- lapis = require "lapis"
- bcrypt = require "bcrypt"
-
- import Users from require "models"
- import api, abort, assert_model from require "helpers"
-
- class extends lapis.Application
- -- finds user by name or id (or creates by name), and returns the user,
- -- unless a password is not specified (or incorrect), or the password is too weak
- [authenticate: "/0/auth"]: respond_to {
- POST: api( =>
- -- find user by name or id if specified
- local user
- if @params.name
- user = Users\find name: @params.name
- elseif @params.id
- user = Users\find id: @params.id
- abort "Incorrect user name, id, or password." unless user
-
- -- if a user by that name exists, see if the password is correct
- if user
- unless bcrypt.verify(@params.password, user.digest)
- abort "Incorrect user name, id, or password."
- -- else create a user
- elseif @params.password
- assert_valid(@params, {
- { "name", exists: true, min_length: 1, max_length: 255, matches_pattern: "%w+" }
- { "password", exists: true, min_length: 8, max_length: 255 }
- })
- -- TODO passwords should be checked against known breached passwords
- user = assert_model Users\create {
- name: @params.name
- digest: bcrypt.digest(@params.password, config.digest_rounds)
- }
- -- if a password wasn't specified...
- else
- abort "Must specify name or id, and password."
-
- return name: user.name, id: user.id
- )
- }
-
- -- finds user by id and returns their name
- [name: "/0/:id[%d]"]: {
- GET: api(=>
- if user = Users\find id: @params.id
- return name: user.name
- else
- abort "Incorrect user id."
- )
- }