From f72d1265897604d1cb69fa5bc0468cb292162c84 Mon Sep 17 00:00:00 2001
From: Jan Philipp Timme <jan.philipp@timme.it>
Date: Mon, 16 Sep 2013 18:21:52 +0200
Subject: [PATCH] [TASK] Finish implementing /session API.

---
 app.js | 74 ++++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 57 insertions(+), 17 deletions(-)

diff --git a/app.js b/app.js
index 7e86b97..0d698f6 100644
--- a/app.js
+++ b/app.js
@@ -67,7 +67,7 @@ app.use("/", express.static(__dirname + '/static'));
 app.use("/session", function(req, res) {
 	res.setHeader("Content-Type", "application/json");
 
-	//refresh session
+	//refresh session and return login status
 	if(req.method == "GET") {
 		if(req.session.data.login == true) {
 			if(new Date() - req.session.data.lastActivity < 5 * 60 * 1000) {
@@ -77,37 +77,77 @@ app.use("/session", function(req, res) {
 			}
 		}
 		res.send(200, JSON.stringify({
+			"success": true,
 			"login": req.session.data.login
 		}));
 	}
 
 	//check user credentials, update session data
 	if(req.method == "PUT") {
+		//already logged in?
 		if(req.session.data.login == true) {
 			res.send(200, JSON.stringify({
-				"success": false
-			}));
-		}
-		var params = req.body;
-		if(tools.reqParamsGiven() == false) {
-			res.send(200, JSON.stringify({
-				"login": req.session.data.login
+				"success": false,
+				"error": "You are already logged in!"
 			}));
 			return;
 		}
-		req.session.data.login = true;
-		req.session.data.lastActivity = new Date();
-		res.send(200, JSON.stringify({
-			"login": req.session.data.login
-		}));
+
+		var params = req.body;
+		//username or password missing?
+		if(tools.reqParamsGiven(["username", "password"], params) == false) {
+			res.send(200, JSON.stringify({
+				"success": false,
+				"error": "Insufficient parameters given! Need: username, password"
+			}));
+			return;
+		}
+		//check if user exists
+		db.get(params.username, function (err, doc) {
+			if(!err && doc.type == "user") {
+				//user exists, verify password
+				scrypt.verifyHash(user.auth, params.password, function(err, match) {
+					if(err || match == false) {
+						res.send(200, JSON.stringify({
+							"success": false,
+							"error": "Invalid login credentials!"
+						}));
+						return;
+					}
+					if(!err && match == true) {
+						req.session.data.login = true;
+						req.session.data.lastActivity = new Date();
+						res.send(200, JSON.stringify({
+							"success": true
+						}));
+						return;
+					}
+				});
+			} else {
+				//user does not exist.
+				res.send(200, JSON.stringify({
+					"success": false,
+					"error": "Invalid login credentials!"
+				}));
+				return;
+			}
+		});
 	}
 
 	//destroy the session
 	if(req.method == "DELETE") {
-		req.session.data.login = false;
-		res.send(200, JSON.stringify({
-			"login": req.session.data.login
-		}));
+		//only do logout if login exists
+		if(req.session.data.login == false) {
+			res.send(200, JSON.stringify({
+				"success": false,
+				"error": "Cannot log you out, you are not logged in!"
+			}));
+		} else {
+			req.session.data.login = false;
+			res.send(200, JSON.stringify({
+				"success": true
+			}));
+		}
 	}
 });