passwd0/app.moon

lapis = require "lapis"
bcrypt = require "bcrypt"

import Users from require "models"
import api, abort, assert_model from require "helpers"

class extends lapis.Application
  -- finds user by name or id (or creates by name), and returns the user,
  --  unless a password is not specified (or incorrect), or the password is too weak
  [authenticate: "/0/auth"]: respond_to {
    POST: api( =>
      -- find user by name or id if specified
      local user
      if @params.name
        user = Users\find name: @params.name
      elseif @params.id
        user = Users\find id: @params.id
        abort "Incorrect user name, id, or password." unless user

      -- if a user by that name exists, see if the password is correct
      if user
        unless bcrypt.verify(@params.password, user.digest)
          abort "Incorrect user name, id, or password."
      -- else create a user
      elseif @params.password
        assert_valid(@params, {
          { "name", exists: true, min_length: 1, max_length: 255, matches_pattern: "%w+" }
          { "password", exists: true, min_length: 8, max_length: 255 }
        })
        -- TODO passwords should be checked against known breached passwords
        user = assert_model Users\create {
          name: @params.name
          digest: bcrypt.digest(@params.password, config.digest_rounds)
        }
      -- if a password wasn't specified...
      else
        abort "Must specify name or id, and password."

      return name: user.name, id: user.id
    )
  }

  -- finds user by id and returns their name
  [name: "/0/:id[%d]"]: {
    GET: api(=>
      if user = Users\find id: @params.id
        return name: user.name
      else
        abort "Incorrect user id."
    )
  }