Add auth to real-time indexer endpoints to prevent DoS

[realproject7]

Problem

All four real-time indexer POST endpoints have no authentication:

• /api/index/trade
• /api/index/storyline
• /api/index/plot
• /api/index/donation

Anyone can spam these with arbitrary txHash values, causing excessive RPC calls (getReceiptWithRetry + getBlock + readContract per call). The cron routes correctly verify CRON_SECRET, but the real-time routes do not.

No data integrity risk (events are verified on-chain), but this is a DoS vector via RPC cost amplification.

Fix

Add CRON_SECRET or a separate INDEX_SECRET header check to all four real-time indexer routes. The frontend calls these after successful transactions, so the secret can be passed from the client (or use a lightweight API key).

Alternative: rate-limit by IP or require a valid recent tx hash (check tx exists and is < 5 min old before processing).

Files to modify

• src/app/api/index/trade/route.ts
• src/app/api/index/storyline/route.ts
• src/app/api/index/plot/route.ts
• src/app/api/index/donation/route.ts

Branch

task/636-indexer-auth

Acceptance criteria

• All four indexer endpoints require authentication
• Frontend passes auth token when calling indexers after tx
• Unauthenticated calls return 401
• Build passes

---

Self-Verification (T3)

• Run npm run dev, call POST /api/index/trade without auth header — verify 401 response
• Call POST /api/index/storyline without auth — verify 401
• Call POST /api/index/plot without auth — verify 401
• Call POST /api/index/donation without auth — verify 401
• Create a storyline via the UI — verify indexing still works (frontend passes auth)
• Make a trade via the UI — verify trade indexing still works
• Run npm run build — no errors

[realproject7]

T3 tools for verification: Use Chrome MCP or curl to test unauthenticated POST requests. Use the donor wallet to verify authenticated flows (create storyline, trade) still work.