Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

server/api/cms/satzung-upload.post.js

@@ -4,6 +4,7 @@ import path from 'path'
 import { exec } from 'child_process'
 import { promisify } from 'util'
 import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { assertPdfMagicHeader } from '../../utils/upload-validation.js'
 
 const execAsync = promisify(exec)
 
@@ -74,6 +75,8 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
+    await fs.mkdir(path.join(process.cwd(), 'public', 'documents'), { recursive: true })
+
     // Multer-Middleware für File-Upload
     await new Promise((resolve, reject) => {
       upload.single('pdf')(event.node.req, event.node.res, (err) => {
@@ -90,6 +93,9 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Zusätzliche Validierung: Magic-Bytes prüfen (mimetype kann gespooft sein)
+    await assertPdfMagicHeader(file.path)
+
     // PDF-Text extrahieren mit pdftotext (falls verfügbar) oder Fallback
     let extractedText = ''
     

server/api/cms/upload-spielplan-pdf.post.js

@@ -2,6 +2,7 @@ import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
 import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { assertPdfMagicHeader } from '../../utils/upload-validation.js'
 
 // Multer-Konfiguration für PDF-Uploads
 const storage = multer.diskStorage({
@@ -10,8 +11,10 @@ const storage = multer.diskStorage({
     cb(null, uploadPath)
   },
   filename: (req, file, cb) => {
-    const type = req.body.type
-    const filename = `spielplan_${type}.pdf`
+    // WICHTIG: Validieren, bevor der Dateiname gebaut wird (sonst Pfad-/Filename-Injection möglich)
+    const type = String(req.body?.type || '').trim()
+    const safeType = ['gesamt', 'erwachsene', 'nachwuchs'].includes(type) ? type : 'invalid'
+    const filename = `spielplan_${safeType}.pdf`
     cb(null, filename)
   }
 })
@@ -85,6 +88,8 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    await assertPdfMagicHeader(file.path)
+
     if (!type || !['gesamt', 'erwachsene', 'nachwuchs'].includes(type)) {
       // Lösche die hochgeladene Datei
       await fs.unlink(file.path)

server/api/cms/users/approve.post.js

@@ -1,5 +1,6 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
 import nodemailer from 'nodemailer'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -41,6 +42,12 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.approved', {
+      actorUserId: currentUser.id,
+      targetUserId: userId,
+      roles: user.roles
+    })
+
     // Send approval email
     try {
       const smtpUser = process.env.SMTP_USER

server/api/cms/users/deactivate.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -36,6 +37,11 @@ export default defineEventHandler(async (event) => {
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.deactivated', {
+      actorUserId: currentUser.id,
+      targetUserId: userId
+    })
+
     return {
       success: true,
       message: 'Benutzer wurde deaktiviert'

server/api/cms/users/reject.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -20,6 +21,11 @@ export default defineEventHandler(async (event) => {
     
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.rejected', {
+      actorUserId: currentUser.id,
+      targetUserId: userId
+    })
+
     return {
       success: true,
       message: 'Registrierung wurde abgelehnt und gelöscht'

server/api/cms/users/update-role.post.js

@@ -1,4 +1,5 @@
 import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -39,10 +40,18 @@ export default defineEventHandler(async (event) => {
     migrateUserRoles(user)
     
     // Setze Rollen
+    const oldRoles = Array.isArray(user.roles) ? [...user.roles] : []
     user.roles = rolesArray
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 
+    await writeAuditLog('cms.user.roles.updated', {
+      actorUserId: currentUser.id,
+      targetUserId: userId,
+      oldRoles,
+      newRoles: rolesArray
+    })
+
     return {
       success: true,
       message: 'Rolle wurde aktualisiert'