Confluence REST API token authentication

Adam August 6, 2017

I'm looking to build an internal helper app using the Jira REST API.  Basically to automate/make easier some things that are a pain in Jira (Why you can't have either fixVersions or Components globally I do not understand!)


The docs are quite against using cookie-based auth with the REST API.  However, my requirements are that:

  • The user of my app has to log in/authenticate themselves.  They should do so using their Jira credentials
  • The app then runs as that user, so has permissions, etc. appropriate to that user and any actions are seen as being by that user.


I don't really see why cookie-based isn't actually the most secure here?  As I see it the options are

  • OAuth. I understand that you can impersonate a user when using OAuth authentication (https://community.atlassian.com/t5/Answers-Developer-Questions/How-do-you-impersonate-a-user-with-JIRA-oauth/qaq-p/476116).  But the problems I see are:
    • Impersonation isn't authentication
    • I guess I could authenticate by posting to auth/session, but then I'd have to implement session handling directly myself to keep track of which user it is for that session - all the drawbacks of cookie-based authentication and extra work
  • Basic Authentication.  I guess this would be as the correct user, but it means I have to have a session (again, all the drawbacks) and also store the user's password in that session, which should be a definite no-no


Is there something I'm missing, or are the docs just missing this use case when they recommend not using cookie-based?


Knowing about their current Jira session so they don't need to re-authenticate would be best of course, but if I want that I guess I need to bite the bullet and write a proper plugin, instead of a quick, external, helper app :)


I'm probably going to go ahead and implement with cookies, just wondering what if anything I've missed here.
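One way to meet the two requirements above with the cookie-based flow the post mentions (posting to auth/session) without ever storing the user's password, as an added example that is not part of the original post: the helper app logs each user in through Jira's `POST /rest/auth/1/session`, keeps only the returned session cookie server-side behind an opaque app token, and forwards that cookie on later calls so Jira attributes every action to that user. The `JiraSessionBroker` class, the swappable `transport` hook and `https://jira.example` are assumptions for illustration.

```python
import json
import secrets
import urllib.error
import urllib.request

def urllib_transport(method, url, headers, body):  # default transport against a real Jira
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

class JiraSessionBroker:
    """Assumed design: log users in with their own Jira credentials, keep only Jira's session cookie."""

    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport  # swappable so the class can be exercised without a live Jira
        self._sessions = {}  # app token -> {"cookie": "JSESSIONID=...", "user": name}

    def login(self, username, password):
        body = json.dumps({"username": username, "password": password}).encode()
        status, _, raw = self.transport("POST", self.base_url + "/rest/auth/1/session", {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"Jira login failed with HTTP {status}")
        sess = json.loads(raw)["session"]  # Jira answers {"session": {"name": ..., "value": ...}, ...}
        token = secrets.token_urlsafe(32)  # unguessable and unrelated to the Jira cookie value
        self._sessions[token] = {"cookie": f"{sess['name']}={sess['value']}", "user": username}
        return token  # the password is dropped here; only the Jira cookie is retained

    def request(self, token, method, path, payload=None):
        entry = self._sessions.get(token)
        if entry is None:
            raise PermissionError("unknown or expired app session")
        headers = {"Cookie": entry["cookie"], "Accept": "application/json", "X-Atlassian-Token": "no-check"}  # XSRF header Jira expects on writes
        body = json.dumps(payload).encode() if payload is not None else None
        if body is not None:
            headers["Content-Type"] = "application/json"
        status, _, raw = self.transport(method, self.base_url + path, headers, body)
        if status == 401:  # Jira session expired or revoked: forget it and force a fresh login
            del self._sessions[token]
            raise PermissionError("Jira session no longer valid")
        return status, (json.loads(raw) if raw else None)

    def logout(self, token):
        entry = self._sessions.pop(token, None)
        if entry is not None:  # also end the Jira session, not just the app's mapping
            self.transport("DELETE", self.base_url + "/rest/auth/1/session", {"Cookie": entry["cookie"], "X-Atlassian-Token": "no-check"}, None)
```

The app token handed to the browser should be transported as its own HttpOnly, Secure cookie; the Jira cookie never leaves the helper app.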

1 answer

0 votes
E.L. Fridge
Rising Star
April 23, 2018

Hi Adam, it seems like your question was based on Jira even though you mention Confluence in the subject, so I'm answering it from a Jira point of view.  I also see this is an older question but it was listed on the list of pending questions without a response in the community, so here goes:

Another option that you may not have considered is using a service account in Jira to do the actions on the person's behalf.  So, you'd create a local service account in Jira and give it only the access it needs to perform the actions it should do.  We have a persona called "Jira Bot" that comments on issues, transitions them, etc.  If you make a new issue on someone's behalf you can still put that person as the reporter even though Jira Bot did the actual work.

We like this method because each person doesn't have to share their credentials and it's really clear what work is being done by the bot and what is being done by the actual user.
