better notes, bugfixes

app.moon

@@ -1,37 +1,51 @@
 lapis = require "lapis"
 bcrypt = require "bcrypt"
-config = require("lapis.config").get!
 
 import Users from require "models"
 import api, abort, assert_model from require "helpers"
 
 class extends lapis.Application
-  [authenticate: "/0/auth"]: api {
-    POST: =>
+  -- finds user by name or id (or creates by name), and returns the user,
+  --  unless a password is not specified (or incorrect), or the password is too weak
+  [authenticate: "/0/auth"]: respond_to {
+    POST: api( =>
+      -- find user by name or id if specified
       local user
       if @params.name
         user = Users\find name: @params.name
       elseif @params.id
         user = Users\find id: @params.id
-        abort "No such user." unless user
+        abort "Incorrect user name, id, or password." unless user
 
+      -- if a user by that name exists, see if the password is correct
       if user
         unless bcrypt.verify(@params.password, user.digest)
-          abort "Incorrect password."
+          abort "Incorrect user name, id, or password."
+      -- else create a user
       elseif @params.password
-        -- TODO create user with specified password
-        -- TODO constraints on password for security purposes
+        assert_valid(@params, {
+          { "name", exists: true, min_length: 1, max_length: 255, matches_pattern: "%w+" }
+          { "password", exists: true, min_length: 8, max_length: 255 }
+        })
+        -- TODO passwords should be checked against known breached passwords
         user = assert_model Users\create {
           name: @params.name
           digest: bcrypt.digest(@params.password, config.digest_rounds)
         }
+      -- if a password wasn't specified...
+      else
+        abort "Must specify name or id, and password."
 
       return name: user.name, id: user.id
+    )
   }
-  [name: "/0/:id[%d]"]: api {
-    GET: =>
+
+  -- finds user by id and returns their name
+  [name: "/0/:id[%d]"]: {
+    GET: api(=>
       if user = Users\find id: @params.id
         return name: user.name
       else
-        abort "No such user."
+        abort "Incorrect user id."
+    )
   }

config.moon

@@ -1,6 +1,7 @@
 config = require "lapis.config"
 
 postgres_password = os.getenv "POSTGRES_PASSWORD"
+secret_value = os.getenv "SESSION_SECRET"
 
 config "development", ->
   postgres ->
@@ -10,5 +11,6 @@ config "development", ->
     password postgres_password
   num_workers 2
   code_cache "on"
+  secret secret_value or "insecure"
 
   digest_rounds 12

create

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-docker build -t passwd0 .
-docker network create passwd-db
-docker run -d --restart always --name passwd-db --network passwd-db \
-  -v "$PWD/db":/var/lib/postgresql/data postgres:10.5-alpine
-docker run -d --restart always --name passwd0 --network passwd-db \
-  passwd0:latest
-docker network connect passwd0 web

helpers.moon

@@ -2,15 +2,17 @@ import json_params, capture_errors, yield_error, respond_to from require "lapis.
 import insert from table
 import max from math
 
-api = (tab) ->
+api = (fn) =>
   json_params capture_errors {
-    respond_to(tab),
+    =>
+      result = fn(@)
+      return json: result
     on_error: =>
-      status = 400
+      status = 400 -- most likely a bad request
       errors = {}
       for err in *@errors
         if "table" == type err
-          status = max status, err[1]
+          status = max status, err[1] -- the worst error will have a higher status number
           insert errors, err[2]
         else
           insert errors, err

models/Users.moon

@@ -1,4 +1,3 @@
 import Model from require "lapis.db.model"
 
 class Users extends Model
-  -- TODO constraints on usernames under 256 bytes, alphanumerics only