Browse Source

better notes, bugfixes

Paul Liverman III 5 years ago
parent
commit
aa279ac688
3 changed files with 17 additions and 23 deletions
  1. 0
    1
      Dockerfile
  2. 12
    17
      app.moon
  3. 5
    5
      helpers.moon

+ 0
- 1
Dockerfile View File

@@ -1,4 +1,3 @@
1 1
 FROM guard13007/docker-lapis:latest
2 2
 
3 3
 RUN luarocks install bcrypt
4
-RUN luarocks install lapis-console

+ 12
- 17
app.moon View File

@@ -1,32 +1,26 @@
1 1
 lapis = require "lapis"
2
-console = require "lapis.console"
3 2
 bcrypt = require "bcrypt"
4
-config = require("lapis.config").get!
5 3
 
6 4
 import Users from require "models"
7 5
 import api, abort, assert_model from require "helpers"
8 6
 
9 7
 class extends lapis.Application
10
-  [console: "/console/#{config.secret}"]: =>
11
-    if Users\count! < 1 or @session.id == 1
12
-      return console.make(env: "all")(@)
13
-    else
14
-      return status: 401, "401 - Unauthorized"
15
-
16
-  [authenticate: "/0/auth"]: api {
17
-    POST: =>
8
+  -- finds user by name or id (or creates by name), and returns the user,
9
+  --  unless a password is not specified (or incorrect), or the password is too weak
10
+  [authenticate: "/0/auth"]: respond_to {
11
+    POST: api( =>
18 12
       -- find user by name or id if specified
19 13
       local user
20 14
       if @params.name
21 15
         user = Users\find name: @params.name
22 16
       elseif @params.id
23 17
         user = Users\find id: @params.id
24
-        abort "No such user." unless user
18
+        abort "Incorrect user name, id, or password." unless user
25 19
 
26 20
       -- if a user by that name exists, see if the password is correct
27 21
       if user
28 22
         unless bcrypt.verify(@params.password, user.digest)
29
-          abort "Incorrect password."
23
+          abort "Incorrect user name, id, or password."
30 24
       -- else create a user
31 25
       elseif @params.password
32 26
         assert_valid(@params, {
@@ -34,8 +28,6 @@ class extends lapis.Application
34 28
           { "password", exists: true, min_length: 8, max_length: 255 }
35 29
         })
36 30
         -- TODO passwords should be checked against known breached passwords
37
-        -- TODO passwords should be required to follow a few other basic security checks
38
-        --  actually, these are invalidated just by checking against breached passwords I think
39 31
         user = assert_model Users\create {
40 32
           name: @params.name
41 33
           digest: bcrypt.digest(@params.password, config.digest_rounds)
@@ -45,12 +37,15 @@ class extends lapis.Application
45 37
         abort "Must specify name or id, and password."
46 38
 
47 39
       return name: user.name, id: user.id
40
+    )
48 41
   }
49 42
 
50
-  [name: "/0/:id[%d]"]: api {
51
-    GET: =>
43
+  -- finds user by id and returns their name
44
+  [name: "/0/:id[%d]"]: {
45
+    GET: api(=>
52 46
       if user = Users\find id: @params.id
53 47
         return name: user.name
54 48
       else
55
-        abort "No such user."
49
+        abort "Incorrect user id."
50
+    )
56 51
   }

+ 5
- 5
helpers.moon View File

@@ -2,17 +2,17 @@ import json_params, capture_errors, yield_error, respond_to from require "lapis.
2 2
 import insert from table
3 3
 import max from math
4 4
 
5
-api = (tab) ->
5
+api = (fn) =>
6 6
   json_params capture_errors {
7 7
     =>
8
-      result = respond_to(tab)
9
-      return json: result,
8
+      result = fn(@)
9
+      return json: result
10 10
     on_error: =>
11
-      status = 400
11
+      status = 400 -- most likely a bad request
12 12
       errors = {}
13 13
       for err in *@errors
14 14
         if "table" == type err
15
-          status = max status, err[1]
15
+          status = max status, err[1] -- the worst error will have a higher status number
16 16
           insert errors, err[2]
17 17
         else
18 18
           insert errors, err