rest - How can I authorize API access with just a Phone number and SMS Pin? -
i'm creating backend has rest api consumed mobile app. because app mobile we're not using email , password create account/login instead phone number , receive pin number sms message confirm own number.
after confirm user pin number, how should go authenticating future api requests?
my first thought create token , return app. second thought use oauth i'm getting confused method work phone number/sms login method (2/3 leg, grants, etc..). don't understand how might work when using oauth our own apps (as opposed oauth provider). token seems easier route.
if use token, bad use same token until user logged out? (over https). i'm assuming it's worth work make them expire little longer avg. user session.
unfortunately doesn't seem turn key solution works phone numbers. i'm using meteor expecting roll own node modules (by exposing connect on meteor server).
any appreciated!
have considered using twitter's digits? comes fabric package pretty great during our last app development. allows register , verify users through phone number via twitter services. package pretty simple install , beside server-side token validation, avoid lot of hassle.
and server side validation of login: