After a lot of time playing around, I achieved what I was looking for. First I dropped the use of an optional login and used the normal login method, which worked well; the use of the injected token also worked. I just wanted to use Community Auth as the auth provider for this "api", and achieved it like this:
First I changed the LOGIN_PAGE constant to be something like this: api/failed <-- if the login attempt fails or there is no login at all (which is detected with a token which is provided at login), you will be redirected to this page, where an error code is shown.
Then, in the route for LOGIN_PAGE, I have something like this: api/bad_login
where the code that prints the error code resides.
In the login controller I have this:
PHP Code:
public function login(){
    // user is authenticated at level 1 or higher
    if( $this->verify_min_level( 1 ) ){
        $userID = $this->auth_user_id;
        $salt_bytes = openssl_random_pseudo_bytes(16);
        $salt_hex = bin2hex($salt_bytes);
        // some code which is the final version of the code goes here
        // this is encrypted on the client side
        echo json_encode( $new_user_data );
    }
    // this makes Community Auth work in this "api" mode
    $CI =& get_instance();
    $_POST['login_token'] = $CI->tokens->token();
    if( strtolower( $_SERVER['REQUEST_METHOD'] ) == 'post' )
    {
        $this->require_min_level(1);
    }
    $this->setup_login_form();
}
public function bad_login(){
    // functions to output errors...
    // ...
}
And that made it work. Then, in the pages that update the user info, the client provides the login token, the UUID and the email. In case of a match, access is granted; in case of a mismatch (also for partial matches, meaning the email matches but the login or the token does not, and the same for all other data), access is denied, all the tokens, emails and UUIDs related to that device are deleted from the database, and the client proceeds to delete all the saved (encrypted) info and redirects to the login (static page) in the client.
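The all-or-nothing check described in the post above, as an added example that is not part of the original post or of Community Auth. The function name `verify_device`, the in-memory `$store` keyed by device UUID, and storing the token as a SHA-256 hash are assumptions made for this sketch; the sample values are constructed.

```php
<?php
// Added illustration, not the poster's code. $store stands in for the
// database table; keying it by device UUID is an assumption.

/**
 * Grants access only if token, UUID and email all match the stored record.
 * Any mismatch, full or partial, denies access and deletes the device record.
 */
function verify_device(array &$store, string $uuid, string $email, string $token): bool
{
    $record = $store[$uuid] ?? null;

    // Use dummy values when the UUID is unknown so the same comparisons
    // run whether or not a record exists.
    $storedEmail = $record['email'] ?? '';
    $storedHash  = $record['token_hash'] ?? str_repeat('0', 64);

    // Evaluate every check before combining them, so the code path does
    // not depend on which field was wrong.
    $emailOk = hash_equals(strtolower($storedEmail), strtolower($email));
    $tokenOk = hash_equals($storedHash, hash('sha256', $token));
    $ok = ($record !== null) && $emailOk && $tokenOk;

    if (!$ok) {
        // Mismatch: drop everything stored for this device so the client
        // has to go through the login again.
        unset($store[$uuid]);
        return false;
    }
    return true;
}

// Constructed sample data.
$token = bin2hex(random_bytes(16));
$store = [
    'constructed-uuid-0001' => [
        'email'      => 'user@example.com',
        'token_hash' => hash('sha256', $token),
    ],
];

// Case 1: all three values match.
var_dump(verify_device($store, 'constructed-uuid-0001', 'user@example.com', $token));
// Case 2: UUID and email match, token does not (partial match).
var_dump(verify_device($store, 'constructed-uuid-0001', 'user@example.com', 'wrong'));
// Case 3: the correct token again, after case 2 removed the record.
var_dump(verify_device($store, 'constructed-uuid-0001', 'user@example.com', $token));
```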