fix: Remove unused AuthNonce and add UsedChallenge pruning job #382

Closed
Auwal007 wants to merge 2 commits into geevapp:main from Auwal007:main

@Auwal007

closes #359

Investigation Report

AuthNonce

  • Used exclusively by app/app/api/auth/nonce/route.ts which inserts a new nonce row and serves it over the legacy endpoint.
  • Was part of "legacy signature replay attack prevention" in the retired authentication flow.
  • No active logic checks, consumes, or expires nonces.

UsedChallenge

  • Part of SEP-10 active verification logic found in app/lib/wallet-auth.ts.
  • Inserted during challenge verification to prevent reuse.
  • Checked prior to verifying new challenges to prevent replay attacks.
  • No existing pruning mechanism; therefore, rows are kept indefinitely causing unbounded growth.

Replay protection flow diagram

GET /api/auth/challenge -> generates SEP-10 transaction
[client signs transaction]
POST /api/auth/verify ->
    1. authenticateWalletWithChallenge() checks prisma.usedChallenge
    2. If challenge exists, abort (Replay detected).
    3. If valid, insert into prisma.usedChallenge.
    4. Sign and issue session JWT.

Justification for Deletion
Because /api/auth/nonce and AuthNonce are completely disconnected from the active authentication/verification strategy, they simply produce dead rows in the database upon unauthenticated invocations. Removing them immediately eliminates this vector for unbounded growth. The database footprint is decreased and dead paths are trimmed safely.

Code Changes Summary

  • Removed: app/app/api/auth/nonce/route.ts
  • Modified: app/prisma/schema.prisma - Removed AuthNonce model.
  • Added: app/prisma/migrations/20260625150646_drop_auth_nonce/migration.sql - Safely drop the model.
  • Added: app/app/api/cron/prune-auth/route.ts - New protected endpoint to purge challenges older than 20 minutes (exceeding the SEP-10 expiration).
  • Modified: app/vercel.json - Scheduled /api/cron/prune-auth to execute securely on an hourly interval.
  • Added: app/tests/api/cron-prune-auth.test.ts - Ensure the cron job is idempotent, effectively deletes stale rows, and requires CRON_SECRET authorization.

Migration Summary

The generated migration file correctly uses -- DropTable to delete the deprecated auth_nonces table along with its attached indexes. This removes the legacy schema objects. Data will be completely, permanently lost, which is explicitly expected as the records hold zero system value.

Security Assessment

  • Replay protection remains unaffected: UsedChallenge rows verify transaction hashes and correctly bounce duplicate use requests inside the existing 15 minute transaction time boundary. The cron keeps them alive for 20 minutes padding to protect border edge-cases securely.
  • No authentication bypass: The system continues utilizing JWT sessions generated after rigid verifyChallenge success.
  • Cleanup job protections: The CRON_SECRET securely gates execution using isAuthorizedCron. Unauthorized access requests automatically reject with 401.
  • Database growth bound: Instead of rows storing forever, the prune endpoint safely truncates stale items, directly countering unbounded expansion and assuring steady lookups.
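
An added example, not part of the PR or the project's code: a small in-memory model of the replay check and prune job described above, showing why the prune cutoff must not be shorter than the challenge validity window. The names `ChallengeStore`, `verifyOnce`, `prune`, `replayAfterPrune` and `pruneTwice` are hypothetical, and row age is assumed to be measured from the time the challenge was consumed.

```typescript
// Added illustration: ChallengeStore, verifyOnce, prune and the helpers are
// hypothetical names; a Map stands in for the used-challenge table.
const MIN = 60 * 1000;
const CHALLENGE_TTL_MS = 15 * MIN; // challenge validity window stated in the PR
const RETENTION_MS = 20 * MIN;     // prune cutoff stated in the PR

type Challenge = { hash: string; issuedAt: number };
type Verdict = "ok" | "expired" | "replay";

class ChallengeStore {
  private used = new Map<string, number>(); // hash -> time it was consumed

  // Reject expired and already-seen challenges, then record the hash.
  verifyOnce(c: Challenge, now: number): Verdict {
    if (now - c.issuedAt > CHALLENGE_TTL_MS) return "expired";
    if (this.used.has(c.hash)) return "replay";
    this.used.set(c.hash, now);
    return "ok";
  }

  // Delete rows consumed more than retentionMs ago; returns the number removed.
  prune(now: number, retentionMs: number): number {
    let removed = 0;
    this.used.forEach((usedAt, hash) => {
      if (now - usedAt > retentionMs) { this.used.delete(hash); removed++; }
    });
    return removed;
  }

  size(): number { return this.used.size; }
}

// Constructed scenario: challenge issued at t=0, used at minute 1, cron fires at
// minute 13, the captured challenge is resubmitted at minute 14 (still unexpired).
function replayAfterPrune(retentionMs: number): Verdict {
  const store = new ChallengeStore();
  const c: Challenge = { hash: "constructed-hash-1", issuedAt: 0 };
  store.verifyOnce(c, 1 * MIN);
  store.prune(13 * MIN, retentionMs);
  return store.verifyOnce(c, 14 * MIN);
}

// Running the prune twice at the same instant: the second pass removes nothing.
function pruneTwice(): number[] {
  const store = new ChallengeStore();
  store.verifyOnce({ hash: "constructed-hash-2", issuedAt: 0 }, 1 * MIN);
  store.verifyOnce({ hash: "constructed-hash-3", issuedAt: 30 * MIN }, 31 * MIN);
  return [store.prune(40 * MIN, RETENTION_MS), store.prune(40 * MIN, RETENTION_MS), store.size()];
}
```

With the 20-minute cutoff the resubmitted challenge is still rejected as a replay; with a 10-minute cutoff the row is gone before the challenge expires and the same submission is accepted.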

Auwal007 and others added 2 commits June 25, 2026 17:26
- Dropped `AuthNonce` from Prisma schema.
- Created Prisma migration to safely drop the table.
- Removed unused `authNonce` references from cron prune endpoint.
- Updated unit tests.
…66163399618

fix: Remove AuthNonce to fix unbounded database growth
@drips-wave

drips-wave Bot commented Jun 25, 2026

@Auwal007 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@3m1n3nc3 3m1n3nc3 left a comment

Contributor

Please resolve failing CI

@Auwal007 Auwal007 closed this by deleting the head repository Jun 26, 2026

Development

Successfully merging this pull request may close these issues.

Orphaned /api/auth/nonce writes unbounded rows; UsedChallenge and AuthNonce are never pruned