-
Hey some general question as I am also somewhat new to this.
so I have this setup:
```ts
export const frames = createFrames<AppFrameState>({
  basePath: "/frames",
  baseUrl: appURL(),
  middleware: [
    imagesWorkerMiddleware({
      imagesRoute: "/images",
      secret: AppConfig.IMAGE_WORKER_SECRET,
    }),
    farcasterHubContext({ hubHttpUrl: AppConfig.HUB_HTTP_URL }),
  ],
});
```
and then someone makes a request to my frame:
```ts
export const POST = frames(async (ctx) => {
  if (!ctx.message) {
    throw new Error("No message");
  }
```
getting the "FID" from the ctx like this:
```ts
const fid = ctx.message.requesterFid;
```
can the requesterFid be "faked" or can I be 100% sure it's the real owner of that FID calling my API?
maybe stupid Q sorry already in advance :-)
-
Hi there. Not a stupid question! If the integrity of the data is important for your application be sure to check the ctx.message.isValid, which is added by the farcasterHubContext in your request handler. This will return false if the message fails hub verification for any reason e.g. the signature not matching the FID.
-
hey stephan thank you for the quick answer!
ah yeah true! so for anyone also looking:
```ts
if (!ctx.message.isValid) {
  throw new Error("Invalid message!");
}
```
this will make sure you have a valid message.
also the usual - first asking on the forum then looking it up:
https://framesjs.org/guides/security :-)
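The check discussed in this thread, written as a guard that fails closed before `requesterFid` is used. This is an added example, not code from the thread or from frames.js: `requireVerifiedFid`, `check` and the sample contexts are hypothetical, and it assumes `isValid` is simply absent when `farcasterHubContext` is not in the middleware list and that `requesterFid` is a positive integer.

```javascript
// Hypothetical guard: only returns a FID once the hub has verified the message.
class UnverifiedFrameMessageError extends Error {
  constructor(reason) {
    super(`Frame message rejected: ${reason}`);
    this.name = "UnverifiedFrameMessageError";
    this.reason = reason;
  }
}

function requireVerifiedFid(ctx) {
  const message = ctx && ctx.message;
  if (!message) {
    throw new UnverifiedFrameMessageError("no-message");
  }
  // Compare strictly against true. If the hub middleware is missing, isValid
  // is undefined (assumption), and a test such as `isValid === false` would
  // let the unverified message through.
  if (message.isValid !== true) {
    const reason =
      message.isValid === undefined ? "not-verified" : "failed-hub-verification";
    throw new UnverifiedFrameMessageError(reason);
  }
  const fid = message.requesterFid;
  if (!Number.isSafeInteger(fid) || fid <= 0) {
    throw new UnverifiedFrameMessageError("bad-fid");
  }
  return fid;
}

// Demonstration helper: returns the FID or the rejection reason.
function check(ctx) {
  try {
    return { ok: true, fid: requireVerifiedFid(ctx) };
  } catch (err) {
    if (err instanceof UnverifiedFrameMessageError) {
      return { ok: false, reason: err.reason };
    }
    throw err;
  }
}

// Constructed sample contexts (not real frame requests).
const samples = {
  verified: { message: { requesterFid: 1234, isValid: true } },
  forged: { message: { requesterFid: 1234, isValid: false } },
  noHubMiddleware: { message: { requesterFid: 1234 } },
  noMessage: {},
};
```

Inside a handler, call the guard once at the top and use only its return value as the caller's identity.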