Sharkey/src/api/private/signin.ts

import * as express from 'express';
import * as bcrypt from 'bcryptjs';
import { default as User, IUser } from '../models/user';
import Signin from '../models/signin';
import serialize from '../serializers/signin';
import event from '../event';
import config from '../../conf';

export default async (req: express.Request, res: express.Response) => {
	res.header('Access-Control-Allow-Credentials', 'true');

	const username = req.body['username'];
	const password = req.body['password'];

	if (typeof username != 'string') {
		res.sendStatus(400);
		return;
	}

	if (typeof password != 'string') {
		res.sendStatus(400);
		return;
	}

	// Fetch user
	const user: IUser = await User.findOne({
		username_lower: username.toLowerCase()
	}, {
		fields: {
			data: false,
			profile: false
		}
	});

	if (user === null) {
		res.status(404).send({
			error: 'user not found'
		});
		return;
	}

	// Compare password
	const same = await bcrypt.compare(password, user.password);

	if (same) {
		const expires = 1000 * 60 * 60 * 24 * 365; // One Year
		res.cookie('i', user.token, {
			path: '/',
			domain: `.${config.host}`,
			secure: config.url.substr(0, 5) === 'https',
			httpOnly: false,
			expires: new Date(Date.now() + expires),
			maxAge: expires
		});

		res.sendStatus(204);
	} else {
		res.status(400).send({
			error: 'incorrect password'
		});
	}

	// Append signin history
	const record = await Signin.insert({
		created_at: new Date(),
		user_id: user._id,
		ip: req.ip,
		headers: req.headers,
		success: same
	});

	// Publish signin event
	event(user._id, 'signin', await serialize(record));
};