Skip to content

Secure Wallet Endpoints with JWT Authentication [wallet - service]Β #136

Open
#156
Open
Secure Wallet Endpoints with JWT Authentication [wallet - service]#136
#156
Assignees
davedumto
Labels
onlydust-waveContribute to awesome OSS repos during OnlyDust's open source week
@salazarsebas

Description

@salazarsebas
salazarsebas
opened on Sep 4, 2025

πŸ”‘ Secure Wallet Endpoints with JWT Authentication πŸ› οΈ

πŸ“ Description

Secure wallet-related API endpoints in the Stellar wallet service by applying JWT authentication middleware. This will ensure that only users with valid JWTs, issued after successful WebAuthn authentication, can access sensitive wallet operations such as account creation and management. The implementation will protect the /wallet/* endpoints to enhance the security of the service.

🎯 Objective

Apply the JWT middleware from src/auth/jwt.js to secure the /wallet/* endpoints in services/stellar-wallet/src/routes/wallet.js, with a unit test to verify access control.

πŸ—‚ Structure

  • Directory: services/stellar-wallet
  • Files:
    • src/routes/wallet.js (updated)
    • tests/routes/wallet.test.js (updated)
  • Expected structure: 
    services/stellar-wallet
β”œβ”€β”€ src
β”‚   β”œβ”€β”€ index.js
β”‚   β”œβ”€β”€ stellar
β”‚   β”‚   β”œβ”€β”€ client.js
β”‚   β”‚   β”œβ”€β”€ keys.js
β”‚   β”‚   └── fund.js
β”‚   β”œβ”€β”€ db
β”‚   β”‚   └── kyc.js
β”‚   β”œβ”€β”€ routes
β”‚   β”‚   β”œβ”€β”€ kyc.js
β”‚   β”‚   β”œβ”€β”€ kyc-verify.js
β”‚   β”‚   β”œβ”€β”€ kyc-status.js
β”‚   β”‚   β”œβ”€β”€ auth-register.js
β”‚   β”‚   β”œβ”€β”€ auth-verify.js
β”‚   β”‚   β”œβ”€β”€ auth-login.js
β”‚   β”‚   └── wallet.js
β”‚   β”œβ”€β”€ kyc
β”‚   β”‚   └── validate.js
β”‚   β”œβ”€β”€ soroban
β”‚   β”‚   β”œβ”€β”€ client.js
β”‚   β”‚   β”œβ”€β”€ kyc-contract.rs
β”‚   β”‚   └── deploy.js
β”‚   └── auth
β”‚       β”œβ”€β”€ webauthn.js
β”‚       └── jwt.js
β”œβ”€β”€ config
β”‚   └── db.sqlite
β”œβ”€β”€ tests
β”‚   β”œβ”€β”€ stellar
β”‚   β”‚   β”œβ”€β”€ client.test.js
β”‚   β”‚   β”œβ”€β”€ keys.test.js
β”‚   β”‚   └── fund.test.js
β”‚   β”œβ”€β”€ db
β”‚   β”‚   └── kyc.test.js
β”‚   β”œβ”€β”€ routes
β”‚   β”‚   β”œβ”€β”€ kyc.test.js
β”‚   β”‚   β”œβ”€β”€ kyc-verify.test.js
β”‚   β”‚   β”œβ”€β”€ kyc-status.test.js
β”‚   β”‚   β”œβ”€β”€ auth-register.test.js
β”‚   β”‚   β”œβ”€β”€ auth-verify.test.js
β”‚   β”‚   β”œβ”€β”€ auth-login.test.js
β”‚   β”‚   └── wallet.test.js
β”‚   β”œβ”€β”€ kyc
β”‚   β”‚   └── validate.test.js
β”‚   β”œβ”€β”€ soroban
β”‚   β”‚   β”œβ”€β”€ client.test.js
β”‚   β”‚   └── deploy.test.js
β”‚   └── auth
β”‚       └── jwt.test.js
β”œβ”€β”€ package.json
β”œβ”€β”€ .env.example
β”œβ”€β”€ .eslintrc.json
β”œβ”€β”€ .eslintignore
β”œβ”€β”€ .prettierrc.json
β”œβ”€β”€ .prettierignore
β”œβ”€β”€ .gitignore

βœ… Requirements

  • Create a branch named feat/secure-wallet-endpoints for this task.
  • Update src/routes/wallet.js to apply the jwtMiddleware from src/auth/jwt.js (Issue 20) to the POST /wallet/create endpoint.
  • Ensure the middleware checks for a valid JWT in the Authorization: Bearer <token> header.
  • Return HTTP 401 with a JSON error message (e.g., { error: "Unauthorized" }) if the JWT is missing or invalid.
  • Return HTTP 403 with a JSON error message (e.g., { error: "Forbidden" }) if the user_id in the JWT does not match the user_id in the request body.
  • Update src/index.js to apply jwtMiddleware to all /wallet/* routes for consistency.
  • Update the unit test in tests/routes/wallet.test.js to verify:
    • Requests with a valid JWT and matching user_id succeed (HTTP 201 for POST /wallet/create).
    • Requests without a JWT return HTTP 401.
    • Requests with a valid JWT but mismatched user_id return HTTP 403.
  • Mock the JWT middleware and SQLite database in the unit test to avoid external dependencies.
  • Ensure the code adheres to ESLint and Prettier rules (from Issue 3).
  • Commit changes to the feat/secure-wallet-endpoints branch with a message like feat: secure wallet endpoints.
  • Verify that the CI pipeline (from Issue 1) passes, with linting and test jobs succeeding.

πŸ† Expected Outcomes

  • src/routes/wallet.js applies jwtMiddleware to the POST /wallet/create endpoint.
  • /wallet/* routes are protected by jwtMiddleware in src/index.js.
  • Valid JWTs with matching user_id allow access to the POST /wallet/create endpoint.
  • Missing or invalid JWTs return HTTP 401 with a JSON error message.
  • Mismatched user_id returns HTTP 403 with a JSON error message.
  • Updated unit test in tests/routes/wallet.test.js confirms access control behavior.
  • Code passes ESLint and Prettier checks.
  • Changes are committed to the feat/secure-wallet-endpoints branch with a descriptive lowercase commit message.
  • CI pipeline runs successfully, with linting passing for updated src/routes/wallet.js and tests/routes/wallet.test.js, and the unit test passing.

πŸ”— References

πŸ“‹ Notes

  • The jwtMiddleware should extract and validate the JWT from the Authorization: Bearer <token> header.
  • The user_id in the JWT payload must match the user_id in the request body to prevent unauthorized access.
  • Mocking the JWT middleware and SQLite database in tests ensures reliable CI execution.
  • Ensure error messages are consistent with other endpoints (e.g., JSON format { error: "message" }).
  • Commit messages must be in lowercase and start with feat, change, fix, chore, or refactor.
  • The CI pipeline should validate the updated code, ensuring ESLint passes and the unit test executes successfully.

Metadata

Metadata

Assignees

Labels

onlydust-waveContribute to awesome OSS repos during OnlyDust's open source week

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions