Merge pull request 'b999_chrome_file_upload' (#47 ) from b999_chrome_file_upload into development

Reviewed-on: #47
add .GLD file verification for drag and drop
2025-12-16 13:24:37 +01:00 · 2025-12-16 13:20:18 +01:00 · 2025-12-16 12:54:28 +01:00 · 2025-12-16 09:43:49 +01:00 · 2025-12-16 09:23:22 +01:00 · 2025-12-15 12:19:11 +01:00
77 changed files with 3939 additions and 1785 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,8 @@ test-results
 node_modules
 config.json
 src/lib/data/tatort.db
 # Output
 .output
 .vercel
@@ -23,3 +25,6 @@ Thumbs.db
 # Vite
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
 # Jetbrains
 /.idea
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -8,11 +8,10 @@ RUN npm i --unsafe-perm
 COPY . ./
 COPY config_dev.json ./config.json
 RUN npm run build
 RUN npm run init-db
 # --- Production stage ---
 FROM node:24-alpine
 COPY --from=build /app .
 ENV HOST=0.0.0.0
 EXPOSE 3000
-CMD ["sh", "-c", "ORIGIN=https://tatort-dev.innovation-hub-niedersachsen.de node build/index.js"]
+CMD ["sh", "-c", "npm run init-db && ORIGIN=https://tatort-dev.innovation-hub-niedersachsen.de node build/index.js"]
--- a/Dockerfile.prod
+++ b/Dockerfile.prod
@@ -1,7 +1,5 @@
 # --- Build stage ---
 FROM node:22 AS build
 ENV NODE_ENV=production
 ENV ORIGIN=https://tatort.innovation-hub-niedersachsen.de
 WORKDIR /app
 COPY package*.json ./
 RUN npm ci
@@ -11,7 +9,13 @@ RUN npm run build
 # --- Production stage ---
 FROM node:22-alpine3.20
-COPY --from=build /app .
+WORKDIR /app
 ENV NODE_ENV=production
 ENV ORIGIN=https://tatort.innovation-hub-niedersachsen.de
 COPY --from=build /app/build ./build
 COPY --from=build /app/package*.json ./
 COPY --from=build /app/config.json ./config.json
 RUN npm ci --omit=dev
 ENV HOST=0.0.0.0
 EXPOSE 3000
-CMD ["sh", "-c", "ORIGIN=https://tatort.innovation-hub-niedersachsen.de node build/index.js"]
+CMD ["node", "build/index.js"]
--- a/8
+++ b/8
@@ -57,7 +57,7 @@ pipeline {
            }
        }
-        stage('Test & Security Audit') {
+        stage('Security Audit') {
            steps {
                script {
                    didRun = true
@@ -67,6 +67,12 @@ pipeline {
            }
        }
        stage('Run Tests') {
            steps {
                sh 'npm run test'
            }
        }
        stage('SonarQube Analysis') {
            steps {
                withSonarQubeEnv('sonarqube') {
--- a/config.json
+++ b/config.json
@@ -1,10 +1,10 @@
 {
 	"minio": {
-		"endPoint": "sws3.innovation-hub-niedersachsen.de",
+		"endPoint": "api-s3.innovation-hub-niedersachsen.de",
 		"port": 443,
 		"useSSL": true,
-		"accessKey": "wjpKrmaqXra99rX3D61H",
+		"accessKey": "AbCdEfGhIjKlMnOpQrSt",
-		"secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
+		"secretKey": "UvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWx"
 	},
 	"jwt": {
 		"secret": "@S2!q@@wXz$dCQ8JoVsHLpzaJ6JCfB",
--- a/config_dev.json
+++ b/config_dev.json
@@ -1,10 +1,10 @@
 {
 	"minio": {
-		"endPoint": "sws3.innovation-hub-niedersachsen.de",
+		"endPoint": "api-s3.innovation-hub-niedersachsen.de",
 		"port": 443,
 		"useSSL": true,
-		"accessKey": "wjpKrmaqXra99rX3D61H",
+		"accessKey": "AbCdEfGhIjKlMnOpQrSt",
-		"secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
+		"secretKey": "UvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWx"
 	},
 	"jwt": {
 		"secret": "@S2!q@@wXz$dCQ8JoVsHLpzaJ6JCfB",
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -13,7 +13,7 @@
 		"format": "prettier --write .",
 		"lint": "prettier --check . && eslint .",
 		"test:unit": "vitest",
-		"test": "npm run test:unit -- --run && npm run test:e2e",
+		"test": "npm run test:unit -- --run",
 		"init-db": "tsx ./src/init/init_db.ts"
 	},
 	"devDependencies": {
@@ -22,7 +22,7 @@
 		"@sveltejs/adapter-auto": "^4.0.0",
 		"@sveltejs/kit": "^2.21.3",
 		"@sveltejs/vite-plugin-svelte": "^5.1.0",
-		"@testing-library/jest-dom": "^6.6.3",
+		"@testing-library/jest-dom": "^6.8.0",
 		"@testing-library/svelte": "^5.2.8",
 		"@tsconfig/svelte": "^5.0.4",
 		"@types/better-sqlite3": "^7.6.13",
@@ -40,16 +40,16 @@
 		"typescript": "^5.8.3",
 		"typescript-eslint": "^8.34.0",
 		"vite": "^6.3.5",
-		"vitest": "^3.2.3"
+		"vitest": "^3.2.4"
 	},
 	"dependencies": {
 		"@google/model-viewer": "^4.1.0",
 		"@sveltejs/adapter-node": "^5.2.12",
 		"@tailwindcss/forms": "^0.5.10",
 		"autoprefixer": "^10.4.21",
 		"bcrypt": "^6.0.0",
 		"better-sqlite3": "^12.2.0",
 		"jsonwebtoken": "^9.0.2",
 		"jssha": "^3.3.1",
 		"minio": "^8.0.5",
 		"postcss": "^8.5.4",
 		"sqlite3": "^5.1.7",
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -1,5 +1,7 @@
 import { decryptToken } from '$lib/auth';
 import type { Handle } from '@sveltejs/kit';
 import { ROUTE_NAMES } from './routes';
 export const handle: Handle = async ({ event, resolve }) => {
 	const jwt = event.cookies.get('session');
@@ -9,8 +11,18 @@ export const handle: Handle = async ({ event, resolve }) => {
 			return resolve(event);
 		}
 	} catch (_) {
-		event.cookies.delete('session', {path: '/'});
+		event.cookies.delete('session', {path: ROUTE_NAMES.ROOT});
 		event.locals.user = null;
 	}
 	if (event.url.pathname.startsWith('/api')) {
 		if (!event.locals.user) {
 			return new Response(JSON.stringify({ error: 'Unauthorized' }), {
 				status: 401,
 				headers: { 'Content-Type': 'application/json' }
 			});
 		}
 	}
 	return await resolve(event);
 }
--- a/src/index.<SKIP>test.js
+++ b/src/index.<SKIP>test.js
--- a/src/init/init_db.ts
+++ b/src/init/init_db.ts
@@ -1,17 +1,27 @@
 import Database from 'better-sqlite3';
-import jsSHA from 'jssha';
+import fs from 'fs';
 import path from 'path';
 import { DB_FULLPATH } from '../routes';
-const db = new Database('./src/lib/data/tatort.db');
+const fullPath = DB_FULLPATH;
 const dir = path.dirname(fullPath);
 if (!fs.existsSync(dir)) {
 	fs.mkdirSync(dir);
 }
 const db = new Database(fullPath);
 let createSQLStmt = `CREATE TABLE IF NOT EXISTS users
        (id INTEGER PRIMARY KEY AUTOINCREMENT,
-            name TEXT NOT NULL,
+            name TEXT NOT NULL UNIQUE,
            pw TEXT NOT NULL)`;
 db.exec(createSQLStmt);
 // check if there are any users; if not add one default admin one
-const userPassword = 'A-InnoHUB_2025!';
+// const saltRounds = 12;
-const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
+// const hashedUserPassword = bcrypt.hashSync(userPasswordHashed, saltRounds);
 const hashedUserPassword = '$2b$12$d6bDzoDluXeCTuoxmWSVtOp5Cpian3mZm8qxzox6B37BIf6qtOnnG';
 const checkInsertSQLStmt = `INSERT INTO users (name, pw) SELECT 'admin', '${hashedUserPassword}'
                    WHERE NOT EXISTS (SELECT * FROM users);`;
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,5 +1,5 @@
 import jwt from 'jsonwebtoken';
-import jsSHA from 'jssha';
+import bcrypt from 'bcrypt';
 import { db } from '$lib/server/dbService';
 import config from '$lib/config';
@@ -7,7 +7,6 @@ import config from '$lib/config';
 const SECRET = config.jwt.secret;
 const EXPIRES_IN = config.jwt.expiresIn;
 export function createToken(userData) {
 	return jwt.sign(userData, SECRET, { expiresIn: EXPIRES_IN });
 }
@@ -19,14 +18,16 @@ export function decryptToken(token: string) {
 export function authenticate(user, password) {
 	let JWTToken;
 	// hash user password
 	const hashedPW = new jsSHA('SHA-512', 'TEXT').update(password).getHash('HEX');
 	const getUserSQLStmt = 'SELECT name, pw FROM users WHERE name = ?';
 	const row = db.prepare(getUserSQLStmt).get(user);
 	if (!row) {
 		return null;
 	}
 	const storedPW = row.pw;
-	if (hashedPW && hashedPW === storedPW) {
+	const isValid = bcrypt.compareSync(password, storedPW)
 	if (isValid) {
 		JWTToken = createToken({ id: user, admin: true });
 	}
--- a/src/lib/components/Button.svelte
+++ b/src/lib/components/Button.svelte
@@ -1,3 +1,31 @@
 <script lang="ts">
 	export let href = null;
 	export let type: 'button' | 'submit' | 'reset' = 'button';
 	export let size = 'md';
 	export let variant = 'primary';
 	export let fullWidth = false;
 	export let align = 'center';
 	export let disabled = false;
 	let classNames = '';
 	export { classNames as class };
 </script>
 {#if href}
 	<a on:click {href} class:w-full={fullWidth} class="button {variant} {size} {classNames} {align}"
 		><slot />
 	</a>
 {:else}
 	<button
 		on:click
 		{type}
 		{disabled}
 		class:w-full={fullWidth}
 		class="button {variant} {size} {classNames} {align}"
 	>
 		<slot />
 	</button>
 {/if}
 <style>
 	.button {
 		@apply inline-flex;
@@ -172,31 +200,3 @@
 		@apply justify-end;
 	}
 </style>
 <script lang="ts">
 	export let href = null;
 	export let type = 'button';
 	export let size = 'md';
 	export let variant = 'primary';
 	export let fullWidth = false;
 	export let align = 'center';
 	export let disabled = false;
 	let classNames = '';
 	export { classNames as class };
 </script>
 {#if href}
 	<a on:click {href} class:w-full={fullWidth} class="button {variant} {size} {classNames} {align}"
 		><slot />
 	</a>
 {:else}
 	<button
 		on:click
 		{type}
 		{disabled}
 		class:w-full={fullWidth}
 		class="button {variant} {size} {classNames} {align}"
 	>
 		<slot />
 	</button>
 {/if}
--- a/src/lib/components/EmptyList.svelte
+++ b/src/lib/components/EmptyList.svelte
@@ -0,0 +1,3 @@
 <p data-testid="empty-list" class="flex justify-center m-4">
 	In dieser Liste sind keine Einträge vorhanden
 </p>
--- a/src/lib/components/ExpandableForm.svelte
+++ b/src/lib/components/ExpandableForm.svelte
@@ -0,0 +1,54 @@
 <script lang="ts">
  import { fly, scale, fade } from 'svelte/transition';
  import { cubicOut } from 'svelte/easing';
  import { tick } from 'svelte';
  let expanded = false;
  let formContainer: HTMLDivElement;
  async function toggle() {
    expanded = !expanded;
    if (expanded) {
      // Wait for DOM to update
      await tick();
      // Scroll smoothly into view
      formContainer?.scrollIntoView({ behavior: 'smooth', block: 'start' });
    }
  }
 </script>
 <div data-testid="expand-container" class="flex flex-col items-center">
  <!-- + / × button -->
  <button
    data-testid="expand-button"
    class="flex items-center justify-center w-12 h-12 rounded-full bg-blue-600 text-white text-2xl font-bold hover:bg-blue-700 transition"
    on:click={toggle}
    aria-expanded={expanded}
    aria-label="Add item"
  >
    {#if expanded}
      ✕
    {:else}
      +
    {/if}
  </button>
  <!-- Expandable content below button -->
  {#if expanded}
    <div
      bind:this={formContainer}
      class="w-full mt-4 flex justify-center"
      transition:fade
    >
      <div
        in:fly={{ y: 10, duration: 200, easing: cubicOut }}
        out:scale={{ duration: 150 }}
        class="w-full max-w-2xl"
      >
        <slot />
      </div>
    </div>
  {/if}
 </div>
--- a/src/lib/components/Footer.svelte
+++ b/src/lib/components/Footer.svelte
@@ -1,6 +1,8 @@
 <script>
 	import Profile from "$lib/icons/Profile.svelte";
 	import { ROUTE_NAMES } from "../../routes";
    export let data;
 </script>
@@ -10,19 +12,19 @@
 					<div class="mx-auto max-w-7xl px-6 lg:px-8">
 						<div class="flex justify-between divide-x divide-gray-900/5 border-x border-gray-900/5">
 							<a
-								href="/list"
+								href="{ROUTE_NAMES.LIST}"
 								class="px-4 py-1 -ml-4 flex items-center justify-center gap-x-2.5 text-sm font-semibold leading-6 text-gray-500 hover:bg-gray-200 hover:text-gray-700"
 							>
 								&copy; 2023 Innovation Hub Niedersachen
 							</a>
 							<a
-								href="/"
+								href="{ROUTE_NAMES.ROOT}"
 								class="px-4 py-1 flex items-center justify-center gap-x-2.5 text-sm font-semibold leading-6 text-gray-500 hover:bg-gray-200 hover:text-gray-700"
 							>
 								back
 							</a>
 							<a
-								href="/"
+								href="{ROUTE_NAMES.ROOT}"
 								class="px-4 py-1 -mr-4 flex items-center justify-center gap-x-2.5 text-sm font-semibold leading-6 text-gray-500 hover:bg-gray-200 hover:text-gray-700"
 							>
 								<!--icon-->
--- a/src/lib/components/Header.svelte
+++ b/src/lib/components/Header.svelte
@@ -1,6 +1,8 @@
 <script lang="ts">
 	import Chevron from '$lib/icons/Chevron-right.svelte';
 	import { ROUTE_NAMES } from '../../routes';
 	export let data;
 </script>
@@ -11,7 +13,7 @@
 			aria-label="Global"
 		>
 			<div class="flex w-48">
-				<a href="/" class="-m-1.5 p-1.5 w-10">
+				<a href="{ROUTE_NAMES.ROOT}" class="-m-1.5 p-1.5 w-10">
 					<span class="sr-only">Tatort Niedersachen</span>
 					<img class="h-8 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
 				</a>
@@ -19,7 +21,7 @@
 			<h1 class="text-3xl text-slate-400 font-bold">Tatort</h1>
 			<div class="lg:flex lg:justify-end w-48">
 				{#if data.user}
-					<form method="POST" action="/anmeldung?/logout">
+					<form method="POST" action="{ROUTE_NAMES.LOGOUT}">
 						<input type="hidden" />
 						<button type="submit" class="text-sm font-semibold leading-6 text-gray-900"
 							><span
--- a/src/lib/components/NameItemEditor.svelte
+++ b/src/lib/components/NameItemEditor.svelte
@@ -0,0 +1,116 @@
 <script lang="ts">
 	import Check from '$lib/icons/Check.svelte';
 	import Edit from '$lib/icons/Edit.svelte';
 	import Trash from '$lib/icons/Trash.svelte';
 	import X from '$lib/icons/X.svelte';
 	import { tick } from 'svelte';
 	interface ListItem {
 		name: string;
 		token?: string;
 	}
 	// props, old syntax
 	export let list: ListItem[] = [];
 	export let currentName: string;
 	export let vorgangToken: string | null;
 	export let onSave: (n: string, o: string, t?: string) => unknown = () => {};
 	export let onDelete: ((n: string) => unknown) | null = () => {};
 	let localName = currentName;
 	let isEditing = false;
 	let inputRef: HTMLInputElement | null = null;
 	$: error = validateName(localName);
 	function validateName(name: string): string {
 		const trimmed = name?.trim() ?? '';
 		if (!trimmed) return 'Name darf nicht leer sein.';
 		if (list.some((item) => item.name === trimmed && item.name !== currentName)) {
 			return 'Name existiert bereits.';
 		}
 		return '';
 	}
 	async function startEdit() {
 		isEditing = true;
 		await tick();
 		inputRef?.focus();
 	}
 	function cancelEdit() {
 		localName = currentName;
 		isEditing = false;
 	}
 	function commitEdit() {
 		if (!error && localName != currentName) onSave(localName, currentName, vorgangToken);
 		// restore original value
 		if (error) { localName = currentName }
 		isEditing = false;
 	}
 	function handleKeydown(event: KeyboardEvent) {
 		if (event.key === 'Enter') commitEdit();
 		if (event.key === 'Escape') cancelEdit();
 	}
 	function handleDeleteClick() {
 		// vorgangToken defined when deleting Vorgang, otherwise Crime
 		onDelete(vorgangToken || currentName);
 	}
 </script>
 <div data-testid="test-nameItemEditor" class="flex flex-col gap-1">
  {#if isEditing}
    <div class="flex items-center gap-1">
      <input
        data-testid="test-input"
        bind:this={inputRef}
        bind:value={localName}
        onkeydown={handleKeydown}
        class="flex-1 border border-gray-300 rounded px-1.5 py-0.5 text-sm focus:outline-none focus:ring-1 focus:ring-blue-500"
      />
      <button
        data-testid="commit-button"
        disabled={!!error || localName === currentName}
        onclick={commitEdit}
        class="text-gray-500 hover:text-green-600 transition disabled:opacity-40"
      >
        <Check class="w-4 h-4" />
      </button>
      <button
        data-testid="cancel-button"
        onclick={cancelEdit}
        class="text-gray-500 hover:text-red-600 transition"
      >
        <X class="w-4 h-4" />
      </button>
    </div>
  {:else}
    <div class="flex items-center gap-1">
      <span class="text-sm font-medium text-gray-900 truncate">{localName}</span>
      <button
        data-testid="edit-button"
        onclick={startEdit}
        class="text-gray-500 hover:text-blue-600 transition"
      >
        <Edit class="w-4 h-4" />
      </button>
      {#if onDelete}
 		<button
 			data-testid="delete-button"
 			onclick={handleDeleteClick}
 			class="text-gray-500 hover:text-red-600 transition"
 		>
 			<Trash class="w-4 h-4" />
 		</button>
      {/if}
    </div>
  {/if}
  {#if error}
    <p class="text-xs text-red-500 mt-1">{error}</p>
  {/if}
 </div>
--- a/src/lib/data/tatort.db
+++ b/src/lib/data/tatort.db
--- a/src/lib/helper/vorgangNumberOccupied.ts
+++ b/src/lib/helper/vorgangNumberOccupied.ts
@@ -1,9 +1,9 @@
-import { client } from '$lib/minio';
+import { client, BUCKET } from '$lib/minio';
 export default async function vorgangNumberOccupied(vorgangNumber: string): Promise<boolean> {
 	const prefix = `${vorgangNumber}`;
 	const promise: Promise<boolean> = new Promise((resolve) => {
-		const stream = client.listObjectsV2('tatort', prefix, false, '');
+		const stream = client.listObjectsV2(BUCKET, prefix, false, '');
 		stream.on('data', () => {
 			stream.destroy();
 			resolve(true);
--- a/src/lib/icons/Profile.svelte
+++ b/src/lib/icons/Profile.svelte
@@ -1,4 +1,5 @@
 <svg
 	data-testid="profile-component"
 	xmlns="http://www.w3.org/2000/svg"
 	fill="none"
 	viewBox="0 0 24 24"
--- a/src/lib/minio.ts
+++ b/src/lib/minio.ts
@@ -7,6 +7,10 @@ import config from '$lib/config';
 /** export const client = new Minio.Client(config.minio); */
 export const client = new Client(config.minio);
-export const BUCKET = 'tatort';
+const isProd = process.env.NODE_ENV == 'production';
 const BUCKET = isProd ? 'tatort' : 'tatort-dev';
 export { BUCKET };
 export const TOKENFILENAME = '__perm__';
 export const CONFIGFILENAME = 'config.json';
--- a/src/lib/server/authService.ts
+++ b/src/lib/server/authService.ts
@@ -1,6 +1,7 @@
 import { dev } from '$app/environment';
 import { fail, redirect, type Cookies, type RequestEvent } from '@sveltejs/kit';
 import { authenticate } from '$lib/auth';
 import { ROUTE_NAMES } from '../../routes';
 const COOKIE_NAME = 'session';
@@ -11,19 +12,20 @@ export const loginUser = async ({ request, cookies }: { request: Request; cookie
 	const token = authenticate(user, password);
-	if (!token) return fail(400, { user, incorrect: true });
+	if (!token) return fail(400, { user, incorrect: true,
 								message: "Ungültige Zugangsdaten" });
 	cookies.set(COOKIE_NAME, token, {
-		path: '/',
+		path: ROUTE_NAMES.ROOT,
 		httpOnly: true,
 		sameSite: 'strict',
 		secure: !dev
 	});
-	return redirect(303, '/');
+	return redirect(303, ROUTE_NAMES.ROOT);
 };
 export const logoutUser = async (event: RequestEvent) => {
-	event.cookies.delete(COOKIE_NAME, { path: '/' });
+	event.cookies.delete(COOKIE_NAME, { path: ROUTE_NAMES.ROOT });
 	event.locals.user = null;
-	return { success: true };
+	return redirect(303, ROUTE_NAMES.ROOT);
 };
--- a/src/lib/server/dbService.ts
+++ b/src/lib/server/dbService.ts
@@ -1,3 +1,7 @@
 import Database from 'better-sqlite3';
 import { DB_FULLPATH } from '../../routes';
-export const db = new Database('./src/lib/data/tatort.db');
+// make sure the DB is initiated
 import '../../init/init_db'
 export const db = new Database(DB_FULLPATH);
--- a/src/lib/server/userService.ts
+++ b/src/lib/server/userService.ts
@@ -0,0 +1,51 @@
 import { db } from '$lib/server/dbService';
 export const getUsers = (): { userId: string; userName: string }[] => {
 	const getUsersSQLStmt = `SELECT id, name
 													 FROM users;`;
 	const statement = db.prepare(getUsersSQLStmt);
 	const result = statement.all() as { id: string; name: string }[];
 	const userList: { userId: string; userName: string }[] = [];
 	for (const resultItem of result) {
 		const user = { userId: resultItem.id, userName: resultItem.name };
 		userList.push(user);
 	}
 	return userList;
 };
 export const addUser = (userName: string, userPassword: string) => {
 	const addUserSQLStmt = `INSERT into users(name, pw)
 													values (?, ?)`;
 	const statement = db.prepare(addUserSQLStmt);
 	let rowInfo;
 	try {
 		rowInfo = statement.run(userName, userPassword);
 		return rowInfo;
 	} catch (error) {
 		console.error('ERROR: ', error);
 	}
 };
 export const deleteUser = (userId: string) => {
 	// make sure to not delete the last entry
 	const deleteUserSQLStmt = `DELETE
 														 FROM users
 														 WHERE id = ?
 															 AND (SELECT COUNT(*) FROM users) > 1;`;
 	const statement = db.prepare(deleteUserSQLStmt);
 	let rowCount;
 	try {
 		const info = statement.run(userId);
 		rowCount = info.changes;
 	} catch (error) {
 		console.log(error);
 		rowCount = 0;
 	}
 	return rowCount;
 };
--- a/src/lib/server/vorgangService.ts
+++ b/src/lib/server/vorgangService.ts
@@ -1,6 +1,7 @@
 import { fail } from '@sveltejs/kit';
 import { BUCKET, client, CONFIGFILENAME, TOKENFILENAME } from '$lib/minio';
 import { checkIfExactDirectoryExists, getContentOfTextObject } from './s3ClientService';
 import { v4 as uuidv4 } from 'uuid';
 import { db } from './dbService';
@@ -31,23 +32,60 @@ export const getCrimesListByToken = async (vorgangToken: string) => {
 * @param vorgangToken
 * @returns vorgangObj with keys `token`, `name`, `pin` || undefined
 */
-export const getVorgangByToken = (vorgangToken: string): {token: string, name:string, pin: string} | undefined => {
+export const getVorgangByToken = (
-	const getVorgangSQLStmt = `SELECT token, name, pin FROM cases WHERE token = ?`;
+	vorgangToken: string
 ): { token: string; name: string; pin: string } | undefined => {
 	const getVorgangSQLStmt = `SELECT token, name, pin
 														 FROM cases
 														 WHERE token = ?`;
 	const statement = db.prepare(getVorgangSQLStmt);
-	const result = statement.get(vorgangToken) as {token: string, name:string, pin: string} | undefined;
+	const result = statement.get(vorgangToken) as
 		| { token: string; name: string; pin: string }
 		| undefined;
 	return result;
 };
 /**
 * Create Vorgang, using a vorgangName and vorgangPIN
 * @param vorgangName
 * @param vorgangPIN
 * @returns {string || false} vorgangToken if successful
 */
 export const createVorgang = (vorgangName: string, vorgangPIN: string): string | boolean => {
 	const vorgangExists = vorgangNameExists(vorgangName);
 	if (vorgangExists) {
 		return false;
 	}
 	const vorgangToken = uuidv4();
 	const insertSQLStatement = `INSERT INTO cases (token, name, pin) VALUES (?, ?, ?)`;
 	const statement = db.prepare(insertSQLStatement);
 	const info = statement.run(vorgangToken, vorgangName, vorgangPIN);
 	if (info.changes) {
 		return vorgangToken;
 	} else {
 		return false;
 	}
 };
 /**
 * Get Vorgang
 * @param vorgangName
 * @returns vorgangObj with keys `token`, `name`, `pin` || undefined
 */
-export const getVorgangByName = (vorgangName: string): {token: string, name: string, pin: string} | undefined => {
+export const getVorgangByName = (
-	const getVorgangByNameSQLStmt = `SELECT token, name, pin FROM cases WHERE name = ?`;
+	vorgangName: string
 ): { token: string; name: string; pin: string } | undefined => {
 	const getVorgangByNameSQLStmt = `SELECT token, name, pin
 																	 FROM cases
 																	 WHERE name = ?`;
 	const statement = db.prepare(getVorgangByNameSQLStmt);
-	const result = statement.get(vorgangName) as {token: string, name: string, pin: string} | undefined;
+	const result = statement.get(vorgangName) as
 		| { token: string; name: string; pin: string }
 		| undefined;
 	return result;
 };
@@ -88,13 +126,22 @@ export const getListOfVorgänge = async () => {
 * Fetches list of vorgänge from database
 * @returns list with of available vorgaenge
 */
-export const getVorgaenge = (): {vorgangToken: string, vorgangName: string, vorgangPIN: string}[] => {
+export const getVorgaenge = (): {
-	const getVorgaengeSQLStmt = `SELECT token, name, pin from cases`;
+	vorgangToken: string;
 	vorgangName: string;
 	vorgangPIN: string;
 }[] => {
 	const getVorgaengeSQLStmt = `SELECT token, name, pin
 															 from cases`;
 	const statement = db.prepare(getVorgaengeSQLStmt);
 	const result = statement.all() as { token: string; name: string; pin: string }[];
-	const vorgaenge_list: {vorgangToken: string, vorgangName: string, vorgangPIN: string}[] = [];
+	const vorgaenge_list: { vorgangToken: string; vorgangName: string; vorgangPIN: string }[] = [];
 	for (const resultItem of result) {
-		const vorg = { vorgangToken: resultItem.token, vorgangName: resultItem.name, vorgangPIN: resultItem.pin };
+		const vorg = {
 			vorgangToken: resultItem.token,
 			vorgangName: resultItem.name,
 			vorgangPIN: resultItem.pin
 		};
 		vorgaenge_list.push(vorg);
 	}
@@ -187,3 +234,27 @@ export const vorgangPINValidation = function (vorgangToken: string, vorgangPIN:
 	return true;
 };
 /**
 * Change VorgangName or VorgangPIN
 * @param vorgangToken
 * @param newValue
 * @returns {int} number of affected lines
 */
 export const updateVorgangAttrByToken = function (vorgangToken: string,
 											newValue: string,
 											column: string) {
 	const renameSQLStmt = `UPDATE cases set ${column} = ? WHERE token = ?`;
 	const statement = db.prepare(renameSQLStmt);
 	let info;
 	try {
 		info = statement.run(newValue, vorgangToken);
 	} catch (err) {
 		console.log(`error: ${err}`)
 		return 0;
 	}
 	return info.changes;
 };
--- a/src/routes/(angemeldet)/+layout.server.ts
+++ b/src/routes/(angemeldet)/+layout.server.ts
@@ -1,10 +1,10 @@
-import { redirect, type ServerLoadEvent } from '@sveltejs/kit';
+import { type ServerLoadEvent } from '@sveltejs/kit';
 import type { PageServerLoad } from '../anmeldung/$types';
 export const load: PageServerLoad = (event: ServerLoadEvent) => {
-	if (!event.locals.user && event.url.pathname !== '/anmeldung') throw redirect(303, '/anmeldung');
+	if (event.locals.user) {
 		return {
 			user: event.locals.user
 		};
 	}
 };
--- a/src/routes/(angemeldet)/+layout.svelte
+++ b/src/routes/(angemeldet)/+layout.svelte
@@ -5,6 +5,8 @@
 	export let data;
 </script>
 {#if data.user?.admin}
 <div class="h-screen v-screen flex flex-col">
 	<div class="flex flex-col h-full">
 		<Header {data}/>
@@ -16,3 +18,10 @@
 	</div>
 </div>
 {:else}
 <div class="h-screen bg-white"><slot /></div>
 {/if}
--- a/src/routes/(angemeldet)/+page.server.ts
+++ b/src/routes/(angemeldet)/+page.server.ts
@@ -0,0 +1,6 @@
 import { loginUser, logoutUser } from '$lib/server/authService';
 export const actions = {
 	login: ({ request, cookies }) => loginUser({ request, cookies }),
 	logout: (event) => logoutUser(event),
 } as const;
--- a/src/routes/(angemeldet)/+page.svelte
+++ b/src/routes/(angemeldet)/+page.svelte
@@ -2,60 +2,108 @@
 	import AddProcess from '$lib/icons/Add-Process.svelte';
 	import FileRect from '$lib/icons/File-rect.svelte';
 	import ListIcon from '$lib/icons/List-icon.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import ArrowRight from '$lib/icons/Arrow-right.svelte';
 	import { ROUTE_NAMES } from '../index.js';
 	export let data;
 	export let form;
 	export let outline = true;
 </script>
 {#if data.user?.admin}
 <div
 	class=" inset-x-0 top-0 -z-10 h-full flex items-center justify-center bg-white shadow-lg ring-1 ring-gray-900/5"
 >
 	<div class="mx-auto flex justify-center max-w-7xl py-10 px-8 w-full">
 		{#if data.user.admin}
 			<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 				<div
 					class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
 				>
 					<ListIcon class=" group-hover:text-indigo-600" />
 				</div>
-				<a href="/list" class="mt-6 block font-semibold text-gray-900">
+				<a href="{ROUTE_NAMES.LIST}" class="mt-6 block font-semibold text-gray-900">
-					Liste
+					Vorgänge
 					<span class="absolute inset-0"></span>
 				</a>
 				<p class="mt-1 text-gray-600">
 					Verschaffe Dir einen Überblick über alle gespeicherten Tatorte.
 				</p>
 			</div>
 		{/if}
 		{#if data.user.admin}
 			<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 				<div
 					class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
 				>
 					<AddProcess class=" group-hover:text-indigo-600" />
 				</div>
 				<a href="/upload" class="mt-6 block font-semibold text-gray-900">
 					Hinzufügen
 					<span class="absolute inset-0"></span>
 				</a>
 				<p class="mt-1 text-gray-600">Fügen Sie einem Tatort Bilder hinzu.</p>
 			</div>
 		{/if}
 		<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 			<div
 				class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
 			>
 				<FileRect class=" group-hover:text-indigo-600" {outline} />
 			</div>
-			<a href="/view" class="mt-6 block font-semibold text-gray-900">
+			<a href="{ROUTE_NAMES.USERMGMT}" class="mt-6 block font-semibold text-gray-900">
-				Ansicht
+				Benutzerverwaltung
 				<span class="absolute inset-0"></span>
 			</a>
-			<p class="mt-1 text-gray-600">Schau Dir einen Tatort in der 3D Ansicht an.</p>
+			<p class="mt-1 text-gray-600">Füge neue Benutzer hinzu oder entferne welche.</p>
 		</div>
 	</div>
 </div>
 {:else}
 <div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
 	<div class="sm:mx-auto sm:w-full sm:max-w-sm">
 		<img class="mx-auto h-10 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
 		<h2 class="mt-10 text-center text-2xl font-bold leading-9 tracking-tight text-gray-900">
 			Willkommen beim 3D Tatort
 		</h2>
 	</div>
 	<div class="w-full max-w-sm mx-auto">
 		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
 			<div class="mt-10">
 <form action="{ROUTE_NAMES.LOGIN}" method="POST">
 						<div>
 							<label for="user" class="text-sm font-medium leading-6 text-gray-900">Name</label>
 							<div class="mt-2">
 								<input
 									id="user"
 									name="user"
 									type="text"
 									autocomplete="email"
 									required
 									class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
 								/>
 							</div>
 						</div>
 						<div>
 							<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
 								>Passwort</label
 							>
 							<div class="mt-2">
 								<input
 									id="password"
 									name="password"
 									type="password"
 									autocomplete="current-password"
 									required
 									class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
 								/>
 							</div>
 						</div>
 						{#if form?.incorrect}
 							<p class="block text-sm leading-6 text-red-900 mt-2">{form.message}</p>
 						{/if}
 						<div class="flex justify-end">
 							<Button type="submit" class="mt-5">Anmelden</Button>
 						</div>
 					</form>
 			</div>
 		</div>
 	</div>
 </div>
 {/if}
 <style>
 </style>
--- a/src/routes/(angemeldet)/list/+page.server.ts
+++ b/src/routes/(angemeldet)/list/+page.server.ts
@@ -1,10 +1,35 @@
-import { getVorgaenge } from '$lib/server/vorgangService';
+import { createVorgang, getVorgaenge } from '$lib/server/vorgangService';
 import type { PageServerLoad } from '../../(token-based)/view/$types';
 import { error, fail } from '@sveltejs/kit';
-export const load: PageServerLoad = async () => {
+export const load: PageServerLoad = async (event) => {
-	const vorgangList = await getVorgaenge();
+	if (!event.locals.user) {
 		error(404, 'Not Found')
 	}
 	const vorgangList = getVorgaenge();
 	return {
 		vorgangList
 	};
 };
 export const actions = {
 	default: async ({ request }: { request: Request }) => {
 		const data = await request.formData();
 		const vorgangName: string | null = data.get('vorgang') as string;
 		const vorgangPIN: string | null = data.get('pin') as string;
 		const err = {};
 		const token = createVorgang(vorgangName, vorgangPIN);
 		if (!token) {
 			err.message = "Der Vorgang konnte nicht angelegt werden"
 			return fail(400, err)
 		} else {
 			// success
 			return { token }
 		}
 	}
 };
--- a/src/routes/(angemeldet)/list/+page.svelte
+++ b/src/routes/(angemeldet)/list/+page.svelte
@@ -1,24 +1,94 @@
 <script lang="ts">
 	import ExpandableForm from '$lib/components/ExpandableForm.svelte';
 	import Trash from '$lib/icons/Trash.svelte';
 	import Folder from '$lib/icons/Folder.svelte';
-	import type { PageData } from '../$types';
+	import EmptyList from '$lib/components/EmptyList.svelte';
 	import NameItemEditor from '$lib/components/NameItemEditor.svelte';
 	import Alert from '$lib/components/Alert.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import Modal from '$lib/components/Modal/Modal.svelte';
 	import ModalTitle from '$lib/components/Modal/ModalTitle.svelte';
 	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
 	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
 	import { API_ROUTES, ROUTE_NAMES } from '../../index.js';
 	import { invalidateAll } from '$app/navigation';
-	export let data: PageData;
+	let { data, form } = $props();
-	const vorgangList = data.vorgangList;
+	let vorgangList = $state(data.vorgangList);
-	async function delete_item(ev: Event) {
+    // same as `vorgangList` but with one different property to be used
    // with ´NameItemEditor`
    const derivedList = $derived.by(
 		() => {
 			return vorgangList.map(
 				({ vorgangName, ...rest }) => (
 					{
 						name: vorgangName,
 						...rest
 					}
 				)
 			)
 		}
    );
 	let isEmptyList = vorgangList.length === 0;
 	let vorgangName = $state('');
 	let vorgangPIN = $state('');
 	let errorMsg = $state('');
 	// reset input fields when submission successful
 	$effect(() => {
 		if (form?.token) {
 			vorgangName = '';
 			vorgangPIN = '';
 			errorMsg = '';
 		}
 	});
 	async function submitVorgang(ev: Event) {
 		const isValid = inputValid(vorgangName, vorgangPIN);
 		if (!isValid) {
 			ev.preventDefault();
 			return;
 		}
 		// continue form action on server
 	}
 	/**
 	 * Check for required fields
 	 * @param vorgangName
 	 * @param vorgangPIN
 	 * @returns {boolean} Indicates whether input is valid
 	 */
 	function inputValid(vorgangName, vorgangPIN) {
 		if (!(vorgangName || vorgangPIN)) {
 			errorMsg = 'Bitte beide Felder ausfüllen.';
 			return false;
 		} else if (!vorgangName) {
 			errorMsg = 'Bitte einen Vorgangsnamen vergeben.';
 			return false;
 		} else if (!vorgangPIN) {
 			errorMsg = 'Bitte einen Vorgangs-PIN eingeben.';
 			return false;
 		}
 		const existing = vorgangList.some((vorg) => vorg.vorgangName === vorgangName);
 		if (existing) {
 			errorMsg = 'Der Name existiert bereits.';
 			return false;
 		}
 		return true;
 	}
 	async function deleteVorgang(vorgangToken: string) {
 		let delete_item = window.confirm('Bist du sicher?');
 		if (delete_item) {
-			const target = ev.currentTarget as HTMLElement | null;
+			let url = API_ROUTES.VORGANG(vorgangToken);
 			if (!target) return;
 			let filename = target.id.split('del__')[1];
 			// delete request
 			// --------------
 			let url = `/api/list/${filename}`;
 			try {
 				const response = await fetch(url, { method: 'DELETE' });
@@ -36,6 +106,46 @@
 			}
 		}
 	}
 	//Variablen für Modal
 	let open = $state(false);
 	let inProgress = $state(false);
 	let isError = $state(false);
 	async function handleSave(newName: string, oldName: string, vorgangToken: string) {
 		open = true;
 		inProgress = true;
 		isError = false;
 		try {
 			const res = await fetch(API_ROUTES.VORGANG(vorgangToken), {
 				method: 'PUT',
 				headers: {
 					'Content-Type': 'application/json'
 				},
 				body: JSON.stringify({ vorgangToken, oldName, newName })
 			});
 			if (!res.ok) {
 				throw new Error('Fehler beim Speichern');
 			}
 			await invalidateAll();
 			vorgangList = data.vorgangList;
 			open = false;
 		} catch (err) {
 			console.error('⚠️ Netzwerkfehler beim Speichern', err);
 			isError = true;
 		} finally {
 			inProgress = false;
 		}
 	}
 	 async function closeModal() {
 		open = false;
 		isError = false;
 	}
 </script>
 <div class="-z-10 bg-white">
@@ -44,37 +154,111 @@
 	</div>
 	<div class="mx-auto flex justify-center max-w-7xl h-full">
 		<ul role="list" class="divide-y divide-gray-100">
 			{#if isEmptyList}
 				<EmptyList></EmptyList>
 			{:else}
 				{#each vorgangList as vorgangItem}
-				<li>
+					<li data-testid="test-list-item">
-					<a href="/list/{vorgangItem.vorgangToken}?pin={vorgangItem.vorgangPIN}" class="flex justify-between gap-x-6 py-5">
+						<div class="flex items-center justify-center gap-3">
-						<div class="flex gap-x-4">
+						<a
-							<!-- Ordner -->
+						href="{ROUTE_NAMES.VORGANG(vorgangItem.vorgangToken)}"
-							<Folder />
+						class="flex flex-col items-center justify-center gap-2 py-4 rounded-lg hover:bg-gray-50 transition text-center"
 							<div class="min-w-0 flex-auto">
 								<span class="text-sm font-semibold leading-6 text-gray-900">{vorgangItem.vorgangName}</span>
 								<!-- Delete button -->
 								<button
 									style="padding: 2px"
 									id="del__{vorgangItem.vorgangToken}"
 									on:click|preventDefault={delete_item}
 									aria-label="Vorgang {vorgangItem.name} löschen"
 						>
-									<Trash />
+							<Folder class="w-6 h-6 text-gray-600" />
 								</button>
 							</div>
 						</div>
 						<div class="hidden sm:flex sm:flex-col sm:items-end">
 							<p class="text-sm leading-6 text-gray-900">Vorgang</p>
 						</div>
 						</a>
 							<NameItemEditor
 							list={derivedList}
 							currentName={vorgangItem.vorgangName}
 							vorgangToken={vorgangItem.vorgangToken}
 							onSave={handleSave}
 							onDelete={deleteVorgang}
 							/>
 						</div>
 					</li>
 				{/each}
 			{/if}
 		</ul>
 	</div>
 </div>
 <ExpandableForm>
 <form class="flex flex-col items-center" method="POST">
 	<div class="flex flex-col sm:flex-row sm:space-x-4 w-full max-w-lg">
 		<div class="flex-1">
 			<label for="vorgang" class="block text-sm font-medium leading-6 text-gray-900">
 				<span class="flex"> Vorgangsname </span>
 			</label>
 			<div class="mt-2">
 				<div
 					class="flex rounded-md shadow-sm ring-1 ring-inset ring-gray-300 focus-within:ring-2 focus-within:ring-inset focus-within:ring-indigo-600"
 				>
 					<input
 						required
 						bind:value={vorgangName}
 						type="text"
 						name="vorgang"
 						id="vorgang"
 						class="block flex-1 border-0 bg-transparent py-1.5 pl-1 text-gray-900 placeholder:text-gray-400 focus:ring-0 sm:text-sm sm:leading-6"
 					/>
 				</div>
 			</div>
 		</div>
 		<div class="flex-1 mt-4 sm:mt-0">
 			<label for="pin" class="block text-sm font-medium leading-6 text-gray-900">
 				<span class="flex"> PIN </span>
 			</label>
 			<div class="mt-2">
 				<div
 					class="flex rounded-md shadow-sm ring-1 ring-inset ring-gray-300 focus-within:ring-2 focus-within:ring-inset focus-within:ring-indigo-600"
 				>
 					<input
 						required
 						type="password"
 						bind:value={vorgangPIN}
 						name="pin"
 						id="pin"
 						class="block flex-1 border-0 bg-transparent py-1.5 pl-1 text-gray-900 placeholder:text-gray-400 focus:ring-0 sm:text-sm sm:leading-6"
 					/>
 				</div>
 			</div>
 		</div>
 	</div>
 	{#if errorMsg}
 		<p>{errorMsg}</p>
 	{/if}
 	{#if form?.message}
 		<p>{form.message}</p>
 	{/if}
 	<button
 		type="submit"
 		on:click={submitVorgang}
 		class="mt-4 bg-indigo-600 text-white px-6 py-2 rounded hover:bg-indigo-700 transition"
 	>
 		Neuen Vorgang hinzufügen
 	</button>
 </form>
 </ExpandableForm>
 <Modal {open}
 			><ModalTitle>Umbenennen</ModalTitle><ModalContent>
 				{#if inProgress}
 					<p class="py-2 mb-1">Vorgang läuft...</p>
 				{:else if isError}
 					<Alert class="w-full" type="error">Fehler beim Umbenennen</Alert>
 				{:else}
 					<Alert class="w-full">Umbenennen erfolgreich</Alert>
 				{/if}
 			</ModalContent>
 			<ModalFooter><Button disabled={inProgress} on:click={closeModal}>Ok</Button></ModalFooter>
 </Modal>
 <style>
 	ul {
 		min-width: 24rem;
 	}
 </style>
--- a/src/routes/(angemeldet)/tatorte/+page.server.ts
+++ b/src/routes/(angemeldet)/tatorte/+page.server.ts
@@ -1,37 +0,0 @@
 import { client } from '$lib/minio';
 import { fail } from '@sveltejs/kit';
 import vorgangNumberOccupied from '$lib/helper/vorgangNumberOccupied.js';
 /** @type {import('./$types').Actions} */
 export const actions = {
 	default: async ({ request }: {request: Request}) => {
 		const data = await request.formData();
 		const vorgangNumber = data.get('vorgangNumber');
 		const description = data.get('description');
 		if (!vorgangNumber) {
 			return fail(400, {
 				vorgangNumber,
 				description,
 				error: { vorgangNumber: 'Es muss eine Vorgangsnummer vorhanden sein.' }
 			});
 		}
 		if (await vorgangNumberOccupied(`${vorgangNumber}`)) {
 			return fail(400, {
 				vorgangNumber,
 				description,
 				error: { vorgangNumber: 'Die Vorgangsnummer wurde im System bereits angelegt.' }
 			});
 		}
 		const config = `${JSON.stringify({ vorgangNumber, description, version: 1 })}\n`;
 		await client.putObject('tatort', `${vorgangNumber}/config.json`, config, undefined, {
 			'Content-Type': 'application/json'
 		});
 		return { success: true };
 	}
 };
--- a/src/routes/(angemeldet)/tatorte/+page.svelte
+++ b/src/routes/(angemeldet)/tatorte/+page.svelte
@@ -1,115 +0,0 @@
 <script lang="ts">
 	import Alert from '$lib/components/Alert.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import Modal from '$lib/components/Modal/Modal.svelte';
 	import ModalTitle from '$lib/components/Modal/ModalTitle.svelte';
 	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
 	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
 	import Exclamation from '$lib/icons/Exclamation.svelte';
 	export let form;
 	let open = false;
 	$: open = form?.success ?? false;
 </script>
 <div class="mx-auto max-w-2xl">
 	<div class="flex flex-col items-center justify-center w-full">
 		<h1 class="text-xl">Neuer Vorgang</h1>
 	</div>
 	<form method="POST">
 		<div class="space-y-12">
 			<div class="border-b border-gray-900/10 pb-12">
 				<p class="mt-8 text-sm leading-6 text-gray-600">
 					This information will be displayed publicly so be careful what you share.
 				</p>
 				<div class="mt-10 grid grid-cols-1 gap-x-6 gap-y-8">
 					<div>
 						<label for="vorgangNumber" class="block text-sm font-medium leading-6 text-gray-900"
 							><span class="flex"
 								>{#if form?.error?.vorgangNumber}
 									<span class="inline-block mr-1"><Exclamation /></span>
 								{/if} Vorgangs-Nr.</span
 							></label
 						>
 						<div class="mt-2">
 							<div
 								class="flex rounded-md shadow-sm ring-1 ring-inset ring-gray-300 focus-within:ring-2 focus-within:ring-inset focus-within:ring-indigo-600"
 							>
 								<input
 									value={form?.vorgangNumber ?? ''}
 									type="text"
 									name="vorgangNumber"
 									id="vorgangNumber"
 									class="block flex-1 border-0 bg-transparent py-1.5 pl-1 text-gray-900 placeholder:text-gray-400 focus:ring-0 text-sm leading-6"
 								/>
 							</div>
 						</div>
 						{#if form?.error?.vorgangNumber}
 							<p class="block text-sm leading-6 text-red-900 mt-2">{form.error.vorgangNumber}</p>
 						{/if}
 					</div>
 					<div>
 						<label for="description" class="block text-sm font-medium leading-6 text-gray-900"
 							><span class="flex"
 								>{#if form?.description}
 									<span class="inline-block mr-1"><Exclamation /></span>
 								{/if} Beschreibung</span
 							></label
 						>
 						<div class="mt-2">
 							<textarea
 								value={form?.description?.toString() ?? ''}
 								id="description"
 								name="description"
 								rows="3"
 								class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
 							></textarea>
 						</div>
 						{#if form?.error}
 							<p class="block text-sm leading-6 text-red-900 mt-2">{form.description}</p>
 						{/if}
 					</div>
 					<label for="vorgang-token">
 					<span >Zugangstoken (optional) </span>
 					</label>
 					<div class="mt-2">
 					<div
 					>
 						<input
 							type="text"
 							id="vorgang-token"
 						/>
 					</div>
 					</div>
 				</div>
 			</div>
 			<div class="mt-6 flex items-center justify-end gap-x-6">
 				<button type="button" class="text-sm font-semibold leading-6 text-gray-900">Cancel</button>
 				<Button
 					type="submit"
 					class="rounded-md bg-indigo-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600"
 					>Save</Button
 				>
 			</div>
 		</div>
 	</form>
 	<Modal {open}
 		><ModalTitle>vorgang anlegen</ModalTitle><ModalContent>
 			{#if form?.success}
 				<Alert class="w-full">Vorgang erfolgreich angelegt</Alert>
 			{:else}
 				<Alert class="w-full" type="error">Fehler beim Upload</Alert>
 			{/if}
 		</ModalContent>
 		<ModalFooter><Button on:click={() => (open = false)}>Ok</Button></ModalFooter>
 	</Modal>
 </div>
--- a/src/routes/(angemeldet)/upload/+page.server.ts
+++ b/src/routes/(angemeldet)/upload/+page.server.ts
@@ -1,10 +1,8 @@
 import { Readable } from 'stream';
-import { client } from '$lib/minio';
+import { BUCKET, client } from '$lib/minio';
-import { fail } from '@sveltejs/kit';
+import { fail, error } from '@sveltejs/kit';
 import { v4 as uuidv4 } from 'uuid';
-import { db } from '$lib/server/dbService';
+import { getVorgangByName } from '$lib/server/vorgangService';
 import { getVorgangByName, vorgangNameExists } from '$lib/server/vorgangService';
 const isRequiredFieldValid = (value: unknown) => {
 	if (value == null) return false;
@@ -17,29 +15,14 @@ const isRequiredFieldValid = (value: unknown) => {
 export const actions = {
 	url: async ({ request }: { request: Request }) => {
 		const data = await request.formData();
-		const vorgangName = data.get('vorgang');
+		const vorgangName: string | null = data.get('vorgang') as string;
-		const crimeName = data.get('name');
+		const crimeName: string | null = data.get('name') as string;
-		const type = data.get('type');
+		const type: string | null = data.get('type') as string;
-		const vorgangPIN = data.get('vorgangPIN');
+		const fileName: string | null = data.get('fileName') as string;
 		const fileName = data.get('fileName');
 		const vorgangExists = vorgangNameExists(vorgangName);
 		let vorgangToken;
 		if (!vorgangExists) {
 			vorgangToken = uuidv4();
 			const insertSQLStatement = `INSERT INTO cases (token, name, pin) VALUES (?, ?, ?)`;
 			const statement = db.prepare(insertSQLStatement);
 			statement.run(vorgangToken, vorgangName, vorgangPIN);
 		} else {
 		const vorgang = getVorgangByName(vorgangName);
 		vorgangToken = vorgang.token;
 			if (vorgang && vorgang.pin != vorgangPIN) {
 				const updateSQLStmt = `UPDATE cases SET pin = ? WHERE token = ?`;
 				const statement = db.prepare(updateSQLStmt);
 				statement.run(vorgangPIN, vorgangToken);
 			}
 		}
 		let objectName = `${vorgangToken}/${crimeName}`;
 		switch (type) {
@@ -51,7 +34,7 @@ export const actions = {
 					objectName += '.glb';
 		}
-		const url = await client.presignedPutObject('tatort', objectName);
+		const url = await client.presignedPutObject(BUCKET, objectName);
 		return { url };
 	},
@@ -60,7 +43,6 @@ export const actions = {
 		const data = Object.fromEntries(requestData);
 		const vorgang = data.vorgang;
 		const name = data.name;
 		const vorgangPIN = data.vorgangPIN;
 		let success = true;
 		const err = {};
 		if (isRequiredFieldValid(vorgang)) {
@@ -77,13 +59,6 @@ export const actions = {
 			success = false;
 		}
 		if (isRequiredFieldValid(vorgangPIN)) {
 			err.vorgangPIN = null;
 		} else {
 			err.vorgangPIN = 'Das Feld Zugangspasswort darf nicht leer bleiben.';
 			success = false;
 		}
 		if (success) return { success };
 		return fail(400, err);
@@ -95,7 +70,7 @@ export const actions = {
 		const vorgang = data.vorgang;
 		const name = data.name;
-		const url = await client.presignedPutObject('tatort', `${vorgang}/${name}`, 60);
+		const url = await client.presignedPutObject(BUCKET, `${vorgang}/${name}`, 60);
 		return { url };
 	},
@@ -106,7 +81,7 @@ export const actions = {
 		const stream = data.file.stream();
 		const metaData = { 'Content-Type': 'model-gtlf-binary', 'X-VorgangsNr': '4711' };
 		const result = new Promise((resolve, reject) => {
-			client.putObject('tatort', name, Readable.from(stream), metaData, function (err, etag) {
+			client.putObject(BUCKET, name, Readable.from(stream), metaData, function (err, etag) {
 				if (err) return reject(err);
 				resolve(etag);
 			});
@@ -123,3 +98,10 @@ export const actions = {
 		return { etag, error };
 	}
 };
 export const load: PageServerLoad = async (event) => {
 	if (!event.locals.user) {
 		error(404, 'Not found')
 	}
 };
--- a/src/routes/(angemeldet)/upload/+page.svelte
+++ b/src/routes/(angemeldet)/upload/+page.svelte
@@ -9,6 +9,7 @@
 	import shortenFileSize from '$lib/helper/shortenFileSize.js';
 	import Exclamation from '$lib/icons/Exclamation.svelte';
 	import FileRect from '$lib/icons/File-rect.svelte';
 	import { API_ROUTES, ROUTE_NAMES } from '../../index.js';
 	export let form;
@@ -43,7 +44,7 @@
 		data.append('vorgang', vorgang);
 		data.append('name', name);
 		data.append('vorgangPIN', vorgangPIN);
-		const response = await fetch('?/validate', { method: 'POST', body: data });
+		const response = await fetch(ROUTE_NAMES.UPLOAD_VALIDATE, { method: 'POST', body: data });
 		/** @type {import('@sveltejs/kit').ActionResult} */
 		const result = deserialize(await response.text());
@@ -76,7 +77,7 @@
 			data.append('type', files[0].type);
 			data.append('fileName', files[0].name);
 		}
-		const response = await fetch('?/url', { method: 'POST', body: data });
+		const response = await fetch(ROUTE_NAMES.UPLOAD_URL, { method: 'POST', body: data });
 		/** @type {import('@sveltejs/kit').ActionResult} */
 		const result = deserialize(await response.text());
 		if (result.type === 'success') return result.data?.url;
@@ -151,7 +152,6 @@
 		return true;
 	}
 	// `/(angemeldet)/view` return true or false
 	async function checkVorgangExists(vorgangName: string) {
 		if (vorgangName == '') {
 			vorgangPIN = vorgangPINOld;
@@ -159,7 +159,8 @@
 		}
 		try {
-			const url = `/api/list/${vorgangName}`;
+			// `HEAD` method
 			const url = API_ROUTES.VORGANG_NAME_EXIST(vorgangName);
 			const response = await fetch(url, { method: 'HEAD' });
 			if (response.status === 200) {
@@ -185,7 +186,7 @@
 	async function getVorgangPIN(vorgangName: string) {
 		if (vorgangName == '') return;
-		let url = `/api/list/${vorgangName}/vorgangPIN`;
+		let url = API_ROUTES.VORGANG_PIN(vorgangName);
 		const response = await fetch(url);
 		if (response.status == 200) {
--- a/src/routes/(angemeldet)/user-management/+page.server.ts
+++ b/src/routes/(angemeldet)/user-management/+page.server.ts
@@ -0,0 +1,8 @@
 import type { PageServerLoad } from '../../(token-based)/view/$types';
 import { error } from '@sveltejs/kit';
 export const load: PageServerLoad = async (event) => {
 	if (!event.locals.user) {
 		error(404, 'Not Found')
 	}
 };
--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -0,0 +1,211 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
 	import Button from '$lib/components/Button.svelte';
 	import { API_ROUTES } from '../../index.js';
 	const { data } = $props();
 	let userName = $state('');
 	let userPassword = $state('');
 	let userList: { userId: string; userName: string }[] = $state([]);
 	let addUserError = $state(false);
 	let addUserSuccess = $state(false);
 	const currentUser: string = data.user.id;
 	onMount(async () => {
 		try {
 			userList = await getUsers();
 		} catch (error) {
 			console.log(`An error occured while retrieving users: ${error}`);
 		}
 	});
 	async function getUsers() {
 		const URL = API_ROUTES.USERS;
 		try {
 			const response = await fetch(URL);
 			return await response.json();
 		} catch (error) {
 			console.log(`Error fetching users: ${error}`);
 			return null;
 		}
 	}
 	async function addUser() {
 		if (userName == '') {
 			alert('Der Benutzername darf nicht leer sein.');
 			return;
 		}
 		if (userPassword == '') {
 			alert('Das Passwort darf nicht leer sein.');
 			return;
 		}
 		const URL = API_ROUTES.USERS;
 		const userData = { userName: userName, userPassword: userPassword };
 		try {
 			const response = await fetch(URL, {
 				method: 'POST',
 				headers: {
 					'Content-Type': 'application/json'
 				},
 				body: JSON.stringify(userData)
 			});
 			if (response.ok) {
 				const newUser = await response.json();
 				userList = [...userList, newUser];
 				addUserSuccess = true;
 				resetInput();
 			} else {
 				addUserError = true;
 			}
 		} catch (error) {
 			console.log(`Error creating user: ${error}`);
 			addUserError = true;
 		}
 	}
 	function resetInput() {
 		userName = '';
 		userPassword = '';
 		addUserError = false;
 		setInterval(() => {
 			addUserSuccess = false;
 		}, 5000);
 	}
 	async function deleteUser(userId: string) {
 		const URL = API_ROUTES.USER(userId);
 		try {
 			const response = await fetch(URL, {
 				method: 'DELETE',
 				headers: {
 					'Content-Type': 'application/json'
 				}
 			});
 			if (response.status == 204) {
 				userList = await getUsers();
 			} else {
 				alert('Nutzer konnte nicht gelöscht werden');
 			}
 		} catch (error) {
 			console.log(`Error deleting users: ${error}`);
 		}
 	}
 </script>
 <h1 class="flex justify-center text-3xl md:text-4xl font-bold text-gray-800 dark:text-white tracking-tight mb-4">
 	Benutzerverwaltung
 </h1>
 <h1 class="flex justify-center text-lg md:text-xl font-medium text-gray-800 dark:text-white tracking-tight mb-2">
 	Benutzerliste
 </h1>
 <div class="w-1/4 mx-auto">
 	<table class="min-w-full border border-gray-300 rounded overflow-hidden">
 		<thead class="bg-gray-100 dark:bg-gray-700">
 		<tr>
 			<th class="text-left px-4 py-2">Benutzername</th>
 			<th class="text-center px-4 py-2">Entfernen</th>
 		</tr>
 		</thead>
 		<tbody>
 		{#each userList as userItem}
 			<tr class="border-t border-gray-200 dark:border-gray-600">
 				<td class="px-4 py-2 text-gray-800 dark:text-white">{userItem.userName}</td>
 				<td class="px-4 py-2 text-center">
 					<button
 						class="text-red-600 hover:text-red-800 focus:outline-none focus:ring-2 focus:ring-red-500 rounded-full p-1 transition"
 						on:click={() => deleteUser(userItem.userId)}
 						aria-label="Delete user"
 					>
 						{#if (userItem.userName != currentUser)}
 							<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24"
 									 stroke="currentColor">
 								<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
 											d="M6 18L18 6M6 6l12 12" />
 							</svg>
 						{/if}
 					</button>
 				</td>
 			</tr>
 		{/each}
 		</tbody>
 	</table>
 </div>
 <h1 style="margin-top: 50px;"
 		class="flex justify-center text-lg md:text-xl font-medium text-gray-800 dark:text-white tracking-tight mb-2">
 	Neuer Nutzer
 </h1>
 <div class="mx-auto flex justify-center">
 	<form>
 		<div class="form-group">
 			<label for="username">Benutzername</label>
 			<input bind:value={userName} type="text" id="username" placeholder="Namen eingeben" />
 		</div>
 		<div class="form-group">
 			<label for="password">Passwort</label>
 			<input bind:value={userPassword} type="password" id="password" placeholder="Passwort vergeben" />
 		</div>
 	</form>
 </div>
 <div class="mx-auto flex flex-col items-center space-y-4" style="margin-top: 20px;">
 	{#if addUserError}
 		<div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
 				 role="alert">
 			<svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
 					 stroke="currentColor">
 				<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
 							d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z" />
 			</svg>
 			<span class="text-sm font-medium">Der Benutzer konnte nicht hinzugefügt werden.</span>
 		</div>
 	{/if}
 	{#if addUserSuccess}
 		<div class="flex items-center bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700 p-4 rounded shadow-sm"
 				 role="alert">
 			<svg class="h-5 w-5 mr-3 text-yellow-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
 					 stroke="currentColor">
 				<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
 							d="M12 9v2m0 4h.01M12 5a7 7 0 100 14 7 7 0 000-14z" />
 			</svg>
 			<span class="text-sm font-medium">Der Benutzer wurde hinzugefügt.</span>
 		</div>
 	{/if}
 	<Button on:click={addUser}>Benutzer hinzufügen</Button>
 </div>
 <style>
    .form-group {
        display: flex;
        flex-direction: column;
        margin-bottom: 15px;
    }
    label {
        margin-bottom: 5px;
        font-weight: bold;
    }
    input[type="text"],
    input[type="password"] {
        padding: 8px;
        font-size: 16px;
        border: 1px solid #ccc;
        border-radius: 4px;
    }
 </style>
--- a/src/routes/(token-based)/+layout.server.ts
+++ b/src/routes/(token-based)/+layout.server.ts
@@ -1,22 +1,22 @@
-import {
+import { vorgangPINValidation, vorgangExists } from '$lib/server/vorgangService';
 	vorgangPINValidation,
 	vorgangExists
 } from '$lib/server/vorgangService';
 import { redirect } from '@sveltejs/kit';
-import type { PageServerLoad } from './list/[vorgang]/$types';
+import type { LayoutServerLoad } from './$types';
 import { ROUTE_NAMES } from '..';
-export const load: PageServerLoad = async ({ params, url, locals }) => {
+export const load: LayoutServerLoad = async ({ params, cookies, locals }) => {
 	if (locals.user) {
 		return {
 			user: locals.user
 		};
 	}
-	const vorgangToken = params.vorgang;
+	const vorgangToken = params.vorgang ?? '';
-	const vorgangPIN = url.searchParams.get('pin');
+	const COOKIE_NAME = `token-${vorgangToken}`;
 	const vorgangPIN = cookies.get(COOKIE_NAME) ?? '';
 	const isVorgangValid = vorgangExists(vorgangToken);
 	const isVorgangPINValid = vorgangPINValidation(vorgangToken, vorgangPIN);
-	if (!isVorgangValid || !isVorgangPINValid) throw redirect(303, `/anmeldung?vorgang=${vorgangToken}`);
+	if (!isVorgangValid || !isVorgangPINValid)
 		throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));
 };
--- a/src/routes/(token-based)/list/[vorgang]/+page.server.ts
+++ b/src/routes/(token-based)/list/[vorgang]/+page.server.ts
@@ -1,16 +1,23 @@
-import { getVorgangByToken, getCrimesListByToken } from '$lib/server/vorgangService';
+import { getCrimesListByToken, getVorgaenge } from '$lib/server/vorgangService.js';
 import type { PageServerLoad } from './$types';
 export const load: PageServerLoad = async ({ params, url }) => {
 	const vorgangList = getVorgaenge();
 	const vorgangToken = params.vorgang;
 	const vorgangPIN = url.searchParams.get('pin');
 	const crimesList = await getCrimesListByToken(vorgangToken);
-	const vorgang = getVorgangByToken(vorgangToken);
+	const vorgang = vorgangList.find((v) => v.vorgangToken === vorgangToken); //vorgang sollte ein eigener Typ werden, und dann kann man es hier vernünftig typisieren
 	if (!vorgang || !crimesList) {
 		throw new Error(`Fehlgeschlagen, es wurden keine Daten zum token gefunden`);
 	}
 	//Variabeln für NameItemEditor
 	const crimeNames: string[] = crimesList.map((l) => l.name);
 	return {
 		vorgang,
 		vorgangList,
 		crimesList,
-		vorgangPIN,
+		url,
-		vorgang
+		crimeNames
 	};
 	};
 }
--- a/src/routes/(token-based)/list/[vorgang]/+page.svelte
+++ b/src/routes/(token-based)/list/[vorgang]/+page.svelte
@@ -1,9 +1,9 @@
 <script lang="ts">
    import { fade } from 'svelte/transition';
 	import shortenFileSize from '$lib/helper/shortenFileSize';
 	import { page } from '$app/stores';
 	import timeElapsed from '$lib/helper/timeElapsed';
-
+	import { deserialize } from '$app/forms';
 	import ExpandableForm from '$lib/components/ExpandableForm.svelte';
 	import Alert from '$lib/components/Alert.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import Modal from '$lib/components/Modal/Modal.svelte';
@@ -11,271 +11,517 @@
 	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
 	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
 	import Cube from '$lib/icons/Cube.svelte';
-	import Edit from '$lib/icons/Edit.svelte';
+	import { invalidateAll } from '$app/navigation';
-	import Trash from '$lib/icons/Trash.svelte';
+	import NameItemEditor from '$lib/components/NameItemEditor.svelte';
 	import EmptyList from '$lib/components/EmptyList.svelte';
 	import FileRect from '$lib/icons/File-rect.svelte';
 	import Exclamation from '$lib/icons/Exclamation.svelte';
 	import { API_ROUTES, ROUTE_NAMES } from '../../../index.js';
-	/** export let data; */
+	//Seite für die Tatort-Liste
-	/** @type {import('./$types').PageData} */
+	let { data, form } = $props();
 	export let data;
 	interface ListItem {
 		//sollte Typ Vorgang sein, aber der einfachheit ist es noch ListItem, damit die Komponente NameItemEditor für Vorgang und Tatort eingesetzt werden kann
 		name: string;
 		size: number;
 		lastModified: string | number | Date;
 		show_button?: boolean;
 		prefix?: string;
 		// add other properties as needed
 	}
-	const vorgang = data.vorgang;
+	let crimesList = $state<ListItem[]>(data.crimesList);
-	const crimesList: ListItem[] = data.crimesList;
+	let vorgangName: string = data.vorgang.vorgangName;
-	const vorgangPIN: string = data.vorgangPIN;
+	const vorgangPIN: string = data.vorgang.vorgangPIN;
 	let vorgangToken: string = data.vorgang.vorgangToken;
 	let isEmptyList = $derived(crimesList.length === 0);
-	let open = false;
+	// File Upload Variablen
-	$: open;
+	let name = $state('');
-	let inProgress = false;
+	let formErrors: Record<string, any> | null = $state(null);
-	$: inProgress;
+	let etag: string | null = $state(null);
-	let err = false;
+	let files: FileList | null = $state(null);
-	$: err;
+	let fileInput = $state(null);
-	let rename_input;
+	// Model Variablen für Upload
-	$: rename_input;
+	let openUL = $state(false);
 	let inProgressUL = $state(form === null);
-	function uploadSuccessful() {
+	// Variablen für Copy-Funktion
-		open = false;
+    let copied = $state(false);
 	}
-	function defocus_element(i: number) {
+	async function buttonClick(event: MouseEvent) {
-		let item = crimesList[i];
+		if (!(await validateForm())) {
-		let text_field_id = `label__${item.name}`;
+			event.preventDefault();
 		let text_field = document.getElementById(text_field_id);
 		if (text_field) {
 			text_field.setAttribute('contenteditable', 'false');
 			text_field.textContent = item.name;
 		}
 		// reshow button
 		crimesList[i].show_button = true;
 			return;
 		}
 		const url = await getUrl();
 		openUL = true;
 		inProgressUL = true;
-	async function handle_input(ev: KeyboardEvent, i: number) {
+		fetch(url, { method: 'PUT', body: files[0] })
-		let item = crimesList[i];
+			.then((response) => {
-		if (ev.key == 'Escape') {
+				inProgressUL = false;
-			let text_field_id = `label__${item.name}`;
+				etag = '123';
-
+			})
-			let text_field = document.getElementById(text_field_id);
+			.catch((err) => {
-			if (text_field) {
+				inProgressUL = false;
-				text_field.setAttribute('contenteditable', 'false');
+				etag = null;
-				text_field.textContent = item.name;
+				console.log('ERROR', err);
 			});
 	}
-			// reshow button
+	async function validateForm() {
-			item.show_button = true;
+		let data = new FormData();
-			return;
+		data.append('vorgang', vorgangName);
-		}
+		data.append('name', name);
-		if (ev.key == 'Enter') {
+		const response = await fetch(ROUTE_NAMES.UPLOAD_VALIDATE, { method: 'POST', body: data });
-			let name_field = ev.currentTarget as HTMLElement | null;
+		const result = deserialize(await response.text());
 			let new_name = name_field
 				? name_field.textContent || (name_field as any).innerText || ''
 				: '';
-			if (new_name == '') {
+		let success = true;
-				alert('Bitte einen gültigen Namen eingeben.');
+		if (result.type === 'success') {
-				ev.preventDefault();
+			formErrors = null;
-				return;
+		} else {
 			if (result.type === 'failure' && result.data) formErrors = result.data;
 			success = false;
 		}
-			// actual upload
+		if (!files?.length) {
-			// -------------
+			formErrors = { file: 'Sie haben keine Datei ausgewählt.', ...formErrors };
 			success = false;
 		}
-			// to prevent from item being selected
+		if (!(await check_valid_glb_file())) {
-			ev.preventDefault();
+			formErrors = { file: 'Keine gültige .GLD-Datei', ...formErrors };
 			success = false;
 		}
 		return success;
 	}
-			// construct PUT URL
+	async function uploadSuccessful() {
-			const url = $page.url;
+		openUL = false;
 		name = '';
 		files = null;
 		fileInput.value = "";
 		await invalidateAll();
 		crimesList = data.crimesList;
 	}
-			let data_obj: { new_name: string; old_name: string } = { new_name: '', old_name: '' };
+	// `val` is hex string
-			data_obj['new_name'] = new_name;
+	function swap_endian(val) {
-			data_obj['old_name'] =
+		// from https://www.geeksforgeeks.org/bit-manipulation-swap-endianness-of-a-number/
 				ev.currentTarget && (ev.currentTarget as HTMLElement).id
 					? (ev.currentTarget as HTMLElement).id.split('__')[1]
 					: '';
 		let leftmost_byte = (val & eval(0x000000ff)) >> 0;
 		let left_middle_byte = (val & eval(0x0000ff00)) >> 8;
 		let right_middle_byte = (val & eval(0x00ff0000)) >> 16;
 		let rightmost_byte = (val & eval(0xff000000)) >> 24;
 		leftmost_byte <<= 24;
 		left_middle_byte <<= 16;
 		right_middle_byte <<= 8;
 		rightmost_byte <<= 0;
 		let res = leftmost_byte | left_middle_byte | right_middle_byte | rightmost_byte;
 		return res;
 	}
 	async function check_valid_glb_file() {
 		// GLD Header, magic value 0x46546C67, identifies data as binary glTF, 4 bytes
 		// little endian!
 		const GLD_MAGIC = 0x46546c67;
 		// big endian!
 		let file = files[0];
 		const fileHeader = file.slice(0, 4);
 		const buffer = await fileHeader.arrayBuffer();
 		console.log(fileHeader);
 		let headerBytes = new Uint8Array(buffer);
 		let fileHeaderHex = '0x' + headerBytes.toHex().toString();
 		if (GLD_MAGIC == swap_endian(fileHeaderHex)) {
 			return true;
 		} else {
 			return false;
 		}
 	}
 	async function getUrl() {
 		let data = new FormData();
 		data.append('vorgang', vorgangName);
 		data.append('name', name);
 		if (files?.length === 1) {
 			data.append('type', files[0].type);
 			data.append('fileName', files[0].name);
 		}
 		const response = await fetch(ROUTE_NAMES.UPLOAD_URL, { method: 'POST', body: data });
 		const result = deserialize(await response.text());
 		if (result.type === 'success') return result.data?.url;
 		return null;
 	}
 	//Variablen für Modal
 	let open = $state(false);
 	let inProgress = $state(false);
 	let isError = $state(false);
 	let admin = data?.user?.admin;
 	async function handleSave(newName: string, oldName: string) {
 		open = true;
 		inProgress = true;
 		isError = false;
 		try {
 			const res = await fetch(API_ROUTES.CRIME(vorgangToken, oldName), {
 				method: 'PUT',
 				headers: {
 					'Content-Type': 'application/json'
 				},
 				body: JSON.stringify({ vorgangToken, oldName, newName })
 			});
-			const response = await fetch(url, { method: 'PUT', body: JSON.stringify(data_obj) });
+			if (!res.ok) {
-
+				throw new Error('Fehler beim Speichern');
 			}
 			await invalidateAll();
 			crimesList = data.crimesList;
 			open = false;
 		} catch (err) {
 			console.error('⚠️ Netzwerkfehler beim Speichern', err);
 			isError = true;
 		} finally {
 			inProgress = false;
 			if (!response.ok) {
 				err = true;
 				if (response.status == 400) {
 					let json_res = await response.json();
 					return;
 		}
-				throw new Error(`Fehlgeschlagen: ${response.status}`);
+	}
-			} else {
+
-				uploadSuccessful();
+	async function savePIN(newVorgangPIN: string, oldVorgangPIN: string) {
 		open = true;
 		inProgress = true;
 		isError = false;
 		try {
 			const res = await fetch(API_ROUTES.VORGANG(vorgangToken), {
 				method: 'PUT',
 				headers: {
 					'Content-Type': 'application/json'
 				},
 				body: JSON.stringify({ vorgangToken, oldVorgangPIN, newVorgangPIN,
 										changePIN: true})
 			});
 			if (!res.ok) {
 				throw new Error('Fehler beim Speichern');
 			}
 			await invalidateAll();
 			crimesList = data.crimesList;
 			open = false;
 		} catch (err) {
 			console.error('⚠️ Netzwerkfehler beim Speichern', err);
 			isError = true;
 		} finally {
 			inProgress = false;
 		}
 	}
 	async function handleDelete(tatort: string) {
 		open = true;
 		inProgress = true;
 		isError = false;
 		let path = API_ROUTES.CRIME(vorgangToken, tatort)
 		try {
 			const res = await fetch(path, {
 				method: 'DELETE',
 				headers: {
 					'Content-Type': 'application/json'
 				},
 				body: JSON.stringify({ vorgangToken, tatort })
 			});
 			if (!res.ok) {
 				throw new Error('Fehler beim Löschen');
 			}
 			crimesList = crimesList.filter((i) => i.name !== tatort);
 			await invalidateAll();
 			console.log('🗑️ Erfolgreich gelöscht:', path);
 			open = false;
 		} catch (err) {
 			console.error('⚠️ Netzwerkfehler beim Speichern', err);
 			isError = true;
 		} finally {
 			inProgress = false;
 		}
 	}
 	async function copyAndOpenMail() {
 		const subject = 'Link zum Tatvorgang';
 		const link = data.url.origin + data.url.pathname;
 		const body = `Hallo,
 hier ist der Link zum Tatvorgang:
 ${link}
 Der Zugangs-PIN wird zur Sicherheit über einen zweiten Kommunikationskanal übermittelt.
 Mit freundlichen Grüßen,
 `;
    try {
        await navigator.clipboard.writeText(body);
        copied = true;
        // Kurz warten, dann Mail öffnen
        setTimeout(() => {
-					window.location.reload();
+            const mailtoLink = `mailto:?subject=${encodeURIComponent(subject)}`;
-				}, 500);
+            window.location.href = mailtoLink;
-			}
+        }, 1000);
-			// --- upload finished ---
+        setTimeout(() => copied = false, 2000);
-
+    } catch (err) {
-			return;
+        console.error('Clipboard-Fehler:', err);
        error = 'Konnte Text nicht kopieren. Bitte manuell markieren und kopieren.';
        }
    }
-	async function setClipboard(text) {
+	function closeModal() {
-		const type = "text/plain";
+		open = false;
-		const clipboardItemData = {
+		isError = false;
-			[type]: text,
+	}
 	// drag and drop functionality
 		let isDragging = $state(false);
 		async function handleDrop(event) {
 			event.preventDefault();
 			isDragging = false;
 			if (event.dataTransfer?.files?.length) {
 				files = event.dataTransfer.files;
 			}
 			if (!(await check_valid_glb_file())) {
 				formErrors = { file: 'Keine gültige .GLD-Datei' }
 				// reset form fields etc.
 				files = null;
 				fileInput.value = '';
 			} else {
 				formErrors = { ...formErrors, file: ''}
 			};
 		const clipboardItem = new ClipboardItem(clipboardItemData);
 		await navigator.clipboard.write([clipboardItem]);
 		}
 </script>
 <svelte:window
 	on:dragover|preventDefault
 	on:drop|preventDefault
 />
 {#if data.vorgang && crimesList}
 	<div class="-z-10 bg-white">
 		<div class="flex flex-col items-center justify-center w-full">
-		<h1 class="text-xl">Vorgang {vorgang.name}</h1>
+			<h1 class="text-xl">{vorgangName}</h1>
-		{#if data?.user?.admin}
+
-		Zugangs-PIN: {vorgang.pin}
+			{#if admin}
-		<Button on:click={() => setClipboard($page.url.toString().split('?')[0])}>Copy Link</Button>
+				<div class="flex items-center gap-2">
 				Zugangs-PIN:
 				<NameItemEditor
 				list={[]}
 				currentName={vorgangPIN}
 				onSave={savePIN}
 				onDelete={null}
 				/>
 				</div>
                <Button variant="secondary" on:click={copyAndOpenMail} disabled={isEmptyList}>Link kopieren und Mail verfassen</Button>
                {#if copied}
                <p transition:fade>✔ Kopiert! Per Ctrl+V einfügen.</p>
                {/if}
 			{/if}
 		</div>
 		<div class="mx-auto flex justify-center max-w-7xl h-full">
 			<ul class="divide-y divide-gray-100">
-			{#each crimesList as item, i}
+				{#if isEmptyList}
-				<li>
+					<EmptyList></EmptyList>
 					<a
 						href="/view/{$page.params.vorgang}/{item.name}?pin={vorgangPIN}"
 						class=" flex justify-between gap-x-6 py-5"
 						aria-label="zum 3D-modell"
 					>
 						<div class=" flex gap-x-4">
 							<Cube />
 							<div class="min-w-0 flex-auto">
 								{#if data?.user?.admin}
 									<span
 										id="label__{item.name}"
 										class="text-sm font-semibold leading-6 text-gray-900 inline-block min-w-1"
 										contenteditable={!item.show_button}
 										role="textbox"
 										tabindex="0"
 										aria-label="Dateiname bearbeiten"
 										on:focusout={() => {
 											defocus_element(i);
 										}}
 										on:keydown|stopPropagation={// event needed to identify ID
 										// TO-DO: check if event is needed or if index is sufficient
 										async (ev) => {
 											handle_input(ev, i);
 										}}>{item.name}</span
 									>
 									{#if item.show_button}
 										<button
 											style="padding: 2px"
 											id="edit__{item.name}"
 											aria-label="Datei umbenennen"
 											on:click|preventDefault={(ev) => {
 												let text_field_id = `label__${item.name}`;
 												let text_field = document.getElementById(text_field_id);
 												if (text_field) {
 													text_field.setAttribute('contenteditable', 'true');
 													text_field.focus();
 													text_field.textContent = '';
 												}
 												// hide button
 												item.show_button = false;
 											}}
 										>
 											<Edit />
 										</button>
 									{/if}
 									<button
 										style="padding: 2px"
 										id="del__{item.name}"
 										on:click|preventDefault={async (ev) => {
 											let delete_item = window.confirm('Bist du sicher?');
 											if (delete_item) {
 												// bucket: tatort, name: <vorgang>/item-name
 												let vorgang = $page.params.vorgang;
 												let filename = '';
 												if (ev && ev.currentTarget && (ev.currentTarget as HTMLElement).id) {
 													filename = (ev.currentTarget as HTMLElement).id.split('del__')[1];
 												}
 												// delete request
 												// --------------
 												let url = new URL($page.url);
 												url.pathname += `/${filename}`;
 												try {
 													const response = await fetch(`/api${url.pathname}`, { method: 'DELETE' });
 													if (response.status == 204) {
 														setTimeout(() => {
 															window.location.reload();
 														}, 500);
 													}
 												} catch (error) {
 													if (error instanceof Error) {
 														console.log(error.message);
 													} else {
 														console.log(error);
 													}
 												}
 											}
 										}}
 										aria-label="Datei löschen"
 									>
 										<Trash />
 									</button>
 				{:else}
-									<span class="text-sm font-semibold leading-6 text-gray-900 inline-block min-w-1"
+					{#each crimesList as item (item.name)}
-										>{item.name}</span
+					<li
 					data-testid="test-list-item"
 					class="flex items-center justify-between gap-6 py-4 px-2 hover:bg-gray-50 rounded-lg transition"
 					>
-								{/if}
+					<div class="flex items-center gap-4 flex-1">
-								<p class="mt-1 truncate text-xs leading-5 text-gray-500">
+						<a
-									{shortenFileSize(item.size)}
+						data-testid="crime-link"
-								</p>
+						href="{ROUTE_NAMES.CRIME(vorgangToken, item.name, vorgangPIN)}"
-							</div>
+						class="flex items-center justify-center w-8 h-8 text-gray-600 hover:text-blue-600 transition"
-						</div>
+						aria-label="{ROUTE_NAMES.CRIME(vorgangToken, item.name, vorgangPIN)}"
-						<div class="hidden sm:flex sm:flex-col sm:items-end">
+						title={item.name}
 							<p class="text-sm leading-6 text-gray-900">3D Tatort</p>
 							<p class="mt-1 text-xs leading-5 text-gray-500">
 								Zuletzt geändert <time datetime="2023-01-23T13:23Z"
 									>{timeElapsed(new Date(item.lastModified))}</time
 						>
-							</p>
+						<Cube class="w-5 h-5" />
 						</div>
 						</a>
 						<div class="flex flex-col flex-1 min-w-0">
 						{#if admin}
 							<NameItemEditor
 							list={crimesList}
 							currentName={item.name}
 							onSave={handleSave}
 							onDelete={handleDelete}
 							/>
 						{:else}
 							<p
 							data-testid="test-nameItem-p"
 							class="text-sm font-semibold leading-6 text-gray-900 truncate"
 							>
 							{item.name}
 							</p>
 						{/if}
 						<!-- size left, last modified right -->
 						<div class="flex items-center justify-between mt-1 text-xs leading-5 text-gray-500">
 							{#if item.size}
 							<span>{shortenFileSize(item.size)}</span>
 							{:else}
 							<span></span>
 							{/if}
 							{#if item.lastModified}
 							<span>
 								Zuletzt geändert
 								<time datetime={item.lastModified}>
 								{timeElapsed(new Date(item.lastModified))}
 								</time>
 							</span>
 							{/if}
 						</div>
 						</div>
 					</div>
 					</li>
 					{/each}
 				{/if}
 			</ul>
 		</div>
 		{#if admin}
 		<div class="flex justify-center my-4">
 		<ExpandableForm>
 			<div class="mx-auto max-w-2xl">
 				<div class="flex flex-col items-center space-y-6">
 					<!-- Name Input -->
 					<div class="w-full max-w-md">
 						<label for="name" class="block text-sm font-medium leading-6 text-gray-900">
 							<span class="flex">
 								{#if formErrors?.name}
 									<span class="inline-block mr-1"><Exclamation /></span>
 								{/if} Modellname
 							</span>
 						</label>
 						<div class="mt-2">
 							<div
 								class="flex rounded-md shadow-sm ring-1 ring-inset ring-gray-300 focus-within:ring-2 focus-within:ring-inset focus-within:ring-indigo-600"
 							>
 								<input
 									bind:value={name}
 									type="text"
 									name="name"
 									id="name"
 									autocomplete={name}
 									class="block flex-1 border-0 bg-transparent py-1.5 pl-1 text-gray-900 placeholder:text-gray-400 focus:ring-0 sm:text-sm sm:leading-6"
 								/>
 							</div>
 						</div>
 						{#if formErrors?.name}
 							<p class="block text-sm leading-6 text-red-900 mt-2">{formErrors.name}</p>
 						{/if}
 					</div>
 					<!-- File Upload -->
 					<div class="w-full max-w-md">
 						<label for="file" class="block text-sm font-medium leading-6 text-gray-900">
 							<span class="flex">
 								{#if formErrors?.file}
 									<span class="inline-block mr-1"><Exclamation /></span>
 								{/if} Datei
 							</span>
 						</label>
 						<div
 							class="mt-2 flex justify-center rounded-lg border border-dashed px-6 py-10
 								{isDragging
 								? 'border-blue-500 bg-blue-50'
 								: 'border-gray-900/25'}"
 							on:dragover|preventDefault={() => (isDragging = true)}
 							on:dragleave={() => (isDragging = false)}
 							on:drop={handleDrop}
 						>
 							<div class="text-center">
 								<FileRect />
 								<div class="mt-4 flex text-sm leading-6 text-gray-600">
 									<label
 										for="file"
 										class="relative cursor-pointer rounded-md bg-white font-semibold text-indigo-600 focus-within:outline-none focus-within:ring-2 focus-within:ring-indigo-600 focus-within:ring-offset-2 hover:text-indigo-500"
 									>
 										<span>Wähle eine Datei aus</span>
 										<input id="file" bind:this={fileInput} bind:files name="file" type="file" class="sr-only" />
 									</label>
 									<p class="pl-1">oder ziehe sie ins Feld</p>
 								</div>
 								<p class="text-xs leading-5 text-gray-600">GLB Dateien bis zu 1GB</p>
 								{#if files?.length}
 									<div class="flex justify-center text-xs mt-2">
 										<p class="mx-2">Datei: <span class="font-bold">{files[0].name}</span></p>
 										<p class="mx-2">
 											Größe: <span class="font-bold">{shortenFileSize(files[0].size)}</span>
 										</p>
 									</div>
 								{/if}
 							</div>
 						</div>
 						{#if formErrors?.file}
 							<p class="block text-sm leading-6 text-red-900 mt-2">{formErrors.file}</p>
 						{/if}
 					</div>
 					<div class="mt-6 flex items-center justify-end gap-x-6">
 						<Button
 							on:click={buttonClick}
 							class="rounded-md bg-indigo-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600"
 						>
 							Hinzufügen
 						</Button>
 					</div>
 				</div>
 				</div>
 			</ExpandableForm>
 			</div>
 		{/if}
 		<Modal {open}
 			><ModalTitle>Umbenennen</ModalTitle><ModalContent>
 				{#if inProgress}
 					<p class="py-2 mb-1">Vorgang läuft...</p>
-			{/if}
+				{:else if isError}
 			{#if err}
 					<Alert class="w-full" type="error">Fehler beim Umbenennen</Alert>
 				{:else}
 					<Alert class="w-full">Umbenennen erfolgreich</Alert>
 				{/if}
 			</ModalContent>
-		<ModalFooter><Button disabled={inProgress} on:click={uploadSuccessful}>Ok</Button></ModalFooter>
+			<ModalFooter><Button disabled={inProgress} on:click={closeModal}>Ok</Button></ModalFooter>
 		</Modal>
 		<Modal open={openUL}
 			><ModalTitle>Upload</ModalTitle><ModalContent>
 				{#if inProgressUL}
 					<p class="py-2 mb-1">Upload läuft...</p>
 				{:else if etag}
 					<Alert class="w-full">Upload erfolgreich</Alert>
 				{:else}
 					<Alert class="w-full" type="error">Fehler beim Upload</Alert>
 				{/if}
 			</ModalContent>
 			<ModalFooter
 				><Button disabled={inProgressUL} on:click={uploadSuccessful}>Ok</Button></ModalFooter
 			>
 		</Modal>
 	</div>
 {/if}
 <style>
 	ul {
--- a/src/routes/(token-based)/list/[vorgang]/+server.ts
+++ b/src/routes/(token-based)/list/[vorgang]/+server.ts
@@ -1,35 +0,0 @@
 import { client } from '$lib/minio';
 import { json } from '@sveltejs/kit';
 // rename operation
 export async function PUT({ request }: {request: Request}) {
    const data = await request.json();
    // Vorgang
    const vorgang = request.url.split('/').at(-1);
    // prepare copy, incl. check if new name exists already
    const old_name = data["old_name"];
    const src_full_path = `/tatort/${vorgang}/${old_name}`;
    const new_name = `${vorgang}/${data["new_name"]}`;
    try {
        await client.statObject('tatort', new_name);
        return json({ msg: 'Die Datei existiert bereits.' }, { status: 400 });
    } catch (error) {
        // continue operation
        console.log(error, 'continue operation');
    }
    // actual copy operation
    await client.copyObject('tatort', new_name, src_full_path)
    // delete
    await client.removeObject('tatort', `${vorgang}/${old_name}`)
    // return success or failure
    return json({ success: 'success' }, { status: 200 });
 };
--- a/src/routes/(token-based)/view/+page.server.ts
+++ b/src/routes/(token-based)/view/+page.server.ts
@@ -1,11 +0,0 @@
 import { redirect } from '@sveltejs/kit';
 export const actions = {
 	default: async ({request}: {request: Request}) => {
 		const data = await request.formData();
 		const vorgangId = data.get('vorgang-id');
 		const vorgangToken = data.get('vorgang-token');
 		if( vorgangId && vorgangToken) throw redirect(303, `/list/${vorgangId}?token=${vorgangToken}`);
 	} 
 }
--- a/src/routes/(token-based)/view/+page.svelte
+++ b/src/routes/(token-based)/view/+page.svelte
@@ -1,39 +0,0 @@
 <script lang="ts">
 	import BaseInputField from '$lib/components/BaseInputField.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import ArrowRight from '$lib/icons/Arrow-right.svelte';
 	export let form;
 </script>
 <div class="mx-auto max-w-2xl">
 	<div class="flex flex-col items-center justify-center w-full">
 		<h1 class="text-xl">Vorgang ansehen</h1>
 	</div>
 	<p class="mt-8 mb-8 text-sm leading-6 text-gray-600">
 		Anhand der Vorgangsnummer werden Sie zu den Dateien des Vorgangs weitergeleitet und können sich
 		den Vorgang dann ansehen.
 	</p>
 	<form method="POST">
 		<BaseInputField
 			id="vorgang-id"
 			name="vorgang-id"
 			label="Vorgangskennung"
 			type="text"
 			value={form?.vorgangId}
 		/>
 		<div class="mt-5">
 			<BaseInputField
 				id="vorgang-token"
 				name="vorgang-token"
 				label="Zugangstoken"
 				type="text"
 				value={form?.vorgangToken}
 				error={form?.error?.message}
 			/>
 		</div>
 		<div class="flex justify-end pt-4">
 			<Button type="submit"><ArrowRight /></Button>
 		</div>
 	</form>
 </div>
--- a/src/routes/(token-based)/view/[vorgang]/[tatort]/+page.server.ts
+++ b/src/routes/(token-based)/view/[vorgang]/[tatort]/+page.server.ts
@@ -1,8 +1,8 @@
-import { client } from '$lib/minio';
+import { BUCKET, client } from '$lib/minio';
 import type { PageServerLoad } from './$types';
 export const load: PageServerLoad = async ({ params }) => {
 	const { vorgang, tatort } = params;
-	const url = await client.presignedUrl('GET', 'tatort', `${vorgang}/${tatort}`);
+	const url = await client.presignedUrl('GET', BUCKET, `${vorgang}/${tatort}`);
 	return { url };
-}
+};
--- a/src/routes/anmeldung/+page.server.ts
+++ b/src/routes/anmeldung/+page.server.ts
@@ -1,16 +1,35 @@
-import { loginUser, logoutUser } from '$lib/server/authService';
+import { dev } from '$app/environment';
-import { redirect } from '@sveltejs/kit';
+import { error, fail, redirect } from '@sveltejs/kit';
 import { ROUTE_NAMES } from '../index.js';
 import { vorgangPINValidation } from '$lib/server/vorgangService.js';
 export const actions = {
-	login: ({ request, cookies }) => loginUser({ request, cookies }),
+	default: async ({ request, cookies }) => {
 	logout: (event) => logoutUser(event),
 	getVorgangByToken: async ({ request }) => {
 		const data = await request.formData();
 		const vorgangToken = data.get('vorgang-token');
-		const vorgangPIN = data.get('vorgang-pin');
+		const vorgangPIN = data.get('vorgang-pin') as string;
-		if (!vorgangToken || !vorgangPIN) return;
+		if (!vorgangPIN) {
 			return fail(400, { message: 'Bitte einen PIN eingeben.'});
 		}
-		throw redirect(303, `/list/${vorgangToken}?pin=${vorgangPIN}`);
+		if (!vorgangPINValidation(vorgangToken, vorgangPIN)) {
 			return fail(400, { message: 'Falsche Zugangsdaten.'});
 		}
 		const COOKIE_NAME = `token-${vorgangToken}`;
 		cookies.set(COOKIE_NAME, vorgangPIN, {
 			path: '/',
 			httpOnly: true,
 			sameSite: 'strict',
 			secure: !dev
 		});
 		throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken));
 	}
 } as const;
 export const load: PageServerLoad = async ({ url }) => {
 	const vorgang = url.searchParams.get('vorgang');
 	if (!vorgang) error(404, "Not Found");
 };
--- a/src/routes/anmeldung/+page.svelte
+++ b/src/routes/anmeldung/+page.svelte
@@ -1,21 +1,15 @@
 <script lang="ts">
 	import BaseInputField from '$lib/components/BaseInputField.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import Modal from '$lib/components/Modal/Modal.svelte';
 	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
 	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
 	import ModalTitle from '$lib/components/Modal/ModalTitle.svelte';
 	import ArrowRight from '$lib/icons/Arrow-right.svelte';
 	import Login from '$lib/icons/Login.svelte';
 	export let form;
 	export let open = false;
 	import { page } from '$app/state';
 	import { ROUTE_NAMES } from '../index.js';
 	const vorgangToken = page.url.searchParams.get('vorgang');
 </script>
 {#if vorgangToken}
 <div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
 	<div class="sm:mx-auto sm:w-full sm:max-w-sm">
 		<img class="mx-auto h-10 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
@@ -27,14 +21,9 @@
 	<div class="w-full max-w-sm mx-auto">
 		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
 			<div class="mt-10">
-				<form action="?/getVorgangByToken" method="POST">
+
-					<BaseInputField
+					<form method="POST">
-						id="vorgang-token"
+						<input type="hidden" name="vorgang-token" value={vorgangToken} />
 						name="vorgang-token"
 						label="Vorgangskennung"
 						type="text"
 						value={vorgangToken}
 					/>
 						<div class="mt-5">
 							<BaseInputField
 								id="vorgang-pin"
@@ -45,55 +34,17 @@
 								error={form?.error?.message}
 							/>
 						</div>
 						{#if form?.message}
 							<p class="block text-sm leading-6 text-red-900 mt-2">{form.message}</p>
 						{/if}
 						<div class="flex justify-end pt-4">
 							<Button type="submit"><ArrowRight /></Button>
 						</div>
 					</form>
 			</div>
 		</div>
 		<div class="flex justify-end mt-10 px-3">
 			<Button on:click={() => (open = true)}><Login /></Button>
 		</div>
 	</div>
 </div>
 <Modal {open}>
 	<ModalTitle>Anmelden</ModalTitle>
 	<ModalContent class="flex justify-center">
 		<form action="?/login" method="POST">
 			<div>
 				<label for="user" class="text-sm font-medium leading-6 text-gray-900">Kennung</label>
 				<div class="mt-2">
 					<input
 						id="user"
 						name="user"
 						type="text"
 						autocomplete="email"
 						required
 						class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
 					/>
 				</div>
 			</div>
 			<div>
 				<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
 					>Passwort</label
 				>
 				<div class="mt-2">
 					<input
 						id="password"
 						name="password"
 						type="password"
 						autocomplete="current-password"
 						required
 						class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
 					/>
 			</div>
 		</div>
 			<div class="flex justify-end">
 				<Button type="submit" class="mt-5">Anmelden</Button>
 	</div>
-		</form>
+</div>
-	</ModalContent>
+{/if}
 	<ModalFooter><Button on:click={() => (open = false)}>Ok</Button></ModalFooter>
 </Modal>
--- a/src/routes/api/list/+server.ts
+++ b/src/routes/api/list/+server.ts
@@ -0,0 +1,9 @@
 import { getVorgaenge } from '$lib/server/vorgangService';
 export async function GET() {
 	const vorgaenge = getVorgaenge();
 	return new Response(JSON.stringify(vorgaenge), {
 		status: 200
 	});
 }
--- a/src/routes/api/list/[vorgang]/+server.ts
+++ b/src/routes/api/list/[vorgang]/+server.ts
@@ -1,12 +1,18 @@
-import { client } from '$lib/minio';
+import { BUCKET, client } from '$lib/minio';
-import { deleteVorgangByToken, vorgangNameExists } from '$lib/server/vorgangService';
+import { json } from '@sveltejs/kit';
 import {
 	deleteVorgangByToken,
 	getCrimesListByToken,
 	vorgangNameExists,
 	updateVorgangAttrByToken
 } from '$lib/server/vorgangService';
 export async function DELETE({ params }) {
 	const vorgangToken = params.vorgang;
 	const object_list = await new Promise((resolve, reject) => {
 		const res = [];
-		const items_str = client.listObjects('tatort', vorgangToken, true);
+		const items_str = client.listObjects(BUCKET, vorgangToken, true);
 		items_str.on('data', (obj) => {
 			res.push(obj.name);
@@ -19,7 +25,7 @@ export async function DELETE({ params }) {
 		});
 	});
-	await client.removeObjects('tatort', object_list);
+	await client.removeObjects(BUCKET, object_list);
 	deleteVorgangByToken(vorgangToken);
 	return new Response(null, { status: 204 });
@@ -38,3 +44,45 @@ export async function HEAD({ params }) {
 		return new Response(null, { status: 500 });
 	}
 }
 export async function GET({ params }) {
 	try {
 		const vorgangToken = params.vorgang;
 		const crimesList = await getCrimesListByToken(vorgangToken);
 		return new Response(JSON.stringify(crimesList), {
 			status: 200
 		});
 	} catch (err) {
 		console.error('Fehler im GET-Handler:', err);
 		return new Response(null, { status: 500 });
 	}
 }
 // change Vorgang properties
 export async function PUT({ request }) {
 	const data = await request.json();
 	const vorgangToken = data['vorgangToken'];
 	const changePIN = data['changePIN'];
 	let attrChanged;
 	let newValue;
 	if (changePIN) {
 		attrChanged = 'pin';
 		newValue = data['newVorgangPIN']
 	} else {
 		attrChanged = 'name';
 		newValue = data['newName']
 	}
 	const res = updateVorgangAttrByToken(vorgangToken, newValue, attrChanged);
 	if (!res) {
 		return json({ msg: 'Fehler beim Umbenennen' }, { status: 400 });
 	}
 	return json({ success: 'success' }, { status: 200 });
 }
--- a/src/routes/api/list/[vorgang]/[tatort]/+server.ts
+++ b/src/routes/api/list/[vorgang]/[tatort]/+server.ts
@@ -1,4 +1,5 @@
 import { BUCKET, client } from '$lib/minio';
 import { json } from '@sveltejs/kit';
 export async function GET() {
 	const stream = client.listObjectsV2(BUCKET, '', true);
@@ -23,8 +24,7 @@ export async function GET() {
 	});
 }
-
+export async function DELETE({ request }) {
 export async function DELETE({ request }: { request: Request }) {
 	const url_fragments = request.url.split('/');
 	const item = url_fragments.at(-1);
 	const vorgang = url_fragments.at(-2);
@@ -33,3 +33,31 @@ export async function DELETE({ request }: { request: Request }) {
 	return new Response(null, { status: 204 });
 }
 // rename operation for crimes
 export async function PUT({ params, request }) {
 	const data = await request.json();
 	const vorgangToken = params.vorgang;
 	// prepare copy, incl. check if new name exists already
 	const crimeOldName = data['oldName'];
 	const crimeS3FullBucketPathOld = `/${BUCKET}/${vorgangToken}/${crimeOldName}`;
 	const crimeNewName = `${vorgangToken}/${data['newName']}`;
 	if (!crimeOldName || !crimeNewName) {
 		return json({ msg: 'Der Name darf nicht leer sein.' }, { status: 400 });
 	}
 	try {
 		await client.statObject(BUCKET, crimeNewName);
 		return json({ msg: 'Die Datei existiert bereits.' }, { status: 400 });
 	} catch (error) {
 		console.log(error, 'continue operation');
 	}
 	await client.copyObject(BUCKET, crimeNewName, crimeS3FullBucketPathOld);
 	await client.removeObject(BUCKET, `${vorgangToken}/${crimeOldName}`);
 	return json({ success: 'success' }, { status: 200 });
 }
--- a/src/routes/api/user/+server.ts
+++ b/src/routes/api/user/+server.ts
@@ -0,0 +1,10 @@
 //Rollenabfrage ob Benutzer admin ist
 import { json } from "@sveltejs/kit";
 export async function GET({locals}) {
    const isAdmin = locals.user?.admin === true;
    const data = {admin: isAdmin}
    return json(data)
 }
--- a/src/routes/api/users/+server.ts
+++ b/src/routes/api/users/+server.ts
@@ -0,0 +1,31 @@
 import { json } from '@sveltejs/kit';
 import { addUser, getUsers } from '$lib/server/userService';
 import bcrypt from 'bcrypt';
 const saltRounds = 12;
 export function GET() {
 	const userList = getUsers();
 	return new Response(JSON.stringify(userList));
 }
 export async function POST({ request }) {
 	const data = await request.json();
 	const userName = data.userName;
 	const userPassword = data.userPassword;
 	if (!userName || !userPassword) {
 		return json({ error: 'Missing input' }, { status: 400 });
 	}
 	const hashedPassword = bcrypt.hashSync(userPassword, saltRounds);
 	const rowInfo = addUser(userName, hashedPassword);
 	if (rowInfo?.changes == 1) {
 		return json({ userId: rowInfo.lastInsertRowid, userName: userName }, { status: 201 });
 	} else {
 		return new Response(null, { status: 400 });
 	}
 }
--- a/src/routes/api/users/[user]/+server.ts
+++ b/src/routes/api/users/[user]/+server.ts
@@ -0,0 +1,8 @@
 import { deleteUser } from '$lib/server/userService';
 export async function DELETE({ params }) {
 	const userId = params.user;
 	const rowCount = deleteUser(userId);
 	return new Response(null, { status: rowCount == 1 ? 204 : 400 });
 }
--- a/src/routes/api/vorgang/[vorgang]/+server.ts
+++ b/src/routes/api/vorgang/[vorgang]/+server.ts
--- a/src/routes/api/vorgang/[vorgang]/vorgangPIN/+server.ts
+++ b/src/routes/api/vorgang/[vorgang]/vorgangPIN/+server.ts
@@ -4,7 +4,9 @@ import { db } from '$lib/server/dbService';
 export async function GET({ params }) {
 	const vorgangName = params.vorgang;
-	const getPINSQLStatement = `SELECT pin FROM cases WHERE name = ?;`;
+	const getPINSQLStatement = `SELECT pin
 															FROM cases
 															WHERE name = ?;`;
 	const row = db.prepare(getPINSQLStatement).get(vorgangName);
 	const vorgangPIN = row?.pin;
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@@ -0,0 +1,41 @@
 export const ROUTE_NAMES = {
 	ROOT: '/',
 	// (angemeldet)
 	LIST: '/list',
 	UPLOAD: '/upload',
 	// UPLOAD actions
 	UPLOAD_URL: '/upload?/url',
 	UPLOAD_VALIDATE: '/upload?/validate',
 	USERMGMT: '/user-management',
 	// (token-based)
 	VORGANG: (vorgangToken: string) => `/list/${vorgangToken}`,
 	CRIME: (vorgangToken: string, tatort: string) => `/view/${vorgangToken}/${tatort}`,
 	// Anmeldung: actions
 	ANMELDUNG: '/anmeldung',
 	LOGIN: '/?/login',
 	LOGOUT: '/?/logout',
 	ANMELDUNG_GET_VORGANG_BY_TOKEN: '/anmeldung?/getVorgangByToken',
 	ANMELDUNG_VORGANG_PARAM: (vorgangToken: string) => `/anmeldung?vorgang=${vorgangToken}`
 };
 export const API_ROUTES = {
 	LIST: '/api/list',
 	VORGANG: (vorgangToken: string) => `/api/list/${vorgangToken}`,
 	// via `HEAD` method
 	VORGANG_NAME_EXIST: (vorgangName: string) => `/api/list/${vorgangName}`,
 	VORGANG_PIN: (vorgangName: string) => `/api/vorgang/${vorgangName}/vorgangPIN`,
 	// Tatort
 	CRIME: (vorgangToken: string, crimeName: string) => `/api/list/${vorgangToken}/${crimeName}`,
 	// Users
 	USERS: '/api/users',
 	USER: (userId: string) => `/api/users/${userId}`
 };
 const isProd = process.env.NODE_ENV == 'production';
 export const DB_FULLPATH = !isProd ? './src/lib/data/tatort.db' : '/daten/tatort.db';
--- a/tailwind.config.cjs
+++ b/tailwind.config.cjs
--- a/tests/api/API_Protection.test.ts
+++ b/tests/api/API_Protection.test.ts
@@ -0,0 +1,37 @@
 import { describe, test, expect, vi } from 'vitest';
 import { handle } from '../../src/hooks.server';
 const event = {
    url: new URL("http://localhost/api/list"),
    cookies: { get: vi.fn(() => null) },
    locals: {user: null}
 };
 vi.mock('$lib/auth', () => ({
    decryptToken: vi.fn()
 }));
 describe('API-Endpoints: Zugangs-Mechanismus', () => {
    test('Unautorisierter Zugriff', async () => {
        const resolve = vi.fn();
        const response = await handle({ event, resolve });
        expect(response.status).toBe(401);
        const body = await response.json();
        expect(body.error).toBe('Unauthorized');
        expect(resolve).not.toHaveBeenCalled();
    });
    test('Authentifizierter Zugriff', async () => {
        event.locals = {user: { id: 'admin', admin: true }}
        const resolve = vi.fn(() => new Response('ok', { status: 200 }));
        const response = await handle({ event, resolve });
        expect(response.status).toBe(200);
        expect(await response.text()).toBe('ok');
        expect(resolve).toHaveBeenCalled();
    });
 })
--- a/tests/api/List.test.ts
+++ b/tests/api/List.test.ts
@@ -0,0 +1,49 @@
 import { describe, test, expect, vi } from 'vitest';
 import { GET } from '$root/routes/api/list/+server';
 import { getVorgaenge } from '$lib/server/vorgangService';
 // Mocks
 vi.mock('$lib/server/vorgangService', () => ({
 	getVorgaenge: vi.fn()
 }));
 const event = {
 	locals: {
 		user: { id: 'admin', admin: true }
 	}
 };
 describe('API-Endpoints: list', () => {
 	test('Leere Liste wenn keine Vorgänge existieren', async () => {
 		vi.mocked(getVorgaenge).mockReturnValueOnce([]);
 		const response = await GET(event);
 		expect(response.status).toBe(200);
 		const json = await response.json();
 		expect(json).toEqual([]);
 	});
 	test('Liste mit existierenden Vorgängen', async () => {
 		const testVorgaenge = [
 			{
 				vorgangToken: '19f1d34e-4f31-48e8-830f-c4e42c29085e',
 				vorgangName: 'xyz-123',
 				vorgangPIN: 'pin-123'
 			},
 			{
 				vorgangToken: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
 				vorgangName: 'vorgang-2',
 				vorgangPIN: 'pin-2'
 			}
 		];
 		vi.mocked(getVorgaenge).mockReturnValueOnce(testVorgaenge);
 		const response = await GET(event);
 		expect(response.status).toBe(200);
 		const json = await response.json();
 		expect(json).toEqual(testVorgaenge);
 	});
 });
--- a/tests/api/ListVorgang.test.ts
+++ b/tests/api/ListVorgang.test.ts
@@ -0,0 +1,122 @@
 import { describe, test, expect, vi } from 'vitest';
 import { DELETE, GET, HEAD } from '$root/routes/api/list/[vorgang]/+server';
 import {
 	getCrimesListByToken,
 	vorgangNameExists,
 	deleteVorgangByToken
 } from '$lib/server/vorgangService';
 import { BUCKET, client } from '$lib/minio';
 import { EventEmitter } from 'events';
 // Mocks
 vi.mock('$lib/server/vorgangService', () => ({
 	getCrimesListByToken: vi.fn(),
 	vorgangNameExists: vi.fn(),
 	deleteVorgangByToken: vi.fn()
 }));
 vi.mock('$lib/minio', () => ({
 	client: {
 		listObjects: vi.fn(),
 		removeObjects: vi.fn()
 	},
 	BUCKET: 'tatort-test'
 }));
 const MockEvent = {
 	params: { vorgang: '123' },
 	locals: {
 		user: { id: 'admin', admin: true }
 	}
 };
 describe('API-Endpoints: list/[vorgang]', () => {
 	test('Vorgang ohne Tatorte', async () => {
 		const testCrimesList = [];
 		vi.mocked(getCrimesListByToken).mockReturnValueOnce(testCrimesList);
 		const response = await GET(MockEvent);
 		expect(response.status).toBe(200);
 		const json = await response.json();
 		expect(json).toEqual(testCrimesList);
 	});
 	test('Vorgang mit Tatorte', async () => {
 		const testCrimesList = [
 			{
 				name: 'model-A',
 				lastModified: '2025-08-28T09:44:12.453Z',
 				etag: '558f35716f6af953f9bb5d75f6d77e6a',
 				size: 8947140,
 				prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
 				show_button: true
 			},
 			{
 				name: 'model-z',
 				lastModified: '2025-08-28T10:37:20.142Z',
 				etag: '43e3989c32c4682bee407baaf83b6fa0',
 				size: 35788560,
 				prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
 				show_button: true
 			}
 		];
 		vi.mocked(getCrimesListByToken).mockReturnValueOnce(testCrimesList);
 		const response = await GET(MockEvent);
 		expect(response.status).toBe(200);
 		const json = await response.json();
 		expect(json).toEqual(testCrimesList);
 	});
 	test('Vorgang existiert via HEAD', async () => {
 		const vorgangExists = true;
 		vi.mocked(vorgangNameExists).mockReturnValueOnce(vorgangExists);
 		const response = await HEAD(MockEvent);
 		expect(response.status).toBe(200);
 		const textContent = await response.text();
 		expect(textContent).toEqual('');
 	});
 	test('Vorgang existiert nicht via HEAD', async () => {
 		const vorgangExists = false;
 		vi.mocked(vorgangNameExists).mockReturnValueOnce(vorgangExists);
 		const response = await HEAD(MockEvent);
 		expect(response.status).toBe(404);
 		const textContent = await response.text();
 		expect(textContent).toEqual('');
 	});
 	test('Lösche Vorgang und dazugehörige S3 Objekte', async () => {
 		// Mock data
 		const fakeStream = new EventEmitter();
 		vi.mocked(client.listObjects).mockReturnValue(fakeStream);
 		vi.mocked(client.removeObjects).mockResolvedValue(undefined);
 		vi.mocked(deleteVorgangByToken).mockReturnValueOnce(undefined);
 		const responsePromise = DELETE(MockEvent);
 		const fakeCrimeNames = [
 			`${MockEvent.params.vorgang}/file1.glb`,
 			`${MockEvent.params.vorgang}/file2.glb`
 		];
 		// simulate data stream
 		fakeStream.emit('data', { name: fakeCrimeNames[0] });
 		fakeStream.emit('data', { name: fakeCrimeNames[1] });
 		fakeStream.emit('end');
 		const response = await responsePromise;
 		expect(client.removeObjects).toHaveBeenCalledWith(BUCKET, fakeCrimeNames);
 		expect(deleteVorgangByToken).toHaveBeenCalledWith(MockEvent.params.vorgang);
 		expect(response.status).toBe(204);
 	});
 });
--- a/tests/api/ListVorgangTatort.test.ts
+++ b/tests/api/ListVorgangTatort.test.ts
@@ -0,0 +1,98 @@
 import { describe, test, expect, vi } from 'vitest';
 import { DELETE, PUT } from '$root/routes/api/list/[vorgang]/[tatort]/+server';
 import { BUCKET, client } from '$lib/minio';
 import { baseData } from '../fixtures';
 // Mock data and methods
 const fakeVorgangToken = `c399423a-ba37-4fe1-bbdf-80e5881168ff`;
 const fakeCrimeOldName = `model-A`;
 const fakeCrimeNewName = 'model-Z';
 const fakeCrimePath = `${fakeVorgangToken}/${fakeCrimeOldName}`;
 const fullFakeCrimePath = `/${BUCKET}/${fakeCrimePath}`;
 const fakeCrimeAPIURL = `http://localhost:5173/api/list/${fakeCrimePath}`;
 vi.mock('$lib/minio', () => ({
 	client: {
 		removeObject: vi.fn(),
 		statObject: vi.fn(),
 		copyObject: vi.fn()
 	},
 	BUCKET: 'tatort'
 }));
 describe('API-Endpoints: list/[vorgang]/[tatort]', () => {
 	test('Löschen von Tatorten', async () => {
 		const request = new Request(fakeCrimeAPIURL);
 		const locals = { user: baseData.user }
 		const response = await DELETE({ locals, request });
 		expect(client.removeObject).toHaveBeenCalledWith(BUCKET, fakeCrimePath);
 		expect(response.status).toBe(204);
 		const responseBody = await response.text();
 		expect(responseBody).toBe('');
 	});
 	test('Umbennen von Tatorten: Erfolgreich', async () => {
 		const request = new Request(fakeCrimeAPIURL, {
 			method: 'PUT',
 			body: JSON.stringify({
 				oldName: fakeCrimeOldName,
 				newName: fakeCrimeNewName
 			})
 		});
 		const params = { vorgang: fakeVorgangToken };
 		const locals = { user: baseData.user }
 		// Mock Datei nicht gefunden
 		client.statObject.mockRejectedValueOnce(new Error('NotFound'));
 		const response = await PUT({ locals, params, request });
 		const fakeCrimeNewPath = `${fakeVorgangToken}/${fakeCrimeNewName}`;
 		expect(client.statObject).toHaveBeenCalledWith(BUCKET, fakeCrimeNewPath);
 		expect(client.copyObject).toHaveBeenCalledWith(BUCKET, fakeCrimeNewPath, fullFakeCrimePath);
 		expect(client.removeObject).toHaveBeenCalledWith(BUCKET, fakeCrimePath);
 		expect(response.status).toBe(200);
 	});
 	test('Umbennen von Tatorten: Fehlende(r) Name', async () => {
 		const request = new Request(fakeCrimeAPIURL, {
 			method: 'PUT',
 			body: JSON.stringify({
 				oldName: '',
 				newName: ''
 			})
 		});
 		const locals = { user: baseData.user }
 		const params = { vorgang: fakeVorgangToken };
 		const response = await PUT({ locals, params, request });
 		expect(response.status).toBe(400);
 	});
 	test('Umbennen von Tatorten: Existierender Name', async () => {
 		const request = new Request(fakeCrimeAPIURL, {
 			method: 'PUT',
 			body: JSON.stringify({
 				oldName: fakeCrimeOldName,
 				newName: fakeCrimeNewName
 			})
 		});
 		const params = { vorgang: fakeVorgangToken };
 		const locals = { user: baseData.user }
 		// Datei existiert bereits
 		client.statObject.mockResolvedValueOnce({});
 		const response = await PUT({ locals, params, request });
 		expect(response.status).toBe(400);
 		const fakeCrimeNewPath = `${fakeVorgangToken}/${fakeCrimeNewName}`;
 		expect(client.statObject).toHaveBeenCalledWith(BUCKET, fakeCrimeNewPath);
 		expect(client.copyObject).not.toHaveBeenCalled();
 		expect(client.removeObject).not.toHaveBeenCalled();
 	});
 });
--- a/tests/api/User.test.ts
+++ b/tests/api/User.test.ts
@@ -0,0 +1,40 @@
 import { describe, test, expect } from 'vitest';
 import { GET } from '$root/routes/api/user/+server';
 const id = 'admin';
 describe('API-Endpoints: User ist Admin', () => {
 	test('User ist Admin', async () => {
 		const admin = true;
 		const event = {
 			locals: {
 				user: { id, admin }
 			}
 		};
 		const fakeResult = { admin };
 		const response = await GET(event);
 		expect(response.status).toBe(200);
 		const json = await response.json();
 		expect(json).toEqual(fakeResult);
 	});
 	test('User ist kein Admin', async () => {
 		const admin = false;
 		const event = {
 			locals: {
 				user: { id, admin }
 			}
 		};
 		const fakeResult = { admin };
 		const response = await GET(event);
 		expect(response.status).toBe(200);
 		const json = await response.json();
 		expect(json).toEqual(fakeResult);
 	});
 });
--- a/tests/api/Users.test.ts
+++ b/tests/api/Users.test.ts
@@ -0,0 +1,148 @@
 import { describe, test, expect, vi, beforeEach } from 'vitest';
 import { GET, POST } from '$root/routes/api/users/+server';
 import bcrypt from 'bcrypt';
 import { addUser, getUsers } from '$lib/server/userService';
 vi.mock('$lib/server/userService', () => ({
 	addUser: vi.fn(),
 	getUsers: vi.fn()
 }));
 vi.mock('bcrypt', () => ({
 	default: {
 		hashSync: vi.fn()
 	}
 }));
 describe('API-Endpoint: Users', () => {
 	// [INFO] Test auf keine User nicht notwendig, da immer min. ein User vorhanden
 	// Mock eingelogter User bzw. stelle locals.user zur Verfügung
 	const fakeLoggedInUser = { id: 'admin', admin: true };
 	const mockLocals = {
 		user: fakeLoggedInUser
 	};
 	test('Rufe Liste aller User ab', async () => {
 		const fakeLoggedInUser = { id: 'admin', admin: true };
 		const event = {
 			locals: {
 				user: fakeLoggedInUser
 			}
 		};
 		const fakeResult = [{ userId: 42, userName: 'admin' }];
 		getUsers.mockReturnValueOnce(fakeResult);
 		const response = await GET(event);
 		expect(response.status).toBe(200);
 		const json = await response.json();
 		expect(json).toEqual(fakeResult);
 	});
 	test('Füge Benutzer hinzu: Erfolgreich', async () => {
 		// Mocke Parameter und Funktionen von Drittparteien
 		const fakeUsersAPIURL = `http://localhost:5173/api/users`;
 		const fakeUserID = 42;
 		const fakeUsername = 'admin';
 		const fakeUserPassword = 'pass-123';
 		const mockRequest = new Request(fakeUsersAPIURL, {
 			method: 'POST',
 			body: JSON.stringify({
 				userName: fakeUsername,
 				userPassword: fakeUserPassword
 			})
 		});
 		const mockedHash = 'mocked-hash';
 		bcrypt.hashSync.mockReturnValueOnce(mockedHash);
 		const mockedRowInfo = {
 			changes: 1,
 			lastInsertRowid: fakeUserID
 		};
 		addUser.mockReturnValueOnce(mockedRowInfo);
 		const response = await POST({
 			request: mockRequest,
 			locals: mockLocals
 		});
 		expect(response.status).toBe(201);
 		const fakeResult = { userId: fakeUserID, userName: fakeUsername };
 		const json = await response.json();
 		expect(json).toEqual(fakeResult);
 		expect(addUser).toHaveBeenCalledWith(fakeUsername, mockedHash);
 	});
 	test('Füge Benutzer hinzu: Fehlender Name oder Passwort', async () => {
 		// Mocke Parameter und Funktionen von Drittparteien
 		const fakeUsersAPIURL = `http://localhost:5173/api/users`;
 		const fakeUserID = 42;
 		const fakeUsername = '';
 		const fakeUserPassword = '';
 		const mockRequest = new Request(fakeUsersAPIURL, {
 			method: 'POST',
 			body: JSON.stringify({
 				userName: fakeUsername,
 				userPassword: fakeUserPassword
 			})
 		});
 		const response = await POST({
 			request: mockRequest,
 			locals: mockLocals
 		});
 		expect(response.status).toBe(400);
 		const errorMessage = { error: 'Missing input' };
 		const json = await response.json();
 		expect(json).toEqual(errorMessage);
 		expect(addUser).not.toHaveBeenCalled();
 	});
 	test('Füge Benutzer hinzu: Nicht erfolgreich, keine Datenbankänderung', async () => {
 		// Mocke Parameter und Funktionen von Drittparteien
 		const fakeUsersAPIURL = `http://localhost:5173/api/users`;
 		const fakeUserID = 42;
 		const fakeUsername = 'admin';
 		const fakeUserPassword = 'pass-123';
 		const mockRequest = new Request(fakeUsersAPIURL, {
 			method: 'POST',
 			body: JSON.stringify({
 				userName: fakeUsername,
 				userPassword: fakeUserPassword
 			})
 		});
 		const mockedHash = 'mocked-hash';
 		bcrypt.hashSync.mockReturnValueOnce(mockedHash);
 		const mockedRowInfo = {
 			changes: 0,
 			lastInsertRowid: fakeUserID
 		};
 		addUser.mockReturnValueOnce(mockedRowInfo);
 		const response = await POST({
 			request: mockRequest,
 			locals: mockLocals
 		});
 		expect(response.status).toBe(400);
 		const body = await response.text();
 		expect(body).toEqual('');
 		expect(addUser).toHaveBeenCalledWith(fakeUsername, mockedHash);
 	});
 });
--- a/tests/api/VorgangVorgangPIN.test.ts
+++ b/tests/api/VorgangVorgangPIN.test.ts
@@ -0,0 +1,45 @@
 import { describe, test, expect, vi } from 'vitest';
 import { GET } from '$root/routes/api/vorgang/[vorgang]/vorgangPIN/+server';
 import { db } from '$lib/server/dbService';
 import { baseData } from '../fixtures';
 const mockEvent = {
 	params: { vorgang: '123' },
 	locals: { user: baseData.user }
 };
 vi.mock('$lib/server/dbService', () => ({
 	db: {
 		prepare: vi.fn()
 	}
 }));
 describe('API-Endpoint: Vorgang-PIN', () => {
 	test('Vorgang PIN: Erfolgreich', async () => {
 		// only interested in PIN value
 		const mockPIN = 'pin-123';
 		const mockRow = { pin: mockPIN };
 		const getMock = vi.fn().mockReturnValue(mockRow);
 		db.prepare.mockReturnValue({ get: getMock });
 		const response = await GET(mockEvent);
 		expect(response.status).toBe(200);
 		const body = await response.text();
 		expect(body).toEqual(mockPIN);
 	});
 	test('Vorgang PIN: Nicht erfolgreich', async () => {
 		const mockRow = {};
 		const getMock = vi.fn().mockReturnValue(mockRow);
 		db.prepare.mockReturnValue({ get: getMock });
 		const response = await GET(mockEvent);
 		expect(response.status).toBe(404);
 		const body = await response.text();
 		expect(body).toEqual('');
 	});
 });
--- a/tests/components/EmptyList.view.test.ts
+++ b/tests/components/EmptyList.view.test.ts
@@ -0,0 +1,9 @@
 import { render, screen } from '@testing-library/svelte';
 import EmptyList from '$lib/components/EmptyList.svelte'
 import { describe, expect, it } from 'vitest';
 describe('Komponente: EmptyList', () => {
  it('zeigt Hinweistext "Keine Einträge"', () => {
    render(EmptyList);
    expect(screen.getByText(/keine Einträge/i)).toBeInTheDocument();  });
 });
--- a/tests/components/Footer.test.ts
+++ b/tests/components/Footer.test.ts
@@ -0,0 +1,47 @@
 import { render, screen } from '@testing-library/svelte';
 import { describe, test, expect } from 'vitest';
 import { ROUTE_NAMES } from '../../src/routes';
 import { baseData } from '../fixtures';
 import Footer from '$lib/components/Footer.svelte';
 describe('Footer component', () => {
 	test('Enthält Behörden-Name und entsprechenden Link', () => {
 		render(Footer);
 		const linkElement = screen.getByText('Innovation Hub', { exact: false });
 		expect(linkElement).toBeInTheDocument();
 		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.LIST);
 	});
 	test('Enthält Zurück-Button und entsprechenden Link', () => {
 		render(Footer);
 		const linkElement = screen.getByText('back');
 		expect(linkElement).toBeInTheDocument();
 		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
 	});
 	test('Enthält Profil-Icon und entsprechenden Link: angemeldet', () => {
 		render(Footer, { props: { data: baseData } });
 		const linkElement = screen.getByText('admin');
 		expect(linkElement).toBeInTheDocument();
 		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
 		// Check for presence of `Profile` component
 		const svg = screen.getByTestId('profile-component');
 		expect(svg).toBeTruthy();
 	});
 	test('Enthält Profil-Icon und entsprechenden Link: nicht angemeldet', () => {
 		const { container } = render(Footer, { props: { data: null } });
 		const links = container.querySelectorAll('a');
 		const linkElement = links[2]; // Index starts at 0
 		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
 		// User/View does not have any ID
 		const ID_displayElement = screen.queryByText('admin');
 		expect(ID_displayElement).not.toBeInTheDocument();
 		// Check for presence of `Profile` component
 		const svg = screen.getByTestId('profile-component');
 		expect(svg).toBeTruthy();
 	});
 });
--- a/tests/components/Header.test.ts
+++ b/tests/components/Header.test.ts
@@ -0,0 +1,22 @@
 import { render, screen } from '@testing-library/svelte';
 import { describe, test, expect } from 'vitest';
 import { ROUTE_NAMES } from '../../src/routes';
 import { baseData } from '../fixtures';
 import Header from '$lib/components/Header.svelte';
 describe('Header component', () => {
 	test('Enthält Landeswappen von NDS und entsprechenden Link', () => {
 		render(Header, { props: { data: baseData } });
 		const linkElement = screen.getByText('Tatort Niedersachen').closest('a');
 		expect(linkElement).toBeInTheDocument();
 		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.ROOT);
 	});
 	test('Form enthält korrekten Link', () => {
 		const { container } = render(Header, { props: { data: baseData } });
 		const formElement = container.querySelector('form');
 		expect(formElement).toBeInTheDocument();
 		expect(formElement).toHaveAttribute('action', ROUTE_NAMES.ANMELDUNG_LOGOUT);
 	});
 });
--- a/tests/components/NameItemEditor.test.ts
+++ b/tests/components/NameItemEditor.test.ts
@@ -0,0 +1,142 @@
 import { fireEvent, render, screen } from '@testing-library/svelte';
 import { describe, expect, it, test, vi } from 'vitest';
 import NameItemEditor from '$lib/components/NameItemEditor.svelte';
 import { baseData } from '../fixtures';
 const testCrimesListIndex = 0;
 const testItem = baseData.crimesList[testCrimesListIndex];
 const testCurrentName = testItem.name;
 const testLocalName = 'Fall-C';
 describe('NameItemEditor - Funktionalität', () => {
 	const onSave = vi.fn();
 	const onDelete = vi.fn();
 	const baseProps = {
 		list: baseData.crimesList,
 		currentName: testCurrentName,
 		onSave,
 		onDelete
 	};
 	test.todo('FocusIn nach Klick auf edit');
 	it('zeigt initial Edit/Delete Buttons und aktuellen Namen', () => {
 		render(NameItemEditor, { props: baseProps });
 		expect(screen.getByTestId('edit-button')).toBeInTheDocument();
 		expect(screen.getByTestId('delete-button')).toBeInTheDocument();
 		expect(screen.queryByTestId('commit-button')).toBeNull();
 		expect(screen.queryByTestId('cancel-button')).toBeNull();
 		expect(screen.getByText(testCurrentName)).toBeInTheDocument();
 	});
 	it('wechselt zu Commit/Cancel nach Klick auf Edit', async () => {
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		expect(screen.getByTestId('commit-button')).toBeInTheDocument();
 		expect(screen.getByTestId('cancel-button')).toBeInTheDocument();
 		expect(screen.queryByTestId('edit-button')).toBeNull();
 		expect(screen.queryByTestId('delete-button')).toBeNull();
 		expect(screen.getAllByRole('textbox')).toHaveLength(1);
 		expect(input).toHaveValue(testCurrentName);
 	});
 	it('zeigt Fehlermeldung bei leerem Namen', async () => {
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		await fireEvent.input(input, { target: { value: '' } });
 		expect(screen.getByText('Name darf nicht leer sein.')).toBeInTheDocument();
 		expect(onSave).not.toHaveBeenCalled();
 	});
 	it('entfernt Fehlermeldung live beim nächsten gültigen Tastendruck', async () => {
 		render(NameItemEditor, {
 			props: {
 				list: baseData.crimesList,
 				currentName: baseData.crimesList[0].name,
 				onSave: vi.fn(),
 				onDelete: vi.fn()
 			}
 		});
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		await fireEvent.input(input, { target: { value: '' } });
 		expect(screen.getByText('Name darf nicht leer sein.')).toBeInTheDocument();
 		await fireEvent.input(input, { target: { value: 'Fall-C' } });
 		expect(screen.queryByText('Name darf nicht leer sein.')).toBeNull();
 	});
 	it('zeigt Fehlermeldung bei Duplikat', async () => {
 		const duplicateName = baseData.crimesList[1].name;
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		await fireEvent.input(input, { target: { value: duplicateName } });
 		expect(screen.getByText('Name existiert bereits.')).toBeInTheDocument();
 		expect(onSave).not.toHaveBeenCalled();
 	});
 	it('ruft onSave korrekt auf bei gültigem Namen: Tatort/Crime', async () => {
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		await fireEvent.input(input, { target: { value: testLocalName } });
 		await fireEvent.click(screen.getByTestId('commit-button'));
 		expect(onSave).toHaveBeenCalledWith(testLocalName, testCurrentName, undefined);
 	});
 	it('ruft onDelete korrekt auf', async () => {
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('delete-button'));
 		expect(onDelete).toHaveBeenCalledWith(testCurrentName);
 	});
 	it('setzt Zustand zurück bei Cancel', async () => {
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		await fireEvent.input(input, { target: { value: 'Zwischentext' } });
 		await fireEvent.click(screen.getByTestId('cancel-button'));
 		expect(screen.getByText(testCurrentName)).toBeInTheDocument();
 		expect(screen.getByTestId('edit-button')).toBeInTheDocument();
 	});
 	it('triggert Save bei Enter-Taste: Tatort/Crime', async () => {
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		await fireEvent.input(input, { target: { value: 'ViaEnter' } });
 		await fireEvent.keyDown(input, { key: 'Enter' });
 		expect(onSave).toHaveBeenCalledWith('ViaEnter', testCurrentName, undefined);
 	});
 	it('bricht ab bei Escape-Taste', async () => {
 		render(NameItemEditor, { props: baseProps });
 		await fireEvent.click(screen.getByTestId('edit-button'));
 		const input = screen.getByTestId('test-input');
 		await fireEvent.input(input, { target: { value: 'Zwischentext' } });
 		await fireEvent.keyDown(input, { key: 'Escape' });
 		expect(screen.getByText(testCurrentName)).toBeInTheDocument();
 		expect(onSave).not.toHaveBeenCalled();
 	});
 });
--- a/tests/fixtures.ts
+++ b/tests/fixtures.ts
@@ -0,0 +1,53 @@
 const testUser = {
 	admin: true,
 	exp: 1757067123,
 	iat: 1757063523,
 	id: 'admin'
 };
 const testCrimesList = [
 	{
 		name: 'Fall-A',
 		lastModified: '2025-08-28T09:44:12.453Z',
 		etag: '558f35716f6af953f9bb5d75f6d77e6a',
 		size: 8947140,
 		prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
 		show_button: true
 	},
 	{
 		name: 'Fall-B',
 		lastModified: '2025-08-28T10:37:20.142Z',
 		etag: '43e3989c32c4682bee407baaf83b6fa0',
 		size: 35788560,
 		prefix: '7596e4d5-c51f-482d-a4aa-ff76434305fc',
 		show_button: true
 	}
 ];
 const testVorgangsList = [
 	{
 		vorgangName: 'vorgang-1',
 		vorgangPIN: 'pin-123',
 		vorgangToken: 'c322f26f-8c5e-4cb9-94b3-b5433bf5109e'
 	},
 	{
 		vorgangName: 'vorgang-2',
 		vorgangPIN: 'pin-2',
 		vorgangToken: 'cb0051bc-5f38-47b8-943c-9352d4d9c984'
 	}
 ];
 export const baseData = {
 	user: testUser,
 	vorgang: testVorgangsList[0],
 	vorgangList: testVorgangsList,
 	crimesList: testCrimesList,
 	url: `https://example.com/list/${testVorgangsList[0].vorgangToken}`,
 	crimeNames: ['modell-A', 'Fall-A']
 };
 export const mockEvent = {
 	locals: {
 		user: baseData.user
 	},
 	url: new URL(`https://example.com/anmeldung`)
 };
--- a/tests/views/Anmeldung.test.ts
+++ b/tests/views/Anmeldung.test.ts
@@ -0,0 +1,143 @@
 import { describe, it, expect, vi } from 'vitest';
 // import { actions } from '$root/routes/anmeldung/+page.server';
 // import { load } from '$root/routes/(token-based)/+layout.server'
 import { actions } from '../../src/routes/anmeldung/+page.server';
 import { load } from '../../src/routes/(token-based)/+layout.server';
 import { baseData } from '../fixtures';
 import { ROUTE_NAMES } from '../../src/routes';
 import { dev } from '$app/environment';
 import { vorgangExists, vorgangPINValidation } from '$lib/server/vorgangService';
 import type { Redirect } from '@sveltejs/kit';
 vi.mock('$lib/server/vorgangService', () => ({
 	vorgangExists: vi.fn(),
 	vorgangPINValidation: vi.fn()
 }));
 describe('Vorgang Anzeige via Token', () => {
 	it('Setze Cookie nach erfolgreicher Eingabe', async () => {
 		// Mock formData
 		const vorgObj = baseData.vorgang;
 		const formData = new FormData();
 		formData.set('vorgang-token', vorgObj.vorgangToken);
 		formData.set('vorgang-pin', vorgObj.vorgangPIN);
 		const mockRequest = {
 			formData: vi.fn().mockResolvedValue(formData)
 		};
 		vi.mocked(vorgangPINValidation).mockReturnValueOnce(true);
 		const cookiesSet = vi.fn();
 		const event = {
 			request: mockRequest,
 			cookies: {
 				set: cookiesSet
 			}
 		};
 		let thrownRedirect: Redirect | undefined;
 		try {
 			await actions.default(event);
 		} catch (e) {
 			thrownRedirect = e as Redirect;
 		}
 		// Redirect bei erfolgreicher Eingabe
 		expect(thrownRedirect?.status).toBe(303);
 		expect(thrownRedirect?.location).toBe(ROUTE_NAMES.VORGANG(vorgObj.vorgangToken));
 		// Cookie wurde gesetzt
 		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
 		expect(cookiesSet).toHaveBeenCalledWith(COOKIE_NAME, vorgObj.vorgangPIN, {
 			path: '/',
 			httpOnly: true,
 			sameSite: 'strict',
 			secure: !dev
 		});
 	});
 	it('Schlägt fehl wenn keine Daten übergeben werden', async () => {
 		const formData = new FormData(); // no data
 		const mockRequest = {
 			formData: vi.fn().mockResolvedValue(formData)
 		};
 		const cookiesSet = vi.fn();
 		const event = {
 			request: mockRequest,
 			cookies: {
 				set: cookiesSet
 			}
 		};
 		const result = await actions.default(event);
 		expect(result.status).toBe(400);
 		expect(result.data.message).toMatch(/PIN eingeben/i);
 		// Cookie wird nicht gesetzt
 		expect(cookiesSet).not.toHaveBeenCalled();
 	});
 	it.todo('Überprüfe was passiert, wenn Eingabe falsch, bzw. nicht im System passend gefunden');
 });
 describe('Teste Guard', () => {
 	it('Lese Cookie aus', async () => {
 		const vorgObj = baseData.vorgang;
 		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
 		const cookiesGet = vi.fn().mockImplementation((key: string) => {
 			if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
 			return undefined;
 		});
 		// mocked objects
 		const event = {
 			cookies: {
 				get: cookiesGet
 			},
 			locals: {},
 			params: { vorgang: vorgObj.vorgangToken }
 		};
 		vi.mocked(vorgangExists).mockReturnValueOnce(true);
 		vi.mocked(vorgangPINValidation).mockReturnValueOnce(true);
 		await load(event);
 		expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
 	});
 	it('Kein Cookie gesetzt', async () => {
 		const vorgObj = baseData.vorgang;
 		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
 		const cookiesGet = vi.fn().mockImplementation((key: string) => {
 			if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
 			return undefined;
 		});
 		// mocked objects
 		const event = {
 			cookies: {
 				get: cookiesGet
 			},
 			locals: {},
 			params: { vorgang: vorgObj.vorgangToken }
 		};
 		vi.mocked(vorgangExists).mockReturnValueOnce(true);
 		vi.mocked(vorgangPINValidation).mockReturnValueOnce(false);
 		let thrownRedirect;
 		try {
 			await load(event);
 			throw new Error('Function did not throw');
 		} catch (e) {
 			thrownRedirect = e;
 		}
 		expect(thrownRedirect?.status).toBe(303);
 		expect(thrownRedirect?.location).toBe(
 			ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgObj.vorgangToken)
 		);
 		expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
 	});
 });
--- a/tests/views/Home.view.test.ts
+++ b/tests/views/Home.view.test.ts
@@ -0,0 +1,23 @@
 import { render, screen } from '@testing-library/svelte';
 import { describe, expect, it } from 'vitest';
 import HomePage from '$root/routes/(angemeldet)/+page.svelte';
 import { ROUTE_NAMES } from '../../src/routes';
 import { baseData } from '../fixtures';
 describe('Home-Page View', () => {
 	it('Überprüfe Links', () => {
 		render(HomePage, { props: { data: baseData } });
 		let linkElement = screen.getByText('Vorgänge');
 		expect(linkElement).toBeInTheDocument();
 		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.LIST);
 		linkElement = screen.queryByText('Hinzufügen');
 		expect(linkElement).not.toBeInTheDocument();
 		linkElement = screen.getByText('Benutzerverwaltung');
 		expect(linkElement).toBeInTheDocument();
 		expect(linkElement).toHaveAttribute('href', ROUTE_NAMES.USERMGMT);
 	});
 });
--- a/tests/views/Layout.test.ts
+++ b/tests/views/Layout.test.ts
@@ -0,0 +1,24 @@
 import { describe, test, expect } from 'vitest';
 import { load } from '$root/routes/(angemeldet)/+layout.server';
 import { ROUTE_NAMES } from '../../src/routes';
 import { baseData, mockEvent } from '../fixtures';
 describe('+layout.server load(): Teste korrekte URL', () => {
 	test('Werfe keinen Redirect und gebe nichts zurück', async () => {
 		const mockEvent = {
 			locals: {
 				user: null
 			},
 			url: new URL(`https://example.com/not-anmeldung`)
 		};
 		const res = load(mockEvent);
 		expect(res).toBe(undefined);
 	});
 });
 describe('+layout.server load(): Teste erfolgreichen Pfad', () => {
 	test('Werfe kein Fehler', async () => {
 		const result = load(mockEvent);
 		expect(result).toEqual({ user: baseData.user });
 	});
 });
--- a/tests/views/TatortList.test.ts
+++ b/tests/views/TatortList.test.ts
@@ -0,0 +1,139 @@
 import { render, fireEvent, screen, within } from '@testing-library/svelte';
 import { describe, it, expect, vi, test } from 'vitest';
 import * as nav from '$app/navigation';
 import TatortListPage from '$root/routes/(token-based)/list/[vorgang]/+page.svelte';
 import { baseData } from '../fixtures';
 import { tick } from 'svelte';
 import { API_ROUTES } from '../../src/routes';
 vi.spyOn(nav, 'invalidateAll').mockResolvedValue();
 global.fetch = vi.fn().mockResolvedValue({ ok: true });
 async function clickPlusButton() {
  // mock animation features of the browser
  window.HTMLElement.prototype.scrollIntoView = vi.fn();
  window.HTMLElement.prototype.animate = vi.fn(() => ({
    finished: Promise.resolve(),
    cancel: vi.fn(),
  }))
  // button is visible
  const button = screen.getByRole('button', { name: /add item/i })
  expect(button).toBeInTheDocument();
  await fireEvent.click(button)
 }
 describe('Seite: Vorgangsansicht', () => {
  test.todo('Share Link disabled wenn Liste leer');
  describe('Szenario: Admin + Liste gefüllt - Funktionalität', () => {
    test.todo('Share Link Link generierung richtig');
    it('führt PUT-Request aus und aktualisiert UI nach onSave', async () => {
      const data = structuredClone(baseData);
      const oldName = data.crimesList[0].name;
      const newName = 'Fall-C';
      render(TatortListPage, { props: { data } });
      const listItem = screen.getAllByTestId('test-list-item')[0];
      expect(listItem).toHaveTextContent(oldName);
      await fireEvent.click(within(listItem).getByTestId('edit-button'));
      const input = within(listItem).getByTestId('test-input');
      await fireEvent.input(input, { target: { value: newName } });
      await fireEvent.click(within(listItem).getByTestId('commit-button'));
      await tick();
      expect(global.fetch).toHaveBeenCalledWith(
        `/api/list/${data.vorgang.vorgangToken}/${oldName}`,
        expect.objectContaining({
          method: 'PUT',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({
            vorgangToken: data.vorgang.vorgangToken,
            oldName,
            newName
          })
        })
      );
      expect(nav.invalidateAll).toHaveBeenCalled();
      expect(within(listItem).getByText(newName)).toBeInTheDocument();
    });
    it('führt DELETE-Request aus und entfernt Element aus UI', async () => {
      const testData = structuredClone(baseData);
      const oldName = testData.crimesList[0].name;
      const vorgang = testData.vorgang;
      render(TatortListPage, { props: { data: testData } });
      const initialItems = screen.getAllByTestId('test-list-item');
      expect(initialItems).toHaveLength(testData.crimesList.length);
      const listItem = screen.getAllByTestId('test-list-item')[0];
      expect(listItem).toHaveTextContent(oldName);
      const del = within(listItem).getByTestId('delete-button');
      expect(del).toBeInTheDocument()
      await fireEvent.click(within(listItem).getByTestId('delete-button'));
      await tick();
      let expectedPath = API_ROUTES.CRIME(vorgang.vorgangToken, oldName)
      expect(global.fetch).toHaveBeenCalledWith(
        expectedPath,
        expect.objectContaining({
         method: 'DELETE',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
           vorgangToken: testData.vorgang.vorgangToken,
           tatort: oldName
         })
        })
      );
      expect(nav.invalidateAll).toHaveBeenCalled();
      const updatedItems = screen.queryAllByTestId('test-list-item');
      expect(updatedItems).toHaveLength(testData.crimesList.length - 1);
      expect(screen.queryByText(oldName)).toBeNull();
    });
  });
 });
 describe('Hinzufügen Button', () => {
  it('Unexpandierter Button', () => {
    const testData = { ...baseData, vorgangList: [] };
    const { getByTestId } = render(TatortListPage, { props: { data: testData } });
    const container = getByTestId('expand-container')
    expect(container).toBeInTheDocument();
    // button is visible
    const button = within(container).getByRole('button')
    expect(button).toBeInTheDocument();
    // input fields are not visible
    let label = screen.queryByText('Modellname');
    expect(label).not.toBeInTheDocument();
  });
  it('Expandierter Button nach Klick', async () => {
    const testData = { ...baseData, vorgangList: [] };
    render(TatortListPage, { props: { data: testData } });
    await clickPlusButton();
    // input fields are visible
    let label = screen.queryByText('Modellname');
    expect(label).toBeInTheDocument();
  });
  it.todo('Check Validation: missing name', async () => {
    console.log(`test: input field validation`);
  });
  it.todo('Create Tatort successful', async () => {
    console.log(`test: tatort upload`);
  });
 });
--- a/tests/views/TatortList.view.test.ts
+++ b/tests/views/TatortList.view.test.ts
@@ -0,0 +1,115 @@
 import { render, screen, within } from '@testing-library/svelte';
 import { describe, expect, it, test } from 'vitest';
 import TatortListPage from '$root/routes/(token-based)/list/[vorgang]/+page.svelte';
 import { baseData } from '../fixtures';
 import { ROUTE_NAMES } from '../../src/routes';
 describe('Seite: Vorgangsansicht', () => {
 	test.todo('zeigt PIN und Share-Link, wenn Admin');
 	test.todo('zeigt PIN und Share-Link disabeld, wenn Liste leer');
 	describe('Szenario: Liste leer (unabhängig von Rolle)', () => {
 		it('zeigt Hinweistext bei leerer Liste', () => {
 			const testData = { ...baseData, crimesList: [] };
 			const { getByTestId } = render(TatortListPage, { props: { data: testData } });
 			expect(getByTestId('empty-list')).toBeInTheDocument();
 		});
 		it('zeigt keinen Listeneintrag', () => {
 			const items = screen.queryAllByTestId('test-list-item');
 			expect(items).toHaveLength(0);
 		});
 	});
 	describe('Szenario: Liste gefüllt (unabhängig von Rolle)', () => {
 		it('rendert mindestens ein Listenelement bei vorhandenen crimesList-Daten', () => {
 			const testData = { ...baseData };
 			const { queryAllByTestId } = render(TatortListPage, { props: { data: testData } });
 			const items = queryAllByTestId('test-list-item');
 			expect(items.length).toBeGreaterThan(0);
 		});
 		it('zeigt für jeden Eintrag einen Link', () => {
 			const testData = { ...baseData };
 			render(TatortListPage, { props: { data: testData } });
 			const links = screen.queryAllByTestId('crime-link');
 			expect(links).toHaveLength(testData.crimesList.length);
 		});
 		it('prüft href und title jedes Links', () => {
 			const testData = { ...baseData };
 			const { queryAllByTestId } = render(TatortListPage, { props: { data: testData } });
 			const items = queryAllByTestId('test-list-item');
 			items.forEach((item, i) => {
 				const link = within(item).getByRole('link');
 				const expectedHref = ROUTE_NAMES.CRIME(testData.vorgang.vorgangToken, testData.crimesList[i].name, testData.vorgang.vorgangPIN);
 				expect(link).toBeInTheDocument();
 				expect(link).toHaveAttribute('href', expectedHref);
 				expect(link).toHaveAttribute('title', testData.crimesList[i].name);
 			});
 		});
 		test.todo('testet zuletzt angezeigt, wenn item.lastModified');
 		test.todo('zeigt Dateigröße, wenn item.size vorhanden ist');
 	});
 	describe('Szenario: Admin + Liste gefüllt', () => {
 		const testData = { ...baseData, user: { ...baseData.user, admin: true } };
 		it('zeigt Listeneinträge mit Komponente NameItemEditor', () => {
 			const { getAllByTestId } = render(TatortListPage, { props: { data: testData } });
 			const items = getAllByTestId('test-nameItemEditor');
 			expect(items.length).toBeGreaterThan(0);
 		});
 		test.todo('Modal testen, wenn open');
 	});
 	describe('Szenario: Viewer + Liste gefüllt', () => {
 		const testData = { ...baseData, user: { ...baseData.user, admin: false } };
 		it('zeigt Listeneinträge mit p', () => {
 			render(TatortListPage, { props: { data: testData } });
 			const paragraphs = screen.queryAllByTestId('test-nameItem-p');
 			expect(paragraphs).toHaveLength(testData.crimesList.length);
 			paragraphs.forEach((p, i) => {
 				expect(p).toHaveTextContent(testData.crimesList[i].name);
 			});
 		});
 		test.todo('zeigt keinen Share-Link oder PIN');
 	});
 	describe('Teste Links auf Korrektheit', () => {
 		it('Überprüfe Links', () => {
 			const crimesListOneItem = baseData.crimesList.slice(0, 1);
 			const crimeObj = crimesListOneItem[0];
 			const vorgObj = baseData.vorgangList[0]
 			const expectedURL = ROUTE_NAMES.CRIME(vorgObj.vorgangToken, crimeObj.name, vorgObj.vorgangPIN)
 			render(TatortListPage, { props: { data: { ...baseData, crimesList: crimesListOneItem } } });
 			const listItem = screen.getByTestId("test-list-item");
 			const linkElement = within(listItem).getByRole('link');
 			expect(linkElement).toBeInTheDocument();
 			expect(linkElement).toHaveAttribute('href', expectedURL);
 		});
 	});
 	describe('PIN Anzeige & Button', () => {
 		it('Teste korrekte Anzeige von PIN Komponente', () => {
 			const testData = { ...baseData};
 			render(TatortListPage, { props: { data: testData } });
 			const vorgObj = baseData.vorgangList[0]
 			// PIN is being displayed within ´NameItemEditor´
 			let label = screen.queryByText(vorgObj.vorgangPIN);
 			expect(label).toBeInTheDocument();
 		});
 	});
 });
--- a/tests/views/VorgangList.view.test.ts
+++ b/tests/views/VorgangList.view.test.ts
@@ -0,0 +1,184 @@
 import { render, fireEvent, screen, within } from '@testing-library/svelte';
 import { describe, expect, it, vi } from 'vitest';
 import VorgangListPage from '$root/routes/(angemeldet)/list/+page.svelte';
 import { baseData } from '../fixtures';
 import { ROUTE_NAMES } from '../../src/routes';
 import { actions } from '../../src/routes/(angemeldet)/list/+page.server';
 import { createVorgang } from '$lib/server/vorgangService';
 // mock animation features of the browser
 window.HTMLElement.prototype.scrollIntoView = vi.fn();
 window.HTMLElement.prototype.animate = vi.fn(() => ({
 	finished: Promise.resolve(),
 													cancel: vi.fn(),
 }))
 describe('Vorgänge Liste Page EmptyList-Komponente View', () => {
 	it('zeigt EmptyList-Komponente an, wenn Liste leer ist', () => {
 		const testData = { ...baseData, vorgangList: [] };
 		const { getByTestId } = render(VorgangListPage, { props: { data: testData } });
 		expect(getByTestId('empty-list')).toBeInTheDocument();
 	});
 	it('zeigt Liste(mockData 2 Elemente) an, wenn Liste vorhanden ist', () => {
 		const testData = { ...baseData };
 		const { getAllByTestId } = render(VorgangListPage, { props: { data: testData } });
 		const items = getAllByTestId('test-list-item');
 		expect(items.length).toBeGreaterThan(0);
 	});
 });
 describe('Teste Links auf Korrektheit', () => {
 	it('Überprüfe Links', () => {
 		const vorgListOneItem = baseData.vorgangList.slice(0, 1);
 		const vorgObj = vorgListOneItem[0];
 		const expectedURL = ROUTE_NAMES.VORGANG(vorgObj.vorgangToken, vorgObj.vorgangPIN)
 		render(VorgangListPage, { props: { data: { ...baseData, vorgangList: vorgListOneItem } } });
 		const listItem = screen.getByTestId("test-list-item");
 		const linkElement = within(listItem).getByRole('link');
 		expect(linkElement).toBeInTheDocument();
 		expect(linkElement).toHaveAttribute('href', expectedURL);
 	});
 	it('Links enthalten keinen VorgangsPIN', () => {
 		const vorgListOneItem = baseData.vorgangList.slice(0, 1)
 		render(VorgangListPage, { props: { data: { ...baseData, vorgangList: vorgListOneItem } } });
 		const listItem = screen.getByTestId("test-list-item");
 		const linkElement = within(listItem).getByRole('link');
 		expect(linkElement.getAttribute('href')?.toLowerCase()).not.toContain('pin');
 	});
 });
 async function clickPlusButton() {
 	// button is visible
 	const button = screen.getByTestId('expand-button')
 	expect(button).toBeInTheDocument();
 	await fireEvent.click(button)
 }
 async function inputVorgang() {
 	const input = document.getElementById("vorgang");
 	input.value = 'test-vorgang';
 	// firing the event manually for Svelte
 	await fireEvent.input(input)
 	expect(input).toHaveValue('test-vorgang');
 }
 async function inputVorgangPIN() {
 	const input = document.getElementById("pin");
 	input.value = 'test-pin';
 	// firing the event manually for Svelte
 	await fireEvent.input(input)
 	expect(input).toHaveValue('test-pin');
 }
 describe('Hinzufügen Buton', () => {
 	it('Unexpandierter Button', () => {
 		const testData = { ...baseData, vorgangList: [] };
 		const { getByTestId } = render(VorgangListPage, { props: { data: testData } });
 		const container = getByTestId('expand-container')
 		expect(container).toBeInTheDocument();
 		// button is visible
 		const button = within(container).getByRole('button')
 		expect(button).toBeInTheDocument();
 		// input fields are not visible
 		let label = screen.queryByText('Vorgangsname');
 		expect(label).not.toBeInTheDocument();
 	});
 	it('Expandierter Button nach Klick', async () => {
 		const testData = { ...baseData, vorgangList: [] };
 		render(VorgangListPage, { props: { data: testData } });
 		await clickPlusButton()
 		// input fields are visible
 		let label = screen.queryByText('Vorgangsname');
 		expect(label).toBeInTheDocument();
 	});
 	it('Check Validation: missing PIN', async () => {
 		const testData = { ...baseData, vorgangList: [] };
 		render(VorgangListPage, { props: { data: testData } });
 		await clickPlusButton()
 		// input
 		inputVorgang();
 		// submit
 		const button = screen.getByText('Neuen Vorgang hinzufügen')
 		expect(button).toBeInTheDocument()
 		await fireEvent.click(button);
 		const errorMsg = 'Bitte einen Vorgangs-PIN eingeben.';
 		let para = await screen.getByText(errorMsg);
 		expect(para).toBeInTheDocument();
 	});
 	it('Create Vorgang successful', async () => {
 		const testData = { ...baseData, vorgangList: [] };
 		render(VorgangListPage, { props: { data: testData } });
 		await clickPlusButton();
 		// input fields are visible
 		let label = screen.queryByText('Vorgangsname');
 		expect(label).toBeInTheDocument();
 		inputVorgang();
 		inputVorgangPIN();
 		// emulate button click
 		const button = screen.getByText('Neuen Vorgang hinzufügen');
 		expect(button).toBeInTheDocument();
 		await fireEvent.click(button);
 		// no error message
 		label = screen.queryByText('Bitte');
 		expect(label).not.toBeInTheDocument();
 	});
 	it('Test default action', async () => {
 		vi.mock('$lib/server/vorgangService', () => ({
 			createVorgang: vi.fn(),
 		}));
 		const formData = new FormData(); // no data as we are mocking createVorgang
 		const mockRequest = {
 			formData: vi.fn().mockResolvedValue(formData)
 		};
 		const event = {
 			request: mockRequest,
 		};
 		const testVorgangToken = 'c322f26f-8c5e-4cb9-94b3-b5433bf5109e'
 		vi.mocked(createVorgang).mockReturnValueOnce(testVorgangToken);
 		const result = await actions.default(event);
 		expect(result).toEqual({ token: testVorgangToken });
 	});
 });
 describe('Vorgang-Operationen', () => {
 	it('Teste korrekte Anzeige von Vorgang-Input Komponente', () => {
 		const testData = { ...baseData};
 		const { getAllByTestId } = render(VorgangListPage, { props: { data: testData } });
 		let buttons = getAllByTestId('edit-button')
 		expect(buttons.length).toBeGreaterThan(1);
 	});
 });
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -1,19 +1,38 @@
 import { svelteTesting } from '@testing-library/svelte/vite';
 import { sveltekit } from '@sveltejs/kit/vite';
 import path from 'path';
 import { defineConfig } from 'vite';
 export default defineConfig({
 	plugins: [sveltekit()],
 	resolve: {
 		alias: {
 			$lib: path.resolve('./src/lib'),
 			$root: path.resolve(__dirname, './src')
 		}
 	},
 	test: {
-		workspace: [
+		projects: [
 			{
 				extends: './vite.config.ts',
 				plugins: [svelteTesting()],
 				test: {
-					name: 'client',
+					name: 'business-logic and API',
 					environment: 'jsdom',
 					clearMocks: true,
-					include: ['src/**/*.svelte.{test,spec}.{js,ts}'],
+					include: ['tests/**/*.{test,spec}.{js,ts}', 'src/**/*.svelte.{test,spec}.{js,ts}'],
 					exclude: ['src/lib/server/**', 'tests/**/*.view.{test,spec}.{js,ts}'],
 					setupFiles: ['./vitest-setup-client.ts']
 				}
 			},
 						{
 				extends: './vite.config.ts',
 				plugins: [svelteTesting()],
 				test: {
 					name: 'client-view',
 					environment: 'jsdom',
 					clearMocks: true,
 					include: ['tests/**/*.view.{test,spec}.{js,ts}', 'src/**/*.view.svelte.{test,spec}.{js,ts}'],
 					exclude: ['src/lib/server/**'],
 					setupFiles: ['./vitest-setup-client.ts']
 				}