feat(auth): implement Android refresh token handling and session management

- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints.
- Implemented new tests for login, logout, and refresh functionalities specific to Android clients.
- Enhanced password reset logging with normalization and masking of email addresses.
- Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs.
- Introduced a new utility for managing password reset logs with retention policies.
- Added tests for password reset log utilities to ensure proper functionality and privacy compliance.
- Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.

server/api/auth/login.post.js

@@ -1,4 +1,4 @@
-import { readUsers, writeUsers, verifyPassword, generateToken, createSession, migrateUserRoles } from '../../utils/auth.js'
+import { readUsers, writeUsers, verifyPassword, generateToken, generateAndroidAccessToken, createSession, createRefreshSession, migrateUserRoles } from '../../utils/auth.js'
 import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 import { getAuthCookieOptions } from '../../utils/cookies.js'
 import { writeAuditLog } from '../../utils/audit-log.js'
@@ -7,6 +7,7 @@ export default defineEventHandler(async (event) => {
   try {
     const body = await readBody(event)
     const { email, password } = body
+    const isAndroidClient = body.client === 'android'
 
     if (!email || !password) {
       throw createError({
@@ -72,11 +73,15 @@ export default defineEventHandler(async (event) => {
     registerRateLimitSuccess(event, { name: 'auth:login:ip', keyParts: [ip] })
     registerRateLimitSuccess(event, { name: 'auth:login:account', keyParts: [emailKey] })
 
-    // Generate token
-    const token = generateToken(user)
-
-    // Create session
-    await createSession(user.id, token)
+    let token
+    let refreshSession = null
+    if (isAndroidClient) {
+      refreshSession = await createRefreshSession(user.id, body.deviceName)
+      token = generateAndroidAccessToken(user, refreshSession.session.id)
+    } else {
+      token = generateToken(user)
+      await createSession(user.id, token)
+    }
 
     await writeAuditLog('auth.login.success', { ip, email: emailKey, userId: user.id })
 
@@ -85,10 +90,13 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
     await writeUsers(updatedUsers)
 
-    // Set cookie
-    setCookie(event, 'auth_token', token, {
-      ...getAuthCookieOptions()
-    })
+    if (isAndroidClient) {
+      deleteCookie(event, 'auth_token')
+    } else {
+      setCookie(event, 'auth_token', token, {
+        ...getAuthCookieOptions()
+      })
+    }
 
     // Migriere Rollen falls nötig
     const migratedUser = migrateUserRoles({ ...user })
@@ -98,6 +106,9 @@ export default defineEventHandler(async (event) => {
     return {
       success: true,
       token: token, // Token auch im Body für externe API-Clients
+      accessToken: isAndroidClient ? token : undefined,
+      refreshToken: refreshSession?.refreshToken,
+      sessionId: refreshSession?.session.id,
       user: {
         id: user.id,
         email: user.email,
@@ -112,4 +123,3 @@ export default defineEventHandler(async (event) => {
     throw error
   }
 })
-

server/api/auth/logout.post.js

@@ -1,12 +1,17 @@
-import { deleteSession } from '../../utils/auth.js'
+import { deleteSession, revokeRefreshSession } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
     const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace(/^Bearer\s+/i, '')
+    const body = await readBody(event)
+    const refreshToken = body?.refreshToken
 
     if (token) {
       await deleteSession(token)
     }
+    if (refreshToken) {
+      await revokeRefreshSession(refreshToken)
+    }
 
     // Delete cookie
     deleteCookie(event, 'auth_token')

server/api/auth/passkeys/login.post.js

@@ -65,7 +65,7 @@ export default defineEventHandler(async (event) => {
     })
   }
 
-  const { origin, rpId, requireUV } = getWebAuthnConfig()
+  const { origins, rpId, requireUV } = getWebAuthnConfig()
 
   const authenticator = {
     credentialID: fromBase64Url(passkey.credentialId),
@@ -74,14 +74,20 @@ export default defineEventHandler(async (event) => {
     transports: passkey.transports || undefined
   }
 
-  const verification = await verifyAuthenticationResponse({
-    response,
-    expectedChallenge: challenge,
-    expectedOrigin: origin,
-    expectedRPID: rpId,
-    authenticator,
-    requireUserVerification: requireUV
-  })
+  let verification
+  try {
+    verification = await verifyAuthenticationResponse({
+      response,
+      expectedChallenge: challenge,
+      expectedOrigin: origins,
+      expectedRPID: rpId,
+      authenticator,
+      requireUserVerification: requireUV
+    })
+  } catch {
+    await writeAuditLog('auth.passkey.login.failed', { ip, userId: user.id, reason: 'verification_error' })
+    throw createError({ statusCode: 401, statusMessage: 'Passkey-Login fehlgeschlagen' })
+  }
 
   if (!verification.verified) {
     await writeAuditLog('auth.passkey.login.failed', { ip, userId: user.id, reason: 'verification_failed' })
@@ -118,4 +124,3 @@ export default defineEventHandler(async (event) => {
   }
 })
 
-

server/api/auth/passkeys/recovery/complete.post.js

@@ -62,15 +62,21 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 400, statusMessage: 'Ungültiger oder abgelaufener Token' })
   }
 
-  const { origin, rpId, requireUV } = getWebAuthnConfig()
+  const { origins, rpId, requireUV } = getWebAuthnConfig()
 
-  const verification = await verifyRegistrationResponse({
-    response,
-    expectedChallenge: challenge,
-    expectedOrigin: origin,
-    expectedRPID: rpId,
-    requireUserVerification: requireUV
-  })
+  let verification
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge: challenge,
+      expectedOrigin: origins,
+      expectedRPID: rpId,
+      requireUserVerification: requireUV
+    })
+  } catch {
+    await writeAuditLog('auth.passkey.recovery.complete.failed', { ip, reason: 'verification_error', userId })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
+  }
 
   const { verified, registrationInfo } = verification
   if (!verified || !registrationInfo) {
@@ -117,4 +123,3 @@ export default defineEventHandler(async (event) => {
   await writeAuditLog('auth.passkey.recovery.complete.success', { ip, userId: user.id })
   return { success: true, message: 'Passkey hinzugefügt. Sie können sich jetzt mit dem neuen Passkey anmelden.' }
 })
-

server/api/auth/passkeys/register.post.js

@@ -37,17 +37,20 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
   }
 
-  const { origin, rpId, requireUV } = getWebAuthnConfig()
+  const { origins, rpId, requireUV } = getWebAuthnConfig()
 
   let verification
   try {
     verification = await verifyRegistrationResponse({
       response,
       expectedChallenge,
-      expectedOrigin: origin,
+      expectedOrigin: origins,
       expectedRPID: rpId,
       requireUserVerification: requireUV
     })
+  } catch {
+    await writeAuditLog('auth.passkey.registration.failed', { userId: user.id, reason: 'verification_error' })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
   } finally {
     clearRegistrationChallenge(user.id)
   }
@@ -103,4 +106,3 @@ export default defineEventHandler(async (event) => {
   return { success: true, message: 'Passkey hinzugefügt.' }
 })
 
-

server/api/auth/refresh.post.js

@@ -0,0 +1,47 @@
+import { generateAndroidAccessToken, getUserById, revokeRefreshSession, rotateRefreshSession } from '../../utils/auth.js'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const ip = getClientIp(event)
+  const body = await readBody(event)
+  const refreshToken = body?.refreshToken
+
+  if (!refreshToken) {
+    throw createError({ statusCode: 400, message: 'Refresh-Token fehlt' })
+  }
+
+  assertRateLimit(event, {
+    name: 'auth:refresh:ip',
+    keyParts: [ip],
+    windowMs: 10 * 60 * 1000,
+    maxAttempts: 60,
+    lockoutMs: 15 * 60 * 1000
+  })
+
+  const rotated = await rotateRefreshSession(refreshToken)
+  if (rotated.status !== 'rotated') {
+    await registerRateLimitFailure(event, { name: 'auth:refresh:ip', keyParts: [ip], delayBaseMs: 100 })
+    await writeAuditLog('auth.refresh.failed', { ip, reason: rotated.status })
+    throw createError({ statusCode: 401, message: 'Sitzung ist nicht mehr gültig' })
+  }
+
+  const user = await getUserById(rotated.session.userId)
+  if (!user || user.active === false) {
+    await revokeRefreshSession(rotated.refreshToken, 'inactive_or_missing_user')
+    await writeAuditLog('auth.refresh.failed', { ip, userId: rotated.session.userId, reason: 'inactive_or_missing_user' })
+    throw createError({ statusCode: 401, message: 'Sitzung ist nicht mehr gültig' })
+  }
+
+  const accessToken = generateAndroidAccessToken(user, rotated.session.id)
+  registerRateLimitSuccess(event, { name: 'auth:refresh:ip', keyParts: [ip] })
+  await writeAuditLog('auth.refresh.success', { ip, userId: user.id, sessionId: rotated.session.id })
+
+  return {
+    success: true,
+    token: accessToken,
+    accessToken,
+    refreshToken: rotated.refreshToken,
+    sessionId: rotated.session.id
+  }
+})

server/api/auth/register-passkey.post.js

@@ -96,7 +96,7 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 409, message: 'Ein Benutzer mit dieser E-Mail-Adresse existiert bereits' })
   }
 
-  const { origin, rpId, requireUV } = getWebAuthnConfig()
+  const { origin, origins, rpId, requireUV } = getWebAuthnConfig()
   
   // Debug: Prüfe die tatsächliche Origin aus der Response
   const clientData = response?.response?.clientDataJSON
@@ -117,13 +117,11 @@ export default defineEventHandler(async (event) => {
   }
   
   console.log('[DEBUG] WebAuthn config for verification', {
-    expectedOrigin: origin,
-    expectedOriginType: typeof origin,
-    expectedOriginLength: origin?.length,
+    expectedOrigins: origins,
     actualOriginFromResponse: actualOrigin,
     rpId,
     requireUV,
-    originMatch: origin === actualOrigin,
+    originMatch: origins.includes(actualOrigin),
     webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
     baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL
   })
@@ -140,7 +138,7 @@ export default defineEventHandler(async (event) => {
 
   console.log('[DEBUG] Verifying registration response...')
   console.log('[DEBUG] Verification parameters', {
-    expectedOrigin: origin,
+    expectedOrigins: origins,
     expectedRPID: rpId,
     hasChallenge: !!challenge,
     challengeLength: challenge?.length,
@@ -155,7 +153,7 @@ export default defineEventHandler(async (event) => {
     verification = await verifyRegistrationResponse({
       response,
       expectedChallenge: challenge,
-      expectedOrigin: origin,
+      expectedOrigin: origins,
       expectedRPID: rpId,
       requireUserVerification: requireUV
     })
@@ -165,11 +163,12 @@ export default defineEventHandler(async (event) => {
       error: verifyError,
       message: verifyError?.message,
       cause: verifyError?.cause?.message,
-      expectedOrigin: origin,
+      expectedOrigins: origins,
       actualOriginFromResponse: actualOrigin,
       stack: verifyError?.stack
     })
-    throw verifyError
+    await writeAuditLog('auth.passkey.prereg.failed', { email, reason: 'verification_error' })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
   }
 
   const verifyDuration = Date.now() - verifyStart
@@ -308,4 +307,3 @@ export default defineEventHandler(async (event) => {
     message: 'Registrierung erfolgreich. Sie erhalten eine E-Mail, sobald Ihr Zugang freigeschaltet wurde.'
   }
 })
-

server/api/auth/reset-password.post.js

@@ -1,77 +1,102 @@
-import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
+import { readUsers, hashPassword, writeUsers, revokeRefreshSessionsForUser } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
 import crypto from 'crypto'
 import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 import { writeAuditLog } from '../../utils/audit-log.js'
+import { maskResetEmail, normalizeResetEmail, writePasswordResetLog } from '../../utils/password-reset-log.js'
 
 export default defineEventHandler(async (event) => {
+  const requestId = crypto.randomUUID()
+  let emailKey = ''
+  let ip = ''
+
+  const logStep = async (step, status, detail = {}) => {
+    try {
+      await writePasswordResetLog({ requestId, email: emailKey, ip, step, status, ...detail })
+    } catch (logError) {
+      console.error('Password-Reset-Diagnoselog-Fehler:', logError)
+    }
+  }
+
   try {
     const body = await readBody(event)
     const { email } = body
 
-    if (!email) {
+    emailKey = normalizeResetEmail(email)
+    ip = getClientIp(event)
+    await logStep('request_received', 'started')
+
+    if (!emailKey) {
+      await logStep('request_validation', 'failed', { reason: 'email_missing' })
       throw createError({
         statusCode: 400,
         message: 'E-Mail-Adresse ist erforderlich'
       })
     }
 
-    const ip = getClientIp(event)
-    const emailKey = String(email || '').trim().toLowerCase()
-
     // Rate Limiting (IP + Account)
-    assertRateLimit(event, {
-      name: 'auth:reset:ip',
-      keyParts: [ip],
-      windowMs: 60 * 60 * 1000,
-      maxAttempts: 20,
-      lockoutMs: 30 * 60 * 1000
-    })
-    assertRateLimit(event, {
-      name: 'auth:reset:account',
-      keyParts: [emailKey],
-      windowMs: 60 * 60 * 1000,
-      maxAttempts: 5,
-      lockoutMs: 60 * 60 * 1000
-    })
+    await logStep('rate_limit', 'checking')
+    try {
+      assertRateLimit(event, {
+        name: 'auth:reset:ip',
+        keyParts: [ip],
+        windowMs: 60 * 60 * 1000,
+        maxAttempts: 20,
+        lockoutMs: 30 * 60 * 1000
+      })
+      assertRateLimit(event, {
+        name: 'auth:reset:account',
+        keyParts: [emailKey],
+        windowMs: 60 * 60 * 1000,
+        maxAttempts: 5,
+        lockoutMs: 60 * 60 * 1000
+      })
+    } catch (error) {
+      await logStep('rate_limit', 'failed', { error })
+      throw error
+    }
+    await logStep('rate_limit', 'passed')
 
     // Find user
-    const users = await readUsers()
-    const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
+    let users
+    try {
+      users = await readUsers()
+    } catch (error) {
+      await logStep('user_lookup', 'failed', { error })
+      throw error
+    }
+    const user = users.find(u => normalizeResetEmail(u.email) === emailKey)
 
     // Always return success (security: don't reveal if email exists)
     if (!user) {
+      await logStep('user_lookup', 'not_found')
       await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
       await registerRateLimitFailure(event, { name: 'auth:reset:account', keyParts: [emailKey] })
-      await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: false })
+      await writeAuditLog('auth.reset.request', { ip, emailMasked: maskResetEmail(emailKey), userFound: false, requestId })
+      await logStep('request_completed', 'no_account')
       return {
         success: true,
         message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
       }
     }
+    await logStep('user_lookup', 'found', { userId: user.id })
 
     // Generate temporary password
     const tempPassword = crypto.randomBytes(8).toString('hex')
     const hashedPassword = await hashPassword(tempPassword)
-
-    // Update user password
-    user.password = hashedPassword
-    user.passwordResetRequired = true
-    const updatedUsers = users.map(u => u.id === user.id ? user : u)
-    await writeUsers(updatedUsers)
-
-    registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
-    await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: true, userId: user.id })
+    await logStep('temporary_password', 'generated', { userId: user.id })
 
     // Send email with temporary password
     const smtpUser = process.env.SMTP_USER
     const smtpPass = process.env.SMTP_PASS
     
     if (!smtpUser || !smtpPass) {
+      await logStep('mail_configuration', 'failed', { userId: user.id, reason: 'smtp_credentials_missing' })
       console.warn('SMTP-Credentials fehlen! E-Mail-Versand wird übersprungen.')
       console.warn(`SMTP_USER=${smtpUser ? 'gesetzt' : 'FEHLT'}, SMTP_PASS=${smtpPass ? 'gesetzt' : 'FEHLT'}`)
-      // Continue without sending email - security: don't reveal if email exists
+      throw new Error('SMTP-Konfiguration fuer Passwort-Reset fehlt')
     } else {
+      await logStep('mail_configuration', 'passed', { userId: user.id })
       const transporter = nodemailer.createTransport({
         host: process.env.SMTP_HOST || 'smtp.gmail.com',
         port: process.env.SMTP_PORT || 587,
@@ -99,15 +124,50 @@ export default defineEventHandler(async (event) => {
         `
       }
 
-      await transporter.sendMail(mailOptions)
+      await logStep('mail_send', 'started', { userId: user.id })
+      try {
+        await transporter.sendMail(mailOptions)
+      } catch (error) {
+        await logStep('mail_send', 'failed', { userId: user.id, error })
+        throw error
+      }
+      await logStep('mail_send', 'completed', { userId: user.id })
     }
 
+    // Erst nach erfolgreichem Versand das zugesandte Passwort aktivieren.
+    user.password = hashedPassword
+    user.passwordResetRequired = true
+    const updatedUsers = users.map(u => u.id === user.id ? user : u)
+    let passwordStored = false
+    try {
+      passwordStored = await writeUsers(updatedUsers)
+    } catch (error) {
+      await logStep('password_storage', 'failed', { userId: user.id, error })
+      throw error
+    }
+    if (!passwordStored) {
+      await logStep('password_storage', 'failed', { userId: user.id, reason: 'write_failed' })
+      throw new Error('Passwort konnte nach E-Mail-Versand nicht gespeichert werden')
+    }
+    await logStep('password_storage', 'completed', { userId: user.id })
+    try {
+      await revokeRefreshSessionsForUser(user.id, 'password_reset')
+    } catch (error) {
+      await logStep('session_revocation', 'failed', { userId: user.id, error })
+      throw error
+    }
+    await logStep('session_revocation', 'completed', { userId: user.id })
+
+    registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+    await writeAuditLog('auth.reset.request', { ip, emailMasked: maskResetEmail(emailKey), userFound: true, userId: user.id, requestId })
+    await logStep('request_completed', 'success', { userId: user.id })
     return {
       success: true,
       message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
     }
   } catch (error) {
-    console.error('Password-Reset-Fehler:', error)
+    await logStep('request_completed', 'failed', { error })
+    console.error('Password-Reset-Fehler:', { requestId, code: error?.code || error?.name || 'Error' })
     // Don't reveal errors to prevent email enumeration
     return {
       success: true,
@@ -115,4 +175,3 @@ export default defineEventHandler(async (event) => {
     }
   }
 })
-