For now, only BasicAuth with expected details from config is used as proof of ownership of the entered url. This limits the use of the node by clients on my behalf, which is acceptable for MVP.

But don't discount BasicAuth. Despite its implementation limitations, it has a low learning threshold, is natively supported by all browsers, requires no HTML/CSS/JS at all, and eliminates the need for separate session design and logout button. It's the "fastest start" in authorization you'll ever get.