From 05acb4dd61e5a84150c566912ff78243e17221fe Mon Sep 17 00:00:00 2001
From: Marcus Pasell <3690498+rickyrombo@users.noreply.github.com>
Date: Wed, 11 Feb 2026 19:50:40 -0800
Subject: [PATCH] Use the userId set in the basic auth
---
 api/auth_middleware.go | 19 +++++++++++--------
 api/request_helpers.go | 7 +++++++
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/api/auth_middleware.go b/api/auth_middleware.go
index d2aba765..788ee1bd 100644
--- a/api/auth_middleware.go
+++ b/api/auth_middleware.go
@@ -103,19 +103,22 @@ func (app *ApiServer) getAuthedWallet(c *fiber.Ctx) string {
 // - the user is not authorized to act on behalf of "myId"
 // - the user is not authorized to act on behalf of "myWallet"
 func (app *ApiServer) authMiddleware(c *fiber.Ctx) error {
- wallet := app.recoverAuthorityFromSignatureHeaders(c)
-
- if wallet == "" {
- signer, _ := app.getApiSigner(c)
- if signer != nil {
- wallet = strings.ToLower(signer.Address)
- }
+ var wallet string
+ var myId int32
+
+ signer, _ := app.getApiSigner(c)
+ if signer != nil {
+ wallet = strings.ToLower(signer.Address)
+ c.Locals("myId", signer.UserId)
+ myId = int32(signer.UserId)
+ } else {
+ wallet = app.recoverAuthorityFromSignatureHeaders(c)
+ myId = app.getMyId(c)
 }
 c.Locals("authedWallet", wallet)
 // Not authorized to act on behalf of myId
- myId := app.getMyId(c)
 if myId != 0 && !app.isAuthorizedRequest(c.Context(), myId, wallet) {
 return fiber.NewError(
 fiber.StatusForbidden,
diff --git a/api/request_helpers.go b/api/request_helpers.go
index 7ba03e56..54e5ead3 100644
--- a/api/request_helpers.go
+++ b/api/request_helpers.go
@@ -14,6 +14,7 @@ import (
 // Signer holds the address, public key, and private key for signing transactions
 type Signer struct {
+ UserId int
 Address string
 PrivateKey *ecdsa.PrivateKey
 }
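Review bot: The authorization check and the request context end up holding different values in the `if signer != nil` branch: `c.Locals("myId", signer.UserId)` stores the full `int` parsed from the Basic Auth username, while `isAuthorizedRequest` is called with `int32(signer.UserId)`. A username outside the int32 range is narrowed silently, so the id that was authorized (or a narrowed 0, which skips the `myId != 0` check altogether) can differ from the id later handlers read from Locals; how `getMyId` reads that value is not visible here. Parse with a 32-bit bound in getApiSigner, e.g. `id, err := strconv.ParseInt(parts[0], 10, 32)`, reject values `<= 0`, and store the checked value with `c.Locals("myId", myId)`, after confirming the type `getMyId` expects. The same branch still discards the error via `signer, _ := app.getApiSigner(c)`, and authMiddleware's body continues past the end of the hunk.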
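Review bot: The doc comment above `Signer` no longer matches the struct: it lists "address, public key, and private key", but the type now also carries `UserId`, which comes from the client-supplied `parts[0]` rather than being derived from the key. Suggest `// Signer holds the user ID claimed in the Basic Auth credentials, plus the address and private key derived from the password field.` so readers do not treat `UserId` as a verified identity. Go naming convention would spell the field `UserID`, and declaring it `int32` would match how authMiddleware consumes it and remove the narrowing cast there.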
@@ -56,6 +57,11 @@ func (app *ApiServer) getApiSigner(c *fiber.Ctx) (*Signer, error) {
 return nil, fmt.Errorf("invalid Basic Auth format")
 }
+ userId, err := strconv.Atoi(parts[0])
+ if err != nil {
+ return nil, fmt.Errorf("invalid userId: %w", err)
+ }
+
 // The private key is in the password field (parts[1])
 privateKeyHex := strings.TrimPrefix(parts[1], "0x")
@@ -69,6 +75,7 @@ func (app *ApiServer) getApiSigner(c *fiber.Ctx) (*Signer, error) {
 address := crypto.PubkeyToAddress(privateKey.PublicKey)
 return &Signer{
+ UserId: userId,
 Address: address.Hex(),
 PrivateKey: privateKey,
 }, nil
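Review bot: The new `strconv.Atoi(parts[0])` check makes a numeric first field mandatory for every caller of getApiSigner, yet authMiddleware calls it as `signer, _ := app.getApiSigner(c)`, so the `invalid userId` error is never surfaced there. A request whose Basic Auth user field is not a number now silently loses its signer and falls through to the signature-header path instead of being rejected, which is hard to diagnose and changes behaviour for any client that previously sent an arbitrary value. Consider having authMiddleware return `fiber.NewError(fiber.StatusUnauthorized, "invalid Basic Auth credentials")` when Basic Auth was supplied but failed to parse; whether getApiSigner also returns an error when no header is present is not visible in this hunk. Also confirm `strconv` is already imported in request_helpers.go, since the diff does not touch the import block.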