I did something similar:

- User enters npub to authorize.
- Server visually displays a one-time code and also sends encrypted DMs to the user.
- User visually confirms the DM code is the same and replies ‘OK’ if satisfied.
- Server listens for a decrypted DM ‘OK’ from the npub where event.created_at > the sent DM event's created_at.
- If ‘OK’, sets a login-OK status for a one-time query.
- Browser client polls for the one-time status; if login is True, the session cookie is set for logged in and the status is cleared.

I had this all working for NIP-04, upgrading to NIP-17.
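The server-side checks in the flow described above, as an added example that is not part of the original post. `DmLogin`, its method names, the `poll_token` that ties polling to one browser, and the expiry window are assumptions made for illustration; decryption and signature verification of the DM are assumed to happen before `on_dm` is called, and the npub is assumed to be already decoded to the hex pubkey carried in events.

```python
import secrets
import time


class DmLogin:
    """In-memory model of the one-time-code DM login flow (hypothetical names)."""

    def __init__(self, ttl=300):
        self.ttl = ttl        # assumed expiry window, in seconds
        self.pending = {}     # pubkey -> (dm_sent_at, poll_token)
        self.approved = {}    # poll_token -> pubkey, consumed by one poll

    def start(self, pubkey, now=None):
        """Create the code shown in the browser and sent by encrypted DM."""
        now = int(time.time() if now is None else now)
        code = f"{secrets.randbelow(10**6):06d}"
        poll_token = secrets.token_urlsafe(32)  # assumption: held by the browser
        self.pending[pubkey] = (now, poll_token)
        return code, poll_token

    def on_dm(self, event, now=None):
        """event: decrypted, signature-checked DM with pubkey/created_at/content."""
        now = int(time.time() if now is None else now)
        entry = self.pending.get(event["pubkey"])
        if entry is None:
            return False                       # no login pending for this key
        sent_at, poll_token = entry
        if now - sent_at > self.ttl:
            del self.pending[event["pubkey"]]  # stale challenge, drop it
            return False
        if event["created_at"] <= sent_at:
            return False                       # reply must postdate our DM
        if event["content"].strip() != "OK":
            return False
        del self.pending[event["pubkey"]]      # a replayed 'OK' finds nothing
        self.approved[poll_token] = event["pubkey"]
        return True

    def poll(self, poll_token):
        """Return the pubkey once, then clear the status."""
        return self.approved.pop(poll_token, None)


if __name__ == "__main__":
    flow = DmLogin()
    key = "ab" * 32                            # constructed sample pubkey
    code, token = flow.start(key, now=1000)
    flow.on_dm({"pubkey": key, "created_at": 1005, "content": "OK"}, now=1010)
    print(code, flow.poll(token), flow.poll(token))
```

Under NIP-17 the seal and gift wrap carry randomized `created_at` values, so the timestamp compared here would be the one on the inner unwrapped message.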