
JWTVerifier interceptor does not enforce auth

Open fbac opened this issue 1 month ago • 0 comments

When a request to the server carries the proper JWT, the auth interceptor sets: ctx = context.WithValue(ctx, constants.VerifiedNodeRequestCtxKey{}, true)

Afterwards, no handler actually checks the context value.

This means:

  • All endpoints are optionally authenticated - they accept both authenticated and unauthenticated requests.
  • The interceptor only validates tokens when they're present, but doesn't enforce their presence.
  • The VerifiedNodeRequestCtxKey context value exists but is unused (except in tests).

fbac Oct 29 '25 05:10
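The missing piece the issue describes is a check that reads the context flag back and fails closed. The following is an added example, not xmtpd's own code: it assumes `VerifiedNodeRequestCtxKey` is an empty struct type (as the `{}` literal in the issue suggests), uses a minimal `Handler` type in place of a real gRPC unary handler, and treats a missing or non-bool value as unauthenticated.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// VerifiedNodeRequestCtxKey mirrors the key named in the issue; assumption:
// the project's constants package defines it as an empty struct.
type VerifiedNodeRequestCtxKey struct{}

// ErrUnauthenticated is returned when a protected handler is reached
// without a verified node JWT in the request context.
var ErrUnauthenticated = errors.New("unauthenticated: verified node JWT required")

// MarkVerified is what the interceptor already does after a JWT validates.
func MarkVerified(ctx context.Context) context.Context {
	return context.WithValue(ctx, VerifiedNodeRequestCtxKey{}, true)
}

// IsVerifiedNodeRequest reads the flag back; a missing, false or non-bool
// value is treated as unauthenticated so the check fails closed.
func IsVerifiedNodeRequest(ctx context.Context) bool {
	v, ok := ctx.Value(VerifiedNodeRequestCtxKey{}).(bool)
	return ok && v
}

// Handler is a constructed stand-in for a unary RPC handler.
type Handler func(ctx context.Context, req string) (string, error)

// RequireVerifiedNode wraps a handler so that requests whose context was
// never marked verified are rejected: the enforcement the issue reports
// as absent from every endpoint.
func RequireVerifiedNode(h Handler) Handler {
	return func(ctx context.Context, req string) (string, error) {
		if !IsVerifiedNodeRequest(ctx) {
			return "", ErrUnauthenticated
		}
		return h(ctx, req)
	}
}

// echo is a constructed handler used only for the demonstration.
func echo(_ context.Context, req string) (string, error) { return "ok:" + req, nil }

func main() {
	protected := RequireVerifiedNode(echo)
	_, err := protected(context.Background(), "ping") // no JWT: rejected
	fmt.Println("no token:", err)
	out, _ := protected(MarkVerified(context.Background()), "ping")
	fmt.Println("with token:", out) // prints "with token: ok:ping"
}
```

Wrapping only the handlers that require node authentication keeps the interceptor's optional-token behaviour available for any endpoints that are meant to be public.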