Implement User Authentication

[hussu010]

• Ask the user to Connect Wallet.
• Fetch the user's accountNumber.
• Send a POST request to /api/v1/users/create to get the nonce of the user.

Body of the request:

{
accountNumber": "c22f224dac22c6d02e94936f8ac256736555dcf270649f090b201a1bede9c5c8"
}

Response:

{
    "_id": "6277bf9459056edfe3a657ce",
    "accountNumber": "c22f224dac22c6d02e94936f8ac256736555dcf270649f090b201a1bede9c5c8",
    "nonce": 768051,
    "createdAt": "2022-05-08T13:03:16.222Z",
    "updatedAt": "2022-05-08T13:03:16.222Z",
    "__v": 0
}

• Once we have the nonce, ask the user to sign the message Signing my leapchain nonce: NONCE.
• Once we have the signature, send a POST request to api/v1/auth endpoint with the body:

{
    "accountNumber": "22d0f0047b572a6acb6615f7aae646b0b96ddc58bfd54ed2775f885baeba3d6a",
    "signature": "0777ba24c5d916b271216afbfc4844813343dec58388a3732bafe92c6be16ced280ec8dfe43b2204d79c44a418e58307a992d130054482e6da6e5dad412dad00"
}

• If success, the response will be

{
    "user": {
        "_id": "625bfccbf6d2b7ed9f7a8da8",
        "accountNumber": "22d0f0047b572a6acb6615f7aae646b0b96ddc58bfd54ed2775f885baeba3d6a",
        "nonce": 353378,
        "createdAt": "2022-04-17T11:40:59.773Z",
        "updatedAt": "2022-05-13T12:42:06.834Z",
        "__v": 0
    },
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjViZmNjYmY2ZDJiN2VkOWY3YThkYTgiLCJpYXQiOjE2NTI0NDU3MjYsImV4cCI6MTY1NTAzNzcyNn0.FvcbVsc8-pfo20wsWjFeej-aGeI13af77Zq2eH8oGuE"
}

• Store the accessToken for JWT-based authentication.

PS: We are not using the JWT yet.

[jamessspanggg]

Are we missing some fields according to https://docs.google.com/document/d/1lOmcPgQFz6w-4JzLIYC6Tytw0_xedlpnBtdBZN6-Bqw/edit?

Some other follow up questions:

• POST to /api/v1/users: this is to create the user account right? perhaps /api/v1/users/create might be a more suitable endpoint?

Once we have the nonce, ask the user to sign the message Signing my leapchain nonce: NONCE.

• How are we performing the signing? is it via the https://thenewboston-developers.github.io/thenewboston-js/account.html#creating-signatures here? Also just to clarify, the signature is basically the account number signed with the nonce?

cc @hussu010 @mrbusysky

[mrbusysky]

Via keysign, also the backend should be verifying the signature, not the front end. @jamessspanggg the front end only handles the handshake method, and the post/get to backend. Plus the other stuff like storing data and so on in the local storage.

[hussu010]

Are we missing some fields according to https://docs.google.com/document/d/1lOmcPgQFz6w-4JzLIYC6Tytw0_xedlpnBtdBZN6-Bqw/edit?

We decided to have the API independent of anything else and later connect the discord bot to API if necessary.

POST to /api/v1/users: this is to create the user account right? perhaps /api/v1/users/create might be a more suitable endpoint?

Sure I'll update the naming in the next release.

How are we performing the signing? is it via the https://thenewboston-developers.github.io/thenewboston-js/account.html#creating-signatures here? Also just to clarify, the signature is basically the account number signed with the nonce?

Exactly. Here we will be using the Keysign for the signature. If we were using the library it'd be:

const account = new Account();
account.createSignature("Signing my leapchain nonce: 234323");

Let me know if anything is unclear.
cc: @mrbusysky @jamessspanggg

[mrbusysky]

WIP Prototype: #18

[mrbusysky]

This is semi done. But it will need some cleanup