@ceeK
Last active August 29, 2015 14:16
Social Login

The social login flow we'll follow is the one below (taken from a Stack Overflow answer):

  1. User opens the app on the phone. Chooses a service with which to authenticate.
  2. Authenticates via one of the available services (Facebook, Twitter, foursquare, etc.) and gets some special access token.
  3. Your app takes the token and sends it to your server.
  4. Your server receives the token and validates it. It checks it against the service's API and (at least for Facebook and Twitter) gets the corresponding user ID.
  5. Assuming a valid ID, your server checks if user ID has already been used by some user. If so, it logs them in. If the user ID hasn't been created, your server creates its own user record associated with that user ID and logs the user in. In either case, the user ends up logged in and your server issues a session key to your app.
  6. The session key is used for all further communication between your app and your server until the user logs out.

As a result, the application only requests the OAuth token for the particular social network, and the server handles the user lookup or creation on the application's behalf.

Updated routes

Step 3 needs a route for sending the token to the server. This route will use the Facebook token to create or update the Fitter user and will pass back a Fitter access_token.

    Route:  /oauth/token (or /users if this is easier)
    Params: facebook_access_token
    Return: fitter_access_token

The application will then call the existing /user route with the fitter_access_token to obtain the user.
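As an added example (not code from this gist or from the Fitter project), the server side of steps 4 to 6 and of the /oauth/token route above, written in Python. The Graph API round trip is replaced by a lookup in constructed sample responses so the example runs offline; the app id, token strings and user ids are all placeholders, and the user and session stores are in-memory dictionaries standing in for whatever database the server uses. The validation step follows what Facebook's debug_token endpoint returns, and it rejects a token that was issued to a different app id, because such a token proves nothing about the user to Fitter even though Facebook reports it as valid.

```python
import json
import secrets
import time

# Constructed placeholder; the real Fitter app id would come from configuration.
FITTER_FACEBOOK_APP_ID = "111111111111111"


def facebook_user_id_from_debug_token(body, expected_app_id, now=None):
    """Step 4: interpret a Graph API /debug_token response and return the Facebook user id.

    Facebook's endpoint is GET /debug_token?input_token=<user token>&access_token=<app token>.
    The HTTP call is left out so the example runs offline; this function checks the JSON body.
    A token that is not valid, has expired, or was issued to another app id is rejected.
    """
    now = time.time() if now is None else now
    data = json.loads(body).get("data", {})
    if not data.get("is_valid"):
        raise ValueError("facebook token is not valid")
    if str(data.get("app_id")) != expected_app_id:
        raise ValueError("facebook token was issued to a different app")
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:
        raise ValueError("facebook token has expired")
    user_id = data.get("user_id")
    if not user_id:
        raise ValueError("debug_token response carries no user_id")
    return str(user_id)


# Constructed sample responses standing in for what Facebook would return for each token.
SAMPLE_RESPONSES = {
    "fb-token-alice": json.dumps({"data": {"app_id": FITTER_FACEBOOK_APP_ID, "is_valid": True,
                                           "user_id": "10001", "expires_at": 4102444800}}),
    "fb-token-other-app": json.dumps({"data": {"app_id": "222222222222222", "is_valid": True,
                                               "user_id": "10002", "expires_at": 4102444800}}),
    "fb-token-expired": json.dumps({"data": {"app_id": FITTER_FACEBOOK_APP_ID, "is_valid": True,
                                             "user_id": "10003", "expires_at": 1}}),
    "fb-token-revoked": json.dumps({"data": {"app_id": FITTER_FACEBOOK_APP_ID, "is_valid": False}}),
}


def verify_facebook_token(facebook_access_token):
    """Stand-in for the real Graph API round trip: look the token up in the sample table."""
    body = SAMPLE_RESPONSES.get(facebook_access_token)
    if body is None:
        raise ValueError("facebook rejected the token")
    return facebook_user_id_from_debug_token(body, FITTER_FACEBOOK_APP_ID)


class FitterAuth:
    """In-memory stand-in for the Fitter server's user and session storage."""

    def __init__(self, verify=verify_facebook_token):
        self.verify = verify
        self.users_by_facebook_id = {}   # facebook user id -> fitter user record
        self.sessions = {}               # fitter_access_token -> fitter user id
        self._next_id = 1

    def oauth_token(self, facebook_access_token):
        """The /oauth/token route (steps 4 and 5): validate, find or create, issue a session key."""
        facebook_id = self.verify(facebook_access_token)      # raises ValueError on a bad token
        user = self.users_by_facebook_id.get(facebook_id)
        if user is None:                                      # first login: create the Fitter user
            user = {"id": self._next_id, "facebook_id": facebook_id}
            self._next_id += 1
            self.users_by_facebook_id[facebook_id] = user
        # The session key is Fitter's own random secret; the Facebook token is never reused as one.
        fitter_access_token = secrets.token_urlsafe(32)
        self.sessions[fitter_access_token] = user["id"]
        return {"fitter_access_token": fitter_access_token}

    def user(self, fitter_access_token):
        """The existing /user route (step 6): resolve a session key to its user, or None."""
        user_id = self.sessions.get(fitter_access_token)
        if user_id is None:
            return None
        return next(u for u in self.users_by_facebook_id.values() if u["id"] == user_id)

    def logout(self, fitter_access_token):
        """End of step 6: drop the session so the key stops working."""
        self.sessions.pop(fitter_access_token, None)
```

A second login with the same Facebook user id lands on the same Fitter user record but gets a fresh fitter_access_token, which is what step 5 describes; the app only ever holds Fitter's own session key, so a leaked key does not expose the Facebook token.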
