# HG changeset patch
# User Sascha L. Teichmann
# Date 1535103371 -7200
# Node ID 2ac37419f593109db87e5d52bef4aed556183cc2
# Parent 27502291e564189de05b7f414eec99728a498511
Implemented wamos/issue114 (Improve code consistency: For login use json body, disallow GET).
diff -r 27502291e564 -r 2ac37419f593 client/package.json
--- a/client/package.json Fri Aug 24 10:50:58 2018 +0200
+++ b/client/package.json Fri Aug 24 11:36:11 2018 +0200
@@ -18,7 +18,6 @@
"font-awesome": "^4.7.0",
"locale2": "^2.2.0",
"ol": "^5.0.0",
- "qs": "^6.5.2",
"vue": "^2.5.16",
"vue-router": "^3.0.1",
"vuex": "^3.0.1"
diff -r 27502291e564 -r 2ac37419f593 client/src/stores/user.js
--- a/client/src/stores/user.js Fri Aug 24 10:50:58 2018 +0200
+++ b/client/src/stores/user.js Fri Aug 24 11:36:11 2018 +0200
@@ -1,5 +1,4 @@
import { HTTP } from "../lib/http";
-import qs from "qs";
const User = {
namespaced: true,
@@ -66,7 +65,7 @@
// using POST is a bit more secure than GET
return new Promise((resolve, reject) => {
// axios will add the application/x-www-form-urlencoded header this way
- HTTP.post("/login", qs.stringify(user))
+ HTTP.post("/login", user)
.then(response => {
commit("auth_success", response.data);
resolve(response);
diff -r 27502291e564 -r 2ac37419f593 client/yarn.lock
--- a/client/yarn.lock Fri Aug 24 10:50:58 2018 +0200
+++ b/client/yarn.lock Fri Aug 24 11:36:11 2018 +0200
@@ -7261,7 +7261,7 @@
version "6.5.1"
resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.1.tgz#349cdf6eef89ec45c12d7d5eb3fc0c870343a6d8"
-qs@^6.5.2, qs@~6.5.1, qs@~6.5.2:
+qs@~6.5.1, qs@~6.5.2:
version "6.5.2"
resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.2.tgz#cb3ae806e8740444584ef154ce8ee98d403f3e36"
diff -r 27502291e564 -r 2ac37419f593 pkg/controllers/routes.go
--- a/pkg/controllers/routes.go Fri Aug 24 10:50:58 2018 +0200
+++ b/pkg/controllers/routes.go Fri Aug 24 11:36:11 2018 +0200
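Review bot: The comment kept on the line above the changed call, `// axios will add the application/x-www-form-urlencoded header this way`, is now wrong: with the `qs.stringify` wrapper gone, axios serializes the plain `user` object as JSON and sends `Content-Type: application/json`, which is what the Go side of this commit decodes. Replace it with `// axios serializes a plain object as JSON and sets Content-Type: application/json`. The enclosing store action starts and ends outside the hunk.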
@@ -96,7 +96,7 @@
// Token handling: Login/Logout.
api.HandleFunc("/login", login).
- Methods(http.MethodGet, http.MethodPost)
+ Methods(http.MethodPost)
api.Handle("/logout", auth.SessionMiddleware(http.HandlerFunc(logout))).
Methods(http.MethodGet, http.MethodPost)
api.Handle("/renew", auth.SessionMiddleware(http.HandlerFunc(renew))).
diff -r 27502291e564 -r 2ac37419f593 pkg/controllers/token.go
--- a/pkg/controllers/token.go Fri Aug 24 10:50:58 2018 +0200
+++ b/pkg/controllers/token.go Fri Aug 24 11:36:11 2018 +0200
@@ -47,9 +47,8 @@
}
func logout(rw http.ResponseWriter, req *http.Request) {
- token, _ := auth.GetToken(req)
- deleted := auth.ConnPool.Delete(token)
- if !deleted {
+ token, ok := auth.GetToken(req)
+ if !ok || !auth.ConnPool.Delete(token) {
http.NotFound(rw, req)
return
}
@@ -59,19 +58,27 @@
func login(rw http.ResponseWriter, req *http.Request) {
- var (
- user = req.FormValue("user")
- password = req.FormValue("password")
- )
+ var input struct {
+ User models.UserName `json:"user"`
+ Password string `json:"password"`
+ }
+ defer req.Body.Close()
+ if err := json.NewDecoder(req.Body).Decode(&input); err != nil {
+ log.Printf("%v\n", err)
+ http.Error(rw, "error: "+err.Error(), http.StatusBadRequest)
+ return
+ }
- if !models.UserName(user).IsValid() || password == "" {
+ if input.Password == "" {
http.Error(rw, "Invalid credentials", http.StatusBadRequest)
return
}
- token, session, err := auth.GenerateSession(user, password)
+ token, session, err := auth.GenerateSession(
+ string(input.User),
+ input.Password)
if err != nil {
- http.Error(rw, fmt.Sprintf("error: %v", err), http.StatusUnauthorized)
+ http.Error(rw, "error: "+err.Error(), http.StatusUnauthorized)
return
}
diff -r 27502291e564 -r 2ac37419f593 pkg/models/types.go
--- a/pkg/models/types.go Fri Aug 24 10:50:58 2018 +0200
+++ b/pkg/models/types.go Fri Aug 24 11:36:11 2018 +0200
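Review bot: `/login` is now POST-only, but the `/logout` route two lines below still accepts `http.MethodGet`, the same GET-with-side-effects pattern this commit removes from `/login`; the token.go hunk shows logout deleting the session from `auth.ConnPool`, so if the token travels in a cookie (`auth.GetToken` is not in the hunk) any cross-site image or link prefetch hitting `/logout` would terminate the caller's session. Changing that line to `Methods(http.MethodPost)` keeps the two token routes consistent; `/renew`, whose `Methods` call lies outside the hunk, presumably warrants the same treatment. The client-side callers would need to follow suit.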
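Review bot: The dropped `IsValid()` guard is not fully covered by `UserName.UnmarshalJSON`: encoding/json only invokes the unmarshaler for keys present in the body, so a request without a `user` key leaves `input.User` empty and `auth.GenerateSession` is called with `""` as the user name, which the old code rejected before any lookup. Keep the check on the new side, `if !input.User.IsValid() || input.Password == "" {`. Two smaller points on the same path: the 401 response `"error: "+err.Error()` echoes whatever `GenerateSession` returns to an unauthenticated caller, so unless that error is known to be generic, log it server-side and return the fixed `"Invalid credentials"` text; and the decoder reads an unbounded body on an unauthenticated endpoint, so wrap it as `json.NewDecoder(http.MaxBytesReader(rw, req.Body, 1<<16))` or a similar small limit. login's body continues past the hunk.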
@@ -88,15 +88,11 @@
if err := json.Unmarshal(data, &s); err != nil {
return err
}
- if !emailRe.MatchString(s) {
- return errNoEmailAddress
+ if user := UserName(s); user.IsValid() {
+ *u = user
+ return nil
}
- user := UserName(s)
- if !user.IsValid() {
- return errNoValidUser
- }
- *u = user
- return nil
+ return errNoValidUser
}
func (u *UserName) Scan(src interface{}) (err error) {
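Review bot: Dropping the `emailRe` check makes `IsValid` (not in the hunk) the only gate on a user name arriving in the JSON body of `/login`; confirm it bounds length and character set, since the former email-shape requirement is otherwise replaced by accepting whatever string `IsValid` lets through. `errNoEmailAddress` has no remaining use inside this hunk; if nothing else references it or `emailRe`, both are dead after this change and should go with it. The method (presumably `UnmarshalJSON`; its signature starts outside the hunk) also lacks a doc comment: `// UnmarshalJSON decodes a JSON string into u and returns errNoValidUser unless UserName.IsValid accepts it.`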