Merge pull request 'b999_chrome_file_upload' (#47) from b999_chrome_file_upload into development

Reviewed-on: #47

Dockerfile.dev

@@ -8,11 +8,10 @@ RUN npm i --unsafe-perm
 COPY . ./
 COPY config_dev.json ./config.json
 RUN npm run build
-RUN npm run init-db
 
 # --- Production stage ---
 FROM node:24-alpine
 COPY --from=build /app .
 ENV HOST=0.0.0.0
 EXPOSE 3000
-CMD ["sh", "-c", "ORIGIN=https://tatort-dev.innovation-hub-niedersachsen.de node build/index.js"]
+CMD ["sh", "-c", "npm run init-db && ORIGIN=https://tatort-dev.innovation-hub-niedersachsen.de node build/index.js"]

Dockerfile.prod

@@ -1,7 +1,5 @@
 # --- Build stage ---
 FROM node:22 AS build
-ENV NODE_ENV=production
-ENV ORIGIN=https://tatort.innovation-hub-niedersachsen.de
 WORKDIR /app
 COPY package*.json ./
 RUN npm ci
@@ -11,7 +9,13 @@ RUN npm run build
 
 # --- Production stage ---
 FROM node:22-alpine3.20
-COPY --from=build /app .
+WORKDIR /app
+ENV NODE_ENV=production
+ENV ORIGIN=https://tatort.innovation-hub-niedersachsen.de
+COPY --from=build /app/build ./build
+COPY --from=build /app/package*.json ./
+COPY --from=build /app/config.json ./config.json
+RUN npm ci --omit=dev
 ENV HOST=0.0.0.0
 EXPOSE 3000
-CMD ["sh", "-c", "ORIGIN=https://tatort.innovation-hub-niedersachsen.de node build/index.js"]
+CMD ["node", "build/index.js"]

Jenkinsfile

@@ -57,7 +57,7 @@ pipeline {
             }
         }
 
-        stage('Test & Security Audit') {
+        stage('Security Audit') {
             steps {
                 script {
                     didRun = true
@@ -67,6 +67,12 @@ pipeline {
             }
         }
 
+        stage('Run Tests') {
+            steps {
+                sh 'npm run test'
+            }
+        }
+
         stage('SonarQube Analysis') {
             steps {
                 withSonarQubeEnv('sonarqube') {

config.json

@@ -1,10 +1,10 @@
 {
 	"minio": {
-		"endPoint": "sws3.innovation-hub-niedersachsen.de",
+		"endPoint": "api-s3.innovation-hub-niedersachsen.de",
 		"port": 443,
 		"useSSL": true,
-		"accessKey": "wjpKrmaqXra99rX3D61H",
-		"secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
+		"accessKey": "AbCdEfGhIjKlMnOpQrSt",
+		"secretKey": "UvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWx"
 	},
 	"jwt": {
 		"secret": "@S2!q@@wXz$dCQ8JoVsHLpzaJ6JCfB",
@@ -14,4 +14,4 @@
 		"admin": { "password": "A-InnoHUB_2025!", "admin": true },
 		"user": { "password": "U-InnoHUB_2025!", "admin": false }
 	}
-}
+}

config_dev.json

@@ -1,10 +1,10 @@
 {
 	"minio": {
-		"endPoint": "sws3.innovation-hub-niedersachsen.de",
+		"endPoint": "api-s3.innovation-hub-niedersachsen.de",
 		"port": 443,
 		"useSSL": true,
-		"accessKey": "wjpKrmaqXra99rX3D61H",
-		"secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
+		"accessKey": "AbCdEfGhIjKlMnOpQrSt",
+		"secretKey": "UvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWx"
 	},
 	"jwt": {
 		"secret": "@S2!q@@wXz$dCQ8JoVsHLpzaJ6JCfB",
@@ -14,4 +14,4 @@
 		"admin": { "password": "A-InnoHUB_2025!", "admin": true },
 		"user": { "password": "U-InnoHUB_2025!", "admin": false }
 	}
-}
+}

config_prod.json

@@ -14,4 +14,4 @@
 		"admin": { "password": "A-InnoHUB_2025!", "admin": true },
 		"user": { "password": "U-InnoHUB_2025!", "admin": false }
 	}
-}
+}

package.json

@@ -13,7 +13,7 @@
 		"format": "prettier --write .",
 		"lint": "prettier --check . && eslint .",
 		"test:unit": "vitest",
-		"test": "npm run test:unit -- --run && npm run test:e2e",
+		"test": "npm run test:unit -- --run",
 		"init-db": "tsx ./src/init/init_db.ts"
 	},
 	"devDependencies": {
@@ -22,7 +22,7 @@
 		"@sveltejs/adapter-auto": "^4.0.0",
 		"@sveltejs/kit": "^2.21.3",
 		"@sveltejs/vite-plugin-svelte": "^5.1.0",
-		"@testing-library/jest-dom": "^6.6.3",
+		"@testing-library/jest-dom": "^6.8.0",
 		"@testing-library/svelte": "^5.2.8",
 		"@tsconfig/svelte": "^5.0.4",
 		"@types/better-sqlite3": "^7.6.13",
@@ -40,7 +40,7 @@
 		"typescript": "^5.8.3",
 		"typescript-eslint": "^8.34.0",
 		"vite": "^6.3.5",
-		"vitest": "^3.2.3"
+		"vitest": "^3.2.4"
 	},
 	"dependencies": {
 		"@google/model-viewer": "^4.1.0",

src/hooks.server.ts

@@ -1,5 +1,7 @@
 import { decryptToken } from '$lib/auth';
 import type { Handle } from '@sveltejs/kit';
+import { ROUTE_NAMES } from './routes';
+
 
 export const handle: Handle = async ({ event, resolve }) => {
 	const jwt = event.cookies.get('session');
@@ -9,8 +11,18 @@ export const handle: Handle = async ({ event, resolve }) => {
 			return resolve(event);
 		}
 	} catch (_) {
-		event.cookies.delete('session', {path: '/'});
+		event.cookies.delete('session', {path: ROUTE_NAMES.ROOT});
 		event.locals.user = null;
 	}
+
+	if (event.url.pathname.startsWith('/api')) {
+		if (!event.locals.user) {
+			return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+				status: 401,
+				headers: { 'Content-Type': 'application/json' }
+			});
+		}
+	}
+
 	return await resolve(event);
 }

src/init/init_db.ts

@@ -1,8 +1,9 @@
 import Database from 'better-sqlite3';
 import fs from 'fs';
 import path from 'path';
+import { DB_FULLPATH } from '../routes';
 
-const fullPath = './src/lib/data/tatort.db';
+const fullPath = DB_FULLPATH;
 const dir = path.dirname(fullPath);
 
 if (!fs.existsSync(dir)) {

src/lib/components/EmptyList.svelte

@@ -1 +1,3 @@
-<p class="flex justify-center m-4">In dieser Liste sind keine Einträge vorhanden</p>
+<p data-testid="empty-list" class="flex justify-center m-4">
+	In dieser Liste sind keine Einträge vorhanden
+</p>

src/lib/components/ExpandableForm.svelte

@@ -0,0 +1,54 @@
+<script lang="ts">
+  import { fly, scale, fade } from 'svelte/transition';
+  import { cubicOut } from 'svelte/easing';
+  import { tick } from 'svelte';
+
+  let expanded = false;
+  let formContainer: HTMLDivElement;
+
+  async function toggle() {
+    expanded = !expanded;
+
+    if (expanded) {
+      // Wait for DOM to update
+      await tick();
+
+      // Scroll smoothly into view
+      formContainer?.scrollIntoView({ behavior: 'smooth', block: 'start' });
+    }
+  }
+</script>
+
+<div data-testid="expand-container" class="flex flex-col items-center">
+  <!-- + / × button -->
+  <button
+    data-testid="expand-button"
+    class="flex items-center justify-center w-12 h-12 rounded-full bg-blue-600 text-white text-2xl font-bold hover:bg-blue-700 transition"
+    on:click={toggle}
+    aria-expanded={expanded}
+    aria-label="Add item"
+  >
+    {#if expanded}
+      ✕
+    {:else}
+      +
+    {/if}
+  </button>
+
+  <!-- Expandable content below button -->
+  {#if expanded}
+    <div
+      bind:this={formContainer}
+      class="w-full mt-4 flex justify-center"
+      transition:fade
+    >
+      <div
+        in:fly={{ y: 10, duration: 200, easing: cubicOut }}
+        out:scale={{ duration: 150 }}
+        class="w-full max-w-2xl"
+      >
+        <slot />
+      </div>
+    </div>
+  {/if}
+</div>

src/lib/components/Footer.svelte

@@ -1,6 +1,8 @@
 <script>
 	import Profile from "$lib/icons/Profile.svelte";
 
+	import { ROUTE_NAMES } from "../../routes";
+
     export let data;
 </script>
 
@@ -10,19 +12,19 @@
 					<div class="mx-auto max-w-7xl px-6 lg:px-8">
 						<div class="flex justify-between divide-x divide-gray-900/5 border-x border-gray-900/5">
 							<a
-								href="/list"
+								href="{ROUTE_NAMES.LIST}"
 								class="px-4 py-1 -ml-4 flex items-center justify-center gap-x-2.5 text-sm font-semibold leading-6 text-gray-500 hover:bg-gray-200 hover:text-gray-700"
 							>
 								&copy; 2023 Innovation Hub Niedersachen
 							</a>
 							<a
-								href="/"
+								href="{ROUTE_NAMES.ROOT}"
 								class="px-4 py-1 flex items-center justify-center gap-x-2.5 text-sm font-semibold leading-6 text-gray-500 hover:bg-gray-200 hover:text-gray-700"
 							>
 								back
 							</a>
 							<a
-								href="/"
+								href="{ROUTE_NAMES.ROOT}"
 								class="px-4 py-1 -mr-4 flex items-center justify-center gap-x-2.5 text-sm font-semibold leading-6 text-gray-500 hover:bg-gray-200 hover:text-gray-700"
 							>
 								<!--icon-->

src/lib/components/Header.svelte

@@ -1,6 +1,8 @@
 <script lang="ts">
 	import Chevron from '$lib/icons/Chevron-right.svelte';
 
+	import { ROUTE_NAMES } from '../../routes';
+
 	export let data;
 </script>
 
@@ -11,7 +13,7 @@
 			aria-label="Global"
 		>
 			<div class="flex w-48">
-				<a href="/" class="-m-1.5 p-1.5 w-10">
+				<a href="{ROUTE_NAMES.ROOT}" class="-m-1.5 p-1.5 w-10">
 					<span class="sr-only">Tatort Niedersachen</span>
 					<img class="h-8 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
 				</a>
@@ -19,7 +21,7 @@
 			<h1 class="text-3xl text-slate-400 font-bold">Tatort</h1>
 			<div class="lg:flex lg:justify-end w-48">
 				{#if data.user}
-					<form method="POST" action="/anmeldung?/logout">
+					<form method="POST" action="{ROUTE_NAMES.LOGOUT}">
 						<input type="hidden" />
 						<button type="submit" class="text-sm font-semibold leading-6 text-gray-900"
 							><span

src/lib/components/NameItemEditor.svelte

@@ -1,90 +1,116 @@
 <script lang="ts">
+	import Check from '$lib/icons/Check.svelte';
 	import Edit from '$lib/icons/Edit.svelte';
 	import Trash from '$lib/icons/Trash.svelte';
+	import X from '$lib/icons/X.svelte';
 	import { tick } from 'svelte';
 
 	interface ListItem {
 		name: string;
 		token?: string;
-		// add other properties as needed
 	}
-	let {
-		list,
-		editedName = $bindable(),
-		currentName,
-		onSave = () => {},
-		onDelete = () => {}
-	} = $props();
 
-	let localName = $state(currentName);
-	let wasCancelled = $state(false);
+	// props, old syntax
+	export let list: ListItem[] = [];
+	export let currentName: string;
+	export let vorgangToken: string | null;
+	export let onSave: (n: string, o: string, t?: string) => unknown = () => {};
+	export let onDelete: ((n: string) => unknown) | null = () => {};
 
-	let error: string = $derived(validateName(localName));
-	let isEditing = $state(false);
-	let inputRef: HTMLInputElement;
+	let localName = currentName;
+	let isEditing = false;
+	let inputRef: HTMLInputElement | null = null;
 
-	function validateName(name: string) {
-		const trimmed = name.trim();
+	$: error = validateName(localName);
 
-		if (!trimmed) {
-			return 'Name darf nicht leer sein.';
+	function validateName(name: string): string {
+		const trimmed = name?.trim() ?? '';
+		if (!trimmed) return 'Name darf nicht leer sein.';
+		if (list.some((item) => item.name === trimmed && item.name !== currentName)) {
+			return 'Name existiert bereits.';
 		}
-
-		const duplicate = list.some(
-			(item: ListItem) => item.name === trimmed && item.name !== currentName
-		);
-
-		if (duplicate) return 'Name existiert bereits.';
-
 		return '';
 	}
 
-	function commitIfValid() {
-		if (!error && !wasCancelled && localName != currentName) {
-			const trimmedName: string = localName.trim();
-			inputRef?.blur();
-			isEditing = false;
-			onSave(trimmedName, currentName);
-		} else {
-			localName = currentName;
-			resetEdit();
-		}
-	}
-
-	function resetEdit() {
-		wasCancelled = false;
-		inputRef?.blur();
-		isEditing = false;
-	}
-
-	function handleKeydown(event: KeyboardEvent) {
-		if (event.key === 'Enter') {
-			event.preventDefault();
-			commitIfValid();
-		} else if (event.key === 'Escape') {
-			event.preventDefault();
-			localName = currentName;
-			resetEdit();
-		}
-	}
-
 	async function startEdit() {
 		isEditing = true;
 		await tick();
 		inputRef?.focus();
 	}
+
+	function cancelEdit() {
+		localName = currentName;
+		isEditing = false;
+	}
+
+	function commitEdit() {
+		if (!error && localName != currentName) onSave(localName, currentName, vorgangToken);
+		// restore original value
+		if (error) { localName = currentName }
+		
+		isEditing = false;
+	}
+
+	function handleKeydown(event: KeyboardEvent) {
+		if (event.key === 'Enter') commitEdit();
+		if (event.key === 'Escape') cancelEdit();
+	}
+
+	function handleDeleteClick() {
+		// vorgangToken defined when deleting Vorgang, otherwise Crime
+		onDelete(vorgangToken || currentName);
+	}
 </script>
 
-<div>
-	<input
-		bind:this={inputRef}
-		bind:value={localName}
-		onblur={commitIfValid}
-		onkeydown={handleKeydown}
-	/>
-	<button onclick={startEdit}><Edit /></button>
-	<button onclick={() => onDelete(currentName)}><Trash /></button>
-	{#if error}
-		<p style="color: red;">{error}</p>
-	{/if}
+<div data-testid="test-nameItemEditor" class="flex flex-col gap-1">
+  {#if isEditing}
+    <div class="flex items-center gap-1">
+      <input
+        data-testid="test-input"
+        bind:this={inputRef}
+        bind:value={localName}
+        onkeydown={handleKeydown}
+        class="flex-1 border border-gray-300 rounded px-1.5 py-0.5 text-sm focus:outline-none focus:ring-1 focus:ring-blue-500"
+      />
+      <button
+        data-testid="commit-button"
+        disabled={!!error || localName === currentName}
+        onclick={commitEdit}
+        class="text-gray-500 hover:text-green-600 transition disabled:opacity-40"
+      >
+        <Check class="w-4 h-4" />
+      </button>
+      <button
+        data-testid="cancel-button"
+        onclick={cancelEdit}
+        class="text-gray-500 hover:text-red-600 transition"
+      >
+        <X class="w-4 h-4" />
+      </button>
+    </div>
+  {:else}
+    <div class="flex items-center gap-1">
+      <span class="text-sm font-medium text-gray-900 truncate">{localName}</span>
+      <button
+        data-testid="edit-button"
+        onclick={startEdit}
+        class="text-gray-500 hover:text-blue-600 transition"
+      >
+        <Edit class="w-4 h-4" />
+      </button>
+      {#if onDelete}
+		<button
+			data-testid="delete-button"
+			onclick={handleDeleteClick}
+			class="text-gray-500 hover:text-red-600 transition"
+		>
+			<Trash class="w-4 h-4" />
+		</button>
+      {/if}
+    </div>
+  {/if}
+
+  {#if error}
+    <p class="text-xs text-red-500 mt-1">{error}</p>
+  {/if}
 </div>

src/lib/helper/vorgangNumberOccupied.ts

@@ -1,9 +1,9 @@
-import { client } from '$lib/minio';
+import { client, BUCKET } from '$lib/minio';
 
-export default async function vorgangNumberOccupied (vorgangNumber: string): Promise<boolean> {
+export default async function vorgangNumberOccupied(vorgangNumber: string): Promise<boolean> {
 	const prefix = `${vorgangNumber}`;
 	const promise: Promise<boolean> = new Promise((resolve) => {
-		const stream = client.listObjectsV2('tatort', prefix, false, '');
+		const stream = client.listObjectsV2(BUCKET, prefix, false, '');
 		stream.on('data', () => {
 			stream.destroy();
 			resolve(true);

src/lib/icons/Profile.svelte

@@ -1,4 +1,5 @@
 <svg
+	data-testid="profile-component"
 	xmlns="http://www.w3.org/2000/svg"
 	fill="none"
 	viewBox="0 0 24 24"

src/lib/minio.ts

@@ -7,6 +7,10 @@ import config from '$lib/config';
 /** export const client = new Minio.Client(config.minio); */
 export const client = new Client(config.minio);
 
-export const BUCKET = 'tatort';
+const isProd = process.env.NODE_ENV == 'production';
+const BUCKET = isProd ? 'tatort' : 'tatort-dev';
+
+export { BUCKET };
+
 export const TOKENFILENAME = '__perm__';
 export const CONFIGFILENAME = 'config.json';

src/lib/server/authService.ts

@@ -1,6 +1,7 @@
 import { dev } from '$app/environment';
 import { fail, redirect, type Cookies, type RequestEvent } from '@sveltejs/kit';
 import { authenticate } from '$lib/auth';
+import { ROUTE_NAMES } from '../../routes';
 
 const COOKIE_NAME = 'session';
 
@@ -11,19 +12,20 @@ export const loginUser = async ({ request, cookies }: { request: Request; cookie
 
 	const token = authenticate(user, password);
 
-	if (!token) return fail(400, { user, incorrect: true });
+	if (!token) return fail(400, { user, incorrect: true,
+								message: "Ungültige Zugangsdaten" });
 
 	cookies.set(COOKIE_NAME, token, {
-		path: '/',
+		path: ROUTE_NAMES.ROOT,
 		httpOnly: true,
 		sameSite: 'strict',
 		secure: !dev
 	});
-	return redirect(303, '/');
+	return redirect(303, ROUTE_NAMES.ROOT);
 };
 
 export const logoutUser = async (event: RequestEvent) => {
-	event.cookies.delete(COOKIE_NAME, { path: '/' });
+	event.cookies.delete(COOKIE_NAME, { path: ROUTE_NAMES.ROOT });
 	event.locals.user = null;
-	return { success: true };
+	return redirect(303, ROUTE_NAMES.ROOT);
 };

src/lib/server/dbService.ts

@@ -1,12 +1,7 @@
 import Database from 'better-sqlite3';
-import fs from 'fs';
-import path from 'path';
+import { DB_FULLPATH } from '../../routes';
 
-const fullPath = './src/lib/data/tatort.db';
-const dir = path.dirname(fullPath);
+// make sure the DB is initiated
+import '../../init/init_db'
 
-if (!fs.existsSync(dir)) {
-	fs.mkdirSync(dir);
-}
-
-export const db = new Database(fullPath);
+export const db = new Database(DB_FULLPATH);

src/lib/server/vorgangService.ts

@@ -1,6 +1,7 @@
 import { fail } from '@sveltejs/kit';
 import { BUCKET, client, CONFIGFILENAME, TOKENFILENAME } from '$lib/minio';
 import { checkIfExactDirectoryExists, getContentOfTextObject } from './s3ClientService';
+import { v4 as uuidv4 } from 'uuid';
 
 import { db } from './dbService';
 
@@ -45,6 +46,31 @@ export const getVorgangByToken = (
 	return result;
 };
 
+/**
+ * Create Vorgang, using a vorgangName and vorgangPIN
+ * @param vorgangName
+ * @param vorgangPIN
+ * @returns {string || false} vorgangToken if successful
+ */
+export const createVorgang = (vorgangName: string, vorgangPIN: string): string | boolean => {
+	const vorgangExists = vorgangNameExists(vorgangName);
+	if (vorgangExists) {
+		return false;
+	}
+
+	const vorgangToken = uuidv4();
+
+	const insertSQLStatement = `INSERT INTO cases (token, name, pin) VALUES (?, ?, ?)`;
+	const statement = db.prepare(insertSQLStatement);
+	const info = statement.run(vorgangToken, vorgangName, vorgangPIN);
+
+	if (info.changes) {
+		return vorgangToken;
+	} else {
+		return false;
+	}
+};
+
 /**
  * Get Vorgang
  * @param vorgangName
@@ -208,3 +234,27 @@ export const vorgangPINValidation = function (vorgangToken: string, vorgangPIN:
 
 	return true;
 };
+
+/**
+ * Change VorgangName or VorgangPIN
+ * @param vorgangToken
+ * @param newValue
+ * @returns {int} number of affected lines
+ */
+export const updateVorgangAttrByToken = function (vorgangToken: string,
+											newValue: string,
+											column: string) {
+	const renameSQLStmt = `UPDATE cases set ${column} = ? WHERE token = ?`;
+	const statement = db.prepare(renameSQLStmt);
+
+	let info;
+	
+	try {
+		info = statement.run(newValue, vorgangToken);
+	} catch (err) {
+		console.log(`error: ${err}`)
+		return 0;
+	}
+
+	return info.changes;
+};

src/routes/(angemeldet)/+layout.server.ts

@@ -1,10 +1,10 @@
-import { redirect, type ServerLoadEvent } from '@sveltejs/kit';
+import { type ServerLoadEvent } from '@sveltejs/kit';
 import type { PageServerLoad } from '../anmeldung/$types';
 
 export const load: PageServerLoad = (event: ServerLoadEvent) => {
-	if (!event.locals.user && event.url.pathname !== '/anmeldung') throw redirect(303, '/anmeldung');
-	return {
-		user: event.locals.user
-		
-	};
-}
+	if (event.locals.user) {
+		return {
+			user: event.locals.user
+		};
+	}
+};

src/routes/(angemeldet)/+layout.svelte

@@ -5,6 +5,8 @@
 	export let data;
 </script>
 
+{#if data.user?.admin}
+
 <div class="h-screen v-screen flex flex-col">
 	<div class="flex flex-col h-full">
 		<Header {data}/>
@@ -16,3 +18,10 @@
 
 	</div>
 </div>
+
+{:else}
+
+<div class="h-screen bg-white"><slot /></div>
+
+
+{/if}

src/routes/(angemeldet)/+page.server.ts

@@ -0,0 +1,6 @@
+import { loginUser, logoutUser } from '$lib/server/authService';
+
+export const actions = {
+	login: ({ request, cookies }) => loginUser({ request, cookies }),
+	logout: (event) => logoutUser(event),
+} as const;

src/routes/(angemeldet)/+page.svelte

@@ -2,23 +2,28 @@
 	import AddProcess from '$lib/icons/Add-Process.svelte';
 	import FileRect from '$lib/icons/File-rect.svelte';
 	import ListIcon from '$lib/icons/List-icon.svelte';
+	import Button from '$lib/components/Button.svelte';
+	import ArrowRight from '$lib/icons/Arrow-right.svelte';
+
+	import { ROUTE_NAMES } from '../index.js';
 
 	export let data;
+	export let form;
 	export let outline = true;
 </script>
 
+{#if data.user?.admin}
 <div
 	class=" inset-x-0 top-0 -z-10 h-full flex items-center justify-center bg-white shadow-lg ring-1 ring-gray-900/5"
 >
 	<div class="mx-auto flex justify-center max-w-7xl py-10 px-8 w-full">
-		{#if data.user.admin}
 			<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 				<div
 					class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
 				>
 					<ListIcon class=" group-hover:text-indigo-600" />
 				</div>
-				<a href="/list" class="mt-6 block font-semibold text-gray-900">
+				<a href="{ROUTE_NAMES.LIST}" class="mt-6 block font-semibold text-gray-900">
 					Vorgänge
 					<span class="absolute inset-0"></span>
 				</a>
@@ -26,28 +31,13 @@
 					Verschaffe Dir einen Überblick über alle gespeicherten Tatorte.
 				</p>
 			</div>
-		{/if}
-		{#if data.user.admin}
-			<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
-				<div
-					class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
-				>
-					<AddProcess class=" group-hover:text-indigo-600" />
-				</div>
-				<a href="/upload" class="mt-6 block font-semibold text-gray-900">
-					Hinzufügen
-					<span class="absolute inset-0"></span>
-				</a>
-				<p class="mt-1 text-gray-600">Fügen Sie einem Tatort Bilder hinzu.</p>
-			</div>
-		{/if}
 		<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 			<div
 				class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
 			>
 				<FileRect class=" group-hover:text-indigo-600" {outline} />
 			</div>
-			<a href="/user-management" class="mt-6 block font-semibold text-gray-900">
+			<a href="{ROUTE_NAMES.USERMGMT}" class="mt-6 block font-semibold text-gray-900">
 				Benutzerverwaltung
 				<span class="absolute inset-0"></span>
 			</a>
@@ -56,5 +46,64 @@
 	</div>
 </div>
 
+{:else}
+
+<div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
+	<div class="sm:mx-auto sm:w-full sm:max-w-sm">
+		<img class="mx-auto h-10 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
+
+		<h2 class="mt-10 text-center text-2xl font-bold leading-9 tracking-tight text-gray-900">
+			Willkommen beim 3D Tatort
+		</h2>
+	</div>
+	<div class="w-full max-w-sm mx-auto">
+		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
+			<div class="mt-10">
+
+<form action="{ROUTE_NAMES.LOGIN}" method="POST">
+						<div>
+							<label for="user" class="text-sm font-medium leading-6 text-gray-900">Name</label>
+							<div class="mt-2">
+								<input
+									id="user"
+									name="user"
+									type="text"
+									autocomplete="email"
+									required
+									class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
+								/>
+							</div>
+						</div>
+
+						<div>
+							<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
+								>Passwort</label
+							>
+							<div class="mt-2">
+								<input
+									id="password"
+									name="password"
+									type="password"
+									autocomplete="current-password"
+									required
+									class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
+								/>
+							</div>
+						</div>
+						{#if form?.incorrect}
+							<p class="block text-sm leading-6 text-red-900 mt-2">{form.message}</p>
+						{/if}
+						<div class="flex justify-end">
+							<Button type="submit" class="mt-5">Anmelden</Button>
+						</div>
+					</form>
+			</div>
+		</div>
+	</div>
+</div>
+
+{/if}
+
 <style>
 </style>
+

src/routes/(angemeldet)/list/+page.server.ts

@@ -1,10 +1,35 @@
-import { getVorgaenge } from '$lib/server/vorgangService';
+import { createVorgang, getVorgaenge } from '$lib/server/vorgangService';
 import type { PageServerLoad } from '../../(token-based)/view/$types';
+import { error, fail } from '@sveltejs/kit';
+
+export const load: PageServerLoad = async (event) => {
+	if (!event.locals.user) {
+		error(404, 'Not Found')
+	}
 
-export const load: PageServerLoad = async () => {
 	const vorgangList = getVorgaenge();
 
 	return {
 		vorgangList
 	};
 };
+
+
+export const actions = {
+	default: async ({ request }: { request: Request }) => {
+		const data = await request.formData();
+		const vorgangName: string | null = data.get('vorgang') as string;
+		const vorgangPIN: string | null = data.get('pin') as string;
+
+		const err = {};
+
+		const token = createVorgang(vorgangName, vorgangPIN);
+		if (!token) {
+			err.message = "Der Vorgang konnte nicht angelegt werden"
+			return fail(400, err)
+		} else {
+			// success
+			return { token }
+		}
+	}
+};

src/routes/(angemeldet)/list/+page.svelte

@@ -1,25 +1,95 @@
 <script lang="ts">
+	import ExpandableForm from '$lib/components/ExpandableForm.svelte';
 	import Trash from '$lib/icons/Trash.svelte';
 	import Folder from '$lib/icons/Folder.svelte';
 	import EmptyList from '$lib/components/EmptyList.svelte';
-	import type { PageData } from '../$types';
+	import NameItemEditor from '$lib/components/NameItemEditor.svelte';
+	import Alert from '$lib/components/Alert.svelte';
+	import Button from '$lib/components/Button.svelte';
+	import Modal from '$lib/components/Modal/Modal.svelte';
+	import ModalTitle from '$lib/components/Modal/ModalTitle.svelte';
+	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
+	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
+	import { API_ROUTES, ROUTE_NAMES } from '../../index.js';
+	import { invalidateAll } from '$app/navigation';
 
-	// let { data } = $props();
-	export let data: PageData;
-	let vorgangList = data.vorgangList;
+	let { data, form } = $props();
 
+	let vorgangList = $state(data.vorgangList);
+    
+    // same as `vorgangList` but with one different property to be used
+    // with ´NameItemEditor`
+    const derivedList = $derived.by(
+		() => {
+			return vorgangList.map(
+				({ vorgangName, ...rest }) => (
+					{
+						name: vorgangName,
+						...rest
+					}
+				)
+			)
+		}
+    );
+	
 	let isEmptyList = vorgangList.length === 0;
 
-	async function delete_item(ev: Event) {
+	let vorgangName = $state('');
+	let vorgangPIN = $state('');
+	let errorMsg = $state('');
+
+	// reset input fields when submission successful
+	$effect(() => {
+		if (form?.token) {
+			vorgangName = '';
+			vorgangPIN = '';
+			errorMsg = '';
+		}
+	});
+
+	async function submitVorgang(ev: Event) {
+		const isValid = inputValid(vorgangName, vorgangPIN);
+		if (!isValid) {
+			ev.preventDefault();
+			return;
+		}
+
+		// continue form action on server
+	}
+
+	/**
+	 * Check for required fields
+	 * @param vorgangName
+	 * @param vorgangPIN
+	 * @returns {boolean} Indicates whether input is valid
+	 */
+	function inputValid(vorgangName, vorgangPIN) {
+		if (!(vorgangName || vorgangPIN)) {
+			errorMsg = 'Bitte beide Felder ausfüllen.';
+			return false;
+		} else if (!vorgangName) {
+			errorMsg = 'Bitte einen Vorgangsnamen vergeben.';
+			return false;
+		} else if (!vorgangPIN) {
+			errorMsg = 'Bitte einen Vorgangs-PIN eingeben.';
+			return false;
+		}
+
+		const existing = vorgangList.some((vorg) => vorg.vorgangName === vorgangName);
+		if (existing) {
+			errorMsg = 'Der Name existiert bereits.';
+			return false;
+		}
+
+		return true;
+	}
+
+	async function deleteVorgang(vorgangToken: string) {
 		let delete_item = window.confirm('Bist du sicher?');
 
 		if (delete_item) {
-			const target = ev.currentTarget as HTMLElement | null;
-			if (!target) return;
-			let filename = target.id.split('del__')[1];
-
-			let url = `/api/list/${filename}`;
-
+			let url = API_ROUTES.VORGANG(vorgangToken);
+			
 			try {
 				const response = await fetch(url, { method: 'DELETE' });
 				if (response.status == 204) {
@@ -36,6 +106,46 @@
 			}
 		}
 	}
+	
+	//Variablen für Modal
+	let open = $state(false);
+	let inProgress = $state(false);
+	let isError = $state(false);
+
+	async function handleSave(newName: string, oldName: string, vorgangToken: string) {
+		open = true;
+		inProgress = true;
+		isError = false;
+		try {
+			const res = await fetch(API_ROUTES.VORGANG(vorgangToken), {
+				method: 'PUT',
+				headers: {
+					'Content-Type': 'application/json'
+				},
+				body: JSON.stringify({ vorgangToken, oldName, newName })
+			});
+
+			if (!res.ok) {
+				throw new Error('Fehler beim Speichern');
+			}
+			await invalidateAll();
+			vorgangList = data.vorgangList;
+			open = false;
+		} catch (err) {
+			console.error('⚠️ Netzwerkfehler beim Speichern', err);
+			isError = true;
+		} finally {
+			inProgress = false;
+		}
+	}
+	
+	
+	
+	 async function closeModal() {
+		open = false;
+		isError = false;
+	}
+	
 </script>
 
 <div class="-z-10 bg-white">
@@ -48,31 +158,22 @@
 				<EmptyList></EmptyList>
 			{:else}
 				{#each vorgangList as vorgangItem}
-					<li>
+					<li data-testid="test-list-item">
+						<div class="flex items-center justify-center gap-3">
 						<a
-							href="/list/{vorgangItem.vorgangToken}?pin={vorgangItem.vorgangPIN}"
-							class="flex justify-between gap-x-6 py-5"
+						href="{ROUTE_NAMES.VORGANG(vorgangItem.vorgangToken)}"
+						class="flex flex-col items-center justify-center gap-2 py-4 rounded-lg hover:bg-gray-50 transition text-center"
 						>
-							<div class="flex gap-x-4">
-								<Folder />
-								<div class="min-w-0 flex-auto">
-									<span class="text-sm font-semibold leading-6 text-gray-900"
-										>{vorgangItem.vorgangName}</span
-									>
-									<button
-										style="padding: 2px"
-										id="del__{vorgangItem.vorgangToken}"
-										on:click|preventDefault={delete_item}
-										aria-label="Vorgang {vorgangItem.name} löschen"
-									>
-										<Trash />
-									</button>
-								</div>
-							</div>
-							<div class="hidden sm:flex sm:flex-col sm:items-end">
-								<p class="text-sm leading-6 text-gray-900">Vorgang</p>
-							</div>
+							<Folder class="w-6 h-6 text-gray-600" />
 						</a>
+							<NameItemEditor
+							list={derivedList}
+							currentName={vorgangItem.vorgangName}
+							vorgangToken={vorgangItem.vorgangToken}
+							onSave={handleSave}
+							onDelete={deleteVorgang}
+							/>
+						</div>
 					</li>
 				{/each}
 			{/if}
@@ -80,8 +181,84 @@
 	</div>
 </div>
 
+
+<ExpandableForm>
+<form class="flex flex-col items-center" method="POST">
+	<div class="flex flex-col sm:flex-row sm:space-x-4 w-full max-w-lg">
+		<div class="flex-1">
+			<label for="vorgang" class="block text-sm font-medium leading-6 text-gray-900">
+				<span class="flex"> Vorgangsname </span>
+			</label>
+			<div class="mt-2">
+				<div
+					class="flex rounded-md shadow-sm ring-1 ring-inset ring-gray-300 focus-within:ring-2 focus-within:ring-inset focus-within:ring-indigo-600"
+				>
+					<input
+						required
+						bind:value={vorgangName}
+						type="text"
+						name="vorgang"
+						id="vorgang"
+						class="block flex-1 border-0 bg-transparent py-1.5 pl-1 text-gray-900 placeholder:text-gray-400 focus:ring-0 sm:text-sm sm:leading-6"
+					/>
+				</div>
+			</div>
+		</div>
+
+		<div class="flex-1 mt-4 sm:mt-0">
+			<label for="pin" class="block text-sm font-medium leading-6 text-gray-900">
+				<span class="flex"> PIN </span>
+			</label>
+			<div class="mt-2">
+				<div
+					class="flex rounded-md shadow-sm ring-1 ring-inset ring-gray-300 focus-within:ring-2 focus-within:ring-inset focus-within:ring-indigo-600"
+				>
+					<input
+						required
+						type="password"
+						bind:value={vorgangPIN}
+						name="pin"
+						id="pin"
+						class="block flex-1 border-0 bg-transparent py-1.5 pl-1 text-gray-900 placeholder:text-gray-400 focus:ring-0 sm:text-sm sm:leading-6"
+					/>
+				</div>
+			</div>
+		</div>
+	</div>
+
+	{#if errorMsg}
+		<p>{errorMsg}</p>
+	{/if}
+	{#if form?.message}
+		<p>{form.message}</p>
+	{/if}
+	<button
+		type="submit"
+		on:click={submitVorgang}
+		class="mt-4 bg-indigo-600 text-white px-6 py-2 rounded hover:bg-indigo-700 transition"
+	>
+		Neuen Vorgang hinzufügen
+	</button>
+</form>
+
+</ExpandableForm>
+
+<Modal {open}
+			><ModalTitle>Umbenennen</ModalTitle><ModalContent>
+				{#if inProgress}
+					<p class="py-2 mb-1">Vorgang läuft...</p>
+				{:else if isError}
+					<Alert class="w-full" type="error">Fehler beim Umbenennen</Alert>
+				{:else}
+					<Alert class="w-full">Umbenennen erfolgreich</Alert>
+				{/if}
+			</ModalContent>
+			<ModalFooter><Button disabled={inProgress} on:click={closeModal}>Ok</Button></ModalFooter>
+</Modal>
+
 <style>
 	ul {
 		min-width: 24rem;
 	}
 </style>
+

src/routes/(angemeldet)/list/+page.ts

@@ -1,12 +0,0 @@
-
-
-// export async function load({fetch}){
-//     const  vorgangResponse = await fetch(`/api/list`);
-//      const vorgangList = await vorgangResponse.json();
-
-//      return {
-
-//       vorgangList,
-
-//      }
-// }

src/routes/(angemeldet)/upload/+page.server.ts

@@ -1,10 +1,8 @@
 import { Readable } from 'stream';
-import { client } from '$lib/minio';
-import { fail } from '@sveltejs/kit';
-import { v4 as uuidv4 } from 'uuid';
+import { BUCKET, client } from '$lib/minio';
+import { fail, error } from '@sveltejs/kit';
 
-import { db } from '$lib/server/dbService';
-import { getVorgangByName, vorgangNameExists } from '$lib/server/vorgangService';
+import { getVorgangByName } from '$lib/server/vorgangService';
 
 const isRequiredFieldValid = (value: unknown) => {
 	if (value == null) return false;
@@ -17,29 +15,14 @@ const isRequiredFieldValid = (value: unknown) => {
 export const actions = {
 	url: async ({ request }: { request: Request }) => {
 		const data = await request.formData();
-		const vorgangName: string | null  = data.get('vorgang') as string;
+		const vorgangName: string | null = data.get('vorgang') as string;
 		const crimeName: string | null = data.get('name') as string;
-		const type: string | null  = data.get('type') as string;
-		const vorgangPIN: string | null  = data.get('vorgangPIN') as string;
+		const type: string | null = data.get('type') as string;
 		const fileName: string | null = data.get('fileName') as string;
 
-		const vorgangExists = vorgangNameExists(vorgangName);
 		let vorgangToken;
-
-		if (!vorgangExists) {
-			vorgangToken = uuidv4();
-			const insertSQLStatement = `INSERT INTO cases (token, name, pin) VALUES (?, ?, ?)`;
-			const statement = db.prepare(insertSQLStatement);
-			statement.run(vorgangToken, vorgangName, vorgangPIN);
-		} else {
-			const vorgang = getVorgangByName(vorgangName);
-			vorgangToken = vorgang.token;
-			if (vorgang && vorgang.pin != vorgangPIN) {
-				const updateSQLStmt = `UPDATE cases SET pin = ? WHERE token = ?`;
-				const statement = db.prepare(updateSQLStmt);
-				statement.run(vorgangPIN, vorgangToken);
-			}
-		}
+		const vorgang = getVorgangByName(vorgangName);
+		vorgangToken = vorgang.token;
 
 		let objectName = `${vorgangToken}/${crimeName}`;
 		switch (type) {
@@ -51,7 +34,7 @@ export const actions = {
 					objectName += '.glb';
 		}
 
-		const url = await client.presignedPutObject('tatort', objectName);
+		const url = await client.presignedPutObject(BUCKET, objectName);
 
 		return { url };
 	},
@@ -60,7 +43,6 @@ export const actions = {
 		const data = Object.fromEntries(requestData);
 		const vorgang = data.vorgang;
 		const name = data.name;
-		const vorgangPIN = data.vorgangPIN;
 		let success = true;
 		const err = {};
 		if (isRequiredFieldValid(vorgang)) {
@@ -77,13 +59,6 @@ export const actions = {
 			success = false;
 		}
 
-		if (isRequiredFieldValid(vorgangPIN)) {
-			err.vorgangPIN = null;
-		} else {
-			err.vorgangPIN = 'Das Feld Zugangspasswort darf nicht leer bleiben.';
-			success = false;
-		}
-
 		if (success) return { success };
 
 		return fail(400, err);
@@ -95,7 +70,7 @@ export const actions = {
 		const vorgang = data.vorgang;
 		const name = data.name;
 
-		const url = await client.presignedPutObject('tatort', `${vorgang}/${name}`, 60);
+		const url = await client.presignedPutObject(BUCKET, `${vorgang}/${name}`, 60);
 
 		return { url };
 	},
@@ -106,7 +81,7 @@ export const actions = {
 		const stream = data.file.stream();
 		const metaData = { 'Content-Type': 'model-gtlf-binary', 'X-VorgangsNr': '4711' };
 		const result = new Promise((resolve, reject) => {
-			client.putObject('tatort', name, Readable.from(stream), metaData, function (err, etag) {
+			client.putObject(BUCKET, name, Readable.from(stream), metaData, function (err, etag) {
 				if (err) return reject(err);
 				resolve(etag);
 			});
@@ -123,3 +98,10 @@ export const actions = {
 		return { etag, error };
 	}
 };
+
+
+export const load: PageServerLoad = async (event) => {
+	if (!event.locals.user) {
+		error(404, 'Not found')
+	}
+};

src/routes/(angemeldet)/upload/+page.svelte

@@ -9,6 +9,7 @@
 	import shortenFileSize from '$lib/helper/shortenFileSize.js';
 	import Exclamation from '$lib/icons/Exclamation.svelte';
 	import FileRect from '$lib/icons/File-rect.svelte';
+	import { API_ROUTES, ROUTE_NAMES } from '../../index.js';
 
 	export let form;
 
@@ -43,7 +44,7 @@
 		data.append('vorgang', vorgang);
 		data.append('name', name);
 		data.append('vorgangPIN', vorgangPIN);
-		const response = await fetch('?/validate', { method: 'POST', body: data });
+		const response = await fetch(ROUTE_NAMES.UPLOAD_VALIDATE, { method: 'POST', body: data });
 		/** @type {import('@sveltejs/kit').ActionResult} */
 		const result = deserialize(await response.text());
 
@@ -76,7 +77,7 @@
 			data.append('type', files[0].type);
 			data.append('fileName', files[0].name);
 		}
-		const response = await fetch('?/url', { method: 'POST', body: data });
+		const response = await fetch(ROUTE_NAMES.UPLOAD_URL, { method: 'POST', body: data });
 		/** @type {import('@sveltejs/kit').ActionResult} */
 		const result = deserialize(await response.text());
 		if (result.type === 'success') return result.data?.url;
@@ -151,7 +152,6 @@
 		return true;
 	}
 
-	// `/(angemeldet)/view` return true or false
 	async function checkVorgangExists(vorgangName: string) {
 		if (vorgangName == '') {
 			vorgangPIN = vorgangPINOld;
@@ -159,7 +159,8 @@
 		}
 
 		try {
-			const url = `/api/list/${vorgangName}`;
+			// `HEAD` method
+			const url = API_ROUTES.VORGANG_NAME_EXIST(vorgangName);
 			const response = await fetch(url, { method: 'HEAD' });
 
 			if (response.status === 200) {
@@ -185,7 +186,7 @@
 	async function getVorgangPIN(vorgangName: string) {
 		if (vorgangName == '') return;
 
-		let url = `/api/vorgang/${vorgangName}/vorgangPIN`;
+		let url = API_ROUTES.VORGANG_PIN(vorgangName);
 		const response = await fetch(url);
 
 		if (response.status == 200) {

src/routes/(angemeldet)/user-management/+page.server.ts

@@ -0,0 +1,8 @@
+import type { PageServerLoad } from '../../(token-based)/view/$types';
+import { error } from '@sveltejs/kit';
+
+export const load: PageServerLoad = async (event) => {
+	if (!event.locals.user) {
+		error(404, 'Not Found')
+	}
+};

src/routes/(angemeldet)/user-management/+page.svelte

@@ -1,6 +1,7 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
 	import Button from '$lib/components/Button.svelte';
+	import { API_ROUTES } from '../../index.js';
 
 	const { data } = $props();
 
@@ -20,7 +21,7 @@
 	});
 
 	async function getUsers() {
-		const URL = '/api/users';
+		const URL = API_ROUTES.USERS;
 
 		try {
 			const response = await fetch(URL);
@@ -42,7 +43,7 @@
 			return;
 		}
 
-		const URL = '/api/users';
+		const URL = API_ROUTES.USERS;
 		const userData = { userName: userName, userPassword: userPassword };
 
 		try {
@@ -78,7 +79,7 @@
 	}
 
 	async function deleteUser(userId: string) {
-		const URL = `/api/users/${userId}`;
+		const URL = API_ROUTES.USER(userId);
 
 		try {
 			const response = await fetch(URL, {

src/routes/(token-based)/+layout.server.ts

@@ -1,22 +1,22 @@
-import {
-	vorgangPINValidation,
-	vorgangExists
-} from '$lib/server/vorgangService';
+import { vorgangPINValidation, vorgangExists } from '$lib/server/vorgangService';
 import { redirect } from '@sveltejs/kit';
-import type { PageServerLoad } from './list/[vorgang]/$types';
+import type { LayoutServerLoad } from './$types';
+import { ROUTE_NAMES } from '..';
 
-export const load: PageServerLoad = async ({ params, url, locals }) => {
+export const load: LayoutServerLoad = async ({ params, cookies, locals }) => {
 	if (locals.user) {
 		return {
 			user: locals.user
 		};
 	}
 
-	const vorgangToken = params.vorgang;
-	const vorgangPIN = url.searchParams.get('pin');
+	const vorgangToken = params.vorgang ?? '';
+	const COOKIE_NAME = `token-${vorgangToken}`;
+	const vorgangPIN = cookies.get(COOKIE_NAME) ?? '';
 
 	const isVorgangValid = vorgangExists(vorgangToken);
 	const isVorgangPINValid = vorgangPINValidation(vorgangToken, vorgangPIN);
 
-	if (!isVorgangValid || !isVorgangPINValid) throw redirect(303, `/anmeldung?vorgang=${vorgangToken}`);
+	if (!isVorgangValid || !isVorgangPINValid)
+		throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));
 };

src/routes/(token-based)/list/[vorgang]/+page.server.ts

@@ -0,0 +1,23 @@
+import { getCrimesListByToken, getVorgaenge } from '$lib/server/vorgangService.js';
+import type { PageServerLoad } from './$types';
+
+export const load: PageServerLoad = async ({ params, url }) => {
+	const vorgangList = getVorgaenge();
+	const vorgangToken = params.vorgang;
+	const crimesList = await getCrimesListByToken(vorgangToken);
+	const vorgang = vorgangList.find((v) => v.vorgangToken === vorgangToken); //vorgang sollte ein eigener Typ werden, und dann kann man es hier vernünftig typisieren
+	if (!vorgang || !crimesList) {
+		throw new Error(`Fehlgeschlagen, es wurden keine Daten zum token gefunden`);
+	}
+
+	//Variabeln für NameItemEditor
+	const crimeNames: string[] = crimesList.map((l) => l.name);
+
+	return {
+		vorgang,
+		vorgangList,
+		crimesList,
+		url,
+		crimeNames
+	};
+}

src/routes/(token-based)/list/[vorgang]/+page.svelte

@@ -1,7 +1,9 @@
 <script lang="ts">
+    import { fade } from 'svelte/transition';
 	import shortenFileSize from '$lib/helper/shortenFileSize';
 	import timeElapsed from '$lib/helper/timeElapsed';
-
+	import { deserialize } from '$app/forms';
+	import ExpandableForm from '$lib/components/ExpandableForm.svelte';
 	import Alert from '$lib/components/Alert.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import Modal from '$lib/components/Modal/Modal.svelte';
@@ -9,12 +11,15 @@
 	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
 	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
 	import Cube from '$lib/icons/Cube.svelte';
-	import { invalidate, invalidateAll } from '$app/navigation';
+	import { invalidateAll } from '$app/navigation';
 	import NameItemEditor from '$lib/components/NameItemEditor.svelte';
 	import EmptyList from '$lib/components/EmptyList.svelte';
+	import FileRect from '$lib/icons/File-rect.svelte';
+	import Exclamation from '$lib/icons/Exclamation.svelte';
+	import { API_ROUTES, ROUTE_NAMES } from '../../../index.js';
 
 	//Seite für die Tatort-Liste
-	let { data } = $props();
+	let { data, form } = $props();
 
 	interface ListItem {
 		//sollte Typ Vorgang sein, aber der einfachheit ist es noch ListItem, damit die Komponente NameItemEditor für Vorgang und Tatort eingesetzt werden kann
@@ -26,53 +31,195 @@
 		// add other properties as needed
 	}
 
+	let crimesList = $state<ListItem[]>(data.crimesList);
 	let vorgangName: string = data.vorgang.vorgangName;
-	let crimesList: ListItem[] = $state(data.crimesList);
 	const vorgangPIN: string = data.vorgang.vorgangPIN;
 	let vorgangToken: string = data.vorgang.vorgangToken;
 	let isEmptyList = $derived(crimesList.length === 0);
 
+	// File Upload Variablen
+	let name = $state('');
+	let formErrors: Record<string, any> | null = $state(null);
+	let etag: string | null = $state(null);
+	let files: FileList | null = $state(null);
+	let fileInput = $state(null);
+
+	// Model Variablen für Upload
+	let openUL = $state(false);
+	let inProgressUL = $state(form === null);
+	
+	// Variablen für Copy-Funktion
+    let copied = $state(false);
+
+	async function buttonClick(event: MouseEvent) {
+		if (!(await validateForm())) {
+			event.preventDefault();
+			return;
+		}
+		const url = await getUrl();
+		openUL = true;
+		inProgressUL = true;
+
+		fetch(url, { method: 'PUT', body: files[0] })
+			.then((response) => {
+				inProgressUL = false;
+				etag = '123';
+			})
+			.catch((err) => {
+				inProgressUL = false;
+				etag = null;
+				console.log('ERROR', err);
+			});
+	}
+
+	async function validateForm() {
+		let data = new FormData();
+		data.append('vorgang', vorgangName);
+		data.append('name', name);
+		const response = await fetch(ROUTE_NAMES.UPLOAD_VALIDATE, { method: 'POST', body: data });
+		const result = deserialize(await response.text());
+
+		let success = true;
+		if (result.type === 'success') {
+			formErrors = null;
+		} else {
+			if (result.type === 'failure' && result.data) formErrors = result.data;
+			success = false;
+		}
+
+		if (!files?.length) {
+			formErrors = { file: 'Sie haben keine Datei ausgewählt.', ...formErrors };
+			success = false;
+		}
+
+		if (!(await check_valid_glb_file())) {
+			formErrors = { file: 'Keine gültige .GLD-Datei', ...formErrors };
+			success = false;
+		}
+		return success;
+	}
+
+	async function uploadSuccessful() {
+		openUL = false;
+		name = '';
+		files = null;
+		fileInput.value = "";
+		await invalidateAll();
+		crimesList = data.crimesList;
+	}
+
+	// `val` is hex string
+	function swap_endian(val) {
+		// from https://www.geeksforgeeks.org/bit-manipulation-swap-endianness-of-a-number/
+
+		let leftmost_byte = (val & eval(0x000000ff)) >> 0;
+		let left_middle_byte = (val & eval(0x0000ff00)) >> 8;
+		let right_middle_byte = (val & eval(0x00ff0000)) >> 16;
+		let rightmost_byte = (val & eval(0xff000000)) >> 24;
+
+		leftmost_byte <<= 24;
+		left_middle_byte <<= 16;
+		right_middle_byte <<= 8;
+		rightmost_byte <<= 0;
+
+		let res = leftmost_byte | left_middle_byte | right_middle_byte | rightmost_byte;
+
+		return res;
+	}
+
+	async function check_valid_glb_file() {
+		// GLD Header, magic value 0x46546C67, identifies data as binary glTF, 4 bytes
+		// little endian!
+		const GLD_MAGIC = 0x46546c67;
+
+		// big endian!
+		let file = files[0];
+		const fileHeader = file.slice(0, 4);
+		const buffer = await fileHeader.arrayBuffer();
+		console.log(fileHeader);
+		let headerBytes = new Uint8Array(buffer);
+		let fileHeaderHex = '0x' + headerBytes.toHex().toString();
+
+		if (GLD_MAGIC == swap_endian(fileHeaderHex)) {
+			return true;
+		} else {
+			return false;
+		}
+	}
+
+	async function getUrl() {
+		let data = new FormData();
+		data.append('vorgang', vorgangName);
+		data.append('name', name);
+		if (files?.length === 1) {
+			data.append('type', files[0].type);
+			data.append('fileName', files[0].name);
+		}
+		const response = await fetch(ROUTE_NAMES.UPLOAD_URL, { method: 'POST', body: data });
+		const result = deserialize(await response.text());
+		if (result.type === 'success') return result.data?.url;
+
+		return null;
+	}
+
 	//Variablen für Modal
 	let open = $state(false);
 	let inProgress = $state(false);
 	let isError = $state(false);
 
-	//Variable um nur admin UI anzuzeigen
 	let admin = data?.user?.admin;
 
 	async function handleSave(newName: string, oldName: string) {
 		open = true;
 		inProgress = true;
+		isError = false;
 		try {
-			const res = await fetch(`/api/list/${vorgangToken}/${oldName}`, {
+			const res = await fetch(API_ROUTES.CRIME(vorgangToken, oldName), {
 				method: 'PUT',
 				headers: {
 					'Content-Type': 'application/json'
 				},
 				body: JSON.stringify({ vorgangToken, oldName, newName })
-			})
-				.then(() => {
-					inProgress = false;
-				})
-				.catch((err) => {
-					inProgress = false;
-					isError = true;
-					console.log('ERROR', err);
-				});
+			});
 
 			if (!res.ok) {
-				const msg = await res.text();
-				console.error('❌ Fehler beim Umbenennen:', msg);
-				isError = true;
-				inProgress = false;
-			} else {
-				await invalidateAll();
-				crimesList = data.crimesList;
-				open = false;
-				inProgress = false;
+				throw new Error('Fehler beim Speichern');
 			}
+			await invalidateAll();
+			crimesList = data.crimesList;
+			open = false;
 		} catch (err) {
-			console.error('⚠️ Netzwerkfehler:', err);
+			console.error('⚠️ Netzwerkfehler beim Speichern', err);
+			isError = true;
+		} finally {
+			inProgress = false;
+		}
+	}
+
+	async function savePIN(newVorgangPIN: string, oldVorgangPIN: string) {
+		open = true;
+		inProgress = true;
+		isError = false;
+		try {
+			const res = await fetch(API_ROUTES.VORGANG(vorgangToken), {
+				method: 'PUT',
+				headers: {
+					'Content-Type': 'application/json'
+				},
+				body: JSON.stringify({ vorgangToken, oldVorgangPIN, newVorgangPIN,
+										changePIN: true})
+			});
+
+			if (!res.ok) {
+				throw new Error('Fehler beim Speichern');
+			}
+			await invalidateAll();
+			crimesList = data.crimesList;
+			open = false;
+		} catch (err) {
+			console.error('⚠️ Netzwerkfehler beim Speichern', err);
+			isError = true;
+		} finally {
 			inProgress = false;
 		}
 	}
@@ -80,45 +227,35 @@
 	async function handleDelete(tatort: string) {
 		open = true;
 		inProgress = true;
-		let url = new URL(data.url);
-		url.pathname += `/${tatort}`;
-		console.log('Delete tatort: ', `/api${url.pathname}`, url.pathname);
+		isError = false;
+		let path = API_ROUTES.CRIME(vorgangToken, tatort)
 
 		try {
-			const res = await fetch(`/api${url.pathname}`, {
+			const res = await fetch(path, {
 				method: 'DELETE',
 				headers: {
 					'Content-Type': 'application/json'
 				},
 				body: JSON.stringify({ vorgangToken, tatort })
-			})
-				.then(() => {
-					inProgress = false;
-				})
-				.catch((err) => {
-					isError = true;
-					inProgress = false;
-					console.log('ERROR', err);
-				});
-			if (!res.ok) {
-				const msg = await res.text();
-				console.error('❌ Fehler beim Löschen:', msg);
-			} else {
-				console.log('🗑️ Erfolgreich gelöscht:', url.pathname);
-				await invalidateAll();
+			});
 
-				crimesList = data.crimesList;
+			if (!res.ok) {
+				throw new Error('Fehler beim Löschen');
 			}
+			crimesList = crimesList.filter((i) => i.name !== tatort);
+			await invalidateAll();
+			console.log('🗑️ Erfolgreich gelöscht:', path);
+			open = false;
 		} catch (err) {
+			console.error('⚠️ Netzwerkfehler beim Speichern', err);
 			isError = true;
+		} finally {
 			inProgress = false;
-			console.error('⚠️ Netzwerkfehler beim Löschen:', err);
 		}
 	}
 
-	function constructMailToLink() {
+	async function copyAndOpenMail() {
 		const subject = 'Link zum Tatvorgang';
-
 		const link = data.url.origin + data.url.pathname;
 		const body = `Hallo,
 
@@ -130,27 +267,75 @@ Der Zugangs-PIN wird zur Sicherheit über einen zweiten Kommunikationskanal übe
 Mit freundlichen Grüßen,
 `;
 
-		const mailtoLink = `mailto:?subject=${encodeURIComponent(subject)}&body=${encodeURIComponent(body)}`;
+    try {
+        await navigator.clipboard.writeText(body);
+        
+        copied = true;
 
-		return mailtoLink;
-	}
+        // Kurz warten, dann Mail öffnen
+        setTimeout(() => {
+            const mailtoLink = `mailto:?subject=${encodeURIComponent(subject)}`;
+            window.location.href = mailtoLink;
+        }, 1000);
+        
+        setTimeout(() => copied = false, 2000);
+    } catch (err) {
+        console.error('Clipboard-Fehler:', err);
+        error = 'Konnte Text nicht kopieren. Bitte manuell markieren und kopieren.';
+        }
+    }
 
 	function closeModal() {
 		open = false;
 		isError = false;
 	}
+
+	// drag and drop functionality
+		let isDragging = $state(false);
+
+		async function handleDrop(event) {
+			event.preventDefault();
+			isDragging = false;
+
+			if (event.dataTransfer?.files?.length) {
+				files = event.dataTransfer.files;
+			}
+			if (!(await check_valid_glb_file())) {
+				formErrors = { file: 'Keine gültige .GLD-Datei' }
+				// reset form fields etc.
+				files = null;
+				fileInput.value = '';
+			} else {
+				formErrors = { ...formErrors, file: ''}
+			};
+		}
+
 </script>
 
-{#if data.vorgang && data.crimesList}
+<svelte:window
+	on:dragover|preventDefault
+	on:drop|preventDefault
+/>
+
+{#if data.vorgang && crimesList}
 	<div class="-z-10 bg-white">
 		<div class="flex flex-col items-center justify-center w-full">
-			<h1 class="text-xl">Vorgang {vorgangName}</h1>
+			<h1 class="text-xl">{vorgangName}</h1>
 
 			{#if admin}
-				Zugangs-PIN: {vorgangPIN}
-				<a class="pt-2 pb-6" href={constructMailToLink()}
-					><Button disabled={isEmptyList}>Share Link</Button></a
-				>
+				<div class="flex items-center gap-2">
+				Zugangs-PIN:
+				<NameItemEditor
+				list={[]}
+				currentName={vorgangPIN}
+				onSave={savePIN}
+				onDelete={null}
+				/>
+				</div>
+                <Button variant="secondary" on:click={copyAndOpenMail} disabled={isEmptyList}>Link kopieren und Mail verfassen</Button>
+                {#if copied}
+                <p transition:fade>✔ Kopiert! Per Ctrl+V einfügen.</p>
+                {/if}
 			{/if}
 		</div>
 		<div class="mx-auto flex justify-center max-w-7xl h-full">
@@ -158,54 +343,156 @@ Mit freundlichen Grüßen,
 				{#if isEmptyList}
 					<EmptyList></EmptyList>
 				{:else}
-					{#each data.crimesList as item, crimeListItemIndex}
-						<li>
-							<div class=" flex gap-x-4">
-								<a
-									href="/view/{vorgangToken}/{item.name}?pin={vorgangPIN}"
-									class=" flex justify-between gap-x-6 py-5"
-									aria-label="/view/{vorgangToken}/{item.name}?pin={vorgangPIN}"
-									title={item.name}
-								>
-									<Cube />
-								</a>
-								<div class="min-w-0 flex-auto">
-									{#if admin}
-										<NameItemEditor
-											list={data.crimesList}
-											editedName={data.crimeNames[crimeListItemIndex]}
-											currentName={item.name}
-											onSave={handleSave}
-											onDelete={handleDelete}
-										></NameItemEditor>
-									{:else}
-										<span class="text-sm font-semibold leading-6 text-gray-900 inline-block min-w-1"
-											>{item.name}</span
-										>
-									{/if}
-									{#if item.size}
-										<p class="mt-1 truncate text-xs leading-5 text-gray-500">
-											{shortenFileSize(item.size)}
-										</p>
-									{/if}
-								</div>
-							</div>
-							<div class="hidden sm:flex sm:flex-col sm:items-end">
-								<p class="text-sm leading-6 text-gray-900">3D Tatort</p>
-								{#if item.lastModified}
-									<p class="mt-1 text-xs leading-5 text-gray-500">
-										Zuletzt geändert <time datetime="2023-01-23T13:23Z"
-											>{timeElapsed(new Date(item.lastModified))}</time
-										>
-									</p>
-								{/if}
-							</div>
-						</li>
+					{#each crimesList as item (item.name)}
+					<li
+					data-testid="test-list-item"
+					class="flex items-center justify-between gap-6 py-4 px-2 hover:bg-gray-50 rounded-lg transition"
+					>
+					<div class="flex items-center gap-4 flex-1">
+						<a
+						data-testid="crime-link"
+						href="{ROUTE_NAMES.CRIME(vorgangToken, item.name, vorgangPIN)}"
+						class="flex items-center justify-center w-8 h-8 text-gray-600 hover:text-blue-600 transition"
+						aria-label="{ROUTE_NAMES.CRIME(vorgangToken, item.name, vorgangPIN)}"
+						title={item.name}
+						>
+						<Cube class="w-5 h-5" />
+						</a>
+
+						<div class="flex flex-col flex-1 min-w-0">
+						{#if admin}
+							<NameItemEditor
+							list={crimesList}
+							currentName={item.name}
+							onSave={handleSave}
+							onDelete={handleDelete}
+							/>
+						{:else}
+							<p
+							data-testid="test-nameItem-p"
+							class="text-sm font-semibold leading-6 text-gray-900 truncate"
+							>
+							{item.name}
+							</p>
+						{/if}
+
+						<!-- size left, last modified right -->
+						<div class="flex items-center justify-between mt-1 text-xs leading-5 text-gray-500">
+							{#if item.size}
+							<span>{shortenFileSize(item.size)}</span>
+							{:else}
+							<span></span>
+							{/if}
+							{#if item.lastModified}
+							<span>
+								Zuletzt geändert
+								<time datetime={item.lastModified}>
+								{timeElapsed(new Date(item.lastModified))}
+								</time>
+							</span>
+							{/if}
+						</div>
+						</div>
+					</div>
+					</li>
 					{/each}
 				{/if}
 			</ul>
 		</div>
 
+		{#if admin}
+		<div class="flex justify-center my-4">
+		<ExpandableForm>
+			<div class="mx-auto max-w-2xl">
+				<div class="flex flex-col items-center space-y-6">
+					<!-- Name Input -->
+					<div class="w-full max-w-md">
+						<label for="name" class="block text-sm font-medium leading-6 text-gray-900">
+							<span class="flex">
+								{#if formErrors?.name}
+									<span class="inline-block mr-1"><Exclamation /></span>
+								{/if} Modellname
+							</span>
+						</label>
+						<div class="mt-2">
+							<div
+								class="flex rounded-md shadow-sm ring-1 ring-inset ring-gray-300 focus-within:ring-2 focus-within:ring-inset focus-within:ring-indigo-600"
+							>
+								<input
+									bind:value={name}
+									type="text"
+									name="name"
+									id="name"
+									autocomplete={name}
+									class="block flex-1 border-0 bg-transparent py-1.5 pl-1 text-gray-900 placeholder:text-gray-400 focus:ring-0 sm:text-sm sm:leading-6"
+								/>
+							</div>
+						</div>
+						{#if formErrors?.name}
+							<p class="block text-sm leading-6 text-red-900 mt-2">{formErrors.name}</p>
+						{/if}
+					</div>
+
+					<!-- File Upload -->
+					<div class="w-full max-w-md">
+						<label for="file" class="block text-sm font-medium leading-6 text-gray-900">
+							<span class="flex">
+								{#if formErrors?.file}
+									<span class="inline-block mr-1"><Exclamation /></span>
+								{/if} Datei
+							</span>
+						</label>
+						<div
+							class="mt-2 flex justify-center rounded-lg border border-dashed px-6 py-10
+								{isDragging
+								? 'border-blue-500 bg-blue-50'
+								: 'border-gray-900/25'}"
+							on:dragover|preventDefault={() => (isDragging = true)}
+							on:dragleave={() => (isDragging = false)}
+							on:drop={handleDrop}
+						>
+							<div class="text-center">
+								<FileRect />
+								<div class="mt-4 flex text-sm leading-6 text-gray-600">
+									<label
+										for="file"
+										class="relative cursor-pointer rounded-md bg-white font-semibold text-indigo-600 focus-within:outline-none focus-within:ring-2 focus-within:ring-indigo-600 focus-within:ring-offset-2 hover:text-indigo-500"
+									>
+										<span>Wähle eine Datei aus</span>
+										<input id="file" bind:this={fileInput} bind:files name="file" type="file" class="sr-only" />
+									</label>
+									<p class="pl-1">oder ziehe sie ins Feld</p>
+								</div>
+								<p class="text-xs leading-5 text-gray-600">GLB Dateien bis zu 1GB</p>
+								{#if files?.length}
+									<div class="flex justify-center text-xs mt-2">
+										<p class="mx-2">Datei: <span class="font-bold">{files[0].name}</span></p>
+										<p class="mx-2">
+											Größe: <span class="font-bold">{shortenFileSize(files[0].size)}</span>
+										</p>
+									</div>
+								{/if}
+							</div>
+						</div>
+						{#if formErrors?.file}
+							<p class="block text-sm leading-6 text-red-900 mt-2">{formErrors.file}</p>
+						{/if}
+					</div>
+
+					<div class="mt-6 flex items-center justify-end gap-x-6">
+						<Button
+							on:click={buttonClick}
+							class="rounded-md bg-indigo-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600"
+						>
+							Hinzufügen
+						</Button>
+					</div>
+				</div>
+				</div>
+			</ExpandableForm>
+			</div>
+		{/if}
+
 		<Modal {open}
 			><ModalTitle>Umbenennen</ModalTitle><ModalContent>
 				{#if inProgress}
@@ -218,6 +505,21 @@ Mit freundlichen Grüßen,
 			</ModalContent>
 			<ModalFooter><Button disabled={inProgress} on:click={closeModal}>Ok</Button></ModalFooter>
 		</Modal>
+
+		<Modal open={openUL}
+			><ModalTitle>Upload</ModalTitle><ModalContent>
+				{#if inProgressUL}
+					<p class="py-2 mb-1">Upload läuft...</p>
+				{:else if etag}
+					<Alert class="w-full">Upload erfolgreich</Alert>
+				{:else}
+					<Alert class="w-full" type="error">Fehler beim Upload</Alert>
+				{/if}
+			</ModalContent>
+			<ModalFooter
+				><Button disabled={inProgressUL} on:click={uploadSuccessful}>Ok</Button></ModalFooter
+			>
+		</Modal>
 	</div>
 {/if}
 

src/routes/(token-based)/list/[vorgang]/+page.ts

@@ -1,24 +0,0 @@
-
-export async function load({fetch, params, url}){
-    const  vorgangResponse = await fetch(`/api/list`);
-     const vorgangList = await vorgangResponse.json()
-     const vorgangToken = params.vorgang;
-         const crimesListResponse = await fetch(`/api/list/${vorgangToken}`)
-         const crimesList = await crimesListResponse.json();
-    const vorgang = vorgangList.find(v => v.vorgangToken === vorgangToken); //vorgang sollte ein eigener Typ werden, und dann kann man es hier vernünftig typisieren
-    if(!vorgang || !crimesList){
-  	throw new Error(`Fehlgeschlagen, es wurden keine Daten zum token gefunden`);
-    }
-
-	//Variabeln für NameItemEditor
-	const crimeNames: string[] = crimesList.map((l) => l.name);
-
-
-     return {
-      vorgang,
-      vorgangList,
-      crimesList,
-      url,
-      crimeNames
-     }
-}

src/routes/(token-based)/view/[vorgang]/[tatort]/+page.server.ts

@@ -1,8 +1,8 @@
-import { client } from '$lib/minio';
+import { BUCKET, client } from '$lib/minio';
 import type { PageServerLoad } from './$types';
 
 export const load: PageServerLoad = async ({ params }) => {
 	const { vorgang, tatort } = params;
-	const url = await client.presignedUrl('GET', 'tatort', `${vorgang}/${tatort}`);
+	const url = await client.presignedUrl('GET', BUCKET, `${vorgang}/${tatort}`);
 	return { url };
-}
+};

src/routes/anmeldung/+page.server.ts

@@ -1,16 +1,35 @@
-import { loginUser, logoutUser } from '$lib/server/authService';
-import { redirect } from '@sveltejs/kit';
+import { dev } from '$app/environment';
+import { error, fail, redirect } from '@sveltejs/kit';
+import { ROUTE_NAMES } from '../index.js';
+import { vorgangPINValidation } from '$lib/server/vorgangService.js';
 
 export const actions = {
-	login: ({ request, cookies }) => loginUser({ request, cookies }),
-	logout: (event) => logoutUser(event),
-	getVorgangByToken: async ({ request }) => {
+	default: async ({ request, cookies }) => {
 		const data = await request.formData();
 		const vorgangToken = data.get('vorgang-token');
-		const vorgangPIN = data.get('vorgang-pin');
+		const vorgangPIN = data.get('vorgang-pin') as string;
 
-		if (!vorgangToken || !vorgangPIN) return;
+		if (!vorgangPIN) {
+			return fail(400, { message: 'Bitte einen PIN eingeben.'});
+		}
 
-		throw redirect(303, `/list/${vorgangToken}?pin=${vorgangPIN}`);
+		if (!vorgangPINValidation(vorgangToken, vorgangPIN)) {
+			return fail(400, { message: 'Falsche Zugangsdaten.'});
+		}
+
+		const COOKIE_NAME = `token-${vorgangToken}`;
+		cookies.set(COOKIE_NAME, vorgangPIN, {
+			path: '/',
+			httpOnly: true,
+			sameSite: 'strict',
+			secure: !dev
+		});
+
+		throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken));
 	}
 } as const;
+
+export const load: PageServerLoad = async ({ url }) => {
+	const vorgang = url.searchParams.get('vorgang');
+	if (!vorgang) error(404, "Not Found");
+};

src/routes/anmeldung/+page.svelte

@@ -1,21 +1,15 @@
 <script lang="ts">
 	import BaseInputField from '$lib/components/BaseInputField.svelte';
 	import Button from '$lib/components/Button.svelte';
-	import Modal from '$lib/components/Modal/Modal.svelte';
-	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
-	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
-	import ModalTitle from '$lib/components/Modal/ModalTitle.svelte';
 	import ArrowRight from '$lib/icons/Arrow-right.svelte';
-	import Login from '$lib/icons/Login.svelte';
 
 	export let form;
-
-	export let open = false;
-
 	import { page } from '$app/state';
+	import { ROUTE_NAMES } from '../index.js';
 	const vorgangToken = page.url.searchParams.get('vorgang');
 </script>
 
+{#if vorgangToken}
 <div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
 	<div class="sm:mx-auto sm:w-full sm:max-w-sm">
 		<img class="mx-auto h-10 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
@@ -27,73 +21,30 @@
 	<div class="w-full max-w-sm mx-auto">
 		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
 			<div class="mt-10">
-				<form action="?/getVorgangByToken" method="POST">
-					<BaseInputField
-						id="vorgang-token"
-						name="vorgang-token"
-						label="Vorgangskennung"
-						type="text"
-						value={vorgangToken}
-					/>
-					<div class="mt-5">
-						<BaseInputField
-							id="vorgang-pin"
-							name="vorgang-pin"
-							label="Zugangs-PIN"
-							type="text"
-							value={form?.vorgangPIN}
-							error={form?.error?.message}
-						/>
-					</div>
-					<div class="flex justify-end pt-4">
-						<Button type="submit"><ArrowRight /></Button>
-					</div>
-				</form>
+
+					<form method="POST">
+						<input type="hidden" name="vorgang-token" value={vorgangToken} />
+						<div class="mt-5">
+							<BaseInputField
+								id="vorgang-pin"
+								name="vorgang-pin"
+								label="Zugangs-PIN"
+								type="text"
+								value={form?.vorgangPIN}
+								error={form?.error?.message}
+							/>
+						</div>
+						{#if form?.message}
+							<p class="block text-sm leading-6 text-red-900 mt-2">{form.message}</p>
+						{/if}
+
+						<div class="flex justify-end pt-4">
+							<Button type="submit"><ArrowRight /></Button>
+						</div>
+					</form>
+
 			</div>
 		</div>
-		<div class="flex justify-end mt-10 px-3">
-			<Button on:click={() => (open = true)}><Login /></Button>
-		</div>
 	</div>
 </div>
-<Modal {open}>
-	<ModalTitle>Anmelden</ModalTitle>
-	<ModalContent class="flex justify-center">
-		<form action="?/login" method="POST">
-			<div>
-				<label for="user" class="text-sm font-medium leading-6 text-gray-900">Kennung</label>
-				<div class="mt-2">
-					<input
-						id="user"
-						name="user"
-						type="text"
-						autocomplete="email"
-						required
-						class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
-					/>
-				</div>
-			</div>
-
-			<div>
-				<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
-					>Passwort</label
-				>
-				<div class="mt-2">
-					<input
-						id="password"
-						name="password"
-						type="password"
-						autocomplete="current-password"
-						required
-						class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
-					/>
-				</div>
-			</div>
-
-			<div class="flex justify-end">
-				<Button type="submit" class="mt-5">Anmelden</Button>
-			</div>
-		</form>
-	</ModalContent>
-	<ModalFooter><Button on:click={() => (open = false)}>Ok</Button></ModalFooter>
-</Modal>
+{/if}

src/routes/api/list/+server.ts

@@ -1,14 +1,9 @@
 import { getVorgaenge } from '$lib/server/vorgangService';
-import { json } from '@sveltejs/kit';
-
-export async function GET({ locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
 
+export async function GET() {
 	const vorgaenge = getVorgaenge();
 
 	return new Response(JSON.stringify(vorgaenge), {
 		status: 200
 	});
-}
+}

src/routes/api/list/[vorgang]/+server.ts

@@ -1,17 +1,18 @@
-import { client } from '$lib/minio';
+import { BUCKET, client } from '$lib/minio';
+import { json } from '@sveltejs/kit';
 import {
 	deleteVorgangByToken,
 	getCrimesListByToken,
-	vorgangNameExists
+	vorgangNameExists,
+	updateVorgangAttrByToken
 } from '$lib/server/vorgangService';
-import { json } from '@sveltejs/kit';
 
 export async function DELETE({ params }) {
 	const vorgangToken = params.vorgang;
 
 	const object_list = await new Promise((resolve, reject) => {
 		const res = [];
-		const items_str = client.listObjects('tatort', vorgangToken, true);
+		const items_str = client.listObjects(BUCKET, vorgangToken, true);
 
 		items_str.on('data', (obj) => {
 			res.push(obj.name);
@@ -24,7 +25,7 @@ export async function DELETE({ params }) {
 		});
 	});
 
-	await client.removeObjects('tatort', object_list);
+	await client.removeObjects(BUCKET, object_list);
 	deleteVorgangByToken(vorgangToken);
 
 	return new Response(null, { status: 204 });
@@ -44,11 +45,7 @@ export async function HEAD({ params }) {
 	}
 }
 
-export async function GET({ params, locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
-
+export async function GET({ params }) {
 	try {
 		const vorgangToken = params.vorgang;
 		const crimesList = await getCrimesListByToken(vorgangToken);
@@ -61,3 +58,31 @@ export async function GET({ params, locals }) {
 		return new Response(null, { status: 500 });
 	}
 }
+
+// change Vorgang properties
+export async function PUT({ request }) {
+	const data = await request.json();
+	
+	const vorgangToken = data['vorgangToken'];
+
+	const changePIN = data['changePIN'];
+
+	let attrChanged;
+	let newValue;
+	
+	if (changePIN) {
+		attrChanged = 'pin';
+		newValue = data['newVorgangPIN']
+	} else {
+		attrChanged = 'name';
+		newValue = data['newName']
+	}
+
+	const res = updateVorgangAttrByToken(vorgangToken, newValue, attrChanged);
+	
+	if (!res) {
+		return json({ msg: 'Fehler beim Umbenennen' }, { status: 400 });
+	}
+
+	return json({ success: 'success' }, { status: 200 });
+}

src/routes/api/list/[vorgang]/[tatort]/+server.ts

@@ -24,7 +24,7 @@ export async function GET() {
 	});
 }
 
-export async function DELETE({ request }: { request: Request }) {
+export async function DELETE({ request }) {
 	const url_fragments = request.url.split('/');
 	const item = url_fragments.at(-1);
 	const vorgang = url_fragments.at(-2);
@@ -40,10 +40,9 @@ export async function PUT({ params, request }) {
 
 	const vorgangToken = params.vorgang;
 
-
 	// prepare copy, incl. check if new name exists already
 	const crimeOldName = data['oldName'];
-	const crimeS3FullBucketPathOld = `/tatort/${vorgangToken}/${crimeOldName}`;
+	const crimeS3FullBucketPathOld = `/${BUCKET}/${vorgangToken}/${crimeOldName}`;
 	const crimeNewName = `${vorgangToken}/${data['newName']}`;
 
 	if (!crimeOldName || !crimeNewName) {
@@ -51,14 +50,14 @@ export async function PUT({ params, request }) {
 	}
 
 	try {
-		await client.statObject('tatort', crimeNewName);
+		await client.statObject(BUCKET, crimeNewName);
 		return json({ msg: 'Die Datei existiert bereits.' }, { status: 400 });
 	} catch (error) {
 		console.log(error, 'continue operation');
 	}
 
-	await client.copyObject('tatort', crimeNewName, crimeS3FullBucketPathOld);
-	await client.removeObject('tatort', `${vorgangToken}/${crimeOldName}`);
+	await client.copyObject(BUCKET, crimeNewName, crimeS3FullBucketPathOld);
+	await client.removeObject(BUCKET, `${vorgangToken}/${crimeOldName}`);
 
 	return json({ success: 'success' }, { status: 200 });
 }

src/routes/api/users/+server.ts

@@ -4,21 +4,14 @@ import bcrypt from 'bcrypt';
 
 const saltRounds = 12;
 
-export function GET({ locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
+export function GET() {
 
 	const userList = getUsers();
 
 	return new Response(JSON.stringify(userList));
 }
 
-export async function POST({ request, locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
-
+export async function POST({ request }) {
 	const data = await request.json();
 	const userName = data.userName;
 	const userPassword = data.userPassword;

src/routes/api/users/[user]/+server.ts

@@ -1,11 +1,6 @@
-import { json } from '@sveltejs/kit';
 import { deleteUser } from '$lib/server/userService';
 
-export async function DELETE({ params, locals }) {
-	if (!locals.user) {
-		return json({ error: 'Unauthorized' }, { status: 401 });
-	}
-
+export async function DELETE({ params }) {
 	const userId = params.user;
 	const rowCount = deleteUser(userId);
 

src/routes/index.ts

@@ -0,0 +1,41 @@
+export const ROUTE_NAMES = {
+	ROOT: '/',
+
+	// (angemeldet)
+	LIST: '/list',
+	UPLOAD: '/upload',
+	// UPLOAD actions
+	UPLOAD_URL: '/upload?/url',
+	UPLOAD_VALIDATE: '/upload?/validate',
+
+	USERMGMT: '/user-management',
+
+	// (token-based)
+	VORGANG: (vorgangToken: string) => `/list/${vorgangToken}`,
+	CRIME: (vorgangToken: string, tatort: string) => `/view/${vorgangToken}/${tatort}`,
+
+	// Anmeldung: actions
+	ANMELDUNG: '/anmeldung',
+	LOGIN: '/?/login',
+	LOGOUT: '/?/logout',
+	ANMELDUNG_GET_VORGANG_BY_TOKEN: '/anmeldung?/getVorgangByToken',
+	ANMELDUNG_VORGANG_PARAM: (vorgangToken: string) => `/anmeldung?vorgang=${vorgangToken}`
+};
+
+export const API_ROUTES = {
+	LIST: '/api/list',
+	VORGANG: (vorgangToken: string) => `/api/list/${vorgangToken}`,
+	// via `HEAD` method
+	VORGANG_NAME_EXIST: (vorgangName: string) => `/api/list/${vorgangName}`,
+	VORGANG_PIN: (vorgangName: string) => `/api/vorgang/${vorgangName}/vorgangPIN`,
+
+	// Tatort
+	CRIME: (vorgangToken: string, crimeName: string) => `/api/list/${vorgangToken}/${crimeName}`,
+
+	// Users
+	USERS: '/api/users',
+	USER: (userId: string) => `/api/users/${userId}`
+};
+
+const isProd = process.env.NODE_ENV == 'production';
+export const DB_FULLPATH = !isProd ? './src/lib/data/tatort.db' : '/daten/tatort.db';

tests/api/API_Protection.test.ts

@@ -0,0 +1,37 @@
+import { describe, test, expect, vi } from 'vitest';
+import { handle } from '../../src/hooks.server';
+
+const event = {
+    url: new URL("http://localhost/api/list"),
+    cookies: { get: vi.fn(() => null) },
+    locals: {user: null}
+};
+
+vi.mock('$lib/auth', () => ({
+    decryptToken: vi.fn()
+}));
+
+describe('API-Endpoints: Zugangs-Mechanismus', () => {
+    test('Unautorisierter Zugriff', async () => {
+        const resolve = vi.fn();
+
+        const response = await handle({ event, resolve });
+
+        expect(response.status).toBe(401);
+        const body = await response.json();
+        expect(body.error).toBe('Unauthorized');
+        expect(resolve).not.toHaveBeenCalled();
+    });
+
+    test('Authentifizierter Zugriff', async () => {
+        event.locals = {user: { id: 'admin', admin: true }}
+
+        const resolve = vi.fn(() => new Response('ok', { status: 200 }));
+
+        const response = await handle({ event, resolve });
+
+        expect(response.status).toBe(200);
+        expect(await response.text()).toBe('ok');
+        expect(resolve).toHaveBeenCalled();
+    });
+})

tests/api/List.test.ts

@@ -0,0 +1,49 @@
+import { describe, test, expect, vi } from 'vitest';
+import { GET } from '$root/routes/api/list/+server';
+import { getVorgaenge } from '$lib/server/vorgangService';
+
+// Mocks
+vi.mock('$lib/server/vorgangService', () => ({
+	getVorgaenge: vi.fn()
+}));
+
+const event = {
+	locals: {
+		user: { id: 'admin', admin: true }
+	}
+};
+
+describe('API-Endpoints: list', () => {
+	test('Leere Liste wenn keine Vorgänge existieren', async () => {
+		vi.mocked(getVorgaenge).mockReturnValueOnce([]);
+
+		const response = await GET(event);
+		expect(response.status).toBe(200);
+
+		const json = await response.json();
+		expect(json).toEqual([]);
+	});
+
+	test('Liste mit existierenden Vorgängen', async () => {
+		const testVorgaenge = [
+			{
+				vorgangToken: '19f1d34e-4f31-48e8-830f-c4e42c29085e',
+				vorgangName: 'xyz-123',
+				vorgangPIN: 'pin-123'
+			},
+			{
+				vorgangToken: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
+				vorgangName: 'vorgang-2',
+				vorgangPIN: 'pin-2'
+			}
+		];
+
+		vi.mocked(getVorgaenge).mockReturnValueOnce(testVorgaenge);
+
+		const response = await GET(event);
+		expect(response.status).toBe(200);
+
+		const json = await response.json();
+		expect(json).toEqual(testVorgaenge);
+	});
+});

tests/api/ListVorgang.test.ts

@@ -0,0 +1,122 @@
+import { describe, test, expect, vi } from 'vitest';
+import { DELETE, GET, HEAD } from '$root/routes/api/list/[vorgang]/+server';
+import {
+	getCrimesListByToken,
+	vorgangNameExists,
+	deleteVorgangByToken
+} from '$lib/server/vorgangService';
+import { BUCKET, client } from '$lib/minio';
+import { EventEmitter } from 'events';
+
+// Mocks
+vi.mock('$lib/server/vorgangService', () => ({
+	getCrimesListByToken: vi.fn(),
+	vorgangNameExists: vi.fn(),
+	deleteVorgangByToken: vi.fn()
+}));
+
+vi.mock('$lib/minio', () => ({
+	client: {
+		listObjects: vi.fn(),
+		removeObjects: vi.fn()
+	},
+	BUCKET: 'tatort-test'
+}));
+
+const MockEvent = {
+	params: { vorgang: '123' },
+	locals: {
+		user: { id: 'admin', admin: true }
+	}
+};
+
+describe('API-Endpoints: list/[vorgang]', () => {
+	test('Vorgang ohne Tatorte', async () => {
+		const testCrimesList = [];
+
+		vi.mocked(getCrimesListByToken).mockReturnValueOnce(testCrimesList);
+
+		const response = await GET(MockEvent);
+		expect(response.status).toBe(200);
+
+		const json = await response.json();
+		expect(json).toEqual(testCrimesList);
+	});
+
+	test('Vorgang mit Tatorte', async () => {
+		const testCrimesList = [
+			{
+				name: 'model-A',
+				lastModified: '2025-08-28T09:44:12.453Z',
+				etag: '558f35716f6af953f9bb5d75f6d77e6a',
+				size: 8947140,
+				prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
+				show_button: true
+			},
+			{
+				name: 'model-z',
+				lastModified: '2025-08-28T10:37:20.142Z',
+				etag: '43e3989c32c4682bee407baaf83b6fa0',
+				size: 35788560,
+				prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
+				show_button: true
+			}
+		];
+
+		vi.mocked(getCrimesListByToken).mockReturnValueOnce(testCrimesList);
+
+		const response = await GET(MockEvent);
+		expect(response.status).toBe(200);
+
+		const json = await response.json();
+		expect(json).toEqual(testCrimesList);
+	});
+
+	test('Vorgang existiert via HEAD', async () => {
+		const vorgangExists = true;
+		vi.mocked(vorgangNameExists).mockReturnValueOnce(vorgangExists);
+
+		const response = await HEAD(MockEvent);
+		expect(response.status).toBe(200);
+
+		const textContent = await response.text();
+		expect(textContent).toEqual('');
+	});
+
+	test('Vorgang existiert nicht via HEAD', async () => {
+		const vorgangExists = false;
+		vi.mocked(vorgangNameExists).mockReturnValueOnce(vorgangExists);
+		const response = await HEAD(MockEvent);
+
+		expect(response.status).toBe(404);
+		const textContent = await response.text();
+
+		expect(textContent).toEqual('');
+	});
+
+	test('Lösche Vorgang und dazugehörige S3 Objekte', async () => {
+		// Mock data
+		const fakeStream = new EventEmitter();
+		vi.mocked(client.listObjects).mockReturnValue(fakeStream);
+		vi.mocked(client.removeObjects).mockResolvedValue(undefined);
+		vi.mocked(deleteVorgangByToken).mockReturnValueOnce(undefined);
+
+		const responsePromise = DELETE(MockEvent);
+		const fakeCrimeNames = [
+			`${MockEvent.params.vorgang}/file1.glb`,
+			`${MockEvent.params.vorgang}/file2.glb`
+		];
+
+		// simulate data stream
+		fakeStream.emit('data', { name: fakeCrimeNames[0] });
+		fakeStream.emit('data', { name: fakeCrimeNames[1] });
+		fakeStream.emit('end');
+
+		const response = await responsePromise;
+
+		expect(client.removeObjects).toHaveBeenCalledWith(BUCKET, fakeCrimeNames);
+		expect(deleteVorgangByToken).toHaveBeenCalledWith(MockEvent.params.vorgang);
+
+		expect(response.status).toBe(204);
+	});
+});

tests/api/ListVorgangTatort.test.ts

@@ -0,0 +1,98 @@
+import { describe, test, expect, vi } from 'vitest';
+import { DELETE, PUT } from '$root/routes/api/list/[vorgang]/[tatort]/+server';
+import { BUCKET, client } from '$lib/minio';
+import { baseData } from '../fixtures';
+
+// Mock data and methods
+const fakeVorgangToken = `c399423a-ba37-4fe1-bbdf-80e5881168ff`;
+const fakeCrimeOldName = `model-A`;
+const fakeCrimeNewName = 'model-Z';
+const fakeCrimePath = `${fakeVorgangToken}/${fakeCrimeOldName}`;
+const fullFakeCrimePath = `/${BUCKET}/${fakeCrimePath}`;
+const fakeCrimeAPIURL = `http://localhost:5173/api/list/${fakeCrimePath}`;
+
+vi.mock('$lib/minio', () => ({
+	client: {
+		removeObject: vi.fn(),
+		statObject: vi.fn(),
+		copyObject: vi.fn()
+	},
+	BUCKET: 'tatort'
+}));
+
+describe('API-Endpoints: list/[vorgang]/[tatort]', () => {
+	test('Löschen von Tatorten', async () => {
+		const request = new Request(fakeCrimeAPIURL);
+		const locals = { user: baseData.user }
+		const response = await DELETE({ locals, request });
+
+		expect(client.removeObject).toHaveBeenCalledWith(BUCKET, fakeCrimePath);
+
+		expect(response.status).toBe(204);
+		const responseBody = await response.text();
+		expect(responseBody).toBe('');
+	});
+
+	test('Umbennen von Tatorten: Erfolgreich', async () => {
+		const request = new Request(fakeCrimeAPIURL, {
+			method: 'PUT',
+			body: JSON.stringify({
+				oldName: fakeCrimeOldName,
+				newName: fakeCrimeNewName
+			})
+		});
+		const params = { vorgang: fakeVorgangToken };
+		const locals = { user: baseData.user }
+
+		// Mock Datei nicht gefunden
+		client.statObject.mockRejectedValueOnce(new Error('NotFound'));
+
+		const response = await PUT({ locals, params, request });
+
+		const fakeCrimeNewPath = `${fakeVorgangToken}/${fakeCrimeNewName}`;
+		expect(client.statObject).toHaveBeenCalledWith(BUCKET, fakeCrimeNewPath);
+		expect(client.copyObject).toHaveBeenCalledWith(BUCKET, fakeCrimeNewPath, fullFakeCrimePath);
+		expect(client.removeObject).toHaveBeenCalledWith(BUCKET, fakeCrimePath);
+
+		expect(response.status).toBe(200);
+	});
+
+	test('Umbennen von Tatorten: Fehlende(r) Name', async () => {
+		const request = new Request(fakeCrimeAPIURL, {
+			method: 'PUT',
+			body: JSON.stringify({
+				oldName: '',
+				newName: ''
+			})
+		});
+		const locals = { user: baseData.user }
+		const params = { vorgang: fakeVorgangToken };
+
+		const response = await PUT({ locals, params, request });
+		expect(response.status).toBe(400);
+	});
+
+	test('Umbennen von Tatorten: Existierender Name', async () => {
+		const request = new Request(fakeCrimeAPIURL, {
+			method: 'PUT',
+			body: JSON.stringify({
+				oldName: fakeCrimeOldName,
+				newName: fakeCrimeNewName
+			})
+		});
+		const params = { vorgang: fakeVorgangToken };
+		const locals = { user: baseData.user }
+
+		// Datei existiert bereits
+		client.statObject.mockResolvedValueOnce({});
+
+		const response = await PUT({ locals, params, request });
+
+		expect(response.status).toBe(400);
+
+		const fakeCrimeNewPath = `${fakeVorgangToken}/${fakeCrimeNewName}`;
+		expect(client.statObject).toHaveBeenCalledWith(BUCKET, fakeCrimeNewPath);
+		expect(client.copyObject).not.toHaveBeenCalled();
+		expect(client.removeObject).not.toHaveBeenCalled();
+	});
+});

tests/api/User.test.ts

@@ -0,0 +1,40 @@
+import { describe, test, expect } from 'vitest';
+import { GET } from '$root/routes/api/user/+server';
+
+const id = 'admin';
+
+describe('API-Endpoints: User ist Admin', () => {
+	test('User ist Admin', async () => {
+		const admin = true;
+		const event = {
+			locals: {
+				user: { id, admin }
+			}
+		};
+
+		const fakeResult = { admin };
+
+		const response = await GET(event);
+		expect(response.status).toBe(200);
+
+		const json = await response.json();
+		expect(json).toEqual(fakeResult);
+	});
+
+	test('User ist kein Admin', async () => {
+		const admin = false;
+		const event = {
+			locals: {
+				user: { id, admin }
+			}
+		};
+
+		const fakeResult = { admin };
+
+		const response = await GET(event);
+		expect(response.status).toBe(200);
+
+		const json = await response.json();
+		expect(json).toEqual(fakeResult);
+	});
+});

tests/api/Users.test.ts

@@ -0,0 +1,148 @@
+import { describe, test, expect, vi, beforeEach } from 'vitest';
+import { GET, POST } from '$root/routes/api/users/+server';
+import bcrypt from 'bcrypt';
+
+import { addUser, getUsers } from '$lib/server/userService';
+
+vi.mock('$lib/server/userService', () => ({
+	addUser: vi.fn(),
+	getUsers: vi.fn()
+}));
+
+vi.mock('bcrypt', () => ({
+	default: {
+		hashSync: vi.fn()
+	}
+}));
+
+describe('API-Endpoint: Users', () => {
+	// [INFO] Test auf keine User nicht notwendig, da immer min. ein User vorhanden
+
+	// Mock eingelogter User bzw. stelle locals.user zur Verfügung
+	const fakeLoggedInUser = { id: 'admin', admin: true };
+	const mockLocals = {
+		user: fakeLoggedInUser
+	};
+
+	test('Rufe Liste aller User ab', async () => {
+		const fakeLoggedInUser = { id: 'admin', admin: true };
+		const event = {
+			locals: {
+				user: fakeLoggedInUser
+			}
+		};
+
+		const fakeResult = [{ userId: 42, userName: 'admin' }];
+		getUsers.mockReturnValueOnce(fakeResult);
+
+		const response = await GET(event);
+		expect(response.status).toBe(200);
+
+		const json = await response.json();
+		expect(json).toEqual(fakeResult);
+	});
+
+	test('Füge Benutzer hinzu: Erfolgreich', async () => {
+		// Mocke Parameter und Funktionen von Drittparteien
+		const fakeUsersAPIURL = `http://localhost:5173/api/users`;
+		const fakeUserID = 42;
+		const fakeUsername = 'admin';
+		const fakeUserPassword = 'pass-123';
+
+		const mockRequest = new Request(fakeUsersAPIURL, {
+			method: 'POST',
+			body: JSON.stringify({
+				userName: fakeUsername,
+				userPassword: fakeUserPassword
+			})
+		});
+
+		const mockedHash = 'mocked-hash';
+		bcrypt.hashSync.mockReturnValueOnce(mockedHash);
+
+		const mockedRowInfo = {
+			changes: 1,
+			lastInsertRowid: fakeUserID
+		};
+		addUser.mockReturnValueOnce(mockedRowInfo);
+
+		const response = await POST({
+			request: mockRequest,
+			locals: mockLocals
+		});
+
+		expect(response.status).toBe(201);
+
+		const fakeResult = { userId: fakeUserID, userName: fakeUsername };
+		const json = await response.json();
+		expect(json).toEqual(fakeResult);
+
+		expect(addUser).toHaveBeenCalledWith(fakeUsername, mockedHash);
+	});
+
+	test('Füge Benutzer hinzu: Fehlender Name oder Passwort', async () => {
+		// Mocke Parameter und Funktionen von Drittparteien
+		const fakeUsersAPIURL = `http://localhost:5173/api/users`;
+		const fakeUserID = 42;
+		const fakeUsername = '';
+		const fakeUserPassword = '';
+
+		const mockRequest = new Request(fakeUsersAPIURL, {
+			method: 'POST',
+			body: JSON.stringify({
+				userName: fakeUsername,
+				userPassword: fakeUserPassword
+			})
+		});
+
+		const response = await POST({
+			request: mockRequest,
+			locals: mockLocals
+		});
+
+		expect(response.status).toBe(400);
+
+		const errorMessage = { error: 'Missing input' };
+		const json = await response.json();
+		expect(json).toEqual(errorMessage);
+
+		expect(addUser).not.toHaveBeenCalled();
+	});
+
+	test('Füge Benutzer hinzu: Nicht erfolgreich, keine Datenbankänderung', async () => {
+		// Mocke Parameter und Funktionen von Drittparteien
+		const fakeUsersAPIURL = `http://localhost:5173/api/users`;
+		const fakeUserID = 42;
+		const fakeUsername = 'admin';
+		const fakeUserPassword = 'pass-123';
+
+		const mockRequest = new Request(fakeUsersAPIURL, {
+			method: 'POST',
+			body: JSON.stringify({
+				userName: fakeUsername,
+				userPassword: fakeUserPassword
+			})
+		});
+
+		const mockedHash = 'mocked-hash';
+		bcrypt.hashSync.mockReturnValueOnce(mockedHash);
+
+		const mockedRowInfo = {
+			changes: 0,
+			lastInsertRowid: fakeUserID
+		};
+		addUser.mockReturnValueOnce(mockedRowInfo);
+
+		const response = await POST({
+			request: mockRequest,
+			locals: mockLocals
+		});
+
+		expect(response.status).toBe(400);
+
+		const body = await response.text();
+		expect(body).toEqual('');
+
+		expect(addUser).toHaveBeenCalledWith(fakeUsername, mockedHash);
+	});
+});

tests/api/VorgangVorgangPIN.test.ts

@@ -0,0 +1,45 @@
+import { describe, test, expect, vi } from 'vitest';
+import { GET } from '$root/routes/api/vorgang/[vorgang]/vorgangPIN/+server';
+import { db } from '$lib/server/dbService';
+import { baseData } from '../fixtures';
+
+const mockEvent = {
+	params: { vorgang: '123' },
+	locals: { user: baseData.user }
+};
+
+vi.mock('$lib/server/dbService', () => ({
+	db: {
+		prepare: vi.fn()
+	}
+}));
+
+describe('API-Endpoint: Vorgang-PIN', () => {
+	test('Vorgang PIN: Erfolgreich', async () => {
+		// only interested in PIN value
+		const mockPIN = 'pin-123';
+		const mockRow = { pin: mockPIN };
+
+		const getMock = vi.fn().mockReturnValue(mockRow);
+
+		db.prepare.mockReturnValue({ get: getMock });
+		const response = await GET(mockEvent);
+		expect(response.status).toBe(200);
+
+		const body = await response.text();
+		expect(body).toEqual(mockPIN);
+	});
+
+	test('Vorgang PIN: Nicht erfolgreich', async () => {
+		const mockRow = {};
+
+		const getMock = vi.fn().mockReturnValue(mockRow);
+
+		db.prepare.mockReturnValue({ get: getMock });
+		const response = await GET(mockEvent);
+		expect(response.status).toBe(404);
+
+		const body = await response.text();
+		expect(body).toEqual('');
+	});
+});

tests/components/EmptyList.view.test.ts

@@ -0,0 +1,9 @@
+import { render, screen } from '@testing-library/svelte';
+import EmptyList from '$lib/components/EmptyList.svelte'
+import { describe, expect, it } from 'vitest';
+
+describe('Komponente: EmptyList', () => {
+  it('zeigt Hinweistext "Keine Einträge"', () => {
+    render(EmptyList);
+    expect(screen.getByText(/keine Einträge/i)).toBeInTheDocument();  });
+});

tests/components/Footer.test.ts

@@ -0,0 +1,47 @@
+import { render, screen } from '@testing-library/svelte';
+import { describe, test, expect } from 'vitest';
+
+import { ROUTE_NAMES } from '../../src/routes';
+import { baseData } from '../fixtures';
+
+import Footer from '$lib/components/Footer.svelte';
+
+describe('Footer component', () => {
+	test('Enthält Behörden-Name und entsprechenden Link', () => {
+		render(Footer);
+		const linkElement = screen.getByText('Innovation Hub', { exact: false });
+		expect(linkElement).toBeInTheDocument();
+		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.LIST);
+	});
+	test('Enthält Zurück-Button und entsprechenden Link', () => {
+		render(Footer);
+		const linkElement = screen.getByText('back');
+		expect(linkElement).toBeInTheDocument();
+		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
+	});
+	test('Enthält Profil-Icon und entsprechenden Link: angemeldet', () => {
+		render(Footer, { props: { data: baseData } });
+		const linkElement = screen.getByText('admin');
+		expect(linkElement).toBeInTheDocument();
+		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
+
+		// Check for presence of `Profile` component
+		const svg = screen.getByTestId('profile-component');
+		expect(svg).toBeTruthy();
+	});
+	test('Enthält Profil-Icon und entsprechenden Link: nicht angemeldet', () => {
+		const { container } = render(Footer, { props: { data: null } });
+
+		const links = container.querySelectorAll('a');
+		const linkElement = links[2]; // Index starts at 0
+		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
+
+		// User/View does not have any ID
+		const ID_displayElement = screen.queryByText('admin');
+		expect(ID_displayElement).not.toBeInTheDocument();
+
+		// Check for presence of `Profile` component
+		const svg = screen.getByTestId('profile-component');
+		expect(svg).toBeTruthy();
+	});
+});

tests/components/Header.test.ts

@@ -0,0 +1,22 @@
+import { render, screen } from '@testing-library/svelte';
+import { describe, test, expect } from 'vitest';
+
+import { ROUTE_NAMES } from '../../src/routes';
+import { baseData } from '../fixtures';
+
+import Header from '$lib/components/Header.svelte';
+
+describe('Header component', () => {
+	test('Enthält Landeswappen von NDS und entsprechenden Link', () => {
+		render(Header, { props: { data: baseData } });
+		const linkElement = screen.getByText('Tatort Niedersachen').closest('a');
+		expect(linkElement).toBeInTheDocument();
+		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
+	});
+	test('Form enthält korrekten Link', () => {
+		const { container } = render(Header, { props: { data: baseData } });
+		const formElement = container.querySelector('form');
+		expect(formElement).toBeInTheDocument();
+		expect(formElement).toHaveAttribute('action', ROUTE_NAMES.ANMELDUNG_LOGOUT);
+	});
+});

tests/components/NameItemEditor.test.ts

@@ -0,0 +1,142 @@
+import { fireEvent, render, screen } from '@testing-library/svelte';
+import { describe, expect, it, test, vi } from 'vitest';
+import NameItemEditor from '$lib/components/NameItemEditor.svelte';
+import { baseData } from '../fixtures';
+
+const testCrimesListIndex = 0;
+const testItem = baseData.crimesList[testCrimesListIndex];
+const testCurrentName = testItem.name;
+const testLocalName = 'Fall-C';
+
+describe('NameItemEditor - Funktionalität', () => {
+	const onSave = vi.fn();
+	const onDelete = vi.fn();
+	const baseProps = {
+		list: baseData.crimesList,
+		currentName: testCurrentName,
+		onSave,
+		onDelete
+	};
+
+	test.todo('FocusIn nach Klick auf edit');
+
+	it('zeigt initial Edit/Delete Buttons und aktuellen Namen', () => {
+		render(NameItemEditor, { props: baseProps });
+
+		expect(screen.getByTestId('edit-button')).toBeInTheDocument();
+		expect(screen.getByTestId('delete-button')).toBeInTheDocument();
+		expect(screen.queryByTestId('commit-button')).toBeNull();
+		expect(screen.queryByTestId('cancel-button')).toBeNull();
+		expect(screen.getByText(testCurrentName)).toBeInTheDocument();
+	});
+
+	it('wechselt zu Commit/Cancel nach Klick auf Edit', async () => {
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('edit-button'));
+		const input = screen.getByTestId('test-input');
+
+		expect(screen.getByTestId('commit-button')).toBeInTheDocument();
+		expect(screen.getByTestId('cancel-button')).toBeInTheDocument();
+		expect(screen.queryByTestId('edit-button')).toBeNull();
+		expect(screen.queryByTestId('delete-button')).toBeNull();
+		expect(screen.getAllByRole('textbox')).toHaveLength(1);
+		expect(input).toHaveValue(testCurrentName);
+	});
+
+	it('zeigt Fehlermeldung bei leerem Namen', async () => {
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('edit-button'));
+
+		const input = screen.getByTestId('test-input');
+		await fireEvent.input(input, { target: { value: '' } });
+
+		expect(screen.getByText('Name darf nicht leer sein.')).toBeInTheDocument();
+		expect(onSave).not.toHaveBeenCalled();
+	});
+
+	it('entfernt Fehlermeldung live beim nächsten gültigen Tastendruck', async () => {
+		render(NameItemEditor, {
+			props: {
+				list: baseData.crimesList,
+				currentName: baseData.crimesList[0].name,
+				onSave: vi.fn(),
+				onDelete: vi.fn()
+			}
+		});
+
+		await fireEvent.click(screen.getByTestId('edit-button'));
+		const input = screen.getByTestId('test-input');
+
+		await fireEvent.input(input, { target: { value: '' } });
+		expect(screen.getByText('Name darf nicht leer sein.')).toBeInTheDocument();
+
+		await fireEvent.input(input, { target: { value: 'Fall-C' } });
+
+		expect(screen.queryByText('Name darf nicht leer sein.')).toBeNull();
+	});
+
+	it('zeigt Fehlermeldung bei Duplikat', async () => {
+		const duplicateName = baseData.crimesList[1].name;
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('edit-button'));
+
+		const input = screen.getByTestId('test-input');
+		await fireEvent.input(input, { target: { value: duplicateName } });
+
+		expect(screen.getByText('Name existiert bereits.')).toBeInTheDocument();
+		expect(onSave).not.toHaveBeenCalled();
+	});
+
+	it('ruft onSave korrekt auf bei gültigem Namen: Tatort/Crime', async () => {
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('edit-button'));
+
+		const input = screen.getByTestId('test-input');
+		await fireEvent.input(input, { target: { value: testLocalName } });
+		await fireEvent.click(screen.getByTestId('commit-button'));
+
+		expect(onSave).toHaveBeenCalledWith(testLocalName, testCurrentName, undefined);
+	});
+
+	it('ruft onDelete korrekt auf', async () => {
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('delete-button'));
+
+		expect(onDelete).toHaveBeenCalledWith(testCurrentName);
+	});
+
+	it('setzt Zustand zurück bei Cancel', async () => {
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('edit-button'));
+
+		const input = screen.getByTestId('test-input');
+		await fireEvent.input(input, { target: { value: 'Zwischentext' } });
+		await fireEvent.click(screen.getByTestId('cancel-button'));
+
+		expect(screen.getByText(testCurrentName)).toBeInTheDocument();
+		expect(screen.getByTestId('edit-button')).toBeInTheDocument();
+	});
+
+	it('triggert Save bei Enter-Taste: Tatort/Crime', async () => {
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('edit-button'));
+
+		const input = screen.getByTestId('test-input');
+		await fireEvent.input(input, { target: { value: 'ViaEnter' } });
+		await fireEvent.keyDown(input, { key: 'Enter' });
+
+		expect(onSave).toHaveBeenCalledWith('ViaEnter', testCurrentName, undefined);
+	});
+
+	it('bricht ab bei Escape-Taste', async () => {
+		render(NameItemEditor, { props: baseProps });
+		await fireEvent.click(screen.getByTestId('edit-button'));
+
+		const input = screen.getByTestId('test-input');
+		await fireEvent.input(input, { target: { value: 'Zwischentext' } });
+		await fireEvent.keyDown(input, { key: 'Escape' });
+
+		expect(screen.getByText(testCurrentName)).toBeInTheDocument();
+		expect(onSave).not.toHaveBeenCalled();
+	});
+});

tests/fixtures.ts

@@ -0,0 +1,53 @@
+const testUser = {
+	admin: true,
+	exp: 1757067123,
+	iat: 1757063523,
+	id: 'admin'
+};
+const testCrimesList = [
+	{
+		name: 'Fall-A',
+		lastModified: '2025-08-28T09:44:12.453Z',
+		etag: '558f35716f6af953f9bb5d75f6d77e6a',
+		size: 8947140,
+		prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
+		show_button: true
+	},
+	{
+		name: 'Fall-B',
+		lastModified: '2025-08-28T10:37:20.142Z',
+		etag: '43e3989c32c4682bee407baaf83b6fa0',
+		size: 35788560,
+		prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
+		show_button: true
+	}
+];
+
+const testVorgangsList = [
+	{
+		vorgangName: 'vorgang-1',
+		vorgangPIN: 'pin-123',
+		vorgangToken: 'c322f26f-8c5e-4cb9-94b3-b5433bf5109e'
+	},
+	{
+		vorgangName: 'vorgang-2',
+		vorgangPIN: 'pin-2',
+		vorgangToken: 'cb0051bc-5f38-47b8-943c-9352d4d9c984'
+	}
+];
+
+export const baseData = {
+	user: testUser,
+	vorgang: testVorgangsList[0],
+	vorgangList: testVorgangsList,
+	crimesList: testCrimesList,
+	url: `https://example.com/list/${testVorgangsList[0].vorgangToken}`,
+	crimeNames: ['modell-A', 'Fall-A']
+};
+
+export const mockEvent = {
+	locals: {
+		user: baseData.user
+	},
+	url: new URL(`https://example.com/anmeldung`)
+};

tests/views/Anmeldung.test.ts

@@ -0,0 +1,143 @@
+import { describe, it, expect, vi } from 'vitest';
+// import { actions } from '$root/routes/anmeldung/+page.server';
+// import { load } from '$root/routes/(token-based)/+layout.server'
+import { actions } from '../../src/routes/anmeldung/+page.server';
+import { load } from '../../src/routes/(token-based)/+layout.server';
+
+import { baseData } from '../fixtures';
+import { ROUTE_NAMES } from '../../src/routes';
+import { dev } from '$app/environment';
+import { vorgangExists, vorgangPINValidation } from '$lib/server/vorgangService';
+import type { Redirect } from '@sveltejs/kit';
+
+vi.mock('$lib/server/vorgangService', () => ({
+	vorgangExists: vi.fn(),
+	vorgangPINValidation: vi.fn()
+}));
+
+describe('Vorgang Anzeige via Token', () => {
+	it('Setze Cookie nach erfolgreicher Eingabe', async () => {
+		// Mock formData
+		const vorgObj = baseData.vorgang;
+
+		const formData = new FormData();
+		formData.set('vorgang-token', vorgObj.vorgangToken);
+		formData.set('vorgang-pin', vorgObj.vorgangPIN);
+
+		const mockRequest = {
+			formData: vi.fn().mockResolvedValue(formData)
+		};
+		vi.mocked(vorgangPINValidation).mockReturnValueOnce(true);
+
+		const cookiesSet = vi.fn();
+
+		const event = {
+			request: mockRequest,
+			cookies: {
+				set: cookiesSet
+			}
+		};
+
+		let thrownRedirect: Redirect | undefined;
+		try {
+			await actions.default(event);
+		} catch (e) {
+			thrownRedirect = e as Redirect;
+		}
+
+		// Redirect bei erfolgreicher Eingabe
+		expect(thrownRedirect?.status).toBe(303);
+		expect(thrownRedirect?.location).toBe(ROUTE_NAMES.VORGANG(vorgObj.vorgangToken));
+
+		// Cookie wurde gesetzt
+		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
+		expect(cookiesSet).toHaveBeenCalledWith(COOKIE_NAME, vorgObj.vorgangPIN, {
+			path: '/',
+			httpOnly: true,
+			sameSite: 'strict',
+			secure: !dev
+		});
+	});
+
+	it('Schlägt fehl wenn keine Daten übergeben werden', async () => {
+		const formData = new FormData(); // no data
+		const mockRequest = {
+			formData: vi.fn().mockResolvedValue(formData)
+		};
+		const cookiesSet = vi.fn();
+		const event = {
+			request: mockRequest,
+			cookies: {
+				set: cookiesSet
+			}
+		};
+		const result = await actions.default(event);
+		expect(result.status).toBe(400);
+		expect(result.data.message).toMatch(/PIN eingeben/i);
+		// Cookie wird nicht gesetzt
+		expect(cookiesSet).not.toHaveBeenCalled();
+	});
+	it.todo('Überprüfe was passiert, wenn Eingabe falsch, bzw. nicht im System passend gefunden');
+});
+
+describe('Teste Guard', () => {
+	it('Lese Cookie aus', async () => {
+		const vorgObj = baseData.vorgang;
+
+		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
+		const cookiesGet = vi.fn().mockImplementation((key: string) => {
+			if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
+			return undefined;
+		});
+
+		// mocked objects
+		const event = {
+			cookies: {
+				get: cookiesGet
+			},
+			locals: {},
+			params: { vorgang: vorgObj.vorgangToken }
+		};
+		vi.mocked(vorgangExists).mockReturnValueOnce(true);
+		vi.mocked(vorgangPINValidation).mockReturnValueOnce(true);
+
+		await load(event);
+
+		expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
+	});
+
+	it('Kein Cookie gesetzt', async () => {
+		const vorgObj = baseData.vorgang;
+
+		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
+		const cookiesGet = vi.fn().mockImplementation((key: string) => {
+			if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
+			return undefined;
+		});
+
+		// mocked objects
+		const event = {
+			cookies: {
+				get: cookiesGet
+			},
+			locals: {},
+			params: { vorgang: vorgObj.vorgangToken }
+		};
+		vi.mocked(vorgangExists).mockReturnValueOnce(true);
+		vi.mocked(vorgangPINValidation).mockReturnValueOnce(false);
+
+		let thrownRedirect;
+		try {
+			await load(event);
+			throw new Error('Function did not throw');
+		} catch (e) {
+			thrownRedirect = e;
+		}
+		expect(thrownRedirect?.status).toBe(303);
+		expect(thrownRedirect?.location).toBe(
+			ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgObj.vorgangToken)
+		);
+
+		expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
+	});
+});

tests/views/Home.view.test.ts

@@ -0,0 +1,23 @@
+import { render, screen } from '@testing-library/svelte';
+import { describe, expect, it } from 'vitest';
+
+import HomePage from '$root/routes/(angemeldet)/+page.svelte';
+
+import { ROUTE_NAMES } from '../../src/routes';
+import { baseData } from '../fixtures';
+
+describe('Home-Page View', () => {
+	it('Überprüfe Links', () => {
+		render(HomePage, { props: { data: baseData } });
+		let linkElement = screen.getByText('Vorgänge');
+		expect(linkElement).toBeInTheDocument();
+		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.LIST);
+
+		linkElement = screen.queryByText('Hinzufügen');
+		expect(linkElement).not.toBeInTheDocument();
+
+		linkElement = screen.getByText('Benutzerverwaltung');
+		expect(linkElement).toBeInTheDocument();
+		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.USERMGMT);
+	});
+});

tests/views/Layout.test.ts

@@ -0,0 +1,24 @@
+import { describe, test, expect } from 'vitest';
+import { load } from '$root/routes/(angemeldet)/+layout.server';
+import { ROUTE_NAMES } from '../../src/routes';
+import { baseData, mockEvent } from '../fixtures';
+
+describe('+layout.server load(): Teste korrekte URL', () => {
+	test('Werfe keinen Redirect und gebe nichts zurück', async () => {
+		const mockEvent = {
+			locals: {
+				user: null
+			},
+			url: new URL(`https://example.com/not-anmeldung`)
+		};
+		const res = load(mockEvent);
+		expect(res).toBe(undefined);
+	});
+});
+
+describe('+layout.server load(): Teste erfolgreichen Pfad', () => {
+	test('Werfe kein Fehler', async () => {
+		const result = load(mockEvent);
+		expect(result).toEqual({ user: baseData.user });
+	});
+});

tests/views/TatortList.test.ts

@@ -0,0 +1,139 @@
+import { render, fireEvent, screen, within } from '@testing-library/svelte';
+import { describe, it, expect, vi, test } from 'vitest';
+import * as nav from '$app/navigation';
+import TatortListPage from '$root/routes/(token-based)/list/[vorgang]/+page.svelte';
+import { baseData } from '../fixtures';
+import { tick } from 'svelte';
+import { API_ROUTES } from '../../src/routes';
+
+vi.spyOn(nav, 'invalidateAll').mockResolvedValue();
+global.fetch = vi.fn().mockResolvedValue({ ok: true });
+
+async function clickPlusButton() {
+  // mock animation features of the browser
+
+  window.HTMLElement.prototype.scrollIntoView = vi.fn();
+  window.HTMLElement.prototype.animate = vi.fn(() => ({
+    finished: Promise.resolve(),
+    cancel: vi.fn(),
+  }))
+
+  // button is visible
+  const button = screen.getByRole('button', { name: /add item/i })
+  expect(button).toBeInTheDocument();
+
+  await fireEvent.click(button)
+}
+
+describe('Seite: Vorgangsansicht', () => {
+  test.todo('Share Link disabled wenn Liste leer');
+  describe('Szenario: Admin + Liste gefüllt - Funktionalität', () => {
+    test.todo('Share Link Link generierung richtig');
+
+    it('führt PUT-Request aus und aktualisiert UI nach onSave', async () => {
+      const data = structuredClone(baseData);
+      const oldName = data.crimesList[0].name;
+      const newName = 'Fall-C';
+
+      render(TatortListPage, { props: { data } });
+      const listItem = screen.getAllByTestId('test-list-item')[0];
+      expect(listItem).toHaveTextContent(oldName);
+
+      await fireEvent.click(within(listItem).getByTestId('edit-button'));
+      const input = within(listItem).getByTestId('test-input');
+      await fireEvent.input(input, { target: { value: newName } });
+
+      await fireEvent.click(within(listItem).getByTestId('commit-button'));
+      await tick();
+
+      expect(global.fetch).toHaveBeenCalledWith(
+        `/api/list/${data.vorgang.vorgangToken}/${oldName}`,
+        expect.objectContaining({
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            vorgangToken: data.vorgang.vorgangToken,
+            oldName,
+            newName
+          })
+        })
+      );
+
+      expect(nav.invalidateAll).toHaveBeenCalled();
+      expect(within(listItem).getByText(newName)).toBeInTheDocument();
+    });
+
+    it('führt DELETE-Request aus und entfernt Element aus UI', async () => {
+      const testData = structuredClone(baseData);
+      const oldName = testData.crimesList[0].name;
+      const vorgang = testData.vorgang;
+
+      render(TatortListPage, { props: { data: testData } });
+      const initialItems = screen.getAllByTestId('test-list-item');
+      expect(initialItems).toHaveLength(testData.crimesList.length);
+
+      const listItem = screen.getAllByTestId('test-list-item')[0];
+      expect(listItem).toHaveTextContent(oldName);
+      const del = within(listItem).getByTestId('delete-button');
+      expect(del).toBeInTheDocument()
+      await fireEvent.click(within(listItem).getByTestId('delete-button'));
+      await tick();
+
+      let expectedPath = API_ROUTES.CRIME(vorgang.vorgangToken, oldName)
+      expect(global.fetch).toHaveBeenCalledWith(
+        expectedPath,
+        expect.objectContaining({
+         method: 'DELETE',
+         headers: { 'Content-Type': 'application/json' },
+         body: JSON.stringify({
+           vorgangToken: testData.vorgang.vorgangToken,
+           tatort: oldName
+         })
+        })
+      );
+      expect(nav.invalidateAll).toHaveBeenCalled();
+      const updatedItems = screen.queryAllByTestId('test-list-item');
+      expect(updatedItems).toHaveLength(testData.crimesList.length - 1);
+      expect(screen.queryByText(oldName)).toBeNull();
+    });
+  });
+});
+
+
+describe('Hinzufügen Button', () => {
+  it('Unexpandierter Button', () => {
+    const testData = { ...baseData, vorgangList: [] };
+    const { getByTestId } = render(TatortListPage, { props: { data: testData } });
+
+    const container = getByTestId('expand-container')
+    expect(container).toBeInTheDocument();
+
+    // button is visible
+    const button = within(container).getByRole('button')
+    expect(button).toBeInTheDocument();
+
+    // input fields are not visible
+    let label = screen.queryByText('Modellname');
+    expect(label).not.toBeInTheDocument();
+  });
+
+  it('Expandierter Button nach Klick', async () => {
+
+    const testData = { ...baseData, vorgangList: [] };
+    render(TatortListPage, { props: { data: testData } });
+
+    await clickPlusButton();
+
+    // input fields are visible
+    let label = screen.queryByText('Modellname');
+    expect(label).toBeInTheDocument();
+  });
+
+  it.todo('Check Validation: missing name', async () => {
+    console.log(`test: input field validation`);
+  });
+
+  it.todo('Create Tatort successful', async () => {
+    console.log(`test: tatort upload`);
+  });
+});

tests/views/TatortList.view.test.ts

@@ -0,0 +1,115 @@
+import { render, screen, within } from '@testing-library/svelte';
+import { describe, expect, it, test } from 'vitest';
+import TatortListPage from '$root/routes/(token-based)/list/[vorgang]/+page.svelte';
+import { baseData } from '../fixtures';
+import { ROUTE_NAMES } from '../../src/routes';
+
+describe('Seite: Vorgangsansicht', () => {
+	test.todo('zeigt PIN und Share-Link, wenn Admin');
+	test.todo('zeigt PIN und Share-Link disabeld, wenn Liste leer');
+
+	describe('Szenario: Liste leer (unabhängig von Rolle)', () => {
+		it('zeigt Hinweistext bei leerer Liste', () => {
+			const testData = { ...baseData, crimesList: [] };
+			const { getByTestId } = render(TatortListPage, { props: { data: testData } });
+
+			expect(getByTestId('empty-list')).toBeInTheDocument();
+		});
+
+		it('zeigt keinen Listeneintrag', () => {
+			const items = screen.queryAllByTestId('test-list-item');
+
+			expect(items).toHaveLength(0);
+		});
+	});
+
+	describe('Szenario: Liste gefüllt (unabhängig von Rolle)', () => {
+		it('rendert mindestens ein Listenelement bei vorhandenen crimesList-Daten', () => {
+			const testData = { ...baseData };
+			const { queryAllByTestId } = render(TatortListPage, { props: { data: testData } });
+			const items = queryAllByTestId('test-list-item');
+
+			expect(items.length).toBeGreaterThan(0);
+		});
+
+		it('zeigt für jeden Eintrag einen Link', () => {
+			const testData = { ...baseData };
+			render(TatortListPage, { props: { data: testData } });
+			const links = screen.queryAllByTestId('crime-link');
+
+			expect(links).toHaveLength(testData.crimesList.length);
+		});
+
+		it('prüft href und title jedes Links', () => {
+			const testData = { ...baseData };
+			const { queryAllByTestId } = render(TatortListPage, { props: { data: testData } });
+			const items = queryAllByTestId('test-list-item');
+
+			items.forEach((item, i) => {
+				const link = within(item).getByRole('link');
+				const expectedHref = ROUTE_NAMES.CRIME(testData.vorgang.vorgangToken, testData.crimesList[i].name, testData.vorgang.vorgangPIN);
+
+				expect(link).toBeInTheDocument();
+				expect(link).toHaveAttribute('href', expectedHref);
+				expect(link).toHaveAttribute('title', testData.crimesList[i].name);
+			});
+		});
+
+		test.todo('testet zuletzt angezeigt, wenn item.lastModified');
+		test.todo('zeigt Dateigröße, wenn item.size vorhanden ist');
+	});
+
+	describe('Szenario: Admin + Liste gefüllt', () => {
+		const testData = { ...baseData, user: { ...baseData.user, admin: true } };
+		it('zeigt Listeneinträge mit Komponente NameItemEditor', () => {
+			const { getAllByTestId } = render(TatortListPage, { props: { data: testData } });
+			const items = getAllByTestId('test-nameItemEditor');
+
+			expect(items.length).toBeGreaterThan(0);
+		});
+
+		test.todo('Modal testen, wenn open');
+	});
+
+	describe('Szenario: Viewer + Liste gefüllt', () => {
+		const testData = { ...baseData, user: { ...baseData.user, admin: false } };
+		it('zeigt Listeneinträge mit p', () => {
+			render(TatortListPage, { props: { data: testData } });
+			const paragraphs = screen.queryAllByTestId('test-nameItem-p');
+
+			expect(paragraphs).toHaveLength(testData.crimesList.length);
+			paragraphs.forEach((p, i) => {
+				expect(p).toHaveTextContent(testData.crimesList[i].name);
+			});
+		});
+
+		test.todo('zeigt keinen Share-Link oder PIN');
+	});
+
+	describe('Teste Links auf Korrektheit', () => {
+		it('Überprüfe Links', () => {
+			const crimesListOneItem = baseData.crimesList.slice(0, 1);
+			const crimeObj = crimesListOneItem[0];
+			const vorgObj = baseData.vorgangList[0]
+			const expectedURL = ROUTE_NAMES.CRIME(vorgObj.vorgangToken, crimeObj.name, vorgObj.vorgangPIN)
+
+			render(TatortListPage, { props: { data: { ...baseData, crimesList: crimesListOneItem } } });
+			const listItem = screen.getByTestId("test-list-item");
+			const linkElement = within(listItem).getByRole('link');
+			expect(linkElement).toBeInTheDocument();
+			expect(linkElement).toHaveAttribute('href', expectedURL);
+		});
+	});
+
+	describe('PIN Anzeige & Button', () => {
+		it('Teste korrekte Anzeige von PIN Komponente', () => {
+			const testData = { ...baseData};
+			render(TatortListPage, { props: { data: testData } });
+			const vorgObj = baseData.vorgangList[0]
+
+			// PIN is being displayed within ´NameItemEditor´
+			let label = screen.queryByText(vorgObj.vorgangPIN);
+			expect(label).toBeInTheDocument();
+		});
+	});
+});

tests/views/VorgangList.view.test.ts

@@ -0,0 +1,184 @@
+import { render, fireEvent, screen, within } from '@testing-library/svelte';
+import { describe, expect, it, vi } from 'vitest';
+import VorgangListPage from '$root/routes/(angemeldet)/list/+page.svelte';
+import { baseData } from '../fixtures';
+import { ROUTE_NAMES } from '../../src/routes';
+import { actions } from '../../src/routes/(angemeldet)/list/+page.server';
+import { createVorgang } from '$lib/server/vorgangService';
+
+// mock animation features of the browser
+
+window.HTMLElement.prototype.scrollIntoView = vi.fn();
+window.HTMLElement.prototype.animate = vi.fn(() => ({
+	finished: Promise.resolve(),
+													cancel: vi.fn(),
+}))
+
+describe('Vorgänge Liste Page EmptyList-Komponente View', () => {
+	it('zeigt EmptyList-Komponente an, wenn Liste leer ist', () => {
+		const testData = { ...baseData, vorgangList: [] };
+		const { getByTestId } = render(VorgangListPage, { props: { data: testData } });
+
+		expect(getByTestId('empty-list')).toBeInTheDocument();
+	});
+
+	it('zeigt Liste(mockData 2 Elemente) an, wenn Liste vorhanden ist', () => {
+		const testData = { ...baseData };
+		const { getAllByTestId } = render(VorgangListPage, { props: { data: testData } });
+		const items = getAllByTestId('test-list-item');
+
+		expect(items.length).toBeGreaterThan(0);
+	});
+});
+
+describe('Teste Links auf Korrektheit', () => {
+	it('Überprüfe Links', () => {
+		const vorgListOneItem = baseData.vorgangList.slice(0, 1);
+		const vorgObj = vorgListOneItem[0];
+		const expectedURL = ROUTE_NAMES.VORGANG(vorgObj.vorgangToken, vorgObj.vorgangPIN)
+
+		render(VorgangListPage, { props: { data: { ...baseData, vorgangList: vorgListOneItem } } });
+		const listItem = screen.getByTestId("test-list-item");
+		const linkElement = within(listItem).getByRole('link');
+		expect(linkElement).toBeInTheDocument();
+		expect(linkElement).toHaveAttribute('href', expectedURL);
+	});
+
+	it('Links enthalten keinen VorgangsPIN', () => {
+		const vorgListOneItem = baseData.vorgangList.slice(0, 1)
+
+		render(VorgangListPage, { props: { data: { ...baseData, vorgangList: vorgListOneItem } } });
+		const listItem = screen.getByTestId("test-list-item");
+		const linkElement = within(listItem).getByRole('link');
+		expect(linkElement.getAttribute('href')?.toLowerCase()).not.toContain('pin');
+	});
+});
+
+async function clickPlusButton() {
+	// button is visible
+	const button = screen.getByTestId('expand-button')
+	expect(button).toBeInTheDocument();
+
+	await fireEvent.click(button)
+}
+
+async function inputVorgang() {
+	const input = document.getElementById("vorgang");
+	input.value = 'test-vorgang';
+	// firing the event manually for Svelte
+	await fireEvent.input(input)
+
+	expect(input).toHaveValue('test-vorgang');
+}
+
+async function inputVorgangPIN() {
+	const input = document.getElementById("pin");
+	input.value = 'test-pin';
+	// firing the event manually for Svelte
+	await fireEvent.input(input)
+
+	expect(input).toHaveValue('test-pin');
+}
+
+
+describe('Hinzufügen Buton', () => {
+	it('Unexpandierter Button', () => {
+		const testData = { ...baseData, vorgangList: [] };
+		const { getByTestId } = render(VorgangListPage, { props: { data: testData } });
+
+		const container = getByTestId('expand-container')
+		expect(container).toBeInTheDocument();
+
+		// button is visible
+		const button = within(container).getByRole('button')
+		expect(button).toBeInTheDocument();
+
+		// input fields are not visible
+		let label = screen.queryByText('Vorgangsname');
+		expect(label).not.toBeInTheDocument();
+	});
+
+	it('Expandierter Button nach Klick', async () => {
+
+		const testData = { ...baseData, vorgangList: [] };
+		render(VorgangListPage, { props: { data: testData } });
+
+		await clickPlusButton()
+
+		// input fields are visible
+		let label = screen.queryByText('Vorgangsname');
+		expect(label).toBeInTheDocument();
+	});
+
+	it('Check Validation: missing PIN', async () => {
+
+		const testData = { ...baseData, vorgangList: [] };
+		render(VorgangListPage, { props: { data: testData } });
+
+		await clickPlusButton()
+
+		// input
+		inputVorgang();
+
+		// submit
+		const button = screen.getByText('Neuen Vorgang hinzufügen')
+		expect(button).toBeInTheDocument()
+		await fireEvent.click(button);
+		const errorMsg = 'Bitte einen Vorgangs-PIN eingeben.';
+		let para = await screen.getByText(errorMsg);
+		expect(para).toBeInTheDocument();
+	});
+
+	it('Create Vorgang successful', async () => {
+
+		const testData = { ...baseData, vorgangList: [] };
+		render(VorgangListPage, { props: { data: testData } });
+
+		await clickPlusButton();
+
+		// input fields are visible
+		let label = screen.queryByText('Vorgangsname');
+		expect(label).toBeInTheDocument();
+
+		inputVorgang();
+		inputVorgangPIN();
+
+		// emulate button click
+		const button = screen.getByText('Neuen Vorgang hinzufügen');
+		expect(button).toBeInTheDocument();
+		await fireEvent.click(button);
+
+		// no error message
+		label = screen.queryByText('Bitte');
+		expect(label).not.toBeInTheDocument();
+	});
+
+	it('Test default action', async () => {
+		vi.mock('$lib/server/vorgangService', () => ({
+			createVorgang: vi.fn(),
+		}));
+
+		const formData = new FormData(); // no data as we are mocking createVorgang
+		const mockRequest = {
+			formData: vi.fn().mockResolvedValue(formData)
+		};
+		const event = {
+			request: mockRequest,
+		};
+
+		const testVorgangToken = 'c322f26f-8c5e-4cb9-94b3-b5433bf5109e'
+		vi.mocked(createVorgang).mockReturnValueOnce(testVorgangToken);
+		const result = await actions.default(event);
+		expect(result).toEqual({ token: testVorgangToken });
+	});
+});
+
+describe('Vorgang-Operationen', () => {
+	it('Teste korrekte Anzeige von Vorgang-Input Komponente', () => {
+		const testData = { ...baseData};
+		const { getAllByTestId } = render(VorgangListPage, { props: { data: testData } });
+
+		let buttons = getAllByTestId('edit-button')
+		expect(buttons.length).toBeGreaterThan(1);
+	});
+});

vite.config.ts

@@ -1,19 +1,38 @@
 import { svelteTesting } from '@testing-library/svelte/vite';
 import { sveltekit } from '@sveltejs/kit/vite';
+import path from 'path';
 import { defineConfig } from 'vite';
 
 export default defineConfig({
 	plugins: [sveltekit()],
+	resolve: {
+		alias: {
+			$lib: path.resolve('./src/lib'),
+			$root: path.resolve(__dirname, './src')
+		}
+	},
 	test: {
-		workspace: [
+		projects: [
 			{
 				extends: './vite.config.ts',
 				plugins: [svelteTesting()],
 				test: {
-					name: 'client',
+					name: 'business-logic and API',
 					environment: 'jsdom',
 					clearMocks: true,
-					include: ['src/**/*.svelte.{test,spec}.{js,ts}'],
+					include: ['tests/**/*.{test,spec}.{js,ts}', 'src/**/*.svelte.{test,spec}.{js,ts}'],
+					exclude: ['src/lib/server/**', 'tests/**/*.view.{test,spec}.{js,ts}'],
+					setupFiles: ['./vitest-setup-client.ts']
+				}
+			},
+						{
+				extends: './vite.config.ts',
+				plugins: [svelteTesting()],
+				test: {
+					name: 'client-view',
+					environment: 'jsdom',
+					clearMocks: true,
+					include: ['tests/**/*.view.{test,spec}.{js,ts}', 'src/**/*.view.svelte.{test,spec}.{js,ts}'],
 					exclude: ['src/lib/server/**'],
 					setupFiles: ['./vitest-setup-client.ts']
 				}