fix 4

server/services/appwriteClient.js

@@ -1,5 +1,4 @@
 import { config } from '../config.js'
-import { deleteUserSession, getUserById } from './appwriteAdmin.js'
 
 const DEBUG_LOG = (location, message, data, hypothesisId) => {
   // #region agent log
@@ -45,9 +44,14 @@ async function appwriteFetch(path, { method = 'GET', body } = {}) {
 
   if (!response.ok) {
     const error = new Error(data?.message || `Appwrite ${response.status}`)
-    error.status = response.status === 401 ? 401 : response.status >= 500 ? 500 : 401
+    error.status = response.status
     error.code = data?.code
     error.type = data?.type
+    if (response.status === 429 || data?.type === 'general_rate_limit_exceeded') {
+      error.message =
+        'Zu viele Anmeldeversuche. Bitte warte einige Minuten, bevor du es erneut versuchst.'
+      error.status = 429
+    }
     throw error
   }
 
@@ -55,10 +59,33 @@ async function appwriteFetch(path, { method = 'GET', body } = {}) {
 }
 
 /**
- * Appwrite Auth per native fetch (Node 26 + node-appwrite-Agent ist inkompatibel).
- * session.secret fehlt serverseitig oft – userId aus Session + Users-API.
+ * Login via Appwrite Auth REST. userId kommt aus der Session – kein users.read nötig.
  */
+let appwriteLoginBlockedUntil = 0
+const APPWRITE_LOGIN_COOLDOWN_MS = 5 * 60 * 1000
+const APPWRITE_RATE_LIMIT_COOLDOWN_MS = 15 * 60 * 1000
+
+export function getLoginCooldownRemainingSec() {
+  const left = appwriteLoginBlockedUntil - Date.now()
+  return left > 0 ? Math.ceil(left / 1000) : 0
+}
+
+export function clearLoginCooldown() {
+  appwriteLoginBlockedUntil = 0
+}
+
 export async function loginWithAppwrite(email, password) {
+  const now = Date.now()
+  if (now < appwriteLoginBlockedUntil) {
+    const waitSec = Math.ceil((appwriteLoginBlockedUntil - now) / 1000)
+    DEBUG_LOG('appwriteClient.js:cooldown', 'login blocked locally', { waitSec }, 'H8')
+    const error = new Error(
+      `Zu viele Anmeldeversuche. Bitte warte noch ${waitSec} Sekunden.`
+    )
+    error.status = 429
+    throw error
+  }
+
   let session
   try {
     session = await appwriteFetch('/account/sessions/email', {
@@ -74,6 +101,9 @@ export async function loginWithAppwrite(email, password) {
       message: err?.message?.slice(0, 120),
       code: err?.code,
     }, 'H1')
+    if (err.status === 429) {
+      appwriteLoginBlockedUntil = Date.now() + APPWRITE_RATE_LIMIT_COOLDOWN_MS
+    }
     const error = new Error(err.message || 'Anmeldung fehlgeschlagen')
     error.status = err.status || 401
     throw error
@@ -85,32 +115,9 @@ export async function loginWithAppwrite(email, password) {
     throw error
   }
 
-  let user
-  try {
-    user = await getUserById(session.userId)
-    DEBUG_LOG('appwriteClient.js:getUser', 'users.get ok', { userId: user?.$id || null }, 'H6')
-  } catch (err) {
-    DEBUG_LOG('appwriteClient.js:getUser', 'users.get fail', {
-      message: err?.message?.slice(0, 120),
-      code: err?.code,
-    }, 'H7')
-    if (err?.message?.includes('not authorized')) {
-      const error = new Error(
-        'Server-API-Key: Scope users.read erforderlich (Appwrite Console).'
-      )
-      error.status = 500
-      throw error
-    }
-    user = { $id: session.userId, email, name: '' }
-  }
-
-  if (session.$id) {
-    try {
-      await deleteUserSession(session.userId, session.$id)
-    } catch {
-      // Portal nutzt eigene Cookie-Session
-    }
-  }
+  const user = { $id: session.userId, email, name: '' }
+  DEBUG_LOG('appwriteClient.js:user', 'using session userId', { userId: user.$id }, 'H7')
 
+  clearLoginCooldown()
   return user
 }