From 36e5b05e399252e905db661e05efebaed32fae45 Mon Sep 17 00:00:00 2001 From: "Torsten Schulz (local)" Date: Wed, 24 Sep 2025 09:18:08 +0200 Subject: [PATCH] =?UTF-8?q?Entferne=20Debug-Logging=20aus=20der=20SMTP-Kon?= =?UTF-8?q?figuration=20und=20sch=C3=BCtze=20sensible=20Benutzerdaten=20in?= =?UTF-8?q?=20den=20Benutzer-Controller-Methoden.=20F=C3=BCge=20sichere=20?= =?UTF-8?q?R=C3=BCckgaben=20ohne=20Passw=C3=B6rter=20hinzu=20und=20verbess?= =?UTF-8?q?ere=20die=20Fehlerprotokollierung=20f=C3=BCr=20Benutzeroperatio?= =?UTF-8?q?nen.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config/email.js | 13 --------- controllers/userController.js | 54 +++++++++++++++++++++++++++++++---- 2 files changed, 49 insertions(+), 18 deletions(-) diff --git a/config/email.js b/config/email.js index 1feb88e..bc5b4c4 100644 --- a/config/email.js +++ b/config/email.js @@ -12,19 +12,6 @@ const smtpConfig = { }; // Debug-Logging der SMTP-Konfiguration -console.log('=== SMTP CONFIGURATION DEBUG ==='); -console.log('Host:', smtpConfig.host); -console.log('Port:', smtpConfig.port); -console.log('Secure:', smtpConfig.secure); -console.log('User:', smtpConfig.auth.user); -console.log('Pass:', smtpConfig.auth.pass.replace(/./g, '*')); // Passwort maskieren -console.log('Environment Variables:'); -console.log(' SMTP_HOST:', process.env.SMTP_HOST || 'undefined'); -console.log(' SMTP_PORT:', process.env.SMTP_PORT || 'undefined'); -console.log(' SMTP_USER:', process.env.SMTP_USER || 'undefined'); -console.log(' SMTP_PASS:', process.env.SMTP_PASS ? '***' : 'undefined'); -console.log('================================'); - const transporter = nodemailer.createTransport(smtpConfig); // E-Mail-Template für Passwort-Reset diff --git a/controllers/userController.js b/controllers/userController.js index 8417681..43f56d2 100644 --- a/controllers/userController.js +++ b/controllers/userController.js 
@@ -2,22 +2,29 @@ const { User } = require('../models'); exports.getAllUsers = async (req, res) => { try { - const users = await User.findAll({order: [['name', 'ASC']]}); + const users = await User.findAll({ + order: [['name', 'ASC']], + attributes: ['id', 'name', 'email', 'active', 'created_at'] // Passwort ausschließen + }); res.status(200).json(users); } catch (error) { + console.error('Error fetching users:', error); res.status(500).json({ message: 'Error fetching users' }); } }; exports.getUserById = async (req, res) => { try { - const user = await User.findByPk(req.params.id); + const user = await User.findByPk(req.params.id, { + attributes: ['id', 'name', 'email', 'active', 'created_at'] // Passwort ausschließen + }); if (user) { res.status(200).json(user); } else { res.status(404).json({ message: 'User not found' }); } } catch (error) { + console.error('Error fetching user:', error); res.status(500).json({ message: 'Error fetching user' }); } }; @@ -25,8 +32,19 @@ exports.getUserById = async (req, res) => { exports.createUser = async (req, res) => { try { const user = await User.create(req.body); - res.status(201).json(user); + + // Sichere User-Daten zurückgeben (ohne Passwort) + const safeUser = { + id: user.id, + name: user.name, + email: user.email, + active: user.active, + created_at: user.created_at + }; + + res.status(201).json(safeUser); } catch (error) { + console.error('Error creating user:', error); res.status(500).json({ message: 'Error creating user' }); } }; 
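Review bot: The allow-list `['id', 'name', 'email', 'active', 'created_at']` is spelled out twice in this hunk (getAllUsers and getUserById) and the same field set reappears as the `safeUser` literal in the createUser and updateUser hunks, so a later column change has four places to drift apart; a single module-level `const PUBLIC_USER_ATTRIBUTES = ['id', 'name', 'email', 'active', 'created_at'];` passed as `attributes: PUBLIC_USER_ATTRIBUTES` keeps the response shape in one place. The added `console.error('Error fetching users:', error)` lines (also in the createUser, updateUser and deleteUser hunks) print the whole error object; a Sequelize error can carry the generated SQL and bound values, so logging `error.message` plus the stack is the safer default unless the logging setup, which is not visible here, already redacts it.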
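Review bot: `User.create(req.body)` in createUser still hands the raw request body to the model, so a client can set `id`, `active` or `created_at` directly, while the updateUser hunk of this same commit strips exactly those fields; restricting the writable columns with Sequelize's `fields` option, `const user = await User.create(req.body, { fields: ['name', 'email', 'password', 'active'] });`, gives both routes the same policy. Whether `password` belongs in that list depends on how the model stores it (a hashing hook is not visible here) and should be confirmed. The `safeUser` literal is the response-shaping code that updateUser also contains verbatim; a shared `toPublicUser(user)` helper would avoid the copy.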
@@ -35,12 +53,37 @@ exports.updateUser = async (req, res) => { try { const user = await User.findByPk(req.params.id); if (user) { - await user.update(req.body); - res.status(200).json(user); + // Erstelle eine Kopie der Request-Daten ohne sensible Felder + const updateData = { ...req.body }; + + // Entferne sensible Felder, die niemals über diese Route geändert werden dürfen + delete updateData.password; + delete updateData.id; + delete updateData.created_at; + + // Setze updated_at auf aktuelle Zeit + updateData.updated_at = new Date(); + + // Logging für Debugging + console.log('Updating user:', req.params.id, 'with data:', updateData); + + await user.update(updateData); + + // Sichere User-Daten zurückgeben (ohne Passwort) + const safeUser = { + id: user.id, + name: user.name, + email: user.email, + active: user.active, + created_at: user.created_at + }; + + res.status(200).json(safeUser); } else { res.status(404).json({ message: 'User not found' }); } } catch (error) { + console.error('Error updating user:', error); res.status(500).json({ message: 'Error updating user' }); } }; @@ -55,6 +98,7 @@ exports.deleteUser = async (req, res) => { res.status(404).json({ message: 'User not found' }); } } catch (error) { + console.error('Error deleting user:', error); res.status(500).json({ message: 'Error deleting user' }); } };
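Review bot: `console.log('Updating user:', req.params.id, 'with data:', updateData)` writes the whole update payload, including the email and every other submitted field, to stdout on each call, which is the same class of debug logging this commit removes from config/email.js; drop the line or log only the key names, `console.log('Updating user:', req.params.id, 'fields:', Object.keys(updateData));`. The three `delete` statements form a blocklist, so any column the model has that is not named here remains writable from the body; an allow-list on the update call, `await user.update(updateData, { fields: ['name', 'email', 'active', 'updated_at'] });`, closes that gap and mirrors the `attributes` allow-list the read routes now use. Setting `updated_at` by hand is redundant if the model has Sequelize timestamps enabled; that is not visible in the hunk, so confirm before keeping it.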