Flow of events for API to validate requests from single page (JavaScript) app
I'm currently making an app that uses Laravel 4 for the server side API.
And the front end is 100% Angular.js based.
I'm pretty new to building apps this way and have been trying to work out
best practice for authenticating requests for restricted info. This
"http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services"
article definitely helped.
I'd love someone with experience to confirm this flow of events sounds
right (or not).
When the user needs to log in:
1. The user enters their credentials in the login form and this is submitted.
2. The server API validates the login.
3. If valid, it creates an authentication token for the user which is set in a session along with an expiration time. If not, 401 is returned.
4. If the user gets logged in, the server now checks that the logged-in user has the correct user level to access the requested data.
5. If the user level is not correct, 403 is returned.
6. Otherwise the requested data is returned to the JavaScript app along with the auth token.
7. The returned auth token is stored in a client-side cookie.
If a user has previously logged in:
1. Angular looks for an auth token stored in a cookie.
2. If it doesn't exist, the user is taken straight to the login page.
3. If it does, the auth token is sent in a custom header to the server with the API request.
4. The server validates the token in the request header.
5. If it doesn't validate, or is expired, the server returns a 401 (unauthorised).
6. If it does match, the next thing the server checks is whether the logged-in user has the correct access level to access this information. Also, the expiry time of the session is updated.
7. If it doesn't, 403 is returned.
8. Finally, if all is ok, the requested information is returned.
On logout:
1. Logout request sent.
2. Cookie auth token deleted client side.
3. Session deleted on server.
4. Response returned, redirect to login.