authorLars Wirzenius <liw@liw.fi>2018-07-31 15:46:45 +0300
committerLars Wirzenius <liw@liw.fi>2018-07-31 15:54:02 +0300
commit527d2855f37bed4fe8ab82a0d0c340258a19adc7 (patch)
treee2f87ebabda349f568405c27f26761c1b313be18 /yarns
parent9ead1c5c91e3c75274aa56dca2b17036cdc45573 (diff)
downloadqvisqve-527d2855f37bed4fe8ab82a0d0c340258a19adc7.tar.gz
Add: actually check user credentials
Diffstat (limited to 'yarns')
-rw-r--r--yarns/300-end-user-auth.yarn4
-rw-r--r--yarns/lib.py13
2 files changed, 16 insertions, 1 deletions
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn
index f2a74f2..46d6236 100644
--- a/yarns/300-end-user-auth.yarn
+++ b/yarns/300-end-user-auth.yarn
@@ -26,6 +26,10 @@ User goes to the login URL and gets a login page.
AND body has an HTML form with field password
WHEN browser requests POST /auth, with form values
+ ... username=tomjon and password=wrong
+ THEN HTTP status code is 401 Unauthorized
+
+ WHEN browser requests POST /auth, with form values
... username=tomjon and password=hunter2
THEN HTTP status code is 302 Found
AND HTTP Location header is https://facade/callback?code=123
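Review bot: The added negative case only covers a wrong password for the existing user `tomjon`; nothing in this scenario checks a username that is not in the store. An unknown user should get the same 401 as a bad password, so the login endpoint does not reveal which accounts exist. Consider adding a step such as `WHEN browser requests POST /auth, with form values` / `... username=nosuchuser and password=hunter2` / `THEN HTTP status code is 401 Unauthorized` (the user name is a constructed example). It may also be worth asserting that the 401 response carries no `Location` header with a `code`, though whether the yarn step library has such a step is not visible here.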
diff --git a/yarns/lib.py b/yarns/lib.py
index 56707ba..7d83c08 100644
--- a/yarns/lib.py
+++ b/yarns/lib.py
@@ -181,9 +181,11 @@ def start_qvisqve():
os.mkdir(store)
os.mkdir(os.path.join(store, 'client'))
os.mkdir(os.path.join(store, 'application'))
+ os.mkdir(os.path.join(store, 'user'))
+
+ sh = qvisqve_secrets.SecretHasher()
if V['client_id'] and V['client_secret']:
- sh = qvisqve_secrets.SecretHasher()
client = {
'hashed_secret': sh.hash(V['client_secret']),
'allowed_scopes': V['allowed_scopes'],
@@ -202,6 +204,15 @@ def start_qvisqve():
with open(filename, 'w') as f:
yaml.safe_dump(spec, stream=f)
+ users = V['users']
+ for name in users or []:
+ filename = os.path.join(store, 'user', name)
+ spec = {
+ 'hashed_secret': sh.hash(users[name]),
+ }
+ with open(filename, 'w') as f:
+ yaml.safe_dump(spec, stream=f)
+
config = {
'gunicorn': 'background',
'gunicorn-log': 'gunicorn.log',
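Review bot: In the new user loop, `name` is used unchecked in `os.path.join(store, 'user', name)`, so a name containing a path separator or `..` would place the credential file outside the `user` directory. Here the names come from the test variable `V['users']`, so the risk in this helper is low, but a guard such as `if os.path.basename(name) != name: raise ValueError(name)` keeps the fixture from silently writing elsewhere. The file holding `hashed_secret` is also created with a plain `open(filename, 'w')`, so it gets umask-default permissions; if this store is meant to mirror a real deployment, a restrictive mode would be closer. As a style point, `for name, password in (users or {}).items():` avoids the second lookup `users[name]`. The body of `start_qvisqve` begins and continues outside this hunk.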