knso/Webklar-Kundenbereich
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix 4

Browse Source
This commit is contained in:
KNSO
2026-05-23 01:18:44 +02:00
parent 3f2572ca59
commit 3840ecf494
8 changed files with 344 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
server/index.js
View File

@@ -2,6 +2,7 @@ import express from 'express'
import path from 'node:path'
import { fileURLToPath } from 'node:url'
import { config, assertServerConfig, WOMS_DATABASE_ID } from './config.js'
import { verifyDatabaseAccess } from './services/appwriteAdmin.js'
import { sessionMiddleware } from './middleware/session.js'
import authRoutes from './routes/auth.js'
import projectsRoutes from './routes/projects.js'
@@ -22,12 +23,14 @@ app.use('/api/projects', projectsRoutes)
app.use('/api/features', featuresRoutes)
app.use('/webhook', giteaWebhookRoutes)
app.get('/api/health', (_req, res) => {
app.get('/api/health', async (_req, res) => {
const dbAccess = await verifyDatabaseAccess()
res.json({
ok: true,
ok: dbAccess.ok,
service: 'webklar-kundenbereich',
databaseId: WOMS_DATABASE_ID,
endpoint: config.appwrite.endpoint,
appwriteDbAccess: dbAccess,
})
})
@@ -47,6 +50,13 @@ app.get('/', (_req, res) => {
const server = app.listen(config.port, () => {
console.log(`Webklar Kundenbereich läuft auf Port ${config.port}`)
verifyDatabaseAccess().then((result) => {
if (result.ok) return
console.error(
'[startup] APPWRITE_API_KEY: Kein Lesezugriff auf woms-database. In Appwrite Console neuen API-Key mit Scopes databases.read + databases.write anlegen und in .env eintragen.'
)
if (result.reason) console.error(`[startup] Appwrite: ${result.reason}`)
})
})
server.on('error', (err) => {

41
server/routes/auth.js
View File

@@ -6,10 +6,9 @@ import {
getPortalAccessByCustomerId,
updateDocument,
} from '../services/appwriteAdmin.js'
import { loginWithAppwrite } from '../services/appwriteClient.js'
import { loginWithAppwrite, getLoginCooldownRemainingSec } from '../services/appwriteClient.js'
import {
clearPortalSession,
requireSession,
setPortalSession,
} from '../middleware/session.js'
@@ -65,6 +64,14 @@ async function validatePortalAccess(appwriteUserId, email) {
return { customer, portalAccess }
}
router.get('/login-status', (_req, res) => {
const retryAfterSeconds = getLoginCooldownRemainingSec()
res.json({
blocked: retryAfterSeconds > 0,
retryAfterSeconds,
})
})
router.post('/login', async (req, res) => {
const { email, password } = req.body || {}
if (!email || !password) {
@@ -93,6 +100,14 @@ router.post('/login', async (req, res) => {
return res.json({ success: true, customer: sanitizeCustomer(customer) })
} catch (err) {
const status = err.status || 500
if (status === 429) {
return res.status(429).json({
error:
err.message ||
'Zu viele Anmeldeversuche. Bitte warte einige Minuten, bevor du es erneut versuchst.',
retryAfterSeconds: getLoginCooldownRemainingSec(),
})
}
if (err?.message?.includes('not authorized')) {
return res.status(500).json({
error:
@@ -108,14 +123,28 @@ router.post('/logout', (_req, res) => {
res.json({ success: true })
})
router.get('/me', requireSession, async (req, res) => {
router.get('/me', async (req, res) => {
const raw = req.signedCookies?.[config.cookieName]
if (!raw) {
return res.json({ authenticated: false })
}
try {
const customer = await getCustomerByAppwriteUserId(req.session.appwriteUserId)
const session = JSON.parse(raw)
if (!session.customerId || !session.appwriteUserId) {
return res.json({ authenticated: false })
}
const customer = await getCustomerByAppwriteUserId(session.appwriteUserId)
if (!customer) {
clearPortalSession(res)
return res.status(403).json({ error: 'Kundenkonto nicht gefunden' })
return res.json({ authenticated: false })
}
return res.json({ customer: sanitizeCustomer(customer) })
return res.json({
authenticated: true,
customer: sanitizeCustomer(customer),
})
} catch (err) {
return res.status(500).json({ error: err.message || 'Fehler beim Laden' })
}

48
server/services/appwriteAdmin.js
View File

@@ -16,6 +16,15 @@ function adminHeaders() {
}
}
function formatRequestBody(body, method) {
if (!body || method === 'GET' || method === 'DELETE') return body
if (body.data !== undefined) return body
const { documentId, ...fields } = body
const payload = { data: fields }
if (documentId) payload.documentId = documentId
return payload
}
async function adminFetch(path, { method = 'GET', body, queries = [] } = {}) {
if (!config.appwrite.apiKey) {
const error = new Error('APPWRITE_API_KEY fehlt in .env')
@@ -28,10 +37,12 @@ async function adminFetch(path, { method = 'GET', body, queries = [] } = {}) {
url.searchParams.append('queries[]', q)
}
const requestBody = formatRequestBody(body, method)
const response = await fetch(url.toString(), {
method,
headers: adminHeaders(),
body: body ? JSON.stringify(body) : undefined,
body: requestBody ? JSON.stringify(requestBody) : undefined,
})
const text = await response.text()
@@ -48,6 +59,23 @@ async function adminFetch(path, { method = 'GET', body, queries = [] } = {}) {
const error = new Error(data?.message || `Appwrite ${response.status}`)
error.status = response.status >= 500 ? 500 : response.status
error.code = data?.code
error.type = data?.type
if (response.status === 401 && data?.type === 'user_unauthorized') {
// #region agent log
fetch('http://127.0.0.1:7281/ingest/30e8e71c-b377-4e72-84f9-593826c6d234', {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'X-Debug-Session-Id': '80bbfc' },
body: JSON.stringify({
sessionId: '80bbfc',
location: 'appwriteAdmin.js:adminFetch',
message: 'API key unauthorized',
data: { path, status: response.status, type: data?.type, code: data?.code },
hypothesisId: 'H9',
timestamp: Date.now(),
}),
}).catch(() => {})
// #endregion
}
throw error
}
@@ -142,6 +170,24 @@ export async function upsertWebsiteProjectByRepo(repoFullName, data) {
})
}
export async function verifyDatabaseAccess() {
if (!config.appwrite.apiKey) {
return { ok: false, reason: 'APPWRITE_API_KEY fehlt' }
}
try {
await listDocuments(config.collections.customers, [Query.limit(1)])
return { ok: true }
} catch (err) {
return {
ok: false,
reason: err.message,
code: err.code,
type: err.type,
status: err.status,
}
}
}
export function createAdminClient() {
return { usesNativeFetch: true, databaseId: WOMS_DATABASE_ID }
}

67
server/services/appwriteClient.js
View File

@@ -1,5 +1,4 @@
import { config } from '../config.js'
import { deleteUserSession, getUserById } from './appwriteAdmin.js'
const DEBUG_LOG = (location, message, data, hypothesisId) => {
// #region agent log
@@ -45,9 +44,14 @@ async function appwriteFetch(path, { method = 'GET', body } = {}) {
if (!response.ok) {
const error = new Error(data?.message || `Appwrite ${response.status}`)
error.status = response.status === 401 ? 401 : response.status >= 500 ? 500 : 401
error.status = response.status
error.code = data?.code
error.type = data?.type
if (response.status === 429 || data?.type === 'general_rate_limit_exceeded') {
error.message =
'Zu viele Anmeldeversuche. Bitte warte einige Minuten, bevor du es erneut versuchst.'
error.status = 429
}
throw error
}
@@ -55,10 +59,33 @@ async function appwriteFetch(path, { method = 'GET', body } = {}) {
}
/**
* Appwrite Auth per native fetch (Node 26 + node-appwrite-Agent ist inkompatibel).
* session.secret fehlt serverseitig oft userId aus Session + Users-API.
* Login via Appwrite Auth REST. userId kommt aus der Session kein users.read nötig.
*/
let appwriteLoginBlockedUntil = 0
const APPWRITE_LOGIN_COOLDOWN_MS = 5 * 60 * 1000
const APPWRITE_RATE_LIMIT_COOLDOWN_MS = 15 * 60 * 1000
export function getLoginCooldownRemainingSec() {
const left = appwriteLoginBlockedUntil - Date.now()
return left > 0 ? Math.ceil(left / 1000) : 0
}
export function clearLoginCooldown() {
appwriteLoginBlockedUntil = 0
}
export async function loginWithAppwrite(email, password) {
const now = Date.now()
if (now < appwriteLoginBlockedUntil) {
const waitSec = Math.ceil((appwriteLoginBlockedUntil - now) / 1000)
DEBUG_LOG('appwriteClient.js:cooldown', 'login blocked locally', { waitSec }, 'H8')
const error = new Error(
`Zu viele Anmeldeversuche. Bitte warte noch ${waitSec} Sekunden.`
)
error.status = 429
throw error
}
let session
try {
session = await appwriteFetch('/account/sessions/email', {
@@ -74,6 +101,9 @@ export async function loginWithAppwrite(email, password) {
message: err?.message?.slice(0, 120),
code: err?.code,
}, 'H1')
if (err.status === 429) {
appwriteLoginBlockedUntil = Date.now() + APPWRITE_RATE_LIMIT_COOLDOWN_MS
}
const error = new Error(err.message || 'Anmeldung fehlgeschlagen')
error.status = err.status || 401
throw error
@@ -85,32 +115,9 @@ export async function loginWithAppwrite(email, password) {
throw error
}
let user
try {
user = await getUserById(session.userId)
DEBUG_LOG('appwriteClient.js:getUser', 'users.get ok', { userId: user?.$id || null }, 'H6')
} catch (err) {
DEBUG_LOG('appwriteClient.js:getUser', 'users.get fail', {
message: err?.message?.slice(0, 120),
code: err?.code,
}, 'H7')
if (err?.message?.includes('not authorized')) {
const error = new Error(
'Server-API-Key: Scope users.read erforderlich (Appwrite Console).'
)
error.status = 500
throw error
}
user = { $id: session.userId, email, name: '' }
}
if (session.$id) {
try {
await deleteUserSession(session.userId, session.$id)
} catch {
// Portal nutzt eigene Cookie-Session
}
}
const user = { $id: session.userId, email, name: '' }
DEBUG_LOG('appwriteClient.js:user', 'using session userId', { userId: user.$id }, 'H7')
clearLoginCooldown()
return user
}