v2.1.0 — Real-time collaboration, performance & security overhaul

Real-Time Collaboration (WebSocket): - WebSocket server with JWT auth and trip-based rooms - Live sync for all CRUD operations (places, assignments, days, notes, budget, packing, reservations, files) - Socket-based exclusion to prevent duplicate updates - Auto-reconnect with exponential backoff - Assignment move sync between days Performance: - 16 database indexes on all foreign key columns - N+1 query fix in places, assignments and days endpoints - Marker clustering (react-leaflet-cluster) with configurable radius - List virtualization (react-window) for places sidebar - useMemo for filtered places - SQLite WAL mode + busy_timeout for concurrent writes - Weather API: server-side cache (1h forecast, 15min current) + client sessionStorage - Google Places photos: persisted to DB after first fetch - Google Details: 3-tier cache (memory → sessionStorage → API) Security: - CORS auto-configuration (production: same-origin, dev: open) - API keys removed from /auth/me response - Admin-only endpoint for reading API keys - Path traversal prevention in cover image deletion - JWT secret persisted to file (survives restarts) - Avatar upload file extension whitelist - API key fallback: normal users use admin's key without exposure - Case-insensitive email login Dark Mode: - Fixed hardcoded colors across PackingList, Budget, ReservationModal, ReservationsPanel - Mobile map buttons and sidebar sheets respect dark mode - Cluster markers always dark UI/UX: - Redesigned login page with animated planes, stars and feature cards - Admin: create user functionality with CustomSelect - Mobile: day-picker popup for assigning places to days - Mobile: touch-friendly reorder buttons (32px targets) - Mobile: responsive text (shorter labels on small screens) - Packing list: index-based category colors - i18n: translated date picker placeholder, fixed German labels - Default map tile: CartoDB Light
2026-06-21 14:21:46 +00:00 · 2026-03-19 12:44:22 +01:00
parent f000943489
commit 74f19f3312
44 changed files with 1714 additions and 363 deletions
@@ -11,11 +11,42 @@ router.use(authenticate, adminOnly);
 // GET /api/admin/users
 router.get('/users', (req, res) => {
  const users = db.prepare(
-    'SELECT id, username, email, role, maps_api_key, unsplash_api_key, openweather_api_key, created_at, updated_at FROM users ORDER BY created_at DESC'
+    'SELECT id, username, email, role, created_at, updated_at FROM users ORDER BY created_at DESC'
  ).all();
  res.json({ users });
 });

+// POST /api/admin/users
+router.post('/users', (req, res) => {
+  const { username, email, password, role } = req.body;
+
+  if (!username?.trim() || !email?.trim() || !password?.trim()) {
+    return res.status(400).json({ error: 'Benutzername, E-Mail und Passwort sind erforderlich' });
+  }
+
+  if (role && !['user', 'admin'].includes(role)) {
+    return res.status(400).json({ error: 'Ungültige Rolle' });
+  }
+
+  const existingUsername = db.prepare('SELECT id FROM users WHERE username = ?').get(username.trim());
+  if (existingUsername) return res.status(409).json({ error: 'Benutzername bereits vergeben' });
+
+  const existingEmail = db.prepare('SELECT id FROM users WHERE email = ?').get(email.trim());
+  if (existingEmail) return res.status(409).json({ error: 'E-Mail bereits vergeben' });
+
+  const passwordHash = bcrypt.hashSync(password.trim(), 10);
+
+  const result = db.prepare(
+    'INSERT INTO users (username, email, password_hash, role) VALUES (?, ?, ?, ?)'
+  ).run(username.trim(), email.trim(), passwordHash, role || 'user');
+
+  const user = db.prepare(
+    'SELECT id, username, email, role, created_at, updated_at FROM users WHERE id = ?'
+  ).get(result.lastInsertRowid);
+
+  res.status(201).json({ user });
+});
+
 // PUT /api/admin/users/:id
 router.put('/users/:id', (req, res) => {
  const { username, email, role, password } = req.body;