fix: sign For You feed request to fix 403 from discovery#14300

Closed
dylanjeffers wants to merge 1 commit into main from fix/for-you-feed-sign-request

Conversation

@dylanjeffers
Contributor

Summary

The For You feed on web RC was returning empty / blank because the discovery-node request was reaching the server unsigned, getting back 403 "You are not authorized to make this request authedWallet= myId=<N>".

Root cause

The OpenAPI swagger spec for /v1/users/{id}/feed/for-you is missing the Encoded-Data-Message and Encoded-Data-Signature header parameters that the analogous /v1/users/{id}/feed endpoint declares. Compare the generated SDK methods:

  • getUserFeedRaw reads params.encodedDataMessage / params.encodedDataSignature into headerParameters before calling this.request(...) — these match what the addRequestSignatureMiddleware would inject, so the headers are always present.
  • getUserForYouFeedRaw has no auth-header handling at all — relies entirely on middleware-injected headers.

The signing middleware (addRequestSignatureMiddleware) is supposed to populate those headers at request time, and should apply to both endpoints since both call this.request(). In practice the For You call is going out without them — symptom verified by the 403 response with empty authedWallet=.

Rather than chase the middleware behavior, this PR signs explicitly at the call site so the headers are guaranteed present.

What changed

  • packages/common/src/api/tan-query/lineups/useForYouFeed.ts: sign with sdk.services.audiusWalletClient.signMessage and pass Encoded-Data-Message / Encoded-Data-Signature via the SDK method's initOverrides. The request-signature middleware sees the headers already present and skips its injection — no double-signing.

Test plan

  • On release-candidate.audius.co (signed in), open For You tab and verify it loads tracks instead of showing empty / skeleton state.
  • DevTools Network: inspect the GET /v1/users/{id}/feed/for-you request — confirm Encoded-Data-Message and Encoded-Data-Signature headers are present, and response is 200 with track data.
  • Following tab still works (regression check — same shared hook pattern).
  • Mobile RC: For You feed loads after OTA picks up the bundle.

Follow-ups (not in this PR)

  • The swagger spec for /feed/for-you should declare the Encoded-Data-* header parameters so the next SDK regenerate brings the generated method in line with getUserFeedRaw. Once that lands, this hook-level patch can be reverted.
  • staging.audius.co is serving a Dec 2025 build because the staging deploy pipeline was retired (Drop staging #13540) but DNS still points at the orphaned worker. Worth tombstoning or redirecting separately.

🤖 Generated with Claude Code

The OpenAPI spec for `/v1/users/{id}/feed/for-you` omits the
`Encoded-Data-Message`/`Encoded-Data-Signature` header parameters that
the analogous `/v1/users/{id}/feed` endpoint declares, so the generated
SDK method has no auth-header handling. In the For You query flow this
manifested as the discovery node returning 403 with `authedWallet=`
empty — the request was reaching the server unsigned.

Sign in the hook using `sdk.services.audiusWalletClient` and pass the
headers via `initOverrides`. The request-signature middleware sees the
headers already present and skips its own injection, so there's no
double-signing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
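The signing pattern the PR description and commit message describe, as an added example that is not part of this PR or of the Audius SDK: a request-signature middleware that injects the two headers only when the call site has not already supplied them, beside a call site that signs explicitly and passes the headers through `initOverrides`, and a server-side check that answers 403 with an empty `authedWallet` when a request arrives unsigned or with a signature that does not match the message. The function names, the HMAC-SHA256 stand-in for the wallet signature, the constructed demo key and the `0xDEMO` wallet label are all assumptions; the real SDK signs with `sdk.services.audiusWalletClient.signMessage` as the description states.

```typescript
// Added example, not Audius SDK code. Names and the HMAC stand-in are
// assumptions modelled on the PR description.
import { createHmac, timingSafeEqual } from "node:crypto";

type HeaderMap = Record<string, string>;
interface RequestInitLike {
  headers?: HeaderMap;
}

const MESSAGE_HEADER = "Encoded-Data-Message";
const SIGNATURE_HEADER = "Encoded-Data-Signature";

// Constructed demo key: stands in for the wallet key audiusWalletClient
// would use. HMAC-SHA256 replaces the wallet signature for this example.
const DEMO_KEY = Buffer.from("constructed-demo-signing-key");
const DEMO_WALLET = "0xDEMO"; // constructed label reported as authedWallet

export function signMessage(message: string): string {
  return createHmac("sha256", DEMO_KEY).update(message).digest("hex");
}

// Header pair the server expects; the message carries a timestamp so a
// captured pair is not valid forever.
export function signedHeaders(timestampMs: number): HeaderMap {
  const message = `signature:${timestampMs}`;
  return { [MESSAGE_HEADER]: message, [SIGNATURE_HEADER]: signMessage(message) };
}

// Middleware: inject the signature only when the caller has not already
// supplied both headers, so call-site signing is never overwritten.
export function addRequestSignatureMiddleware(
  init: RequestInitLike,
  timestampMs: number
): RequestInitLike {
  const headers: HeaderMap = { ...(init.headers ?? {}) };
  if (headers[MESSAGE_HEADER] && headers[SIGNATURE_HEADER]) {
    return { ...init, headers }; // already signed at the call site: skip
  }
  return { ...init, headers: { ...headers, ...signedHeaders(timestampMs) } };
}

// Server-side check modelled on the 403 in the PR description: recompute
// the MAC over the presented message and compare in constant time.
export function authorize(headers: HeaderMap): { status: number; authedWallet: string } {
  const message = headers[MESSAGE_HEADER];
  const sig = headers[SIGNATURE_HEADER];
  if (!message || !sig) {
    return { status: 403, authedWallet: "" }; // unsigned request
  }
  const expected = Buffer.from(signMessage(message), "hex");
  const given = Buffer.from(sig, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { status: 403, authedWallet: "" }; // signature does not match message
  }
  return { status: 200, authedWallet: DEMO_WALLET };
}

// Call site. With empty initOverrides the middleware signs; with headers
// already in initOverrides (the PR's approach) the middleware skips.
export function requestForYouFeed(
  initOverrides: RequestInitLike = {},
  timestampMs: number = Date.now()
): { init: RequestInitLike; response: { status: number; authedWallet: string } } {
  const init = addRequestSignatureMiddleware(initOverrides, timestampMs);
  return { init, response: authorize(init.headers ?? {}) };
}
```

The branch worth noting is the early return in `addRequestSignatureMiddleware`: it is what lets explicit call-site signing coexist with the middleware without a second signature overwriting the first, and it is also why a middleware that never runs produces exactly the symptom in the description, an unsigned request and a 403 with `authedWallet=` empty.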
@changeset-bot

changeset-bot Bot commented May 13, 2026

⚠️ No Changeset found

Latest commit: a447bb1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@github-actions
Contributor

🌐 Web preview ready

Preview URL: https://audius-web-preview-pr-14300.audius.workers.dev

Unique preview for this PR (deployed from this branch).

@dylanjeffers
Contributor Author

Closing — fixing this on the API side instead. The root cause was the global authMiddleware in the Go API returning 403 for any request with user_id query param that wasn't wallet-signed, even though the For You handler itself uses tryGetAuthedWallet (optional) and doesn't actually need the auth.

API fix: AudiusProject/api#804 — exempts /users/:userId/feed/for-you from the strict user_id-must-match-wallet check. Once that's deployed, the web call will succeed without any client change, so this hook-level signing patch isn't needed.

Reverting the client-side patch keeps useForYouFeed.ts symmetric with useFeed.ts (no manual signing, relies on the SDK's request-signature middleware as designed).
