Authentication for users on a Single Page App?

The most RESTful way I have seen is based on the OAuth client credentials flow, basically a /token endpoint that you post username/password to which returns an access token for this session. Every ajax request after that appends an Authorization bearer header with the token. You can store the token in a global variable to just keep it around until the page is refreshed/closed, use local storage to keep users logged in between sessions, or javascript cookies. If you don’t like the idea of tokens then you can just use the old cookie approach, which is automatically sent with any ajax request anyway.

As for facebook/google etc I normally follow the stackoverflow approach where I associate external user logins to an account. Then use a fairly normal server-based oauth dance (although you can replace all requests to the server with ajax requests with slight modifications, I just find it doesn’t really make much difference as you need redirects between you and the server anyway). I normally issue an encrypted cookie for a facebook login, which I then convert into a token using a similar method as above (just send the cookie with the request instead of username/password).
