TapTrust Federal — Client Playground

banking·Hard
time to bug
00:00
median 06:30
online.taptrustfederal.test
live

TapTrust Federal — Online Banking

The client-facing view of a fictional online bank. Accounts, transaction history, and a real transfer flow with real state transitions. TapTrust Federal also has a Teller console (a separate playground login) — some defects only show up when you compare what the two views disclose for the same account.

Accounts

Loading accounts…

Transfer

Investigate the API

Hit the TapTrust Federal REST API directly — same requests the client portal above makes, plus anything else in its own catalog. Runs from your browser using your own session; nothing here can reach another app or reveal the answer key.

API Console

Same-origin only · uses your own session
Headers & body (optional)

Architecture & Observability

A real system you investigate with the real tools a working QE/SDET uses: the service topology behind the API above, plus a synthetic operational log/trace feed for the same services.

Architecture Map

TapTrust Federal — service map
Client Web UI
Account dashboard + transfer form
Teller Console
Admin approval + ledger views
API Gateway
Next.js /api/banking/** route layer
accounts-service
Accounts, transactions, transfers
approvals-service
Transfer approval queue + decisions
ledger-store
In-memory customer/account/transaction ledger

Call graph

  • Client Web UI--REST/JSON-->API Gateway
  • Teller Console--REST/JSON-->API Gateway
  • API Gateway--routes-->accounts-service
  • API Gateway--routes-->approvals-service
  • accounts-service--read/write-->ledger-store
  • approvals-service--read/write-->ledger-store

Logs & Traces

Synthetic operational feed · same-origin services

Recent log lines (17)

2026-07-02T14:02:01.114Z [info] api-gateway GET /api/banking/accounts 200 (18ms)
2026-07-02T14:02:01.132Z [info] accounts-service listAccountsForCustomer(cust-1001) -> 2 rows (6ms)
2026-07-02T14:02:04.870Z [info] api-gateway GET /api/banking/transactions?accountId=acct-1001 200 (24ms)
2026-07-02T14:02:04.881Z [info] accounts-service getTransactionsForAccount(acct-1001, page=1) -> 12 rows (9ms)
2026-07-02T14:02:09.220Z [info] api-gateway POST /api/banking/transfers 200 (41ms)
2026-07-02T14:02:09.231Z [info] accounts-service submitTransfer(fromAccountId=acct-1001) accepted (33ms)
2026-07-02T14:02:09.244Z [info] ledger-store write account acct-1001 balance (3ms)
2026-07-02T14:02:09.247Z [info] ledger-store append transaction row (2ms)
2026-07-02T14:02:15.605Z [warn] api-gateway POST /api/banking/transfers 200 (requiresApproval=true, queued) (47ms)
2026-07-02T14:02:15.618Z [info] approvals-service enqueue approval for transfer above review threshold (5ms)
2026-07-02T14:02:22.003Z [info] api-gateway GET /api/banking/admin/approvals 200 (15ms)
2026-07-02T14:02:22.012Z [info] approvals-service listApprovalQueue() -> 3 rows (4ms)
2026-07-02T14:02:29.441Z [info] api-gateway POST /api/banking/admin/approvals/appr-5001/decision 200 (22ms)
2026-07-02T14:02:29.451Z [info] approvals-service decideApproval(appr-5001, approved) (12ms)
2026-07-02T14:02:29.458Z [info] ledger-store update approval-queue row status (2ms)
2026-07-02T14:02:35.902Z [error] api-gateway GET /api/banking/admin/customers 403 (session playground mismatch) (3ms)
2026-07-02T14:02:41.117Z [info] api-gateway GET /api/banking/accounts/acct-1002 200 (11ms)

Sample trace — POST /api/banking/transfers (45ms)

api-gateway · route POST /api/banking/transfers45ms
accounts-service · submitTransfer()37ms
ledger-store · write account balance8ms
ledger-store · append transaction row5ms
approvals-service · enqueue approval (conditional)4ms

Known Intentional Issues (14)

TT-FE-01medium

Transfer amount input silently truncates sub-cent precision instead of rejecting it

On the Transfer form, enter 10.005 as the amount and submit. Expect a validation error. Actual: the transfer submits successfully for a rounded amount with no warning.

TT-FE-02high

Account balance shown on the client dashboard does not refresh after a successful transfer

Note the checking account balance, transfer $10 out, and check the balance shown on the dashboard immediately after the success toast. Actual: balance is unchanged; a manual reload shows the correct lower balance.

TT-FE-03high

Transfer submit button is not disabled while a request is in flight, allowing duplicate submissions

On the Transfer form, fill valid fields and double-click Submit quickly. Inspect the network tab. Actual: two POST requests fire instead of one.

TT-FE-04high

Teller-only internal note field is included in the client-facing account payload

Log in as the client demo user, open the Accounts view, inspect the Network tab response for GET /api/banking/accounts. Actual: each account object includes an internalNote field with teller-only text.

TT-BE-01high

Concurrent transfers from the same account can both pass the balance check and overdraw the account

Fire two concurrent POST /api/banking/transfers requests from acct-3001 (balance $450.12) for $300 each. Expect the second to fail with insufficient funds. Actual: both succeed, leaving the account balance negative.

TT-BE-02high

Idempotency-Key header on the transfer endpoint is accepted but not enforced

POST /api/banking/transfers twice with the same body and the same Idempotency-Key header. Expect one transfer to post. Actual: two separate transactions are created and the balance is debited twice.

TT-BE-03medium

Repeated small transfers accumulate floating-point drift in the stored account balance

Transfer $0.10 out of acct-2001 ten times in a row via the API and sum the expected debit ($1.00). Compare the account's final balanceCents to balanceCents_before - 100. Actual: off by 1 cent after repeated transfers due to float round-trip.

TT-BE-04high

The teller approval-queue endpoint does not verify the caller holds the teller/admin playground session

Log in as the client demo user (not the teller). Send POST /api/banking/admin/approvals/appr-5001/decision with {"decision":"approved"} directly. Expect 403. Actual: 200, and the transfer is approved.

TT-BE-05high

Transfer endpoint accepts a negative amount and credits the sender instead of rejecting the request

POST /api/banking/transfers with amountCents: -5000. Expect 400. Actual: 200, and both accounts' balances increase.

TT-BE-06high

Transfer endpoint allows outbound transfers from an account still in pending_review (KYC-pending) status

POST /api/banking/transfers from acct-4001 (status pending_review) for $10. Expect 403. Actual: 200, and the transfer succeeds.

TT-API-01high

GET /api/banking/accounts/:id returns account data for an account the session's customer does not own

As the client demo user (owns acct-1001/acct-1002), GET /api/banking/accounts/acct-2001 (owned by a different customer). Expect 403/404. Actual: 200 with acct-2001's real balance.

TT-API-02medium

Transaction history pagination skips a page of results

GET /api/banking/transactions?accountId=acct-1001&page=1&pageSize=2 then page=2&pageSize=2. Expect page 2 to start where page 1 left off. Actual: one transaction is skipped between pages.

TT-API-03medium

Transfer endpoint ignores the account's overdraft limit and blocks any transfer exceeding the raw balance

POST /api/banking/transfers from acct-2001 (balance $968.30, overdraft limit $100.00) for $1000.00. Expect success (within overdraft). Actual: 400 insufficient funds.

TT-API-04medium

Teller ledger view shows a stale balance for an account after the teller's own approval action changes it

As the teller, approve appr-5001 (a pending wire from acct-3001), then look up acct-3001 in the Customer Lookup panel. Expect the reduced balance. Actual: the balance shown is unchanged from before the approval.

focus mode hides the rails — just you and the broken app