move API protection check into hooks, adjusting corresponding tests

src/hooks.server.ts

@@ -14,5 +14,15 @@ export const handle: Handle = async ({ event, resolve }) => {
 		event.cookies.delete('session', {path: ROUTE_NAMES.ROOT});
 		event.locals.user = null;
 	}
+
+	if (event.url.pathname.startsWith('/api')) {
+		if (!event.locals.user) {
+			return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+				status: 401,
+				headers: { 'Content-Type': 'application/json' }
+			});
+		}
+	}
+
 	return await resolve(event);
 }

src/routes/api/list/+server.ts

@@ -2,9 +2,6 @@ import { getVorgaenge } from '$lib/server/vorgangService';
 import { json } from '@sveltejs/kit';
 
 export async function GET({ locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 	const vorgaenge = getVorgaenge();
 
 	return new Response(JSON.stringify(vorgaenge), {

src/routes/api/list/[vorgang]/+server.ts

@@ -7,9 +7,6 @@ import {
 } from '$lib/server/vorgangService';
 
 export async function DELETE({ locals, params }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 	const vorgangToken = params.vorgang;
 
 	const object_list = await new Promise((resolve, reject) => {
@@ -34,9 +31,6 @@ export async function DELETE({ locals, params }) {
 }
 
 export async function HEAD({ locals, params }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 	try {
 		const vorgangName = params.vorgang;
 		const existing = vorgangNameExists(vorgangName);
@@ -51,9 +45,6 @@ export async function HEAD({ locals, params }) {
 }
 
 export async function GET({ params, locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 	try {
 		const vorgangToken = params.vorgang;
 		const crimesList = await getCrimesListByToken(vorgangToken);

src/routes/api/list/[vorgang]/[tatort]/+server.ts

@@ -2,9 +2,6 @@ import { BUCKET, client } from '$lib/minio';
 import { json } from '@sveltejs/kit';
 
 export async function GET({ locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 	const stream = client.listObjectsV2(BUCKET, '', true);
 	const result = new ReadableStream({
 		start(controller) {
@@ -28,9 +25,6 @@ export async function GET({ locals }) {
 }
 
 export async function DELETE({ locals, request }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 	const url_fragments = request.url.split('/');
 	const item = url_fragments.at(-1);
 	const vorgang = url_fragments.at(-2);

src/routes/api/users/+server.ts

@@ -5,9 +5,6 @@ import bcrypt from 'bcrypt';
 const saltRounds = 12;
 
 export function GET({ locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 
 	const userList = getUsers();
 
@@ -15,10 +12,6 @@ export function GET({ locals }) {
 }
 
 export async function POST({ request, locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
-
 	const data = await request.json();
 	const userName = data.userName;
 	const userPassword = data.userPassword;

src/routes/api/users/[user]/+server.ts

@@ -2,10 +2,6 @@ import { json } from '@sveltejs/kit';
 import { deleteUser } from '$lib/server/userService';
 
 export async function DELETE({ params, locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
-
 	const userId = params.user;
 	const rowCount = deleteUser(userId);