Browse Source

added name/password constraints, should be ready for usage

Paul Liverman III 5 years ago
parent
commit
ae8cd46e04
2 changed files with 13 additions and 3 deletions
  1. 13
    2
      app.moon
  2. 0
    1
      models/Users.moon

+ 13
- 2
app.moon View File

@@ -8,6 +8,7 @@ import api, abort, assert_model from require "helpers"
8 8
 class extends lapis.Application
9 9
   [authenticate: "/0/auth"]: api {
10 10
     POST: =>
11
+      -- find user by name or id if specified
11 12
       local user
12 13
       if @params.name
13 14
         user = Users\find name: @params.name
@@ -15,16 +16,26 @@ class extends lapis.Application
15 16
         user = Users\find id: @params.id
16 17
         abort "No such user." unless user
17 18
 
19
+      -- if a user by that name exists, see if the password is correct
18 20
       if user
19 21
         unless bcrypt.verify(@params.password, user.digest)
20 22
           abort "Incorrect password."
23
+      -- else create a user
21 24
       elseif @params.password
22
-        -- TODO create user with specified password
23
-        -- TODO constraints on password for security purposes
25
+        assert_valid(@params, {
26
+          { "name", exists: true, min_length: 1, max_length: 255, matches_pattern: "%w+" }
27
+          { "password", exists: true, min_length: 8, max_length: 255 }
28
+        })
29
+        -- TODO passwords should be checked against known breached passwords
30
+        -- TODO passwords should be required to follow a few other basic security checks
31
+        --  actually, these are invalidated just by checking against breached passwords I think
24 32
         user = assert_model Users\create {
25 33
           name: @params.name
26 34
           digest: bcrypt.digest(@params.password, config.digest_rounds)
27 35
         }
36
+      -- if a password wasn't specified...
37
+      else
38
+        abort "Must specify name or id, and password."
28 39
 
29 40
       return name: user.name, id: user.id
30 41
   }

+ 0
- 1
models/Users.moon View File

@@ -1,4 +1,3 @@
1 1
 import Model from require "lapis.db.model"
2 2
 
3 3
 class Users extends Model
4
-  -- TODO constraints on usernames under 256 bytes, alphanumerics only