Feature/auth middleware 31 #41

Merged
SudiptaPaul-31 merged 3 commits into Lumina-eX:main from Dayz-tech-co:feature/auth-middleware-31
Feb 26, 2026
@Dayz-tech-co
Contributor

Summary

Implements backend authentication middleware for TaskChain using wallet signature verification, nonce replay protection, JWT sessions, and private-route guarding.

Problem

Task #31 requires secure auth middleware to:

  • verify wallet signatures
  • prevent replay attacks via nonce
  • manage access/refresh sessions
  • block unauthenticated access to private APIs

What Changed

  • Added nonce issuance endpoint: POST /api/auth/nonce
  • Added signature verification endpoint: POST /api/auth/verify
  • Added refresh endpoint with token rotation: POST /api/auth/refresh
  • Added logout endpoint: POST /api/auth/logout
  • Added authenticated user endpoint: GET /api/auth/me
  • Added reusable auth guard middleware (withAuth)
  • Added JWT utilities (HS256), secure cookie handling, and refresh-token persistence
  • Added Stellar wallet address + signature verification utilities
  • Added DB migration for auth_nonces and auth_refresh_tokens
  • Updated env template with JWT_SECRET

Security Notes

  • Nonce TTL + one-time consumption to prevent replay
  • Short-lived access token + longer refresh token
  • Refresh token rotation + revocation tracking
  • HttpOnly cookie strategy for session tokens
  • Consistent 401 responses for invalid/expired/missing auth

Validation

  • npm run lint
  • npm run build

Migration / Setup

  • Run: scripts/002-auth-tables.sql

  • Set env vars:

    • DATABASE_URL
    • JWT_SECRET (32+ chars)

Screenshots:

[image]

Linked Issue

@SudiptaPaul-31 SudiptaPaul-31 merged commit 208e3a5 into Lumina-eX:main Feb 26, 2026
1 check passed
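
The "Nonce TTL + one-time consumption" and "Consistent 401 responses" notes in the description above, as an added example that is not code from this pull request. `NonceStore`, `verifyLogin`, the in-memory `Map` standing in for `auth_nonces`, the 5-minute TTL, the `address:nonce` message format, and the throwaway Node Ed25519 key standing in for a Stellar wallet key are all assumptions.

```javascript
const crypto = require('node:crypto');
const NONCE_TTL_MS = 5 * 60 * 1000; // assumed TTL; the PR does not state one

class NonceStore {
  constructor(now = () => Date.now()) {
    this.now = now;        // injectable clock so expiry can be tested
    this.rows = new Map(); // nonce -> { address, expiresAt }
  }

  // POST /api/auth/nonce: bind a fresh random nonce to the requesting address.
  issue(address) {
    const nonce = crypto.randomBytes(32).toString('hex');
    this.rows.set(nonce, { address, expiresAt: this.now() + NONCE_TTL_MS });
    return nonce;
  }

  // Delete first, then judge: every nonce gets exactly one attempt, so a
  // replayed or failed request can never be retried with the same value.
  consume(address, nonce) {
    const row = this.rows.get(nonce);
    this.rows.delete(nonce);
    return Boolean(row) && row.address === address && row.expiresAt > this.now();
  }
}

// POST /api/auth/verify: consume the nonce before checking the signature.
function verifyLogin(store, publicKey, address, nonce, signature) {
  if (!store.consume(address, nonce)) return { ok: false, status: 401 };
  const message = Buffer.from(`${address}:${nonce}`); // assumed message format
  const valid = crypto.verify(null, message, publicKey, signature);
  return valid ? { ok: true, status: 200 } : { ok: false, status: 401 };
}

// Constructed demo: a throwaway Ed25519 key stands in for the wallet key.
function demo() {
  let clock = 0;
  const store = new NonceStore(() => clock);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const address = 'GEXAMPLE-CONSTRUCTED-ADDRESS';
  const sign = (n) => crypto.sign(null, Buffer.from(`${address}:${n}`), privateKey);
  const n1 = store.issue(address);
  const sig1 = sign(n1);
  const first = verifyLogin(store, publicKey, address, n1, sig1).status;
  const replay = verifyLogin(store, publicKey, address, n1, sig1).status;
  const n2 = store.issue(address);
  clock += NONCE_TTL_MS + 1; // let the second nonce expire before use
  const expired = verifyLogin(store, publicKey, address, n2, sign(n2)).status;
  return { first, replay, expired };
}
```

With a database-backed store, the lookup and delete in `consume` need to be a single atomic statement so two concurrent requests cannot both consume the same nonce.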
Development

Successfully merging this pull request may close these issues.

[Feature]: User Authentication Middleware