test(e2e): mock NFT API to remove from allowlist (MMQA-1781)

[chrisleewilcox]

Description

Tier 3 of MMQA-1364 (allowlist reduction), scoped to the nft.api.cx.metamask.io endpoints. Closes out Tier 3 (signature-insights done in MMQA-1779).

Matcher	Method	Response
^https://nft\.api\.cx\.metamask\.io/users/0x[0-9a-fA-F]+/tokens\?.*$	GET	{ tokens: [], continuation: null }
^https://nft\.api\.cx\.metamask\.io/collections\?.*$	GET	{ collections: [] }
^https://nft\.api\.cx\.metamask\.io/explore/sites\?.*$	GET	{ dapps: [] }

Why these response shapes.

• /users/.../tokens shape verified from @metamask/assets-controllers NftDetectionController._getOwnerNfts (consumer calls .tokens.filter(...)).
• /explore/sites shape verified from app/components/UI/Sites/hooks/useSiteData/useSitesData.ts:146 (data.dapps.map(...) then mergePortfolioSite() falls back to a hard-coded Portfolio entry on empty input).
• /collections shape is a guess — the caller can't be located in the current SDK (path was likely refactored away from the singular /collections?contract= form to the /tokens POST batch endpoint in NftController._getNftInformationFromApi). The matcher is harmless insurance: either it never fires, or it fires and returns empty. No active spec asserts on collection content.

Why regex, not exact URLs. Same rationale as Tier 2 / Tier 3 Part 1: the previous allowlist enumerated specific contract addresses and a specific user account. Any new NFT in fixtures, any new chainId, or any new test account would re-introduce live requests. Regex covers the entire category.

Why dev-api / uat-api hosts can drop without mocking. Neither is referenced anywhere in app/ or node_modules/@metamask/*. The SDK hardcodes nft.api.cx.metamask.io (prod) only via controller-utils/constants.cjs:193. The dev/uat entries were added defensively in PR #26141 alongside portfolio.dev-api/portfolio.uat-api patterns and are dead.

Spec audit.

• tests/regression/assets/nft-detection-modal.spec.ts — describe.skip (not active).
• tests/smoke/snaps/test-snap-get-preferences.spec.ts — only sets useNftDetection: true as a flag; doesn't assert on detected NFT content.
• No active spec positively asserts on NFTs being present, collection content, or /explore/sites content. Empty defaults are safe.

Files changed

• tests/api-mocking/mock-responses/defaults/nft-api.ts — new
• tests/api-mocking/mock-responses/defaults/index.ts — import + spread into DEFAULT_MOCKS.GET
• tests/api-mocking/mock-e2e-allowlist.ts — removed 3 hosts + 3 URLs

Out of scope

• Polymarket hosts (3) — separate Tier 1 follow-up
• Tier 4 entries (api.avax.network, mainnet.era.zksync.io, rpc.atlantischain.network, testnet-rpc.monad.xyz)
• metamask.github.io — handled by MMQA-1367

Changelog

CHANGELOG entry: null

Related issues

MMQA-1781 — parent epic MMQA-1364

Manual testing steps

Feature: NFT API default mocks for E2E tests

  Scenario: NFT detection sweep is mocked
    Given the E2E mock server is running with default mocks loaded
    When NftDetectionController fires GET /users/<address>/tokens for the connected account
    Then mockttp returns { tokens: [], continuation: null }
    And no NFTs are added to wallet state
    And validateLiveRequests() does not record a live request to nft.api

  Scenario: NFT collection lookup is mocked
    Given a fixture transaction history references an unknown NFT contract
    When the wallet looks up collection metadata via GET /collections?…
    Then mockttp returns { collections: [] }
    And the wallet falls back to its default rendering

  Scenario: Sites tab is mocked
    Given the user opens the Sites tab
    When useSitesData fetches GET /explore/sites?…
    Then mockttp returns { dapps: [] }
    And the Portfolio entry is shown via the hard-coded fallback

Screenshots/Recordings

Before

mock-e2e-allowlist.ts allowlisted the entire nft.api.cx.metamask.io host plus 3 specific URLs. Every E2E run that exercised the connected account, NFT-bearing tx history, or the Sites tab fired live requests to the production NFT API. The host wildcard silenced validateLiveRequests(), so the leaks were invisible to the test runner. The dev/uat host entries were there defensively but never hit.

After

mockttp intercepts the three known endpoints with empty default responses that match each consumer's shape expectations. The 3 hosts and 3 URLs are gone from the allowlist; validateLiveRequests() records zero leaks for nft.api.cx.metamask.io. New chainIds, new fixture NFT contracts, and new test accounts all stay covered automatically because the matchers are regex-based.

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Low risk; changes are confined to E2E test mocking/allowlisting, with the main risk being unexpected NFT API call patterns causing new test failures if they aren’t matched by the regex mocks.

Overview
E2E tests no longer rely on live nft.api.cx.metamask.io traffic: the PR removes NFT hosts/URLs from mock-e2e-allowlist.ts and adds default regex-based mocks for the NFT API.

DEFAULT_MOCKS now includes NFT_API_MOCKS, returning empty-shaped responses for GET /users/:address/tokens, GET /collections, and GET /explore/sites, reducing allowlisted leakage while keeping tests stable.

^{Reviewed by Cursor Bugbot for commit 95f6a27. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.81%. Comparing base (51b6bbd) to head (cf2524b).
⚠️ Report is 33 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #29620      +/-   ##
==========================================
- Coverage   82.15%   81.81%   -0.34%     
==========================================
  Files        5178     5226      +48     
  Lines      137450   138584    +1134     
  Branches    31079    31456     +377     
==========================================
+ Hits       112924   113388     +464     
- Misses      16875    17466     +591     
- Partials     7651     7730      +79     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeWalletPlatform, SmokeConfirmations
• Selected Performance tags: None (no tests recommended)
• Risk Level: medium
• AI Confidence: 78%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes are purely in the E2E test infrastructure (mock server configuration):

1. mock-e2e-allowlist.ts: Removed NFT API hosts/URLs from the allowlist. Previously, NFT API calls would be forwarded to live servers; now they must be mocked.

2. nft-api.ts (new file): Provides default mock responses for NFT API endpoints using regex patterns:

   • /users/{address}/tokens → returns { tokens: [], continuation: null }
   • /collections → returns { collections: [] }
   • /explore/sites → returns { dapps: [] }

3. defaults/index.ts: Integrates NFT_API_MOCKS into DEFAULT_MOCKS, which is used by FixtureHelper.ts as the base mock configuration for ALL E2E tests.

Impact Assessment:

• The explore/sites endpoint is used by useSitesData.ts in the Sites/Trending feature, which is part of SmokeWalletPlatform (Trending tab with Sites section)
• NFT collections/tokens endpoints are used by the wallet's NFT display features
• The change makes tests more deterministic by replacing live API calls with controlled mocks
• Tests that previously relied on live NFT API data will now receive empty arrays, which could affect tests that assert on NFT content
• SmokeConfirmations is included as confirmations tests often involve wallet state that may trigger NFT detection calls

The primary risk is that tests relying on NFT API responses (even implicitly) may behave differently with empty mock responses. SmokeWalletPlatform is the most directly affected tag due to the Trending/Sites integration. Running these tags validates that the new default mocks don't break existing test flows.

Performance Test Selection:
These changes are purely in the E2E test infrastructure (mock server configuration). They do not affect any app source code, UI components, state management, or runtime behavior. No performance impact is expected.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud