You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: backend/docs/AUTHENTICATION.md
+12-11Lines changed: 12 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,31 +1,32 @@
1
-
# Authentication Middleware (SEP-10)
1
+
# Authentication Middleware (SEP-10 + JWT)
2
2
3
-
FlowFi API uses Stellar signed transactions for authentication, following the SEP-10 (Stellar Web Authentication) pattern.
3
+
FlowFi API uses the Stellar SEP-10 challenge flow to authenticate wallets, then issues a JWT for subsequent API requests.
4
4
5
5
## Overview
6
6
7
-
The authentication middleware verifies that requests come from legitimate Stellar wallet owners by validating signed transactions. This provides secure, wallet-based authentication without traditional username/password schemes.
7
+
Authentication is performed in two phases:
8
8
9
-
## How It Works
9
+
1. Client requests a challenge from `/v1/auth/challenge`
10
+
2. Client signs the challenge transaction and submits it to `/v1/auth/verify`
11
+
3. Server verifies the nonce and returns a JWT
12
+
4. Client uses `Authorization: Bearer <JWT>` for authenticated endpoints
10
13
11
-
1.**Client Side**: The client creates a Stellar transaction, signs it with their private key, and encodes it as XDR
12
-
2.**Server Side**: The middleware extracts the Bearer token, decodes the XDR, and verifies the signature
13
-
3.**User Attachment**: If valid, the user's public key is attached to `req.user`
14
+
This simplifies clients and standardizes authentication across all protected routes.
14
15
15
16
## Using the Middleware
16
17
17
18
### Protected Routes
18
19
19
-
Apply `authMiddleware` to any route that requires authentication:
20
+
Apply `requireAuth` to any route that requires authentication:
0 commit comments