backend: harden SEP-10 auth and SEP-12 KYC rate limits #866

Merged
emdevelopa merged 1 commit into emdevelopa:main from Abidoyesimze:feat/sep10-sep12-hardening-587-733
Jun 23, 2026

@Abidoyesimze

Summary

This PR implements backend system optimization for SEP-10 Authentication and SEP-12 KYC Integration across four related issues:

Key changes

  • backend/src/lib/sep10-auth.js — Sep10AuthError, withSep10StoreRecovery, validateChallengeXdr, getHomeDomain(), structured verification codes
  • backend/src/lib/rate-limit.js — createSep10ChallengeRateLimit / createSep10VerifyRateLimit factories
  • backend/src/routes/auth.js — Refactored to injectable createAuthRouter with wired rate limiters
  • backend/src/app.js — Redis store for SEP-10 rate limits (rl:sep10: prefix)
  • backend/SEP10_AUTH_SECURITY_AUDIT.md — Security audit findings and mitigations
  • backend/.env.example — SEP-10 and SEP-12 rate limit env vars

Closes #587
Closes #588
Closes #589
Closes #733

Test plan

  • npm --prefix backend test -- src/lib/sep10-auth.test.js src/routes/auth.routes.test.js src/lib/rate-limit.test.js src/routes/sep12.test.js (35 passed)
  • Challenge endpoint rate-limits repeated requests for the same account
  • Verify endpoint returns retryable 503 on transient store failures
  • SEP-12 write endpoints rate-limit repeated PUT requests per account
  • Confirm HOME_DOMAIN matches stellar.toml in staging

Security notes

  • Challenge XDR capped at 8 KB before parsing
  • Nonce replay protection rejects reused challenge transactions
  • Home domain validated consistently on challenge generation and verification
  • All challenge/verify attempts count toward rate limits (successful requests are not skipped)
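
The following is an added illustration of the security notes above, not code from this PR or the project: a verify-path guard that counts every attempt, applies the 8 KB cap before decoding, and rejects a reused nonce. `createVerifyGuard`, the result codes, the in-memory Maps standing in for Redis, the reading of the cap as a limit on the base64 string, and the constructed `extractNonce` are all assumptions.

```javascript
// Hypothetical names throughout; this is not the PR's sep10-auth.js API.
const MAX_CHALLENGE_XDR_BYTES = 8 * 1024; // 8 KB cap from the security notes

// In-memory stand-ins for the Redis-backed stores the PR describes.
function createVerifyGuard({ limit, windowMs, nonceTtlMs, extractNonce }) {
  const windows = new Map();    // account -> { count, resetAt }
  const usedNonces = new Map(); // nonce -> expiry timestamp (ms)
  // Fixed window; every attempt increments, whether or not it later succeeds.
  function countAttempt(account, now) {
    let w = windows.get(account);
    if (!w || now >= w.resetAt) {
      w = { count: 0, resetAt: now + windowMs };
      windows.set(account, w);
    }
    w.count += 1;
    return w.count <= limit;
  }
  return function check({ account, xdr }, now = Date.now()) {
    if (!countAttempt(account, now)) return 'rate_limited';
    if (typeof xdr !== 'string') return 'xdr_malformed';
    // Base64 is ASCII, so string length equals byte length; checked before decoding.
    if (xdr.length > MAX_CHALLENGE_XDR_BYTES) return 'xdr_too_large';
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(xdr)) return 'xdr_malformed';
    const nonce = extractNonce(Buffer.from(xdr, 'base64'));
    const expiry = usedNonces.get(nonce);
    if (expiry !== undefined && expiry > now) return 'nonce_replayed';
    // Signature verification is out of scope here; the nonce is consumed on acceptance.
    usedNonces.set(nonce, now + nonceTtlMs);
    return 'accepted';
  };
}

// Constructed demo: the first 48 bytes stand in for the nonce (not real XDR layout).
function demo() {
  const check = createVerifyGuard({
    limit: 4, windowMs: 60000, nonceTtlMs: 300000,
    extractNonce: (bytes) => bytes.subarray(0, 48).toString('hex'),
  });
  const challenge = Buffer.alloc(120, 7).toString('base64'); // constructed bytes
  const oversized = 'A'.repeat(MAX_CHALLENGE_XDR_BYTES + 4);
  const steps = [['GA_TEST', challenge], ['GA_TEST', challenge], ['GA_TEST', oversized],
    ['GA_TEST', challenge], ['GA_TEST', challenge], ['GB_TEST', oversized],
  ];
  return steps.map(([account, xdr], i) => check({ account, xdr }, 1000 + i));
}
console.log(demo());
```

The fifth request for `GA_TEST` is rejected by the limiter even though the earlier ones included an accepted request and an oversized one, because each of them consumed a slot in the window.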

Enhance SEP-10 error recovery, conduct security audit remediation,
and implement distributed rate limiting for challenge/verify flows.
Closes emdevelopa#587, emdevelopa#588, emdevelopa#589, emdevelopa#733.

Co-authored-by: Cursor <cursoragent@cursor.com>
@vercel

vercel Bot commented Jun 23, 2026

@devsimze is attempting to deploy a commit to the Emmanuel's projects Team on Vercel.

A member of the Team first needs to authorize it.

@drips-wave

drips-wave Bot commented Jun 23, 2026

@Abidoyesimze Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@emdevelopa emdevelopa merged commit acc4231 into emdevelopa:main Jun 23, 2026
1 of 4 checks passed

3 participants