
Fix SIWE auth configuration#32

Closed
Markeljan wants to merge 1 commit into main from fix-signin-with-ethereum-support

Conversation

@Markeljan
Owner

Summary

  • run the Auth.js SIWE handler on the Node.js runtime so it can access server-only features
  • explicitly provide the Auth.js secret and trust the forwarded host to resolve the production configuration error

Testing

  • npm run check

https://chatgpt.com/codex/tasks/task_e_68ea6da20ccc83229e76bd0f082d9765

@vercel
Contributor

vercel Bot commented Oct 11, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
w3gpt   | Ready      | Preview | Comment  | Oct 11, 2025 3:19pm

@claude

claude Bot commented Oct 11, 2025

Claude finished @Markeljan's task


PR Review: Fix SIWE auth configuration

Review Checklist

  • Read repository guidelines (CLAUDE.md)
  • Analyze changed files and understand modifications
  • Review code quality and best practices
  • Check for potential bugs or issues
  • Evaluate security considerations
  • Assess performance implications
  • Review test coverage considerations
  • Provide comprehensive feedback

Review Summary

This PR makes minimal but crucial changes to fix SIWE (Sign-In with Ethereum) authentication configuration in production. The changes address two specific issues mentioned in the PR description.

Positive Aspects

  1. Targeted Fix: The changes are minimal and focused on the specific production configuration issues
  2. Proper Runtime Selection: Switching from "edge" to "nodejs" runtime is correct for SIWE functionality that requires server-only features
  3. Security Best Practices: Explicitly providing AUTH_SECRET and using trustHost: true are appropriate for production deployment

📝 Detailed Analysis

Changes Made:

File: app/api/auth/[...nextauth]/route.ts

- export const runtime = "edge"
+ export const runtime = "nodejs"
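Review bot: the runtime switch in route.ts carries no comment saying why `nodejs` is required, which invites a later revert to `edge` for cold-start reasons. Suggest a one-line comment above `export const runtime = "nodejs"` noting that the SIWE handler relies on server-only Node APIs, as the PR summary states.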

File: auth.ts

+ secret: process.env.AUTH_SECRET,
+ trustHost: true,
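Review bot: `secret: process.env.AUTH_SECRET` is passed through unchecked, so an unset variable becomes `undefined` and only surfaces as a failure at the first sign-in; add a startup check that throws when `AUTH_SECRET` is missing. Also, `trustHost: true` is unconditional: it tells Auth.js to build callback URLs from the forwarded host header, which is fine behind Vercel's proxy (as the review notes) but not if the same config is ever run behind an untrusted proxy. Consider gating it on the deployment environment rather than hardcoding it.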

Code Quality & Best Practices

✅ Runtime Configuration

  • Changing from "edge" to "nodejs" runtime is necessary for SIWE functionality
  • Edge runtime has limitations that prevent certain cryptographic operations required by SIWE
  • This aligns with Auth.js documentation for SIWE implementations

✅ Auth Secret Configuration

  • Explicitly setting secret: process.env.AUTH_SECRET is good practice
  • The environment variable is properly defined in .env.example
  • Ensures consistent JWT signing/verification across deployments

✅ Trust Host Configuration

  • trustHost: true is appropriate for production environments
  • Allows Auth.js to trust the forwarded host headers from reverse proxies (like Vercel)
  • The existing resolveDomain function already handles host resolution properly

Security Considerations

✅ Environment Variables

  • AUTH_SECRET is properly externalized as an environment variable
  • No secrets are hardcoded in the source code

⚠️ Minor Security Note

  • trustHost: true should only be used when you trust your hosting environment
  • Since this is deployed on Vercel, this is appropriate and safe

Performance Implications

⚠️ Runtime Performance

  • Node.js runtime has slightly higher cold start times compared to Edge runtime
  • However, this trade-off is necessary for SIWE cryptographic operations
  • Impact should be minimal for authentication endpoints

Potential Issues

✅ No Major Issues Identified

  • The changes are well-targeted and address the specific configuration problems
  • The existing SIWE implementation in the authorize function looks robust with proper error handling
  • Wallet address normalization and verification logic is implemented correctly

Test Coverage

⚠️ Testing Considerations

  • The PR mentions running npm run check (Biome linting)
  • Consider adding integration tests for SIWE authentication flow
  • Test both successful authentication and various failure scenarios (invalid signature, wrong nonce, etc.)

🎯 Recommendations

  1. Documentation: Consider adding a comment explaining why Node.js runtime is required for SIWE
  2. Environment Validation: Consider adding runtime validation to ensure AUTH_SECRET is set
  3. Monitoring: Add logging/metrics to monitor SIWE authentication success/failure rates in production

📊 Overall Assessment

This is a solid, focused fix that addresses specific production configuration issues. The changes are minimal, security-conscious, and technically sound. The SIWE implementation itself appears well-architected with proper error handling and security measures.

Recommendation: ✅ Approve - This PR successfully resolves the stated configuration issues without introducing new risks.
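As an added example (not the project's auth.ts), here is one way to implement the review's "Environment Validation" recommendation and its note on trustHost: the two settings the PR adds, built by a function that fails fast on a missing secret and only trusts the forwarded host where the platform sets it. It assumes an env record is passed in (instead of reading process.env directly) and that VERCEL=1 marks a Vercel deployment; the option shape is a subset of the real NextAuthConfig.

```typescript
// Added example, not the project's own code. Builds the Auth.js options
// the PR sets (secret, trustHost) with validation around them.

type Env = Record<string, string | undefined>;

// Only the two options discussed in the review (assumption: the real
// NextAuthConfig has many more fields, omitted here).
interface AuthOptionsSubset {
  secret: string;
  trustHost: boolean;
}

// Auth.js derives its JWT/cookie keys from the secret, so a missing or
// short value should stop startup instead of failing at the first sign-in.
const MIN_SECRET_LENGTH = 32;

export function buildAuthOptions(env: Env): AuthOptionsSubset {
  // The PR does `secret: process.env.AUTH_SECRET`, which silently passes
  // `undefined` through; check it here instead.
  const secret = env.AUTH_SECRET;
  if (!secret) {
    throw new Error("AUTH_SECRET is not set; refusing to start auth handler");
  }
  if (secret.length < MIN_SECRET_LENGTH) {
    throw new Error(`AUTH_SECRET must be at least ${MIN_SECRET_LENGTH} chars`);
  }

  // trustHost makes Auth.js build callback/redirect URLs from the forwarded
  // Host header. Safe behind a platform proxy that sets that header itself
  // (the Vercel case in the review), not behind an arbitrary proxy, so gate
  // it instead of hardcoding `true`. Assumption: VERCEL=1 on Vercel, or an
  // explicit AUTH_TRUST_HOST=true opt-in (an env var Auth.js also honours).
  const trustHost = env.VERCEL === "1" || env.AUTH_TRUST_HOST === "true";

  return { secret, trustHost };
}
```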


@Markeljan
Owner Author

Closing as stale/obsolete. This PR targeted the older SIWE/Credentials auth setup, but current main now uses a different GitHub-based auth configuration, so these changes are no longer the right fix for the live codebase.

Markeljan closed this Mar 30, 2026