Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

server/api/auth/login.post.js

@@ -1,4 +1,7 @@
 import { readUsers, writeUsers, verifyPassword, generateToken, createSession, migrateUserRoles } from '../../utils/auth.js'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { getAuthCookieOptions } from '../../utils/cookies.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,11 +15,33 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+
+    // Rate Limiting (IP + Account)
+    assertRateLimit(event, {
+      name: 'auth:login:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'auth:login:account',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 10,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     // Find user
     const users = await readUsers()
     const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
 
     if (!user) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, reason: 'user_not_found' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
@@ -34,18 +59,27 @@ export default defineEventHandler(async (event) => {
     // Verify password
     const isValid = await verifyPassword(password, user.password)
     if (!isValid) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, userId: user.id, reason: 'bad_password' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
       })
     }
 
+    // Erfolg: Limiter zurücksetzen
+    registerRateLimitSuccess(event, { name: 'auth:login:ip', keyParts: [ip] })
+    registerRateLimitSuccess(event, { name: 'auth:login:account', keyParts: [emailKey] })
+
     // Generate token
     const token = generateToken(user)
 
     // Create session
     await createSession(user.id, token)
 
+    await writeAuditLog('auth.login.success', { ip, email: emailKey, userId: user.id })
+
     // Update last login
     user.lastLogin = new Date().toISOString()
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
@@ -53,10 +87,7 @@ export default defineEventHandler(async (event) => {
 
     // Set cookie
     setCookie(event, 'auth_token', token, {
-      httpOnly: true,
-      secure: false, // Auch in Production false, da wir HTTPS über Apache terminieren
-      sameSite: 'lax',
-      maxAge: 60 * 60 * 24 * 7 // 7 days
+      ...getAuthCookieOptions()
     })
 
     // Migriere Rollen falls nötig

server/api/auth/passkeys/authentication-options.post.js

@@ -0,0 +1,19 @@
+import { generateAuthenticationOptions } from '@simplewebauthn/server'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { setAuthChallenge } from '../../../utils/webauthn-challenges.js'
+
+export default defineEventHandler(async (_event) => {
+  const { rpId } = getWebAuthnConfig()
+
+  // Username-less / discoverable credentials: allowCredentials absichtlich leer
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    userVerification: 'preferred'
+  })
+
+  setAuthChallenge(options.challenge)
+
+  return { success: true, options }
+})
+
+

server/api/auth/passkeys/list.get.js

@@ -0,0 +1,27 @@
+import { getUserFromToken } from '../../../utils/auth.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const passkeys = Array.isArray(user.passkeys) ? user.passkeys : []
+
+  return {
+    success: true,
+    passkeys: passkeys.map(pk => ({
+      id: pk.id,
+      name: pk.name || 'Passkey',
+      credentialId: pk.credentialId,
+      createdAt: pk.createdAt || null,
+      lastUsedAt: pk.lastUsedAt || null,
+      deviceType: pk.deviceType || null,
+      backedUp: pk.backedUp ?? null
+    }))
+  }
+})
+
+

server/api/auth/passkeys/login.post.js

@@ -0,0 +1,100 @@
+import { verifyAuthenticationResponse } from '@simplewebauthn/server'
+import { createSession, generateToken, migrateUserRoles, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { consumeAuthChallenge } from '../../../utils/webauthn-challenges.js'
+import { fromBase64Url, parseClientDataJSON } from '../../../utils/webauthn-encoding.js'
+import { getAuthCookieOptions } from '../../../utils/cookies.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+import { getClientIp } from '../../../utils/rate-limit.js'
+
+function findUserByCredentialId(users, credentialId) {
+  const cid = String(credentialId || '')
+  for (const u of users) {
+    const pks = Array.isArray(u.passkeys) ? u.passkeys : []
+    const match = pks.find(pk => pk && pk.credentialId === cid)
+    if (match) return { user: u, passkey: match }
+  }
+  return { user: null, passkey: null }
+}
+
+export default defineEventHandler(async (event) => {
+  const ip = getClientIp(event)
+  const body = await readBody(event)
+  const response = body?.credential
+  if (!response) {
+    throw createError({ statusCode: 400, statusMessage: 'Credential fehlt' })
+  }
+
+  // Challenge aus clientDataJSON holen
+  const clientData = parseClientDataJSON(response.response?.clientDataJSON)
+  const challenge = clientData?.challenge
+  if (!challenge) {
+    throw createError({ statusCode: 400, statusMessage: 'Ungültige Passkey-Antwort (Challenge fehlt)' })
+  }
+
+  if (!consumeAuthChallenge(challenge)) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, reason: 'unknown_or_expired_challenge' })
+    throw createError({ statusCode: 400, statusMessage: 'Login-Session abgelaufen. Bitte erneut versuchen.' })
+  }
+
+  const users = await readUsers()
+  const { user, passkey } = findUserByCredentialId(users, response.id)
+  if (!user || !passkey) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, reason: 'credential_not_found' })
+    throw createError({ statusCode: 401, statusMessage: 'Passkey unbekannt' })
+  }
+
+  const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  const authenticator = {
+    credentialID: fromBase64Url(passkey.credentialId),
+    credentialPublicKey: fromBase64Url(passkey.publicKey),
+    counter: Number(passkey.counter) || 0,
+    transports: passkey.transports || undefined
+  }
+
+  const verification = await verifyAuthenticationResponse({
+    response,
+    expectedChallenge: challenge,
+    expectedOrigin: origin,
+    expectedRPID: rpId,
+    authenticator,
+    requireUserVerification: requireUV
+  })
+
+  if (!verification.verified) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, userId: user.id, reason: 'verification_failed' })
+    throw createError({ statusCode: 401, statusMessage: 'Passkey-Login fehlgeschlagen' })
+  }
+
+  // Counter/lastUsed aktualisieren
+  passkey.counter = verification.authenticationInfo?.newCounter ?? passkey.counter
+  passkey.lastUsedAt = new Date().toISOString()
+  await writeUsers(users)
+
+  const token = generateToken(user)
+  await createSession(user.id, token)
+
+  setCookie(event, 'auth_token', token, { ...getAuthCookieOptions() })
+
+  await writeAuditLog('auth.passkey.login.success', { ip, userId: user.id })
+
+  const migratedUser = migrateUserRoles({ ...user })
+  const roles = Array.isArray(migratedUser.roles)
+    ? migratedUser.roles
+    : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
+
+  return {
+    success: true,
+    token,
+    user: {
+      id: user.id,
+      email: user.email,
+      name: user.name,
+      roles
+    },
+    role: roles[0] || 'mitglied'
+  }
+})
+
+

server/api/auth/passkeys/register.post.js

@@ -0,0 +1,93 @@
+import { verifyRegistrationResponse } from '@simplewebauthn/server'
+import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { clearRegistrationChallenge, getRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
+import { toBase64Url } from '../../../utils/webauthn-encoding.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const body = await readBody(event)
+  const response = body?.credential
+  if (!response) {
+    throw createError({ statusCode: 400, statusMessage: 'Credential fehlt' })
+  }
+
+  const expectedChallenge = getRegistrationChallenge(user.id)
+  if (!expectedChallenge) {
+    throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
+  }
+
+  const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  let verification
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge,
+      expectedOrigin: origin,
+      expectedRPID: rpId,
+      requireUserVerification: requireUV
+    })
+  } finally {
+    clearRegistrationChallenge(user.id)
+  }
+
+  const { verified, registrationInfo } = verification
+  if (!verified || !registrationInfo) {
+    await writeAuditLog('auth.passkey.registration.failed', { userId: user.id })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
+  }
+
+  const {
+    credentialID,
+    credentialPublicKey,
+    counter,
+    credentialDeviceType,
+    credentialBackedUp
+  } = registrationInfo
+
+  const credentialId = toBase64Url(credentialID)
+  const publicKey = toBase64Url(credentialPublicKey)
+
+  const users = await readUsers()
+  const idx = users.findIndex(u => u.id === user.id)
+  if (idx === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Benutzer nicht gefunden' })
+  }
+
+  const u = users[idx]
+  if (!Array.isArray(u.passkeys)) u.passkeys = []
+
+  // Duplikate verhindern
+  if (u.passkeys.some(pk => pk.credentialId === credentialId)) {
+    return { success: true, message: 'Passkey ist bereits registriert.' }
+  }
+
+  u.passkeys.push({
+    id: `${Date.now()}`,
+    credentialId,
+    publicKey,
+    counter: Number(counter) || 0,
+    transports: Array.isArray(response.transports) ? response.transports : undefined,
+    deviceType: credentialDeviceType,
+    backedUp: !!credentialBackedUp,
+    createdAt: new Date().toISOString(),
+    lastUsedAt: null,
+    name: body?.name ? String(body.name).slice(0, 80) : 'Passkey'
+  })
+
+  users[idx] = u
+  await writeUsers(users)
+
+  await writeAuditLog('auth.passkey.registered', { userId: user.id })
+  return { success: true, message: 'Passkey hinzugefügt.' }
+})
+
+

server/api/auth/passkeys/registration-options.post.js

@@ -0,0 +1,51 @@
+import { generateRegistrationOptions } from '@simplewebauthn/server'
+import { getUserFromToken, hasAnyRole } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { setRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  // Mindestens für Admin/Vorstand anbieten (und auch für Mitglieder ok)
+  if (!hasAnyRole(user, 'admin', 'vorstand', 'mitglied', 'newsletter')) {
+    throw createError({ statusCode: 403, statusMessage: 'Keine Berechtigung' })
+  }
+
+  const { rpId, rpName } = getWebAuthnConfig()
+
+  const existing = Array.isArray(user.passkeys) ? user.passkeys : []
+  const excludeCredentials = existing
+    .filter(pk => pk && pk.credentialId)
+    .map(pk => ({
+      id: pk.credentialId,
+      type: 'public-key',
+      transports: pk.transports || undefined
+    }))
+
+  const options = await generateRegistrationOptions({
+    rpName,
+    rpID: rpId,
+    userID: String(user.id),
+    userName: user.email,
+    // Keine Attestation-Daten speichern
+    attestationType: 'none',
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred'
+    },
+    excludeCredentials
+  })
+
+  setRegistrationChallenge(user.id, options.challenge)
+  await writeAuditLog('auth.passkey.registration.options', { userId: user.id })
+
+  return { success: true, options }
+})
+
+

server/api/auth/passkeys/remove.post.js

@@ -0,0 +1,39 @@
+import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const currentUser = token ? await getUserFromToken(token) : null
+
+  if (!currentUser) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const body = await readBody(event)
+  const credentialId = String(body?.credentialId || '')
+  if (!credentialId) {
+    throw createError({ statusCode: 400, statusMessage: 'credentialId fehlt' })
+  }
+
+  const users = await readUsers()
+  const idx = users.findIndex(u => u.id === currentUser.id)
+  if (idx === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Benutzer nicht gefunden' })
+  }
+
+  const user = users[idx]
+  const before = Array.isArray(user.passkeys) ? user.passkeys.length : 0
+  user.passkeys = (Array.isArray(user.passkeys) ? user.passkeys : []).filter(pk => pk.credentialId !== credentialId)
+  const after = user.passkeys.length
+  users[idx] = user
+  await writeUsers(users)
+
+  await writeAuditLog('auth.passkey.removed', { userId: currentUser.id })
+
+  return {
+    success: true,
+    removed: before !== after
+  }
+})
+
+

server/api/auth/register.post.js

@@ -1,5 +1,6 @@
 import { readUsers, writeUsers, hashPassword } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
+import { assertPasswordNotPwned } from '../../utils/hibp.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -21,6 +22,9 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Optional: Passwort gegen HIBP (k-Anonymity) prüfen
+    await assertPasswordNotPwned(password)
+
     // Check if user already exists
     const users = await readUsers()
     const existingUser = users.find(u => u.email.toLowerCase() === email.toLowerCase())

server/api/auth/reset-password.post.js

@@ -1,6 +1,8 @@
 import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
 import crypto from 'crypto'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -14,12 +16,34 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+
+    // Rate Limiting (IP + Account)
+    assertRateLimit(event, {
+      name: 'auth:reset:ip',
+      keyParts: [ip],
+      windowMs: 60 * 60 * 1000,
+      maxAttempts: 20,
+      lockoutMs: 30 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'auth:reset:account',
+      keyParts: [emailKey],
+      windowMs: 60 * 60 * 1000,
+      maxAttempts: 5,
+      lockoutMs: 60 * 60 * 1000
+    })
+
     // Find user
     const users = await readUsers()
     const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
 
     // Always return success (security: don't reveal if email exists)
     if (!user) {
+      await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: false })
       return {
         success: true,
         message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
@@ -36,6 +60,9 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
     await writeUsers(updatedUsers)
 
+    registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+    await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: true, userId: user.id })
+
     // Send email with temporary password
     const smtpUser = process.env.SMTP_USER
     const smtpPass = process.env.SMTP_PASS

server/api/cms/satzung-upload.post.js

@@ -4,6 +4,7 @@ import path from 'path'
 import { exec } from 'child_process'
 import { promisify } from 'util'
 import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { assertPdfMagicHeader } from '../../utils/upload-validation.js'
 
 const execAsync = promisify(exec)
 
@@ -74,6 +75,8 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
+    await fs.mkdir(path.join(process.cwd(), 'public', 'documents'), { recursive: true })
+
     // Multer-Middleware für File-Upload
     await new Promise((resolve, reject) => {
       upload.single('pdf')(event.node.req, event.node.res, (err) => {
@@ -90,6 +93,9 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Zusätzliche Validierung: Magic-Bytes prüfen (mimetype kann gespooft sein)
+    await assertPdfMagicHeader(file.path)
+
     // PDF-Text extrahieren mit pdftotext (falls verfügbar) oder Fallback
     let extractedText = ''
     

server/api/cms/upload-spielplan-pdf.post.js

@@ -2,6 +2,7 @@ import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
 import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { assertPdfMagicHeader } from '../../utils/upload-validation.js'
 
 // Multer-Konfiguration für PDF-Uploads
 const storage = multer.diskStorage({
@@ -10,8 +11,10 @@ const storage = multer.diskStorage({
     cb(null, uploadPath)
   },
   filename: (req, file, cb) => {
-    const type = req.body.type
-    const filename = `spielplan_${type}.pdf`
+    // WICHTIG: Validieren, bevor der Dateiname gebaut wird (sonst Pfad-/Filename-Injection möglich)
+    const type = String(req.body?.type || '').trim()
+    const safeType = ['gesamt', 'erwachsene', 'nachwuchs'].includes(type) ? type : 'invalid'
+    const filename = `spielplan_${safeType}.pdf`
     cb(null, filename)
   }
 })
@@ -85,6 +88,8 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    await assertPdfMagicHeader(file.path)
+
     if (!type || !['gesamt', 'erwachsene', 'nachwuchs'].includes(type)) {
       // Lösche die hochgeladene Datei
       await fs.unlink(file.path)

server/api/cms/users/approve.post.js

@@ -1,5 +1,6 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
 import nodemailer from 'nodemailer'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -41,6 +42,12 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.approved', {
+      actorUserId: currentUser.id,
+      targetUserId: userId,
+      roles: user.roles
+    })
+
     // Send approval email
     try {
       const smtpUser = process.env.SMTP_USER

server/api/cms/users/deactivate.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -36,6 +37,11 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.deactivated', {
+      actorUserId: currentUser.id,
+      targetUserId: userId
+    })
+
     return {
       success: true,
       message: 'Benutzer wurde deaktiviert'

server/api/cms/users/reject.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -20,6 +21,11 @@ export default defineEventHandler(async (event) => {
     
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.rejected', {
+      actorUserId: currentUser.id,
+      targetUserId: userId
+    })
+
     return {
       success: true,
       message: 'Registrierung wurde abgelehnt und gelöscht'

server/api/cms/users/update-role.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -39,10 +40,18 @@ export default defineEventHandler(async (event) => {
     migrateUserRoles(user)
     
     // Setze Rollen
+    const oldRoles = Array.isArray(user.roles) ? [...user.roles] : []
     user.roles = rolesArray
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.roles.updated', {
+      actorUserId: currentUser.id,
+      targetUserId: userId,
+      oldRoles,
+      newRoles: rolesArray
+    })
+
     return {
       success: true,
       message: 'Rolle wurde aktualisiert'

server/api/galerie/upload.post.js

@@ -4,6 +4,7 @@ import path from 'path'
 import sharp from 'sharp'
 import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'
+import { clamp } from '../../utils/upload-validation.js'
 
 // Handle both dev and production paths
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
@@ -155,10 +156,36 @@ export default defineEventHandler(async (event) => {
     const filename = `${titleSlug}_${randomUUID().substring(0, 8)}${ext}`
     const previewFilename = `preview_${filename}`
 
-    // Verschiebe die Datei zum neuen Namen
+    // Originalbild verarbeiten: re-encode (EXIF entfernen) + Pixel/DIM-Limit
     // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     const originalPath = path.join(GALERIE_DIR, 'originals', filename)
-    await fs.rename(file.path, originalPath)
+
+    const maxPixels = Number(process.env.IMAGE_MAX_PIXELS || 20_000_000) // 20MP
+    const maxDim = Number(process.env.IMAGE_MAX_DIM || 4000) // px
+
+    const meta = await sharp(file.path).metadata()
+    const w = meta.width || 0
+    const h = meta.height || 0
+
+    let pipeline = sharp(file.path).rotate()
+
+    if (w > 0 && h > 0) {
+      const pixels = w * h
+      if (pixels > maxPixels) {
+        const scale = Math.sqrt(maxPixels / pixels)
+        const nw = clamp(Math.floor(w * scale), 1, maxDim)
+        const nh = clamp(Math.floor(h * scale), 1, maxDim)
+        pipeline = pipeline.resize(nw, nh, { fit: 'inside', withoutEnlargement: true })
+      } else if (w > maxDim || h > maxDim) {
+        pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+      }
+    } else {
+      pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+    }
+
+    await pipeline.toFile(originalPath)
+    // Temp-Datei löschen
+    await fs.unlink(file.path).catch(() => {})
     
     // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     const previewPath = path.join(GALERIE_DIR, 'previews', previewFilename)

server/api/membership/generate-pdf.post.js

@@ -4,6 +4,7 @@ import { promisify } from 'util'
 import fs from 'fs/promises'
 import path from 'path'
 import { StandardFonts } from 'pdf-lib'
+import { getDownloadCookieOptionsWithMaxAge } from '../../utils/cookies.js'
 
 // const require = createRequire(import.meta.url) // Nicht verwendet
 const execAsync = promisify(exec)
@@ -702,10 +703,7 @@ export default defineEventHandler(async (event) => {
         // Download-Token setzen
         const downloadToken = Buffer.from(`${filename}:${Date.now()}`).toString('base64')
         setCookie(event, 'download_token', downloadToken, {
-          httpOnly: true,
-          secure: process.env.NODE_ENV === 'production',
-          sameSite: 'strict',
-          maxAge: 60 * 60 * 24 // 24 Stunden
+          ...getDownloadCookieOptionsWithMaxAge(60 * 60 * 24)
         })
 
         return {
@@ -775,10 +773,7 @@ export default defineEventHandler(async (event) => {
       // Download-Berechtigung für den Antragsteller setzen
       const downloadToken = Buffer.from(`${filename}:${Date.now()}`).toString('base64')
       setCookie(event, 'download_token', downloadToken, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === 'production',
-        sameSite: 'strict',
-        maxAge: 60 * 60 * 24 // 24 Stunden
+        ...getDownloadCookieOptionsWithMaxAge(60 * 60 * 24)
       })
       
       return {

server/api/newsletter/check-subscription.get.js

@@ -1,4 +1,5 @@
 import { readSubscribers } from '../../utils/newsletter.js'
+import { assertRateLimit, getClientIp } from '../../utils/rate-limit.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,6 +13,23 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+    assertRateLimit(event, {
+      name: 'newsletter:check:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 60,
+      lockoutMs: 10 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:check:email',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 10 * 60 * 1000
+    })
+
     const subscribers = await readSubscribers()
     const emailLower = email.toLowerCase()
     

server/api/newsletter/subscribe.post.js

@@ -4,6 +4,7 @@ import nodemailer from 'nodemailer'
 import crypto from 'crypto'
 import fs from 'fs/promises'
 import path from 'path'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 // filename is always a hardcoded constant (e.g., 'newsletter-subscribers.json'), never user input
@@ -43,6 +44,23 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+    assertRateLimit(event, {
+      name: 'newsletter:subscribe:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:subscribe:email',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 8,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     if (!groupId) {
       throw createError({
         statusCode: 400,
@@ -79,6 +97,8 @@ export default defineEventHandler(async (event) => {
     
     if (existing) {
       if (existing.confirmed) {
+        await registerRateLimitFailure(event, { name: 'newsletter:subscribe:ip', keyParts: [ip] })
+        await registerRateLimitFailure(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         throw createError({
           statusCode: 409,
           statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
@@ -86,6 +106,7 @@ export default defineEventHandler(async (event) => {
       } else {
         // Bestätigungsmail erneut senden
         await sendConfirmationEmail(existing.email, existing.name || name, existing.confirmationToken, group.name)
+        registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         return {
           success: true,
           message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
@@ -105,6 +126,8 @@ export default defineEventHandler(async (event) => {
       if (existingEmail.groupIds.includes(groupId)) {
         // Bereits für diese Gruppe angemeldet
         if (existingEmail.confirmed) {
+          await registerRateLimitFailure(event, { name: 'newsletter:subscribe:ip', keyParts: [ip] })
+          await registerRateLimitFailure(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
           throw createError({
             statusCode: 409,
             statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
@@ -112,6 +135,7 @@ export default defineEventHandler(async (event) => {
         } else {
           // Bestätigungsmail erneut senden
           await sendConfirmationEmail(existingEmail.email, existingEmail.name || name, existingEmail.confirmationToken, group.name)
+          registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
           return {
             success: true,
             message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
@@ -131,6 +155,7 @@ export default defineEventHandler(async (event) => {
       
       if (existingEmail.confirmed) {
         // Bereits bestätigt - sofort aktiviert
+        registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         return {
           success: true,
           message: `Sie wurden erfolgreich für den Newsletter "${group.name}" angemeldet`
@@ -138,6 +163,7 @@ export default defineEventHandler(async (event) => {
       } else {
         // Bestätigungsmail senden
         await sendConfirmationEmail(existingEmail.email, existingEmail.name, existingEmail.confirmationToken, group.name)
+        registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
         return {
           success: true,
           message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'
@@ -167,6 +193,7 @@ export default defineEventHandler(async (event) => {
     // Bestätigungsmail senden
     await sendConfirmationEmail(email, name, confirmationToken, group.name)
 
+    registerRateLimitSuccess(event, { name: 'newsletter:subscribe:email', keyParts: [emailKey] })
     return {
       success: true,
       message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'

server/api/newsletter/unsubscribe-by-email.post.js

@@ -1,6 +1,7 @@
 import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
 import fs from 'fs/promises'
 import path from 'path'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 // filename is always a hardcoded constant (e.g., 'newsletter-subscribers.json'), never user input
@@ -40,6 +41,23 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe:email',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 8,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     if (!groupId) {
       throw createError({
         statusCode: 400,
@@ -75,6 +93,8 @@ export default defineEventHandler(async (event) => {
 
     if (!subscriber) {
       // Nicht gefunden - aber trotzdem Erfolg zurückgeben (keine Information preisgeben)
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
       return {
         success: true,
         message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
@@ -89,6 +109,8 @@ export default defineEventHandler(async (event) => {
     // Prüfe ob für diese Gruppe angemeldet
     if (!subscriber.groupIds.includes(groupId)) {
       // Nicht für diese Gruppe angemeldet - aber trotzdem Erfolg zurückgeben
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
       return {
         success: true,
         message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
@@ -107,6 +129,7 @@ export default defineEventHandler(async (event) => {
 
     await writeSubscribers(subscribers)
 
+    registerRateLimitSuccess(event, { name: 'newsletter:unsubscribe:email', keyParts: [emailKey] })
     return {
       success: true,
       message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'

server/api/newsletter/unsubscribe.get.js

@@ -1,4 +1,5 @@
 import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,10 +13,28 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const tokenKey = String(token || '').trim()
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe-token:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 60,
+      lockoutMs: 10 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'newsletter:unsubscribe-token:token',
+      keyParts: [tokenKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 10,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     const subscribers = await readSubscribers()
     const subscriber = subscribers.find(s => s.unsubscribeToken === token)
 
     if (!subscriber) {
+      await registerRateLimitFailure(event, { name: 'newsletter:unsubscribe-token:token', keyParts: [tokenKey] })
       throw createError({
         statusCode: 404,
         statusMessage: 'Ungültiger Abmeldetoken'
@@ -40,6 +59,7 @@ export default defineEventHandler(async (event) => {
 
     await writeSubscribers(subscribers)
 
+    registerRateLimitSuccess(event, { name: 'newsletter:unsubscribe-token:token', keyParts: [tokenKey] })
     // Weiterleitung zur Abmelde-Bestätigungsseite
     return sendRedirect(event, '/newsletter/unsubscribed')
   } catch (error) {

server/api/personen/upload.post.js

@@ -4,6 +4,7 @@ import path from 'path'
 import sharp from 'sharp'
 import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'
+import { clamp } from '../../utils/upload-validation.js'
 
 // Handle both dev and production paths
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
@@ -125,9 +126,33 @@ export default defineEventHandler(async (event) => {
     const newPath = path.join(PERSONEN_DIR, sanitizedFilename)
 
     // Bild verarbeiten: EXIF-Orientierung korrigieren
-    await sharp(originalPath)
-      .rotate()
-      .toFile(newPath)
+    const maxPixels = Number(process.env.IMAGE_MAX_PIXELS || 20_000_000) // 20MP
+    const maxDim = Number(process.env.IMAGE_MAX_DIM || 2500) // px
+
+    const meta = await sharp(originalPath).metadata()
+    const w = meta.width || 0
+    const h = meta.height || 0
+
+    let pipeline = sharp(originalPath).rotate()
+
+    if (w > 0 && h > 0) {
+      const pixels = w * h
+      // Falls extrem groß: auf maxPixels runter skalieren
+      if (pixels > maxPixels) {
+        const scale = Math.sqrt(maxPixels / pixels)
+        const nw = clamp(Math.floor(w * scale), 1, maxDim)
+        const nh = clamp(Math.floor(h * scale), 1, maxDim)
+        pipeline = pipeline.resize(nw, nh, { fit: 'inside', withoutEnlargement: true })
+      } else if (w > maxDim || h > maxDim) {
+        pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+      }
+    } else {
+      // Unbekannte Dimensionen: dennoch hartes Größenlimit
+      pipeline = pipeline.resize(maxDim, maxDim, { fit: 'inside', withoutEnlargement: true })
+    }
+
+    // toFile re-encodiert => EXIF/Metadata wird entfernt (sofern nicht withMetadata() genutzt wird)
+    await pipeline.toFile(newPath)
 
     // Temporäre Datei löschen
     await fs.unlink(originalPath).catch(() => {

server/api/profile.put.js

@@ -1,4 +1,5 @@
 import { verifyToken, readUsers, writeUsers, verifyPassword, hashPassword, migrateUserRoles } from '../utils/auth.js'
+import { assertPasswordNotPwned } from '../utils/hibp.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -75,6 +76,7 @@ export default defineEventHandler(async (event) => {
         })
       }
 
+      await assertPasswordNotPwned(newPassword)
       user.password = await hashPassword(newPassword)
     }
 

server/api/spielplan/pdf.get.js

@@ -394,10 +394,10 @@ ${hallenListe.map(halle => {
       setHeader(event, 'Content-Disposition', `attachment; filename="spielplan_${team}.pdf"`)
       setHeader(event, 'Content-Length', pdfBuffer.length.toString())
       
-      // Füge Sicherheits-Header hinzu
+      // Füge Sicherheits-Header hinzu (global auch via server/middleware/security-headers.js)
       setHeader(event, 'X-Content-Type-Options', 'nosniff')
-      setHeader(event, 'X-Frame-Options', 'DENY')
-      setHeader(event, 'X-XSS-Protection', '1; mode=block')
+      setHeader(event, 'X-Frame-Options', 'SAMEORIGIN')
+      setHeader(event, 'X-XSS-Protection', '0')
       setHeader(event, 'Cache-Control', 'no-cache, no-store, must-revalidate')
       setHeader(event, 'Pragma', 'no-cache')
       setHeader(event, 'Expires', '0')