Add authentication to Leaderboard backend with wallet-based sessions

[AryanGodara]

Linked Issues

• closes NOISSUE

Description

This PR implements authentication functionality for the leaderboard backend, enabling users to authenticate using wallet signatures. The implementation includes:

• Added an auth_sessions table to store user sessions
• Created an AuthRepository with methods for challenge generation, signature verification, and session management
• Implemented authentication routes for challenge requests, signature verification, session management, and user info retrieval
• Added middleware to validate authentication tokens
• Updated environment variables to support authentication configuration

The authentication flow follows a challenge-response pattern where users request a challenge message, sign it with their wallet, and submit the signature to verify their identity and create a session.

Toggle Checklist

Checklist

Basics

• B1. I have applied the proper label & proper branch name (e.g. norswap/build-system-caching).
• B2. This PR is not so big that it should be split & addresses only one concern.
• B3. The PR targets the lowest branch it can (ideally master).

Reminder: PR review guidelines

Correctness

• C1. Builds and passes tests.
• C2. The code is properly parameterized & compatible with different environments (e.g. local,
  testnet, mainnet, standalone wallet, ...).
• C3. I have manually tested my changes & connected features.

Tested in Chrome with local development environment. Verified authentication flow with wallet signature and session management.

Tested scenarios:

• Challenge request and signature verification

• Session creation and validation

• User info retrieval

• Session listing and logout

• C4. I have performed a thorough self-review of my code after submitting the PR,
  and have updated the code & comments accordingly.

Architecture & Documentation

• D1. I made it easy to reason locally about the code, by (1) using proper abstraction boundaries,
  (2) commenting these boundaries correctly, (3) adding inline comments for context when needed.
• D2. All public-facing APIs are documented in the docs.
  Public APIS and meaningful (non-local) internal APIs are properly documented in code comments.
• D3. If appropriate, the general architecture of the code is documented in a code comment or
  in a Markdown document.
• D4. An appropriate Changeset has been generated (and committed) with make changeset for
  breaking and meaningful changes in packages (not required for cleanups & refactors).

[AryanGodara]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Add authentication to Leaderboard backend with wallet-based sessions #753 👈 (View in Graphite)
• Add swarm leaderboard backend with DB #669 : 1 other dependent PR (#708 )
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[not-reed]

this should include a unique nonce to protect against replay attacks i believe. don't need to follow the SIWE spec exactly i don't think, but the rational is good here, and its a good guide to follow https://eips.ethereum.org/EIPS/eip-4361#message-fields & https://docs.login.xyz/

[AryanGodara]

Finally implemented this. After hrs of going through and implemented the ERC, found out that viem already had helper functions for this stuff 🫠

[not-reed]

but i bet you understand it better now 😁

[not-reed]

likely this should be a env variable :)

[AryanGodara]

Yessir, refactored the env.ts and cookieCOnfig 🫡

[not-reed]

if this happened, then i think something catastrophic happened right? maybe want to clear the cookie and log them out or handle this in some way

... does this want to be part of the requireAuth middleware even?

[AryanGodara]

I don't think this should ever happen. Maybe I should add more logging around it to know if it does.

But since user: User | undefined after fetching it from the repository, I can't not add this line of if (!user); residual habit from writing in golang 😅

[AryanGodara]

I've added requireAuth to it, just so authenticated users can fetch themselves. I don't have any usecase for this endpoint right now. It's just present as a stub for now

[not-reed]

i suspected that was the case :) yeah if something supposedly impossible happens like this, but you have a check anyways to fix types or whatever, should probably log when things go sideways, just in case 👍

[not-reed]

you could add a whereExists('users.id', '=', 'auth_sessions.user_id') (i probably have the wrong syntax here) so that deleted users sessions are automatically invalidated

[AryanGodara]

Updated this, added an innerJoin, so that it makes sure the user still exists when fetching the session related to it

[not-reed]

you are taking first already, why not update and fetch in one go & save a query?

Suggested change

	await this.db
	.updateTable("auth_sessions")
	.set({ last_used_at: new Date().toISOString() })
	.where("id", "=", sessionId)
	.executeTakeFirstOrThrow()
	const session = await this.db
	.updateTable("auth_sessions")
	.set({ last_used_at: new Date().toISOString() })
	.where("id", "=", sessionId)
	.returningAll()
	.executeTakeFirstOrThrow()

• this works well in postres, unsure about sqlite

[AryanGodara]

For this and the above comment, here's my new implementation :-

    async verifySession(sessionId: AuthSessionTableId): Promise<AuthSession | undefined> {
        try {
            // First check if the session exists and belongs to an existing user
            const session = await this.db
                .selectFrom("auth_sessions")
                .innerJoin("users", "users.id", "auth_sessions.user_id")
                .where("auth_sessions.id", "=", sessionId)
                .select(["auth_sessions.id", "auth_sessions.user_id", "auth_sessions.primary_wallet", 
                         "auth_sessions.created_at", "auth_sessions.last_used_at"])
                .executeTakeFirst()

            if (!session) {
                return undefined
            }

            // Update the last_used_at timestamp
            const currentTime = new Date().toISOString()
            
            // We don't need the result of this update since we already have the session data
            // and the only thing that changed is the last_used_at timestamp, which isn't usually
            // needed by the application logic
            await this.db
                .updateTable("auth_sessions")
                .set({ last_used_at: currentTime })
                .where("id", "=", sessionId)
                .executeTakeFirstOrThrow()

            // Return the session with the updated timestamp
            // The session object already has the correct types from the database schema
            // so we need to preserve those types
            return {
                ...session,
                last_used_at: new Date(currentTime) // Convert string to Date to match expected type
            }
        } catch (error) {
            console.error("Error verifying session:", error)
            return undefined
        }
    }

[not-reed]

my comment was more that i think you can do it all in a single more efficient query :) I probably have syntax slightly wrong, and it simply might not work with sqlite, but something like this should have the same result I think?

    async verifySession(sessionId: AuthSessionTableId): Promise<AuthSession | undefined> {
        try {
           const session = await this.db
                .updateTable("auth_sessions")
                .set({ last_used_at: new Date().toISOString() })
                .where("id", "=", sessionId)
                .where(({ exists, selectFrom }) => 
                    exists(
                        selectFrom('users')
                            .select('users.id')
                            .whereRef('users.id', '=', 'auth_sessions.user_id')
                    )
                )
                .returning([
                    "auth_sessions.id", 
                    "auth_sessions.user_id", 
                    "auth_sessions.primary_wallet", 
                    "auth_sessions.created_at",
                    "auth_sessions.last_used_at"
                ])
                .executeTakeFirstOrThrow()

            return session
        } catch (error) {
            console.error("Error verifying session:", error)
            return undefined
        }
    }

[not-reed]

instead of throwing, i think execute can return the number of rows deleted. and you can return true/false from that

[not-reed]

would be nice if this was a join and a single query

[cloudflare-workers-and-pages]

Deploying happychain with    Cloudflare Pages

Latest commit:	4f63489
Status:	✅  Deploy successful!
Preview URL:	https://e0a44d65.happychain.pages.dev
Branch Preview URL:	https://aryan-leaderboard-auth.happychain.pages.dev

View logs

[not-reed]

not a bit deal, but this might be nicer as a template string. (maybe this doesn't play as nice with the docs though? not sure)

Suggested change

	"happychain.app wants you to sign in with your Ethereum account:\n0xBC5F85819B9b970c956f80c1Ab5EfbE73c818eaa\n\nSign this message to authenticate with HappyChain Leaderboard. This will not trigger a blockchain transaction or cost any gas fees.\n\nURI: https://happychain.app/login\nVersion: 1\nChain ID: 216\nNonce: 7f8e9d1c6b3a2e5f4d7c8b9a1e3f5d7c\nIssued At: 2025-05-23T09:30:00.000Z\nExpiration Time: 2025-05-23T09:35:00.000Z",
	message: `
	happychain.app wants you to sign in with your Ethereum account:
	0xBC5F85819B9b970c956f80c1Ab5EfbE73c818eaa
	Sign this message to authenticate with HappyChain Leaderboard. This will not trigger a blockchain transaction or cost any gas fees.
	URI: https://happychain.app/login
	Version: 1
	Chain ID: 216
	Nonce: 7f8e9d1c6b3a2e5f4d7c8b9a1e3f5d7c
	Issued At: 2025-05-23T09:30:00.000Z
	Expiration Time: 2025-05-23T09:35:00.000Z",

also out of curiosity is happychain.app correct?

[AryanGodara]

I might be wrong, but there was some rule that we can't use \n or 0xa0 or whatever character it is, inside this message.

And yeah, the happychain.app and other values are all stub😅, they're mostly optional too

[not-reed]

you are using \n not me 😅 but doesn't matter haha, was just a thought as i was reading through. its fine 🤝

[AryanGodara]

Will change this😭🙇🏻‍♂️🙇🏻‍♂️

[not-reed]

haha idk, mine might not work