Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

server/api/auth/login.post.js

@@ -1,4 +1,7 @@
 import { readUsers, writeUsers, verifyPassword, generateToken, createSession, migrateUserRoles } from '../../utils/auth.js'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { getAuthCookieOptions } from '../../utils/cookies.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,11 +15,33 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+
+    // Rate Limiting (IP + Account)
+    assertRateLimit(event, {
+      name: 'auth:login:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'auth:login:account',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 10,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     // Find user
     const users = await readUsers()
     const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
 
     if (!user) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, reason: 'user_not_found' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
@@ -34,18 +59,27 @@ export default defineEventHandler(async (event) => {
     // Verify password
     const isValid = await verifyPassword(password, user.password)
     if (!isValid) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, userId: user.id, reason: 'bad_password' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
       })
     }
 
+    // Erfolg: Limiter zurücksetzen
+    registerRateLimitSuccess(event, { name: 'auth:login:ip', keyParts: [ip] })
+    registerRateLimitSuccess(event, { name: 'auth:login:account', keyParts: [emailKey] })
+
     // Generate token
     const token = generateToken(user)
 
     // Create session
     await createSession(user.id, token)
 
+    await writeAuditLog('auth.login.success', { ip, email: emailKey, userId: user.id })
+
     // Update last login
     user.lastLogin = new Date().toISOString()
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
@@ -53,10 +87,7 @@ export default defineEventHandler(async (event) => {
 
     // Set cookie
     setCookie(event, 'auth_token', token, {
-      httpOnly: true,
-      secure: false, // Auch in Production false, da wir HTTPS über Apache terminieren
-      sameSite: 'lax',
-      maxAge: 60 * 60 * 24 * 7 // 7 days
+      ...getAuthCookieOptions()
     })
 
     // Migriere Rollen falls nötig

server/api/auth/passkeys/authentication-options.post.js

@@ -0,0 +1,19 @@
+import { generateAuthenticationOptions } from '@simplewebauthn/server'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { setAuthChallenge } from '../../../utils/webauthn-challenges.js'
+
+export default defineEventHandler(async (_event) => {
+  const { rpId } = getWebAuthnConfig()
+
+  // Username-less / discoverable credentials: allowCredentials absichtlich leer
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    userVerification: 'preferred'
+  })
+
+  setAuthChallenge(options.challenge)
+
+  return { success: true, options }
+})
+
+

server/api/auth/passkeys/list.get.js

@@ -0,0 +1,27 @@
+import { getUserFromToken } from '../../../utils/auth.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const passkeys = Array.isArray(user.passkeys) ? user.passkeys : []
+
+  return {
+    success: true,
+    passkeys: passkeys.map(pk => ({
+      id: pk.id,
+      name: pk.name || 'Passkey',
+      credentialId: pk.credentialId,
+      createdAt: pk.createdAt || null,
+      lastUsedAt: pk.lastUsedAt || null,
+      deviceType: pk.deviceType || null,
+      backedUp: pk.backedUp ?? null
+    }))
+  }
+})
+
+

server/api/auth/passkeys/login.post.js

@@ -0,0 +1,100 @@
+import { verifyAuthenticationResponse } from '@simplewebauthn/server'
+import { createSession, generateToken, migrateUserRoles, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { consumeAuthChallenge } from '../../../utils/webauthn-challenges.js'
+import { fromBase64Url, parseClientDataJSON } from '../../../utils/webauthn-encoding.js'
+import { getAuthCookieOptions } from '../../../utils/cookies.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+import { getClientIp } from '../../../utils/rate-limit.js'
+
+function findUserByCredentialId(users, credentialId) {
+  const cid = String(credentialId || '')
+  for (const u of users) {
+    const pks = Array.isArray(u.passkeys) ? u.passkeys : []
+    const match = pks.find(pk => pk && pk.credentialId === cid)
+    if (match) return { user: u, passkey: match }
+  }
+  return { user: null, passkey: null }
+}
+
+export default defineEventHandler(async (event) => {
+  const ip = getClientIp(event)
+  const body = await readBody(event)
+  const response = body?.credential
+  if (!response) {
+    throw createError({ statusCode: 400, statusMessage: 'Credential fehlt' })
+  }
+
+  // Challenge aus clientDataJSON holen
+  const clientData = parseClientDataJSON(response.response?.clientDataJSON)
+  const challenge = clientData?.challenge
+  if (!challenge) {
+    throw createError({ statusCode: 400, statusMessage: 'Ungültige Passkey-Antwort (Challenge fehlt)' })
+  }
+
+  if (!consumeAuthChallenge(challenge)) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, reason: 'unknown_or_expired_challenge' })
+    throw createError({ statusCode: 400, statusMessage: 'Login-Session abgelaufen. Bitte erneut versuchen.' })
+  }
+
+  const users = await readUsers()
+  const { user, passkey } = findUserByCredentialId(users, response.id)
+  if (!user || !passkey) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, reason: 'credential_not_found' })
+    throw createError({ statusCode: 401, statusMessage: 'Passkey unbekannt' })
+  }
+
+  const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  const authenticator = {
+    credentialID: fromBase64Url(passkey.credentialId),
+    credentialPublicKey: fromBase64Url(passkey.publicKey),
+    counter: Number(passkey.counter) || 0,
+    transports: passkey.transports || undefined
+  }
+
+  const verification = await verifyAuthenticationResponse({
+    response,
+    expectedChallenge: challenge,
+    expectedOrigin: origin,
+    expectedRPID: rpId,
+    authenticator,
+    requireUserVerification: requireUV
+  })
+
+  if (!verification.verified) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, userId: user.id, reason: 'verification_failed' })
+    throw createError({ statusCode: 401, statusMessage: 'Passkey-Login fehlgeschlagen' })
+  }
+
+  // Counter/lastUsed aktualisieren
+  passkey.counter = verification.authenticationInfo?.newCounter ?? passkey.counter
+  passkey.lastUsedAt = new Date().toISOString()
+  await writeUsers(users)
+
+  const token = generateToken(user)
+  await createSession(user.id, token)
+
+  setCookie(event, 'auth_token', token, { ...getAuthCookieOptions() })
+
+  await writeAuditLog('auth.passkey.login.success', { ip, userId: user.id })
+
+  const migratedUser = migrateUserRoles({ ...user })
+  const roles = Array.isArray(migratedUser.roles)
+    ? migratedUser.roles
+    : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
+
+  return {
+    success: true,
+    token,
+    user: {
+      id: user.id,
+      email: user.email,
+      name: user.name,
+      roles
+    },
+    role: roles[0] || 'mitglied'
+  }
+})
+
+

server/api/auth/passkeys/register.post.js

@@ -0,0 +1,93 @@
+import { verifyRegistrationResponse } from '@simplewebauthn/server'
+import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { clearRegistrationChallenge, getRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
+import { toBase64Url } from '../../../utils/webauthn-encoding.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const body = await readBody(event)
+  const response = body?.credential
+  if (!response) {
+    throw createError({ statusCode: 400, statusMessage: 'Credential fehlt' })
+  }
+
+  const expectedChallenge = getRegistrationChallenge(user.id)
+  if (!expectedChallenge) {
+    throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
+  }
+
+  const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  let verification
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge,
+      expectedOrigin: origin,
+      expectedRPID: rpId,
+      requireUserVerification: requireUV
+    })
+  } finally {
+    clearRegistrationChallenge(user.id)
+  }
+
+  const { verified, registrationInfo } = verification
+  if (!verified || !registrationInfo) {
+    await writeAuditLog('auth.passkey.registration.failed', { userId: user.id })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
+  }
+
+  const {
+    credentialID,
+    credentialPublicKey,
+    counter,
+    credentialDeviceType,
+    credentialBackedUp
+  } = registrationInfo
+
+  const credentialId = toBase64Url(credentialID)
+  const publicKey = toBase64Url(credentialPublicKey)
+
+  const users = await readUsers()
+  const idx = users.findIndex(u => u.id === user.id)
+  if (idx === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Benutzer nicht gefunden' })
+  }
+
+  const u = users[idx]
+  if (!Array.isArray(u.passkeys)) u.passkeys = []
+
+  // Duplikate verhindern
+  if (u.passkeys.some(pk => pk.credentialId === credentialId)) {
+    return { success: true, message: 'Passkey ist bereits registriert.' }
+  }
+
+  u.passkeys.push({
+    id: `${Date.now()}`,
+    credentialId,
+    publicKey,
+    counter: Number(counter) || 0,
+    transports: Array.isArray(response.transports) ? response.transports : undefined,
+    deviceType: credentialDeviceType,
+    backedUp: !!credentialBackedUp,
+    createdAt: new Date().toISOString(),
+    lastUsedAt: null,
+    name: body?.name ? String(body.name).slice(0, 80) : 'Passkey'
+  })
+
+  users[idx] = u
+  await writeUsers(users)
+
+  await writeAuditLog('auth.passkey.registered', { userId: user.id })
+  return { success: true, message: 'Passkey hinzugefügt.' }
+})
+
+

server/api/auth/passkeys/registration-options.post.js

@@ -0,0 +1,51 @@
+import { generateRegistrationOptions } from '@simplewebauthn/server'
+import { getUserFromToken, hasAnyRole } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { setRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  // Mindestens für Admin/Vorstand anbieten (und auch für Mitglieder ok)
+  if (!hasAnyRole(user, 'admin', 'vorstand', 'mitglied', 'newsletter')) {
+    throw createError({ statusCode: 403, statusMessage: 'Keine Berechtigung' })
+  }
+
+  const { rpId, rpName } = getWebAuthnConfig()
+
+  const existing = Array.isArray(user.passkeys) ? user.passkeys : []
+  const excludeCredentials = existing
+    .filter(pk => pk && pk.credentialId)
+    .map(pk => ({
+      id: pk.credentialId,
+      type: 'public-key',
+      transports: pk.transports || undefined
+    }))
+
+  const options = await generateRegistrationOptions({
+    rpName,
+    rpID: rpId,
+    userID: String(user.id),
+    userName: user.email,
+    // Keine Attestation-Daten speichern
+    attestationType: 'none',
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred'
+    },
+    excludeCredentials
+  })
+
+  setRegistrationChallenge(user.id, options.challenge)
+  await writeAuditLog('auth.passkey.registration.options', { userId: user.id })
+
+  return { success: true, options }
+})
+
+

server/api/auth/passkeys/remove.post.js

@@ -0,0 +1,39 @@
+import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const currentUser = token ? await getUserFromToken(token) : null
+
+  if (!currentUser) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const body = await readBody(event)
+  const credentialId = String(body?.credentialId || '')
+  if (!credentialId) {
+    throw createError({ statusCode: 400, statusMessage: 'credentialId fehlt' })
+  }
+
+  const users = await readUsers()
+  const idx = users.findIndex(u => u.id === currentUser.id)
+  if (idx === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Benutzer nicht gefunden' })
+  }
+
+  const user = users[idx]
+  const before = Array.isArray(user.passkeys) ? user.passkeys.length : 0
+  user.passkeys = (Array.isArray(user.passkeys) ? user.passkeys : []).filter(pk => pk.credentialId !== credentialId)
+  const after = user.passkeys.length
+  users[idx] = user
+  await writeUsers(users)
+
+  await writeAuditLog('auth.passkey.removed', { userId: currentUser.id })
+
+  return {
+    success: true,
+    removed: before !== after
+  }
+})
+
+

server/api/auth/register.post.js

@@ -1,5 +1,6 @@
 import { readUsers, writeUsers, hashPassword } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
+import { assertPasswordNotPwned } from '../../utils/hibp.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -21,6 +22,9 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Optional: Passwort gegen HIBP (k-Anonymity) prüfen
+    await assertPasswordNotPwned(password)
+
     // Check if user already exists
     const users = await readUsers()
     const existingUser = users.find(u => u.email.toLowerCase() === email.toLowerCase())

server/api/auth/reset-password.post.js

@@ -1,6 +1,8 @@
 import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
 import crypto from 'crypto'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -14,12 +16,34 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+
+    // Rate Limiting (IP + Account)
+    assertRateLimit(event, {
+      name: 'auth:reset:ip',
+      keyParts: [ip],
+      windowMs: 60 * 60 * 1000,
+      maxAttempts: 20,
+      lockoutMs: 30 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'auth:reset:account',
+      keyParts: [emailKey],
+      windowMs: 60 * 60 * 1000,
+      maxAttempts: 5,
+      lockoutMs: 60 * 60 * 1000
+    })
+
     // Find user
     const users = await readUsers()
     const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
 
     // Always return success (security: don't reveal if email exists)
     if (!user) {
+      await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: false })
       return {
         success: true,
         message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
@@ -36,6 +60,9 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
     await writeUsers(updatedUsers)
 
+    registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+    await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: true, userId: user.id })
+
     // Send email with temporary password
     const smtpUser = process.env.SMTP_USER
     const smtpPass = process.env.SMTP_PASS

server/api/cms/satzung-upload.post.js

@@ -4,6 +4,7 @@ import path from 'path'
 import { exec } from 'child_process'
 import { promisify } from 'util'
 import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { assertPdfMagicHeader } from '../../utils/upload-validation.js'
 
 const execAsync = promisify(exec)
 
@@ -74,6 +75,8 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
+    await fs.mkdir(path.join(process.cwd(), 'public', 'documents'), { recursive: true })
+
     // Multer-Middleware für File-Upload
     await new Promise((resolve, reject) => {
       upload.single('pdf')(event.node.req, event.node.res, (err) => {
@@ -90,6 +93,9 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Zusätzliche Validierung: Magic-Bytes prüfen (mimetype kann gespooft sein)
+    await assertPdfMagicHeader(file.path)
+
     // PDF-Text extrahieren mit pdftotext (falls verfügbar) oder Fallback
     let extractedText = ''
     

server/api/cms/upload-spielplan-pdf.post.js

@@ -2,6 +2,7 @@ import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
 import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { assertPdfMagicHeader } from '../../utils/upload-validation.js'
 
 // Multer-Konfiguration für PDF-Uploads
 const storage = multer.diskStorage({
@@ -10,8 +11,10 @@ const storage = multer.diskStorage({
     cb(null, uploadPath)
   },
   filename: (req, file, cb) => {
-    const type = req.body.type
-    const filename = `spielplan_${type}.pdf`
+    // WICHTIG: Validieren, bevor der Dateiname gebaut wird (sonst Pfad-/Filename-Injection möglich)
+    const type = String(req.body?.type || '').trim()
+    const safeType = ['gesamt', 'erwachsene', 'nachwuchs'].includes(type) ? type : 'invalid'
+    const filename = `spielplan_${safeType}.pdf`
     cb(null, filename)
   }
 })
@@ -85,6 +88,8 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    await assertPdfMagicHeader(file.path)
+
     if (!type || !['gesamt', 'erwachsene', 'nachwuchs'].includes(type)) {
       // Lösche die hochgeladene Datei
       await fs.unlink(file.path)

server/api/cms/users/approve.post.js

@@ -1,5 +1,6 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
 import nodemailer from 'nodemailer'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -41,6 +42,12 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.approved', {
+      actorUserId: currentUser.id,
+      targetUserId: userId,
+      roles: user.roles
+    })
+
     // Send approval email
     try {
       const smtpUser = process.env.SMTP_USER

server/api/cms/users/deactivate.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -36,6 +37,11 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.deactivated', {
+      actorUserId: currentUser.id,
+      targetUserId: userId
+    })
+
     return {
       success: true,
       message: 'Benutzer wurde deaktiviert'

server/api/cms/users/reject.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -20,6 +21,11 @@ export default defineEventHandler(async (event) => {
     
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.rejected', {
+      actorUserId: currentUser.id,
+      targetUserId: userId
+    })
+
     return {
       success: true,
       message: 'Registrierung wurde abgelehnt und gelöscht'

server/api/cms/users/update-role.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -39,10 +40,18 @@ export default defineEventHandler(async (event) => {
     migrateUserRoles(user)
     
     // Setze Rollen
+    const oldRoles = Array.isArray(user.roles) ? [...user.roles] : []
     user.roles = rolesArray
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.roles.updated', {
+      actorUserId: currentUser.id,
+      targetUserId: userId,
+      oldRoles,
+      newRoles: rolesArray
+    })
+
     return {
       success: true,
       message: 'Rolle wurde aktualisiert'

server/api/galerie/upload.post.js

@@ -4,6 +4,7 @@ import path from 'path'
 import sharp from 'sharp'
 import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'
+import { clamp } from '../../utils/upload-validation.js'
 
 // Handle both dev and production paths
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
@@ -155,10 +156,36 @@ export default defineEventHandler(async (event) => {
     const filename = `${titleSlug}_${randomUUID().substring(0, 8)}${ext}`
     const previewFilename = `preview_${filename}`
 
-    // Verschiebe die Datei zum neuen Namen
+    // Originalbild verarbeiten: re-encode (EXIF entfernen) + Pixel/DIM-Limit
     // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     const originalPath = path.join(GALERIE_DIR, 'originals', filename)
-    await fs.rename(file.path, originalPath)
+
+    const maxPixels = Number(process.env.IMAGE_MAX_PIXELS || 20_000_000) // 20MP
+    const maxDim = Number(process.env.IMAGE_MAX_DIM || 4000) // px
+
+    const meta = await sharp(file.path).metadata()
+    const w = meta.width || 0
+    const h = meta.height || 0
+
+    let pipeline = sharp(file.path).rotate()
+
+    if (w > 0 && h > 0) {
+      const pixels = w * h
+      if (pixels > maxPixels) {
+        const scale = Math.sqrt(maxPixels / pixels)
+        const nw = clamp(Math.floor(w * scale), 1, maxDim)
+        const nh = clamp(Math.floor(h * scale), 1, maxDim)
+        pipeline = pipeline.resize(nw, nh, { fit: 'inside', withoutEnlargement: true })
+      } else if (w > maxDim || h > maxDim) {
+        pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+      }
+    } else {
+      pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+    }
+
+    await pipeline.toFile(originalPath)
+    // Temp-Datei löschen
+    await fs.unlink(file.path).catch(() => {})
     
     // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     const previewPath = path.join(GALERIE_DIR, 'previews', previewFilename)

server/api/membership/generate-pdf.post.js

@@ -4,6 +4,7 @@ import { promisify } from 'util'
 import fs from 'fs/promises'
 import path from 'path'
 import { StandardFonts } from 'pdf-lib'
+import { getDownloadCookieOptionsWithMaxAge } from '../../utils/cookies.js'
 
 // const require = createRequire(import.meta.url) // Nicht verwendet
 const execAsync = promisify(exec)
@@ -702,10 +703,7 @@ export default defineEventHandler(async (event) => {
         // Download-Token setzen
         const downloadToken = Buffer.from(`${filename}:${Date.now()}`).toString('base64')
         setCookie(event, 'download_token', downloadToken, {
-          httpOnly: true,
-          secure: process.env.NODE_ENV === 'production',
-          sameSite: 'strict',
-          maxAge: 60 * 60 * 24 // 24 Stunden
+          ...getDownloadCookieOptionsWithMaxAge(60 * 60 * 24)
         })
 
         return {
@@ -775,10 +773,7 @@ export default defineEventHandler(async (event) => {
       // Download-Berechtigung für den Antragsteller setzen
       const downloadToken = Buffer.from(`${filename}:${Date.now()}`).toString('base64')
       setCookie(event, 'download_token', downloadToken, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === 'production',
-        sameSite: 'strict',
-        maxAge: 60 * 60 * 24 // 24 Stunden
+        ...getDownloadCookieOptionsWithMaxAge(60 * 60 * 24)
       })
       
       return {

server/api/newsletter/check-subscription.get.js

@@ -1,4 +1,5 @@
 import { readSubscribers } from '../../utils/newsletter.js'
+import { assertRateLimit, getClientIp } from '../../utils/rate-limit.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,6 +13,23 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+    assertRateLimit(event, {
+      name: 'newsletter:check:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 60,
+      lockoutMs: 10 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:check:email',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 10 * 60 * 1000
+    })
+
     const subscribers = await readSubscribers()
     const emailLower = email.toLowerCase()
     

server/api/newsletter/subscribe.post.js

@@ -4,6 +4,7 @@ import nodemailer from 'nodemailer'
 import crypto from 'crypto'
 import fs from 'fs/promises'
 import path from 'path'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 // filename is always a hardcoded constant (e.g., 'newsletter-subscribers.json'), never user input
@@ -43,6 +44,23 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+    assertRateLimit(event, {
+      name: 'newsletter:subscribe:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:subscribe:email',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 8,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     if (!groupId) {
       throw createError({
         statusCode: 400,
@@ -79,6 +97,8 @@ export default defineEventHandler(async (event) => {
     
     if (existing) {
       if (existing.confirmed) {
+        await registerRateLimitFailure(event, { name: 'newsletter:subscribe:ip', keyParts: [ip] })
+        await registerRateLimitFailure(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         throw createError({
           statusCode: 409,
           statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
@@ -86,6 +106,7 @@ export default defineEventHandler(async (event) => {
       } else {
         // Bestätigungsmail erneut senden
         await sendConfirmationEmail(existing.email, existing.name || name, existing.confirmationToken, group.name)
+        registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         return {
           success: true,
           message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
@@ -105,6 +126,8 @@ export default defineEventHandler(async (event) => {
       if (existingEmail.groupIds.includes(groupId)) {
         // Bereits für diese Gruppe angemeldet
         if (existingEmail.confirmed) {
+          await registerRateLimitFailure(event, { name: 'newsletter:subscribe:ip', keyParts: [ip] })
+          await registerRateLimitFailure(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
           throw createError({
             statusCode: 409,
             statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
@@ -112,6 +135,7 @@ export default defineEventHandler(async (event) => {
         } else {
           // Bestätigungsmail erneut senden
           await sendConfirmationEmail(existingEmail.email, existingEmail.name || name, existingEmail.confirmationToken, group.name)
+          registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
           return {
             success: true,
             message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
@@ -131,6 +155,7 @@ export default defineEventHandler(async (event) => {
       
       if (existingEmail.confirmed) {
         // Bereits bestätigt - sofort aktiviert
+        registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         return {
           success: true,
           message: `Sie wurden erfolgreich für den Newsletter "${group.name}" angemeldet`
@@ -138,6 +163,7 @@ export default defineEventHandler(async (event) => {
       } else {
         // Bestätigungsmail senden
         await sendConfirmationEmail(existingEmail.email, existingEmail.name, existingEmail.confirmationToken, group.name)
+        registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         return {
           success: true,
           message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'
@@ -167,6 +193,7 @@ export default defineEventHandler(async (event) => {
     // Bestätigungsmail senden
     await sendConfirmationEmail(email, name, confirmationToken, group.name)
 
+    registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
     return {
       success: true,
       message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'

server/api/newsletter/unsubscribe-by-email.post.js

@@ -1,6 +1,7 @@
 import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
 import fs from 'fs/promises'
 import path from 'path'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 // filename is always a hardcoded constant (e.g., 'newsletter-subscribers.json'), never user input
@@ -40,6 +41,23 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe:email',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 8,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     if (!groupId) {
       throw createError({
         statusCode: 400,
@@ -75,6 +93,8 @@ export default defineEventHandler(async (event) => {
 
     if (!subscriber) {
       // Nicht gefunden - aber trotzdem Erfolg zurückgeben (keine Information preisgeben)
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
       return {
         success: true,
         message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
@@ -89,6 +109,8 @@ export default defineEventHandler(async (event) => {
     // Prüfe ob für diese Gruppe angemeldet
     if (!subscriber.groupIds.includes(groupId)) {
       // Nicht für diese Gruppe angemeldet - aber trotzdem Erfolg zurückgeben
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
       return {
         success: true,
         message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
@@ -107,6 +129,7 @@ export default defineEventHandler(async (event) => {
 
     await writeSubscribers(subscribers)
 
+    registerRateLimitSuccess(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
     return {
       success: true,
       message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'

server/api/newsletter/unsubscribe.get.js

@@ -1,4 +1,5 @@
 import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,10 +13,28 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const tokenKey = String(token || '').trim()
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe-token:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 60,
+      lockoutMs: 10 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe-token:token',
+      keyParts: [tokenKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 10,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     const subscribers = await readSubscribers()
     const subscriber = subscribers.find(s => s.unsubscribeToken === token)
 
     if (!subscriber) {
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe-token:token', keyParts: [tokenKey] })
       throw createError({
         statusCode: 404,
         statusMessage: 'Ungültiger Abmeldetoken'
@@ -40,6 +59,7 @@ export default defineEventHandler(async (event) => {
 
     await writeSubscribers(subscribers)
 
+    registerRateLimitSuccess(event, { name: 'newsletter:unsubscribe-token:token', keyParts: [tokenKey] })
     // Weiterleitung zur Abmelde-Bestätigungsseite
     return sendRedirect(event, '/newsletter/unsubscribed')
   } catch (error) {

server/api/personen/upload.post.js

@@ -4,6 +4,7 @@ import path from 'path'
 import sharp from 'sharp'
 import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'
+import { clamp } from '../../utils/upload-validation.js'
 
 // Handle both dev and production paths
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
@@ -125,9 +126,33 @@ export default defineEventHandler(async (event) => {
     const newPath = path.join(PERSONEN_DIR, sanitizedFilename)
 
     // Bild verarbeiten: EXIF-Orientierung korrigieren
-    await sharp(originalPath)
-      .rotate()
-      .toFile(newPath)
+    const maxPixels = Number(process.env.IMAGE_MAX_PIXELS || 20_000_000) // 20MP
+    const maxDim = Number(process.env.IMAGE_MAX_DIM || 2500) // px
+
+    const meta = await sharp(originalPath).metadata()
+    const w = meta.width || 0
+    const h = meta.height || 0
+
+    let pipeline = sharp(originalPath).rotate()
+
+    if (w > 0 && h > 0) {
+      const pixels = w * h
+      // Falls extrem groß: auf maxPixels runter skalieren
+      if (pixels > maxPixels) {
+        const scale = Math.sqrt(maxPixels / pixels)
+        const nw = clamp(Math.floor(w * scale), 1, maxDim)
+        const nh = clamp(Math.floor(h * scale), 1, maxDim)
+        pipeline = pipeline.resize(nw, nh, { fit: 'inside', withoutEnlargement: true })
+      } else if (w > maxDim || h > maxDim) {
+        pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+      }
+    } else {
+      // Unbekannte Dimensionen: dennoch hartes Größenlimit
+      pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+    }
+
+    // toFile re-encodiert => EXIF/Metadata wird entfernt (sofern nicht withMetadata() genutzt wird)
+    await pipeline.toFile(newPath)
 
     // Temporäre Datei löschen
     await fs.unlink(originalPath).catch(() => {

server/api/profile.put.js

@@ -1,4 +1,5 @@
 import { verifyToken, readUsers, writeUsers, verifyPassword, hashPassword, migrateUserRoles } from '../utils/auth.js'
+import { assertPasswordNotPwned } from '../utils/hibp.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -75,6 +76,7 @@ export default defineEventHandler(async (event) => {
         })
       }
 
+      await assertPasswordNotPwned(newPassword)
       user.password = await hashPassword(newPassword)
     }
 

server/api/spielplan/pdf.get.js

@@ -394,10 +394,10 @@ ${hallenListe.map(halle => {
       setHeader(event, 'Content-Disposition', `attachment; filename="spielplan_${team}.pdf"`)
       setHeader(event, 'Content-Length', pdfBuffer.length.toString())
       
-      // Füge Sicherheits-Header hinzu
+      // Füge Sicherheits-Header hinzu (global auch via server/middleware/security-headers.js)
       setHeader(event, 'X-Content-Type-Options', 'nosniff')
-      setHeader(event, 'X-Frame-Options', 'DENY')
-      setHeader(event, 'X-XSS-Protection', '1; mode=block')
+      setHeader(event, 'X-Frame-Options', 'SAMEORIGIN')
+      setHeader(event, 'X-XSS-Protection', '0')
       setHeader(event, 'Cache-Control', 'no-cache, no-store, must-revalidate')
       setHeader(event, 'Pragma', 'no-cache')
       setHeader(event, 'Expires', '0')

server/middleware/security-headers.js

@@ -0,0 +1,50 @@
+/**
+ * Globale Security-Header für Nitro (Nuxt 3).
+ *
+ * Apache setzt ggf. bereits Header – diese Middleware dient als "Default",
+ * damit die App auch ohne Reverse-Proxy sauber gehärtet ist.
+ *
+ * CSP ist optional und sollte zuerst im Report-Only Modus getestet werden.
+ * Siehe ENV:
+ * - CSP_ENABLED=true|false
+ * - CSP_REPORT_ONLY=true|false
+ * - CSP_VALUE="..."
+ */
+
+export default defineEventHandler((event) => {
+  // Grundsätzlich sinnvolle Header
+  setHeader(event, 'X-Content-Type-Options', 'nosniff')
+  setHeader(event, 'Referrer-Policy', 'strict-origin-when-cross-origin')
+  setHeader(event, 'Permissions-Policy', 'geolocation=(), microphone=(), camera=()')
+
+  // X-Frame-Options: SAMEORIGIN (DENY wäre strenger, verhindert aber iFrames komplett)
+  setHeader(event, 'X-Frame-Options', 'SAMEORIGIN')
+
+  // Legacy-Header (optional; moderne Browser verlassen sich primär auf CSP)
+  setHeader(event, 'X-XSS-Protection', '0')
+
+  // Optional: CSP
+  const cspEnabled = (process.env.CSP_ENABLED || '').toLowerCase() === 'true'
+  if (cspEnabled) {
+    const reportOnly = (process.env.CSP_REPORT_ONLY || 'true').toLowerCase() !== 'false'
+    const cspValue =
+      process.env.CSP_VALUE ||
+      [
+        "default-src 'self'",
+        "base-uri 'self'",
+        "object-src 'none'",
+        "frame-ancestors 'self'",
+        // Nuxt lädt Fonts ggf. von Google (siehe nuxt.config.js)
+        "font-src 'self' https://fonts.gstatic.com data:",
+        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+        // Script: Nuxt kann in Dev eval nutzen; diese CSP ist primär für Produktion gedacht.
+        "script-src 'self'",
+        "img-src 'self' data: blob:",
+        "connect-src 'self'"
+      ].join('; ')
+
+    setHeader(event, reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy', cspValue)
+  }
+})
+
+

server/utils/audit-log.js

@@ -0,0 +1,35 @@
+import fs from 'fs/promises'
+import path from 'path'
+
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    // nosemgrep
+    return path.join(cwd, '../server/data', filename)
+  }
+  // nosemgrep
+  return path.join(cwd, 'server/data', filename)
+}
+
+const AUDIT_LOG_FILE = getDataPath('audit.log.jsonl')
+
+function safeStr(v, max = 500) {
+  return String(v == null ? '' : v).slice(0, max)
+}
+
+export async function writeAuditLog(eventType, data = {}) {
+  const enabled = (process.env.AUDIT_LOG_ENABLED || 'true').toLowerCase() !== 'false'
+  if (!enabled) return
+
+  const entry = {
+    ts: new Date().toISOString(),
+    type: safeStr(eventType, 100),
+    data
+  }
+
+  await fs.mkdir(path.dirname(AUDIT_LOG_FILE), { recursive: true })
+  await fs.appendFile(AUDIT_LOG_FILE, JSON.stringify(entry) + '\n', 'utf-8')
+}
+
+

server/utils/auth.js

@@ -117,7 +117,7 @@ export async function readUsers() {
     }
     
     return users
-  } catch (_error) {
+  } catch (error) {
     if (error.code === 'ENOENT') {
       return []
     }
@@ -133,7 +133,7 @@ export async function writeUsers(users) {
     const encryptedData = encryptObject(users, encryptionKey)
     await fs.writeFile(USERS_FILE, encryptedData, 'utf-8')
     return true
-  } catch (_error) {
+  } catch (error) {
     console.error('Fehler beim Schreiben der Benutzerdaten:', error)
     return false
   }
@@ -183,7 +183,7 @@ export async function readSessions() {
       await writeSessions(sessions)
       return sessions
     }
-  } catch (_error) {
+  } catch (error) {
     if (error.code === 'ENOENT') {
       return []
     }
@@ -199,7 +199,7 @@ export async function writeSessions(sessions) {
     const encryptedData = encryptObject(sessions, encryptionKey)
     await fs.writeFile(SESSIONS_FILE, encryptedData, 'utf-8')
     return true
-  } catch (_error) {
+  } catch (error) {
     console.error('Fehler beim Schreiben der Sessions:', error)
     return false
   }

server/utils/cookies.js

@@ -0,0 +1,46 @@
+function isProduction() {
+  return process.env.NODE_ENV === 'production'
+}
+
+export function getCookieSecureDefault() {
+  // In Produktion: immer Secure (auch wenn HTTPS via Apache terminiert).
+  // In Dev: default false, damit Login über http://localhost funktioniert.
+  if (process.env.COOKIE_SECURE === 'true') return true
+  if (process.env.COOKIE_SECURE === 'false') return false
+  return isProduction()
+}
+
+export function getSameSiteDefault() {
+  // Erwartung aus Security-Feedback: Strict. In Dev ggf. Lax, damit SSO/Flows nicht nerven.
+  const v = (process.env.COOKIE_SAMESITE || '').toLowerCase().trim()
+  if (v === 'strict' || v === 'lax' || v === 'none') return v
+  return isProduction() ? 'strict' : 'lax'
+}
+
+export function getAuthCookieOptions() {
+  return {
+    httpOnly: true,
+    secure: getCookieSecureDefault(),
+    sameSite: getSameSiteDefault(),
+    maxAge: 60 * 60 * 24 * 7 // 7 days
+  }
+}
+
+export function getDownloadCookieOptions() {
+  // Download-Token ist kurzlebig; SameSite strict ist ok.
+  return {
+    httpOnly: true,
+    secure: getCookieSecureDefault(),
+    sameSite: 'strict',
+    maxAge: 60 * 60 * 24 // 24 Stunden
+  }
+}
+
+export function getDownloadCookieOptionsWithMaxAge(maxAgeSeconds) {
+  return {
+    ...getDownloadCookieOptions(),
+    maxAge: Number(maxAgeSeconds) || getDownloadCookieOptions().maxAge
+  }
+}
+
+

server/utils/encryption.js

@@ -1,9 +1,16 @@
 import crypto from 'crypto'
 
 // Verschlüsselungskonfiguration
-const ALGORITHM = 'aes-256-cbc'
-const IV_LENGTH = 16
+// v1 (legacy): aes-256-cbc (ohne Authentizitätsschutz)
+const LEGACY_ALGORITHM = 'aes-256-cbc'
+const LEGACY_IV_LENGTH = 16
+
+// v2 (default): aes-256-gcm (AEAD, state-of-the-art)
+const ALGORITHM = 'aes-256-gcm'
+const IV_LENGTH = 12
+const AUTH_TAG_LENGTH = 16
 const SALT_LENGTH = 32
+const VERSION_PREFIX = 'v2:'
 
 /**
  * Generiert einen Schlüssel aus einem Passwort und Salt
@@ -12,35 +19,87 @@ function deriveKey(password, salt) {
   return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha512')
 }
 
+function encryptV2GCM(text, password) {
+  // Salt generieren
+  const salt = crypto.randomBytes(SALT_LENGTH)
+
+  // Schlüssel ableiten
+  const key = deriveKey(password, salt)
+
+  // IV generieren (12 bytes ist Best Practice für GCM)
+  const iv = crypto.randomBytes(IV_LENGTH)
+
+  // Cipher erstellen
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+
+  // Verschlüsseln
+  const encrypted = Buffer.concat([
+    cipher.update(text, 'utf8'),
+    cipher.final()
+  ])
+
+  // Auth-Tag holen
+  const tag = cipher.getAuthTag()
+
+  // Salt + IV + Tag + Ciphertext kombinieren
+  const combined = Buffer.concat([salt, iv, tag, encrypted])
+
+  return `${VERSION_PREFIX}${combined.toString('base64')}`
+}
+
+function decryptLegacyCBC(encryptedData, password) {
+  // Base64 dekodieren
+  const combined = Buffer.from(encryptedData, 'base64')
+
+  // Komponenten extrahieren (v1: salt(32) + iv(16) + ciphertext)
+  const salt = combined.subarray(0, SALT_LENGTH)
+  const iv = combined.subarray(SALT_LENGTH, SALT_LENGTH + LEGACY_IV_LENGTH)
+  const encrypted = combined.subarray(SALT_LENGTH + LEGACY_IV_LENGTH)
+
+  // Schlüssel ableiten
+  const key = deriveKey(password, salt)
+
+  // Decipher erstellen
+  const decipher = crypto.createDecipheriv(LEGACY_ALGORITHM, key, iv)
+
+  // Entschlüsseln
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ])
+
+  return decrypted.toString('utf8')
+}
+
+function decryptV2GCM(encryptedData, password) {
+  const b64 = encryptedData.slice(VERSION_PREFIX.length)
+  const combined = Buffer.from(b64, 'base64')
+
+  // v2: salt(32) + iv(12) + tag(16) + ciphertext
+  const salt = combined.subarray(0, SALT_LENGTH)
+  const iv = combined.subarray(SALT_LENGTH, SALT_LENGTH + IV_LENGTH)
+  const tagStart = SALT_LENGTH + IV_LENGTH
+  const tag = combined.subarray(tagStart, tagStart + AUTH_TAG_LENGTH)
+  const encrypted = combined.subarray(tagStart + AUTH_TAG_LENGTH)
+
+  const key = deriveKey(password, salt)
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv)
+  decipher.setAuthTag(tag)
+
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ])
+
+  return decrypted.toString('utf8')
+}
+
 /**
  * Verschlüsselt einen Text
  */
 export function encrypt(text, password) {
   try {
-    // Salt generieren
-    const salt = crypto.randomBytes(SALT_LENGTH)
-    
-    // Schlüssel ableiten
-    const key = deriveKey(password, salt)
-    
-    // IV generieren
-    const iv = crypto.randomBytes(IV_LENGTH)
-    
-    // Cipher erstellen
-    const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
-    
-    // Verschlüsseln
-    let encrypted = cipher.update(text, 'utf8', 'hex')
-    encrypted += cipher.final('hex')
-    
-    // Salt + IV + Verschlüsselter Text kombinieren
-    const combined = Buffer.concat([
-      salt,
-      iv,
-      Buffer.from(encrypted, 'hex')
-    ])
-    
-    return combined.toString('base64')
+    return encryptV2GCM(text, password)
   } catch (error) {
     console.error('Verschlüsselungsfehler:', error)
     throw new Error('Fehler beim Verschlüsseln der Daten')
@@ -52,25 +111,12 @@ export function encrypt(text, password) {
  */
 export function decrypt(encryptedData, password) {
   try {
-    // Base64 dekodieren
-    const combined = Buffer.from(encryptedData, 'base64')
-    
-    // Komponenten extrahieren
-    const salt = combined.subarray(0, SALT_LENGTH)
-    const iv = combined.subarray(SALT_LENGTH, SALT_LENGTH + IV_LENGTH)
-    const encrypted = combined.subarray(SALT_LENGTH + IV_LENGTH)
-    
-    // Schlüssel ableiten
-    const key = deriveKey(password, salt)
-    
-    // Decipher erstellen
-    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv)
-    
-    // Entschlüsseln
-    let decrypted = decipher.update(encrypted, null, 'utf8')
-    decrypted += decipher.final('utf8')
-    
-    return decrypted
+    if (typeof encryptedData === 'string' && encryptedData.startsWith(VERSION_PREFIX)) {
+      return decryptV2GCM(encryptedData, password)
+    }
+
+    // Fallback: legacy CBC ohne Prefix
+    return decryptLegacyCBC(encryptedData, password)
   } catch (error) {
     console.error('Entschlüsselungsfehler:', error)
     throw new Error('Fehler beim Entschlüsseln der Daten')

server/utils/hibp.js

@@ -0,0 +1,95 @@
+import crypto from 'crypto'
+
+const cache = globalThis.__HTC_HIBP_CACHE__ || new Map()
+globalThis.__HTC_HIBP_CACHE__ = cache
+
+function nowMs() {
+  return Date.now()
+}
+
+function sha1UpperHex(input) {
+  return crypto.createHash('sha1').update(String(input), 'utf8').digest('hex').toUpperCase()
+}
+
+function parseRangeResponse(text) {
+  // Format: "SUFFIX:COUNT" per line
+  const map = new Map()
+  for (const line of String(text || '').split('\n')) {
+    const trimmed = line.trim()
+    if (!trimmed) continue
+    const [suffix, count] = trimmed.split(':')
+    if (suffix && count) map.set(suffix.trim().toUpperCase(), Number(count.trim()) || 0)
+  }
+  return map
+}
+
+async function fetchWithTimeout(url, { timeoutMs = 4000, headers = {} } = {}) {
+  const ctrl = new AbortController()
+  const t = setTimeout(() => ctrl.abort(), timeoutMs)
+  try {
+    return await fetch(url, { headers, signal: ctrl.signal })
+  } finally {
+    clearTimeout(t)
+  }
+}
+
+/**
+ * Prüft Passwort gegen HIBP Pwned Passwords (k-Anonymity).
+ * Gibt zurück: { pwned: boolean, count: number }
+ */
+export async function checkPasswordPwned(password) {
+  const enabled = (process.env.HIBP_ENABLED || '').toLowerCase() === 'true'
+  if (!enabled) return { pwned: false, count: 0 }
+
+  const hash = sha1UpperHex(password)
+  const prefix = hash.slice(0, 5)
+  const suffix = hash.slice(5)
+
+  // Cache pro Prefix (TTL)
+  const ttlMs = Number(process.env.HIBP_CACHE_TTL_MS || 6 * 60 * 60 * 1000) // 6h
+  const cached = cache.get(prefix)
+  const now = nowMs()
+  if (cached && cached.expiresAt > now && cached.map) {
+    const count = cached.map.get(suffix) || 0
+    return { pwned: count > 0, count }
+  }
+
+  const ua = process.env.HIBP_USER_AGENT || 'harheimertc'
+  const url = `https://api.pwnedpasswords.com/range/${prefix}`
+  const res = await fetchWithTimeout(url, {
+    timeoutMs: Number(process.env.HIBP_TIMEOUT_MS || 4000),
+    headers: {
+      'User-Agent': ua,
+      // HIBP empfiehlt optional diesen Header für Padding; wir schalten ihn per default ein.
+      'Add-Padding': 'true'
+    }
+  })
+
+  if (!res.ok) {
+    const failClosed = (process.env.HIBP_FAIL_CLOSED || '').toLowerCase() === 'true'
+    if (failClosed) {
+      throw createError({ statusCode: 503, statusMessage: 'Passwortprüfung derzeit nicht verfügbar. Bitte später erneut versuchen.' })
+    }
+    // fail-open
+    return { pwned: false, count: 0 }
+  }
+
+  const text = await res.text()
+  const map = parseRangeResponse(text)
+  cache.set(prefix, { expiresAt: now + ttlMs, map })
+
+  const count = map.get(suffix) || 0
+  return { pwned: count > 0, count }
+}
+
+export async function assertPasswordNotPwned(password) {
+  const { pwned } = await checkPasswordPwned(password)
+  if (pwned) {
+    throw createError({
+      statusCode: 400,
+      message: 'Dieses Passwort wurde in bekannten Datenleaks gefunden. Bitte wählen Sie ein anderes Passwort.'
+    })
+  }
+}
+
+

server/utils/rate-limit.js

@@ -0,0 +1,131 @@
+/**
+ * Sehr einfache In-Memory Rate-Limits für Nitro/h3.
+ *
+ * Hinweis: In-Memory ist pro Prozess/Instance. Für horizontale Skalierung
+ * sollte das auf Redis o.ä. umgestellt werden (siehe Doku).
+ */
+
+const buckets = globalThis.__HTC_RATE_LIMIT_BUCKETS__ || new Map()
+// Persist across hot reloads
+globalThis.__HTC_RATE_LIMIT_BUCKETS__ = buckets
+
+function nowMs() {
+  return Date.now()
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+export function getClientIp(event) {
+  const xff = getHeader(event, 'x-forwarded-for')
+  if (xff) {
+    // First IP in list is original client
+    const first = xff.split(',')[0]?.trim()
+    if (first) return first
+  }
+
+  const realIp = getHeader(event, 'x-real-ip')
+  if (realIp) return realIp.trim()
+
+  return event?.node?.req?.socket?.remoteAddress || 'unknown'
+}
+
+function getBucket(key) {
+  let b = buckets.get(key)
+  if (!b) {
+    b = {
+      windowStart: nowMs(),
+      count: 0,
+      consecutiveFails: 0,
+      lockedUntil: 0
+    }
+    buckets.set(key, b)
+  }
+  return b
+}
+
+function normalizeKeyPart(part) {
+  return String(part || '')
+    .trim()
+    .toLowerCase()
+    .replace(/\s+/g, ' ')
+    .slice(0, 200)
+}
+
+function buildKey(name, keyParts) {
+  const parts = (Array.isArray(keyParts) ? keyParts : [keyParts]).map(normalizeKeyPart)
+  return `${name}:${parts.join(':')}`
+}
+
+function resetWindowIfNeeded(bucket, windowMs, now) {
+  if (now - bucket.windowStart >= windowMs) {
+    bucket.windowStart = now
+    bucket.count = 0
+    // consecutiveFails bleibt bewusst erhalten (Backoff für "nervige" Clients)
+  }
+}
+
+export function assertRateLimit(event, options) {
+  const {
+    name,
+    keyParts,
+    windowMs = 10 * 60 * 1000,
+    maxAttempts = 10,
+    lockoutMs = 15 * 60 * 1000,
+    statusCode = 429,
+    message = 'Zu viele Versuche. Bitte später erneut versuchen.'
+  } = options || {}
+
+  const key = buildKey(name, keyParts)
+  const bucket = getBucket(key)
+  const now = nowMs()
+
+  if (bucket.lockedUntil && bucket.lockedUntil > now) {
+    const retryAfterSec = Math.ceil((bucket.lockedUntil - now) / 1000)
+    setHeader(event, 'Retry-After', String(retryAfterSec))
+    throw createError({ statusCode, statusMessage: message })
+  }
+
+  resetWindowIfNeeded(bucket, windowMs, now)
+
+  if (bucket.count >= maxAttempts) {
+    bucket.lockedUntil = now + lockoutMs
+    const retryAfterSec = Math.ceil(lockoutMs / 1000)
+    setHeader(event, 'Retry-After', String(retryAfterSec))
+    throw createError({ statusCode, statusMessage: message })
+  }
+
+  // Count the attempt
+  bucket.count += 1
+}
+
+export async function registerRateLimitFailure(event, options) {
+  const {
+    name,
+    keyParts,
+    delayBaseMs = 300,
+    delayMaxMs = 5000
+  } = options || {}
+
+  const key = buildKey(name, keyParts)
+  const bucket = getBucket(key)
+  bucket.consecutiveFails = Math.min((bucket.consecutiveFails || 0) + 1, 30)
+
+  // Exponential backoff: base * 2^(n-1)
+  const delay = Math.min(delayBaseMs * Math.pow(2, bucket.consecutiveFails - 1), delayMaxMs)
+  await sleep(delay)
+}
+
+export function registerRateLimitSuccess(_event, options) {
+  const { name, keyParts } = options || {}
+  const key = buildKey(name, keyParts)
+  const bucket = getBucket(key)
+  bucket.consecutiveFails = 0
+  // Nach Erfolg darf es "frisch" starten
+  bucket.count = 0
+  bucket.windowStart = nowMs()
+  bucket.lockedUntil = 0
+}
+
+

server/utils/upload-validation.js

@@ -0,0 +1,21 @@
+import fs from 'fs/promises'
+
+export async function assertPdfMagicHeader(filePath) {
+  const fh = await fs.open(filePath, 'r')
+  try {
+    const buf = Buffer.alloc(5)
+    await fh.read(buf, 0, 5, 0)
+    const header = buf.toString('utf8')
+    if (header !== '%PDF-') {
+      throw createError({ statusCode: 400, statusMessage: 'Ungültige Datei: kein PDF' })
+    }
+  } finally {
+    await fh.close()
+  }
+}
+
+export function clamp(n, min, max) {
+  return Math.max(min, Math.min(max, n))
+}
+
+

server/utils/webauthn-challenges.js

@@ -0,0 +1,46 @@
+const regChallenges = globalThis.__HTC_WEBAUTHN_REG_CHALLENGES__ || new Map()
+const authChallenges = globalThis.__HTC_WEBAUTHN_AUTH_CHALLENGES__ || new Map()
+globalThis.__HTC_WEBAUTHN_REG_CHALLENGES__ = regChallenges
+globalThis.__HTC_WEBAUTHN_AUTH_CHALLENGES__ = authChallenges
+
+function nowMs() {
+  return Date.now()
+}
+
+function cleanup(map) {
+  const now = nowMs()
+  for (const [k, v] of map.entries()) {
+    if (!v || !v.expiresAt || v.expiresAt <= now) map.delete(k)
+  }
+}
+
+export function setRegistrationChallenge(userId, challenge, ttlMs = 5 * 60 * 1000) {
+  cleanup(regChallenges)
+  regChallenges.set(String(userId), { challenge, expiresAt: nowMs() + ttlMs })
+}
+
+export function getRegistrationChallenge(userId) {
+  cleanup(regChallenges)
+  const v = regChallenges.get(String(userId))
+  return v?.challenge || null
+}
+
+export function clearRegistrationChallenge(userId) {
+  regChallenges.delete(String(userId))
+}
+
+export function setAuthChallenge(challenge, ttlMs = 5 * 60 * 1000) {
+  cleanup(authChallenges)
+  authChallenges.set(String(challenge), { expiresAt: nowMs() + ttlMs })
+}
+
+export function consumeAuthChallenge(challenge) {
+  cleanup(authChallenges)
+  const key = String(challenge)
+  const v = authChallenges.get(key)
+  if (!v) return false
+  authChallenges.delete(key)
+  return true
+}
+
+

server/utils/webauthn-config.js

@@ -0,0 +1,26 @@
+function deriveFromBaseUrl() {
+  const base = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
+  try {
+    const u = new URL(base)
+    return {
+      origin: `${u.protocol}//${u.host}`,
+      rpId: u.hostname
+    }
+  } catch {
+    return { origin: 'http://localhost:3100', rpId: 'localhost' }
+  }
+}
+
+export function getWebAuthnConfig() {
+  const derived = deriveFromBaseUrl()
+
+  const rpId = process.env.WEBAUTHN_RP_ID || derived.rpId
+  const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC'
+  const origin = process.env.WEBAUTHN_ORIGIN || derived.origin
+
+  const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true'
+
+  return { rpId, rpName, origin, requireUV }
+}
+
+

server/utils/webauthn-encoding.js

@@ -0,0 +1,34 @@
+export function toBase64Url(buf) {
+  if (buf == null) return ''
+  if (typeof buf === 'string') return buf
+  const b = Buffer.isBuffer(buf) ? buf : Buffer.from(buf)
+  // Node supports 'base64url' on recent versions; keep fallback for safety.
+  try {
+    return b.toString('base64url')
+  } catch {
+    return b
+      .toString('base64')
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=+$/g, '')
+  }
+}
+
+export function fromBase64Url(s) {
+  if (!s) return Buffer.alloc(0)
+  // Node supports 'base64url' on recent versions; keep fallback for safety.
+  try {
+    return Buffer.from(String(s), 'base64url')
+  } catch {
+    let v = String(s).replace(/-/g, '+').replace(/_/g, '/')
+    while (v.length % 4) v += '='
+    return Buffer.from(v, 'base64')
+  }
+}
+
+export function parseClientDataJSON(clientDataJSONB64Url) {
+  const json = fromBase64Url(clientDataJSONB64Url).toString('utf8')
+  return JSON.parse(json)
+}
+
+