added name/password constraints, should be ready for usage

app.moon

@@ -8,6 +8,7 @@ import api, abort, assert_model from require "helpers"
 class extends lapis.Application
   [authenticate: "/0/auth"]: api {
     POST: =>
+      -- find user by name or id if specified
       local user
       if @params.name
         user = Users\find name: @params.name
@@ -15,16 +16,26 @@ class extends lapis.Application
         user = Users\find id: @params.id
         abort "No such user." unless user
 
+      -- if a user by that name exists, see if the password is correct
       if user
         unless bcrypt.verify(@params.password, user.digest)
           abort "Incorrect password."
+      -- else create a user
       elseif @params.password
-        -- TODO create user with specified password
+        assert_valid(@params, {
-        -- TODO constraints on password for security purposes
+          { "name", exists: true, min_length: 1, max_length: 255, matches_pattern: "%w+" }
+          { "password", exists: true, min_length: 8, max_length: 255 }
+        })
+        -- TODO passwords should be checked against known breached passwords
+        -- TODO passwords should be required to follow a few other basic security checks
+        --  actually, these are invalidated just by checking against breached passwords I think
         user = assert_model Users\create {
           name: @params.name
           digest: bcrypt.digest(@params.password, config.digest_rounds)
         }
+      -- if a password wasn't specified...
+      else
+        abort "Must specify name or id, and password."
 
       return name: user.name, id: user.id
   }

models/Users.moon

@@ -1,4 +1,3 @@
 import Model from require "lapis.db.model"
 
 class Users extends Model
-  -- TODO constraints on usernames under 256 bytes, alphanumerics only