Description
The wallet login endpoint (POST /api/auth/wallet-login) is completely non-functional because the walletLoginSchema at backend/controllers/authController.js:314 is defined as z.object({}) — an empty schema that validates zero fields. The handler destructures address, signature, and nonce from validationResult.data, but since the schema accepts any empty object, all three values resolve to undefined. This breaks nonce lookup in Redis, signature verification, and wallet address lookup in MongoDB.
The same z.object({}) issue affects wallet registration at the same line since both share the schema.
Steps to Reproduce
- Register a user with a wallet address via POST /api/auth/wallet-register
- Try to login via POST /api/auth/wallet-login with { address, signature, nonce }
- Observe the server receives undefined for all three fields because z.object({}) strips them during validation
- Redis nonce lookup fails with undefined key, nonce verification fails, wallet login returns an error
Expected Behavior
- walletLoginSchema should validate address (string, required), signature (string, required), and nonce (string, required)
- Nonce should be correctly retrieved from Redis and verified against the signature using ethers.verifyMessage
- On successful verification, the user should be authenticated and receive JWT tokens
- Wallet registration flow should work end-to-end
Implementation Hints
Fix the schema at backend/controllers/authController.js line 314:
const walletLoginSchema = z.object({
  address: z.string().min(1, "Wallet address is required"),
  signature: z.string().min(1, "Signature is required"),
  nonce: z.string().min(1, "Nonce is required"),
});
Consider extracting a shared wallet schema since both walletRegister and walletLogin use the same base fields:
const walletFields = {
  address: z.string().min(1).transform((v) => v.toLowerCase()),
  signature: z.string().min(1),
  nonce: z.string().min(1),
};
const walletLoginSchema = z.object(walletFields);
Verify the fix by testing the full wallet auth flow:
- Generate nonce for wallet address
- Sign the nonce with the wallet private key
- Call wallet-login with address, signature, and nonce
- Confirm successful authentication
Affected Files
backend/controllers/authController.js (line 314)
Labels
type:bug, level:intermediate, GSSoC-26
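The "Verify the fix" flow above, run against both the empty and the corrected schema, as an added example that is not the project's code. Assumptions: parseStrip is a hypothetical stand-in for Zod's default stripping of undeclared keys, the two Maps stand in for Redis and MongoDB, and Node's ECDSA verification stands in for ethers.verifyMessage.

```javascript
// Added example; every name below is hypothetical, not the project's code.
const crypto = require("node:crypto");
// Stand-in for Zod's default object parsing: only keys declared in the
// shape survive, everything else in the request body is stripped.
function parseStrip(shape, body) {
  const data = {};
  for (const [key, isValid] of Object.entries(shape)) {
    if (!isValid(body[key])) return { success: false };
    data[key] = body[key];
  }
  return { success: true, data };
}
const required = (v) => typeof v === "string" && v.length > 0;
const emptySchema = {}; // mirrors z.object({})
const fixedSchema = { address: required, signature: required, nonce: required };
const nonces = new Map(); // stand-in for Redis: "nonce:<address>" -> nonce
const users = new Map(); // stand-in for MongoDB: address -> public key

function walletLogin(schema, body) {
  const parsed = parseStrip(schema, body);
  if (!parsed.success) return { status: 400 };
  const { address, signature, nonce } = parsed.data;
  const key = `nonce:${address}`; // "nonce:undefined" under emptySchema
  const expected = nonces.get(key);
  const publicKey = users.get(address);
  if (!expected || expected !== nonce || !publicKey) return { status: 401, key };
  nonces.delete(key); // single use: a replayed request finds no nonce
  // Stand-in for ethers.verifyMessage: plain ECDSA verification.
  const ok = crypto.verify("sha256", Buffer.from(nonce), publicKey, Buffer.from(signature, "hex"));
  return { status: ok ? 200 : 401, key };
}

function runFlow() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const der = publicKey.export({ type: "spki", format: "der" });
  // Constructed address: not a real Ethereum address derivation.
  const address = "0x" + crypto.createHash("sha256").update(der).digest("hex").slice(0, 40);
  users.set(address, publicKey);
  const nonce = crypto.randomBytes(16).toString("hex");
  nonces.set(`nonce:${address}`, nonce);
  const signature = crypto.sign("sha256", Buffer.from(nonce), privateKey).toString("hex");
  const body = { address, signature, nonce };
  return {
    broken: walletLogin(emptySchema, body), // fields stripped, lookup misses
    fixed: walletLogin(fixedSchema, body), // full flow succeeds
    replay: walletLogin(fixedSchema, body), // nonce already consumed
    missing: walletLogin(fixedSchema, { address }), // rejected by schema
  };
}
```

A regression test on the real controller can assert the same four outcomes, including that a valid request never produces a lookup on an undefined key.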