AngularJS - Server side index.html and authentication

I'm confused by the complexity proposed in the question.

When I think about user security for webAPI/RESTful projects (regardless of whither angularjs/flask are involved), I think of the following data exchange:

1. User (via their web browser) submits auth secrets (I.E. User and Password) to web server
2. Using the above, the Web Server:
   1. creates a non-forgable new secret which it can decode to identify the user (I.E. sign or encrypt a user-record, sessionID-that-includes-login-info, or user-ref-token)
   2. pushes that new secret into the User's web browser (I.E. make the user's web browser store it as a cookie)
3. All future HTTP/API/REST connections from the client (other then changing user auth secrets) are then done by including the web-server-secret/cookie, either by the client javascript pulling the cookie and including it in the URL/data-body or by letting the web server access the cookie by normal means

Your question seems to be asking about multiple layers of complexity beyond my base case and I don't understand what is necessitating this extra complexity (specifically your "The problem" text and your step #9). If this complexity is needed because of some facet of angular or flask (I.E.: if your having trouble with access to cookies, or your trying to mitigate some other security problem) please explain.