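const sanitize = require('mongo-sanitize');
const db = global['requireModule']('database');

/** Body fields this route requires; each must be a non-empty string. */
const REQUIRED_FIELDS = ['applicationId', 'applicationSecret', 'userId', 'token'];

/**
 * Send a JSON body of the shape `{ status, message }` and end the response.
 * @param {object} res - Express response
 * @param {number} status - HTTP status code, echoed in the body
 * @param {string|string[]} message - i18n key(s) for the client
 * @returns {object} the ended response
 */
function reply(res, status, message) {
  return res.type('json').status(status).end(JSON.stringify({ status: status, message: message }));
}

module.exports = {
  path: "/authenticate",

  /**
   * apps verify token
   * @url /api/authenticate
   * @method POST
   * @POST ['applicationId', 'applicationSecret', 'userId', 'token']
   *
   * Responses (body is always `{ status, message }`):
   *  - 401 ['msg.request.data.missing']       a required field is absent, empty or not a string
   *  - 500 ['msg.database.error']             db.getAuth reported an error, threw, or returned nothing
   *  - 401 'msg.auth.authentication.failed'   no record matched the four supplied values
   *  - 200 'msg.auth.authentication.successful'
   */
  post: async (req, res) => {
    const body = req.body || {};

    // Only non-empty strings may reach the database. A bare truthiness check
    // lets JSON objects and arrays through, and mongo-sanitize only strips
    // `$`-prefixed keys - it does not enforce a type.
    for (const field of REQUIRED_FIELDS) {
      if (typeof body[field] !== 'string' || body[field].length === 0) {
        return reply(res, 401, ['msg.request.data.missing']);
      }
    }

    const applicationId = sanitize(body.applicationId);
    const applicationSecret = sanitize(body.applicationSecret);
    const userId = sanitize(body.userId);
    const token = sanitize(body.token);

    // NOTE(review): the secret and token are matched inside the database
    // query, so no constant-time comparison is possible at this layer; whether
    // they are stored hashed is decided by db.getAuth - confirm. The route is
    // unauthenticated and accepts an application secret; no rate limiting is
    // visible here, so it should be enforced upstream.
    let auth;
    try {
      auth = await db.getAuth({ aId: applicationId, aSecret: applicationSecret, uId: userId, token: token });
    } catch (err) {
      // A thrown error would otherwise escape the async handler as an
      // unhandled rejection; treat it like a reported database error.
      global['logs'].debug(err);
      return reply(res, 500, ['msg.database.error']);
    }

    if (!auth || auth.err) {
      // Only the error object is logged - never the submitted secret or token.
      global['logs'].debug(auth ? auth.err : 'db.getAuth returned no result');
      return reply(res, 500, ['msg.database.error']);
    }

    // Empty reply: no record matched, i.e. unknown user or wrong secret/token.
    if (!auth.reply || auth.reply.length === 0) {
      return reply(res, 401, 'msg.auth.authentication.failed');
    }

    // No authorization decision is made here: the clients are also resource
    // servers and handle data requests for themselves.
    return reply(res, 200, 'msg.auth.authentication.successful');
  }
};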