Skip to content

[Backend] Stellar signature auth to protect private API routes #15

Open
Open
[Backend] Stellar signature auth to protect private API routes#15
Labels
backendNode.js / Express / Supabase worksecuritySecurity-critical — needs careful review
@Gbangbolaoluwagbemiga

Description

@Gbangbolaoluwagbemiga
Gbangbolaoluwagbemiga
opened on May 17, 2026

Problem

Backend routes are publicly accessible — any caller can read/write messages for any Stellar address.

Solution

Stellar challenge-response authentication:

  1. `GET /auth/challenge?address=G...` — return signed nonce + expiry
  2. Client signs with Stellar wallet (Freighter / WalletsKit)
  3. `POST /auth/verify` — backend verifies signature, returns JWT
  4. Protected routes require `Authorization: Bearer `

Protected routes

  • `POST /messages` — only sender
  • `GET /inbox/:address` — only that address
  • `GET /notifications/:address` — only that address

Acceptance criteria

  • Unauthenticated requests → `401`
  • JWT expires after 1 hour
  • Frontend silently refreshes on expiry
  • Tests for challenge, verification, and expired JWT

Metadata

Metadata

Assignees

No one assigned

    Labels

    backendNode.js / Express / Supabase worksecuritySecurity-critical — needs careful review

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions