1. To start at the SSR don't need to bother - let the rendering always proceeds from the fact that the user is not authorized. Everything else you can load on the client if necessary.
What is the procedure of authentication is needed
- a rather strange issue, as it is for you to decide depending on what the conditions of the problem :) Assuming that you need to know what are the options, I can say that in General their 2 - standard for sites with cookies and sessions, or obtaining a token, and no further authorization on it, then there is a standard story for any REST API.
2. If you mean stateless authorization on the client using OAuth, that is a great library
for this. If you do not want to pull such a large dependency, and it is possible to implement - everything is quite simple. Can you tell more specifically if interested. On the backend you can take the ready decision of which pile to any language/framework/CMS.
3. Subtleties especially. Got the token or the session cookie and all. Then everything depends on what exactly you want to implement.
Everything about the process of confirmation email refers to the backend, so it's pretty basic, and SSR does not change anything. Again, there are plenty of ready-made solutions for any platform. OAuth can also give backend, but then you need to understand that then don't get this backend to use for stateless API.