Merge pull request #226 from Danielodingz/sig

feat: #151 Add Signature Verification for Wallet Login

Author: Baskarayelu

README.md

@@ -57,20 +57,25 @@ npm run build
 npm start
 ```
 
+### Authentication & Signature Verification
+
+RemitWise implements a nonce-based challenge-response authentication mechanism to verify genuine wallet ownership over the Stellar network.
+
+**Message Format and Verification Steps:**
+1. **Request Nonce:** The frontend calls `GET /api/auth/nonce?address=<STELLAR_PUBLIC_KEY>` to receive a securely generated random 32-byte hex string (nonce). This nonce is temporarily cached on the server.
+2. **Sign Nonce:** The client wallet (e.g., Freighter) is prompted to sign the raw nonce. The message to be signed is the byte representation of the hex nonce.
+3. **Submit Signature:** The client submits `{"address": "...", "signature": "..."}` to `POST /api/auth/login`. The signature should be base64-encoded.
+4. **Verification:** The backend converts the nonce to a Buffer and verifies the base64 signature against the supplied public address using `@stellar/stellar-sdk` (`Keypair.fromPublicKey(address).verify(nonceBuffer, signatureBuffer)`). Invalid signatures or missing/expired nonces will receive a `401 Unauthorized`.
+
 ### End-to-End Testing
 
 To run the Playwright end-to-end tests for authentication and protected routes:
 
 ```bash
-# Set required test environment variables
-export TEST_WALLET_ADDRESS="GDEMOXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
-export TEST_SIGNATURE="mock-signature"
-
 # Run tests
 npm run test:e2e
 ```
 
-
 ## Project Structure
 
 ```

app/api/auth/login/route.ts

@@ -1,21 +1,43 @@
 import { NextResponse } from 'next/server';
+import { Keypair } from '@stellar/stellar-sdk';
+import { getAndClearNonce } from '@/lib/auth-cache';
 
 export async function POST(request: Request) {
   try {
     const body = await request.json();
     const { address, signature } = body;
 
-    const testWallet = process.env.TEST_WALLET_ADDRESS || 'GDEMOXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
-    const testSignature = process.env.TEST_SIGNATURE || 'mock-signature';
+    if (!address || !signature) {
+      return NextResponse.json({ error: 'Address and signature are required' }, { status: 400 });
+    }
+
+
+
+    // Retrieve and clear nonce
+    const nonce = getAndClearNonce(address);
+    if (!nonce) {
+      return NextResponse.json({ error: 'Nonce expired or missing. Please request a new nonce.' }, { status: 401 });
+    }
+
+    // Verify signature
+    try {
+      const keypair = Keypair.fromPublicKey(address);
+      // Nonce is stored as hex String. Message to verify must match.
+      // Signature is assumed to be base64 from the client.
+      const isValid = keypair.verify(Buffer.from(nonce, 'hex'), Buffer.from(signature, 'base64'));
 
-    if (address === testWallet && signature === testSignature) {
-      const response = NextResponse.json({ success: true, token: 'mock-session-token' });
-      // Set a mock session cookie for subsequent protected requests
-      response.cookies.set('session', 'mock-session-cookie', { httpOnly: true, path: '/' });
-      return response;
+      if (!isValid) {
+        return NextResponse.json({ error: 'Invalid signature' }, { status: 401 });
+      }
+    } catch (verifError) {
+      return NextResponse.json({ error: 'Signature verification failed' }, { status: 401 });
     }
 
-    return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
+    const response = NextResponse.json({ success: true, token: 'mock-session-token' });
+    // Set a mock session cookie for subsequent protected requests
+    response.cookies.set('session', 'mock-session-cookie', { httpOnly: true, path: '/' });
+    return response;
+
   } catch (error) {
     return NextResponse.json({ error: 'Bad Request' }, { status: 400 });
 import { NextRequest } from 'next/server';
@@ -98,3 +120,4 @@ export async function POST(request: NextRequest) {
     );
   }
 }
+

app/api/auth/nonce/route.ts

@@ -0,0 +1,24 @@
+import { NextResponse } from 'next/server';
+import crypto from 'crypto';
+import { setNonce } from '@/lib/auth-cache';
+
+export async function GET(request: Request) {
+    try {
+        const { searchParams } = new URL(request.url);
+        const address = searchParams.get('address');
+
+        if (!address) {
+            return NextResponse.json({ error: 'Address is required' }, { status: 400 });
+        }
+
+        // Generate a secure random 32-byte nonce and convert to hex
+        const nonce = crypto.randomBytes(32).toString('hex');
+
+        // Store in our temporary cache
+        setNonce(address, nonce);
+
+        return NextResponse.json({ nonce });
+    } catch (error) {
+        return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 });
+    }
+}

lib/auth-cache.ts

@@ -0,0 +1,24 @@
+export const nonceCache = new Map<string, { nonce: string; expiresAt: number }>();
+
+export const NONCE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+export function setNonce(address: string, nonce: string) {
+    nonceCache.set(address, {
+        nonce,
+        expiresAt: Date.now() + NONCE_TTL_MS,
+    });
+}
+
+export function getAndClearNonce(address: string): string | null {
+    const data = nonceCache.get(address);
+    if (!data) return null;
+
+    // Always delete the nonce after retrieving it to prevent replay attacks
+    nonceCache.delete(address);
+
+    if (Date.now() > data.expiresAt) {
+        return null; // Expired
+    }
+
+    return data.nonce;
+}

playwright-report/index.html

@@ -82,4 +82,4 @@
     <div id='root'></div>
   </body>
 </html>
-<script id="playwrightReportBase64" type="application/zip">data:application/zip;base64,UEsDBBQAAAgIAC2HWFxIg2bfCgMAAPsWAAAZAAAAZDc0OGFjNDAwZDA4Yjg1OTM1ZWYuanNvbu2Y0W7bNhSGX4U4N7uRbdmWLFvoTVa0WIFgyEWGAWuCgqaOLNYUKZBHkIMg77ACCwYM6MvlSQbKdlK7Wee1KdoZEg5gWRQ//oc6+gnqGnKp8FUGKWRJNOUiCsMsnM6n8WwcYw5B2/4zLxFS4DUVfVeh6JODAAgdOUhfX7dn/8joTRIxDnEeD8fxKImSWT7M0XeXpDzVFaZWGVNmITVrJBXM41jDlUJiXGeMC4HOscoaQkGYsZOzVxBAZc1bFLQRJwprSlmXEIAygpM0GtLrVv7H0pXUCGkUgDCqLjWks5sAstpuukUBcK0NtX99ipcBEF9szkxNwrRj1hpXVSvJy+FUQPoaTmoqUJNca2gTOLtX/lKZBi4DsOhqtZm9nXEdcUvnssWPwtGkF456o+h8GKdxko7i/jQJfwPfn+wVpKHvgNXmKWwm9EfMjUX2kzFLn+u/ExNPfFAxHE2Sx7gv5Ypqi+wC5tY0Du0FHIKfTffx0eQx/CmvtSjYhn0AeRZG++Tx7IF8GQAn4qIoUdPmAlprLKTwwv+m27HOryrsq3b4lL1YoaiJzxWyzKDTPxDDlXTEOLHBLw6tG5RczI1ZVtYMTuXccns1eM5FgW5Qul6l+FVj5aKgwbYk3xTIM4XOvXEFKtUbjsLpuhF726beuqnkoreaRI+3Xui72z/ubn8/3vjTp/iOnfrSZUoukZ3dTyc797Zg7IeXGu7Y29oRk9qRN4zM31BXGSfM+uzu9t0aeKaQO2S21owKZLlRyjRSL5gwZenfUDIsM41WhmdMY7OtDJeyneMe+FTHDlBXK/ZQPtucvgD4pAqfjXcfBi+/CPjXt661rxrvwa8ttSZIhwG4pawqzCDNuXJ40znT/y86Z+qc6Siic6Yji86ZOmc6ivikMwUPG8WTnNAeuL1N+sMo3tslhp/eIx4i4Vdjl2jZc4Vc19UhKuI9FeOn2mF79mSX/bkJ/teb25VhnUGJzvEFdsvEdxvdMtEtE0cR78F7jyNOtYMUci5V+/31oy+2e17me5nlvX3d/A1QSwMEFAAACAgALYdYXCYl3yl5AQAA4gIAAAsAAAByZXBvcnQuanNvbq1RTW+cMBD9K2jO7gpYNoBvuVTKpcqhUg7RHiZmCO4aG9ljbSPEf48MZLtS1Vtv8zTj9+UZRmLskBHkDKg4onlx/kI+gCwWAYHR8089Esiirou2ah7KtqxbAV30yNpZkEVTFNWhKUsBvTYUQL7O6/TUgYSurhpUVZ53efPWnNrjiXrYLn9g4gWMPBzCROrAAQQwBd440vRPjm8PtTrm9HYqjqeyruq2L3pKzzWbxBoGF02XGfeubXbVPGSJLruiMcQZ2i5DpSiEbPKOSTF12ePzEwiYvPtFindzavBu1HEEAcapPfEW72/rRlsCWQlQzsTRgmyX+6IqAWit4xWmiGcBjO/75CIrt2pGS7+n1VKygzyAfIXHyANZ1puHNcDzzfl3466QOC4gezSBBHgK0exFIjOqYSS74vNyXs7r1yY4AztGA7IQcJOVubh3kXa9wcvHuggXPU370U1wSZR31SWhP+X9fzkB5L3zX91Ne6XzImBENWhLW9RPUEsBAj8DFAAACAgALYdYXEiDZt8KAwAA+xYAABkAAAAAAAAAAAAAALSBAAAAAGQ3NDhhYzQwMGQwOGI4NTkzNWVmLmpzb25QSwECPwMUAAAICAAth1hcJiXfKXkBAADiAgAACwAAAAAAAAAAAAAAtIFBAwAAcmVwb3J0Lmpzb25QSwUGAAAAAAIAAgCAAAAA4wQAAAAA</script>
+<script id="playwrightReportBase64" type="application/zip">data:application/zip;base64,UEsDBBQAAAgIAIucWFyUj8a3jwcAAAA8AAAZAAAAZDc0OGFjNDAwZDA4Yjg1OTM1ZWYuanNvbu1bf1PbuBb9KhrNm2k7kxpbsvwjb3beQCltlxLYEgql8GaFrRBvbStry6U7LN99x8aQWLFjOzEEZuu/nDi+kq7OvTq6R7mGI89nH1zYh66pW9TRVdVVrQuL2JiwEexlzwc0YLAPaSLGSjxhjiJi2IOCxSKG/a/X2V2ljdeuY7ILmxL3AmHH1JGlWm76uif81Go85onvAp9feiG48sQYUPCd+p4LYu8ypCKJGKChC6jjsDgGk4gL5gjmgs2DD7AHJxH/gzki76IzjnjgJQHsQZ87VHg8hP3rbBDzA/C9kME+6UGH+0kQwr5904NuEuWvaRpCuAdpGHKRfZUO9rwHBb3M73giHJ61y35Msk6lHaJiDPtf4WYixiwU3m0vsiEc3Pd9x+dX8LwHIxYnfu7FuZZjQSMx9LIGkIqM1yp6jfShZvWx0ddURUPaKUxtiOgv2FfTF9gkn5HcuVtsxCMG3nP+LR1xrUVMUovTniBNtcvs7ng/sok5gxcRv4pZdAabmCdG0byGDa3M/EeahM4Y5LabWDaQbJmQqeXzHqRCUGccsFDkXzg8CQXsp+1/8yYT5sL+iPoxu2n1416ZTxweCvZDNPCJphCkF3tukzKPvIkYFQzklhvZtYp2rfX5Y0IvWSNnGLeInnbauI2DCm+kdptYxapkVdMfwxfLOm5Av3uX6fgEB2dwo4HnkIKIXRyjqWNt8SCbJkhzmiCRelM9hB6Mw/SzgH0IzhJV1S6+2moAgAH+zj9iOwB31/QXGxtAVcBO4o883wdinEKGT1gI7nMLiNifiRextPdTU2dhoRlzUTPYCOgV9WbeztBz9xEHyvTJJRf85d1HFLzYeDF99mr6xn8rewIKPbm71YL8Tpv2bnr9P3+IUDBj9/ZOlRuwZhuAs9h593aYYoZOvI10MjdCHjrsf9R1IxbHv7zb+vB5cHy8e3r0efjly8Fvx4cnAwPjvbeDreFweIJPhp/39rcHg/2Tjyf4N/Jp7+gN2j053G0AQVsxbCmTEaMbAKbReodAsgwCNVyPQKSAHSacMcg8BkYRDzIohuwKsNCdcK8aeppeAz2Hh/Es9LI2PrF4wsOYgSmkfimBTQvgplHCpg0Vnk3NXbIZYzM4/70KNf+5zu9ufn+EQFh8tQkTjZROyy1Xe1mYg1KXxYKKJH756lXpU8G32L33SIBUtc45hUB9m/UCnMHUTqP4MolEztSOwmuGAetLhddP+JenhSeGvwcKzlYhuZALlEDlOs/HN61hUu/fP2Ievmwbqtts5IXMbRixEgfviJFps5QMLxOxz2QaJPCUM7zZeKoOlXzeGjW0bGi0ioRqDnewf1gkcVltpBniDGmrg0yzI9ChVVkYasDCdAUcsGjEowBQRyTUz+tCSeyFlxkfuy8KVU0earsaZS087mo04bEo7DCKU/1iDj0YB73ZcHxSPAuVr3Pp5VJBp0Pozw5hFTaEkEKwXPHpBuYYrciGsFYP8804ZpEAcZLVNEdJDvMqSGO0KPEV8PtvIRJ4YTKpivJtKmjrCK/37xJE4j39zg4iPmGR+KsR3g0LS5m9I7zPpHVkLoP3ZzITEn7KV4nZkEq7WBUxs9M3m8jziK5N4NMxiiiZWcoeOt5ahdjC7cvSLhL8GwtrK2odxo3xILtmTFaNm+eLwLUiY03BML9jummA3M2RYFEz+S3DqilpNqXqR1thJbVsa63Y0gPpXVlP5CqxWarw+DxuLHchpJiqZFY3n5zEc96DLIp4lP/ulpXBPpzQOM6k4zmpWbKdWuDfYD+N2GwmFuruhulqF66GmG65SCcatm19XnePWCqfF+T3EHihpMB3IbRjq1JpV9VUK1iH0n7bcp28jIyulXZkynQOY7Q42Nso7ViV6wAaNsrMt1basTp3RABZz0BpR4quSz7RyjNPO6U9tStNpVZDzdevtCNFJ9JSo+nWAm80UtqRohuyK/RlF5pHcVyNWvrm43C4faofb++9O9zdMfZPt4e7R8bBEXq/NyCDd+bmr2+Hp1/I8f7mye7h0ZdPW7+ST7ufcaMJMDTJVYaBa5aspolWRytW6vRCCaNIhPTyWkT1du9fIvasuQant92FPwVhZYVCNyIS38Ma6Sh8iLpq+NjV4UPUn9Xpx40MUl6PBYur0yBPA+UjnBMhim/n9Pnw/vzqzYrFbl2zHqSIQVaV/slCsaVQ7B5Rz18g25D6mkJ3NW5d1daU3Vsh9zFqDromHRy0ag78Nq456Eg+7buumoOOJLJrdFJz0Im0odCf3rHSR6450AvHHBFLtQ1qGzZDF1Q3GtYc2I+JFzEX8AgEXpzpvRnT6OSMf2XpAVnqWgoPWbv1GqfVZdkhqzDKtMks3fYtF2cWQvJB69V32KldLBf31ldxaJz+LFmw08zSzNpih51ZJbLVmlO2691hL0vxEVZUQ5p1VPMPhqbZwDBXJPiGUU3wjbpj6D8Jfsc0ybAekOCvSN2xotrqg1B3c9VzKmbzcyo5dQdukv0npbA8V8WB+ZhnVp4HnzfnazRd8/kUb7LSV7PAN1zQSizXIPmh+HzZGEulk3Z8PjUr/xXvya2s3dL585t/AFBLAwQUAAAICACLnFhcYz9AVtkBAACZBQAACwAAAHJlcG9ydC5qc29u1ZQ7b9swEMe/CnEza+j92rIUyFJkKNAh8HAmzxZrihTIU5PC0HcvJDtN2sBoBw/tdkeQ/8dv4AkGYtTICN0JUPGE9osPRwoRumyWEBkDfzYDQZfWddqWTVq2VZtL0FNANt5Bl+VVlW6yQsLeWIrQPZ7W6V5DB7ouGlRFkuik2TVlm5e0h/PNT7jIAk7cb+JIasMRJDBFPmss01WND1rVtGux1LssV3WRNUmjl+eG7aIaez9ZLaw/GCeeDPcCxTe0RotoDg55CiTQaYFKUYxiDJ5JMWlx93APEsbgv5LiS0TVBz+YaQAJ1qtL7XPJ9wWscQRdKUF5Ow0OunZ+SytNsyyXgM55Xo+WslsJjIfL5CdWfvWl53ENtQRC7qF7hLuJe3JszinWCg8/s3+0/gkWhSN0HCaSEChO9sITmVH1A7l1387bWf4JclXrdKfTjIpGZ0WZ5m1bvIccaGH1C2snjPsN9y2o5s1VrElSVv8LVtypel82SVthW7WU7bCo/hIrPY8mkBY+iMHEaNxBOO/UTeiWV+lmTfKPsN2uf9KynoA9o4Uul6+uyzK51zWRsLd4/L5O8WjG8XL64jcvim/ILT6v7G7uJoFC8OEF23iheZolDKh64+hc9AdQSwECPwMUAAAICACLnFhclI/Gt48HAAAAPAAAGQAAAAAAAAAAAAAAtIEAAAAAZDc0OGFjNDAwZDA4Yjg1OTM1ZWYuanNvblBLAQI/AxQAAAgIAIucWFxjP0BW2QEAAJkFAAALAAAAAAAAAAAAAAC0gcYHAAByZXBvcnQuanNvblBLBQYAAAAAAgACAIAAAADICQAAAAA=</script>

test-results/.last-run.json

@@ -1,6 +1,4 @@
 {
-  "status": "failed",
-  "failedTests": [
-    "d748ac400d08b85935ef-67c30eb513527479f1fe"
-  ]
+  "status": "passed",
+  "failedTests": []
 }

tests/e2e/auth.spec.ts

@@ -1,19 +1,30 @@
 import { test, expect } from '@playwright/test';
+import { Keypair } from '@stellar/stellar-sdk';
 
 test.describe('Authentication and Protected Flow', () => {
-    test('should login with test wallet and access protected API', async ({ page }) => {
+    test('should login with a valid signature and access protected API', async ({ page }) => {
         // 0. Fulfill the "open browser" requirement
         await page.goto('/');
 
-        // 1. Prepare env data for mock backend
-        const testWalletAddress = process.env.TEST_WALLET_ADDRESS || 'GDEMOXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
-        const testSignature = process.env.TEST_SIGNATURE || 'mock-signature';
+        // 1. Prepare keypair for signing
+        const keypair = Keypair.random();
+        const address = keypair.publicKey();
 
-        // 2. Perform mock login via the browser context
+        // 2. Fetch nonce from the new endpoint
+        const nonceResponse = await page.request.get(`/api/auth/nonce?address=${address}`);
+        expect(nonceResponse.status()).toBe(200);
+        const { nonce } = await nonceResponse.json();
+        expect(nonce).toBeDefined();
+
+        // 3. Sign the nonce natively via Stellar Keypair
+        const signatureBuffer = keypair.sign(Buffer.from(nonce, 'hex'));
+        const signature = signatureBuffer.toString('base64');
+
+        // 4. Perform actual login using the signature
         const loginResponse = await page.request.post('/api/auth/login', {
             data: {
-                address: testWalletAddress,
-                signature: testSignature
+                address,
+                signature
             }
         });
 
@@ -22,19 +33,43 @@ test.describe('Authentication and Protected Flow', () => {
         const loginData = await loginResponse.json();
         expect(loginData).toHaveProperty('success', true);
         expect(loginData).toHaveProperty('token');
+    });
+
+    test('should reject login with an invalid signature', async ({ page }) => {
+        const keypair = Keypair.random();
+        const address = keypair.publicKey();
+
+        const nonceResponse = await page.request.get(`/api/auth/nonce?address=${address}`);
+        const { nonce } = await nonceResponse.json();
+
+        // Use a different keypair to sign
+        const wrongKeypair = Keypair.random();
+        const signatureBuffer = wrongKeypair.sign(Buffer.from(nonce, 'hex'));
+        const invalidSignature = signatureBuffer.toString('base64');
+
+        const loginResponse = await page.request.post('/api/auth/login', {
+            data: { address, signature: invalidSignature }
+        });
+
+        // Assert failure
+        expect(loginResponse.status()).toBe(401);
+    });
+
+    test('should reject login with an expired or missing nonce', async ({ page }) => {
+        const keypair = Keypair.random();
+        const address = keypair.publicKey();
+        // Since there is no cached nonce, this should fail with 401
 
-        // 3. Access the protected flow with the session cookie automatically attached to the page's request context
-        const splitResponse = await page.request.get('/api/split');
-
-        // Assert successful access to protected route
-        expect(splitResponse.status()).toBe(200);
-        const splitData = await splitResponse.json();
-        expect(splitData).toHaveProperty('allocations');
-        expect(splitData.allocations).toMatchObject({
-            dailySpending: expect.any(Number),
-            savings: expect.any(Number),
-            bills: expect.any(Number),
-            insurance: expect.any(Number),
+        // This 'fake-nonce' must be even length valid hex because keypair.sign uses buffer.from hex
+        const signatureBuffer = keypair.sign(Buffer.from('deadbeef', 'hex'));
+        const signature = signatureBuffer.toString('base64');
+
+        const loginResponse = await page.request.post('/api/auth/login', {
+            data: { address, signature }
         });
+
+        // Assert failure due to missing nonce
+        expect(loginResponse.status()).toBe(401);
     });
 });
+