Merge pull request #101 from MeshJS/API

Author: QSchlegel

package-lock.json

@@ -61,6 +61,7 @@
     "geist": "^1.3.0",
     "idb-keyval": "^6.2.1",
     "jsonld": "^8.3.3",
+    "jsonwebtoken": "^9.0.2",
     "lucide-react": "^0.439.0",
     "next": "^14.2.4",
     "next-auth": "^4.24.7",
@@ -86,6 +87,7 @@
     "@types/eslint": "^8.56.10",
     "@types/formidable": "^3.4.5",
     "@types/jsonld": "^1.5.15",
+    "@types/jsonwebtoken": "^9.0.9",
     "@types/node": "^20.14.10",
     "@types/react": "^18.3.3",
     "@types/react-dom": "^18.3.0",

package.json

@@ -0,0 +1,12 @@
+-- CreateTable
+CREATE TABLE "Nonce" (
+    "id" TEXT NOT NULL,
+    "address" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "Nonce_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Nonce_address_key" ON "Nonce"("address");

prisma/migrations/20250606104833_add_nonce/migration.sql

@@ -72,3 +72,10 @@ model NewWallet {
   numRequiredSigners  Int?
   ownerAddress        String
 }
+
+model Nonce {
+  id        String   @id @default(cuid())
+  address   String   @unique
+  value     String
+  createdAt DateTime @default(now())
+}

prisma/schema.prisma

@@ -0,0 +1,13 @@
+import { verify } from "jsonwebtoken";
+
+export function verifyJwt(token: string): { address: string } | null {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) throw new Error("JWT_SECRET not set");
+
+  try {
+    const payload = verify(token, secret) as { address: string };
+    return payload;
+  } catch (err) {
+    return null;
+  }
+}

src/lib/verifyJwt.ts

@@ -1,17 +1,29 @@
 import type { NextApiRequest, NextApiResponse } from "next";
-import { getServerAuthSession } from "@/server/auth";
 import { db } from "@/server/db";
+import { verifyJwt } from "@/lib/verifyJwt";
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
   if (req.method !== "POST") {
     return res.status(405).json({ error: "Method Not Allowed" });
   }
 
-  const session = await getServerAuthSession({ req, res });
-  if (!session || !session.user) {
-    return res.status(401).json({ error: "Unauthorized." });
+  const authHeader = req.headers.authorization;
+  const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+  if (!token) {
+    return res.status(401).json({ error: "Unauthorized - Missing token" });
+  }
+
+  const payload = verifyJwt(token);
+  if (!payload) {
+    return res.status(401).json({ error: "Invalid or expired token" });
   }
 
+  const session = {
+    user: { id: payload.address },
+    expires: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+  };
+
 
 //JSON.stringify(txBuilder.meshTxBuilderBody),
 
@@ -26,6 +38,10 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
   if (!address ) {
     return res.status(400).json({ error: "Missing required field address!" });
   }
+  // Optionally check that the address matches the session user.id for security
+  if (session.user.id !== address) {
+    return res.status(403).json({ error: "Address mismatch" });
+  }
   if (!txCbor ) {
     return res.status(400).json({ error: "Missing required field txCbor!" });
   }