
Require signed auth for messages reads#27

Open
lawyered0 wants to merge 1 commit into JejuNetwork:main from lawyered0:codex/messages-read-auth

Conversation

@lawyered0

Summary:

  • Require signed auth for read endpoints in /api/messages (skip nonce check)
  • Sign read requests in the Factory web client with a cached 4-minute signature

Security:
Previously, a client could spoof x-wallet-address to read other users' conversations and message metadata. This change requires a wallet signature for message reads.

UX:
Read requests reuse a signed header for ~4 minutes to avoid repeated wallet prompts.

Testing:

  • Not run (auth plumbing changes only)

