I'm building a user authentication solution matching NEAR accounts to my own generated access tokens. I want to verify in my node.js backend (using nearlib?) whether a NEAR access key
(stored in local storage in the browser) matches the NEAR account provided. This is to prove that the request is actually sent by the account owner.
So if I have:
accountID: "myAccount",
near_access_token: "ed25519:{...}"
I'm also assuming that the correct NEAR access token to use here is the one stored under nearlib:keystore:klopt:default.
I want to verify in my node.js backend (using nearlib?) whether a NEAR access key (stored in local storage in the browser) matches the NEAR account provided.
You should be able to get the list of access keys for a given account using the account.getAccessKeys() call: https://github.com/nearprotocol/nearlib/blob/master/src.ts/account.ts#L202
Then you can check whether the key pair in the key store has the same public key as one of those access keys.
This is to prove that the request is actually sent by the account owner.
If you want to prove that the request is sent by the account owner, though, you need to verify a signature.
See e.g. this code in the account helper micro-service: https://github.com/nearprotocol/near-contract-helper/blob/19ac6ce05a0d44f0e389c85b30bc2b6a9190caac/app.js#L97
In that case securityCode had to be signed by the account (when setting up account recovery). In your case, instead of signing securityCode, you want to sign the request.
You should be able to sign the request using the Signer.signMessage API: https://github.com/nearprotocol/nearlib/blob/master/src.ts/signer.ts#L38