pull down to refresh

I'm saving the nostr profile to the database, but I'm wondreing if this is a sane way to login just with a nip05. seems like anyone could generate a token and impersonate the user.
How can I do stuff in a hybrid nostr/database app with a nostr profile object and ensure people can't hack their account?
The approach we used (eg for https://js.nquiz.io) was based on Nostr Passport Auth - https://github.com/nosdav/passport-nostr
Basically you just use a signed note in the request header. No tokens needed! Just verify the event at backend with each request (signed, within a date range, comes from the correct domain etc)
reply
I'm not using express though. Nor am I using passport.
I can get the nip05 but I don't know how to authenticate a user (ie: a signin). is there some kind of secret token that getalby gives me back somehow?
I'm using ndk
reply
you don't need to use their library - check the implementation, it's just a few lines of code
You literally just sign an event and stick it in the auth header. This proves to backend that you control the private key, and that you are logging in to X website at X time.
This approach works with all signing mechanisms (nsecbunker, extensions, local key, signing device).