Closed macadev closed 2 years ago
Were you able to figure out a solution to this yet? I'm trying to figure out the same problem.
Having the same concerns here. I think mint authority is different for every token, and update authority can probably be spoofed.
You have to validate NFTs using the creator array within the on-chain metadata. If the creator has verified=true in the creator array, that address must have signed off on it. Our docs provide a bit more information on this, I believe. Our Discord is also a good resource to use. Thanks!
Hi Metaplex team, I'll state my question as briefly as I can:
I'm working on a project where the token holders of an NFT collection will be able to interact with another Solana program I am creating. Logically, that other program will have to validate that the transactions it receives come from true owners of a specific NFT collection. This is how I'm thinking of performing that validation:
With the above, all that has been accomplished is checking that the Token Account is truly owned by the person sending us the transaction and that it has balance = 1. The piece that I haven't been able to figure out is how to ensure that the Token Account is truly a part of a specific NFT collection. This is one way I can think of doing that:
My Solana program could check that the update authority and the mint authority match some hardcoded accounts. Is validating this chain of relationships a safe way to prove that a Token Account is associated with a specific NFT? Is there an easier way to do this?
My concern is that, since I don't understand the internals of the spl-token program and Metaplex's Candy Machine, I'm not sure what parts of this can be easily spoofed to trick my program into thinking a Token Account is part of a valid NFT collection. It feels unsafe to me unless an expert tells me otherwise.
Thanks a ton for your help! I really appreciate it.
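An added example (not part of the thread and not Metaplex code) combining the holder and balance checks from the question with the verified-creator check from the Metaplex reply. The structs are simplified stand-ins for already-decoded account data; `validate_holder`, `Reject`, the `account_owner` field and the check that the metadata account belongs to the metadata program are assumptions of this example.

```rust
// Simplified stand-ins for decoded account data (assumption: a real program
// deserializes these from accounts and re-derives the metadata address).
type Pubkey = [u8; 32];

struct TokenAccount { owner: Pubkey, mint: Pubkey, amount: u64 }
struct Creator { address: Pubkey, verified: bool }
struct Metadata { account_owner: Pubkey, mint: Pubkey, creators: Vec<Creator> }

#[derive(Debug, PartialEq)]
enum Reject { NotHolder, WrongBalance, ForeignMetadata, MintMismatch, CreatorNotVerified }

fn validate_holder(
    signer: &Pubkey,
    token: &TokenAccount,
    md: &Metadata,
    metadata_program: &Pubkey,   // expected owner of the metadata account
    collection_creator: &Pubkey, // hardcoded creator address of the collection
) -> Result<(), Reject> {
    // Checks from the question: signer owns the token account, balance is 1.
    if token.owner != *signer { return Err(Reject::NotHolder); }
    if token.amount != 1 { return Err(Reject::WrongBalance); }
    // Metadata written by any other program could contain arbitrary creators.
    if md.account_owner != *metadata_program { return Err(Reject::ForeignMetadata); }
    // The metadata must describe the mint held in this token account.
    if md.mint != token.mint { return Err(Reject::MintMismatch); }
    // Being listed is not enough: only verified=true means the creator signed.
    let signed = md.creators.iter().any(|c| c.address == *collection_creator && c.verified);
    if signed { Ok(()) } else { Err(Reject::CreatorNotVerified) }
}

fn key(n: u8) -> Pubkey { [n; 32] } // constructed sample keys

fn main() {
    let (holder, mint, program, creator) = (key(1), key(2), key(3), key(4));
    let token = TokenAccount { owner: holder, mint, amount: 1 };
    let genuine = Metadata {
        account_owner: program, mint,
        creators: vec![Creator { address: creator, verified: true }],
    };
    // Look-alike: names the collection creator, but the creator never signed.
    let lookalike = Metadata {
        account_owner: program, mint,
        creators: vec![Creator { address: creator, verified: false }],
    };
    println!("{:?}", validate_holder(&holder, &token, &genuine, &program, &creator));
    println!("{:?}", validate_holder(&holder, &token, &lookalike, &program, &creator));
}
```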