Skip to content

Auth: Challenge Endpoint (POST /auth/challenge) #6

Description

@codebestia

Background

Sign In With Stellar requires the wallet to sign a server-generated message. The backend must issue a time-limited, single-use challenge string tied to the requesting wallet address. This is the first step of the two-step auth flow.

Proposed Steps

  1. Create POST /auth/challenge route
  2. Accept { address: string } in the request body
  3. Validate that address is a valid Stellar public key (using StrKey.isValidEd25519PublicKey from @stellar/stellar-sdk)
  4. Generate a cryptographically random nonce (crypto.randomBytes(32).toString('hex'))
  5. Persist an AuthNonce record with expiresAt = now + 5 minutes
  6. Return a structured challenge message that the wallet will sign
  7. Clean up expired nonces on each call

Acceptance Criteria

  • POST /auth/challenge with a valid Stellar address returns 200 with { message, nonce, expiresAt }
  • POST /auth/challenge with an invalid address returns 400 with a clear error
  • Nonce is persisted to AuthNonce table
  • Expired nonces are cleaned up before each new challenge is generated
  • The challenge message format is deterministic and matches what the frontend signs

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions