fix(update-backend): adjust file permissions and handle environment variables safely

- Updated the permission settings for the environment file to 640, ensuring it is readable only by the owner and the deploy group.
- Modified the sequelize configuration to safely handle missing environment variables, converting them to strings or setting them to undefined to prevent runtime errors.
[force-deploy]

backend/config/sequelize-cli.cjs

@@ -14,10 +14,11 @@ if (process.env.DB_SSL === '1' || process.env.PGSSLMODE === 'require') {
     : true;
 }
 
+// pg/SCRAM: password muss ein String sein; bei fehlender .env sonst undefined-Fallen vermeiden
 const shared = {
-  username: process.env.DB_USER,
+  username: process.env.DB_USER != null ? String(process.env.DB_USER) : undefined,
-  password: process.env.DB_PASS || '',
+  password: process.env.DB_PASS != null ? String(process.env.DB_PASS) : '',
-  database: process.env.DB_NAME,
+  database: process.env.DB_NAME != null ? String(process.env.DB_NAME) : undefined,
   host: process.env.DB_HOST || '127.0.0.1',
   port: Number.parseInt(process.env.DB_PORT || '5432', 10),
   dialect: 'postgres',

update-backend.sh

@@ -33,11 +33,14 @@ echo "Quelle: $SOURCE_ENV"
 echo "Ziel:   $TARGET_ENV"
 
 sudo -n ls -l "$SOURCE_ENV"
-sudo -n install -m 600 -o yourpart -g yourpart "$SOURCE_ENV" "$TARGET_ENV"
+# 640, Owner yourpart, Gruppe = Deploy-User: npm/db:migrate muss .env lesen (dotenv),
+# ohne die Datei weltlesbar zu machen.
+DEPLOY_GROUP="$(id -gn)"
+sudo -n install -m 640 -o yourpart -g "$DEPLOY_GROUP" "$SOURCE_ENV" "$TARGET_ENV"
 
 echo "Prüfe kopierte Datei..."
 ls -l "$TARGET_ENV"
-sudo -n head -n 1 "$TARGET_ENV" >/dev/null
+head -n 1 "$TARGET_ENV" >/dev/null
 
 echo "✓ .env-Datei wurde übernommen"