import { readUsers, writeUsers, hashPassword } from '../../utils/auth.js'
import { sendRegistrationNotification } from '../../utils/email-service.js'
import { assertPasswordNotPwned } from '../../utils/hibp.js'
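/**
 * POST /api/auth/register — creates a new, not-yet-approved member account.
 *
 * Expects a JSON body with `name`, `email`, `password` and `geburtsdatum`
 * (all required) plus optional `phone` and `visibility.showBirthday`.
 * The user is stored with `active: false` and `role: 'mitglied'`; an admin
 * has to approve the account before it can be used. After a successful write
 * the central email service is asked to notify the Vorstand/admin; a failure
 * there is logged but does not fail the registration.
 *
 * @throws 400 when a required field is missing or not a non-empty string,
 *   when `phone` is present but not a string, or when the password is
 *   shorter than 8 characters
 * @throws 409 when a user with the same (case-insensitive) email exists
 * @throws whatever `assertPasswordNotPwned` throws for a rejected password
 */
export default defineEventHandler(async (event) => {
  try {
    // readBody may yield null/undefined for an empty body; destructuring
    // `{}` instead turns that into a clean 400 below rather than a TypeError.
    const body = await readBody(event)
    const { name, email, phone, password, geburtsdatum, visibility } = body ?? {}

    // The body is untrusted: every required field must be a non-empty string.
    // Without the type check a non-string value (number, array, object) would
    // slip past the `.length` guard below and/or crash on `email.toLowerCase()`
    // with a 500 instead of a validation error.
    const required = [name, email, password, geburtsdatum]
    const hasInvalidRequired = required.some(
      (value) => typeof value !== 'string' || value.length === 0
    )
    if (hasInvalidRequired) {
      throw createError({
        statusCode: 400,
        message: 'Name, E-Mail, Geburtsdatum und Passwort sind erforderlich'
      })
    }
    if (phone != null && typeof phone !== 'string') {
      throw createError({
        statusCode: 400,
        message: 'Ungültige Telefonnummer'
      })
    }
    // Validate password length
    if (password.length < 8) {
      throw createError({
        statusCode: 400,
        message: 'Das Passwort muss mindestens 8 Zeichen lang sein'
      })
    }
    // Optional: check the password against HIBP (k-anonymity). Whether an
    // unreachable HIBP service throws here or is treated as best-effort is
    // decided inside assertPasswordNotPwned — confirm before relying on it.
    await assertPasswordNotPwned(password)

    // Normalise once so the duplicate check and the stored record agree.
    const normalizedEmail = email.trim().toLowerCase()

    // Check if user already exists. Guard `u.email` so a malformed stored
    // record cannot turn every registration into a 500.
    // NOTE(review): read → push → write is not atomic; two concurrent
    // registrations can race and one write may overwrite the other unless
    // readUsers/writeUsers serialise access — verify in utils/auth.js.
    const users = await readUsers()
    const existingUser = users.find(
      (u) => typeof u.email === 'string' && u.email.toLowerCase() === normalizedEmail
    )
    if (existingUser) {
      throw createError({
        statusCode: 409,
        message: 'Ein Benutzer mit dieser E-Mail-Adresse existiert bereits'
      })
    }

    // Hash password (never store the plaintext)
    const hashedPassword = await hashPassword(password)

    // Create new user (inactive until approved)
    // NOTE(review): Date.now() as an id can collide for registrations within
    // the same millisecond; if ids are not compared numerically elsewhere,
    // crypto.randomUUID() would be the safer choice.
    const newUser = {
      id: Date.now().toString(),
      email: normalizedEmail,
      password: hashedPassword,
      name: name.trim(),
      phone: phone ?? '',
      geburtsdatum,
      visibility: {
        // Default to showing the birthday unless the client explicitly set it.
        showBirthday: visibility?.showBirthday !== undefined ? Boolean(visibility.showBirthday) : true
      },
      role: 'mitglied',
      active: false, // Requires admin approval
      created: new Date().toISOString(),
      lastLogin: null
    }
    users.push(newUser)
    await writeUsers(users)

    // Send notification to Vorstand/admin via central email service.
    // A failed notification must not undo an already persisted registration,
    // so it is logged and swallowed deliberately.
    try {
      await sendRegistrationNotification({ name, email, phone })
    } catch (emailError) {
      console.error('Registrierungs-Benachrichtigung fehlgeschlagen:', emailError)
    }

    return {
      success: true,
      message: 'Registrierung erfolgreich. Sie erhalten eine E-Mail, sobald Ihr Zugang freigeschaltet wurde.'
    }
  } catch (error) {
    // Log (the error object carries no password material) and let the
    // framework turn createError() results into their HTTP status.
    console.error('Registrierungs-Fehler:', error)
    throw error
  }
})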