//Login verifies a username and password combo
//this makes sure the user exists, that the password is correct, and that the user is active
//if user is allowed access, their data is saved to the session and they are redirected into the app
func Login(w http.ResponseWriter, r *http.Request) {
//get form values
username := r.FormValue("username")
password := r.FormValue("password")
//get user data
c := appengine.NewContext(r)
id, data, err := exists(c, username)
if err == ErrUserDoesNotExist {
notificationPage(w, "panel-danger", "Cannot Log In", "The username you provided does not exist.", "btn-default", "/", "Try Again")
return
}
//is user allowed access
if AllowedAccess(data) == false {
notificationPage(w, "panel-danger", "Cannot Log In", "You are not allowed access. Please contact an administrator.", "btn-default", "/", "Go Back")
return
}
//validate password
_, err = pwds.Verify(password, data.Password)
if err != nil {
notificationPage(w, "panel-danger", "Cannot Log In", "The password you provided is invalid.", "btn-default", "/", "Try Again")
return
}
//user validated
//save session data
session := sessionutils.Get(r)
if session.IsNew == false {
sessionutils.Destroy(w, r)
session = sessionutils.Get(r)
}
sessionutils.AddValue(session, "username", username)
sessionutils.AddValue(session, "user_id", id)
sessionutils.Save(session, w, r)
//show user main page
http.Redirect(w, r, "/main/", http.StatusFound)
return
}
//CreateAdmin saves the initial super-admin for the app
//this user is used to log in and create new users
//this user is created when the app is first deployed and used
// done this way b/c we don't want to set a default password/username in the code
func CreateAdmin(w http.ResponseWriter, r *http.Request) {
//make sure the admin user doesnt already exist
err := DoesAdminExist(r)
if err == nil {
notificationPage(w, "panel-danger", "Error", "The admin user already exists.", "btn-default", "/", "Go Back")
return
}
//get form values
pass1 := r.FormValue("password1")
pass2 := r.FormValue("password2")
//make sure they match
if doStringsMatch(pass1, pass2) == false {
notificationPage(w, "panel-danger", "Error", "The passwords id not match.", "btn-default", "/setup/", "Try Again")
return
}
//make sure the password is long enough
if len(pass1) < minPwdLength {
notificationPage(w, "panel-danger", "Error", "The password you provided is too short. It must me at least "+strconv.FormatInt(minPwdLength, 10)+" characters.", "btn-default", "/setup/", "Try Again")
return
}
//hash the password
hashedPwd := pwds.Create(pass1)
//create the user
u := User{
Username: adminUsername,
Password: hashedPwd,
AddCards: true,
RemoveCards: true,
ChargeCards: true,
ViewReports: true,
Administrator: true,
Active: true,
Created: timestamps.ISO8601(),
}
//save to datastore
c := appengine.NewContext(r)
incompleteKey := createNewUserKey(c)
completeKey, err := saveUser(c, incompleteKey, u)
if err != nil {
fmt.Fprint(w, err)
return
}
//save user to session
//this is how we authenticate users that are already signed in
//the user is automatically logged in as the administrator user
session := sessionutils.Get(r)
if session.IsNew == false {
notificationPage(w, "panel-danger", "Error", "An error occured while saving the admin user. Please clear your cookies and restart your browser.", "btn-default", "/setup/", "Try Again")
return
}
sessionutils.AddValue(session, "username", adminUsername)
sessionutils.AddValue(session, "user_id", completeKey.IntID())
sessionutils.Save(session, w, r)
//show user main page
http.Redirect(w, r, "/main/", http.StatusFound)
return
}