHUB_CLIENT_ID = "1"
-  GITHUB_CLIENT_SECRET = "1"
-  RESEND_API_KEY = "1"
-  RESEND_FROM = "1"
-  STRIPE_API_KEY = "1"
-  STRIPE_WEBHOOK_SECRET = "1"
-  NEXT_PUBLIC_STRIPE_STD_PRODUCT_ID = "prod_"
-  NEXT_PUBLIC_STRIPE_STD_MONTHLY_PRICE_ID = "price_"
-  NEXT_PUBLIC_STRIPE_PRO_PRODUCT_ID = "prod_"
-  NEXT_PUBLIC_STRIPE_PRO_MONTHLY_PRICE_ID = "price_"
-  NEXT_PUBLIC_STRIPE_PRO_YEARLY_PRICE_ID = "price_"
-  NEXT_PUBLIC_STRIPE_BUSINESS_PRODUCT_ID = "prod_"
-  NEXT_PUBLIC_STRIPE_BUSINESS_MONTHLY_PRICE_ID = "price_"
-  NEXT_PUBLIC_STRIPE_BUSINESS_YEARLY_PRICE_ID = "price_"
-  NEXT_PUBLIC_POSTHOG_KEY = " "
+  
+  # OAuth secrets - SET THESE IN NETLIFY DASHBOARD  
+  # GITHUB_CLIENT_ID = "your-github-client-id"
+  # GITHUB_CLIENT_SECRET = "your-github-client-secret"
+  
+  # Email service secrets - SET THESE IN NETLIFY DASHBOARD
+  # RESEND_API_KEY = "your-resend-api-key"
+  # RESEND_FROM = "your-sender-email"
+  
+  # Payment provider secrets - SET THESE IN NETLIFY DASHBOARD
+  # STRIPE_API_KEY = "your-stripe-api-key"
+  # STRIPE_WEBHOOK_SECRET = "your-stripe-webhook-secret"
+  
+  # Public configuration (safe to commit)
+  NEXT_PUBLIC_STRIPE_STD_PRODUCT_ID = "prod_placeholder"
+  NEXT_PUBLIC_STRIPE_STD_MONTHLY_PRICE_ID = "price_placeholder"
+  NEXT_PUBLIC_STRIPE_PRO_PRODUCT_ID = "prod_placeholder"
+  NEXT_PUBLIC_STRIPE_PRO_MONTHLY_PRICE_ID = "price_placeholder"
+  NEXT_PUBLIC_STRIPE_PRO_YEARLY_PRICE_ID = "price_placeholder"
+  NEXT_PUBLIC_STRIPE_BUSINESS_PRODUCT_ID = "prod_placeholder"
+  NEXT_PUBLIC_STRIPE_BUSINESS_MONTHLY_PRICE_ID = "price_placeholder"
+  NEXT_PUBLIC_STRIPE_BUSINESS_YEARLY_PRICE_ID = "price_placeholder"
+  NEXT_PUBLIC_POSTHOG_KEY = ""
   NEXT_PUBLIC_POSTHOG_HOST = "https://app.posthog.com"
-  ADMIN_EMAIL = "admin@saasfly.io,[email protected]"
+  ADMIN_EMAIL = "admin@example.com"
   IS_DEBUG = "false"
 
 [[plugins]]
-  package = "@netlify/plugin-nextjs"
+  package = "@netlify/plugin-nextjs"

website/apps/nextjs/package.json

@@ -21,6 +21,7 @@
     "@solana/wallet-adapter-base": "^0.9.27",
     "@solana/wallet-adapter-react": "^0.15.39",
     "@solana/wallet-adapter-react-ui": "^0.9.39",
+    "@solana/wallet-adapter-wallets": "^0.19.27",
     "@solana/web3.js": "^1.98.2",
     "@t3-oss/env-nextjs": "0.8.0",
     "@tanstack/react-query": "5.72.2",

website/apps/nextjs/src/app/[lang]/(marketing)/page-old.tsx

@@ -106,16 +106,16 @@ export default async function IndexPage({
                   </div>
                   <div className="flex flex-col items-center justify-start ml-8">
                     <div className="w-[340px]">
-                      <text className="font-semibold">6 </text>
-                      <text
-                        className="text-neutral-500 dark:text-neutral-400">{dict.marketing.contributors?.contributors_desc || "contributors made SVM-Pay stronger"}</text>
+                      <span className="font-semibold">6 </span>
+                      <span
+                        className="text-neutral-500 dark:text-neutral-400">{dict.marketing.contributors?.contributors_desc || "contributors made SVM-Pay stronger"}</span>
                     </div>
                     <div className="w-[340px]">
-                      <text
-                        className="text-neutral-500 dark:text-neutral-400">{dict.marketing.contributors?.developers_first || "Help more than "}</text>
+                      <span
+                        className="text-neutral-500 dark:text-neutral-400">{dict.marketing.contributors?.developers_first || "Help more than "}</span>
                       <ColourfulText text="1000"/>
-                      <text
-                        className="text-neutral-500 dark:text-neutral-400">{dict.marketing.contributors?.developers_second || " developers"}</text>
+                      <span
+                        className="text-neutral-500 dark:text-neutral-400">{dict.marketing.contributors?.developers_second || " developers"}</span>
                     </div>
                   </div>
                 </div>

website/apps/nextjs/src/lib/sdk/solana-payment.tsx

@@ -3,7 +3,7 @@
 import React, { FC, useState } from 'react';
 import { useWallet } from '@solana/wallet-adapter-react';
 import { WalletMultiButton } from '@solana/wallet-adapter-react-ui';
-import { PublicKey, Transaction, Connection } from '@solana/web3.js';
+import { PublicKey, Transaction, Connection, SystemProgram, LAMPORTS_PER_SOL } from '@solana/web3.js';
 
 export interface SolanaPaymentProps {
   amount: number; // Amount in SOL
@@ -18,45 +18,43 @@ export const SolanaPayment: FC<SolanaPaymentProps> = ({
   onSuccess,
   onError
 }) => {
-  // Use try-catch to handle missing wallet context gracefully
-  let walletState = { publicKey: null, sendTransaction: null };
-  try {
-    const { publicKey, sendTransaction } = useWallet();
-    walletState = { publicKey, sendTransaction };
-  } catch (error) {
-    console.warn("Wallet context not available:", error);
-  }
-
-  const { publicKey, sendTransaction } = walletState;
+  const { publicKey, sendTransaction, connected } = useWallet();
   const [isProcessing, setIsProcessing] = useState(false);
   const [txSignature, setTxSignature] = useState<string | null>(null);
 
   const handlePayment = async () => {
-    if (!publicKey || !sendTransaction) return;
+    if (!publicKey || !sendTransaction || !connected) return;
 
     try {
       setIsProcessing(true);
 
-      // Create a simple transfer transaction
-      const transaction = new Transaction().add(
-        // Create a transfer instruction
-        // This is a simplified example - in a real app, you would use the Solana SDK to create a proper transfer instruction
-        {
-          keys: [
-            { pubkey: publicKey, isSigner: true, isWritable: true },
-            { pubkey: new PublicKey(recipientAddress), isSigner: false, isWritable: true },
-          ],
-          programId: new PublicKey('11111111111111111111111111111111'), // System program ID
-          data: Buffer.from([2, ...new Uint8Array(8).fill(0)]), // Transfer instruction with amount
-        }
-      );
-
       // Create a connection to use for sending the transaction
       const connection = new Connection('https://api.mainnet-beta.solana.com');
+      
+      // Convert SOL amount to lamports
+      const lamports = Math.floor(amount * LAMPORTS_PER_SOL);
+      
+      // Create a proper transfer instruction using SystemProgram
+      const transferInstruction = SystemProgram.transfer({
+        fromPubkey: publicKey,
+        toPubkey: new PublicKey(recipientAddress),
+        lamports: lamports,
+      });
+
+      // Create transaction and add the transfer instruction
+      const transaction = new Transaction().add(transferInstruction);
+      
+      // Get latest blockhash for the transaction
+      const { blockhash } = await connection.getLatestBlockhash();
+      transaction.recentBlockhash = blockhash;
+      transaction.feePayer = publicKey;
 
       // Send the transaction
       const signature = await sendTransaction(transaction, connection);
 
+      // Wait for confirmation
+      await connection.confirmTransaction(signature, 'confirmed');
+      
       setTxSignature(signature);
       onSuccess?.(signature);
     } catch (error) {
@@ -69,7 +67,7 @@ export const SolanaPayment: FC<SolanaPaymentProps> = ({
 
   return (
     <div className="solana-payment">
-      {!publicKey ? (
+      {!connected || !publicKey ? (
         <div>
           <p>Connect your wallet to make a payment</p>
           <WalletMultiButton />

website/apps/nextjs/src/lib/sdk/solana-provider.tsx

@@ -9,6 +9,34 @@ import { clusterApiUrl } from '@solana/web3.js';
 // Import the styles for the wallet modal
 import '@solana/wallet-adapter-react-ui/styles.css';
 
+// Define wallet adapters with fallback
+let walletAdapters: any[] = [];
+
+try {
+  // Try to import wallet adapters
+  const { 
+    PhantomWalletAdapter,
+    SolflareWalletAdapter,
+    MathWalletAdapter,
+    Coin98WalletAdapter,
+    SolletWalletAdapter,
+    SolletExtensionWalletAdapter,
+  } = require('@solana/wallet-adapter-wallets');
+  
+  walletAdapters = [
+    PhantomWalletAdapter,
+    SolflareWalletAdapter, 
+    MathWalletAdapter,
+    Coin98WalletAdapter,
+    SolletWalletAdapter,
+    SolletExtensionWalletAdapter,
+  ];
+} catch (error) {
+  console.warn('Wallet adapters not available:', error);
+  // Fallback to empty array if wallet adapters are not installed
+  walletAdapters = [];
+}
+
 export interface SolanaWalletProviderProps {
   children: ReactNode;
   projectId: string;
@@ -23,9 +51,15 @@ export const SolanaWalletProvider: FC<SolanaWalletProviderProps> = ({
   // The network can be set to 'devnet', 'testnet', or 'mainnet-beta'
   const endpoint = useMemo(() => clusterApiUrl(network), [network]);
 
-  // For now, use an empty array of wallets to get the build working
-  // In production, you would add specific wallet adapters here
-  const wallets = useMemo(() => [], []);
+  // Configure wallet adapters for popular Solana wallets with fallback
+  const wallets = useMemo(() => {
+    try {
+      return walletAdapters.map((WalletAdapter: any) => new WalletAdapter());
+    } catch (error) {
+      console.warn('Error initializing wallet adapters:', error);
+      return [];
+    }
+  }, []);
 
   return (
     <ConnectionProvider endpoint={endpoint}>