class SessionsController < ApplicationController

  allow_unauthenticated_access only: %i[new create]
  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }


  def new
  end


  def create
    
    user = User.find_by(email_address: params[:email_address])

    if user&.authenticate(params[:password]) 
      session[:user_id] = user.id
      start_new_session_for(user)
      redirect_to root_path, notice: "Signed in!"
    else
      flash[:alert] = "Invalid email or password"
      render :new, status: :unprocessable_entity
    end
  end


  def destroy
    session.delete(:user_id)  
    reset_session              
    redirect_to root_path, notice: "Signed out!"
  end
end