User authentication (with backend verification)

[onbjerg]

Make it possible to sign in to Apiary using Web3. Signing in gives you the ability to persist your subscriptions across sessions.

I imagine the flow to be something like:

• Click "Sign in"
• A TOTP is sent from the server to the client
• The client signs the TOTP using Web3
• The signed TOTP is sent back to the server and verified
• A token is sent to the client that can be used for the remainder of the session

Another approach would be to possibly use the signed TOTP directly as the token.

If there are any other approaches I've missed then I'd like to hear them 👇

[onbjerg]

Another approach:

• Users are stored in the database with their public address and a random nonce
• Upon authentication users fetch their nonce
  • New users are created and a nonce is returned
  • Existing users just fetch their nonce
• The nonce is signed and sent back to the server in exchange for a session token
• The nonce is set to a new random number for next time

Pros:

• Easier to manage than TOTPs
• Simple design, technically and for the end-user

Cons:

• Theoretically possible that a user's nonce is set to the same number as a spent nonce at some point (can be mitigated)

[onbjerg]

Sort of already implemented and we can extend it if needed.