Sure. It's by no means a proper way to do authentication, but was the only way we found to get it to work without a proper OAuth API. Essentially we have to manage users in our system and the MM system separately. First, you need an API token from an authorized user. The flow basically works like this:
- User registers on our platform (proprietary login)
- On registration, we hit the Mattermost API to create a user/password, then we store this encrypted in our DB. This API isn't documented, but you can sniff all the calls in a network console pretty easily.
- On login, we use the stored/encrypted credentials to hit the MM API to log the user in and get an auth token.
- Set the MMTOKEN cookie to that auth token. Since MM uses the cookie for auth, the user is now logged in.
Since we used different domains, we had to set the cookie to the base domain path so it would be accessible to write from our app and then accessible on the subdomain for MM. I recommend SSL and encryption across the board since user/passwords are being sent across the wire. Also, there is the pain of keeping passwords in sync across your platform and MM that you need to account for.
Hope that helps!
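Added example (not code from the reply above, and not Mattermost's own): a stdlib-only sketch of the flow the post describes, i.e. create the MM user at registration, replay the stored MM credential at login to obtain a session token, and hand that token to the browser in a cookie scoped to the parent domain so the MM subdomain can read it. The HTTP transport is injected, so the demo runs offline against a constructed fake of the two Mattermost v4 endpoints involved. The endpoint paths and the `Token` response header follow the public Mattermost v4 API; the cookie name MMTOKEN is taken from the post; the `Integration` and `FakeMattermost` classes, the `seal`/`unseal` helpers, the `.example.com` domain and all sample values are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a stored MM password. Stdlib stand-in for a real AEAD
    (e.g. AES-GCM from a vetted library); the key must live outside the DB."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("stored credential failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class FakeMattermost:
    """Constructed stand-in for POST /api/v4/users and POST /api/v4/users/login."""

    def __init__(self):
        self.users = {}   # username -> password
        self.tokens = {}  # session token -> username

    def __call__(self, method, path, body):
        if (method, path) == ("POST", "/api/v4/users"):
            self.users[body["username"]] = body["password"]
            return 201, {}, {"username": body["username"]}
        if (method, path) == ("POST", "/api/v4/users/login"):
            if self.users.get(body["login_id"]) != body["password"]:
                return 401, {}, {"message": "login failed"}
            token = secrets.token_urlsafe(24)
            self.tokens[token] = body["login_id"]
            return 200, {"Token": token}, {"username": body["login_id"]}
        return 404, {}, {}


class Integration:
    """Our side of the bridge. transport(method, path, json_body) returns
    (status, response_headers, response_json); swap in a real HTTPS client."""

    def __init__(self, transport, vault_key: bytes, cookie_domain: str):
        self.transport = transport
        self.key = vault_key
        self.cookie_domain = cookie_domain
        self.store = {}  # username -> sealed MM password, the only thing persisted

    def register(self, username: str, email: str) -> None:
        # The MM-side password is generated here and never shown to the user,
        # so it is independent of the user's platform password.
        mm_password = secrets.token_urlsafe(24)
        status, _, _ = self.transport("POST", "/api/v4/users",
                                      {"username": username, "email": email, "password": mm_password})
        if status != 201:
            raise RuntimeError(f"MM user creation failed: {status}")
        self.store[username] = seal(self.key, mm_password.encode())

    def login(self, username: str) -> str:
        mm_password = unseal(self.key, self.store[username]).decode()
        status, headers, _ = self.transport("POST", "/api/v4/users/login",
                                            {"login_id": username, "password": mm_password})
        if status != 200 or "Token" not in headers:
            raise PermissionError(f"MM login failed: {status}")
        return headers["Token"]

    def token_cookie(self, token: str) -> str:
        """Set-Cookie value: Domain=.example.com makes it visible on the MM
        subdomain; Secure/HttpOnly keep the token off plain HTTP and away from
        page scripts."""
        jar = SimpleCookie()
        jar["MMTOKEN"] = token  # cookie name as given in the post
        m = jar["MMTOKEN"]
        m["domain"], m["path"] = self.cookie_domain, "/"
        m["secure"], m["httponly"], m["samesite"] = True, True, "Lax"
        return jar.output(header="").strip()


if __name__ == "__main__":
    mm = FakeMattermost()
    app = Integration(mm, secrets.token_bytes(32), ".example.com")
    app.register("alice", "alice@example.com")
    print(app.token_cookie(app.login("alice")))
```

The two points worth keeping from this beyond the post's own steps: the MM password is generated per user rather than copied from the platform password (so the sync problem the post mentions becomes a one-way problem), and the cookie is emitted with Secure and HttpOnly so the replayed session token is not exposed over plain HTTP or to scripts on either domain.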