There is a much simpler solution:
Use SSL sitewide, and then use your framework's standard session tracking.
That's all you need to do.
In more detail, the user initially logs in by supplying their username and password; these get POSTed to the server, which can check their validity. If the authentication is successful, your server code sets a flag in the session state remembering that the user has successfully authenticated and remembering the user's username. All subsequent requests will be over the same session, so you can easily authenticate them and allow them to proceed.
(Still more detail: Each time you receive a request, you check the session state to see whether the user has successfully authenticated and is authorized to perform this action. If yes, you allow the request and perform the action; if no, you redirect the user to a login page or present some other error message.)
Notice that this meets all of your requirements. It does not require a database lookup on each request. It is compatible with a RESTful API. It is compatible with a single-page app. You don't need to code up anything fancy: you just use your framework's existing support for sessions (usually, it uses a session cookie with a unique session ID, and some mechanism to store state on the server side associated with that session ID).
As part of using SSL sitewide, you should set the secure flag on your session ID cookie, to protect it from eavesdropping (this will ensure it will never be sent over HTTP). You should also enable HSTS, to tell the browser to always use SSL on your site. Search this site for more information on how to deploy SSL sitewide.
You should not rely upon the client's IP address to be static. It may change, e.g., if the client is mobile and moves from one wireless network to another. Therefore, it is best to avoid using the client's IP address for anything.
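The flow described in this answer, as an added standard-library sketch (not code from the answer; in practice your framework's session support does this for you). The cookie name `sid`, the in-memory `SESSIONS` and `USERS` stores, the `/api/profile` path and the `call` helper are assumptions made for illustration.

```python
import hmac, io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSIONS = {}                        # session ID -> state, kept server-side in memory
USERS = {"alice": "correct horse"}   # constructed demo account; real code verifies a password hash
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

def app(environ, start_response):
    """WSGI app assumed to be served over TLS only."""
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    if path == "/login" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            start_response("401 Unauthorized", [HSTS])
            return [b"bad credentials"]
        sid = secrets.token_urlsafe(32)          # fresh, unguessable ID issued at login
        SESSIONS[sid] = {"authenticated": True, "username": user}
        # Secure keeps the cookie off plain HTTP; HttpOnly is an extra the answer does not mention.
        cookie = f"sid={sid}; Secure; HttpOnly; Path=/"
        start_response("204 No Content", [HSTS, ("Set-Cookie", cookie)])
        return [b""]
    # Every other request: check the session flag. No database lookup, and the
    # session is deliberately not tied to the client's IP address.
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    state = SESSIONS.get(jar["sid"].value) if "sid" in jar else None
    if not (state and state.get("authenticated")):
        start_response("303 See Other", [HSTS, ("Location", "/login")])
        return [b""]
    start_response("200 OK", [HSTS, ("Content-Type", "text/plain")])
    return [f"hello {state['username']}".encode()]

def call(method, path, body=b"", cookie=""):
    """Hypothetical helper: drive the app in-process, return (status, headers, body)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    seen = {}
    out = b"".join(app(env, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], out
```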