FR: Verify session on server

[carlbarrdahl]

Is your feature request related to a problem? Please describe.
It would be great if we could verify the user wallet on server-side.
I know the address can be gotten from the cookie but this could be changed by the client.

Describe the solution you would like

import { getSession } from "@account-kit/core"

async function handler(req, res) {
  const session = await getSession()
  // session.address = "0x..."
  await db.post.create({ data: {...body, owner: session.address } })
}

Describe alternatives you have considered

• Using NextAuth and have the SmartAccount wallet sign a message to create a session.
• Using Privy or Web3Auth that support this use-case

[moldy530]

Ah yea we've discussed this internally as well. Right now, you can use the signer returned from the useSigner or even the account returned from useAccount to signMessage and then verify the message signature on the server and that it matches the SCA address for your user.

The other thing we want to expose is a stampWhoAmi method on the signer itself. with that method you would be able to send the stamp to your backend and then call our whoami endpoint on the server which will return the user id + signer address for that stamp (if the stamp is valid).

[joacodf]

Hey @moldy530 , I'm in a similar situation and have a question about those options. I have an external backend (with Python) that needs to verify the session created by Account Kit. Do I need to call the whoami endpoint on every request, or should I create my own access_token for the following requests?

[moldy530]

I would create your own access_token for following requests yea:

1. stamp whoami and pass to backend
2. backend verifies whoami
3. issue an access token (http only cookie most likely)

if http only cookie is present, safely skip whoami check