From e45b0e34c91a29a5e19951215a0c76321e59a510 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Mon, 4 Aug 2025 09:41:13 +0200
Subject: [PATCH 01/12] =?UTF-8?q?add=20=C2=B4unique=C2=B4=20constraint=20i?=
 =?UTF-8?q?n=20db=20init=20script=20for=20username?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/init/init_db.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/init/init_db.ts b/src/init/init_db.ts
index 559708b..b057c3c 100644
--- a/src/init/init_db.ts
+++ b/src/init/init_db.ts
@@ -5,7 +5,7 @@ const db = new Database('./src/lib/data/tatort.db');
 
 let createSQLStmt = `CREATE TABLE IF NOT EXISTS users
         (id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL,
+            name TEXT NOT NULL UNIQUE,
             pw TEXT NOT NULL)`;
 db.exec(createSQLStmt);
 

From 26b94938a99a6f9ba191ad55dc377ef8560c0737 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Wed, 6 Aug 2025 08:37:24 +0200
Subject: [PATCH 02/12] user list and possibility of adding new users
 implemented on FE and BE

---
 src/lib/server/userService.ts                 |  36 ++++
 src/routes/(angemeldet)/+page.svelte          |  12 ++
 .../(angemeldet)/user-management/+page.svelte | 180 ++++++++++++++++++
 src/routes/api/users/+server.ts               |  25 +++
 4 files changed, 253 insertions(+)
 create mode 100644 src/lib/server/userService.ts
 create mode 100644 src/routes/(angemeldet)/user-management/+page.svelte
 create mode 100644 src/routes/api/users/+server.ts

diff --git a/src/lib/server/userService.ts b/src/lib/server/userService.ts
new file mode 100644
index 0000000..80c41ae
--- /dev/null
+++ b/src/lib/server/userService.ts
@@ -0,0 +1,36 @@
+import { db } from '$lib/server/dbService';
+
+export const getUsers = (): { userId: string; userName: string }[] => {
+	const getUsersSQLStmt = `SELECT id, name
+													 FROM users;`;
+	const statement = db.prepare(getUsersSQLStmt);
+	const result = statement.all() as { id: string; name: string }[];
+	const userList: { userId: string; userName: string }[] = [];
+
+	for (const resultItem of result) {
+		const user = { userId: resultItem.id, userName: resultItem.name };
+		userList.push(user);
+	}
+
+	return userList;
+};
+
+export const addUser = (userName: string, userPassword: string): number => {
+	const addUserSQLStmt = `INSERT into users(name, pw)
+													values (?, ?)`;
+	const statement = db.prepare(addUserSQLStmt);
+
+	let rowCount;
+	try {
+		const info = statement.run(userName, userPassword);
+		rowCount = info.changes;
+	} catch (error) {
+		console.log(error);
+		rowCount = 0;
+	}
+
+	return rowCount;
+};
+
+export const deleteUser = () => {
+};
diff --git a/src/routes/(angemeldet)/+page.svelte b/src/routes/(angemeldet)/+page.svelte
index 6287a40..16f5d0a 100644
--- a/src/routes/(angemeldet)/+page.svelte
+++ b/src/routes/(angemeldet)/+page.svelte
@@ -42,6 +42,18 @@
 				<p class="mt-1 text-gray-600">Fügen Sie einem Tatort Bilder hinzu.</p>
 			</div>
 		{/if}
+		<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
+			<div
+				class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
+			>
+				<FileRect class=" group-hover:text-indigo-600" {outline} />
+			</div>
+			<a href="/user-management" class="mt-6 block font-semibold text-gray-900">
+				Benutzerverwaltung
+				<span class="absolute inset-0"></span>
+			</a>
+			<p class="mt-1 text-gray-600">Füge neue Benutzer hinzu oder entferne welche.</p>
+		</div>
 	</div>
 </div>
 
diff --git a/src/routes/(angemeldet)/user-management/+page.svelte b/src/routes/(angemeldet)/user-management/+page.svelte
new file mode 100644
index 0000000..ebff868
--- /dev/null
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -0,0 +1,180 @@
+<script lang="ts">
+    import {onMount} from 'svelte';
+    import Button from "$lib/components/Button.svelte";
+
+    import jsSHA from 'jssha'
+
+    const {data} = $props();
+
+    let userName = $state('')
+    let userPassword = $state('')
+    let userList = $state([])
+    let addUserError = $state(false);
+    let addUserSuccess = $state(false);
+    const currentUser: string = data.id;
+
+    onMount(async () => {
+        userList = await getUsers();
+    })
+
+    async function getUsers() {
+        const URL = "/api/users"
+        const response = await fetch(URL);
+
+        return await response.json();
+    }
+
+    async function addUser() {
+        if (userName == "") {
+            alert("Der Benutzername darf nicht leer sein.")
+            return;
+        }
+
+        if (userPassword == "") {
+            alert("Das Passwort darf nicht leer sein.")
+            return;
+        }
+
+        const URL = "/api/users";
+        const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
+        const userData = {userName: userName, userPassword: hashedUserPassword}
+
+        const response = await fetch(URL, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify(userData)
+        })
+
+        if (response.ok) {
+            userList = await getUsers();
+            addUserSuccess = true;
+            resetInput();
+        } else {
+            addUserError = true;
+        }
+    }
+
+    function resetInput() {
+        userName = "";
+        userPassword = "";
+        addUserError = false;
+        setInterval(() => {
+            addUserSuccess = false;
+        }, 5000);
+    }
+
+    async function deleteUser() {
+
+    }
+
+</script>
+
+<h1 class="flex justify-center text-3xl md:text-4xl font-bold text-gray-800 dark:text-white tracking-tight mb-4">
+    Benutzerverwaltung
+</h1>
+
+<h1 class="flex justify-center text-lg md:text-xl font-medium text-gray-800 dark:text-white tracking-tight mb-2">
+    Benutzerliste
+</h1>
+
+<div class="w-1/4 mx-auto">
+    <table class="min-w-full border border-gray-300 rounded overflow-hidden">
+        <thead class="bg-gray-100 dark:bg-gray-700">
+        <tr>
+            <th class="text-left px-4 py-2">Benutzername</th>
+            <th class="text-center px-4 py-2">Entfernen</th>
+        </tr>
+        </thead>
+        <tbody>
+        {#each userList as user}
+            <tr class="border-t border-gray-200 dark:border-gray-600">
+                <td class="px-4 py-2 text-gray-800 dark:text-white">{user.userName}</td>
+                <td class="px-4 py-2 text-center">
+                    <button
+                            class="text-red-600 hover:text-red-800 focus:outline-none focus:ring-2 focus:ring-red-500 rounded-full p-1 transition"
+                            on:click={() => removeUser(user.id)}
+                            aria-label="Delete user"
+                    >
+                        {#if !(user.userName != currentUser)}
+                            <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24"
+                                 stroke="currentColor">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                      d="M6 18L18 6M6 6l12 12"/>
+                            </svg>
+                        {/if}
+                    </button>
+                </td>
+            </tr>
+        {/each}
+        </tbody>
+    </table>
+</div>
+
+<h1 style="margin-top: 50px;"
+    class="flex justify-center text-lg md:text-xl font-medium text-gray-800 dark:text-white tracking-tight mb-2">
+    Neuer Nutzer
+</h1>
+
+<div class="mx-auto flex justify-center">
+    <form>
+        <div class="form-group">
+            <label for="username">Benutzername</label>
+            <input bind:value={userName} type="text" id="username" placeholder="Namen eingeben"/>
+        </div>
+
+        <div class="form-group">
+            <label for="password">Passwort</label>
+            <input bind:value={userPassword} type="password" id="password" placeholder="Passwort vergeben"/>
+        </div>
+    </form>
+</div>
+
+<div class="mx-auto flex flex-col items-center space-y-4" style="margin-top: 20px;">
+    {#if addUserError}
+        <div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
+             role="alert">
+            <svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
+                 stroke="currentColor">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                      d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z"/>
+            </svg>
+            <span class="text-sm font-medium">Der Benutzer konnte nicht hinzugefügt werden.</span>
+        </div>
+    {/if}
+    {#if addUserSuccess}
+        <div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
+             role="alert">
+            <svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
+                 stroke="currentColor">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                      d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z"/>
+            </svg>
+            <span class="text-sm font-medium">Der Benutzer wurde hinzugefügt.</span>
+        </div>
+    {/if}
+
+    <Button on:click={addUser}>Benutzer hinzufügen</Button>
+</div>
+
+<style>
+    .form-group {
+        display: flex;
+        flex-direction: column;
+        margin-bottom: 15px;
+    }
+
+    label {
+        margin-bottom: 5px;
+        font-weight: bold;
+    }
+
+    input[type="text"],
+    input[type="password"] {
+        padding: 8px;
+        font-size: 16px;
+        border: 1px solid #ccc;
+        border-radius: 4px;
+    }
+</style>
\ No newline at end of file
diff --git a/src/routes/api/users/+server.ts b/src/routes/api/users/+server.ts
new file mode 100644
index 0000000..c14b677
--- /dev/null
+++ b/src/routes/api/users/+server.ts
@@ -0,0 +1,25 @@
+import { json } from '@sveltejs/kit';
+import { addUser, getUsers } from '$lib/server/userService';
+
+export function GET({ locals }) {
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	const users_list = getUsers();
+
+	return new Response(JSON.stringify(users_list));
+}
+
+export async function POST({ request, locals }) {
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	const data = await request.json();
+	const userName = data.userName;
+	const userPassword = data.userPassword;
+	const rowCount = addUser(userName, userPassword);
+
+	return new Response(null, { status: rowCount == 1 ? 200 : 400 });
+}

From dd06c93b1c261dfab1438e796bad87ae2159983d Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Wed, 6 Aug 2025 09:58:00 +0200
Subject: [PATCH 03/12] fix currentUser fetching from loaded data

---
 src/routes/(angemeldet)/user-management/+page.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/(angemeldet)/user-management/+page.svelte b/src/routes/(angemeldet)/user-management/+page.svelte
index ebff868..a0478a9 100644
--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -11,7 +11,7 @@
     let userList = $state([])
     let addUserError = $state(false);
     let addUserSuccess = $state(false);
-    const currentUser: string = data.id;
+    const currentUser: string = data.user.id;
 
     onMount(async () => {
         userList = await getUsers();

From 4f0526c71f26f9a4c784f7f3c41b66f24a4c25cf Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Wed, 6 Aug 2025 09:59:18 +0200
Subject: [PATCH 04/12] rename loop item variable for userlist-user

---
 src/routes/(angemeldet)/user-management/+page.svelte | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/routes/(angemeldet)/user-management/+page.svelte b/src/routes/(angemeldet)/user-management/+page.svelte
index a0478a9..24fa530 100644
--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -88,16 +88,16 @@
         </tr>
         </thead>
         <tbody>
-        {#each userList as user}
+        {#each userList as userItem}
             <tr class="border-t border-gray-200 dark:border-gray-600">
-                <td class="px-4 py-2 text-gray-800 dark:text-white">{user.userName}</td>
+                <td class="px-4 py-2 text-gray-800 dark:text-white">{userItem.userName}</td>
                 <td class="px-4 py-2 text-center">
                     <button
                             class="text-red-600 hover:text-red-800 focus:outline-none focus:ring-2 focus:ring-red-500 rounded-full p-1 transition"
-                            on:click={() => removeUser(user.id)}
+                            on:click={() => deleteUser(userItem.userId)}
                             aria-label="Delete user"
                     >
-                        {#if !(user.userName != currentUser)}
+                        {#if (userItem.userName != currentUser)}
                             <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24"
                                  stroke="currentColor">
                                 <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"

From 7e87a01c59be1c6dcfab28e79c5149454d815d5c Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Wed, 6 Aug 2025 11:44:48 +0200
Subject: [PATCH 05/12] rename userList variable to CamelCase

---
 src/routes/api/users/+server.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/routes/api/users/+server.ts b/src/routes/api/users/+server.ts
index c14b677..ff164e3 100644
--- a/src/routes/api/users/+server.ts
+++ b/src/routes/api/users/+server.ts
@@ -6,9 +6,9 @@ export function GET({ locals }) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
 
-	const users_list = getUsers();
+	const userList = getUsers();
 
-	return new Response(JSON.stringify(users_list));
+	return new Response(JSON.stringify(userList));
 }
 
 export async function POST({ request, locals }) {

From cbea96f892f0f268d3d6ab5fde0068418d0427b1 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Wed, 6 Aug 2025 11:52:39 +0200
Subject: [PATCH 06/12] implement deletion of admin user, frontend and backend

---
 src/lib/server/userService.ts                 | 20 ++++++++++++++++++-
 .../(angemeldet)/user-management/+page.svelte | 15 +++++++++++++-
 src/routes/api/users/[user]/+server.ts        | 13 ++++++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 src/routes/api/users/[user]/+server.ts

diff --git a/src/lib/server/userService.ts b/src/lib/server/userService.ts
index 80c41ae..3e78f5b 100644
--- a/src/lib/server/userService.ts
+++ b/src/lib/server/userService.ts
@@ -32,5 +32,23 @@ export const addUser = (userName: string, userPassword: string): number => {
 	return rowCount;
 };
 
-export const deleteUser = () => {
+export const deleteUser = (userId: string) => {
+	// make sure to not delete the last entry
+	const deleteUserSQLStmt = `DELETE
+														 FROM users
+														 WHERE id = ?
+															 AND (SELECT COUNT(*) FROM users) > 1;`;
+
+	const statement = db.prepare(deleteUserSQLStmt);
+
+	let rowCount;
+	try {
+		const info = statement.run(userId);
+		rowCount = info.changes;
+	} catch (error) {
+		console.log(error);
+		rowCount = 0;
+	}
+
+	return rowCount;
 };
diff --git a/src/routes/(angemeldet)/user-management/+page.svelte b/src/routes/(angemeldet)/user-management/+page.svelte
index 24fa530..d9875c8 100644
--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -65,8 +65,21 @@
         }, 5000);
     }
 
-    async function deleteUser() {
+    async function deleteUser(userId: number) {
+        const URL = `/api/users/${userId}`;
 
+        const response = await fetch(URL, {
+            method: 'DELETE',
+            headers: {
+                'Content-Type': 'application/json'
+            }
+        })
+
+        if (response.status == 204) {
+            userList = await getUsers();
+        } else {
+            alert("Nutzer konnte nicht gelöscht werden")
+        }
     }
 
 </script>
diff --git a/src/routes/api/users/[user]/+server.ts b/src/routes/api/users/[user]/+server.ts
new file mode 100644
index 0000000..704ae19
--- /dev/null
+++ b/src/routes/api/users/[user]/+server.ts
@@ -0,0 +1,13 @@
+import { json } from '@sveltejs/kit';
+import { deleteUser } from '$lib/server/userService';
+
+export async function DELETE({ params, locals }) {
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	const userId = params.user;
+	const rowCount = deleteUser(userId);
+
+	return new Response(null, { status: rowCount == 1 ? 204 : 400 });
+}

From 885ad40543625bcb34c5892d8516bf2ea50b8c39 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 7 Aug 2025 07:57:28 +0200
Subject: [PATCH 07/12] add typing for userList and change userId parameter
 type

---
 src/routes/(angemeldet)/user-management/+page.svelte | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/routes/(angemeldet)/user-management/+page.svelte b/src/routes/(angemeldet)/user-management/+page.svelte
index d9875c8..8bef7e4 100644
--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -8,7 +8,7 @@
 
     let userName = $state('')
     let userPassword = $state('')
-    let userList = $state([])
+    let userList: { userId: string; userName: string }[] = $state([])
     let addUserError = $state(false);
     let addUserSuccess = $state(false);
     const currentUser: string = data.user.id;
@@ -65,7 +65,7 @@
         }, 5000);
     }
 
-    async function deleteUser(userId: number) {
+    async function deleteUser(userId: string) {
         const URL = `/api/users/${userId}`;
 
         const response = await fetch(URL, {

From 61363cc400b28ceb1881367c259da5623836ac12 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 7 Aug 2025 08:00:30 +0200
Subject: [PATCH 08/12] check if new account data is non-empty

---
 src/routes/api/users/+server.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/routes/api/users/+server.ts b/src/routes/api/users/+server.ts
index ff164e3..b825346 100644
--- a/src/routes/api/users/+server.ts
+++ b/src/routes/api/users/+server.ts
@@ -19,6 +19,11 @@ export async function POST({ request, locals }) {
 	const data = await request.json();
 	const userName = data.userName;
 	const userPassword = data.userPassword;
+
+	if (!userName || !userPassword) {
+		return json({ error: 'Missing input' }, { status: 400 });
+	}
+
 	const rowCount = addUser(userName, userPassword);
 
 	return new Response(null, { status: rowCount == 1 ? 200 : 400 });

From ef0b981d848a9e1ffefdc19761d97a1c4f71dfcb Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Tue, 19 Aug 2025 12:24:51 +0200
Subject: [PATCH 09/12] fix user not found during auth

---
 src/lib/auth.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index c31d5ec..4529d6e 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -7,7 +7,6 @@ import config from '$lib/config';
 const SECRET = config.jwt.secret;
 const EXPIRES_IN = config.jwt.expiresIn;
 
-
 export function createToken(userData) {
 	return jwt.sign(userData, SECRET, { expiresIn: EXPIRES_IN });
 }
@@ -24,6 +23,10 @@ export function authenticate(user, password) {
 
 	const getUserSQLStmt = 'SELECT name, pw FROM users WHERE name = ?';
 	const row = db.prepare(getUserSQLStmt).get(user);
+
+	if (!row) {
+		return null;
+	}
 	const storedPW = row.pw;
 
 	if (hashedPW && hashedPW === storedPW) {

From 9d54a0fdb8bb11cabf8d063c5fcd179dd3c1a9ab Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Tue, 19 Aug 2025 12:56:28 +0200
Subject: [PATCH 10/12] refactor addUser API endpoint to return user object if
 successful

---
 src/lib/server/userService.ts   | 13 +++++--------
 src/routes/api/users/+server.ts |  8 ++++++--
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/lib/server/userService.ts b/src/lib/server/userService.ts
index 3e78f5b..a8fb0b7 100644
--- a/src/lib/server/userService.ts
+++ b/src/lib/server/userService.ts
@@ -15,21 +15,18 @@ export const getUsers = (): { userId: string; userName: string }[] => {
 	return userList;
 };
 
-export const addUser = (userName: string, userPassword: string): number => {
+export const addUser = (userName: string, userPassword: string) => {
 	const addUserSQLStmt = `INSERT into users(name, pw)
 													values (?, ?)`;
 	const statement = db.prepare(addUserSQLStmt);
 
-	let rowCount;
+	let rowInfo;
 	try {
-		const info = statement.run(userName, userPassword);
-		rowCount = info.changes;
+		rowInfo = statement.run(userName, userPassword);
+		return rowInfo;
 	} catch (error) {
-		console.log(error);
-		rowCount = 0;
+		console.error('ERROR: ', error);
 	}
-
-	return rowCount;
 };
 
 export const deleteUser = (userId: string) => {
diff --git a/src/routes/api/users/+server.ts b/src/routes/api/users/+server.ts
index b825346..7eaece3 100644
--- a/src/routes/api/users/+server.ts
+++ b/src/routes/api/users/+server.ts
@@ -24,7 +24,11 @@ export async function POST({ request, locals }) {
 		return json({ error: 'Missing input' }, { status: 400 });
 	}
 
-	const rowCount = addUser(userName, userPassword);
+	const rowInfo = addUser(userName, userPassword);
 
-	return new Response(null, { status: rowCount == 1 ? 200 : 400 });
+	if (rowInfo?.changes == 1) {
+		return json({ userId: rowInfo.lastInsertRowid, userName: userName }, { status: 201 });
+	} else {
+		return new Response(null, { status: 400 });
+	}
 }

From 723ec0773df5aef9afd5e4d5674ff18b7a802e3a Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Tue, 19 Aug 2025 13:19:23 +0200
Subject: [PATCH 11/12] add error handling and formatting

---
 .../(angemeldet)/user-management/+page.svelte | 288 ++++++++++--------
 1 file changed, 154 insertions(+), 134 deletions(-)

diff --git a/src/routes/(angemeldet)/user-management/+page.svelte b/src/routes/(angemeldet)/user-management/+page.svelte
index 8bef7e4..957326c 100644
--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -1,174 +1,194 @@
 <script lang="ts">
-    import {onMount} from 'svelte';
-    import Button from "$lib/components/Button.svelte";
+	import { onMount } from 'svelte';
+	import Button from '$lib/components/Button.svelte';
 
-    import jsSHA from 'jssha'
+	import jsSHA from 'jssha';
 
-    const {data} = $props();
+	const { data } = $props();
 
-    let userName = $state('')
-    let userPassword = $state('')
-    let userList: { userId: string; userName: string }[] = $state([])
-    let addUserError = $state(false);
-    let addUserSuccess = $state(false);
-    const currentUser: string = data.user.id;
+	let userName = $state('');
+	let userPassword = $state('');
+	let userList: { userId: string; userName: string }[] = $state([]);
+	let addUserError = $state(false);
+	let addUserSuccess = $state(false);
+	const currentUser: string = data.user.id;
 
-    onMount(async () => {
-        userList = await getUsers();
-    })
+	onMount(async () => {
+		try {
+			userList = await getUsers();
+		} catch (error) {
+			console.log(`An error occured while retrieving users: ${error}`);
+		}
+	});
 
-    async function getUsers() {
-        const URL = "/api/users"
-        const response = await fetch(URL);
+	async function getUsers() {
+		const URL = '/api/users';
 
-        return await response.json();
-    }
+		try {
+			const response = await fetch(URL);
+			return await response.json();
+		} catch (error) {
+			console.log(`Error fetching users: ${error}`);
+			return null;
+		}
+	}
 
-    async function addUser() {
-        if (userName == "") {
-            alert("Der Benutzername darf nicht leer sein.")
-            return;
-        }
+	async function addUser() {
+		if (userName == '') {
+			alert('Der Benutzername darf nicht leer sein.');
+			return;
+		}
 
-        if (userPassword == "") {
-            alert("Das Passwort darf nicht leer sein.")
-            return;
-        }
+		if (userPassword == '') {
+			alert('Das Passwort darf nicht leer sein.');
+			return;
+		}
 
-        const URL = "/api/users";
-        const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
-        const userData = {userName: userName, userPassword: hashedUserPassword}
+		const URL = '/api/users';
+		const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
+		const userData = { userName: userName, userPassword: hashedUserPassword };
 
-        const response = await fetch(URL, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            body: JSON.stringify(userData)
-        })
+		try {
+			const response = await fetch(URL, {
+				method: 'POST',
+				headers: {
+					'Content-Type': 'application/json'
+				},
+				body: JSON.stringify(userData)
+			});
 
-        if (response.ok) {
-            userList = await getUsers();
-            addUserSuccess = true;
-            resetInput();
-        } else {
-            addUserError = true;
-        }
-    }
+			if (response.ok) {
+				const newUser = await response.json();
+				userList = [...userList, newUser];
+				addUserSuccess = true;
+				resetInput();
+			} else {
+				addUserError = true;
+			}
+		} catch (error) {
+			console.log(`Error creating user: ${error}`);
+			addUserError = true;
+		}
+	}
 
-    function resetInput() {
-        userName = "";
-        userPassword = "";
-        addUserError = false;
-        setInterval(() => {
-            addUserSuccess = false;
-        }, 5000);
-    }
+	function resetInput() {
+		userName = '';
+		userPassword = '';
+		addUserError = false;
+		setInterval(() => {
+			addUserSuccess = false;
+		}, 5000);
+	}
 
-    async function deleteUser(userId: string) {
-        const URL = `/api/users/${userId}`;
+	async function deleteUser(userId: string) {
+		const URL = `/api/users/${userId}`;
 
-        const response = await fetch(URL, {
-            method: 'DELETE',
-            headers: {
-                'Content-Type': 'application/json'
-            }
-        })
+		try {
+			const response = await fetch(URL, {
+				method: 'DELETE',
+				headers: {
+					'Content-Type': 'application/json'
+				}
+			});
 
-        if (response.status == 204) {
-            userList = await getUsers();
-        } else {
-            alert("Nutzer konnte nicht gelöscht werden")
-        }
-    }
+			if (response.status == 204) {
+				userList = await getUsers();
+			} else {
+				alert('Nutzer konnte nicht gelöscht werden');
+			}
+
+		} catch (error) {
+			console.log(`Error deleting users: ${error}`);
+		}
+	}
 
 </script>
 
 <h1 class="flex justify-center text-3xl md:text-4xl font-bold text-gray-800 dark:text-white tracking-tight mb-4">
-    Benutzerverwaltung
+	Benutzerverwaltung
 </h1>
 
 <h1 class="flex justify-center text-lg md:text-xl font-medium text-gray-800 dark:text-white tracking-tight mb-2">
-    Benutzerliste
+	Benutzerliste
 </h1>
 
 <div class="w-1/4 mx-auto">
-    <table class="min-w-full border border-gray-300 rounded overflow-hidden">
-        <thead class="bg-gray-100 dark:bg-gray-700">
-        <tr>
-            <th class="text-left px-4 py-2">Benutzername</th>
-            <th class="text-center px-4 py-2">Entfernen</th>
-        </tr>
-        </thead>
-        <tbody>
-        {#each userList as userItem}
-            <tr class="border-t border-gray-200 dark:border-gray-600">
-                <td class="px-4 py-2 text-gray-800 dark:text-white">{userItem.userName}</td>
-                <td class="px-4 py-2 text-center">
-                    <button
-                            class="text-red-600 hover:text-red-800 focus:outline-none focus:ring-2 focus:ring-red-500 rounded-full p-1 transition"
-                            on:click={() => deleteUser(userItem.userId)}
-                            aria-label="Delete user"
-                    >
-                        {#if (userItem.userName != currentUser)}
-                            <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24"
-                                 stroke="currentColor">
-                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                      d="M6 18L18 6M6 6l12 12"/>
-                            </svg>
-                        {/if}
-                    </button>
-                </td>
-            </tr>
-        {/each}
-        </tbody>
-    </table>
+	<table class="min-w-full border border-gray-300 rounded overflow-hidden">
+		<thead class="bg-gray-100 dark:bg-gray-700">
+		<tr>
+			<th class="text-left px-4 py-2">Benutzername</th>
+			<th class="text-center px-4 py-2">Entfernen</th>
+		</tr>
+		</thead>
+		<tbody>
+		{#each userList as userItem}
+			<tr class="border-t border-gray-200 dark:border-gray-600">
+				<td class="px-4 py-2 text-gray-800 dark:text-white">{userItem.userName}</td>
+				<td class="px-4 py-2 text-center">
+					<button
+						class="text-red-600 hover:text-red-800 focus:outline-none focus:ring-2 focus:ring-red-500 rounded-full p-1 transition"
+						on:click={() => deleteUser(userItem.userId)}
+						aria-label="Delete user"
+					>
+						{#if (userItem.userName != currentUser)}
+							<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24"
+									 stroke="currentColor">
+								<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+											d="M6 18L18 6M6 6l12 12" />
+							</svg>
+						{/if}
+					</button>
+				</td>
+			</tr>
+		{/each}
+		</tbody>
+	</table>
 </div>
 
 <h1 style="margin-top: 50px;"
-    class="flex justify-center text-lg md:text-xl font-medium text-gray-800 dark:text-white tracking-tight mb-2">
-    Neuer Nutzer
+		class="flex justify-center text-lg md:text-xl font-medium text-gray-800 dark:text-white tracking-tight mb-2">
+	Neuer Nutzer
 </h1>
 
 <div class="mx-auto flex justify-center">
-    <form>
-        <div class="form-group">
-            <label for="username">Benutzername</label>
-            <input bind:value={userName} type="text" id="username" placeholder="Namen eingeben"/>
-        </div>
+	<form>
+		<div class="form-group">
+			<label for="username">Benutzername</label>
+			<input bind:value={userName} type="text" id="username" placeholder="Namen eingeben" />
+		</div>
 
-        <div class="form-group">
-            <label for="password">Passwort</label>
-            <input bind:value={userPassword} type="password" id="password" placeholder="Passwort vergeben"/>
-        </div>
-    </form>
+		<div class="form-group">
+			<label for="password">Passwort</label>
+			<input bind:value={userPassword} type="password" id="password" placeholder="Passwort vergeben" />
+		</div>
+	</form>
 </div>
 
 <div class="mx-auto flex flex-col items-center space-y-4" style="margin-top: 20px;">
-    {#if addUserError}
-        <div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
-             role="alert">
-            <svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
-                 stroke="currentColor">
-                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                      d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z"/>
-            </svg>
-            <span class="text-sm font-medium">Der Benutzer konnte nicht hinzugefügt werden.</span>
-        </div>
-    {/if}
-    {#if addUserSuccess}
-        <div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
-             role="alert">
-            <svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
-                 stroke="currentColor">
-                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                      d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z"/>
-            </svg>
-            <span class="text-sm font-medium">Der Benutzer wurde hinzugefügt.</span>
-        </div>
-    {/if}
+	{#if addUserError}
+		<div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
+				 role="alert">
+			<svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
+					 stroke="currentColor">
+				<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+							d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z" />
+			</svg>
+			<span class="text-sm font-medium">Der Benutzer konnte nicht hinzugefügt werden.</span>
+		</div>
+	{/if}
+	{#if addUserSuccess}
+		<div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
+				 role="alert">
+			<svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
+					 stroke="currentColor">
+				<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+							d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z" />
+			</svg>
+			<span class="text-sm font-medium">Der Benutzer wurde hinzugefügt.</span>
+		</div>
+	{/if}
 
-    <Button on:click={addUser}>Benutzer hinzufügen</Button>
+	<Button on:click={addUser}>Benutzer hinzufügen</Button>
 </div>
 
 <style>

From ec15095da3098c1f6e7d567fe537733ac0136615 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 21 Aug 2025 10:52:29 +0200
Subject: [PATCH 12/12] remove jssha and add bcrypt for password hashing with
 salt

---
 package-lock.json                             | 45 ++++++++++++++-----
 package.json                                  |  2 +-
 src/init/init_db.ts                           |  5 ++-
 src/lib/auth.ts                               |  8 ++--
 .../(angemeldet)/user-management/+page.svelte |  3 +-
 src/routes/api/users/+server.ts               |  6 ++-
 6 files changed, 48 insertions(+), 21 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index c3e8588..9e00d04 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,9 +12,9 @@
 				"@sveltejs/adapter-node": "^5.2.12",
 				"@tailwindcss/forms": "^0.5.10",
 				"autoprefixer": "^10.4.21",
+				"bcrypt": "^6.0.0",
 				"better-sqlite3": "^12.2.0",
 				"jsonwebtoken": "^9.0.2",
-				"jssha": "^3.3.1",
 				"minio": "^8.0.5",
 				"postcss": "^8.5.4",
 				"sqlite3": "^5.1.7",
@@ -2483,6 +2483,29 @@
 			],
 			"license": "MIT"
 		},
+		"node_modules/bcrypt": {
+			"version": "6.0.0",
+			"resolved": "https://registry.npmjs.org/bcrypt/-/bcrypt-6.0.0.tgz",
+			"integrity": "sha512-cU8v/EGSrnH+HnxV2z0J7/blxH8gq7Xh2JFT6Aroax7UohdmiJJlxApMxtKfuI7z68NvvVcmR78k2LbT6efhRg==",
+			"hasInstallScript": true,
+			"license": "MIT",
+			"dependencies": {
+				"node-addon-api": "^8.3.0",
+				"node-gyp-build": "^4.8.4"
+			},
+			"engines": {
+				"node": ">= 18"
+			}
+		},
+		"node_modules/bcrypt/node_modules/node-addon-api": {
+			"version": "8.5.0",
+			"resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-8.5.0.tgz",
+			"integrity": "sha512-/bRZty2mXUIFY/xU5HLvveNHlswNJej+RnxBjOMkidWfwZzgTbPG1E3K5TOxRLOR+5hX7bSofy8yf1hZevMS8A==",
+			"license": "MIT",
+			"engines": {
+				"node": "^18 || ^20 || >= 21"
+			}
+		},
 		"node_modules/better-sqlite3": {
 			"version": "12.2.0",
 			"resolved": "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-12.2.0.tgz",
@@ -4617,15 +4640,6 @@
 				"npm": ">=6"
 			}
 		},
-		"node_modules/jssha": {
-			"version": "3.3.1",
-			"resolved": "https://registry.npmjs.org/jssha/-/jssha-3.3.1.tgz",
-			"integrity": "sha512-VCMZj12FCFMQYcFLPRm/0lOBbLi8uM2BhXPTqw3U4YAfs4AZfiApOoBLoN8cQE60Z50m1MYMTQVCfgF/KaCVhQ==",
-			"license": "BSD-3-Clause",
-			"engines": {
-				"node": "*"
-			}
-		},
 		"node_modules/jwa": {
 			"version": "1.4.2",
 			"resolved": "https://registry.npmjs.org/jwa/-/jwa-1.4.2.tgz",
@@ -5309,6 +5323,17 @@
 				"node": ">= 10.12.0"
 			}
 		},
+		"node_modules/node-gyp-build": {
+			"version": "4.8.4",
+			"resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.8.4.tgz",
+			"integrity": "sha512-LA4ZjwlnUblHVgq0oBF3Jl/6h/Nvs5fzBLwdEF4nuxnFdsfajde4WfxtJr3CaiH+F6ewcIB/q4jQ4UzPyid+CQ==",
+			"license": "MIT",
+			"bin": {
+				"node-gyp-build": "bin.js",
+				"node-gyp-build-optional": "optional.js",
+				"node-gyp-build-test": "build-test.js"
+			}
+		},
 		"node_modules/node-releases": {
 			"version": "2.0.19",
 			"resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.19.tgz",
diff --git a/package.json b/package.json
index 9d7f33c..4742a0c 100644
--- a/package.json
+++ b/package.json
@@ -47,9 +47,9 @@
 		"@sveltejs/adapter-node": "^5.2.12",
 		"@tailwindcss/forms": "^0.5.10",
 		"autoprefixer": "^10.4.21",
+		"bcrypt": "^6.0.0",
 		"better-sqlite3": "^12.2.0",
 		"jsonwebtoken": "^9.0.2",
-		"jssha": "^3.3.1",
 		"minio": "^8.0.5",
 		"postcss": "^8.5.4",
 		"sqlite3": "^5.1.7",
diff --git a/src/init/init_db.ts b/src/init/init_db.ts
index b057c3c..394bb58 100644
--- a/src/init/init_db.ts
+++ b/src/init/init_db.ts
@@ -1,5 +1,5 @@
 import Database from 'better-sqlite3';
-import jsSHA from 'jssha';
+import bcrypt from 'bcrypt';
 
 const db = new Database('./src/lib/data/tatort.db');
 
@@ -11,7 +11,8 @@ db.exec(createSQLStmt);
 
 // check if there are any users; if not add one default admin one
 const userPassword = 'A-InnoHUB_2025!';
-const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
+const saltRounds = 12;
+const hashedUserPassword = bcrypt.hashSync(userPassword, saltRounds);
 const checkInsertSQLStmt = `INSERT INTO users (name, pw) SELECT 'admin', '${hashedUserPassword}'
                     WHERE NOT EXISTS (SELECT * FROM users);`;
 
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 4529d6e..8895111 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,5 +1,5 @@
 import jwt from 'jsonwebtoken';
-import jsSHA from 'jssha';
+import bcrypt from 'bcrypt';
 import { db } from '$lib/server/dbService';
 
 import config from '$lib/config';
@@ -18,9 +18,6 @@ export function decryptToken(token: string) {
 export function authenticate(user, password) {
 	let JWTToken;
 
-	// hash user password
-	const hashedPW = new jsSHA('SHA-512', 'TEXT').update(password).getHash('HEX');
-
 	const getUserSQLStmt = 'SELECT name, pw FROM users WHERE name = ?';
 	const row = db.prepare(getUserSQLStmt).get(user);
 
@@ -29,7 +26,8 @@ export function authenticate(user, password) {
 	}
 	const storedPW = row.pw;
 
-	if (hashedPW && hashedPW === storedPW) {
+	const isValid = bcrypt.compareSync(password, storedPW)
+	if (isValid) {
 		JWTToken = createToken({ id: user, admin: true });
 	}
 
diff --git a/src/routes/(angemeldet)/user-management/+page.svelte b/src/routes/(angemeldet)/user-management/+page.svelte
index 957326c..d0d1874 100644
--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -45,8 +45,7 @@
 		}
 
 		const URL = '/api/users';
-		const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
-		const userData = { userName: userName, userPassword: hashedUserPassword };
+		const userData = { userName: userName, userPassword: userPassword };
 
 		try {
 			const response = await fetch(URL, {
diff --git a/src/routes/api/users/+server.ts b/src/routes/api/users/+server.ts
index 7eaece3..7bf820c 100644
--- a/src/routes/api/users/+server.ts
+++ b/src/routes/api/users/+server.ts
@@ -1,5 +1,8 @@
 import { json } from '@sveltejs/kit';
 import { addUser, getUsers } from '$lib/server/userService';
+import bcrypt from 'bcrypt';
+
+const saltRounds = 12;
 
 export function GET({ locals }) {
 	if (!locals.user) {
@@ -24,7 +27,8 @@ export async function POST({ request, locals }) {
 		return json({ error: 'Missing input' }, { status: 400 });
 	}
 
-	const rowInfo = addUser(userName, userPassword);
+	const hashedPassword = bcrypt.hashSync(userPassword, saltRounds);
+	const rowInfo = addUser(userName, hashedPassword);
 
 	if (rowInfo?.changes == 1) {
 		return json({ userId: rowInfo.lastInsertRowid, userName: userName }, { status: 201 });