|
@@ -8,6 +8,7 @@ import api, abort, assert_model from require "helpers"
|
8
|
8
|
class extends lapis.Application
|
9
|
9
|
[authenticate: "/0/auth"]: api {
|
10
|
10
|
POST: =>
|
|
11
|
+ -- find user by name or id if specified
|
11
|
12
|
local user
|
12
|
13
|
if @params.name
|
13
|
14
|
user = Users\find name: @params.name
|
|
@@ -15,16 +16,26 @@ class extends lapis.Application
|
15
|
16
|
user = Users\find id: @params.id
|
16
|
17
|
abort "No such user." unless user
|
17
|
18
|
|
|
19
|
+ -- if a user by that name exists, see if the password is correct
|
18
|
20
|
if user
|
19
|
21
|
unless bcrypt.verify(@params.password, user.digest)
|
20
|
22
|
abort "Incorrect password."
|
|
23
|
+ -- else create a user
|
21
|
24
|
elseif @params.password
|
22
|
|
- -- TODO create user with specified password
|
23
|
|
- -- TODO constraints on password for security purposes
|
|
25
|
+ assert_valid(@params, {
|
|
26
|
+ { "name", exists: true, min_length: 1, max_length: 255, matches_pattern: "%w+" }
|
|
27
|
+ { "password", exists: true, min_length: 8, max_length: 255 }
|
|
28
|
+ })
|
|
29
|
+ -- TODO passwords should be checked against known breached passwords
|
|
30
|
+ -- TODO passwords should be required to follow a few other basic security checks
|
|
31
|
+ -- actually, these are invalidated just by checking against breached passwords I think
|
24
|
32
|
user = assert_model Users\create {
|
25
|
33
|
name: @params.name
|
26
|
34
|
digest: bcrypt.digest(@params.password, config.digest_rounds)
|
27
|
35
|
}
|
|
36
|
+ -- if a password wasn't specified...
|
|
37
|
+ else
|
|
38
|
+ abort "Must specify name or id, and password."
|
28
|
39
|
|
29
|
40
|
return name: user.name, id: user.id
|
30
|
41
|
}
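Review bot: The `matches_pattern: "%w+"` rule added for `name` is unanchored, so (assuming assert_valid's matches_pattern is built on string.match) any name containing at least one alphanumeric character passes, including ones with spaces, slashes or control characters; if the intent is alphanumeric-only names the rule should be `{ "name", exists: true, min_length: 1, max_length: 255, matches_pattern: "^%w+$" }`. The new validation also only runs in the create branch, while the existing-user branch still calls `bcrypt.verify(@params.password, user.digest)` with a password that may be nil, since the new `else` branch only catches the case where no user was found; a request naming an existing user with no password therefore reaches bcrypt.verify with nil instead of the new "Must specify name or id, and password." response. Moving the presence check in front of the branch, e.g. `abort "Must specify name or id, and password." unless @params.password` immediately before `if user`, would make the same failure mode produce the same abort on both paths. The POST handler begins in the earlier hunk, so the `if @params.name`/`elseif @params.id` lookup that precedes this is only partly visible here.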
|