I am working on a basic game which is semi-blockchain game. I am distributing rewards using defender relay. I have onlyAdmin Reward Distributing function on smart contract whose admin is relay address and from frontend I am calling API when user clicks reward function and from frontend i am passing amount as parameter but i am very unsure about security of it, what will be best practice to implement defender for my use case? Environment
I am using Next.js.
I think any parameter passed from the front-end is inherently untrustworthy (a malicious user could easily access/change the parameter). I would recommend doing this processing server-side. So if user takes a (verifiable) action on the front-end, that should be validated on the back end and then the call to the Relay happens on the backend with whatever amount that action maps to. Hope that's helpful.
you can use https://github.com/nextauthjs/next-auth in the nextjs for that sign in for the wallet user, and in the backend check your database about the address match with the reward that not claimed or amount if assert so you can the relayer webhook.
Have others alternatives for siwe (sign in with ethereum) in nextjs too.
User Sign msg using wallet -> goes to backend nexjs -> verifiy things -> call webhook.
Environment
Code to reproduce