From 45bcce0fb252ec87ed7c75beb5f3abd6518eac43 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran
Date: Wed, 1 Oct 2025 09:54:21 +0200
Subject: [PATCH] hide PIN during Anmeldung and within route guards

---
 src/routes/(token-based)/+layout.server.ts | 13 ++++++-------
 src/routes/anmeldung/+page.server.ts | 13 +++++++++++--
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/src/routes/(token-based)/+layout.server.ts b/src/routes/(token-based)/+layout.server.ts
index 543cbb2..42713ba 100644
--- a/src/routes/(token-based)/+layout.server.ts
+++ b/src/routes/(token-based)/+layout.server.ts
@@ -1,12 +1,9 @@
-import {
- vorgangPINValidation,
- vorgangExists
-} from '$lib/server/vorgangService';
+import { vorgangPINValidation, vorgangExists } from '$lib/server/vorgangService';
 import { redirect } from '@sveltejs/kit';
 import type { PageServerLoad } from './list/[vorgang]/$types';
 import { ROUTE_NAMES } from '..';
-export const load: PageServerLoad = async ({ params, url, locals }) => {
+export const load: PageServerLoad = async ({ params, cookies, locals }) => {
 if (locals.user) {
 return {
 user: locals.user
@@ -14,10 +11,12 @@ export const load: PageServerLoad = async ({ params, url, locals }) => {
 }
 const vorgangToken = params.vorgang;
- const vorgangPIN = url.searchParams.get('pin');
+ const COOKIE_NAME = `token-${vorgangToken}`;
+ const vorgangPIN = cookies.get(COOKIE_NAME);
 const isVorgangValid = vorgangExists(vorgangToken);
 const isVorgangPINValid = vorgangPINValidation(vorgangToken, vorgangPIN);
- if (!isVorgangValid || !isVorgangPINValid) throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));
+ if (!isVorgangValid || !isVorgangPINValid)
+ throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));
 };
diff --git a/src/routes/anmeldung/+page.server.ts b/src/routes/anmeldung/+page.server.ts
index bfe8d21..a4d6007 100644
--- a/src/routes/anmeldung/+page.server.ts
+++ b/src/routes/anmeldung/+page.server.ts
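Review bot: On a failed check the guard redirects but leaves the `token-${vorgangToken}` cookie in place, so a wrong or stale PIN is re-sent and re-validated on every later visit to this route; add `cookies.delete(COOKIE_NAME, { path: '/' });` before the `throw redirect(...)` so the user is sent back through the form with clean state. `cookies.get` also yields `undefined` where `url.searchParams.get` yielded `null`, so confirm that the second parameter of `vorgangPINValidation` accepts `string | undefined`. The cookie-name format is duplicated verbatim in the anmeldung action; exporting a single helper for it (for example from `$lib/server/vorgangService`) would keep the two from drifting apart.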
@@ -1,3 +1,4 @@
+import { dev } from '$app/environment';
 import { loginUser, logoutUser } from '$lib/server/authService';
 import { redirect } from '@sveltejs/kit';
 import { ROUTE_NAMES } from '../index.js';
@@ -5,13 +6,21 @@ import { ROUTE_NAMES } from '../index.js';
 export const actions = {
 login: ({ request, cookies }) => loginUser({ request, cookies }),
 logout: (event) => logoutUser(event),
- getVorgangByToken: async ({ request }) => {
+ getVorgangByToken: async ({ request, cookies }) => {
 const data = await request.formData();
 const vorgangToken = data.get('vorgang-token');
 const vorgangPIN = data.get('vorgang-pin');
 if (!vorgangToken || !vorgangPIN) return;
- throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken, vorgangPIN));
+ const COOKIE_NAME = `token-${vorgangToken}`
+ cookies.set(COOKIE_NAME, vorgangPIN, {
+ path: '/',
+ httpOnly: true,
+ sameSite: 'strict',
+ secure: !dev
+ });
+
+ throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken));
 }
 } as const;
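Review bot: `cookies.set(COOKIE_NAME, vorgangPIN, …)` persists the PIN itself, so the secret travels in plaintext on every later request and is re-checked by the route guard each time; storing a server-issued opaque or signed value instead, and keeping the PIN on the server, would limit what a leaked cookie is worth. Both `vorgangToken` and `vorgangPIN` come straight from `formData()` and are only truthiness-checked, so a `File` entry or a token containing characters the cookie serializer does not accept reaches `cookies.set` (which, as far as I recall, throws a TypeError on an invalid cookie name); narrow first with `if (typeof vorgangToken !== 'string' || typeof vorgangPIN !== 'string') return;` and ideally check the token against its expected format before it becomes part of a cookie name. The `const COOKIE_NAME = …` line is also missing its trailing semicolon, unlike the rest of the file.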