(define (web-handler continue)
  (let* ((request (current-request))
         (method (request-method request))
         (path (uri-path (request-uri request)))
         (authenticated? (request-authenticated? request)))
    (match (list method path authenticated?)
      ;; TODO: request to favicon.ico
      ;; NOTE: the default handler checks the request method for us
      ((_ ('/ "static" . args) _)
       ;; NOTE: normally, the default handler strips the root-path
       ;; prefix before serving the file, this trick undoes that
       (parameterize ((root-path "./"))
         (continue)))
      (('GET ('/ "logout") #t)
       (let ((cookie (session-cookie request)))
         (invalidate-session! (session-cookie request))
         (send-redirect "/login" cookie '((max-age . 0)))))
      (('GET ('/ "logout") #f)
       (send-redirect "/login"))
      (('GET ('/ "login") _)
       (send-html (login-page authenticated?)))
      (('POST ('/ "login") _)
       (process-login request))
      (('GET ('/ "") #t)
       (send-html (index-page authenticated?)))
      (('GET _ #t)
       ;; NOTE: default handler serves 404 for us
       (continue))
      (('GET _ #f)
       (send-redirect "/login"))
      ((_ _ _)
       (send-response code: 405)))))