1 files changed, 21 insertions, 8 deletions

diff --git a/src/server/Secure.hs b/src/server/Secure.hs
index 1fef713..8565098 100644
--- a/src/server/Secure.hs
+++ b/src/server/Secure.hs
@@ -8,13 +8,15 @@ import Web.Scotty
 
 import Network.HTTP.Types.Status (forbidden403)
 
-import Database.Persist (Entity)
+import Database.Persist (Entity, entityVal)
 
-import Model.Database (User, runDb)
 import Model.User (getUser)
+import Model.SignIn (getSignInToken, isLastValidToken)
+import Model.Database
 
 import Control.Monad.IO.Class (liftIO)
 
+import Data.Text (Text)
 import qualified Data.Text as T
 import qualified Data.Text.IO as TIO
 
@@ -22,17 +24,28 @@ import qualified LoginSession
 
 loggedAction :: (Entity User -> ActionM ()) -> ActionM ()
 loggedAction action = do
-  maybeLogin <- LoginSession.get
-  case maybeLogin of
-    Just login -> do
-      maybeUser <- liftIO . runDb $ getUser login
+  maybeToken <- LoginSession.get
+  case maybeToken of
+    Just token -> do
+      maybeUser <- liftIO . runDb . getUserFromToken $ token
       case maybeUser of
         Just user ->
           action user
         Nothing -> do
           status forbidden403
-          liftIO . TIO.putStrLn . T.concat $ ["Could not find the user which login is ", login]
-          html "Could not find a user from your login"
+          html "You are not authorized to logged in"
     Nothing -> do
       status forbidden403
       html "You need to be logged in to perform this action"
+
+getUserFromToken :: Text -> Persist (Maybe (Entity User))
+getUserFromToken token = do
+  mbSignIn <- fmap entityVal <$> getSignInToken token
+  case mbSignIn of
+    Just signIn -> do
+      isValid <- isLastValidToken signIn
+      if isValid
+        then getUser (signInEmail signIn)
+        else return Nothing
+    Nothing ->
+      return Nothing