[ HumanjavaEnterprises/nostr-auth-middleware ] fix: JWT algorithm pinning, timing-safe comparisons, timestamp validation, challenge store

HIGH fixes:
- Pin JWT to HS256 in both sign() and verify() (prevents algorithm confusion)
- Constant-time API key comparison via crypto.timingSafeEqual (2 locations)
- Event timestamp validation: reject >5min old or >60s future events
- In-memory challenge store when Supabase unavailable (was completely
  bypassing challenge verification without it)
- Browser fetches challenges from server instead of generating locally

https://github.com/HumanjavaEnterprises/nostr-auth-middleware/commit/712422b9112ee64366950e100356839a840e0e87