feat: email verification via Resend + admin user management

- Add email verification flow: register sends verify link, login blocks unverified accounts, 24h token expiry, resend endpoint (3/h rate limit). - Add mailer module using Resend with branded HTML + plaintext template. - Extend admin dashboard: verified-status column, toggle verify/unverify buttons, promote/demote admin role, delete any non-self user. - Migrate users table: email_verified, verify_token, verify_expires columns. - Load env via dotenv; add .env to gitignore.
2026-04-18 01:33:45 +02:00
parent b2de630983
commit 396148aea2
9 changed files with 374 additions and 37 deletions
@@ -220,5 +220,8 @@ try { db.exec(`ALTER TABLE users ADD COLUMN status TEXT NOT NULL DEFAULT 'pendin
 try { db.exec(`ALTER TABLE users ADD COLUMN subject TEXT`); } catch {}
 try { db.exec(`ALTER TABLE users ADD COLUMN totp_secret TEXT`); } catch {}
 try { db.exec(`ALTER TABLE users ADD COLUMN totp_enabled INTEGER DEFAULT 0`); } catch {}
+try { db.exec(`ALTER TABLE users ADD COLUMN email_verified INTEGER DEFAULT 0`); } catch {}
+try { db.exec(`ALTER TABLE users ADD COLUMN verify_token TEXT`); } catch {}
+try { db.exec(`ALTER TABLE users ADD COLUMN verify_expires TEXT`); } catch {}

 module.exports = db;
@@ -0,0 +1,114 @@
+const { Resend } = require('resend');
+
+const apiKey = process.env.RESEND_API_KEY;
+const MAIL_FROM = process.env.MAIL_FROM || 'noreply@info1.simon0x.xyz';
+const MAIL_FROM_NAME = process.env.MAIL_FROM_NAME || 'INFO1 Portal';
+const APP_URL = process.env.APP_URL || 'http://127.0.0.1:3010';
+
+if (!apiKey) {
+  console.warn('WARN: RESEND_API_KEY not set. Verification emails will fail.');
+}
+
+const resend = apiKey ? new Resend(apiKey) : null;
+
+function renderVerifyHtml(link) {
+  return `<!doctype html>
+<html lang="de">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>E-Mail bestätigen</title>
+</head>
+<body style="margin:0;padding:0;background:#f4f6f9;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Helvetica,Arial,sans-serif;-webkit-font-smoothing:antialiased;color:#111827">
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="background:#f4f6f9;padding:32px 16px">
+  <tr>
+    <td align="center">
+      <table role="presentation" width="520" cellpadding="0" cellspacing="0" border="0" style="max-width:520px;width:100%;background:#ffffff;border:1px solid #e5e7eb;border-radius:14px;box-shadow:0 4px 16px rgba(0,0,0,0.06),0 1px 4px rgba(0,0,0,0.04);overflow:hidden">
+        <tr>
+          <td style="padding:28px 32px 20px 32px;border-bottom:1px solid #f1f5f9">
+            <table role="presentation" cellpadding="0" cellspacing="0" border="0">
+              <tr>
+                <td style="vertical-align:middle">
+                  <div style="width:40px;height:40px;background:#2563eb;border-radius:9px;color:#ffffff;font-weight:800;font-size:15px;letter-spacing:-0.5px;text-align:center;line-height:40px">i1</div>
+                </td>
+                <td style="vertical-align:middle;padding-left:12px">
+                  <div style="font-size:10px;font-weight:500;color:#9ca3af;letter-spacing:0.3px;text-transform:uppercase">Klassenportal</div>
+                  <div style="font-size:17px;font-weight:700;color:#111827;letter-spacing:-0.3px;line-height:1.2">INFO1</div>
+                </td>
+              </tr>
+            </table>
+          </td>
+        </tr>
+        <tr>
+          <td style="padding:32px">
+            <h1 style="margin:0 0 14px 0;font-size:22px;font-weight:700;color:#111827;letter-spacing:-0.3px">E-Mail bestätigen</h1>
+            <p style="margin:0 0 20px 0;font-size:15px;line-height:1.55;color:#374151">
+              Willkommen beim INFO1-Klassenportal. Bitte bestätige deine E-Mail-Adresse, damit dein Konto aktiviert werden kann.
+            </p>
+            <table role="presentation" cellpadding="0" cellspacing="0" border="0" style="margin:8px 0 24px 0">
+              <tr>
+                <td style="background:#2563eb;border-radius:8px">
+                  <a href="${link}" style="display:inline-block;padding:13px 28px;color:#ffffff;font-size:15px;font-weight:600;text-decoration:none;letter-spacing:0.1px">
+                    E-Mail bestätigen
+                  </a>
+                </td>
+              </tr>
+            </table>
+            <p style="margin:0 0 8px 0;font-size:13px;color:#6b7280">Falls der Button nicht funktioniert, kopiere diesen Link in deinen Browser:</p>
+            <p style="margin:0 0 24px 0;padding:10px 12px;background:#f9fafb;border:1px solid #e5e7eb;border-radius:6px;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:12px;color:#374151;word-break:break-all">${link}</p>
+            <div style="padding:12px 14px;background:#fffbeb;border:1px solid #fde68a;border-radius:8px">
+              <p style="margin:0;font-size:13px;color:#92400e;line-height:1.5">
+                Dieser Link ist 24 Stunden gültig. Falls du diese Registrierung nicht angefordert hast, ignoriere bitte diese Nachricht.
+              </p>
+            </div>
+          </td>
+        </tr>
+        <tr>
+          <td style="padding:20px 32px 28px 32px;border-top:1px solid #f1f5f9;background:#fafbfc">
+            <p style="margin:0 0 6px 0;font-size:12px;color:#9ca3af;line-height:1.5">
+              Diese Nachricht wurde automatisch erzeugt. Antworten werden nicht gelesen.
+            </p>
+            <p style="margin:0;font-size:11px;color:#9ca3af;line-height:1.5">
+              INFO1 ist ein privates Klassenportal von Schülern für Schüler. Kein offizielles Angebot einer Schule oder eines Trägers.
+            </p>
+          </td>
+        </tr>
+      </table>
+      <p style="margin:16px 0 0 0;font-size:11px;color:#9ca3af">INFO1 Klassenportal</p>
+    </td>
+  </tr>
+</table>
+</body>
+</html>`;
+}
+
+function renderVerifyText(link) {
+  return [
+    'INFO1 Klassenportal',
+    '',
+    'E-Mail bestätigen',
+    '',
+    'Willkommen beim INFO1-Klassenportal. Bitte bestätige deine E-Mail-Adresse, damit dein Konto aktiviert werden kann.',
+    '',
+    'Zum Bestätigen diesen Link öffnen:',
+    link,
+    '',
+    'Der Link ist 24 Stunden gültig. Falls du diese Registrierung nicht angefordert hast, ignoriere bitte diese Nachricht.',
+    '',
+    'INFO1 ist ein privates Klassenportal von Schülern für Schüler. Kein offizielles Angebot einer Schule oder eines Trägers.',
+  ].join('\n');
+}
+
+async function sendVerifyMail(email, token) {
+  if (!resend) throw new Error('Mailer not configured');
+  const link = `${APP_URL}/api/verify?token=${encodeURIComponent(token)}`;
+  return resend.emails.send({
+    from: `${MAIL_FROM_NAME} <${MAIL_FROM}>`,
+    to: email,
+    subject: 'INFO1: E-Mail bestätigen',
+    html: renderVerifyHtml(link),
+    text: renderVerifyText(link),
+  });
+}
+
+module.exports = { sendVerifyMail };
@@ -1,4 +1,5 @@
 const express = require('express');
+const crypto = require('crypto');
 const bcrypt = require('bcryptjs');
 const rateLimit = require('express-rate-limit');
 const { generateSecret, generateURI, verifySync } = require('otplib');
@@ -6,6 +7,9 @@ const QRCode = require('qrcode');
 const db = require('./db');
 const { signToken, requireAuth, COOKIE_OPTIONS } = require('./auth');
 const { deleteUserFiles } = require('./files');
+const { sendVerifyMail } = require('./mailer');
+
+const VERIFY_TTL_MS = 24 * 60 * 60 * 1000;

 const router = express.Router();

@@ -35,11 +39,19 @@ const passwordChangeLimiter = rateLimit({
  validate: { keyGeneratorIpFallback: false },
 });

+const resendVerifyLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  max: 3,
+  message: { error: 'Zu viele Verifizierungsmails. Bitte 1 Stunde warten.' },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
 // --- AUTH ---
 const IFB_EMAIL_RE = /^[a-z]\.[a-z]{2,}@ifb-schulen\.com$/i;
 const VALID_SUBJECTS = ['Deutsch','Mathematik','Englisch','Informatik','Wirtschaft','Buchführung','BWL','VWL','Recht','Rechnungswesen','Sport','Religion','Geschichte','Gemeinschaftskunde','Physik','Chemie','Biologie','Sozialkunde','Ethik','Sonstiges'];

-router.post('/register', registerLimiter, (req, res) => {
+router.post('/register', registerLimiter, async (req, res) => {
  const { email, password, role, subject } = req.body;
  if (!email || !password) return res.status(400).json({ error: 'Alle Felder erforderlich' });
  if (!IFB_EMAIL_RE.test(email)) return res.status(403).json({ error: 'Ungültige E-Mail-Adresse' });
@@ -57,22 +69,33 @@ router.post('/register', registerLimiter, (req, res) => {
  }

  const hash = bcrypt.hashSync(password, 12);
+  const verifyToken = crypto.randomBytes(32).toString('hex');
+  const verifyExpires = new Date(Date.now() + VERIFY_TTL_MS).toISOString();
+
+  let userId;
  try {
-    const result = db.prepare('INSERT INTO users (username, email, password_hash, role, status, subject) VALUES (?, ?, ?, ?, ?, ?)').run(username, email.toLowerCase(), hash, safeRole, initialStatus, safeSubject);
-    if (safeRole === 'teacher') {
-      return res.json({ ok: true, pending: true });
-    }
-    const user = { id: result.lastInsertRowid, username, role: safeRole, subject: null };
-    const token = signToken(user);
-    res.cookie('token', token, COOKIE_OPTIONS);
-    res.json({ ok: true, pending: false });
+    const result = db.prepare(`
+      INSERT INTO users (username, email, password_hash, role, status, subject, email_verified, verify_token, verify_expires)
+      VALUES (?, ?, ?, ?, ?, ?, 0, ?, ?)
+    `).run(username, email.toLowerCase(), hash, safeRole, initialStatus, safeSubject, verifyToken, verifyExpires);
+    userId = result.lastInsertRowid;
  } catch (e) {
    if (e.message.includes('UNIQUE')) {
      if (e.message.includes('email')) return res.status(409).json({ error: 'Diese E-Mail-Adresse ist bereits registriert' });
      return res.status(409).json({ error: 'Benutzername bereits vergeben' });
    }
-    res.status(500).json({ error: 'Serverfehler' });
+    return res.status(500).json({ error: 'Serverfehler' });
  }
+
+  try {
+    await sendVerifyMail(email.toLowerCase(), verifyToken);
+  } catch (e) {
+    console.error('sendVerifyMail failed:', e);
+    db.prepare('DELETE FROM users WHERE id = ?').run(userId);
+    return res.status(500).json({ error: 'Verifizierungsmail konnte nicht gesendet werden. Bitte später erneut versuchen.' });
+  }
+
+  res.json({ ok: true, verify: true, pending: safeRole === 'teacher' });
 });

 router.post('/login', loginLimiter, (req, res) => {
@@ -81,6 +104,9 @@ router.post('/login', loginLimiter, (req, res) => {
  if (!user || !bcrypt.compareSync(password, user.password_hash)) {
    return res.status(401).json({ error: 'Falscher Benutzername oder Passwort' });
  }
+  if (!user.email_verified) {
+    return res.status(403).json({ error: 'E-Mail-Adresse nicht bestätigt. Bitte prüfe dein Postfach.', needVerify: true });
+  }
  if (user.status === 'pending') {
    return res.status(403).json({ error: 'Dein Konto wartet noch auf Freischaltung durch einen Administrator.' });
  }
@@ -108,6 +134,47 @@ router.post('/logout', (req, res) => {
  res.json({ ok: true });
 });

+router.get('/verify', (req, res) => {
+  const { token } = req.query;
+  const fail = (msg) => res.status(400).send(`
+    <!doctype html><meta charset="utf-8"><title>Verifizierung</title>
+    <div style="font-family:system-ui;max-width:480px;margin:48px auto;padding:24px;text-align:center">
+      <h2>Verifizierung fehlgeschlagen</h2>
+      <p>${msg}</p>
+      <p><a href="/login">Zum Login</a></p>
+    </div>
+  `);
+  if (!token || typeof token !== 'string') return fail('Ungültiger Link.');
+  const user = db.prepare('SELECT id, verify_expires, email_verified FROM users WHERE verify_token = ?').get(token);
+  if (!user) return fail('Token unbekannt oder bereits verwendet.');
+  if (user.email_verified) {
+    return res.redirect('/login?verified=1');
+  }
+  if (!user.verify_expires || new Date(user.verify_expires) < new Date()) {
+    return fail('Link abgelaufen. Bitte neue Verifizierungsmail anfordern.');
+  }
+  db.prepare('UPDATE users SET email_verified = 1, verify_token = NULL, verify_expires = NULL WHERE id = ?').run(user.id);
+  res.redirect('/login?verified=1');
+});
+
+router.post('/resend-verify', resendVerifyLimiter, async (req, res) => {
+  const { email } = req.body;
+  if (!email || !IFB_EMAIL_RE.test(email)) return res.status(400).json({ error: 'Ungültige E-Mail-Adresse' });
+  const user = db.prepare('SELECT id, email_verified FROM users WHERE email = ?').get(email.toLowerCase());
+  // Keine Info leaken: gleiche Antwort auch wenn User nicht existiert
+  if (!user || user.email_verified) return res.json({ ok: true });
+  const newToken = crypto.randomBytes(32).toString('hex');
+  const newExpires = new Date(Date.now() + VERIFY_TTL_MS).toISOString();
+  db.prepare('UPDATE users SET verify_token = ?, verify_expires = ? WHERE id = ?').run(newToken, newExpires, user.id);
+  try {
+    await sendVerifyMail(email.toLowerCase(), newToken);
+  } catch (e) {
+    console.error('sendVerifyMail failed:', e);
+    return res.status(500).json({ error: 'Mail konnte nicht gesendet werden' });
+  }
+  res.json({ ok: true });
+});
+
 router.get('/me', requireAuth, (req, res) => {
  const user = db.prepare('SELECT id, username, email, role, status, subject FROM users WHERE id = ?').get(req.user.id);
  if (!user || user.status !== 'active') return res.status(403).json({ error: 'Konto nicht aktiv' });
@@ -154,7 +221,7 @@ function logAdmin(adminId, action, targetId = null, details = null) {

 router.get('/admin/users', requireAuth, requireAdmin, (req, res) => {
  const { role, status } = req.query;
-  let sql = 'SELECT id, username, email, role, status, created_at FROM users';
+  let sql = 'SELECT id, username, email, role, status, email_verified, created_at FROM users';
  const params = [];
  const conditions = [];
  if (role) { conditions.push('role = ?'); params.push(role); }
@@ -183,19 +250,28 @@ router.post('/admin/teachers/:id/reject', requireAuth, requireAdmin, (req, res)
 });

 router.patch('/admin/users/:id', requireAuth, requireAdmin, (req, res) => {
-  const { role, status } = req.body;
+  const { role, status, email_verified } = req.body;
  const allowed_roles = ['student', 'teacher', 'admin'];
  const allowed_status = ['active', 'pending', 'banned', 'rejected'];
  if (role && !allowed_roles.includes(role)) return res.status(400).json({ error: 'Ungültige Rolle' });
  if (status && !allowed_status.includes(status)) return res.status(400).json({ error: 'Ungültiger Status' });
-  if (!role && !status) return res.status(400).json({ error: 'Keine Änderung angegeben' });
+  const hasEmailVerified = email_verified === 0 || email_verified === 1;
+  if (email_verified !== undefined && !hasEmailVerified) return res.status(400).json({ error: 'Ungültiger email_verified-Wert' });
+  if (!role && !status && !hasEmailVerified) return res.status(400).json({ error: 'Keine Änderung angegeben' });

  const target = db.prepare('SELECT id FROM users WHERE id = ?').get(req.params.id);
  if (!target) return res.status(404).json({ error: 'Benutzer nicht gefunden' });

  if (role) db.prepare('UPDATE users SET role = ? WHERE id = ?').run(role, req.params.id);
  if (status) db.prepare('UPDATE users SET status = ? WHERE id = ?').run(status, req.params.id);
-  logAdmin(req.user.id, 'user_update', Number(req.params.id), { role, status });
+  if (hasEmailVerified) {
+    if (email_verified === 1) {
+      db.prepare('UPDATE users SET email_verified = 1, verify_token = NULL, verify_expires = NULL WHERE id = ?').run(req.params.id);
+    } else {
+      db.prepare('UPDATE users SET email_verified = 0 WHERE id = ?').run(req.params.id);
+    }
+  }
+  logAdmin(req.user.id, 'user_update', Number(req.params.id), { role, status, email_verified });
  res.json({ ok: true });
 });