fix: harden auth, admin, teacher, and e2ee endpoints
- Invalidate JWTs on password change/reset via token_version
- Constant-time login compare against dummy hash to prevent user enum
- Register validates subject against subjects table + user_subjects link
- Last-admin guard on account delete and admin role/status PATCH
- purgeUser unlinks teacher_materials storage files
- 2FA setup/regenerate require password, setup blocks while enabled
- Group sender keys: existing-distributor check + INSERT OR IGNORE
- class_events: type whitelist, ISO date regex, end >= start check
- Teacher absences DELETE: ownership check (teacher_id)
- class_timetable POST: HHMM validation, overlap detection
- class_timetable PUT: subject restricted to teacher list, HHMM + overlap
- Register VALID_SUBJECTS removed; dynamic subjects from DB
- /api/subjects made public (needed by register form)
@@ -223,8 +223,8 @@ footer a:hover { color: #2563eb; }
|
||||
<div id="login-step-2" style="display:none">
|
||||
<div class="field">
|
||||
<label for="l-totp">2FA-Code</label>
|
||||
<input type="text" id="l-totp" autocomplete="one-time-code" placeholder="6-stelliger Code" maxlength="6" inputmode="numeric">
|
||||
<span style="font-size:11px;color:#9ca3af;margin-top:2px">Code aus deiner Authenticator-App eingeben</span>
|
||||
<input type="text" id="l-totp" autocomplete="one-time-code" placeholder="6-stelliger Code oder Wiederherstellungscode" maxlength="11">
|
||||
<span style="font-size:11px;color:#9ca3af;margin-top:2px">Code aus der Authenticator-App oder einen Wiederherstellungscode (xxxxx-xxxxx) eingeben</span>
|
||||
</div>
|
||||
<button type="button" style="font-size:12px;color:#6b7280;background:none;border:none;cursor:pointer;padding:0;margin-top:4px" onclick="backToStep1()">← Zurück</button>
|
||||
</div>
|
||||
|
||||
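Review bot: the commit message does not document this hunk's change: the login 2FA input now accepts recovery codes as well as TOTP codes (placeholder text changed, `maxlength="6"` raised to `maxlength="11"`, and `inputmode="numeric"` dropped so letters can be typed), yet none of the listed bullets mentions recovery-code login; add one, since the message otherwise enumerates every hardening change. Note also that `maxlength` and the placeholder are only UI hints: the server handler behind this step must itself decide whether the submitted value is a 6-digit TOTP or an xxxxx-xxxxx recovery code, enforce single use of recovery codes, and rate-limit attempts on this field, none of which is visible in this hunk.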