Fix Login: Appwrite-Session ohne secret auf dem Server

session.secret wird ohne API-Key nicht zurückgegeben. Login nutzt
daher session.userId und die Admin Users API statt account.get().

Co-authored-by: Cursor <cursoragent@cursor.com>

server/services/appwriteAdmin.js

@@ -1,4 +1,4 @@
-import { Client, Account, Databases, ID, Query } from 'node-appwrite'
+import { Client, Account, Databases, ID, Query, Users } from 'node-appwrite'
 import { config } from '../config.js'
 
 export function createAdminClient() {
@@ -10,6 +10,7 @@ export function createAdminClient() {
   return {
     client,
     databases: new Databases(client),
+    users: new Users(client),
   }
 }
 

server/services/appwriteClient.js

@@ -1,70 +1,44 @@
-import { createUserClient } from './appwriteAdmin.js'
-
-const DEBUG_LOG = (location, message, data, hypothesisId) => {
-  // #region agent log
-  fetch('http://127.0.0.1:7281/ingest/30e8e71c-b377-4e72-84f9-593826c6d234', {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'X-Debug-Session-Id': '80bbfc' },
-    body: JSON.stringify({
-      sessionId: '80bbfc',
-      location,
-      message,
-      data,
-      hypothesisId,
-      timestamp: Date.now(),
-    }),
-  }).catch(() => {})
-  // #endregion
-}
+import { createUserClient, createAdminClient } from './appwriteAdmin.js'
 
+/**
+ * Appwrite liefert session.secret nur bei Requests mit API-Key.
+ * Server-seitiger E-Mail-Login nutzt daher userId aus der Session + Admin Users API.
+ */
 export async function loginWithAppwrite(email, password) {
-  const { client, account } = createUserClient()
+  const { account } = createUserClient()
 
   let session
   try {
     session = await account.createEmailPasswordSession(email, password)
-    DEBUG_LOG('appwriteClient.js:session', 'createEmailPasswordSession ok', {
-      hasSecret: Boolean(session?.secret),
-      sessionId: session?.$id || null,
-    }, 'H1')
   } catch (err) {
-    DEBUG_LOG('appwriteClient.js:session', 'createEmailPasswordSession fail', {
-      code: err?.code,
-      type: err?.type,
-      message: err?.message?.slice(0, 120),
-    }, 'H1')
     const message = err?.message || 'Anmeldung fehlgeschlagen'
     const error = new Error(message)
     error.status = 401
     throw error
   }
 
-  if (session?.secret) {
-    client.setSession(session.secret)
-    DEBUG_LOG('appwriteClient.js:setSession', 'setSession applied', { hasSessionHeader: true }, 'H2')
-  } else {
-    DEBUG_LOG('appwriteClient.js:setSession', 'no session.secret', {}, 'H2')
+  const userId = session?.userId
+  if (!userId) {
+    const error = new Error('Appwrite-Session ohne Benutzer-ID')
+    error.status = 500
+    throw error
   }
 
+  const { users } = createAdminClient()
   let user
   try {
-    user = await account.get()
-    DEBUG_LOG('appwriteClient.js:get', 'account.get ok', { userId: user?.$id || null }, 'H2')
+    user = await users.get(userId)
   } catch (err) {
-    DEBUG_LOG('appwriteClient.js:get', 'account.get fail', {
-      code: err?.code,
-      message: err?.message?.slice(0, 120),
-    }, 'H2')
-    const message = err?.message || 'Anmeldung fehlgeschlagen'
+    const message = err?.message || 'Benutzer konnte nicht geladen werden'
     const error = new Error(message)
-    error.status = err?.message?.includes('scopes') ? 401 : 500
+    error.status = 500
     throw error
   }
 
   try {
-    await account.deleteSession('current')
+    await users.deleteSession(userId, session.$id)
   } catch {
-    // Portal nutzt eigene Session; Appwrite-Session wird nicht persistiert
+    // Portal nutzt eigene Cookie-Session; Appwrite-Session wird nicht persistiert
   }
 
   return user