My question revolves around how one secures the username/password authentication over REST for those initial phases.
I've just been handling traditional logins in the old client/server, non-REST model, and then, on login, setting a cookie with the token that I then use to authenticate the other application interactions.
For username/password over REST, is SSL good enough? I don't know, and I've never wanted to guess and be wrong. I've looked it up a couple of times, but advice on the subject ranges broadly between "don't ever do that" and "sure, it's fine."
https://news.ycombinator.com/item?id=6858572
> is SSL good enough
In my opinion, no.
It will protect the password from a potential MITM attack (assuming the user hasn't accepted a bad SSL certificate & you are checking that the cert is valid).
However, if someone MITMs your app for the purpose of reverse engineering, they will very easily see that the username/password API call is available & there will be nothing tangibly stopping them from using it.
If you use a client SSL certificate in addition to the normal server-side SSL for 'restricted endpoints', other apps will not be able to replicate the request, & it will also not be visible even in MITM attacks where the certificate is trusted.
If the private key for your client SSL certificate is leaked/found/reverse engineered/disassembled, that protection is gone. Assuming it is actually compiled into your binary, though, this is not trivial.
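The 'restricted endpoint' idea from the reply above, written out as an added example; this is not code from the thread or from anyone in it. It uses only Go's standard library and generates everything at run time: a throwaway CA, the app's client certificate signed by that CA, and a second "rogue" CA that issues a look-alike certificate with the same common name. The names demo-ca, demo-app and rogue-ca and the helpers newCert, restrictedServer, call and runDemo are made up for the example, and the keys are constructed on the fly, not real credentials.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a throwaway ECDSA cert (generated at run time, not a real key): parent == nil gives a self-signed CA, otherwise a client-auth leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// restrictedServer makes the TLS handshake itself reject any client whose cert does not chain to ca, so the handler never sees such a request.
func restrictedServer(ca *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The chain was already verified during the handshake; the leaf identifies the caller.
		fmt.Fprintf(w, "ok: %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS() // httptest supplies the server-side certificate
	return srv
}

// call does GET / from a fresh client that trusts the test server and presents clientCert if non-nil; nil models someone who only watched the request go by in a proxy.
func call(srv *httptest.Server, clientCert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runDemo issues the app's cert from a trusted CA plus a look-alike from a rogue CA, then calls the endpoint as the app, as a caller with no cert, and as the look-alike.
func runDemo() (withCert string, appErr, noCertErr, wrongCAErr error) {
	ca, caKey := newCert("demo-ca", nil, nil)
	appCert, appKey := newCert("demo-app", ca, caKey)
	rogueCA, rogueKey := newCert("rogue-ca", nil, nil)
	fakeCert, fakeKey := newCert("demo-app", rogueCA, rogueKey) // same CN, untrusted issuer
	srv := restrictedServer(ca)
	defer srv.Close()
	withCert, appErr = call(srv, &tls.Certificate{Certificate: [][]byte{appCert.Raw}, PrivateKey: appKey})
	_, noCertErr = call(srv, nil)
	_, wrongCAErr = call(srv, &tls.Certificate{Certificate: [][]byte{fakeCert.Raw}, PrivateKey: fakeKey})
	return
}

func main() {
	withCert, appErr, noCertErr, wrongCAErr := runDemo()
	fmt.Println("CA-issued cert:", withCert, appErr)
	fmt.Println("no client cert:", noCertErr)
	fmt.Println("rogue-CA cert: ", wrongCAErr)
}
```

The rogue-CA caller presents a syntactically valid chain with the right common name, but its issuer is not in the server's ClientCAs pool, so the handshake fails before any handler code runs; the caller with no certificate at all fails the same way. The check distinguishes callers purely by possession of appKey, which is the caveat in the reply: anyone who pulls that key out of the shipped binary can construct the same tls.Certificate and will get the identical "ok: demo-app".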