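# Copyright (C) 2024 Manuel Bustillo
# frozen_string_literal: true

# JSON endpoints for logging a user in (`create`) and out (`destroy`).
#
# `allow_unauthenticated_access`, `start_new_session_for` and `terminate_session`
# are not defined in this file; they presumably come from the `Authentication`
# concern included by ApplicationController (Rails 8 authentication generator).
# Confirm against that concern before relying on the details noted below.
#
# NOTE(review): both actions are cookie-backed and answer JSON. Whether CSRF
# protection applies to them (login CSRF on `create`, logout CSRF on `destroy`)
# depends on ApplicationController, which is not visible here — verify.
class SessionsController < ApplicationController
  # Only the login action itself is reachable without a session; `destroy`
  # stays behind whatever authentication requirement ApplicationController
  # enforces for everything else.
  allow_unauthenticated_access only: :create

  # Throttle credential guessing on the login endpoint. No `by:` is given, so
  # the Rails default key (the client IP via `request.remote_ip`) applies —
  # behind a proxy or shared NAT this can under- or over-throttle unless
  # `remote_ip` is configured correctly. The limit is applied to `create` only.
  rate_limit to: 10, within: 3.minutes, only: :create,
             with: -> { render json: { errors: ['Rate limit exceeded'] }, status: :too_many_requests }

  # Authenticate with `email_address` + `password` and open a new session.
  #
  # Params: `email_address`, `password` (all other keys are dropped by `permit`).
  # Responds 201 with an empty JSON object on success, otherwise 401 with a
  # deliberately generic error so the response does not reveal whether the
  # email address exists.
  def create
    credentials = params.permit(:email_address, :password)

    # `User.authenticate_by` raises ArgumentError when either the finder
    # attribute or the password attribute is absent from the hash, which would
    # turn a malformed login request (missing field) into a 500. Treat a
    # missing or blank field as ordinary bad credentials instead.
    user =
      if credentials[:email_address].present? && credentials[:password].present?
        User.authenticate_by(credentials)
      end

    if user
      start_new_session_for user
      render json: {}, status: :created
    else
      render json: { errors: ['Invalid email address or password'] }, status: :unauthorized
    end
  end

  # End the current session. Always answers 200 with an empty JSON object;
  # `terminate_session` (from the authentication concern, not shown here) is
  # presumably what revokes the server-side session and its cookie.
  def destroy
    terminate_session
    render json: {}, status: :ok
  end
end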