+function auth_admin(request, response, next) {
+ /* If there is no user associated with this session, redirect to the login
+ * page (and set a "next" query parameter so we can come back here).
+ */
+ if (! request.session.user) {
+ response.redirect(302, "/login?next=" + request.path);
+ return;
+ }
+
+ /* If the user is logged in but not authorized to view the page then
+ * we return that error. */
+ if (request.session.user.role !== "admin") {
+ response.status(401).send("Unauthorized");
+ return;
+ }
+ next();
+}
+
+app.get('/logout', (request, response) => {
+ request.session.user = undefined;
+ request.session.destroy();
+
+ response.send("You are now logged out.");
+});
+
+app.get('/login', (request, response) => {
+ if (request.session.user) {
+ response.send("Welcome, " + request.session.user + ".");
+ return;
+ }
+
+ response.render('login.html');
+});
+
+app.post('/login', async (request, response) => {
+ const username = request.body.username;
+ const password = request.body.password;
+ const user = lmno_config.users[username];
+ if (! user) {
+ response.sendStatus(404);
+ return;
+ }
+ const match = await bcrypt.compare(password, user.password_hash_bcrypt);
+ if (! match) {
+ response.sendStatus(404);
+ return;
+ }
+ request.session.user = { username: user.username, role: user.role };
+ response.sendStatus(200);
+ return;
+});
+
+/* API to set uer profile information */
+app.put('/profile', (request, response) => {
+ const nickname = request.body.nickname;
+ if (nickname) {
+ request.session.nickname = nickname;
+ request.session.save();
+ }
+ response.send();
+});
+
+/* An admin page (only available to admin users, of course) */
+app.get('/admin/', auth_admin, (request, response) => {
+ let active = [];
+ let idle = [];
+
+ for (let id in lmno.games) {
+ if (lmno.games[id].clients.length)
+ active.push(lmno.games[id]);
+ else
+ idle.push(lmno.games[id]);
+ }
+ response.render('admin.html', { test: "foobar", games: { active: active, idle: idle}});
+});
+
+