BE-19: Signed Payloads for Client-to-Server Requests (Anti-Tamper)

[Cedarich]

Labels: backend, security, wave4
Complexity: 200 points
Branch: feat/be-signed-payloads
Summary
Add optional signed payload verification for sensitive requests (e.g., bids, refunds, disputes) to reduce tampering risk in untrusted clients.
Tasks

• Define signing scheme (timestamped payload + wallet signature).
• Add verification middleware and replay protection window.
• Apply to selected high-risk endpoints.
• Add tests with valid/invalid signatures and replay attempts.
  Acceptance Criteria
• Server rejects tampered payloads and replayed signatures.
• Verification errors are consistent and client-actionable.
• Sensitive endpoints can require signatures via config/flag.

---

[Stanley-Owoh]

@Stanley-Owoh has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Good day maintainer
how are you doing, please i would like to work on this issue, i will work on it immediately once its been assigned to me i will give you positive result, thank you

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Stanley-Owoh to this issue.

[drips-wave]

Congratulations, @Stanley-Owoh! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on April 29, 2026.

🧑‍💻 @Stanley-Owoh: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been marked as completed by a Drips Wave moderator for @Stanley-Owoh as part of the Stellar Wave Program's 4th Wave 🥳

Moderator's reason: [Auto-assessed] The PR has been open for over 31 hours without any maintainer objections and provides a thorough implementation of the signed payload verification system. It includes the required middleware, replay protection logic, configuration updates, and unit tests, effectively addressing all criteria specified in the issue.

😎 @Stanley-Owoh: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.

ℹ️ Note: This issue was marked complete via moderation. Points were issued even though the GitHub issue remains open.