Skip to content

Add comprehensive token management UI application#1269

Merged
Majorfi merged 31 commits into
mainfrom
feat/ui
Jul 9, 2026
Merged

Add comprehensive token management UI application#1269
Majorfi merged 31 commits into
mainfrom
feat/ui

Conversation

@Majorfi

@Majorfi Majorfi commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Introduces a complete Next.js-based UI application for token asset management with multi-chain support, authentication, token submission workflows, and SEO optimization. Includes 1366 token logos across 21 chains, design system components, and improved validation infrastructure.

What changed

Added complete UI application structure under _config/ui/ including: Next.js project with TypeScript configuration, design system with core UI components (buttons, drawers, inputs, select), token listing pages with grid/list views and search functionality, token submission flow with form validation and blockchain integration, authentication support via NextAuth with JWT-only storage, context providers for chain and settings management, API routes for token submission and OG image generation, utility functions for token handling and validation, metadata and SEO support, 1366 token logos organized across 21 chains, improved form accessibility, performance optimizations in hooks, and enhanced CI/CD validation for token and chain data integrity.

Risks

Large codebase addition requires comprehensive integration testing; token logo fallback handling across 21 chains needs validation; authentication system changes (JWT-only OAuth storage) may affect existing session management; token submission requires thorough blockchain interaction testing; form accessibility improvements need cross-browser verification; clipboard operations need reliability testing; performance with large token datasets not yet validated; potential security considerations with JWT token handling and OAuth integration.

Test plan

Verify token listing pages load correctly for all supported chains; test token search, filtering, and sorting functionality; validate token submission flow end-to-end with proper error handling; test authentication workflows including login, logout, and session persistence; verify token logos display correctly with proper fallbacks for missing assets; test form accessibility features across screen readers and keyboard navigation; validate clipboard copy operations; test responsive design across mobile, tablet, and desktop viewports; verify SEO metadata generation in page headers; test settings persistence through context providers; validate OG image generation for social sharing.

Docs impact

README updated with UI application documentation; API endpoint paths documented; requires additional documentation for authentication setup instructions, token submission flow walkthrough, environment configuration, UI component usage guide, and deployment procedures.

Breaking changes

OAuth token storage mechanism changed from mixed storage to JWT-only, which may affect existing token management and require migration of stored credentials; applications relying on previous OAuth token format will require updates.

Majorfi added 26 commits July 9, 2026 15:27
Set up Next.js project with TypeScript, Tailwind CSS, Biome linting, and configuration files including environment setup, build configuration, and CI/CD workflow.

Change-Type: chore
Scope: config
Implement reusable UI component library including button, input, drawer, select, and toast primitives with styling utilities and font provider.

Change-Type: feature
Scope: ui
Set up application page structure with root layout, home page, app layout with chain routing, and token submission page.

Change-Type: feature
Scope: pages
Implement token browsing features including token list, drawer, logo display, grid/list view modes, and on-chain token utilities.

Change-Type: feature
Scope: tokens
Implement token submission feature with form, preview display, result handling, and backend API route for processing submissions.

Change-Type: feature
Scope: submission
Set up NextAuth configuration and authentication utilities for user management and session handling.

Scope: auth
Change-Type: feature
Implement header navigation component with navbar, menu buttons, mobile drawer, and search functionality.

Change-Type: feature
Scope: navigation
Add command palette for global search, code snippet display, info field, transaction result display, and supporting hooks for search and intersection observation.

Change-Type: feature
Scope: components
Implement utility functions for clipboard operations, downloads, string helpers, SVG safety validation, search scoring, and type definitions.

Change-Type: feature
Scope: utils
Implement React context providers for chain selection and settings management with server-side support.

Change-Type: feature
Scope: contexts
Implement SEO and metadata features including manifest, robots.txt, sitemap generation, Open Graph image generation, and app icons.

Change-Type: feature
Scope: metadata
Include SVG icon set and placeholder images for UI components and app branding.

Change-Type: chore
Scope: assets
verify-tokens.mjs, verify-chains.mjs and the fork-PR workflow now fail if a
token or chain folder holds anything beyond the logo set (logo.svg,
logo-32.png, logo-128.png, logo-alt.*) plus info.json for tokens.

Removes 4 pre-existing stray files that violated this rule.
Adds base58 decoding and validation for Solana mint addresses. Ensures folder names decode to valid 32-byte pubkeys and rejects corrupted or case-mismatched addresses, since Solana addresses are case-sensitive.

Change-Type: feat
Scope: ci
Updates endpoint documentation to reflect removal of /api path segment. Endpoint is now /token/[chainID]/... instead of /api/token/[chainID]/...

Scope: docs
Change-Type: docs
Moves submit page out of (app) route group to flatten routing hierarchy and simplify URL structure.

Change-Type: refactor
Scope: ui
Adds .claude to gitignore for local development artifacts. Updates Next.js SWC binaries to macOS-compatible versions.

Change-Type: chore
Scope: config
Add validateInfoJson function to verify info.json files conform to schema: required fields name/symbol (non-empty strings) and decimals (non-negative integer), optional fields description/website (strings) and tags (string array), unknown fields rejected. Add fork-safe CI step that validates both Solana addresses and info.json metadata without executing PR code.

Scope: ci
Change-Type: feature
Store GitHub OAuth accessToken only in encrypted JWT (server-side) and never expose on browser session. /api/submit reads token from JWT with getToken() instead of session. Improve rate limiting with opportunistic per-IP bucket cleanup to prevent memory accumulation on long-lived instances. Add duplicate-address guard that rejects tokens already in CDN before opening PR. Update session check to use user object.

Change-Type: feature
Scope: api
Implement base58Decode and isValidSolanaAddress to properly validate 32-byte Solana addresses. Base58 validation closes injection paths via special characters that would corrupt file paths or markdown in PR bodies. Add 10-second timeout to RPC calls so hung public endpoints surface as errors instead of indefinitely blocking the submit flow.

Change-Type: feature
Scope: validation
Add htmlFor associations to Field labels for screen reader navigation. Validate SVG file type on file input change to reject non-SVG files before setting as logo, matching drag-and-drop and paste handlers. Replace 'hidden' class with 'sr-only' for proper accessibility semantics. Add early return guard in handleSubmit to prevent submission if token already exists.

Change-Type: fix
Scope: ui
Wrap handleViewChange with useCallback and memoize context value in WithSettings to prevent unnecessary provider re-renders. Fix useGlobalSearch to adopt cached index from other instances even when re-enabled, preventing stale loading state. Stabilize useIntersectionObserver ref with useCallback and read callback/options through refs to prevent re-observing on unrelated renders, which would trigger infinite-scroll fetchNextPage multiple times.

Scope: hooks
Change-Type: perf
Wrap navigator.clipboard.writeText in try-catch to surface errors as destructive toasts instead of silent unhandled rejections. Handles insecure contexts, denied permissions, and Safari edge cases where clipboard API is unavailable.

Change-Type: fix
Scope: utils
Update README to reflect new token detail routing, modal features, and asset additions.

Change-Type: docs
Scope: readme
@vercel

vercel Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
tokenassets Ready Ready Preview, Comment Jul 9, 2026 8:31pm

Request Review

Comment thread _config/ui/app/_hooks/useTokens.ts Fixed
Comment thread _config/ui/app/_utils/svgSafety.ts Fixed
Comment thread _config/ui/app/_utils/tokens.server.ts Fixed
Majorfi added 3 commits July 9, 2026 21:10
# Conflicts:
#	tokens/1/list.json
#	tokens/10/list.json
#	tokens/100/list.json
#	tokens/137/list.json
#	tokens/42161/list.json
#	tokens/56/list.json
#	tokens/8453/list.json
#	tokens/list.json
- Bound the data-URI regex quantifier to kill polynomial ReDoS (js/polynomial-redos),
  in both the UI mirror and the CI source of truth
- Allowlist chainID before filesystem path construction (js/path-injection)
- Resolve chainID through CHAINS and fetch with the canonical id (js/request-forgery)
- Scope the _config/ guard in verify-fork.yml to actual fork PRs, matching its
  sibling steps — it was failing same-repo PRs
Review + simplify pass over PR 1269 (10 lenses, adversarially verified findings):

Correctness
- Header search on a token detail page now targets the chain list instead of
  re-matching the drawer interceptor with the current token's own URL
- Manual name/symbol/decimals entry for chains without a public RPC — 23 of 38
  selectable chains previously dead-ended at a permanently disabled button
- Missing token or failed list fetch in the intercepted drawer shows an honest
  empty state instead of an infinite spinner; TokenList distinguishes network
  failure from an empty chain
- generateIndex bails out of addedAt dates on shallow clones instead of
  flagging the entire catalog as new and destroying market-cap ranking
- Search-index fetch failure no longer disables global search for the session
- Recent-tier ranking breaks addedAt ties by market cap so bulk imports don't
  bury recognizable tokens alphabetically for a month
- Addresses are trimmed once at the boundary (validation, RPC fetch, POST)
- GitHub 401/403 on PR creation maps to a re-authenticate message, not a 502
- fetchOnchainToken issues its three reads concurrently

Accessibility
- Accessible names for all icon-only buttons (menu, drawers, search clear)
- Form errors announced via role=alert; busy spinner gets an sr-only label
- Command palette implements the WAI-ARIA combobox pattern
- Drawer format selector uses aria-pressed instead of disabled, with
  contrast-passing colors; view toggle announces its effect
- No more nested interactive controls (buttons inside links)

Performance
- View toggle is instant client state + cookie write, dropping the
  per-click server action round-trip (cookie now persists for a year)
- framer-motion replaced by a CSS enter animation, removed from deps

CI hardening (verify-fork.yml)
- grep -z on SVG checks closes a newline-inside-attribute evasion
- Stray files above token/chain folder depth are now rejected
- SVG submissions capped at 150KB in validateSubmission, mirroring CI
…lesystem reads

CodeQL does not recognize a regex-test guard as a path-injection barrier; using
the canonical id from the static allowlist breaks the taint chain outright —
the same pattern that cleared the request-forgery alert in useTokens.
@Majorfi Majorfi merged commit 17679dc into main Jul 9, 2026
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants