Implement the JWT / Refresh token authorization scheme that HelloTello is using inside of NestJS. The only difference will be that users will be connecting their wallet and signing a message, rather than returning a username and password. I demonstrate how to do this here:
https://github.com/Untitled-Pay/Untitled-Pay/blob/balance/packages/client/src/components/SignButton/index.tsx
However, this is all client-side code, and needs to be run in a trusted environment (our NestJS server). I'd propose this:
1. The client app makes a request to the NestJS server for a message to sign, providing the pubkey.
2. The NestJS server returns a message of the format `${display message} \n \n nonce: ${nonce}` as a Uint8Array. The NestJS server stores this message in memory. (If you want NestJS to be stateless, you could have NestJS add the pubkey + expiry date (keep it short, under 5 mins) to the message, and then sign the message with a secret it controls. Then return that message along with its own signature.)
3. The client app prompts the user to sign the message, and returns the signature and pubkey to NestJS.
4. NestJS finds the message it sent corresponding to that pubkey from memory. (Or if NestJS is stateless, it determines that the message is legitimate by comparing the message to its own signature.) If NestJS didn't verify the legitimacy of the message that was signed, we could sign in as pubkey123 using any message for which we have the corresponding signature. NestJS compares the message, pubkey, and signature to determine if the user signature is valid or not. If it is valid, NestJS returns a JWT + refresh token (or whatever authorization method you want to use).
Would it be possible to build this as a library so that other NestJS users could import and add to their auth flows easily, maybe with something as simple as a decorator?
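The stateless variant of the four-step flow above, as an added example that is not code from this issue or from Untitled-Pay. It uses Node's built-in `crypto` (ed25519 for the wallet signature, HMAC-SHA256 as the "secret it controls" that the server uses to sign its own challenge) rather than a wallet adapter, encodes the pubkey as hex for simplicity (Solana wallets use base58), uses a made-up display string, and leaves out the NestJS decorator and JWT issuance so that the exchange runs offline. The wallet is simulated with a freshly generated key so both sides of the exchange are visible. The point it demonstrates is the check in step 4: a wallet signature alone is not enough, the server must first confirm the signed bytes are a challenge it issued, for this pubkey, that has not expired.

```typescript
import {
  createHmac, createPublicKey, generateKeyPairSync, randomBytes,
  sign, timingSafeEqual, verify, KeyObject,
} from 'crypto';

// Added example, not Untitled-Pay code. Display text and TTL are assumptions.
const DISPLAY_MESSAGE = 'Sign in to Untitled-Pay';
const CHALLENGE_TTL_MS = 5 * 60 * 1000; // "keep it short, under 5 mins"

// DER SubjectPublicKeyInfo prefix for ed25519. A wallet exposes the raw 32-byte
// key; prepending this lets Node's crypto.verify() consume it as a KeyObject.
const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

function rawPubkeyToKeyObject(rawPubkey: Buffer): KeyObject {
  return createPublicKey({
    key: Buffer.concat([ED25519_SPKI_PREFIX, rawPubkey]),
    format: 'der',
    type: 'spki',
  });
}

export interface Challenge {
  message: Uint8Array; // the bytes the wallet is asked to sign
  serverSig: string;   // HMAC over message, so the server can recognise it later
}

// Steps 1-2: client sends its pubkey, server answers with a message it can later
// recognise without keeping state: the HMAC binds nonce, pubkey and expiry to the secret.
export function issueChallenge(serverSecret: Buffer, rawPubkey: Buffer, now = Date.now()): Challenge {
  const nonce = randomBytes(16).toString('hex');
  const expires = now + CHALLENGE_TTL_MS;
  const text =
    `${DISPLAY_MESSAGE}\n\nnonce: ${nonce}\npubkey: ${rawPubkey.toString('hex')}\nexpires: ${expires}`;
  const message = Buffer.from(text, 'utf8');
  const serverSig = createHmac('sha256', serverSecret).update(message).digest('hex');
  return { message: new Uint8Array(message), serverSig };
}

// Steps 3-4: client returns (message, serverSig, pubkey, walletSig). True only if the
// message is one we issued for this pubkey, is unexpired, and the wallet signature checks.
export function verifyLogin(
  serverSecret: Buffer,
  message: Uint8Array,
  serverSig: string,
  rawPubkey: Buffer,
  walletSig: Uint8Array,
  now = Date.now(),
): boolean {
  const msg = Buffer.from(message);

  // Is this a challenge we issued? Without this check any (message, signature) pair the
  // wallet ever produced, for any dApp, would log the user in.
  const expected = createHmac('sha256', serverSecret).update(msg).digest();
  const given = Buffer.from(serverSig, 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;

  // The challenge must have been issued for this pubkey and must not be expired.
  const text = msg.toString('utf8');
  const boundPubkey = /^pubkey: ([0-9a-f]+)$/m.exec(text)?.[1];
  const expires = /^expires: (\d+)$/m.exec(text)?.[1];
  if (boundPubkey !== rawPubkey.toString('hex')) return false;
  if (expires === undefined || now > Number(expires)) return false;

  // Finally, the wallet's ed25519 signature over exactly the bytes we sent.
  return verify(null, msg, rawPubkeyToKeyObject(rawPubkey), Buffer.from(walletSig));
}

// Simulated wallet with a constructed key pair, so the exchange runs offline.
export function makeWallet() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  // The raw 32-byte key is the tail of the 44-byte SPKI DER encoding.
  const rawPubkey = (publicKey.export({ format: 'der', type: 'spki' }) as Buffer).subarray(12);
  return {
    rawPubkey,
    signMessage: (m: Uint8Array): Uint8Array =>
      new Uint8Array(sign(null, Buffer.from(m), privateKey)),
  };
}

// Happy-path exchange, returned rather than printed so it can be checked.
export function demoLogin(): boolean {
  const serverSecret = randomBytes(32);
  const wallet = makeWallet();
  const { message, serverSig } = issueChallenge(serverSecret, wallet.rawPubkey);
  const walletSig = wallet.signMessage(message);
  return verifyLogin(serverSecret, message, serverSig, wallet.rawPubkey, walletSig);
}
```

One caveat the stateless design carries on its own: until the expiry passes, the same (message, serverSig, walletSig) triple verifies again, so a captured login can be replayed for up to the TTL. The in-memory variant avoids that by deleting the challenge once used; a stateless server should keep a short-lived set of consumed nonces (or accept the TTL-bounded replay window knowingly).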