Before I get started. I vomited at the sight of Moodle's OUTPUT API. I'm sorry, but those conditionals are too many states for my tiny brain to keep track of.
Now that I've stated my position, I'm currently making an activity that utilizes angular-ui as a frontend. It talks to Moodle beautifully via REST. At first, I didn't use Moodle's Web Services API, but used the PHP framework Slim for the routing. That being said, even though Slim feels more natural (well, it feels like expressjs), I tried to convert the PHP-JavaScript communication to Web Services, and I've managed to do this. Kinda.
The problem:
Web services need a token. To acquire a token, the client needs a username and password. To acquire the username and password, Moodle must hand them in to JavaScript. From here I can think of the following options:
1. Use $PAGE->requires->js_init_call('main_foo', array('username'=>$username, 'password'=>$password)); And you just posted the user's password in the DOM.
2. Use Slim to hand in the username/password for a start, and use Moodle's Web API for the rest.
3. Send the token at start via $PAGE->requires->js_init_call.
Well, (1) IS NOT AN OPTION. And (2), although ugly (it feels like I'm gonna need a UML sequence diagram to transfer knowledge), makes sense since Moodle's Web API can handle the capability check for the rest of the REST calls. Although I should mention that the initialization, with Slim handing over the password and username, is susceptible to an XSS attack. The last one, (3), I have no idea how to implement, but this is still a bad solution. Though not as bad as (1), this is still unacceptable. At least a session cookie changes each time. I could delete the token each time to emulate a session cookie, but that sounds wrong.
It seems that I should just use my original implementation with Slim (I don't have to hand in sensitive information to the client, just some session cookies). But at the same time I'd really like to use Moodle's Web Services (those capability enforcements are a selling point). Can someone tell me a solution using Moodle's Web Service API?