PHP serialization is evil. auth-api.php should not use it. At the very least it needs to use JSON instead.
Even better would be to turn this into a normal MW "action" api module
I'm tagging this as good first task . Its really more a "medium" task, however translating auth-api.php into a proper api module should be fairly straightforward, so i think it fits with the tag.