Unauthenticated Proof Status Update #11

@LSUDOKO

Unauthenticated Proof Status Update Vulnerability

Description

The POST /update-proof-status endpoint in lensmint-public-server lacks any form of authentication.
It accepts requests to update the verification_status and proof_tx_hash for any given claim ID.

Impact

A malicious actor can bypass the entire Zero-Knowledge proof generation process.

They can:

  • Take an unverified image's claim ID
  • Call this endpoint
  • Mark it as "verified" with a fake transaction hash

This completely undermines the device authenticity guarantees of the project.


Reproduction Steps

  1. Start the lensmint-public-server locally on port 5001.

  2. Locate any valid claim_id
    (for example from the check-claim endpoint or database).

  3. Send a malicious POST request using curl:

curl -X POST http://localhost:5001/update-proof-status \
  -H "Content-Type: application/json" \
  -d '{
    "claim_id": "YOUR_TARGET_CLAIM_ID",
    "verification_status": "verified",
    "proof_tx_hash": "0xFakeTransactionHash12345"
  }'
  4. The server will respond with:

{
  "success": true,
  "message": "Proof status updated"
}

  5. Visit:

  6. Observe that the UI now incorrectly displays the proof as "verified".

Suggested Fix

Implement authentication for the endpoint. Possible approaches:

  • API Key Authentication
  • Shared Secret Webhook between hardware-web3-service and the public server
  • Token-based authentication (JWT or similar)
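
Added example, not part of the original issue and not the project's own code: one way the shared-secret webhook option could be enforced on POST /update-proof-status, written as framework-independent Node.js. The header names, the 300-second replay window, and the sample secret, claim ID and transaction hash are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical header names and replay window; not taken from the project.
const TS_HEADER = "x-lensmint-timestamp";
const SIG_HEADER = "x-lensmint-signature";
const MAX_SKEW_SECONDS = 300;

// Sender (hardware-web3-service): HMAC-SHA256 over "<timestamp>.<raw body>".
function signRequest(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");
}

// Receiver (public server): call before touching the claim record.
// Takes the raw body bytes as received, not a re-serialised JSON object.
function verifyRequest(secret, headers, rawBody, nowSeconds) {
  const ts = headers[TS_HEADER];
  const sig = headers[SIG_HEADER];
  if (typeof ts !== "string" || typeof sig !== "string") {
    return { ok: false, status: 401, reason: "missing signature headers" };
  }
  // Reject old timestamps so a captured request cannot be replayed later.
  if (!/^\d{1,12}$/.test(ts) || Math.abs(nowSeconds - Number(ts)) > MAX_SKEW_SECONDS) {
    return { ok: false, status: 401, reason: "stale timestamp" };
  }
  const expected = Buffer.from(signRequest(secret, ts, rawBody), "hex");
  const given = /^[0-9a-f]{64}$/.test(sig) ? Buffer.from(sig, "hex") : Buffer.alloc(0);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, status: 401, reason: "bad signature" };
  }
  return { ok: true, status: 200, reason: "authenticated" };
}

// Constructed sample data: the secret and claim ID are placeholders.
const SECRET = "constructed-demo-secret";
const NOW = 1700000000;
const BODY = JSON.stringify({
  claim_id: "EXAMPLE_CLAIM_ID",
  verification_status: "verified",
  proof_tx_hash: "0xEXAMPLE",
});
const signed = { [TS_HEADER]: String(NOW), [SIG_HEADER]: signRequest(SECRET, NOW, BODY) };

console.log(verifyRequest(SECRET, {}, BODY, NOW).reason);            // unsigned request
console.log(verifyRequest(SECRET, signed, BODY, NOW + 10).reason);   // genuine request
console.log(verifyRequest(SECRET, signed, BODY.replace("EXAMPLE_CLAIM_ID", "OTHER"), NOW).reason);
console.log(verifyRequest(SECRET, signed, BODY, NOW + 3600).reason); // replay an hour later
```

The handler should return the 401 before any database write, and the secret should come from configuration shared only by the two services.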
