This will need, at a minimum: POST to create a session, DELETE to destroy a session. We'll probably send passwords in cleartext and hash them on the server for security reasons.
We may want to consider some sort of scheme for hashing user names as well so that a man in the middle can't easily associate a cleartext password with a username.
Scalatra has a nice built-in framework, called Scentry, for handling authentication. I should probably look into Scentry before we start writing this spec.
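An added example of the session lifecycle described above (POST to create, DELETE to destroy, password hashed on the server). It is not code from this project and does not use Scentry. It relies only on JDK classes. The object name, the route paths in the comments, the PBKDF2 parameters and the in-memory maps are assumptions, and the request is assumed to arrive over TLS.

```scala
import java.security.{MessageDigest, SecureRandom}
import java.util.Base64
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import scala.collection.concurrent.TrieMap

// Added example: names, parameters and in-memory stores are assumptions.
object SessionStore {
  private val rng = new SecureRandom()
  private val Iterations = 210000 // assumed PBKDF2 work factor
  private val KeyBits = 256

  final case class Credential(salt: Array[Byte], hash: Array[Byte])

  private val users    = TrieMap.empty[String, Credential] // username -> salted hash
  private val sessions = TrieMap.empty[String, String]     // token -> username

  private def randomBytes(n: Int): Array[Byte] = {
    val b = new Array[Byte](n); rng.nextBytes(b); b
  }

  private def pbkdf2(password: Array[Char], salt: Array[Byte]): Array[Byte] = {
    val spec = new PBEKeySpec(password, salt, Iterations, KeyBits)
    try SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded
    finally spec.clearPassword()
  }

  def register(username: String, password: String): Unit = {
    val salt = randomBytes(16)
    users.put(username, Credential(salt, pbkdf2(password.toCharArray, salt)))
  }

  // POST /sessions (assumed path): verify the password, return a fresh token or None.
  def create(username: String, password: String): Option[String] = {
    // Unknown users still cost one PBKDF2 run, so timing does not reveal existence.
    val cred = users.getOrElse(username, Credential(new Array[Byte](16), new Array[Byte](KeyBits / 8)))
    val candidate = pbkdf2(password.toCharArray, cred.salt)
    val ok = MessageDigest.isEqual(candidate, cred.hash) && users.contains(username)
    if (!ok) None
    else {
      val token = Base64.getUrlEncoder.withoutPadding.encodeToString(randomBytes(32))
      sessions.put(token, username)
      Some(token)
    }
  }

  // DELETE /sessions/<token> (assumed path): true if a session was destroyed.
  def destroy(token: String): Boolean = sessions.remove(token).isDefined
}
```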