| author | Azul <azul@leap.se> | 2013-04-02 14:20:55 +0200 | 
|---|---|---|
| committer | Azul <azul@leap.se> | 2013-04-02 14:20:55 +0200 | 
| commit | 62c48c5a14ea0c1221216c3e40eb82ef594f2771 (patch) | |
| tree | 374b3201989f20fa6f6b10a0a63c75cd6ff4f3db | |
| parent | 869ba2f363a48d0f76321efc08a228f54aeb6758 (diff) | |
send salt on Session#create without srp ephemeral A
| -rw-r--r-- | users/app/controllers/v1/sessions_controller.rb | 7 | ||||
| -rw-r--r-- | users/test/functional/v1/sessions_controller_test.rb | 11 | 
2 files changed, 16 insertions, 2 deletions
diff --git a/users/app/controllers/v1/sessions_controller.rb b/users/app/controllers/v1/sessions_controller.rb
index 0551ca9..9365d76 100644
--- a/users/app/controllers/v1/sessions_controller.rb
+++ b/users/app/controllers/v1/sessions_controller.rb
@@ -13,7 +13,12 @@ module V1
     def create
       logout if logged_in?
-      authenticate!
+      if params['A']
+        authenticate!
+      else
+        @user = User.find_by_login(params['login'])
+        render :json => {salt: @user.salt}
+      end
     end
     def update
diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb
index be085ce..535da52 100644
--- a/users/test/functional/v1/sessions_controller_test.rb
+++ b/users/test/functional/v1/sessions_controller_test.rb
@@ -7,7 +7,7 @@ class V1::SessionsControllerTest < ActionController::TestCase
   setup do
     @request.env['HTTP_HOST'] = 'api.lvh.me'
-    @user = stub :login => "me", :id => 123
+    @user = stub_record :user
     @client_hex = 'a123'
   end
@@ -36,6 +36,15 @@ class V1::SessionsControllerTest < ActionController::TestCase
     post :create, :login => @user.login, 'A' => @client_hex
   end
+  test "should send salt" do
+    User.expects(:find_by_login).with(@user.login).returns(@user)
+
+    post :create, :login => @user.login
+
+    assert_equal @user, assigns(:user)
+    assert_json_response salt: @user.salt
+  end
+
   test "should authorize" do
     request.env['warden'].expects(:authenticate!)
     @controller.expects(:current_user).returns(@user)  | 
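Review bot: In the new `else` branch of `create` (sessions_controller.rb), `User.find_by_login(params['login'])` returns nil when the login is unknown or the parameter is missing, so `@user.salt` raises NoMethodError and the request fails with a 500 rather than a controlled response. A guard before the render, e.g. `return head(:not_found) unless @user`, avoids the crash. Either way the response differs between existing and non-existing logins for an unauthenticated caller; if account enumeration matters for this API, answer unknown logins with a salt derived deterministically from the login and a server-side secret so both cases look the same. The added test "should send salt" in sessions_controller_test.rb covers only a found user; a case where `find_by_login` returns nil would pin whichever behaviour is chosen.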
