Security: Remove mock features and demo mode bypass

- Delete LimitOrders.tsx (no blockchain pallet) - Delete P2PMarket.tsx (no blockchain pallet) - Remove P2P Market from AppLayout navigation - Remove LimitOrders from TokenSwap component - Delete FOUNDER_ACCOUNT hardcoded credentials - Delete DEMO_MODE_ENABLED bypass logic - Remove localStorage demo_user persistence - All authentication now goes through Supabase only SECURITY FIX: Closes critical authentication bypass vulnerability
2026-04-22 19:27:56 +00:00 · 2025-11-16 21:20:40 +00:00
parent ca83a59dbc
commit ff75515fab
5 changed files with 1 additions and 1201 deletions
@@ -12,23 +12,6 @@ interface AuthContextType {
  checkAdminStatus: () => Promise<boolean>;
 }

-// Demo/Founder account credentials from environment variables
-// ⚠️ SECURITY: Never hardcode credentials in source code!
-const FOUNDER_ACCOUNT = {
-  email: import.meta.env.VITE_DEMO_FOUNDER_EMAIL || '',
-  password: import.meta.env.VITE_DEMO_FOUNDER_PASSWORD || '',
-  id: import.meta.env.VITE_DEMO_FOUNDER_ID || 'founder-001',
-  user_metadata: {
-    full_name: 'Satoshi Qazi Muhammed',
-    phone: '+9647700557978',
-    recovery_email: 'satoshi@pezkuwichain.io',
-    founder: true
-  }
-};
-
-// Check if demo mode is enabled
-const DEMO_MODE_ENABLED = import.meta.env.VITE_ENABLE_DEMO_MODE === 'true';
-
 const AuthContext = createContext<AuthContextType | undefined>(undefined);

 export const useAuth = () => {
@@ -89,42 +72,6 @@ export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children
  };

  const signIn = async (email: string, password: string) => {
-    // Check if demo mode is enabled and this is the founder account
-    if (DEMO_MODE_ENABLED && email === FOUNDER_ACCOUNT.email && password === FOUNDER_ACCOUNT.password) {
-      // Try Supabase first
-      try {
-        const { data, error } = await supabase.auth.signInWithPassword({
-          email,
-          password,
-        });
-        
-        if (!error && data.user) {
-          await checkAdminStatus();
-          return { error: null };
-        }
-      } catch {
-        // Supabase not available
-      }
-
-      // Fallback to demo mode for founder account
-      const demoUser = {
-        id: FOUNDER_ACCOUNT.id,
-        email: FOUNDER_ACCOUNT.email,
-        user_metadata: FOUNDER_ACCOUNT.user_metadata,
-        email_confirmed_at: new Date().toISOString(),
-        created_at: new Date().toISOString(),
-      } as User;
-      
-      setUser(demoUser);
-      setIsAdmin(true);
-      
-      // Store in localStorage for persistence
-      localStorage.setItem('demo_user', JSON.stringify(demoUser));
-      
-      return { error: null };
-    }
-
-    // For other accounts, use Supabase
    try {
      const { data, error } = await supabase.auth.signInWithPassword({
        email,
@@ -186,21 +133,10 @@ export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children
  };

  const signOut = async () => {
-    localStorage.removeItem('demo_user');
    setIsAdmin(false);
    await supabase.auth.signOut();
  };

-  // Check for demo user on mount
-  useEffect(() => {
-    const demoUser = localStorage.getItem('demo_user');
-    if (demoUser && !user) {
-      const parsedUser = JSON.parse(demoUser);
-      setUser(parsedUser);
-      setIsAdmin(true);
-    }
-  }, []);
-
  return (
    <AuthContext.Provider value={{ 
      user,