Rails Authentication and Authorization without guarantee of browser sessions?

Right now, I am using the RESTful Authentication framework for authorizations with my rails application. This is all well开发者_开发问答 and good (though from my understanding, a little dated?), but now I need to authenticate a user who might not have an http session (such as from a application (not a browser) that is hitting my rails routes).

Specifically, I now have to support an iPhone application, that hits some of my restful routes to populate itself. However, this app needs to be authenticated, and just passing in a user name and password as parameters doesn't seem very secure. Not only is it not secure, it's not very clean (I would have to change all my calls referencing the current_user (stored in session) to manually setting the current user, as hits to my app without a browser doesn't seem to have session vars (or am I wrong about this?))

Any advice? Can RESTful Authentication do this? Is their an alternative framework (such as Authlogic, or OAuth or whatever) that can help me?

Devise appears able to do token-based authentication.

For security, only permit SSL connections. Redirect any non-SSL HTTP requests to the SSL version of the site. You can use the Rack middleware rack-ssl for this.

CanCan is pretty much the de facto authorization tool for Rails apps. You shouldn't try to re-invent the wheel in this case.

It plays well with both AuthLogic and RESTful Authentication, I believe. I don't have much experience with the latter.