
[BE-W3A-103] Web3 Signature Security and Auditing - Step 103 #650

Merged: soomtochukwu merged 3 commits into DXmakers:main from Johnpii1:fix-conflit on May 29, 2026

@Johnpii1
Contributor

close #457

Description
Added a hardened auth router via createAuthRouter with strict request boundaries using zod, injectable AuthRouteState, and secure session cookie defaults (sessionCookieOptions).
Implemented canonical Stellar address validation (sanitizeStellarAddress) using StrKey decode/encode and checksum checks, bounded signature decoding (extractSignatureBytes), SEP-53-style signature verification (verifyStellarSignature) and challenge construction (buildChallenge).
Enforced atomic one-time nonce consumption by checking auth_challenges.deleteMany(...) before minting sessions and added Redis-backed revocation helpers (isSessionRevoked, revokeSession) with a 1ms lookup budget and a getDefaultRedisClient helper.
Wired session endpoints: /challenge, /verify, /session, and /logout, updated package.json test script, and added comprehensive node:test coverage in backend/tests/auth.test.ts covering address checksums, signature verification, challenge freshness, Redis timing, and replay prevention.

Testing
Ran npm test which executed the new node:test suite and all tests passed (5/5 tests passed).
Attempted npm run build; this currently fails due to existing TypeScript/Prisma issues outside this change (missing PrismaClient export from @prisma/client and several pre-existing implicit any errors in other routes), so build is not green at repository level.
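
The one-time nonce consumption described in the PR description above, as an added example that is not code from this pull request: it shows why the delete count has to be checked before a session is minted. `ChallengeTable` is a constructed in-memory stand-in for `auth_challenges`; `verifyRacy`, `verifyAtomic`, `mintSession` and `sessionsIssued` are hypothetical names, and signature verification is assumed to have already succeeded.

```typescript
// Constructed in-memory stand-in for the auth_challenges table. Calls are async
// so two requests can interleave the way they would against a real database.
type Challenge = { address: string; nonce: string; expiresAt: number };
type Where = { address: string; nonce: string; now: number };

class ChallengeTable {
  private rows = new Map<string, Challenge>();
  async create(c: Challenge): Promise<void> { this.rows.set(c.nonce, c); }
  async findFirst(nonce: string): Promise<Challenge | undefined> {
    await null; // yield, as a network round trip would
    return this.rows.get(nonce);
  }
  // Match and removal happen in one step, so only one caller sees count === 1.
  async deleteMany(w: Where): Promise<{ count: number }> {
    await null;
    const row = this.rows.get(w.nonce);
    if (!row || row.address !== w.address || row.expiresAt <= w.now) return { count: 0 };
    this.rows.delete(w.nonce);
    return { count: 1 };
  }
}

let minted = 0;
const mintSession = (address: string): string => `session-${++minted}-${address}`;

// Check-then-delete: concurrent requests can both pass the lookup before either deletes.
async function verifyRacy(db: ChallengeTable, address: string, nonce: string, now: number): Promise<string | null> {
  const row = await db.findFirst(nonce);
  if (!row || row.address !== address || row.expiresAt <= now) return null;
  await db.deleteMany({ address, nonce, now }); // delete result ignored
  return mintSession(address);
}

// Delete-then-check: only the caller whose delete removed the row gets a session.
async function verifyAtomic(db: ChallengeTable, address: string, nonce: string, now: number): Promise<string | null> {
  const { count } = await db.deleteMany({ address, nonce, now });
  return count === 1 ? mintSession(address) : null;
}

// Submits the same challenge response twice at once and counts sessions issued.
async function sessionsIssued(verify: typeof verifyAtomic, now: number): Promise<number> {
  const db = new ChallengeTable();
  await db.create({ address: "GEXAMPLE", nonce: "n-1", expiresAt: 2000 }); // constructed values
  const results = await Promise.all([verify(db, "GEXAMPLE", "n-1", now), verify(db, "GEXAMPLE", "n-1", now)]);
  return results.filter((s) => s !== null).length;
}
```
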

@Johnpii1 Johnpii1 requested a review from soomtochukwu as a code owner May 29, 2026 14:16
@vercel

vercel Bot commented May 29, 2026

@Johnpii1 is attempting to deploy a commit to the mAzI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@drips-wave

drips-wave Bot commented May 29, 2026

@Johnpii1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@soomtochukwu soomtochukwu merged commit 776a2f6 into DXmakers:main May 29, 2026
2 of 4 checks passed

Development

Successfully merging this pull request may close these issues.

[BE-W3A-103] Web3 Signature Security and Auditing - Step 103

2 participants