## Context

Follow-up items from PR #52 code review — hardening the wallet-based social features (reviews, comments, reactions) on the platform server.

## Tasks

### Wallet Auth (wallet-auth.js)

- [ ] Fixed (static) `CHALLENGE_MESSAGE` with no nonce/expiry → migrate to EIP-4361 (Sign-In with Ethereum) ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481896))
- [ ] `verifyWalletSignature()` doesn't guard against array-typed Express headers ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481910))
- [ ] Nonce cache uses FIFO eviction instead of LRU ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929487813))

### Route Consistency (routes/store.js)

- [ ] DELETE `/reviews/:reviewId` ignores the `:id` param — add `requireAppchain` middleware ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481929))
- [ ] DELETE `/comments/:commentId` ignores the `:id` param — add `requireAppchain` middleware ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481817))
- [ ] `targetExists()` in reactions doesn't verify that the target belongs to the `:id` deployment ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481940))
- [ ] `parentId` for comments is not validated (can reference non-existent or cross-deployment comments) ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481951))

### Schema & Docs

- [ ] `schema.sql:152` — Comment says "max 3 per deployment" but the API enforces 10 ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481746))
- [ ] `showroom-social-infra-guide.md:186` — Doc claims a wallet-level rate limit but the server only has an IP-based one ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481874))

### Cleanup

- [ ] `explore/[id]/page.tsx:7` — Remove unused `authApi` import ([review](https://github.com/tokamak-network/ethrex/pull/52#discussion_r2929481852))

## Related

- PR #52
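Added example, not code from the project or from PR #52, covering the three Wallet Auth items above: a single-string header guard, nonce and expiry read from an EIP-4361 message, and a single-use nonce cache with LRU rather than FIFO eviction. The header names, rejection codes and sample message are assumptions; recovering the signer address from the signature is assumed to be a separate step and is not shown.

```javascript
// Added example, not the project's wallet-auth.js: the three Wallet Auth items
// above as dependency-free Node.js. Header names and the sample message are
// assumptions; EIP-191 signer recovery is assumed to happen in a separate step.

// 1. Express exposes a repeated header as an array: accept only a single string.
function singleHeader(req, name) {
  const v = req.headers[name.toLowerCase()];
  return typeof v === 'string' ? v : null;
}

// 2. Pull the replay-relevant fields out of an EIP-4361 (SIWE) message.
function parseSiwe(message) {
  const field = (label) => (message.match(new RegExp(`^${label}: (.+)$`, 'm')) || [])[1] ?? null;
  return { nonce: field('Nonce'), expirationTime: field('Expiration Time') };
}

// 3. Consumed-nonce cache with LRU eviction: Map iterates in insertion order, so
//    delete-then-set on each hit keeps a replayed nonce resident; FIFO would not.
class LruNonceCache {
  constructor(max) { this.max = max; this.map = new Map(); }
  has(nonce) {
    if (!this.map.has(nonce)) return false;
    this.add(nonce);                       // touch: move to the most-recent end
    return true;
  }
  add(nonce) {
    this.map.delete(nonce);
    this.map.set(nonce, true);
    if (this.map.size > this.max) this.map.delete(this.map.keys().next().value);
  }
}

// null when the challenge is acceptable, otherwise a rejection reason. Expiry
// bounds the replay window, so the cache only needs to remember nonces that long.
function checkChallenge(req, cache, now = Date.now()) {
  const message = singleHeader(req, 'x-wallet-message');     // assumed header name
  const signature = singleHeader(req, 'x-wallet-signature'); // assumed header name
  if (!message || !signature) return 'missing-or-array-header';
  const { nonce, expirationTime } = parseSiwe(message);
  if (!nonce || !expirationTime) return 'missing-nonce-or-expiry';
  if (!(Date.parse(expirationTime) > now)) return 'expired';
  if (cache.has(nonce)) return 'replayed-nonce';
  cache.add(nonce);
  return null;
}
// Constructed sample message in EIP-4361 layout (not from a real session).
const SAMPLE_MESSAGE = ['example.com wants you to sign in with your Ethereum account:',
  '0x0000000000000000000000000000000000000001', '', 'URI: https://example.com',
  'Version: 1', 'Chain ID: 1', 'Nonce: n8f2k1', 'Issued At: 2024-01-01T00:00:00Z',
  'Expiration Time: 2024-01-01T00:10:00Z'].join('\n');
```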