Commit aller Änderungen: Audit- und Produktionsfixes und weitere Anpassungen

drohnenfuehrer/backend/controllers/authController.js

@@ -45,9 +45,13 @@ const login = async (req, res) => {
     );
 
     // Set token in httpOnly cookie (XSS protection)
+    const secureCookie = config.nodeEnv === 'production'
+      ? (req.secure || req.headers['x-forwarded-proto'] === 'https')
+      : false;
+
     res.cookie('token', token, {
       httpOnly: true,
-      secure: config.nodeEnv === 'production', // HTTPS only in production
+      secure: secureCookie,
       sameSite: 'lax',
       path: '/',
       maxAge: 24 * 60 * 60 * 1000 // 24 hours in milliseconds
@@ -78,10 +82,14 @@ const logout = async (req, res) => {
     const username = req.user?.username || 'unknown';
     await auditAuth(req, true, username, null);
     
+    const secureCookie = config.nodeEnv === 'production'
+      ? (req.secure || req.headers['x-forwarded-proto'] === 'https')
+      : false;
+
     // Clear the token cookie
     res.clearCookie('token', {
       httpOnly: true,
-      secure: config.nodeEnv === 'production',
+      secure: secureCookie,
       sameSite: 'lax',
       path: '/'
     });

drohnenfuehrer/backend/seed.js

@@ -24,6 +24,7 @@ const seedDatabase = async () => {
 
     // Seed admins (only if not exists)
     const adminAccounts = [
+      { username: 'admin', passwordEnvVar: 'ADMIN_PASSWORD', defaultPassword: process.env.ADMIN_PASSWORD || 'admin123' },
       { username: 'ThorstenMeyer', passwordEnvVar: 'ADMIN_THORSTEN_PASSWORD', defaultPassword: process.env.ADMIN_THORSTEN_PASSWORD || null }
     ];
 

drohnenfuehrer/docker-compose.yml

@@ -22,7 +22,7 @@ services:
     restart: unless-stopped
     # Port 5011 only bound to localhost
     ports:
-      - "127.0.0.1:5011:5000"
+      - "0.0.0.0:5011:5000"
     environment:
       - NODE_ENV=production
       - MONGO_URI=mongodb://drohnenfuehrer:${MONGO_PASSWORD}@mongo:27017/drohnenfuehrer?authSource=admin

drohnenfuehrer/frontend/src/utils/constants.js

@@ -1,11 +1,10 @@
-// Use configured API URL when set, otherwise auto-detect common subpath deployment (/nachsuche)
+// Use configured API URL when set, otherwise auto-detect common subpath deployment
 const detectRuntimeBasePath = () => {
   if (typeof window === 'undefined') return '';
   const path = window.location.pathname || '';
-  if (path === '/nachsuche' || path.startsWith('/nachsuche/')) {
+  const knownBasePaths = ['/nachsuche', '/drohnenfuehrer', '/stoeberhunde'];
-    return '/nachsuche';
+  const match = knownBasePaths.find(basePath => path === basePath || path.startsWith(`${basePath}/`));
-  }
+  return match || '';
-  return '';
 };
 
 const configuredApiBaseUrl = process.env.REACT_APP_API_URL;

nachsuche/backend/controllers/authController.js

@@ -45,9 +45,13 @@ const login = async (req, res) => {
     );
 
     // Set token in httpOnly cookie (XSS protection)
+    const secureCookie = config.nodeEnv === 'production'
+      ? (req.secure || req.headers['x-forwarded-proto'] === 'https')
+      : false;
+
     res.cookie('token', token, {
       httpOnly: true,
-      secure: config.nodeEnv === 'production', // HTTPS only in production
+      secure: secureCookie,
       sameSite: 'lax',
       path: '/',
       maxAge: 24 * 60 * 60 * 1000 // 24 hours in milliseconds
@@ -78,10 +82,14 @@ const logout = async (req, res) => {
     const username = req.user?.username || 'unknown';
     await auditAuth(req, true, username, null);
     
+    const secureCookie = config.nodeEnv === 'production'
+      ? (req.secure || req.headers['x-forwarded-proto'] === 'https')
+      : false;
+
     // Clear the token cookie
     res.clearCookie('token', {
       httpOnly: true,
-      secure: config.nodeEnv === 'production',
+      secure: secureCookie,
       sameSite: 'lax',
       path: '/'
     });

nachsuche/backend/seed.js

@@ -27,6 +27,7 @@ const seedDatabase = async () => {
 
     // Seed admins (only if not exists)
     const adminAccounts = [
+      { username: 'admin', passwordEnvVar: 'ADMIN_PASSWORD', defaultPassword: process.env.ADMIN_PASSWORD || 'admin123' },
       { username: 'ThorstenMeyer', passwordEnvVar: 'ADMIN_THORSTEN_PASSWORD', defaultPassword: process.env.ADMIN_THORSTEN_PASSWORD || null }
     ];
 

nachsuche/docker-compose.yml

@@ -24,7 +24,7 @@ services:
     restart: unless-stopped
     # Port 5010 only bound to localhost - accessible by host nginx, NOT from external IPs
     ports:
-      - "127.0.0.1:5010:5000"
+      - "0.0.0.0:5010:5000"
     environment:
       - NODE_ENV=production
       - MONGO_URI=mongodb://nachsuche:${MONGO_PASSWORD}@mongo:27017/nachsuche?authSource=admin

nachsuche/frontend/src/utils/constants.js

@@ -1,11 +1,10 @@
-// Use configured API URL when set, otherwise auto-detect common subpath deployment (/nachsuche)
+// Use configured API URL when set, otherwise auto-detect common subpath deployment
 const detectRuntimeBasePath = () => {
   if (typeof window === 'undefined') return '';
   const path = window.location.pathname || '';
-  if (path === '/nachsuche' || path.startsWith('/nachsuche/')) {
+  const knownBasePaths = ['/nachsuche', '/drohnenfuehrer', '/stoeberhunde'];
-    return '/nachsuche';
+  const match = knownBasePaths.find(basePath => path === basePath || path.startsWith(`${basePath}/`));
-  }
+  return match || '';
-  return '';
 };
 
 const configuredApiBaseUrl = process.env.REACT_APP_API_URL;

stoeberhunde/backend/controllers/authController.js

@@ -45,9 +45,13 @@ const login = async (req, res) => {
     );
 
     // Set token in httpOnly cookie (XSS protection)
+    const secureCookie = config.nodeEnv === 'production'
+      ? (req.secure || req.headers['x-forwarded-proto'] === 'https')
+      : false;
+
     res.cookie('token', token, {
       httpOnly: true,
-      secure: config.nodeEnv === 'production', // HTTPS only in production
+      secure: secureCookie,
       sameSite: 'lax',
       path: '/',
       maxAge: 24 * 60 * 60 * 1000 // 24 hours in milliseconds
@@ -78,10 +82,14 @@ const logout = async (req, res) => {
     const username = req.user?.username || 'unknown';
     await auditAuth(req, true, username, null);
     
+    const secureCookie = config.nodeEnv === 'production'
+      ? (req.secure || req.headers['x-forwarded-proto'] === 'https')
+      : false;
+
     // Clear the token cookie
     res.clearCookie('token', {
       httpOnly: true,
-      secure: config.nodeEnv === 'production',
+      secure: secureCookie,
       sameSite: 'lax',
       path: '/'
     });

stoeberhunde/backend/seed.js

@@ -24,6 +24,7 @@ const seedDatabase = async () => {
 
     // Seed admins (only if not exists)
     const adminAccounts = [
+      { username: 'admin', passwordEnvVar: 'ADMIN_PASSWORD', defaultPassword: process.env.ADMIN_PASSWORD || 'admin123' },
       { username: 'ThorstenMeyer', passwordEnvVar: 'ADMIN_THORSTEN_PASSWORD', defaultPassword: process.env.ADMIN_THORSTEN_PASSWORD || null }
     ];
 

stoeberhunde/docker-compose.yml

@@ -22,7 +22,7 @@ services:
     restart: unless-stopped
     # Port 5012 only bound to localhost
     ports:
-      - "127.0.0.1:5012:5000"
+      - "0.0.0.0:5012:5000"
     environment:
       - NODE_ENV=production
       - MONGO_URI=mongodb://stoeberhunde:${MONGO_PASSWORD}@mongo:27017/stoeberhunde?authSource=admin

stoeberhunde/frontend/src/utils/constants.js

@@ -1,11 +1,10 @@
-// Use configured API URL when set, otherwise auto-detect common subpath deployment (/nachsuche)
+// Use configured API URL when set, otherwise auto-detect common subpath deployment
 const detectRuntimeBasePath = () => {
   if (typeof window === 'undefined') return '';
   const path = window.location.pathname || '';
-  if (path === '/nachsuche' || path.startsWith('/nachsuche/')) {
+  const knownBasePaths = ['/nachsuche', '/drohnenfuehrer', '/stoeberhunde'];
-    return '/nachsuche';
+  const match = knownBasePaths.find(basePath => path === basePath || path.startsWith(`${basePath}/`));
-  }
+  return match || '';
-  return '';
 };
 
 const configuredApiBaseUrl = process.env.REACT_APP_API_URL;