fix(security): secure api key generation with session validation

[Shreyassp002]

Category: Security
Priority: P0
What: Implemented server-side session cookie verification in getAuthContext using @supabase/ssr to ensure the requested x-wallet-address matches the authenticated user's session metadata.
Why: The endpoint previously relied solely on the unvalidated x-wallet-address header combined with createServerClient() (which bypasses RLS), allowing an attacker to generate, view, or revoke API keys for any merchant, leading to a complete compromise of the v1 API access.
Impact: Prevents unauthorized generation and revocation of API keys by enforcing that the caller actually owns the wallet address via a valid Supabase session cookie.
Verification: Ran npm run lint and npm run build successfully. Verified that getAuthContext strictly matches the walletAddress against the user.user_metadata?.wallet_address from the session.

---

PR created automatically by Jules for task 3598519831060995355 started by @Shreyassp002

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
flash-protocol	Ready	Preview, Comment	Apr 14, 2026 4:23pm

[github-actions]

⚡ Flash Review

Metric	Value
Files Reviewed	1
Risk Level	🔴 High
Issues Found	🚨 1 Critical · ⚠️ 0 Warnings · 💡 0 Suggestions

---

🚨 Critical (must fix before merge)

• src/app/api/v1/auth/api-keys/route.ts:L13 — createSSRClient might not correctly handle session cookies in API routes; createServerClient is generally preferred here.

---

✅ What's good: Appreciate the focus on securing API key generation, which is crucial for Flash Protocol's integrity.

---

_{⚡ Powered by Flash Review · Report Issue}

⚠️ Note: 1 file(s) could not be reviewed due to API errors.

[github-actions]

⚡ Flash Review

The use of createSSRClient in an API route (/api/v1/*) might be problematic. createSSRClient is typically designed for Server Components or getServerSideProps contexts, where it implicitly handles cookies. In API routes, createServerClient (from @supabase/auth-helpers-nextjs) is usually preferred, explicitly passing cookies() from next/headers to ensure the session cookie is correctly read from the NextRequest. If createSSRClient isn't specifically configured to handle NextRequest cookies in this context, supabaseSsr.auth.getUser() might incorrectly return null, leading to authentication failures for legitimate users.

Fix: Verify that createSSRClient is robustly implemented to read session cookies from NextRequest in API routes. If not, consider using createServerClient with cookies() from next/headers for consistency and reliability in API authentication.

[Shreyassp002]

Closing: the fix assumes Supabase Auth sessions exist, but this app uses wallet-based auth (Reown AppKit + Wagmi). supabaseSsr.auth.getUser() would always return null, breaking API key generation for all users. The underlying x-wallet-address trust issue is real but requires an architectural fix across all internal routes, not a single-route patch with the wrong auth mechanism.