Skip to content

fix(exchange): verify Trading212 credentials against an authenticated endpoint#1179

Merged
bennycode merged 2 commits into
mainfrom
fix/trading212-credential-check
Jul 7, 2026
Merged

fix(exchange): verify Trading212 credentials against an authenticated endpoint#1179
bennycode merged 2 commits into
mainfrom
fix/trading212-credential-check

Conversation

@bennycode

Copy link
Copy Markdown
Owner

Summary

getAuthenticatedBrokerClient claimed to prove credentials by calling broker.getTime(). That works for Alpaca (/v2/clock is authenticated), but Trading212Broker.getTime() returns the local clock without any network call (Trading212 has no server-time endpoint) — so Trading212 credentials were never actually validated and bad keys only surfaced at first real use.

  • Broker: new verifyCredentials(): Promise<void> with a default implementation that probes via getTime(); documented that subclasses whose getTime() never leaves the process MUST override. Public API is additive — no removals.
  • Trading212Broker: overrides verifyCredentials() to hit GET /api/v0/equity/account/cash — the cheapest authenticated Trading212 endpoint (1 req / 2s rate limit, vs. 30s for account info per getRetryDelay). A 401 is not retried by axios-retry (isRetryableError excludes 4xx), so bad keys reject immediately with a SimplifiedHttpError.
  • getAuthenticatedBrokerClient: calls verifyCredentials() instead of getTime(); error semantics for callers are unchanged (auth failures still reject with the underlying SimplifiedHttpError).
  • AlpacaBroker: unchanged — its getTime() already performs an authenticated /v2/clock request, so the default probe is correct.

Test plan

  • New Trading212Broker.test.ts: verifyCredentials resolves on a mocked account-cash response and rejects with a SimplifiedHttpError (status 401) when the API denies the credentials.
  • New getAuthenticatedBrokerClient.test.ts: returns the client after successful verification and propagates verification failures (mocked getBrokerClient factory).
  • packages/exchange: npm test — 10 files, 89 tests passed; npm run lint — 0 errors (6 pre-existing unused-directive warnings).
  • packages/messaging (consumes this via getAccountBrokerClient): built dependencies, npm test — 6 files, 84 tests passed, no fallout.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes credential verification for Trading212Broker by introducing a dedicated verifyCredentials() hook on the base Broker and updating authentication flow to use it, ensuring Trading212 keys are validated via an authenticated endpoint rather than a local-time stub.

Changes:

  • Added Broker.verifyCredentials(): Promise<void> with a default implementation that probes via getTime() and documentation requiring overrides when getTime() is not network-authenticated.
  • Implemented Trading212Broker.verifyCredentials() using GET /api/v0/equity/account/cash to perform a low-cost authenticated probe.
  • Updated getAuthenticatedBrokerClient to call verifyCredentials() and added tests covering both success and failure propagation.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
packages/exchange/src/broker/Broker.ts Adds the new verifyCredentials() API with a default probe and guidance for subclasses.
packages/exchange/src/broker/trading212/Trading212Broker.ts Overrides verifyCredentials() to validate Trading212 credentials via an authenticated endpoint.
packages/exchange/src/broker/getAuthenticatedBrokerClient.ts Switches the authentication probe from getTime() to verifyCredentials().
packages/exchange/src/broker/trading212/Trading212Broker.test.ts Adds unit tests verifying Trading212 credential verification success/failure behavior.
packages/exchange/src/broker/getAuthenticatedBrokerClient.test.ts Adds unit tests ensuring verification is invoked and failures are propagated.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@bennycode bennycode merged commit fb7382b into main Jul 7, 2026
6 checks passed
@bennycode bennycode deleted the fix/trading212-credential-check branch July 7, 2026 10:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants