I am working on a vehicle renting system prototype. We are using Particle Electrons with the asset tracker shield attached to all the vehicles in the fleet. We will have our own app server connecting to the Particle cloud and a smartphone app that would talk to both our server and the Particle cloud. This mobile app will be used by our customers to locate vehicles w.r.t. their location and rent them through the app. Once the renting starts, the customer will be able to control certain aspects of the vehicle, e.g. locking/unlocking, trip location updates, etc.
Ideally, and as Particle recommends, communication between device and app should happen directly and not through our app server. The problem I am facing is with choosing a suitable auth method. From the documentation, I read about the simple and two-legged auth methods. Now, both methods require that we attach a device to customers, whereas the system we are developing is about renting vehicles, and one customer can rent different vehicles from time to time. So, to enable the app to communicate directly with the Particle cloud/device, being able to unclaim and claim another device is mandatory. The documentation does not talk about such a scenario. I am thinking about using two-legged auth but do not want to permanently attach one device (in our case this means one vehicle) to one customer.
Now, I read in the forums that you can claim/unclaim devices through new APIs (not mentioned in the docs, though). I would like to know if it is the right way to proceed, given the requirements of our project. I am thinking that when a customer rents a vehicle, we will claim the corresponding device for that customer and, once the renting ends, unclaim it from the customer and claim it with a system user of ours. What do you guys think?
Your help is much appreciated.