auth.rxbn.de/bin/web/routes/api/login.js

var sanitize = require('mongo-sanitize');
let db = global['requireModule']('database');

module.exports = {
	path: "/login",
	/**
	 * login a user
	 * @url /api/login
	 * @method POST
	 * @POST ['email', 'password']
	 * @TODO add new activity 'action.user.login'
	 */
	post: async (req, res) => {
		// if user is logged in (existing session); FAIL
		if(req.session.user) {
			return res.type('json').end(JSON.stringify({
				status: 401,
				message: 'msg.auth.logout.required'
			}));
		}

		// check body variables
		if(!req.body.email || !req.body.password) {
			return res.type('json').status(401).end(JSON.stringify({
				status: 401,
				message: [
					'msg.request.data.missing',
					'msg.auth.login.failed'
				]
			}));
		}
		let email = sanitize(req.body.email);
		let pass = sanitize(req.body.password);

		// database query: get user by email
		user = await db.getUser(email);

		// if database error
		if(user.err) {
			// log error while debugging
			global['logs'].debug(user.err);

			// login failed because of database error
			return res.type('json').status(500).end(JSON.stringify({
				status: 500,
				message: [
					'msg.database.error',
					'msg.auth.login.failed'
				]
			}));
		}

		// no reply (user does not exist) or password is wrong
		if(!user.reply || user.reply === null || user.reply.length == 0 || user.reply.length > 1 || !global['requireModule']('auth').validateHash(user.reply.passhash, pass)) {
			return res.type('json').status(401).end(JSON.stringify({
				status: 401,
				message: 'msg.auth.login.failed'
			}));
		// do login
		} else {
			// add cookies; login
			// new activity 'action.user.login'

			// add session data
			req.session.user = {
				'id': user.reply._id,
				'group': user.reply.group
			};

			return res.type('json').end(JSON.stringify({
				status: 200,
				message: 'msg.auth.login.successful',
				type: 'form' // TODO: types - { form, access_app}
			}));
		}

	}
};