# API endpoint for creating, reading and deleting API session tokens.
#
# `create` is the login action: it is the only action exempt from the
# `api_session_token_authenticate!` filter, so everything it reads from
# `params` is unauthenticated, caller-controlled input.
#
# NOTE(review): the items below depend on code not visible in this file;
# confirm each one against ApiController and UserAuthenticationService.
# * The token is looked up from a caller-supplied value (`params[:token]` or
#   the authorization header). If the helper reuses a caller-chosen value,
#   binding a user to it at login is a session-fixation risk. Confirm that
#   token values are always server-generated, or rotate them on login.
# * `password`, `api_key` and `token` arrive as request parameters. Confirm
#   they are listed in `config.filter_parameters` so they stay out of logs.
# * No throttling or lockout is visible here; presumably handled elsewhere.
class Api::V1::SessionsController < ApiController
  skip_before_filter :api_session_token_authenticate!, only: [:create]

  # Responds with the session token and, when a username is supplied together
  # with a valid password or API key, attaches the matching confirmed user.
  #
  # Without a username the token is returned with no user assigned here.
  def create
    token = current_api_session_token(params[:token] || authorization_header)

    username = params[:username]
    if username
      # Only confirmed accounts are considered. @user is nil when nothing
      # matches and is still handed to the authentication service below.
      # NOTE(review): confirm the service fails closed for a nil user and
      # answers the same way for "unknown user" and "wrong credential".
      @user = User.confirmed.find_by_username(username)

      # The password is checked first; the API key is consulted only when the
      # password check returns a falsy value.
      authenticated = provided_valid_password? || provided_valid_api_key?
      token.user = @user if authenticated
    end

    respond_with token
  end

  # Responds with the session token of the current request.
  def show
    respond_with current_api_session_token
  end

  # Deletes the current session token and answers 204 with an empty body.
  def destroy
    current_api_session_token.delete!
    render nothing: true, status: 204
  end

  private

  # Falsy when no password parameter was sent; otherwise whatever
  # UserAuthenticationService.authenticate_with_password! returns for @user.
  # NOTE(review): the value is passed through unmodified; confirm the service
  # rejects non-String input (nested params can arrive as Hash or Array).
  def provided_valid_password?
    password = params[:password]
    password && UserAuthenticationService.authenticate_with_password!(@user, password)
  end

  # Falsy when no api_key parameter was sent; otherwise whatever
  # UserAuthenticationService.authenticate_with_api_key! returns. The current
  # session token's value is passed as a third argument.
  # NOTE(review): the helper is called without arguments here, presumably
  # returning the token resolved in `create`; confirm it is memoized.
  def provided_valid_api_key?
    api_key = params[:api_key]
    api_key && UserAuthenticationService.authenticate_with_api_key!(
      @user, api_key, current_api_session_token.token
    )
  end

  # Maps a token to the sessions path.
  # NOTE(review): presumably resolved by `respond_with` when it builds the
  # Location header of the create response; confirm.
  def api_session_token_url(token)
    api_v1_sessions_path(token)
  end
end