hide PIN during Anmeldung and within route guards

src/routes/anmeldung/+page.server.ts

@@ -1,3 +1,4 @@
+import { dev } from '$app/environment';
 import { loginUser, logoutUser } from '$lib/server/authService';
 import { redirect } from '@sveltejs/kit';
 import { ROUTE_NAMES } from '../index.js';
@@ -5,13 +6,21 @@ import { ROUTE_NAMES } from '../index.js';
 export const actions = {
 	login: ({ request, cookies }) => loginUser({ request, cookies }),
 	logout: (event) => logoutUser(event),
-	getVorgangByToken: async ({ request }) => {
+	getVorgangByToken: async ({ request, cookies }) => {
 		const data = await request.formData();
 		const vorgangToken = data.get('vorgang-token');
 		const vorgangPIN = data.get('vorgang-pin');
 
 		if (!vorgangToken || !vorgangPIN) return;
 
-		throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken, vorgangPIN));
+		const COOKIE_NAME = `token-${vorgangToken}`
+		cookies.set(COOKIE_NAME, vorgangPIN, {
+			path: '/',
+			httpOnly: true,
+			sameSite: 'strict',
+			secure: !dev
+		});
+
+		throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken));
 	}
 } as const;