Enhance authentication checks in CMS API endpoints; implement user role validation for admin and board access. Refactor Spielpläne API to remove unnecessary logging and improve error handling. Update tests to mock user authentication and ensure proper validation of file uploads.

server/api/cms/upload-spielplan-pdf.post.js

@@ -1,6 +1,7 @@
 import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
+import { getUserFromToken } from '../../utils/auth.js'
 
 // Multer-Konfiguration für PDF-Uploads
 const storage = multer.diskStorage({
@@ -31,12 +32,35 @@ const upload = multer({
 
 export default defineEventHandler(async (event) => {
   try {
-    // Prüfe Authentifizierung
-    const authHeader = getHeader(event, 'authorization')
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    let token = getCookie(event, 'auth_token')
+
+    if (!token) {
+      const authHeader = getHeader(event, 'authorization')
+      if (authHeader && authHeader.startsWith('Bearer ')) {
+        token = authHeader.substring(7).trim()
+      }
+    }
+
+    if (!token) {
       throw createError({
         statusCode: 401,
-        statusMessage: 'Nicht autorisiert'
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const currentUser = await getUserFromToken(token)
+
+    if (!currentUser) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
       })
     }