Improve SIWE logic to use dynamic, user-specific nonce - backend

[joelamouche]

This could be done at the same time as #108 or seprately. If you chose to just do the backend, let's not merge this in order to not break the code, and have the front end implementer branch out of this

Specs:

• Add new migration to add login_nonce NUMBER column to profiles table
• Create new get_login_nonce_by_wallet_address method in profile_repository (domain) to get a user's login nonce with their wallet address
• Add get_login_nonce_by_wallet_address method implementation in postgres_profile_repository (infrastructure) to get a user's login nonce with their wallet address
• Add a get_login_nonce query in the application layer
• Add a /nonce/:wallet_address public GET endpoint and handler that uses the get_user_login_nonce
• Update the ethereum_address_verification_service implementation (verify_signature method) to use the current nonce for the given user instead of the constant nonce - and increment the nonce (see discussion)

In next ticket #108

• Update the frontend to call the /nonce/:wallet_address GET endpoint to get the nonce and sign it instead of the constant nonce

[tusharshah21]

Hey @joelamouche I recently created a SIWE for my project, would like to do the same, can you assign it to me?

[joelamouche]

Sure @tusharshah21 but what would be the plan? The reason I didn't add this to the wave is that we haven't speced it out fully. What do you propose?

[tusharshah21]

Hey @joelamouche ,
Plan is to implement a proper nonce-based flow like SIWE:

• Backend generates & stores nonce → frontend signs it → backend verifies & invalidates.
• For mutation requests, we can also include the method + payload in the signed message to ensure integrity.

Does that sound good?

[joelamouche]

Okay sounds good. But our backend is in rust, are you confortable with that?
Also, do you want to take care of the front end modifications as well in the same PR or should I work on this in a parallel ticket?

[tusharshah21]

Naah works for me in the same, as the test would be done parallel mate! Regarding Rust could be dicy but you are there for any help, so yup I could cover it easily

[joelamouche]

Okay good luck then!

[oscarwroche]

Specs:

• Add new migration to add login_nonce NUMBER column to profiles table
• Create new get_login_nonce_by_wallet_address method in profile_repository (domain) to get a user's login nonce with their wallet address
• Add get_login_nonce_by_wallet_address method implementation in postgres_profile_repository (infrastructure) to get a user's login nonce with their wallet address
• Add a get_login_nonce query in the application layer
• Add a /nonce/:wallet_address public GET endpoint and handler that uses the get_user_login_nonce
• Update the ethereum_address_verification_service implementation (verify_signature method) to use the current nonce for the given user instead of the constant nonce - and increment the nonce (see discussion)
• Update the frontend to call the /nonce/:wallet_address GET endpoint to get the nonce and sign it instead of the constant nonce