1.6 KiB
1.6 KiB
Status: done
11 — C6: Wallet binding ownership proof + binding overwrite safety
What to build
POST /v1/wallet/register binds a client Solana wallet to an API key for deposit attribution. Today any Bearer key can bind any wallet string without proving ownership. Prevent hijack and accidental overwrite.
Code refs:
packages/tracker/meshnet_tracker/server.py—_handle_wallet_register(~2625–2648)packages/tracker/meshnet_tracker/billing.py—bind_wallet(~153+),_wallet_bindings/ direct overwrite on apply (~351)
Require signed message from wallet pubkey (ed25519 via cryptography / solders). Reject rebinding without admin or signed release. Use explicit overwrite policy — today ~351 overwrites binding directly; gossip apply must reject conflicting binds instead of silently clobbering.
Test-first
- Red: bind wallet A with only API key, no signature — must fail after fix.
- Red: wallet already bound to key1; key2 cannot steal without proof.
- Green: valid signature binds; deposit watcher credits correct API key.
Acceptance criteria
- Wallet binding requires cryptographic proof of pubkey ownership
- One wallet → one API key (or documented admin override)
- Gossip
bindevents cannot overwrite existing binding via direct overwrite at~351 - Tests with deterministic keypairs (local adapter)
ADR links
Blocked by
02-a2-unified-auth-boundary_completed.md03-c5-starting-credit-zero_completed.md