To prevent accidental posting I have inserted a prompt with just Post and Cancel buttons. There is also a check to see if the draft is empty and throw an error if it is.
The right author ID is now passed as part of the post data to ensure it is assigned to my posting account rather than the admin account. Each post submitted by this method should be as because of the credentials used to connect but better safe than sorry.
And, one more thing (just because I can!) As the authentication requires a base64 encoded version of the WordPress username and password I even created an action to generate that string for me.