Gate /api/orgs/[orgId]/members behind JWT instead of Actor-Wallet-Address header

[greatest0fallt1me]

Description

app/api/orgs/[orgId]/members/route.ts documents that it should be JWT-gated but uses the unauthenticated Actor-Wallet-Address header as a stand-in for identity, so any caller can spoof an owner address and add members. This is a server-side authorization (RBAC) bug on a privileged org-management endpoint.

Requirements and Context

• Replace header trust with tryAuthenticateRequest from app/lib/auth.ts; derive the actor wallet from the verified JWT sub.
• Keep the owner-only AuthZ rule for POST and add it to GET (members list should require org membership).
• Return 401 for missing/invalid token, 403 for non-owner, using the shared error envelope.
• Must be secure, tested, and documented
• Should be efficient and easy to review

Suggested Execution

1. Fork the repo and create a branch

   git checkout -b bug/org-members-jwt-authz

2. Implement changes
   • app/api/orgs/[orgId]/members/route.ts
   • Reuse app/lib/auth.ts and app/lib/org-db.ts
3. Test and commit
   • npm test -- app/api/orgs
   • Cover edge cases: spoofed header, valid non-owner JWT, valid owner JWT
   • Include test output and notes in the PR

Example commit message

fix: require verified JWT for org members endpoint

Acceptance Criteria

• Spoofed Actor-Wallet-Address no longer grants access
• Owner-only enforced via JWT sub for member add
• Members list requires authenticated org member
• Coverage ≥ 90% for the route

Guidelines

• Minimum 90% test coverage including spoofing attempts
• Clear documentation and inline comments
• Timeframe: 96 hours

[greatKhalifa-code]

@greatKhalifa-code has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello maintainer ill like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @greatKhalifa-code to this issue.

[drips-wave]

Congratulations, @greatKhalifa-code! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @greatKhalifa-code: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊