better notes, bugfixes
This commit is contained in:
Paul Liverman III
parent
f7d8fc8984
commit
aa279ac688
@ -1,4 +1,3 @@
|
||||
FROM guard13007/docker-lapis:latest
|
||||
|
||||
RUN luarocks install bcrypt
|
||||
RUN luarocks install lapis-console
|
||||
|
||||
29
app.moon
29
app.moon
@ -1,32 +1,26 @@
|
||||
lapis = require "lapis"
|
||||
console = require "lapis.console"
|
||||
bcrypt = require "bcrypt"
|
||||
config = require("lapis.config").get!
|
||||
|
||||
import Users from require "models"
|
||||
import api, abort, assert_model from require "helpers"
|
||||
|
||||
class extends lapis.Application
|
||||
[console: "/console/#{config.secret}"]: =>
|
||||
if Users\count! < 1 or @session.id == 1
|
||||
return console.make(env: "all")(@)
|
||||
else
|
||||
return status: 401, "401 - Unauthorized"
|
||||
|
||||
[authenticate: "/0/auth"]: api {
|
||||
POST: =>
|
||||
-- finds user by name or id (or creates by name), and returns the user,
|
||||
-- unless a password is not specified (or incorrect), or the password is too weak
|
||||
[authenticate: "/0/auth"]: respond_to {
|
||||
POST: api( =>
|
||||
-- find user by name or id if specified
|
||||
local user
|
||||
if @params.name
|
||||
user = Users\find name: @params.name
|
||||
elseif @params.id
|
||||
user = Users\find id: @params.id
|
||||
abort "No such user." unless user
|
||||
abort "Incorrect user name, id, or password." unless user
|
||||
|
||||
-- if a user by that name exists, see if the password is correct
|
||||
if user
|
||||
unless bcrypt.verify(@params.password, user.digest)
|
||||
abort "Incorrect password."
|
||||
abort "Incorrect user name, id, or password."
|
||||
-- else create a user
|
||||
elseif @params.password
|
||||
assert_valid(@params, {
|
||||
@ -34,8 +28,6 @@ class extends lapis.Application
|
||||
{ "password", exists: true, min_length: 8, max_length: 255 }
|
||||
})
|
||||
-- TODO passwords should be checked against known breached passwords
|
||||
-- TODO passwords should be required to follow a few other basic security checks
|
||||
-- actually, these are invalidated just by checking against breached passwords I think
|
||||
user = assert_model Users\create {
|
||||
name: @params.name
|
||||
digest: bcrypt.digest(@params.password, config.digest_rounds)
|
||||
@ -45,12 +37,15 @@ class extends lapis.Application
|
||||
abort "Must specify name or id, and password."
|
||||
|
||||
return name: user.name, id: user.id
|
||||
)
|
||||
}
|
||||
|
||||
[name: "/0/:id[%d]"]: api {
|
||||
GET: =>
|
||||
-- finds user by id and returns their name
|
||||
[name: "/0/:id[%d]"]: {
|
||||
GET: api(=>
|
||||
if user = Users\find id: @params.id
|
||||
return name: user.name
|
||||
else
|
||||
abort "No such user."
|
||||
abort "Incorrect user id."
|
||||
)
|
||||
}
|
||||
|
||||
10
helpers.moon
10
helpers.moon
@ -2,17 +2,17 @@ import json_params, capture_errors, yield_error, respond_to from require "lapis.
|
||||
import insert from table
|
||||
import max from math
|
||||
|
||||
api = (tab) ->
|
||||
api = (fn) =>
|
||||
json_params capture_errors {
|
||||
=>
|
||||
result = respond_to(tab)
|
||||
return json: result,
|
||||
result = fn(@)
|
||||
return json: result
|
||||
on_error: =>
|
||||
status = 400
|
||||
status = 400 -- most likely a bad request
|
||||
errors = {}
|
||||
for err in *@errors
|
||||
if "table" == type err
|
||||
status = max status, err[1]
|
||||
status = max status, err[1] -- the worst error will have a higher status number
|
||||
insert errors, err[2]
|
||||
else
|
||||
insert errors, err
|
||||
|
||||
Loading…
Reference in New Issue
Block a user