Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

server/api/auth/login.post.js

@@ -1,4 +1,7 @@
 import { readUsers, writeUsers, verifyPassword, generateToken, createSession, migrateUserRoles } from '../../utils/auth.js'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { getAuthCookieOptions } from '../../utils/cookies.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,11 +15,33 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+
+    // Rate Limiting (IP + Account)
+    assertRateLimit(event, {
+      name: 'auth:login:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'auth:login:account',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 10,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     // Find user
     const users = await readUsers()
     const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
 
     if (!user) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, reason: 'user_not_found' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
@@ -34,18 +59,27 @@ export default defineEventHandler(async (event) => {
     // Verify password
     const isValid = await verifyPassword(password, user.password)
     if (!isValid) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, userId: user.id, reason: 'bad_password' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
       })
     }
 
+    // Erfolg: Limiter zurücksetzen
+    registerRateLimitSuccess(event, { name: 'auth:login:ip', keyParts: [ip] })
+    registerRateLimitSuccess(event, { name: 'auth:login:account', keyParts: [emailKey] })
+
     // Generate token
     const token = generateToken(user)
 
     // Create session
     await createSession(user.id, token)
 
+    await writeAuditLog('auth.login.success', { ip, email: emailKey, userId: user.id })
+
     // Update last login
     user.lastLogin = new Date().toISOString()
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
@@ -53,10 +87,7 @@ export default defineEventHandler(async (event) => {
 
     // Set cookie
     setCookie(event, 'auth_token', token, {
-      httpOnly: true,
-      secure: false, // Auch in Production false, da wir HTTPS über Apache terminieren
-      sameSite: 'lax',
-      maxAge: 60 * 60 * 24 * 7 // 7 days
+      ...getAuthCookieOptions()
     })
 
     // Migriere Rollen falls nötig

server/api/auth/passkeys/authentication-options.post.js

@@ -0,0 +1,19 @@
+import { generateAuthenticationOptions } from '@simplewebauthn/server'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { setAuthChallenge } from '../../../utils/webauthn-challenges.js'
+
+export default defineEventHandler(async (_event) => {
+  const { rpId } = getWebAuthnConfig()
+
+  // Username-less / discoverable credentials: allowCredentials absichtlich leer
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    userVerification: 'preferred'
+  })
+
+  setAuthChallenge(options.challenge)
+
+  return { success: true, options }
+})
+
+

server/api/auth/passkeys/list.get.js

@@ -0,0 +1,27 @@
+import { getUserFromToken } from '../../../utils/auth.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const passkeys = Array.isArray(user.passkeys) ? user.passkeys : []
+
+  return {
+    success: true,
+    passkeys: passkeys.map(pk => ({
+      id: pk.id,
+      name: pk.name || 'Passkey',
+      credentialId: pk.credentialId,
+      createdAt: pk.createdAt || null,
+      lastUsedAt: pk.lastUsedAt || null,
+      deviceType: pk.deviceType || null,
+      backedUp: pk.backedUp ?? null
+    }))
+  }
+})
+
+

server/api/auth/passkeys/login.post.js

@@ -0,0 +1,100 @@
+import { verifyAuthenticationResponse } from '@simplewebauthn/server'
+import { createSession, generateToken, migrateUserRoles, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { consumeAuthChallenge } from '../../../utils/webauthn-challenges.js'
+import { fromBase64Url, parseClientDataJSON } from '../../../utils/webauthn-encoding.js'
+import { getAuthCookieOptions } from '../../../utils/cookies.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+import { getClientIp } from '../../../utils/rate-limit.js'
+
+function findUserByCredentialId(users, credentialId) {
+  const cid = String(credentialId || '')
+  for (const u of users) {
+    const pks = Array.isArray(u.passkeys) ? u.passkeys : []
+    const match = pks.find(pk => pk && pk.credentialId === cid)
+    if (match) return { user: u, passkey: match }
+  }
+  return { user: null, passkey: null }
+}
+
+export default defineEventHandler(async (event) => {
+  const ip = getClientIp(event)
+  const body = await readBody(event)
+  const response = body?.credential
+  if (!response) {
+    throw createError({ statusCode: 400, statusMessage: 'Credential fehlt' })
+  }
+
+  // Challenge aus clientDataJSON holen
+  const clientData = parseClientDataJSON(response.response?.clientDataJSON)
+  const challenge = clientData?.challenge
+  if (!challenge) {
+    throw createError({ statusCode: 400, statusMessage: 'Ungültige Passkey-Antwort (Challenge fehlt)' })
+  }
+
+  if (!consumeAuthChallenge(challenge)) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, reason: 'unknown_or_expired_challenge' })
+    throw createError({ statusCode: 400, statusMessage: 'Login-Session abgelaufen. Bitte erneut versuchen.' })
+  }
+
+  const users = await readUsers()
+  const { user, passkey } = findUserByCredentialId(users, response.id)
+  if (!user || !passkey) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, reason: 'credential_not_found' })
+    throw createError({ statusCode: 401, statusMessage: 'Passkey unbekannt' })
+  }
+
+  const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  const authenticator = {
+    credentialID: fromBase64Url(passkey.credentialId),
+    credentialPublicKey: fromBase64Url(passkey.publicKey),
+    counter: Number(passkey.counter) || 0,
+    transports: passkey.transports || undefined
+  }
+
+  const verification = await verifyAuthenticationResponse({
+    response,
+    expectedChallenge: challenge,
+    expectedOrigin: origin,
+    expectedRPID: rpId,
+    authenticator,
+    requireUserVerification: requireUV
+  })
+
+  if (!verification.verified) {
+    await writeAuditLog('auth.passkey.login.failed', { ip, userId: user.id, reason: 'verification_failed' })
+    throw createError({ statusCode: 401, statusMessage: 'Passkey-Login fehlgeschlagen' })
+  }
+
+  // Counter/lastUsed aktualisieren
+  passkey.counter = verification.authenticationInfo?.newCounter ?? passkey.counter
+  passkey.lastUsedAt = new Date().toISOString()
+  await writeUsers(users)
+
+  const token = generateToken(user)
+  await createSession(user.id, token)
+
+  setCookie(event, 'auth_token', token, { ...getAuthCookieOptions() })
+
+  await writeAuditLog('auth.passkey.login.success', { ip, userId: user.id })
+
+  const migratedUser = migrateUserRoles({ ...user })
+  const roles = Array.isArray(migratedUser.roles)
+    ? migratedUser.roles
+    : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
+
+  return {
+    success: true,
+    token,
+    user: {
+      id: user.id,
+      email: user.email,
+      name: user.name,
+      roles
+    },
+    role: roles[0] || 'mitglied'
+  }
+})
+
+

server/api/auth/passkeys/register.post.js

@@ -0,0 +1,93 @@
+import { verifyRegistrationResponse } from '@simplewebauthn/server'
+import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { clearRegistrationChallenge, getRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
+import { toBase64Url } from '../../../utils/webauthn-encoding.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const body = await readBody(event)
+  const response = body?.credential
+  if (!response) {
+    throw createError({ statusCode: 400, statusMessage: 'Credential fehlt' })
+  }
+
+  const expectedChallenge = getRegistrationChallenge(user.id)
+  if (!expectedChallenge) {
+    throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
+  }
+
+  const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  let verification
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge,
+      expectedOrigin: origin,
+      expectedRPID: rpId,
+      requireUserVerification: requireUV
+    })
+  } finally {
+    clearRegistrationChallenge(user.id)
+  }
+
+  const { verified, registrationInfo } = verification
+  if (!verified || !registrationInfo) {
+    await writeAuditLog('auth.passkey.registration.failed', { userId: user.id })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
+  }
+
+  const {
+    credentialID,
+    credentialPublicKey,
+    counter,
+    credentialDeviceType,
+    credentialBackedUp
+  } = registrationInfo
+
+  const credentialId = toBase64Url(credentialID)
+  const publicKey = toBase64Url(credentialPublicKey)
+
+  const users = await readUsers()
+  const idx = users.findIndex(u => u.id === user.id)
+  if (idx === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Benutzer nicht gefunden' })
+  }
+
+  const u = users[idx]
+  if (!Array.isArray(u.passkeys)) u.passkeys = []
+
+  // Duplikate verhindern
+  if (u.passkeys.some(pk => pk.credentialId === credentialId)) {
+    return { success: true, message: 'Passkey ist bereits registriert.' }
+  }
+
+  u.passkeys.push({
+    id: `${Date.now()}`,
+    credentialId,
+    publicKey,
+    counter: Number(counter) || 0,
+    transports: Array.isArray(response.transports) ? response.transports : undefined,
+    deviceType: credentialDeviceType,
+    backedUp: !!credentialBackedUp,
+    createdAt: new Date().toISOString(),
+    lastUsedAt: null,
+    name: body?.name ? String(body.name).slice(0, 80) : 'Passkey'
+  })
+
+  users[idx] = u
+  await writeUsers(users)
+
+  await writeAuditLog('auth.passkey.registered', { userId: user.id })
+  return { success: true, message: 'Passkey hinzugefügt.' }
+})
+
+

server/api/auth/passkeys/registration-options.post.js

@@ -0,0 +1,51 @@
+import { generateRegistrationOptions } from '@simplewebauthn/server'
+import { getUserFromToken, hasAnyRole } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { setRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  // Mindestens für Admin/Vorstand anbieten (und auch für Mitglieder ok)
+  if (!hasAnyRole(user, 'admin', 'vorstand', 'mitglied', 'newsletter')) {
+    throw createError({ statusCode: 403, statusMessage: 'Keine Berechtigung' })
+  }
+
+  const { rpId, rpName } = getWebAuthnConfig()
+
+  const existing = Array.isArray(user.passkeys) ? user.passkeys : []
+  const excludeCredentials = existing
+    .filter(pk => pk && pk.credentialId)
+    .map(pk => ({
+      id: pk.credentialId,
+      type: 'public-key',
+      transports: pk.transports || undefined
+    }))
+
+  const options = await generateRegistrationOptions({
+    rpName,
+    rpID: rpId,
+    userID: String(user.id),
+    userName: user.email,
+    // Keine Attestation-Daten speichern
+    attestationType: 'none',
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred'
+    },
+    excludeCredentials
+  })
+
+  setRegistrationChallenge(user.id, options.challenge)
+  await writeAuditLog('auth.passkey.registration.options', { userId: user.id })
+
+  return { success: true, options }
+})
+
+

server/api/auth/passkeys/remove.post.js

@@ -0,0 +1,39 @@
+import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const currentUser = token ? await getUserFromToken(token) : null
+
+  if (!currentUser) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const body = await readBody(event)
+  const credentialId = String(body?.credentialId || '')
+  if (!credentialId) {
+    throw createError({ statusCode: 400, statusMessage: 'credentialId fehlt' })
+  }
+
+  const users = await readUsers()
+  const idx = users.findIndex(u => u.id === currentUser.id)
+  if (idx === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Benutzer nicht gefunden' })
+  }
+
+  const user = users[idx]
+  const before = Array.isArray(user.passkeys) ? user.passkeys.length : 0
+  user.passkeys = (Array.isArray(user.passkeys) ? user.passkeys : []).filter(pk => pk.credentialId !== credentialId)
+  const after = user.passkeys.length
+  users[idx] = user
+  await writeUsers(users)
+
+  await writeAuditLog('auth.passkey.removed', { userId: currentUser.id })
+
+  return {
+    success: true,
+    removed: before !== after
+  }
+})
+
+

server/api/auth/register.post.js

@@ -1,5 +1,6 @@
 import { readUsers, writeUsers, hashPassword } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
+import { assertPasswordNotPwned } from '../../utils/hibp.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -21,6 +22,9 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Optional: Passwort gegen HIBP (k-Anonymity) prüfen
+    await assertPasswordNotPwned(password)
+
     // Check if user already exists
     const users = await readUsers()
     const existingUser = users.find(u => u.email.toLowerCase() === email.toLowerCase())

server/api/auth/reset-password.post.js

@@ -1,6 +1,8 @@
 import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
 import nodemailer from 'nodemailer'
 import crypto from 'crypto'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -14,12 +16,34 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+
+    // Rate Limiting (IP + Account)
+    assertRateLimit(event, {
+      name: 'auth:reset:ip',
+      keyParts: [ip],
+      windowMs: 60 * 60 * 1000,
+      maxAttempts: 20,
+      lockoutMs: 30 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'auth:reset:account',
+      keyParts: [emailKey],
+      windowMs: 60 * 60 * 1000,
+      maxAttempts: 5,
+      lockoutMs: 60 * 60 * 1000
+    })
+
     // Find user
     const users = await readUsers()
     const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
 
     // Always return success (security: don't reveal if email exists)
     if (!user) {
+      await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: false })
       return {
         success: true,
         message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
@@ -36,6 +60,9 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
     await writeUsers(updatedUsers)
 
+    registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
+    await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: true, userId: user.id })
+
     // Send email with temporary password
     const smtpUser = process.env.SMTP_USER
     const smtpPass = process.env.SMTP_PASS