fix

design 2.0
2026-05-28 06:57:54 +02:00 · 2026-05-25 16:49:13 +02:00 · 2026-05-25 16:47:15 +02:00 · 2026-05-25 16:23:22 +02:00 · 2026-05-23 01:18:44 +02:00 · 2026-05-23 00:36:45 +02:00
13 changed files with 1041 additions and 98 deletions
--- a/.env.example
+++ b/.env.example
@@ -6,6 +6,7 @@ APPWRITE_ENDPOINT=https://ticket.webklar.com/v1
 APPWRITE_PROJECT_ID=6a1058610003c5a13a05
 # Fest: nur woms-database (Ticketsystem). Wird bei abweichendem Wert ignoriert.
 # APPWRITE_DATABASE_ID=woms-database
+# API-Key Scopes (Appwrite 1.8): databases.read/write, collections.read/write, documents.read/write
 APPWRITE_API_KEY=

 APPWRITE_COLLECTION_CUSTOMERS=customers
--- a/package.json
+++ b/package.json
@@ -6,7 +6,9 @@
  "main": "server/index.js",
  "scripts": {
    "start": "node server/index.js",
-    "dev": "node --watch server/index.js"
+    "dev": "node --watch server/index.js",
+    "setup:check": "node scripts/portal-setup.mjs --check",
+    "setup:link": "node scripts/portal-setup.mjs --link"
  },
  "engines": {
    "node": ">=18"
--- a/public/app.js
+++ b/public/app.js
@@ -6,7 +6,14 @@ async function api(path, options = {}) {
  })
  const data = await response.json().catch(() => ({}))
  if (!response.ok) {
-    throw new Error(data.error || `Fehler ${response.status}`)
+    const fallback =
+      response.status === 502
+        ? 'Server nicht erreichbar (502). Bitte kurz warten und Seite neu laden – ggf. läuft ein Update auf project.webklar.com.'
+        : `Fehler ${response.status}`
+    const err = new Error(data.error || fallback)
+    err.status = response.status
+    if (data.retryAfterSeconds) err.retryAfterSeconds = data.retryAfterSeconds
+    throw err
  }
  return data
 }
@@ -64,9 +71,41 @@ async function initLoginPage() {
  const errorEl = document.getElementById('login-error')
  const btn = document.getElementById('login-btn')

+  async function applyCooldown(seconds) {
+    if (seconds <= 0) return
+    showError(
+      errorEl,
+      `Zu viele Anmeldeversuche. Bitte warte noch ${seconds} Sekunden (ca. ${Math.ceil(seconds / 60)} Min.).`
+    )
+    btn.disabled = true
+    const tick = setInterval(async () => {
+      const status = await fetch('/api/auth/login-status').then((r) => r.json()).catch(() => ({}))
+      const left = status.retryAfterSeconds || 0
+      if (left <= 0) {
+        clearInterval(tick)
+        hideError(errorEl)
+        btn.disabled = false
+        return
+      }
+      showError(
+        errorEl,
+        `Zu viele Anmeldeversuche. Bitte warte noch ${left} Sekunden (ca. ${Math.ceil(left / 60)} Min.).`
+      )
+    }, 1000)
+  }
+
+  try {
+    const status = await fetch('/api/auth/login-status').then((r) => r.json())
+    if (status.blocked) {
+      await applyCooldown(status.retryAfterSeconds)
+    }
+  } catch {
+    /* ignore */
+  }
+
  try {
    const me = await api('/api/auth/me')
-    if (me.customer) {
+    if (me.authenticated && me.customer) {
      window.location.href = '/dashboard.html'
      return
    }
@@ -76,8 +115,12 @@ async function initLoginPage() {

  form?.addEventListener('submit', async (e) => {
    e.preventDefault()
+    if (btn.disabled) return
    errorEl.classList.add('hidden')
    btn.disabled = true
+    btn.classList.add('is-loading')
+    btn.setAttribute('aria-busy', 'true')
+    let cooldownActive = false
    try {
      await api('/api/auth/login', {
        method: 'POST',
@@ -87,10 +130,17 @@ async function initLoginPage() {
        }),
      })
      window.location.href = '/dashboard.html'
+      return
    } catch (err) {
      showError(errorEl, err.message)
+      if (err.status === 429) {
+        cooldownActive = true
+        await applyCooldown(err.retryAfterSeconds || 900)
+      }
    } finally {
-      btn.disabled = false
+      btn.classList.remove('is-loading')
+      btn.removeAttribute('aria-busy')
+      if (!cooldownActive) btn.disabled = false
    }
  })
 }
@@ -109,12 +159,17 @@ async function initDashboardPage() {
  })

  try {
-    const [{ customer }, { projects }, { features }] = await Promise.all([
+    const [{ authenticated, customer }, { projects }, { features }] = await Promise.all([
      api('/api/auth/me'),
      api('/api/projects'),
      api('/api/features'),
    ])

+    if (!authenticated || !customer) {
+      window.location.href = '/login.html'
+      return
+    }
+
    meta.textContent = customer.name ? `${customer.name} (${customer.email})` : customer.email
    loading.classList.add('hidden')

@@ -130,7 +185,7 @@ async function initDashboardPage() {
    }
  } catch (err) {
    loading.classList.add('hidden')
-    if (err.message.includes('401') || err.message.includes('Nicht angemeldet')) {
+    if (err.status === 401 || err.message.includes('Nicht angemeldet')) {
      window.location.href = '/login.html'
      return
    }
--- a/public/dashboard.html
+++ b/public/dashboard.html
@@ -4,22 +4,31 @@
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Meine Projekte – Webklar Kundenbereich</title>
-  <link rel="stylesheet" href="/style.css">
+  <link rel="stylesheet" href="/login.css">
 </head>
-<body>
-  <header>
-    <h1>Meine Website-Projekte</h1>
-    <div>
-      <span class="meta" id="customer-meta"></span>
-      <button type="button" class="link-btn" id="logout-btn">Abmelden</button>
+<body class="portal-page dashboard-page">
+  <div class="dot-background" aria-hidden="true">
+    <div class="dot-pattern"></div>
+    <div class="dot-fade"></div>
+  </div>
+
+  <header class="portal-header">
+    <a class="portal-logo" href="/dashboard.html">Webklar</a>
+    <div class="portal-header-actions">
+      <span class="portal-meta" id="customer-meta"></span>
+      <button type="button" class="portal-btn-outline" id="logout-btn">Abmelden</button>
    </div>
  </header>
-  <main>
+
+  <main class="portal-main dashboard-content-reveal">
+    <h1 class="portal-title">Meine Website-Projekte</h1>
+
    <p id="load-error" class="error hidden"></p>
-    <p id="loading" class="muted">Projekte werden geladen…</p>
+    <p id="loading" class="muted portal-status">Projekte werden geladen…</p>
    <ul id="projects" class="projects hidden"></ul>
-    <p id="empty" class="card hidden">Noch keine Website-Projekte zugewiesen.</p>
+    <p id="empty" class="portal-card hidden portal-status">Noch keine Website-Projekte zugewiesen.</p>
  </main>
+
  <script src="/app.js"></script>
  <script>
    initDashboardPage();
--- a/public/login.css
+++ b/public/login.css
@@ -0,0 +1,597 @@
+/* Webklar Portal – gemeinsames Theme (Login + Dashboard) */
+
+.portal-page,
+.login-page {
+  --primary: #9d3dfe;
+  --error: #f9191d;
+  --ease-out: cubic-bezier(0.16, 1, 0.3, 1);
+  --input-size: 50px;
+  --input-gap: 10px;
+  --input-radius: 20px;
+  --glass: rgba(255, 255, 255, 0.25);
+  --glass-border: rgba(255, 255, 255, 0.12);
+  min-height: 100svh;
+  margin: 0;
+  background: #0a0a0a;
+  color: #fff;
+  font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+  overflow-x: hidden;
+  line-height: 1.5;
+}
+
+@media (min-width: 62em) {
+  .portal-page,
+  .login-page {
+    --input-size: 64px;
+    --input-gap: 5px;
+    --input-radius: 25px;
+  }
+}
+
+.portal-page:not(.dashboard-page):not(.login-page)::before {
+  content: '';
+  position: fixed;
+  inset: 0;
+  z-index: 0;
+  pointer-events: none;
+  background:
+    radial-gradient(circle at 50% 45%, rgba(157, 61, 254, 0.35) 0%, transparent 55%),
+    radial-gradient(ellipse 80% 50% at 50% 50%, #1a1030 0%, #0a0a0a 70%);
+}
+
+.portal-bg {
+  position: fixed;
+  inset: 0;
+  z-index: 0;
+  background: #0a0a0a;
+}
+
+/* Aceternity Dot Background (CSS-Port für Dashboard) */
+
+.dashboard-page {
+  background: #000;
+}
+
+.dashboard-page::before {
+  display: none;
+}
+
+.dot-background {
+  position: fixed;
+  inset: 0;
+  z-index: 0;
+  overflow: hidden;
+  background: #000;
+  pointer-events: none;
+}
+
+.dot-pattern {
+  position: absolute;
+  inset: 0;
+  background-size: 20px 20px;
+  background-image: radial-gradient(#404040 1px, transparent 1px);
+}
+
+.dot-fade {
+  position: absolute;
+  inset: 0;
+  pointer-events: none;
+  background: #000;
+  -webkit-mask-image: radial-gradient(ellipse at center, transparent 20%, #000);
+  mask-image: radial-gradient(ellipse at center, transparent 20%, #000);
+}
+
+.dashboard-content-reveal {
+  animation: login-reveal 0.8s cubic-bezier(0.16, 1, 0.3, 1) 0.15s both;
+}
+
+@media (prefers-reduced-motion: reduce) {
+  .dashboard-content-reveal {
+    animation: none;
+  }
+}
+
+/* Aceternity Aurora Background (CSS-Port für Vanilla HTML) */
+
+.login-page {
+  background: #09090b;
+}
+
+.aurora-background {
+  position: fixed;
+  inset: 0;
+  z-index: 0;
+  overflow: hidden;
+  background: #09090b;
+  pointer-events: none;
+}
+
+.aurora-beams {
+  position: absolute;
+  inset: -10px;
+  opacity: 0.55;
+  filter: blur(12px);
+  will-change: transform, background-position;
+  --blue-300: #93c5fd;
+  --blue-400: #60a5fa;
+  --blue-500: #3b82f6;
+  --indigo-300: #a5b4fc;
+  --violet-200: #ddd6fe;
+  --aurora: repeating-linear-gradient(
+    100deg,
+    var(--blue-500) 10%,
+    var(--indigo-300) 15%,
+    var(--blue-300) 20%,
+    var(--violet-200) 25%,
+    var(--blue-400) 30%
+  );
+  --dark-gradient: repeating-linear-gradient(
+    100deg,
+    #000 0%,
+    #000 7%,
+    transparent 10%,
+    transparent 12%,
+    #000 16%
+  );
+  background-image: var(--dark-gradient), var(--aurora);
+  background-size: 300% 200%, 300% 200%;
+  background-position: 50% 50%, 50% 50%;
+  -webkit-mask-image: radial-gradient(ellipse at 100% 0%, #000 10%, transparent 70%);
+  mask-image: radial-gradient(ellipse at 100% 0%, #000 10%, transparent 70%);
+  animation: aurora-drift 60s linear infinite;
+}
+
+.aurora-beams::after {
+  content: '';
+  position: absolute;
+  inset: 0;
+  background-image: var(--dark-gradient), var(--aurora);
+  background-size: 200% 100%, 200% 100%;
+  background-attachment: fixed;
+  background-position: 50% 50%, 50% 50%;
+  animation: aurora-drift 60s linear infinite reverse;
+}
+
+@keyframes aurora-drift {
+  0% {
+    background-position: 50% 50%, 50% 50%;
+  }
+  100% {
+    background-position: 350% 50%, 350% 50%;
+  }
+}
+
+.login-content-reveal {
+  animation: login-reveal 0.8s cubic-bezier(0.16, 1, 0.3, 1) 0.3s both;
+}
+
+@keyframes login-reveal {
+  from {
+    opacity: 0;
+    transform: translateY(40px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+@media (prefers-reduced-motion: reduce) {
+  .aurora-beams,
+  .aurora-beams::after {
+    animation: none;
+  }
+
+  .login-content-reveal {
+    animation: none;
+  }
+}
+
+.portal-header,
+.login-header {
+  position: fixed;
+  top: 0;
+  left: 0;
+  z-index: 2;
+  width: 100%;
+  padding: 24px;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 1rem;
+  flex-wrap: wrap;
+  box-sizing: border-box;
+  pointer-events: none;
+}
+
+.portal-header > *,
+.login-header > * {
+  pointer-events: auto;
+}
+
+@media (min-width: 62em) {
+  .portal-header,
+  .login-header {
+    padding: 42px 50px;
+  }
+}
+
+.portal-logo,
+.login-logo {
+  text-decoration: none;
+  color: #fff;
+  font-size: 1.125rem;
+  font-weight: 700;
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+  transition: color 0.25s var(--ease-out);
+}
+
+.portal-logo:hover,
+.portal-logo:focus-visible,
+.login-logo:hover,
+.login-logo:focus-visible {
+  color: var(--primary);
+}
+
+.portal-header-actions {
+  display: flex;
+  align-items: center;
+  gap: 1rem;
+  flex-wrap: wrap;
+}
+
+.portal-meta {
+  font-size: 0.875rem;
+  color: rgba(255, 255, 255, 0.65);
+}
+
+.portal-btn-outline {
+  border: 1px solid var(--glass-border);
+  background: var(--glass);
+  backdrop-filter: blur(10px);
+  -webkit-backdrop-filter: blur(10px);
+  color: #fff;
+  border-radius: 32px;
+  padding: 10px 24px;
+  font-size: 0.8125rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+  cursor: pointer;
+  transition:
+    color 0.25s var(--ease-out),
+    background-color 0.25s var(--ease-out),
+    border-color 0.25s var(--ease-out);
+}
+
+.portal-btn-outline:hover {
+  background: #fff;
+  color: #1c1c1c;
+  border-color: #fff;
+}
+
+.portal-main,
+.login-main {
+  position: relative;
+  z-index: 1;
+  min-height: 100svh;
+  box-sizing: border-box;
+}
+
+.login-main {
+  display: flex;
+  justify-content: flex-end;
+  align-items: stretch;
+}
+
+.portal-main {
+  padding: 100px 24px 60px;
+  max-width: 900px;
+  margin: 0 auto;
+}
+
+@media (min-width: 62em) {
+  .portal-main {
+    padding: 140px 50px 80px;
+  }
+}
+
+.portal-title {
+  margin: 0 0 2rem;
+  font-size: 0.8125rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.1em;
+  text-align: center;
+  color: #fff;
+}
+
+@media (min-width: 62em) {
+  .portal-title {
+    font-size: 1rem;
+  }
+}
+
+.login-panel {
+  width: 100%;
+  max-width: 730px;
+  min-height: 100svh;
+  padding: 60px 40px;
+  display: flex;
+  flex-direction: column;
+  justify-content: center;
+  box-sizing: border-box;
+}
+
+@media (min-width: 62em) {
+  .login-panel {
+    padding: 164px 40px;
+  }
+}
+
+.AuthForm {
+  width: 100%;
+  max-width: 420px;
+  margin: 0 auto;
+}
+
+.AuthForm .login-section {
+  margin-bottom: 0;
+}
+
+.auth-label {
+  text-align: center;
+  margin: 0 0 50px;
+  font-size: 0.8125rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.1em;
+  line-height: 1;
+  color: #fff;
+}
+
+@media (min-width: 62em) {
+  .auth-label {
+    font-size: 1rem;
+  }
+}
+
+.login-form {
+  display: flex;
+  flex-direction: column;
+  gap: var(--input-gap);
+}
+
+.auth-input {
+  color: #fff;
+  background-color: var(--glass);
+  padding-inline: 40px;
+  backdrop-filter: blur(10px);
+  -webkit-backdrop-filter: blur(10px);
+  border-radius: var(--input-radius);
+  width: 100%;
+  height: var(--input-size);
+  border: none;
+  margin: 0;
+  box-sizing: border-box;
+  font-size: 1rem;
+  font-family: inherit;
+}
+
+.auth-input::placeholder {
+  color: #fff;
+  opacity: 0.5;
+}
+
+.auth-input:focus {
+  outline: 2px solid rgba(157, 61, 254, 0.6);
+  outline-offset: 2px;
+}
+
+.auth-input.invalid {
+  border: 2px solid var(--error);
+}
+
+.login-form .error,
+.portal-page .error {
+  text-align: center;
+  margin: 0;
+  font-size: 0.875rem;
+  color: #fca5a5;
+}
+
+.auth-button {
+  width: 100%;
+  height: var(--input-size);
+  margin-top: var(--input-gap);
+  border: none;
+  border-radius: 32px;
+  background: #fff;
+  color: #1c1c1c;
+  font-size: 1rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  cursor: pointer;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 10px;
+  position: relative;
+  transition:
+    color 0.25s var(--ease-out),
+    background-color 0.25s var(--ease-out),
+    transform 0.25s var(--ease-out);
+}
+
+.auth-button svg {
+  width: 12px;
+  height: 12px;
+  flex-shrink: 0;
+}
+
+.auth-button:hover:not(:disabled) {
+  background: #1c1c1c;
+  color: #fff;
+}
+
+.auth-button:active:not(:disabled) {
+  transform: scale(0.98);
+}
+
+.auth-button:disabled {
+  opacity: 0.65;
+  cursor: not-allowed;
+}
+
+.auth-button.is-loading .button-label {
+  opacity: 0;
+}
+
+.auth-button .loading-spinner {
+  display: none;
+  width: 22px;
+  height: 22px;
+}
+
+.auth-button.is-loading .loading-spinner {
+  display: block;
+  position: absolute;
+}
+
+.loading-spinner {
+  animation: login-spin 1s linear infinite;
+}
+
+@keyframes login-spin {
+  to {
+    transform: rotate(360deg);
+  }
+}
+
+.login-hint {
+  text-align: center;
+  margin: 50px 0 0;
+  font-size: 0.875rem;
+  line-height: 1.5;
+  color: rgba(255, 255, 255, 0.55);
+  max-width: 420px;
+  margin-inline: auto;
+}
+
+.portal-page .muted {
+  color: rgba(255, 255, 255, 0.55);
+  font-size: 0.9rem;
+}
+
+.portal-page .hidden {
+  display: none !important;
+}
+
+/* Dashboard */
+
+.projects {
+  list-style: none;
+  padding: 0;
+  margin: 0;
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+}
+
+.project-card,
+.portal-card {
+  background: var(--glass);
+  backdrop-filter: blur(10px);
+  -webkit-backdrop-filter: blur(10px);
+  border: 1px solid var(--glass-border);
+  border-radius: var(--input-radius);
+  padding: 1.5rem 1.75rem;
+  margin: 0;
+}
+
+.project-card h2 {
+  margin: 0 0 1rem;
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: #fff;
+}
+
+.project-card dl {
+  margin: 0;
+  display: grid;
+  grid-template-columns: 8rem 1fr;
+  gap: 0.35rem 1rem;
+}
+
+.project-card dt {
+  color: rgba(255, 255, 255, 0.5);
+  font-size: 0.8125rem;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+}
+
+.project-card dd {
+  margin: 0;
+  color: #fff;
+  word-break: break-word;
+}
+
+.project-card a {
+  color: var(--primary);
+  text-decoration: none;
+  transition: opacity 0.2s var(--ease-out);
+}
+
+.project-card a:hover {
+  opacity: 0.85;
+  text-decoration: underline;
+}
+
+.feature-tags {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 0.5rem;
+  margin-top: 1rem;
+}
+
+.feature-tag {
+  background: rgba(157, 61, 254, 0.25);
+  border: 1px solid rgba(157, 61, 254, 0.45);
+  border-radius: 999px;
+  padding: 0.25rem 0.75rem;
+  font-size: 0.75rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+  color: #fff;
+}
+
+.portal-status {
+  text-align: center;
+  padding: 2rem 1rem;
+}
+
+@media (max-width: 48em) {
+  .login-main {
+    justify-content: center;
+  }
+
+  .login-panel {
+    max-width: none;
+    padding: 100px 24px 60px;
+  }
+
+  .project-card dl {
+    grid-template-columns: 1fr;
+    gap: 0.15rem;
+  }
+
+  .project-card dt {
+    margin-top: 0.5rem;
+  }
+
+  .project-card dt:first-of-type {
+    margin-top: 0;
+  }
+}
--- a/public/login.html
+++ b/public/login.html
@@ -4,23 +4,60 @@
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Anmelden – Webklar Kundenbereich</title>
-  <link rel="stylesheet" href="/style.css">
+  <link rel="stylesheet" href="/login.css">
 </head>
-<body>
-  <header><h1>Webklar Kundenbereich</h1></header>
-  <main>
-    <form id="login-form" class="card">
-      <label>E-Mail
-        <input type="email" name="email" id="email" required autocomplete="username">
-      </label>
-      <label>Passwort
-        <input type="password" name="password" id="password" required autocomplete="current-password">
-      </label>
-      <p id="login-error" class="error hidden"></p>
-      <button type="submit" id="login-btn">Anmelden</button>
-    </form>
-    <p class="muted">Zugangsdaten erhältst du von Webklar. Passwortänderungen erfolgen über das Ticketsystem.</p>
+<body class="portal-page login-page">
+  <div class="aurora-background" aria-hidden="true">
+    <div class="aurora-beams"></div>
+  </div>
+
+  <header class="portal-header login-header">
+    <a class="portal-logo login-logo" href="/login.html">Webklar</a>
+  </header>
+
+  <main class="login-main">
+    <div class="login-panel">
+      <div class="AuthForm login-content-reveal">
+        <div class="login-section">
+          <p class="auth-label">Anmelden</p>
+          <form id="login-form" class="login-form" novalidate>
+            <input
+              class="auth-input"
+              type="email"
+              name="email"
+              id="email"
+              placeholder="E-Mail"
+              required
+              autocomplete="username"
+            >
+            <input
+              class="auth-input"
+              type="password"
+              name="password"
+              id="password"
+              placeholder="Passwort"
+              required
+              autocomplete="current-password"
+            >
+            <p id="login-error" class="error hidden"></p>
+            <button type="submit" id="login-btn" class="auth-button login-button">
+              <span class="button-label">Anmelden</span>
+              <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 11 10" aria-hidden="true">
+                <path fill="currentColor" d="m4.56 8.352 1.824-1.84q.224-.225.144-.4-.064-.192-.384-.192H0V3.76h6.128q.32 0 .4-.176.08-.192-.144-.416l-1.84-1.84L5.84 0l4.848 4.848L5.856 9.68z"></path>
+              </svg>
+              <svg class="loading-spinner" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" aria-hidden="true">
+                <path stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 12a9 9 0 1 1-6.219-8.56"></path>
+              </svg>
+            </button>
+          </form>
+        </div>
+        <p class="login-hint">
+          Zugangsdaten erhältst du von Webklar. Passwortänderungen erfolgen über das Ticketsystem.
+        </p>
+      </div>
+    </div>
  </main>
+
  <script src="/app.js"></script>
  <script>
    initLoginPage();
--- a/scripts/portal-setup.mjs
+++ b/scripts/portal-setup.mjs
@@ -0,0 +1,158 @@
+#!/usr/bin/env node
+/**
+ * Portal-Setup: API-Key prüfen, Kunde verknüpfen, Portal-Zugang aktivieren.
+ *
+ * Usage:
+ *   node scripts/portal-setup.mjs --check
+ *   node scripts/portal-setup.mjs --link --email kenso@webklar.com --appwrite-user-id 6a10d87f0003f576f126
+ */
+import 'dotenv/config'
+import { randomUUID } from 'node:crypto'
+import { config, WOMS_DATABASE_ID } from '../server/config.js'
+import {
+  getCustomerByEmail,
+  getPortalAccessByCustomerId,
+  listDocuments,
+  updateDocument,
+  Query,
+  verifyDatabaseAccess,
+} from '../server/services/appwriteAdmin.js'
+
+function parseArgs(argv) {
+  const args = { check: false, link: false, email: '', appwriteUserId: '' }
+  for (let i = 2; i < argv.length; i++) {
+    const a = argv[i]
+    if (a === '--check') args.check = true
+    else if (a === '--link') args.link = true
+    else if (a === '--email') args.email = argv[++i] || ''
+    else if (a === '--appwrite-user-id') args.appwriteUserId = argv[++i] || ''
+  }
+  return args
+}
+
+async function adminPost(collectionId, data) {
+  const path = `/databases/${config.appwrite.databaseId}/collections/${collectionId}/documents`
+  const url = `${config.appwrite.endpoint}${path}`
+  const response = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-Appwrite-Project': config.appwrite.projectId,
+      'X-Appwrite-Key': config.appwrite.apiKey,
+    },
+    body: JSON.stringify({ documentId: randomUUID(), data }),
+  })
+  const text = await response.text()
+  const body = text ? JSON.parse(text) : {}
+  if (!response.ok) throw new Error(body.message || `HTTP ${response.status}`)
+  return body
+}
+
+async function checkCollections() {
+  const names = [
+    config.collections.customers,
+    config.collections.customerPortalAccess,
+    config.collections.websiteProjects,
+    config.collections.portalFeatures,
+  ]
+  const missing = []
+  for (const id of names) {
+    const url = `${config.appwrite.endpoint}/databases/${config.appwrite.databaseId}/collections/${id}`
+    const response = await fetch(url, {
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Appwrite-Project': config.appwrite.projectId,
+        'X-Appwrite-Key': config.appwrite.apiKey,
+      },
+    })
+    if (!response.ok) missing.push(id)
+  }
+  return missing
+}
+
+async function linkCustomer(email, appwriteUserId) {
+  const customer = await getCustomerByEmail(email)
+  if (!customer) {
+    throw new Error(`Kein Kunde mit E-Mail "${email}" in customers gefunden.`)
+  }
+
+  await updateDocument(config.collections.customers, customer.$id, {
+    appwriteUserId,
+    portalAccessEnabled: true,
+    customerStatus: customer.customerStatus || 'active',
+    updatedAt: new Date().toISOString(),
+  })
+
+  let portalAccess = await getPortalAccessByCustomerId(customer.$id)
+  if (portalAccess) {
+    await updateDocument(config.collections.customerPortalAccess, portalAccess.$id, {
+      enabled: true,
+      appwriteUserId,
+      passwordSet: true,
+    })
+  } else {
+    portalAccess = await adminPost(config.collections.customerPortalAccess, {
+      customerId: customer.$id,
+      enabled: true,
+      appwriteUserId,
+      passwordSet: true,
+    })
+  }
+
+  return { customerId: customer.$id, portalAccessId: portalAccess.$id }
+}
+
+async function main() {
+  const args = parseArgs(process.argv)
+
+  console.log(`Endpoint:  ${config.appwrite.endpoint}`)
+  console.log(`Database:  ${WOMS_DATABASE_ID}`)
+  console.log(`Project:   ${config.appwrite.projectId}`)
+  console.log('')
+
+  const access = await verifyDatabaseAccess()
+  if (!access.ok) {
+    console.error('❌ APPWRITE_API_KEY: Kein Zugriff auf woms-database.')
+    console.error(`   Appwrite: ${access.reason}`)
+    console.error('   Benötigt: Scopes databases.read + databases.write')
+    process.exit(1)
+  }
+  console.log('✅ API-Key: databases.read OK')
+
+  const sample = await listDocuments(config.collections.customers, [Query.limit(1)])
+  console.log(`✅ Collection "${config.collections.customers}": ${sample.length >= 0 ? 'erreichbar' : '?'}`)
+
+  const missing = await checkCollections()
+  if (missing.length) {
+    console.warn(`⚠️  Fehlende Collections: ${missing.join(', ')}`)
+    console.warn('   Siehe APPWRITE_SCHEMA.md – im Ticketsystem/Appwrite Console anlegen.')
+  } else {
+    console.log('✅ Alle Portal-Collections vorhanden')
+  }
+
+  if (args.link) {
+    if (!args.email || !args.appwriteUserId) {
+      console.error('❌ --link erfordert --email und --appwrite-user-id')
+      process.exit(1)
+    }
+    const result = await linkCustomer(args.email.trim(), args.appwriteUserId.trim())
+    console.log('')
+    console.log('✅ Kunde verknüpft:')
+    console.log(`   customerId:       ${result.customerId}`)
+    console.log(`   appwriteUserId:     ${args.appwriteUserId}`)
+    console.log(`   portalAccessId:     ${result.portalAccessId}`)
+    console.log('   portalAccessEnabled: true')
+    console.log('   customerPortalAccess.enabled: true')
+  }
+
+  if (!args.check && !args.link) {
+    console.log('')
+    console.log('Nur Check ausgeführt. Für Verknüpfung:')
+    console.log('  node scripts/portal-setup.mjs --link --email USER@example.com --appwrite-user-id USER_ID')
+  }
+}
+
+main().catch((err) => {
+  console.error('❌', err.message)
+  process.exit(1)
+})
--- a/server/index.js
+++ b/server/index.js
@@ -2,6 +2,7 @@ import express from 'express'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
 import { config, assertServerConfig, WOMS_DATABASE_ID } from './config.js'
+import { verifyDatabaseAccess } from './services/appwriteAdmin.js'
 import { sessionMiddleware } from './middleware/session.js'
 import authRoutes from './routes/auth.js'
 import projectsRoutes from './routes/projects.js'
@@ -14,6 +15,7 @@ const publicDir = path.join(__dirname, '..', 'public')
 assertServerConfig()

 const app = express()
+app.set('trust proxy', 1)
 app.use(sessionMiddleware())
 app.use(express.json({ limit: '2mb' }))

@@ -22,12 +24,14 @@ app.use('/api/projects', projectsRoutes)
 app.use('/api/features', featuresRoutes)
 app.use('/webhook', giteaWebhookRoutes)

-app.get('/api/health', (_req, res) => {
+app.get('/api/health', async (_req, res) => {
+  const dbAccess = await verifyDatabaseAccess()
  res.json({
-    ok: true,
+    ok: dbAccess.ok,
    service: 'webklar-kundenbereich',
    databaseId: WOMS_DATABASE_ID,
    endpoint: config.appwrite.endpoint,
+    appwriteDbAccess: dbAccess,
  })
 })

@@ -45,14 +49,28 @@ app.get('/', (_req, res) => {
  res.redirect('/login.html')
 })

-const server = app.listen(config.port, () => {
+app.use((err, _req, res, _next) => {
+  console.error('[server] Unbehandelter Fehler:', err)
+  if (!res.headersSent) {
+    res.status(500).json({ error: err.message || 'Interner Serverfehler' })
+  }
+})
+
+const server = app.listen(config.port, '0.0.0.0', () => {
  console.log(`Webklar Kundenbereich läuft auf Port ${config.port}`)
+  verifyDatabaseAccess().then((result) => {
+    if (result.ok) return
+    console.error(
+      '[startup] APPWRITE_API_KEY: Kein Lesezugriff auf woms-database. In Appwrite Console neuen API-Key mit Scopes databases.read + databases.write anlegen und in .env eintragen.'
+    )
+    if (result.reason) console.error(`[startup] Appwrite: ${result.reason}`)
+  })
 })

 server.on('error', (err) => {
  if (err.code === 'EADDRINUSE') {
    console.error(
-      `[server] Port ${config.port} ist bereits belegt. Alten Prozess beenden: lsof -i :${config.port} dann kill <PID>, oder PORT=3001 in .env setzen.`
+      `[server] Port ${config.port} ist bereits belegt. Windows: netstat -ano | findstr :${config.port} → taskkill /PID <PID> /F. Oder in .env einen anderen PORT setzen (z. B. PORT=3002).`
    )
    process.exit(1)
  }
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -2,13 +2,13 @@ import { Router } from 'express'
 import { config } from '../config.js'
 import {
  getCustomerByAppwriteUserId,
+  getCustomerByEmail,
  getPortalAccessByCustomerId,
  updateDocument,
 } from '../services/appwriteAdmin.js'
-import { loginWithAppwrite } from '../services/appwriteClient.js'
+import { loginWithAppwrite, getLoginCooldownRemainingSec } from '../services/appwriteClient.js'
 import {
  clearPortalSession,
-  requireSession,
  setPortalSession,
 } from '../middleware/session.js'

@@ -28,10 +28,15 @@ function sanitizeCustomer(customer) {
  }
 }

-async function validatePortalAccess(appwriteUserId) {
-  const customer = await getCustomerByAppwriteUserId(appwriteUserId)
+async function validatePortalAccess(appwriteUserId, email) {
+  let customer = await getCustomerByAppwriteUserId(appwriteUserId)
+  if (!customer && email) {
+    customer = await getCustomerByEmail(email)
+  }
  if (!customer) {
-    const error = new Error('Kein Kundenkonto für diesen Login gefunden.')
+    const error = new Error(
+      `Kein Kundenkonto für diesen Login gefunden. Im Ticketsystem customers.appwriteUserId auf "${appwriteUserId}" setzen (E-Mail: ${email}).`
+    )
    error.status = 403
    throw error
  }
@@ -59,22 +64,13 @@ async function validatePortalAccess(appwriteUserId) {
  return { customer, portalAccess }
 }

-const DEBUG_LOG = (location, message, data, hypothesisId) => {
-  // #region agent log
-  fetch('http://127.0.0.1:7281/ingest/30e8e71c-b377-4e72-84f9-593826c6d234', {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'X-Debug-Session-Id': '80bbfc' },
-    body: JSON.stringify({
-      sessionId: '80bbfc',
-      location,
-      message,
-      data,
-      hypothesisId,
-      timestamp: Date.now(),
-    }),
-  }).catch(() => {})
-  // #endregion
-}
+router.get('/login-status', (_req, res) => {
+  const retryAfterSeconds = getLoginCooldownRemainingSec()
+  res.json({
+    blocked: retryAfterSeconds > 0,
+    retryAfterSeconds,
+  })
+})

 router.post('/login', async (req, res) => {
  const { email, password } = req.body || {}
@@ -84,12 +80,7 @@ router.post('/login', async (req, res) => {

  try {
    const user = await loginWithAppwrite(email.trim(), password)
-    DEBUG_LOG('auth.js:login', 'appwrite user ok', { userId: user.$id }, 'H3')
-    const { customer, portalAccess } = await validatePortalAccess(user.$id)
-    DEBUG_LOG('auth.js:login', 'portal validation ok', {
-      customerId: customer.$id,
-      portalAccessEnabled: Boolean(customer.portalAccessEnabled),
-    }, 'H4')
+    const { customer, portalAccess } = await validatePortalAccess(user.$id, email.trim())

    setPortalSession(res, {
      customerId: customer.$id,
@@ -109,10 +100,20 @@ router.post('/login', async (req, res) => {
    return res.json({ success: true, customer: sanitizeCustomer(customer) })
  } catch (err) {
    const status = err.status || 500
-    DEBUG_LOG('auth.js:login', 'login failed', {
-      status,
-      message: err?.message?.slice(0, 120),
-    }, status === 403 ? 'H4' : status === 401 ? 'H1' : 'H5')
+    if (status === 429) {
+      return res.status(429).json({
+        error:
+          err.message ||
+          'Zu viele Anmeldeversuche. Bitte warte einige Minuten, bevor du es erneut versuchst.',
+        retryAfterSeconds: getLoginCooldownRemainingSec(),
+      })
+    }
+    if (err?.message?.includes('not authorized')) {
+      return res.status(500).json({
+        error:
+          'Server-Konfiguration: APPWRITE_API_KEY benötigt databases.read für woms-database (customers, customerPortalAccess).',
+      })
+    }
    return res.status(status).json({ error: err.message || 'Anmeldung fehlgeschlagen' })
  }
 })
@@ -122,14 +123,28 @@ router.post('/logout', (_req, res) => {
  res.json({ success: true })
 })

-router.get('/me', requireSession, async (req, res) => {
+router.get('/me', async (req, res) => {
+  const raw = req.signedCookies?.[config.cookieName]
+  if (!raw) {
+    return res.json({ authenticated: false })
+  }
+
  try {
-    const customer = await getCustomerByAppwriteUserId(req.session.appwriteUserId)
+    const session = JSON.parse(raw)
+    if (!session.customerId || !session.appwriteUserId) {
+      return res.json({ authenticated: false })
+    }
+
+    const customer = await getCustomerByAppwriteUserId(session.appwriteUserId)
    if (!customer) {
      clearPortalSession(res)
-      return res.status(403).json({ error: 'Kundenkonto nicht gefunden' })
+      return res.json({ authenticated: false })
    }
-    return res.json({ customer: sanitizeCustomer(customer) })
+
+    return res.json({
+      authenticated: true,
+      customer: sanitizeCustomer(customer),
+    })
  } catch (err) {
    return res.status(500).json({ error: err.message || 'Fehler beim Laden' })
  }
--- a/server/routes/features.js
+++ b/server/routes/features.js
@@ -1,4 +1,5 @@
 import { Router } from 'express'
+import { config } from '../config.js'
 import { listDocuments, Query } from '../services/appwriteAdmin.js'
 import { getSessionCustomerId, requireSession } from '../middleware/session.js'

--- a/server/routes/projects.js
+++ b/server/routes/projects.js
@@ -1,4 +1,5 @@
 import { Router } from 'express'
+import { config } from '../config.js'
 import { listDocuments, Query } from '../services/appwriteAdmin.js'
 import { getSessionCustomerId, requireSession } from '../middleware/session.js'

--- a/server/services/appwriteAdmin.js
+++ b/server/services/appwriteAdmin.js
@@ -16,6 +16,15 @@ function adminHeaders() {
  }
 }

+function formatRequestBody(body, method) {
+  if (!body || method === 'GET' || method === 'DELETE') return body
+  if (body.data !== undefined) return body
+  const { documentId, ...fields } = body
+  const payload = { data: fields }
+  if (documentId) payload.documentId = documentId
+  return payload
+}
+
 async function adminFetch(path, { method = 'GET', body, queries = [] } = {}) {
  if (!config.appwrite.apiKey) {
    const error = new Error('APPWRITE_API_KEY fehlt in .env')
@@ -28,10 +37,12 @@ async function adminFetch(path, { method = 'GET', body, queries = [] } = {}) {
    url.searchParams.append('queries[]', q)
  }

+  const requestBody = formatRequestBody(body, method)
+
  const response = await fetch(url.toString(), {
    method,
    headers: adminHeaders(),
-    body: body ? JSON.stringify(body) : undefined,
+    body: requestBody ? JSON.stringify(requestBody) : undefined,
  })

  const text = await response.text()
@@ -48,6 +59,7 @@ async function adminFetch(path, { method = 'GET', body, queries = [] } = {}) {
    const error = new Error(data?.message || `Appwrite ${response.status}`)
    error.status = response.status >= 500 ? 500 : response.status
    error.code = data?.code
+    error.type = data?.type
    throw error
  }

@@ -95,6 +107,15 @@ export async function getCustomerByAppwriteUserId(appwriteUserId) {
  return docs[0] || null
 }

+export async function getCustomerByEmail(email) {
+  if (!email) return null
+  const docs = await listDocuments(config.collections.customers, [
+    Query.equal('email', email.trim()),
+    Query.limit(1),
+  ])
+  return docs[0] || null
+}
+
 export async function getPortalAccessByCustomerId(customerId) {
  const docs = await listDocuments(config.collections.customerPortalAccess, [
    Query.equal('customerId', customerId),
@@ -133,7 +154,24 @@ export async function upsertWebsiteProjectByRepo(repoFullName, data) {
  })
 }

-/** @deprecated Nur für Kompatibilität – nutzt native fetch */
+export async function verifyDatabaseAccess() {
+  if (!config.appwrite.apiKey) {
+    return { ok: false, reason: 'APPWRITE_API_KEY fehlt' }
+  }
+  try {
+    await listDocuments(config.collections.customers, [Query.limit(1)])
+    return { ok: true }
+  } catch (err) {
+    return {
+      ok: false,
+      reason: err.message,
+      code: err.code,
+      type: err.type,
+      status: err.status,
+    }
+  }
+}
+
 export function createAdminClient() {
  return { usesNativeFetch: true, databaseId: WOMS_DATABASE_ID }
 }
--- a/server/services/appwriteClient.js
+++ b/server/services/appwriteClient.js
@@ -1,5 +1,4 @@
 import { config } from '../config.js'
-import { deleteUserSession, getUserById } from './appwriteAdmin.js'

 const DEBUG_LOG = (location, message, data, hypothesisId) => {
  // #region agent log
@@ -45,9 +44,14 @@ async function appwriteFetch(path, { method = 'GET', body } = {}) {

  if (!response.ok) {
    const error = new Error(data?.message || `Appwrite ${response.status}`)
-    error.status = response.status === 401 ? 401 : response.status >= 500 ? 500 : 401
+    error.status = response.status
    error.code = data?.code
    error.type = data?.type
+    if (response.status === 429 || data?.type === 'general_rate_limit_exceeded') {
+      error.message =
+        'Zu viele Anmeldeversuche. Bitte warte einige Minuten, bevor du es erneut versuchst.'
+      error.status = 429
+    }
    throw error
  }

@@ -55,10 +59,33 @@ async function appwriteFetch(path, { method = 'GET', body } = {}) {
 }

 /**
- * Appwrite Auth per native fetch (Node 26 + node-appwrite-Agent ist inkompatibel).
- * Session.secret wird serverseitig oft nicht zurückgegeben – userId aus Session nutzen.
+ * Login via Appwrite Auth REST. userId kommt aus der Session – kein users.read nötig.
 */
+let appwriteLoginBlockedUntil = 0
+const APPWRITE_LOGIN_COOLDOWN_MS = 5 * 60 * 1000
+const APPWRITE_RATE_LIMIT_COOLDOWN_MS = 15 * 60 * 1000
+
+export function getLoginCooldownRemainingSec() {
+  const left = appwriteLoginBlockedUntil - Date.now()
+  return left > 0 ? Math.ceil(left / 1000) : 0
+}
+
+export function clearLoginCooldown() {
+  appwriteLoginBlockedUntil = 0
+}
+
 export async function loginWithAppwrite(email, password) {
+  const now = Date.now()
+  if (now < appwriteLoginBlockedUntil) {
+    const waitSec = Math.ceil((appwriteLoginBlockedUntil - now) / 1000)
+    DEBUG_LOG('appwriteClient.js:cooldown', 'login blocked locally', { waitSec }, 'H8')
+    const error = new Error(
+      `Zu viele Anmeldeversuche. Bitte warte noch ${waitSec} Sekunden.`
+    )
+    error.status = 429
+    throw error
+  }
+
  let session
  try {
    session = await appwriteFetch('/account/sessions/email', {
@@ -66,7 +93,6 @@ export async function loginWithAppwrite(email, password) {
      body: { email, password },
    })
    DEBUG_LOG('appwriteClient.js:session', 'createEmailPasswordSession ok', {
-      hasSecret: Boolean(session?.secret),
      hasUserId: Boolean(session?.userId),
      sessionId: session?.$id || null,
    }, 'H6')
@@ -75,38 +101,23 @@ export async function loginWithAppwrite(email, password) {
      message: err?.message?.slice(0, 120),
      code: err?.code,
    }, 'H1')
+    if (err.status === 429) {
+      appwriteLoginBlockedUntil = Date.now() + APPWRITE_RATE_LIMIT_COOLDOWN_MS
+    }
    const error = new Error(err.message || 'Anmeldung fehlgeschlagen')
    error.status = err.status || 401
    throw error
  }

  if (!session?.userId) {
-    DEBUG_LOG('appwriteClient.js:session', 'no userId in session', {
-      sessionKeys: session ? Object.keys(session).filter((k) => !k.startsWith('provider')) : [],
-    }, 'H6')
    const error = new Error('Appwrite-Session ohne userId.')
    error.status = 500
    throw error
  }

-  let user
-  try {
-    user = await getUserById(session.userId)
-    DEBUG_LOG('appwriteClient.js:getUser', 'users.get ok', { userId: user?.$id || null }, 'H6')
-  } catch (err) {
-    DEBUG_LOG('appwriteClient.js:getUser', 'users.get fail, fallback', {
-      message: err?.message?.slice(0, 80),
-    }, 'H6')
-    user = { $id: session.userId, email, name: '' }
-  }
-
-  if (session.$id) {
-    try {
-      await deleteUserSession(session.userId, session.$id)
-    } catch {
-      // Portal nutzt eigene Session; Appwrite-Session optional aufräumen
-    }
-  }
+  const user = { $id: session.userId, email, name: '' }
+  DEBUG_LOG('appwriteClient.js:user', 'using session userId', { userId: user.$id }, 'H7')

+  clearLoginCooldown()
  return user
 }
Author	SHA1	Message	Date
Kenso Grimm	cff72eb528	fix	2026-05-28 06:57:54 +02:00
Kenso Grimm	901ab1adae	fix	2026-05-25 16:49:13 +02:00
Kenso Grimm	bbcc5dc05e	design 2.0	2026-05-25 16:47:15 +02:00
Kenso Grimm	d83bc33fd9	design	2026-05-25 16:23:22 +02:00
KNSO	3840ecf494	fix 4	2026-05-23 01:18:44 +02:00
KNSO	3f2572ca59	fix 3	2026-05-23 00:36:45 +02:00
root	bd59243e2c	Fix Login: Appwrite-Session ohne secret auf dem Server session.secret wird ohne API-Key nicht zurückgegeben. Login nutzt daher session.userId und die Admin Users API statt account.get(). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 22:16:31 +00:00