I’ve been finalising the architecture of the Elgg iPhone app I’m working on. It’s split into 3 components:
i-elgg : the iPhone/iPod Touch App, which acts as a dedicated Elgg client on the mobile device
i-elgg-s : the server side component that takes REST calls from the device and returns XML content for it to display
mobile : the Elgg plugin that lets you register your device ID and hook it to your Elgg account. That means you don’t have to use passwords from the device. It also means you can unregister the device if you lose it.
It’s a fairly big chunk of development as i-elgg is in Objective-C, i-elgg-s is in Ruby and mobile is in PHP. When I was writing i-elgg-s and testing it using PHP my head was almost exploding with the context switching: forgetting to add ; to PHP code and using object.method instead of object->method!
I decided to bin passwords from the device and instead get the user to grab the device ID when they dock with iTunes and copy/paste it into the mobile plugin. When the device connects to i-elgg-s it sends its device ID and the username and gets an authentication token back. It then uses this token to authenticate all the other REST calls it makes for data. i-elgg-s trawls the tokens now and then, expiring them as required, in which case the device will renew its token and continue.
So if you lose your device and can’t get to a browser to unregister it in Elgg, anyone who finds the phone will hit a stale token and won’t be able to renew it as they won’t know your username. I’m thinking, for version 1, that when the device wants a new token, it asks you there and then for your username, rather than storing it in the app preferences.
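The token lifecycle described above, sketched in Ruby as an added example; it is not the i-elgg-s code. The class name `TokenService`, its method names, the 15-minute TTL and the injectable clock are all assumptions made for illustration.

```ruby
require 'securerandom'

# Hypothetical sketch of the device-ID/username token flow (names and TTL assumed).
class TokenService
  Token = Struct.new(:device_id, :username, :expires_at)

  def initialize(ttl: 900, clock: -> { Time.now })
    @ttl = ttl
    @clock = clock
    @registrations = {} # device_id => username, as recorded by the "mobile" plugin
    @tokens = {}        # token string => Token
  end

  def register(device_id, username)
    @registrations[device_id] = username
  end

  # Unregistering a lost device also revokes any token it still holds.
  def unregister(device_id)
    @registrations.delete(device_id)
    @tokens.delete_if { |_, t| t.device_id == device_id }
  end

  # Issue (or renew) a token only when the device ID is registered to this username.
  def issue(device_id, username)
    expected = @registrations[device_id]
    return nil if expected.nil? || expected != username # nil guard: unregistered + blank name
    token = SecureRandom.hex(32)
    @tokens[token] = Token.new(device_id, username, @clock.call + @ttl)
    token
  end

  # Every REST data call: the token must exist, be unexpired and match the calling device.
  def authenticate(token, device_id)
    t = @tokens[token]
    return nil if t.nil? || t.device_id != device_id
    return nil if t.expires_at <= @clock.call # stale even if the sweep has not run yet
    t.username
  end

  # The periodic "trawl": drop expired tokens, return how many remain.
  def sweep
    @tokens.delete_if { |_, t| t.expires_at <= @clock.call }
    @tokens.size
  end
end
```

Checking expiry inside `authenticate` as well as in `sweep` means a token goes stale at its deadline rather than at the next trawl.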