Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

server/api/auth/login.post.js

@@ -1,4 +1,7 @@
 import { readUsers, writeUsers, verifyPassword, generateToken, createSession, migrateUserRoles } from '../../utils/auth.js'
+import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
+import { getAuthCookieOptions } from '../../utils/cookies.js'
+import { writeAuditLog } from '../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -12,11 +15,33 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const ip = getClientIp(event)
+    const emailKey = String(email || '').trim().toLowerCase()
+
+    // Rate Limiting (IP + Account)
+    assertRateLimit(event, {
+      name: 'auth:login:ip',
+      keyParts: [ip],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 30,
+      lockoutMs: 15 * 60 * 1000
+    })
+    assertRateLimit(event, {
+      name: 'auth:login:account',
+      keyParts: [emailKey],
+      windowMs: 10 * 60 * 1000,
+      maxAttempts: 10,
+      lockoutMs: 30 * 60 * 1000
+    })
+
     // Find user
     const users = await readUsers()
     const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
 
     if (!user) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, reason: 'user_not_found' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
@@ -34,18 +59,27 @@ export default defineEventHandler(async (event) => {
     // Verify password
     const isValid = await verifyPassword(password, user.password)
     if (!isValid) {
+      await registerRateLimitFailure(event, { name: 'auth:login:ip', keyParts: [ip] })
+      await registerRateLimitFailure(event, { name: 'auth:login:account', keyParts: [emailKey] })
+      await writeAuditLog('auth.login.failed', { ip, email: emailKey, userId: user.id, reason: 'bad_password' })
       throw createError({
         statusCode: 401,
         message: 'Ungültige Anmeldedaten'
       })
     }
 
+    // Erfolg: Limiter zurücksetzen
+    registerRateLimitSuccess(event, { name: 'auth:login:ip', keyParts: [ip] })
+    registerRateLimitSuccess(event, { name: 'auth:login:account', keyParts: [emailKey] })
+
     // Generate token
     const token = generateToken(user)
 
     // Create session
     await createSession(user.id, token)
 
+    await writeAuditLog('auth.login.success', { ip, email: emailKey, userId: user.id })
+
     // Update last login
     user.lastLogin = new Date().toISOString()
     const updatedUsers = users.map(u => u.id === user.id ? user : u)
@@ -53,10 +87,7 @@ export default defineEventHandler(async (event) => {
 
     // Set cookie
     setCookie(event, 'auth_token', token, {
-      httpOnly: true,
-      secure: false, // Auch in Production false, da wir HTTPS über Apache terminieren
-      sameSite: 'lax',
-      maxAge: 60 * 60 * 24 * 7 // 7 days
+      ...getAuthCookieOptions()
     })
 
     // Migriere Rollen falls nötig