Add authentication system with login, password reset, and member area

server/api/auth/login.post.js

@@ -0,0 +1,69 @@
+import { readUsers, writeUsers, verifyPassword, generateToken, createSession } from '../../utils/auth.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const body = await readBody(event)
+    const { email, password } = body
+
+    if (!email || !password) {
+      throw createError({
+        statusCode: 400,
+        message: 'E-Mail und Passwort sind erforderlich'
+      })
+    }
+
+    // Find user
+    const users = await readUsers()
+    const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
+
+    if (!user) {
+      throw createError({
+        statusCode: 401,
+        message: 'Ungültige Anmeldedaten'
+      })
+    }
+
+    // Verify password
+    const isValid = await verifyPassword(password, user.password)
+    if (!isValid) {
+      throw createError({
+        statusCode: 401,
+        message: 'Ungültige Anmeldedaten'
+      })
+    }
+
+    // Generate token
+    const token = generateToken(user)
+
+    // Create session
+    await createSession(user.id, token)
+
+    // Update last login
+    user.lastLogin = new Date().toISOString()
+    const updatedUsers = users.map(u => u.id === user.id ? user : u)
+    await writeUsers(updatedUsers)
+
+    // Set cookie
+    setCookie(event, 'auth_token', token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 60 * 60 * 24 * 7 // 7 days
+    })
+
+    // Return user data (without password)
+    return {
+      success: true,
+      user: {
+        id: user.id,
+        email: user.email,
+        name: user.name,
+        role: user.role
+      }
+    }
+  } catch (error) {
+    console.error('Login-Fehler:', error)
+    throw error
+  }
+})
+

server/api/auth/logout.post.js

@@ -0,0 +1,26 @@
+import { deleteSession } from '../../utils/auth.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const token = getCookie(event, 'auth_token')
+
+    if (token) {
+      await deleteSession(token)
+    }
+
+    // Delete cookie
+    deleteCookie(event, 'auth_token')
+
+    return {
+      success: true,
+      message: 'Erfolgreich abgemeldet'
+    }
+  } catch (error) {
+    console.error('Logout-Fehler:', error)
+    throw createError({
+      statusCode: 500,
+      message: 'Abmeldung fehlgeschlagen'
+    })
+  }
+})
+

server/api/auth/reset-password.post.js

@@ -0,0 +1,82 @@
+import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
+import nodemailer from 'nodemailer'
+import crypto from 'crypto'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const body = await readBody(event)
+    const { email } = body
+
+    if (!email) {
+      throw createError({
+        statusCode: 400,
+        message: 'E-Mail-Adresse ist erforderlich'
+      })
+    }
+
+    // Find user
+    const users = await readUsers()
+    const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
+
+    // Always return success (security: don't reveal if email exists)
+    if (!user) {
+      return {
+        success: true,
+        message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
+      }
+    }
+
+    // Generate temporary password
+    const tempPassword = crypto.randomBytes(8).toString('hex')
+    const hashedPassword = await hashPassword(tempPassword)
+
+    // Update user password
+    user.password = hashedPassword
+    user.passwordResetRequired = true
+    const updatedUsers = users.map(u => u.id === user.id ? user : u)
+    await writeUsers(updatedUsers)
+
+    // Send email with temporary password
+    const transporter = nodemailer.createTransport({
+      host: process.env.SMTP_HOST || 'smtp.gmail.com',
+      port: process.env.SMTP_PORT || 587,
+      secure: false,
+      auth: {
+        user: process.env.SMTP_USER,
+        pass: process.env.SMTP_PASS
+      }
+    })
+
+    const mailOptions = {
+      from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
+      to: user.email,
+      subject: 'Passwort zurücksetzen - Harheimer TC',
+      html: `
+        <h2>Passwort zurücksetzen</h2>
+        <p>Hallo ${user.name},</p>
+        <p>Sie haben eine Anfrage zum Zurücksetzen Ihres Passworts gestellt.</p>
+        <p>Ihr temporäres Passwort lautet: <strong>${tempPassword}</strong></p>
+        <p>Bitte melden Sie sich damit an und ändern Sie Ihr Passwort im Mitgliederbereich.</p>
+        <br>
+        <p>Falls Sie diese Anfrage nicht gestellt haben, ignorieren Sie diese E-Mail.</p>
+        <br>
+        <p>Mit sportlichen Grüßen,<br>Ihr Harheimer TC</p>
+      `
+    }
+
+    await transporter.sendMail(mailOptions)
+
+    return {
+      success: true,
+      message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
+    }
+  } catch (error) {
+    console.error('Password-Reset-Fehler:', error)
+    // Don't reveal errors to prevent email enumeration
+    return {
+      success: true,
+      message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
+    }
+  }
+})
+

server/api/auth/status.get.js

@@ -0,0 +1,45 @@
+import { getUserFromToken } from '../../utils/auth.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const token = getCookie(event, 'auth_token')
+
+    if (!token) {
+      return {
+        isLoggedIn: false,
+        user: null,
+        role: null
+      }
+    }
+
+    const user = await getUserFromToken(token)
+
+    if (!user) {
+      deleteCookie(event, 'auth_token')
+      return {
+        isLoggedIn: false,
+        user: null,
+        role: null
+      }
+    }
+
+    return {
+      isLoggedIn: true,
+      user: {
+        id: user.id,
+        email: user.email,
+        name: user.name,
+        role: user.role
+      },
+      role: user.role
+    }
+  } catch (error) {
+    console.error('Auth-Status-Fehler:', error)
+    return {
+      isLoggedIn: false,
+      user: null,
+      role: null
+    }
+  }
+})
+

server/data/members.json

@@ -0,0 +1,12 @@
+[
+  {
+    "id": "1",
+    "name": "Admin",
+    "email": "admin@harheimertc.de",
+    "phone": "069-12345678",
+    "role": "admin",
+    "memberSince": "2020-01-01",
+    "active": true
+  }
+]
+

server/data/sessions.json

@@ -0,0 +1,2 @@
+[]
+

server/data/users.json

@@ -0,0 +1,13 @@
+[
+  {
+    "id": "1",
+    "email": "admin@harheimertc.de",
+    "password": "$2a$10$rKqW8x3k5vJ8pZ7mN9qL1OXxYzQ2wF3bH4cT6nR8sV9kL0mP1qW2e",
+    "name": "Admin",
+    "role": "admin",
+    "phone": "",
+    "created": "2025-10-21T00:00:00.000Z",
+    "lastLogin": null
+  }
+]
+

server/utils/auth.js

@@ -0,0 +1,125 @@
+import bcrypt from 'bcryptjs'
+import jwt from 'jsonwebtoken'
+import { promises as fs } from 'fs'
+import path from 'path'
+
+const JWT_SECRET = process.env.JWT_SECRET || 'harheimertc-secret-key-change-in-production'
+const USERS_FILE = path.join(process.cwd(), 'server/data/users.json')
+const SESSIONS_FILE = path.join(process.cwd(), 'server/data/sessions.json')
+
+// Read users from file
+export async function readUsers() {
+  try {
+    const data = await fs.readFile(USERS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    console.error('Fehler beim Lesen der Benutzerdaten:', error)
+    return []
+  }
+}
+
+// Write users to file
+export async function writeUsers(users) {
+  try {
+    await fs.writeFile(USERS_FILE, JSON.stringify(users, null, 2), 'utf-8')
+    return true
+  } catch (error) {
+    console.error('Fehler beim Schreiben der Benutzerdaten:', error)
+    return false
+  }
+}
+
+// Read sessions from file
+export async function readSessions() {
+  try {
+    const data = await fs.readFile(SESSIONS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    console.error('Fehler beim Lesen der Sessions:', error)
+    return []
+  }
+}
+
+// Write sessions to file
+export async function writeSessions(sessions) {
+  try {
+    await fs.writeFile(SESSIONS_FILE, JSON.stringify(sessions, null, 2), 'utf-8')
+    return true
+  } catch (error) {
+    console.error('Fehler beim Schreiben der Sessions:', error)
+    return false
+  }
+}
+
+// Hash password
+export async function hashPassword(password) {
+  const salt = await bcrypt.genSalt(10)
+  return await bcrypt.hash(password, salt)
+}
+
+// Verify password
+export async function verifyPassword(password, hash) {
+  return await bcrypt.compare(password, hash)
+}
+
+// Generate JWT token
+export function generateToken(user) {
+  return jwt.sign(
+    {
+      id: user.id,
+      email: user.email,
+      role: user.role
+    },
+    JWT_SECRET,
+    { expiresIn: '7d' }
+  )
+}
+
+// Verify JWT token
+export function verifyToken(token) {
+  try {
+    return jwt.verify(token, JWT_SECRET)
+  } catch (error) {
+    return null
+  }
+}
+
+// Get user from token
+export async function getUserFromToken(token) {
+  const decoded = verifyToken(token)
+  if (!decoded) return null
+
+  const users = await readUsers()
+  return users.find(u => u.id === decoded.id)
+}
+
+// Create session
+export async function createSession(userId, token) {
+  const sessions = await readSessions()
+  const session = {
+    id: Date.now().toString(),
+    userId,
+    token,
+    createdAt: new Date().toISOString(),
+    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString() // 7 days
+  }
+  sessions.push(session)
+  await writeSessions(sessions)
+  return session
+}
+
+// Delete session
+export async function deleteSession(token) {
+  const sessions = await readSessions()
+  const filtered = sessions.filter(s => s.token !== token)
+  await writeSessions(filtered)
+}
+
+// Clean expired sessions
+export async function cleanExpiredSessions() {
+  const sessions = await readSessions()
+  const now = new Date()
+  const valid = sessions.filter(s => new Date(s.expiresAt) > now)
+  await writeSessions(valid)
+}
+