Performing authorized (through facebook) REST requests to my node.js server on a PhoneGap app

Since this issue is about three technologies I'd like to quickly introduce each of them:

• node.js: javascript on the server side (consider it my webserver)
• PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
• facebook authentication: using everyauth to let my users login with their facebook account

The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged in state of the PhoneGap application.

The issue: When I setup everyauth for facebook I basically have an URL, like domain.com/auth/facebook which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that

1. the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
2. The PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself

Cause of the issue: the reason this issue appears while it does not for a normal web application, is that the PhoneGap application's HTML files are stored and run from the phone itself while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.

Suggested approach #1: a PhoneGap user has recommended me to use this Android-Facebook plugin for PhoneGap. The issue here is that 开发者_StackOverflow社区the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.

How should I tackle this issue?

---

With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.

We used this approach to integrate a PhoneGap app with a node.js openid module

---

I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.

With jsOauth library, the auth token key/secret are stored for you and sent with every request.

Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone are no more at risk than everything else on the phone.

Tut. using PhoneGap / Android Facebook plugin in next on my list. Thanks for link to everyauth!