Backend: Add wallet-signature-based auth for campaign creation/management

[CelestinaBeing]

Summary

Write operations (POST/PUT/DELETE campaigns) are protected by API key auth, but there is no way for a wallet-owning campaign creator to authenticate using their Stellar key pair. On mainnet, campaign creation should be permissioned by wallet signature — not a shared API key — so only the campaign operator (who controls the admin key for the linked contract) can manage their campaign.

Problem

Current auth model:

• API key is a shared secret, not tied to any individual identity
• No way to verify that the caller owns the admin key of the referenced campaign contract
• A leaked API key grants full write access to all campaigns

Acceptance Criteria

• Add a challenge-response signature auth flow:
  1. GET /api/v1/auth/challenge returns a time-limited nonce (60s TTL) for a given wallet address
  2. Client signs the nonce with Freighter using the wallet's keypair
  3. POST /api/v1/auth/verify validates the signature against the public key, returns a short-lived JWT (15 min) or session token
• Protect POST/PUT/DELETE campaign routes with either API key OR wallet JWT
• Store challenge nonces in Redis (or in-memory with TTL) — not in SQLite
• Add wallet address to audit log entries when wallet auth is used
• Add unit tests for challenge generation, signature verification (using @stellar/stellar-sdk), and token issuance
• Document the auth flow in backend/openapi.yaml and backend/README.md

References

• backend/src/middleware/apiKeyAuth.js
• backend/src/index.js — route registration
• frontend/src/stellar.js — wallet signing

[laxjovial]

@laxjovial has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I’d appreciate the opportunity to work on this, kindly assign to me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @laxjovial to this issue.

[charliechinedu19-netizen]

@charliechinedu19-netizen has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

hey gm, i'd love to take on this task real quick

ℹ️ Repo Maintainers: To accept this application, review their application or assign @charliechinedu19-netizen to this issue.

[Dataguru-tech]

@Dataguru-tech has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi maintainer, I would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Dataguru-tech to this issue.

[drips-wave]

Congratulations, @Dataguru-tech! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @Dataguru-tech: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @Dataguru-tech as part of the Stellar Wave Program's 5th Wave 🥳

😎 @Dataguru-tech: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.