|
@@ -1,32 +1,26 @@
|
1
|
1
|
lapis = require "lapis"
|
2
|
|
-console = require "lapis.console"
|
3
|
2
|
bcrypt = require "bcrypt"
|
4
|
|
-config = require("lapis.config").get!
|
5
|
3
|
|
6
|
4
|
import Users from require "models"
|
7
|
5
|
import api, abort, assert_model from require "helpers"
|
8
|
6
|
|
9
|
7
|
class extends lapis.Application
|
10
|
|
- [console: "/console/#{config.secret}"]: =>
|
11
|
|
- if Users\count! < 1 or @session.id == 1
|
12
|
|
- return console.make(env: "all")(@)
|
13
|
|
- else
|
14
|
|
- return status: 401, "401 - Unauthorized"
|
15
|
|
-
|
16
|
|
- [authenticate: "/0/auth"]: api {
|
17
|
|
- POST: =>
|
|
8
|
+ -- finds user by name or id (or creates by name), and returns the user,
|
|
9
|
+ -- unless a password is not specified (or incorrect), or the password is too weak
|
|
10
|
+ [authenticate: "/0/auth"]: respond_to {
|
|
11
|
+ POST: api( =>
|
18
|
12
|
-- find user by name or id if specified
|
19
|
13
|
local user
|
20
|
14
|
if @params.name
|
21
|
15
|
user = Users\find name: @params.name
|
22
|
16
|
elseif @params.id
|
23
|
17
|
user = Users\find id: @params.id
|
24
|
|
- abort "No such user." unless user
|
|
18
|
+ abort "Incorrect user name, id, or password." unless user
|
25
|
19
|
|
26
|
20
|
-- if a user by that name exists, see if the password is correct
|
27
|
21
|
if user
|
28
|
22
|
unless bcrypt.verify(@params.password, user.digest)
|
29
|
|
- abort "Incorrect password."
|
|
23
|
+ abort "Incorrect user name, id, or password."
|
30
|
24
|
-- else create a user
|
31
|
25
|
elseif @params.password
|
32
|
26
|
assert_valid(@params, {
|
|
@@ -34,8 +28,6 @@ class extends lapis.Application
|
34
|
28
|
{ "password", exists: true, min_length: 8, max_length: 255 }
|
35
|
29
|
})
|
36
|
30
|
-- TODO passwords should be checked against known breached passwords
|
37
|
|
- -- TODO passwords should be required to follow a few other basic security checks
|
38
|
|
- -- actually, these are invalidated just by checking against breached passwords I think
|
39
|
31
|
user = assert_model Users\create {
|
40
|
32
|
name: @params.name
|
41
|
33
|
digest: bcrypt.digest(@params.password, config.digest_rounds)
|
|
@@ -45,12 +37,15 @@ class extends lapis.Application
|
45
|
37
|
abort "Must specify name or id, and password."
|
46
|
38
|
|
47
|
39
|
return name: user.name, id: user.id
|
|
40
|
+ )
|
48
|
41
|
}
|
49
|
42
|
|
50
|
|
- [name: "/0/:id[%d]"]: api {
|
51
|
|
- GET: =>
|
|
43
|
+ -- finds user by id and returns their name
|
|
44
|
+ [name: "/0/:id[%d]"]: {
|
|
45
|
+ GET: api(=>
|
52
|
46
|
if user = Users\find id: @params.id
|
53
|
47
|
return name: user.name
|
54
|
48
|
else
|
55
|
|
- abort "No such user."
|
|
49
|
+ abort "Incorrect user id."
|
|
50
|
+ )
|
56
|
51
|
}
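Review bot: The `config` binding is dropped in the first hunk (`config = require("lapis.config").get!`) while the context line `digest: bcrypt.digest(@params.password, config.digest_rounds)` in the second hunk still reads it, so the create-user path now indexes a nil global at runtime; keep a `config = require("lapis.config").get!` line next to the remaining requires. The first hunk also starts using `respond_to` without bringing it into scope — `import respond_to from require "lapis.application"` belongs with the existing imports — and `assert_valid` (from `lapis.validate`) is likewise never imported. In the third hunk the `name` route hands Lapis a plain `{ GET: api(=> ...) }` table as its action whereas the auth route wraps the same shape in `respond_to`; unless `api` is meant to accept a table here, `[name: "/0/:id[%d]"]: respond_to {` gives both routes the same method dispatch. Finally, the added `abort "Incorrect user name, id, or password." unless user` runs before the `elseif @params.password` create branch, so the "or creates by name" behaviour promised by the new comment appears unreachable if `abort` stops the request; the unified message is a sound anti-enumeration choice, but the guard should probably only apply once the create case has been ruled out.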
|