Address code review suggestions for OP Stack

- Fix race condition in batch index assignment using transaction with lock
- Add input validation and sanitization for pagination parameters
- Add named constants for EIP-4844 versioned hash calculations
- Add 404 handling when OP entities are not found
- Add optional chaining for template property access in Vue components

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: Antoine de Chevigné

run/api/opBatches.js

@@ -2,7 +2,16 @@ const express = require('express');
 const router = express.Router();
 const workspaceAuthMiddleware = require('../middlewares/workspaceAuth');
 const db = require('../lib/firebase');
-const { unmanagedError } = require('../lib/errors');
+const { unmanagedError, managedError } = require('../lib/errors');
+
+/**
+ * Sanitize pagination parameters
+ */
+const sanitizePagination = (page, itemsPerPage, order) => ({
+    page: Math.max(1, parseInt(page) || 1),
+    itemsPerPage: Math.min(100, Math.max(1, parseInt(itemsPerPage) || 10)),
+    order: ['ASC', 'DESC'].includes(order?.toUpperCase()) ? order.toUpperCase() : 'DESC'
+});
 
 /**
  * Get paginated list of OP batches for a workspace
@@ -15,7 +24,7 @@ router.get('/', workspaceAuthMiddleware, async (req, res, next) => {
     const data = { ...req.query, ...req.params };
 
     try {
-        const { page, itemsPerPage, order } = data;
+        const { page, itemsPerPage, order } = sanitizePagination(data.page, data.itemsPerPage, data.order);
         const { rows: items, count: total } = await db.getWorkspaceOpBatches(data.workspace.id, page, itemsPerPage, order);
 
         res.status(200).json({ items, total });
@@ -35,6 +44,10 @@ router.get('/:batchIndex', workspaceAuthMiddleware, async (req, res, next) => {
     try {
         const batch = await db.getOpBatch(data.workspace.id, data.batchIndex);
 
+        if (!batch) {
+            return res.status(404).json({ error: 'Batch not found' });
+        }
+
         res.status(200).json(batch);
     } catch (error) {
         unmanagedError(error, req, next);
@@ -53,7 +66,8 @@ router.get('/:batchIndex/transactions', workspaceAuthMiddleware, async (req, res
     const data = { ...req.query, ...req.params };
 
     try {
-        const { total, items } = await db.getOpBatchTransactions(data.workspace.id, data.batchIndex, data.page, data.itemsPerPage, data.order);
+        const { page, itemsPerPage, order } = sanitizePagination(data.page, data.itemsPerPage, data.order);
+        const { total, items } = await db.getOpBatchTransactions(data.workspace.id, data.batchIndex, page, itemsPerPage, order);
 
         res.status(200).json({ total, items });
     } catch (error) {

run/api/opDeposits.js

@@ -2,7 +2,16 @@ const express = require('express');
 const router = express.Router();
 const workspaceAuthMiddleware = require('../middlewares/workspaceAuth');
 const db = require('../lib/firebase');
-const { unmanagedError } = require('../lib/errors');
+const { unmanagedError, managedError } = require('../lib/errors');
+
+/**
+ * Sanitize pagination parameters
+ */
+const sanitizePagination = (page, itemsPerPage, order) => ({
+    page: Math.max(1, parseInt(page) || 1),
+    itemsPerPage: Math.min(100, Math.max(1, parseInt(itemsPerPage) || 10)),
+    order: ['ASC', 'DESC'].includes(order?.toUpperCase()) ? order.toUpperCase() : 'DESC'
+});
 
 /**
  * Get paginated list of OP deposits for a workspace
@@ -15,7 +24,7 @@ router.get('/', workspaceAuthMiddleware, async (req, res, next) => {
     const data = { ...req.query, ...req.params };
 
     try {
-        const { page, itemsPerPage, order } = data;
+        const { page, itemsPerPage, order } = sanitizePagination(data.page, data.itemsPerPage, data.order);
         const { rows: items, count: total } = await db.getWorkspaceOpDeposits(data.workspace.id, page, itemsPerPage, order);
 
         res.status(200).json({ items, total });
@@ -35,6 +44,10 @@ router.get('/:hash', workspaceAuthMiddleware, async (req, res, next) => {
     try {
         const deposit = await db.getOpDepositByL1Hash(data.workspace.id, data.hash);
 
+        if (!deposit) {
+            return res.status(404).json({ error: 'Deposit not found' });
+        }
+
         res.status(200).json(deposit);
     } catch (error) {
         unmanagedError(error, req, next);

run/api/opOutputs.js

@@ -2,7 +2,16 @@ const express = require('express');
 const router = express.Router();
 const workspaceAuthMiddleware = require('../middlewares/workspaceAuth');
 const db = require('../lib/firebase');
-const { unmanagedError } = require('../lib/errors');
+const { unmanagedError, managedError } = require('../lib/errors');
+
+/**
+ * Sanitize pagination parameters
+ */
+const sanitizePagination = (page, itemsPerPage, order) => ({
+    page: Math.max(1, parseInt(page) || 1),
+    itemsPerPage: Math.min(100, Math.max(1, parseInt(itemsPerPage) || 10)),
+    order: ['ASC', 'DESC'].includes(order?.toUpperCase()) ? order.toUpperCase() : 'DESC'
+});
 
 /**
  * Get paginated list of OP outputs for a workspace
@@ -15,7 +24,7 @@ router.get('/', workspaceAuthMiddleware, async (req, res, next) => {
     const data = { ...req.query, ...req.params };
 
     try {
-        const { page, itemsPerPage, order } = data;
+        const { page, itemsPerPage, order } = sanitizePagination(data.page, data.itemsPerPage, data.order);
         const { rows: items, count: total } = await db.getWorkspaceOpOutputs(data.workspace.id, page, itemsPerPage, order);
 
         res.status(200).json({ items, total });
@@ -35,6 +44,10 @@ router.get('/:outputIndex', workspaceAuthMiddleware, async (req, res, next) => {
     try {
         const output = await db.getOpOutput(data.workspace.id, data.outputIndex);
 
+        if (!output) {
+            return res.status(404).json({ error: 'Output not found' });
+        }
+
         res.status(200).json(output);
     } catch (error) {
         unmanagedError(error, req, next);

run/api/opWithdrawals.js

@@ -2,7 +2,16 @@ const express = require('express');
 const router = express.Router();
 const workspaceAuthMiddleware = require('../middlewares/workspaceAuth');
 const db = require('../lib/firebase');
-const { unmanagedError } = require('../lib/errors');
+const { unmanagedError, managedError } = require('../lib/errors');
+
+/**
+ * Sanitize pagination parameters
+ */
+const sanitizePagination = (page, itemsPerPage, order) => ({
+    page: Math.max(1, parseInt(page) || 1),
+    itemsPerPage: Math.min(100, Math.max(1, parseInt(itemsPerPage) || 10)),
+    order: ['ASC', 'DESC'].includes(order?.toUpperCase()) ? order.toUpperCase() : 'DESC'
+});
 
 /**
  * Get paginated list of OP withdrawals for a workspace
@@ -15,7 +24,7 @@ router.get('/', workspaceAuthMiddleware, async (req, res, next) => {
     const data = { ...req.query, ...req.params };
 
     try {
-        const { page, itemsPerPage, order } = data;
+        const { page, itemsPerPage, order } = sanitizePagination(data.page, data.itemsPerPage, data.order);
         const { rows: items, count: total } = await db.getWorkspaceOpWithdrawals(data.workspace.id, page, itemsPerPage, order);
 
         res.status(200).json({ items, total });
@@ -35,6 +44,10 @@ router.get('/:hash', workspaceAuthMiddleware, async (req, res, next) => {
     try {
         const withdrawal = await db.getOpWithdrawalByL2Hash(data.workspace.id, data.hash);
 
+        if (!withdrawal) {
+            return res.status(404).json({ error: 'Withdrawal not found' });
+        }
+
         res.status(200).json(withdrawal);
     } catch (error) {
         unmanagedError(error, req, next);
@@ -52,6 +65,10 @@ router.get('/:hash/proof', workspaceAuthMiddleware, async (req, res, next) => {
     try {
         const proof = await db.getOpWithdrawalProof(data.workspace.id, data.hash);
 
+        if (!proof) {
+            return res.status(404).json({ error: 'Withdrawal proof not found' });
+        }
+
         res.status(200).json(proof);
     } catch (error) {
         unmanagedError(error, req, next);

run/jobs/blockSync.js

@@ -1,5 +1,5 @@
 const { ProviderConnector } = require('../lib/rpc');
-const { Workspace, Explorer, StripeSubscription, RpcHealthCheck, IntegrityCheck, Block, OrbitChainConfig, OpChainConfig, OpBatch } = require('../models');
+const { Workspace, Explorer, StripeSubscription, RpcHealthCheck, IntegrityCheck, Block, OrbitChainConfig, OpChainConfig, OpBatch, sequelize } = require('../models');
 const db = require('../lib/firebase');
 const logger = require('../lib/logger');
 const { processRawRpcObject } = require('../lib/utils');
@@ -194,34 +194,38 @@ module.exports = async job => {
                     });
 
                     if (batchInfo) {
-                        // Get the next batch index
-                        const lastBatch = await OpBatch.findOne({
-                            where: { workspaceId: opConfig.workspaceId },
-                            order: [['batchIndex', 'DESC']]
-                        });
-                        const nextBatchIndex = lastBatch ? lastBatch.batchIndex + 1 : 0;
-
                         // Find the L1 transaction record if it exists
                         const l1Transaction = syncedBlock.transactions.find(t => t.hash === tx.hash);
 
-                        await OpBatch.create({
-                            workspaceId: opConfig.workspaceId,
-                            batchIndex: nextBatchIndex,
-                            l1BlockNumber: batchInfo.l1BlockNumber,
-                            l1TransactionHash: batchInfo.l1TransactionHash,
-                            l1TransactionId: l1Transaction ? l1Transaction.id : null,
-                            l1TransactionIndex: batchInfo.l1TransactionIndex,
-                            epochNumber: batchInfo.l1BlockNumber, // Epoch is typically the L1 block
-                            timestamp: tx.timestamp ? new Date(tx.timestamp * 1000) : new Date(),
-                            txCount: batchInfo.estimatedBlockCount || null,
-                            l2BlockStart: batchInfo.l2BlockStart,
-                            l2BlockEnd: batchInfo.l2BlockEnd,
-                            blobHash: batchInfo.blobHash,
-                            blobData: batchInfo.blobData,
-                            status: 'pending'
+                        // Use transaction with lock to prevent race condition on batch index
+                        await sequelize.transaction(async (t) => {
+                            const lastBatch = await OpBatch.findOne({
+                                where: { workspaceId: opConfig.workspaceId },
+                                order: [['batchIndex', 'DESC']],
+                                lock: t.LOCK.UPDATE,
+                                transaction: t
+                            });
+                            const nextBatchIndex = lastBatch ? lastBatch.batchIndex + 1 : 0;
+
+                            await OpBatch.create({
+                                workspaceId: opConfig.workspaceId,
+                                batchIndex: nextBatchIndex,
+                                l1BlockNumber: batchInfo.l1BlockNumber,
+                                l1TransactionHash: batchInfo.l1TransactionHash,
+                                l1TransactionId: l1Transaction ? l1Transaction.id : null,
+                                l1TransactionIndex: batchInfo.l1TransactionIndex,
+                                epochNumber: batchInfo.l1BlockNumber, // Epoch is typically the L1 block
+                                timestamp: tx.timestamp ? new Date(tx.timestamp * 1000) : new Date(),
+                                txCount: batchInfo.estimatedBlockCount || null,
+                                l2BlockStart: batchInfo.l2BlockStart,
+                                l2BlockEnd: batchInfo.l2BlockEnd,
+                                blobHash: batchInfo.blobHash,
+                                blobData: batchInfo.blobData,
+                                status: 'pending'
+                            }, { transaction: t });
+
+                            logger.info(`Created OP batch ${nextBatchIndex} for L2 workspace ${opConfig.workspaceId} from L1 tx ${tx.hash}`);
                         });
-
-                        logger.info(`Created OP batch ${nextBatchIndex} for L2 workspace ${opConfig.workspaceId} from L1 tx ${tx.hash}`);
                     }
                 } catch (error) {
                     logger.error(`Error processing OP batch for tx ${tx.hash}: ${error.message}`, { location: 'jobs.blockSync.opBatch', error });

run/lib/opBatches.js

@@ -19,6 +19,13 @@ const FRAME_HEADER_SIZE = 23;
 // Derivation version byte
 const DERIVATION_VERSION_0 = 0;
 
+// EIP-4844 Blob versioned hash constants
+// See: https://eips.ethereum.org/EIPS/eip-4844#helpers
+const VERSIONED_HASH_VERSION_KZG = 0x01;  // Version byte for KZG commitments
+const SHA256_HASH_LENGTH_HEX = 64;         // SHA-256 produces 32 bytes = 64 hex chars
+const VERSIONED_HASH_LENGTH_BYTES = 32;    // 1 version byte + 31 hash bytes
+const VERSIONED_HASH_HASH_BYTES = 31;      // Bytes of hash to include (31 of 32)
+
 /**
  * Check if a transaction is a batch submission to the BatchInbox
  * @param {Object} tx - Transaction object
@@ -139,10 +146,13 @@ const computeBlobVersionedHash = (kzgCommitment) => {
     const commitment = kzgCommitment.startsWith('0x') ? kzgCommitment : '0x' + kzgCommitment;
     // EIP-4844 uses SHA-256 for versioned hashes, not keccak256
     const hash = ethers.utils.sha256(commitment);
-    // Remove 0x prefix if present, then prepend version byte 0x01
+    // Remove 0x prefix if present
     const hashWithoutPrefix = hash.startsWith('0x') ? hash.slice(2) : hash;
-    // Version 0x01 for KZG commitments, result is 0x01 + 31 bytes of hash = 66 chars total
-    return '0x01' + hashWithoutPrefix.slice(0, 62);
+    // Versioned hash = version byte + first 31 bytes of SHA-256 hash
+    // Result: 0x + version (2 hex) + 31 bytes (62 hex) = 66 chars total
+    const versionHex = VERSIONED_HASH_VERSION_KZG.toString(16).padStart(2, '0');
+    const truncatedHash = hashWithoutPrefix.slice(0, VERSIONED_HASH_HASH_BYTES * 2);
+    return '0x' + versionHex + truncatedHash;
 };
 
 /**

run/tests/api/opBatches.test.js

@@ -62,7 +62,7 @@ describe('OpBatches API', () => {
                         total: 50
                     });
                     expect(db.getWorkspaceOpBatches).toHaveBeenCalledWith(
-                        1, '1', '10', 'DESC'
+                        1, 1, 10, 'DESC'
                     );
                     done();
                 })

src/components/OpBatches.vue

@@ -58,7 +58,7 @@
 
                     <template v-slot:item.l1TransactionHash="{ item }">
                         <span class="text-truncate" style="max-width: 120px; display: inline-block;">
-                            {{ item.l1TransactionHash.slice(0, 10) }}...{{ item.l1TransactionHash.slice(-6) }}
+                            {{ item.l1TransactionHash ? `${item.l1TransactionHash.slice(0, 10)}...${item.l1TransactionHash.slice(-6)}` : '-' }}
                         </span>
                     </template>
 

src/components/OpDeposits.vue

@@ -51,7 +51,7 @@
 
                     <template v-slot:item.l1TransactionHash="{ item }">
                         <span class="text-truncate" style="max-width: 120px; display: inline-block;">
-                            {{ item.l1TransactionHash.slice(0, 10) }}...{{ item.l1TransactionHash.slice(-6) }}
+                            {{ item.l1TransactionHash ? `${item.l1TransactionHash.slice(0, 10)}...${item.l1TransactionHash.slice(-6)}` : '-' }}
                         </span>
                     </template>
 

src/components/OpOutputDetail.vue

@@ -42,7 +42,7 @@
                                 <tr>
                                     <td class="font-weight-medium">L1 Transaction</td>
                                     <td style="font-family: monospace;">
-                                        {{ output.l1TransactionHash.slice(0, 20) }}...{{ output.l1TransactionHash.slice(-16) }}
+                                        {{ output.l1TransactionHash ? `${output.l1TransactionHash.slice(0, 20)}...${output.l1TransactionHash.slice(-16)}` : '-' }}
                                     </td>
                                 </tr>
                                 <tr>