
PageForest looks pretty cool. Anyone want to comment about security concerns of the pageforest model, vs traditional web apps?



As the author, I can tell you how we've designed it (I'd welcome any other critique - it's all open source too, so you can look under the covers).

(1) Users sign in on the www.pageforest.com domain only. Applications are not given access to a user's credentials.

(2) Users must specifically grant access to each application for an app to write data on their behalf.

(3) We create an app-specific authentication token in the app sub-domain you are signed in to.

(4) To protect against cross-site request forgery (CSRF), we require the REFERER to be from the application domain (and NOT from the /docs sub-directory) for authenticated requests.

(5) Our authentication cookies are HTTP-Only. This makes it impossible for injected javascript to access the authentication cookie.

(6) Our app-based authentication cookies expire in 24 hours. Users can get a new cookie by re-authorizing the app from www.pageforest.com.

(7) We don't require SSL use for sign-in. This is probably our biggest security hole. But apps can be used on an SSL domain at https://appid.pageforest.appspot.com.

(8) We never transmit a user's password over the web - we use a challenge/response protocol that hashes the username/password on the client, and only sends the SHA1 of the user's response to a challenge.


I should add that since your application's assets are publicly viewable, there is no way for your app to store a secret key. Also, all your source code is visible to anyone wanting to look at it. This may preclude those that want to keep their code a trade secret.
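As an added illustration of the Referer check described in point (4) (example code, not PageForest's own implementation), assuming the app is served from a host such as appid.pageforest.com and its documentation lives under /docs on that host:

```python
# Added example, not part of PageForest. Models the CSRF defence in (4):
# an authenticated request is accepted only if its Referer comes from the
# application's own host and not from the /docs sub-directory.
# Assumed inputs: the app host name and the /docs prefix.
from urllib.parse import urlsplit

APP_DOCS_PREFIX = "/docs"


def referer_allowed(referer, app_host):
    """Return True only if the Referer header is from app_host and outside
    /docs. A missing or unparsable Referer is rejected (fail closed), since
    an authenticated write must prove where it originated."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is lower-cased and has any port stripped, so a host
    # comparison is not fooled by "APP.Example:8080" or a "host.evil" suffix.
    if parts.hostname is None or parts.hostname != app_host.lower():
        return False
    path = parts.path or "/"
    # Reject /docs itself and anything beneath it; "/docsx" is a different path.
    if path == APP_DOCS_PREFIX or path.startswith(APP_DOCS_PREFIX + "/"):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample Referer values for a quick self-check.
    host = "appid.pageforest.com"
    for ref in ("http://appid.pageforest.com/index.html",
                "http://appid.pageforest.com/docs/readme.html",
                "http://appid.pageforest.com.evil.example/",
                ""):
        print(repr(ref), "->", referer_allowed(ref, host))
```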


Thanks.



