From 69422d1f92fd2a2bf037144748f52276b0c3fd69 Mon Sep 17 00:00:00 2001
From: mina <mina.zarkesh@polizei.niedersachsen.de>
Date: Mon, 13 Oct 2025 13:01:12 +0200
Subject: [PATCH 01/11] refactoring UUID Anzeige, noch keine Tests angepasst

---
 src/routes/anmeldung/+page.server.ts |   8 +-
 src/routes/anmeldung/+page.svelte    | 128 +++++++++++----------------
 2 files changed, 57 insertions(+), 79 deletions(-)

diff --git a/src/routes/anmeldung/+page.server.ts b/src/routes/anmeldung/+page.server.ts
index a4d6007..6d08a07 100644
--- a/src/routes/anmeldung/+page.server.ts
+++ b/src/routes/anmeldung/+page.server.ts
@@ -8,12 +8,10 @@ export const actions = {
 	logout: (event) => logoutUser(event),
 	getVorgangByToken: async ({ request, cookies }) => {
 		const data = await request.formData();
-		const vorgangToken = data.get('vorgang-token');
-		const vorgangPIN = data.get('vorgang-pin');
+		const vorgangToken = data.get('vorgang-token') as string;
+		const vorgangPIN = data.get('vorgang-pin') as string;
 
-		if (!vorgangToken || !vorgangPIN) return;
-
-		const COOKIE_NAME = `token-${vorgangToken}`
+		const COOKIE_NAME = `token-${vorgangToken}`;
 		cookies.set(COOKIE_NAME, vorgangPIN, {
 			path: '/',
 			httpOnly: true,
diff --git a/src/routes/anmeldung/+page.svelte b/src/routes/anmeldung/+page.svelte
index b2a1d24..a957757 100644
--- a/src/routes/anmeldung/+page.svelte
+++ b/src/routes/anmeldung/+page.svelte
@@ -1,17 +1,9 @@
 <script lang="ts">
 	import BaseInputField from '$lib/components/BaseInputField.svelte';
 	import Button from '$lib/components/Button.svelte';
-	import Modal from '$lib/components/Modal/Modal.svelte';
-	import ModalContent from '$lib/components/Modal/ModalContent.svelte';
-	import ModalFooter from '$lib/components/Modal/ModalFooter.svelte';
-	import ModalTitle from '$lib/components/Modal/ModalTitle.svelte';
 	import ArrowRight from '$lib/icons/Arrow-right.svelte';
-	import Login from '$lib/icons/Login.svelte';
 
 	export let form;
-
-	export let open = false;
-
 	import { page } from '$app/state';
 	import { ROUTE_NAMES } from '../index.js';
 	const vorgangToken = page.url.searchParams.get('vorgang');
@@ -28,73 +20,61 @@
 	<div class="w-full max-w-sm mx-auto">
 		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
 			<div class="mt-10">
-				<form action="{ROUTE_NAMES.ANMELDUNG_GET_VORGANG_BY_TOKEN}" method="POST">
-					<BaseInputField
-						id="vorgang-token"
-						name="vorgang-token"
-						label="Vorgangskennung"
-						type="text"
-						value={vorgangToken}
-					/>
-					<div class="mt-5">
-						<BaseInputField
-							id="vorgang-pin"
-							name="vorgang-pin"
-							label="Zugangs-PIN"
-							type="text"
-							value={form?.vorgangPIN}
-							error={form?.error?.message}
-						/>
-					</div>
-					<div class="flex justify-end pt-4">
-						<Button type="submit"><ArrowRight /></Button>
-					</div>
-				</form>
+				{#if vorgangToken}
+					<form action={ROUTE_NAMES.ANMELDUNG_GET_VORGANG_BY_TOKEN} method="POST">
+						<input type="hidden" name="vorgang-token" value={vorgangToken} />
+						<div class="mt-5">
+							<BaseInputField
+								id="vorgang-pin"
+								name="vorgang-pin"
+								label="Zugangs-PIN"
+								type="text"
+								value={form?.vorgangPIN}
+								error={form?.error?.message}
+							/>
+						</div>
+						<div class="flex justify-end pt-4">
+							<Button type="submit"><ArrowRight /></Button>
+						</div>
+					</form>
+				{:else}
+					<form action={ROUTE_NAMES.ANMELDUNG_LOGIN} method="POST">
+						<div>
+							<label for="user" class="text-sm font-medium leading-6 text-gray-900">Name</label>
+							<div class="mt-2">
+								<input
+									id="user"
+									name="user"
+									type="text"
+									autocomplete="email"
+									required
+									class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
+								/>
+							</div>
+						</div>
+
+						<div>
+							<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
+								>Passwort</label
+							>
+							<div class="mt-2">
+								<input
+									id="password"
+									name="password"
+									type="password"
+									autocomplete="current-password"
+									required
+									class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
+								/>
+							</div>
+						</div>
+
+						<div class="flex justify-end">
+							<Button type="submit" class="mt-5">Anmelden</Button>
+						</div>
+					</form>
+				{/if}
 			</div>
 		</div>
-		<div class="flex justify-end mt-10 px-3">
-			<Button on:click={() => (open = true)}><Login /></Button>
-		</div>
 	</div>
 </div>
-<Modal {open}>
-	<ModalTitle>Anmelden</ModalTitle>
-	<ModalContent class="flex justify-center">
-		<form action="{ROUTE_NAMES.ANMELDUNG_LOGIN}" method="POST">
-			<div>
-				<label for="user" class="text-sm font-medium leading-6 text-gray-900">Kennung</label>
-				<div class="mt-2">
-					<input
-						id="user"
-						name="user"
-						type="text"
-						autocomplete="email"
-						required
-						class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
-					/>
-				</div>
-			</div>
-
-			<div>
-				<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
-					>Passwort</label
-				>
-				<div class="mt-2">
-					<input
-						id="password"
-						name="password"
-						type="password"
-						autocomplete="current-password"
-						required
-						class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
-					/>
-				</div>
-			</div>
-
-			<div class="flex justify-end">
-				<Button type="submit" class="mt-5">Anmelden</Button>
-			</div>
-		</form>
-	</ModalContent>
-	<ModalFooter><Button on:click={() => (open = false)}>Ok</Button></ModalFooter>
-</Modal>
-- 
2.43.0


From 416118197b6cda5199e5ec12ce74803ce1c5e8a0 Mon Sep 17 00:00:00 2001
From: mina <mina.zarkesh@polizei.niedersachsen.de>
Date: Fri, 17 Oct 2025 12:12:07 +0200
Subject: [PATCH 02/11] test Login angepasst, return fail wenn formaDaten leer

---
 src/routes/anmeldung/+page.server.ts |   8 +-
 tests/views/Anmeldung.test.ts        | 214 +++++++++++++--------------
 2 files changed, 112 insertions(+), 110 deletions(-)

diff --git a/src/routes/anmeldung/+page.server.ts b/src/routes/anmeldung/+page.server.ts
index 6d08a07..36c8c1b 100644
--- a/src/routes/anmeldung/+page.server.ts
+++ b/src/routes/anmeldung/+page.server.ts
@@ -1,6 +1,6 @@
 import { dev } from '$app/environment';
 import { loginUser, logoutUser } from '$lib/server/authService';
-import { redirect } from '@sveltejs/kit';
+import { fail, redirect } from '@sveltejs/kit';
 import { ROUTE_NAMES } from '../index.js';
 
 export const actions = {
@@ -8,9 +8,13 @@ export const actions = {
 	logout: (event) => logoutUser(event),
 	getVorgangByToken: async ({ request, cookies }) => {
 		const data = await request.formData();
-		const vorgangToken = data.get('vorgang-token') as string;
+		const vorgangToken = data.get('vorgang-token');
 		const vorgangPIN = data.get('vorgang-pin') as string;
 
+		if (!vorgangToken || !vorgangPIN) {
+			return fail(400, { message: 'Token oder PIN fehlen' });
+		}
+
 		const COOKIE_NAME = `token-${vorgangToken}`;
 		cookies.set(COOKIE_NAME, vorgangPIN, {
 			path: '/',
diff --git a/tests/views/Anmeldung.test.ts b/tests/views/Anmeldung.test.ts
index 96cf9b3..4d95808 100644
--- a/tests/views/Anmeldung.test.ts
+++ b/tests/views/Anmeldung.test.ts
@@ -1,144 +1,142 @@
 import { describe, it, expect, vi } from 'vitest';
-import { actions } from '$root/routes/anmeldung/+page.server';
-import { load } from '$root/routes/(token-based)/+layout.server'
+// import { actions } from '$root/routes/anmeldung/+page.server';
+// import { load } from '$root/routes/(token-based)/+layout.server'
+import { actions } from '../../src/routes/anmeldung/+page.server';
+import { load } from '../../src/routes/(token-based)/+layout.server';
 
 import { baseData } from '../fixtures';
 import { ROUTE_NAMES } from '../../src/routes';
 import { dev } from '$app/environment';
 import { vorgangExists, vorgangPINValidation } from '$lib/server/vorgangService';
-import { Redirect } from '@sveltejs/kit';
+import type { Redirect } from '@sveltejs/kit';
 
 vi.mock('$lib/server/vorgangService', () => ({
 	vorgangExists: vi.fn(),
-  vorgangPINValidation: vi.fn(),
+	vorgangPINValidation: vi.fn()
 }));
 
 describe('Vorgang Anzeige via Token', () => {
-  it('Setze Cookie nach erfolgreicher Eingabe', async () => {
-    // Mock formData
-    const vorgObj = baseData.vorgang;
+	it('Setze Cookie nach erfolgreicher Eingabe', async () => {
+		// Mock formData
+		const vorgObj = baseData.vorgang;
 
-    const formData = new FormData();
-    formData.set('vorgang-token', vorgObj.vorgangToken);
-    formData.set('vorgang-pin', vorgObj.vorgangPIN);
+		const formData = new FormData();
+		formData.set('vorgang-token', vorgObj.vorgangToken);
+		formData.set('vorgang-pin', vorgObj.vorgangPIN);
 
-    const mockRequest = {
-      formData: vi.fn().mockResolvedValue(formData)
-    };
+		const mockRequest = {
+			formData: vi.fn().mockResolvedValue(formData)
+		};
 
-    const cookiesSet = vi.fn();
+		const cookiesSet = vi.fn();
 
-    const event = {
-      request: mockRequest,
-      cookies: {
-        set: cookiesSet
-      }
-    };
+		const event = {
+			request: mockRequest,
+			cookies: {
+				set: cookiesSet
+			}
+		};
 
-    let thrownRedirect: Redirect | undefined;
-    try {
-      await actions.getVorgangByToken(event);
-    } catch (e) {
-      thrownRedirect = e as Redirect;
-    }
+		let thrownRedirect: Redirect | undefined;
+		try {
+			await actions.getVorgangByToken(event);
+		} catch (e) {
+			thrownRedirect = e as Redirect;
+		}
 
-    // Redirect bei erfolgreicher Eingabe
-    expect(thrownRedirect?.status).toBe(303);
-    expect(thrownRedirect?.location).toBe(ROUTE_NAMES.VORGANG(vorgObj.vorgangToken));
+		// Redirect bei erfolgreicher Eingabe
+		expect(thrownRedirect?.status).toBe(303);
+		expect(thrownRedirect?.location).toBe(ROUTE_NAMES.VORGANG(vorgObj.vorgangToken));
 
-    // Cookie wurde gesetzt
-    const COOKIE_NAME = `token-${vorgObj.vorgangToken}`
-    expect(cookiesSet).toHaveBeenCalledWith(COOKIE_NAME, vorgObj.vorgangPIN, {
-      path: '/',
+		// Cookie wurde gesetzt
+		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
+		expect(cookiesSet).toHaveBeenCalledWith(COOKIE_NAME, vorgObj.vorgangPIN, {
+			path: '/',
 			httpOnly: true,
 			sameSite: 'strict',
 			secure: !dev
-    });
-  });
+		});
+	});
 
-  it('Schlägt fehl wenn keine Daten übergeben werden', async () => {
-    const formData = new FormData(); // no data
-
-    const mockRequest = {
-      formData: vi.fn().mockResolvedValue(formData)
-    };
-
-    const cookiesSet = vi.fn();
-
-    const event = {
-      request: mockRequest,
-      cookies: {
-        set: cookiesSet
-      }
-    };
-
-    const result = await actions.getVorgangByToken(event);
-
-    expect(result).toBeUndefined();
-
-    // Cookie wird nicht gesetzt
-    expect(cookiesSet).not.toHaveBeenCalled();
-  });
+	it('Schlägt fehl wenn keine Daten übergeben werden', async () => {
+		const formData = new FormData(); // no data
+		const mockRequest = {
+			formData: vi.fn().mockResolvedValue(formData)
+		};
+		const cookiesSet = vi.fn();
+		const event = {
+			request: mockRequest,
+			cookies: {
+				set: cookiesSet
+			}
+		};
+		const result = await actions.getVorgangByToken(event);
+		expect(result.status).toBe(400);
+		expect(result.data.message).toMatch(/fehlen|ungültig/i);
+		// Cookie wird nicht gesetzt
+		expect(cookiesSet).not.toHaveBeenCalled();
+	});
+	it.todo('Überprüfe was passiert, wenn Eingabe falsch, bzw. nicht im System passend gefunden');
 });
 
 describe('Teste Guard', () => {
-  it('Lese Cookie aus', async () => {
-    const vorgObj = baseData.vorgang;
+	it('Lese Cookie aus', async () => {
+		const vorgObj = baseData.vorgang;
 
-    const COOKIE_NAME = `token-${vorgObj.vorgangToken}`
-    const cookiesGet = vi.fn().mockImplementation((key: string) => {
-      if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
-      return undefined;
-    });
+		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
+		const cookiesGet = vi.fn().mockImplementation((key: string) => {
+			if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
+			return undefined;
+		});
 
+		// mocked objects
+		const event = {
+			cookies: {
+				get: cookiesGet
+			},
+			locals: {},
+			params: { vorgang: vorgObj.vorgangToken }
+		};
+		vi.mocked(vorgangExists).mockReturnValueOnce(true);
+		vi.mocked(vorgangPINValidation).mockReturnValueOnce(true);
 
-    // mocked objects
-    const event = {
-      cookies: {
-        get: cookiesGet
-      },
-      locals: {},
-      params: {vorgang: vorgObj.vorgangToken}
-    };
-    vi.mocked(vorgangExists).mockReturnValueOnce(true);
-    vi.mocked(vorgangPINValidation).mockReturnValueOnce(true);
+		await load(event);
 
-    await load(event);
+		expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
+	});
 
-    expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
-  });
+	it('Kein Cookie gesetzt', async () => {
+		const vorgObj = baseData.vorgang;
 
-  it('Kein Cookie gesetzt', async () => {
-    const vorgObj = baseData.vorgang;
+		const COOKIE_NAME = `token-${vorgObj.vorgangToken}`;
+		const cookiesGet = vi.fn().mockImplementation((key: string) => {
+			if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
+			return undefined;
+		});
 
-    const COOKIE_NAME = `token-${vorgObj.vorgangToken}`
-    const cookiesGet = vi.fn().mockImplementation((key: string) => {
-      if (key === COOKIE_NAME) return vorgObj.vorgangPIN;
-      return undefined;
-    });
+		// mocked objects
+		const event = {
+			cookies: {
+				get: cookiesGet
+			},
+			locals: {},
+			params: { vorgang: vorgObj.vorgangToken }
+		};
+		vi.mocked(vorgangExists).mockReturnValueOnce(true);
+		vi.mocked(vorgangPINValidation).mockReturnValueOnce(false);
 
+		let thrownRedirect;
+		try {
+			await load(event);
+			throw new Error('Function did not throw');
+		} catch (e) {
+			thrownRedirect = e;
+		}
+		expect(thrownRedirect?.status).toBe(303);
+		expect(thrownRedirect?.location).toBe(
+			ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgObj.vorgangToken)
+		);
 
-    // mocked objects
-    const event = {
-      cookies: {
-        get: cookiesGet
-      },
-      locals: {},
-      params: {vorgang: vorgObj.vorgangToken}
-    };
-    vi.mocked(vorgangExists).mockReturnValueOnce(true);
-    vi.mocked(vorgangPINValidation).mockReturnValueOnce(false);
-
-    let thrownRedirect;
-    try {
-      await load(event);
-      throw new Error('Function did not throw')
-    } catch (e) {
-      thrownRedirect = e;
-    }
-    expect(thrownRedirect?.status).toBe(303);
-    expect(thrownRedirect?.location).toBe(ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgObj.vorgangToken));
-
-    expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
-  });
+		expect(cookiesGet).toHaveBeenCalledWith(COOKIE_NAME);
+	});
 });
-- 
2.43.0


From e26b36121a0a459efab086627d9742dc4c87ea8c Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Wed, 29 Oct 2025 12:34:38 +0100
Subject: [PATCH 03/11] refactor homepage for admin-user and login mask if not
 logged in

---
 src/lib/server/authService.ts             |  2 +-
 src/routes/(angemeldet)/+layout.server.ts | 10 ++--
 src/routes/(angemeldet)/+layout.svelte    |  9 +++
 src/routes/(angemeldet)/+page.server.ts   |  5 ++
 src/routes/(angemeldet)/+page.svelte      | 67 +++++++++++++++++++++--
 tests/views/Layout.test.ts                |  9 +--
 6 files changed, 85 insertions(+), 17 deletions(-)
 create mode 100644 src/routes/(angemeldet)/+page.server.ts

diff --git a/src/lib/server/authService.ts b/src/lib/server/authService.ts
index c4e2e4e..124fcad 100644
--- a/src/lib/server/authService.ts
+++ b/src/lib/server/authService.ts
@@ -26,5 +26,5 @@ export const loginUser = async ({ request, cookies }: { request: Request; cookie
 export const logoutUser = async (event: RequestEvent) => {
 	event.cookies.delete(COOKIE_NAME, { path: ROUTE_NAMES.ROOT });
 	event.locals.user = null;
-	return { success: true };
+	return redirect(303, ROUTE_NAMES.ROOT);
 };
diff --git a/src/routes/(angemeldet)/+layout.server.ts b/src/routes/(angemeldet)/+layout.server.ts
index cdde090..2976237 100644
--- a/src/routes/(angemeldet)/+layout.server.ts
+++ b/src/routes/(angemeldet)/+layout.server.ts
@@ -4,9 +4,9 @@ import type { PageServerLoad } from '../anmeldung/$types';
 import { ROUTE_NAMES } from '..';
 
 export const load: PageServerLoad = (event: ServerLoadEvent) => {
-	if (!event.locals.user && event.url.pathname !== ROUTE_NAMES.ANMELDUNG)
-		throw redirect(303, ROUTE_NAMES.ANMELDUNG);
-	return {
-		user: event.locals.user
-	};
+	if (event.locals.user) {
+		return {
+			user: event.locals.user
+		};
+	}
 };
diff --git a/src/routes/(angemeldet)/+layout.svelte b/src/routes/(angemeldet)/+layout.svelte
index a3a4cd5..13b94eb 100644
--- a/src/routes/(angemeldet)/+layout.svelte
+++ b/src/routes/(angemeldet)/+layout.svelte
@@ -5,6 +5,8 @@
 	export let data;
 </script>
 
+{#if data.user?.admin}
+
 <div class="h-screen v-screen flex flex-col">
 	<div class="flex flex-col h-full">
 		<Header {data}/>
@@ -16,3 +18,10 @@
 
 	</div>
 </div>
+
+{:else}
+
+<div class="h-screen bg-white"><slot /></div>
+
+
+{/if}
\ No newline at end of file
diff --git a/src/routes/(angemeldet)/+page.server.ts b/src/routes/(angemeldet)/+page.server.ts
new file mode 100644
index 0000000..bcbb46d
--- /dev/null
+++ b/src/routes/(angemeldet)/+page.server.ts
@@ -0,0 +1,5 @@
+import { loginUser } from '$lib/server/authService';
+
+export const actions = {
+	default: ({ request, cookies }) => loginUser({ request, cookies }),
+} as const;
diff --git a/src/routes/(angemeldet)/+page.svelte b/src/routes/(angemeldet)/+page.svelte
index 12431c8..34a1d67 100644
--- a/src/routes/(angemeldet)/+page.svelte
+++ b/src/routes/(angemeldet)/+page.svelte
@@ -2,18 +2,21 @@
 	import AddProcess from '$lib/icons/Add-Process.svelte';
 	import FileRect from '$lib/icons/File-rect.svelte';
 	import ListIcon from '$lib/icons/List-icon.svelte';
+	import Button from '$lib/components/Button.svelte';
+	import ArrowRight from '$lib/icons/Arrow-right.svelte';
 
 	import { ROUTE_NAMES } from '../index.js';
 
 	export let data;
+	export let form;
 	export let outline = true;
 </script>
 
+{#if data.user?.admin}
 <div
 	class=" inset-x-0 top-0 -z-10 h-full flex items-center justify-center bg-white shadow-lg ring-1 ring-gray-900/5"
 >
 	<div class="mx-auto flex justify-center max-w-7xl py-10 px-8 w-full">
-		{#if data.user.admin}
 			<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 				<div
 					class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
@@ -28,8 +31,6 @@
 					Verschaffe Dir einen Überblick über alle gespeicherten Tatorte.
 				</p>
 			</div>
-		{/if}
-		{#if data.user.admin}
 			<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 				<div
 					class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
@@ -42,7 +43,6 @@
 				</a>
 				<p class="mt-1 text-gray-600">Fügen Sie einem Tatort Bilder hinzu.</p>
 			</div>
-		{/if}
 		<div class="group relative rounded-lg p-6 text-sm leading-6 hover:bg-gray-50 w-1/4">
 			<div
 				class="flex h-11 w-11 items-center justify-center rounded-lg bg-gray-50 group-hover:bg-white"
@@ -58,5 +58,64 @@
 	</div>
 </div>
 
+{:else}
+
+<div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
+	<div class="sm:mx-auto sm:w-full sm:max-w-sm">
+		<img class="mx-auto h-10 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
+
+		<h2 class="mt-10 text-center text-2xl font-bold leading-9 tracking-tight text-gray-900">
+			Willkommen beim 3D Tatort
+		</h2>
+	</div>
+	<div class="w-full max-w-sm mx-auto">
+		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
+			<div class="mt-10">
+
+<form method="POST">
+						<div>
+							<label for="user" class="text-sm font-medium leading-6 text-gray-900">Name</label>
+							<div class="mt-2">
+								<input
+									id="user"
+									name="user"
+									type="text"
+									autocomplete="email"
+									required
+									class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
+								/>
+							</div>
+						</div>
+
+						<div>
+							<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
+								>Passwort</label
+							>
+							<div class="mt-2">
+								<input
+									id="password"
+									name="password"
+									type="password"
+									autocomplete="current-password"
+									required
+									class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
+								/>
+							</div>
+						</div>
+						{#if form?.incorrect}
+						Wrong credentials
+						{/if}
+						<div class="flex justify-end">
+							<Button type="submit" class="mt-5">Anmelden</Button>
+						</div>
+					</form>
+			</div>
+		</div>
+	</div>
+</div>
+
+{/if}
+
 <style>
 </style>
+
diff --git a/tests/views/Layout.test.ts b/tests/views/Layout.test.ts
index 0f329ef..2dbc1f6 100644
--- a/tests/views/Layout.test.ts
+++ b/tests/views/Layout.test.ts
@@ -11,13 +11,8 @@ describe('+layout.server load(): Teste korrekte URL', () => {
 			},
 			url: new URL(`https://example.com/not-anmeldung`)
 		};
-		try {
-			load(mockEvent);
-			throw new Error('Expected load() to throw');
-		} catch (err) {
-			expect(err.status).toBe(303);
-			expect(err.location).toBe(ROUTE_NAMES.ANMELDUNG);
-		}
+		const res = load(mockEvent);
+		expect(res).toBe(undefined);
 	});
 });
 
-- 
2.43.0


From c857041e21e20a196c88166b9618030439a34bff Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 08:57:58 +0100
Subject: [PATCH 04/11] refactor viewer-login page with error messages and
 validation

---
 src/routes/anmeldung/+page.server.ts | 21 ++++++++-----
 src/routes/anmeldung/+page.svelte    | 46 +++++-----------------------
 2 files changed, 22 insertions(+), 45 deletions(-)

diff --git a/src/routes/anmeldung/+page.server.ts b/src/routes/anmeldung/+page.server.ts
index 36c8c1b..e5bc90c 100644
--- a/src/routes/anmeldung/+page.server.ts
+++ b/src/routes/anmeldung/+page.server.ts
@@ -1,18 +1,20 @@
 import { dev } from '$app/environment';
-import { loginUser, logoutUser } from '$lib/server/authService';
-import { fail, redirect } from '@sveltejs/kit';
+import { error, fail, redirect } from '@sveltejs/kit';
 import { ROUTE_NAMES } from '../index.js';
+import { vorgangPINValidation } from '$lib/server/vorgangService.js';
 
 export const actions = {
-	login: ({ request, cookies }) => loginUser({ request, cookies }),
-	logout: (event) => logoutUser(event),
-	getVorgangByToken: async ({ request, cookies }) => {
+	default: async ({ request, cookies }) => {
 		const data = await request.formData();
 		const vorgangToken = data.get('vorgang-token');
 		const vorgangPIN = data.get('vorgang-pin') as string;
 
-		if (!vorgangToken || !vorgangPIN) {
-			return fail(400, { message: 'Token oder PIN fehlen' });
+		if (!vorgangPIN) {
+			return fail(400, { message: 'Bitte einen PIN eingeben.'});
+		}
+
+		if (!vorgangPINValidation(vorgangToken, vorgangPIN)) {
+			return fail(400, { message: 'Falsche Zugangsdaten.'});
 		}
 
 		const COOKIE_NAME = `token-${vorgangToken}`;
@@ -26,3 +28,8 @@ export const actions = {
 		throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken));
 	}
 } as const;
+
+export const load: PageServerLoad = async ({ url }) => {
+	const vorgang = url.searchParams.get('vorgang');
+	if (!vorgang) error(404, "Not Found");
+};
\ No newline at end of file
diff --git a/src/routes/anmeldung/+page.svelte b/src/routes/anmeldung/+page.svelte
index a957757..5d774ee 100644
--- a/src/routes/anmeldung/+page.svelte
+++ b/src/routes/anmeldung/+page.svelte
@@ -9,6 +9,7 @@
 	const vorgangToken = page.url.searchParams.get('vorgang');
 </script>
 
+{#if vorgangToken}
 <div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
 	<div class="sm:mx-auto sm:w-full sm:max-w-sm">
 		<img class="mx-auto h-10 w-auto" src="/Landeswappen_NI.svg" alt="Landeswappen Niedersachsen" />
@@ -20,8 +21,8 @@
 	<div class="w-full max-w-sm mx-auto">
 		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
 			<div class="mt-10">
-				{#if vorgangToken}
-					<form action={ROUTE_NAMES.ANMELDUNG_GET_VORGANG_BY_TOKEN} method="POST">
+
+					<form method="POST">
 						<input type="hidden" name="vorgang-token" value={vorgangToken} />
 						<div class="mt-5">
 							<BaseInputField
@@ -33,48 +34,17 @@
 								error={form?.error?.message}
 							/>
 						</div>
+						{#if form?.message}
+							<p class="block text-sm leading-6 text-red-900 mt-2">{form.message}</p>
+						{/if}
+
 						<div class="flex justify-end pt-4">
 							<Button type="submit"><ArrowRight /></Button>
 						</div>
 					</form>
-				{:else}
-					<form action={ROUTE_NAMES.ANMELDUNG_LOGIN} method="POST">
-						<div>
-							<label for="user" class="text-sm font-medium leading-6 text-gray-900">Name</label>
-							<div class="mt-2">
-								<input
-									id="user"
-									name="user"
-									type="text"
-									autocomplete="email"
-									required
-									class="rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
-								/>
-							</div>
-						</div>
 
-						<div>
-							<label for="password" class="block text-sm font-medium leading-6 text-gray-900"
-								>Passwort</label
-							>
-							<div class="mt-2">
-								<input
-									id="password"
-									name="password"
-									type="password"
-									autocomplete="current-password"
-									required
-									class="block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6"
-								/>
-							</div>
-						</div>
-
-						<div class="flex justify-end">
-							<Button type="submit" class="mt-5">Anmelden</Button>
-						</div>
-					</form>
-				{/if}
 			</div>
 		</div>
 	</div>
 </div>
+{/if}
\ No newline at end of file
-- 
2.43.0


From 48fe999b5bf0f46be6b241f5fb3b4615092f9144 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 10:35:45 +0100
Subject: [PATCH 05/11] protect admin pages after refactoring

---
 src/routes/(angemeldet)/list/+page.server.ts            | 7 ++++++-
 src/routes/(angemeldet)/upload/+page.server.ts          | 9 ++++++++-
 src/routes/(angemeldet)/user-management/+page.server.ts | 8 ++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 src/routes/(angemeldet)/user-management/+page.server.ts

diff --git a/src/routes/(angemeldet)/list/+page.server.ts b/src/routes/(angemeldet)/list/+page.server.ts
index 2053a67..ab89231 100644
--- a/src/routes/(angemeldet)/list/+page.server.ts
+++ b/src/routes/(angemeldet)/list/+page.server.ts
@@ -1,7 +1,12 @@
 import { getVorgaenge } from '$lib/server/vorgangService';
 import type { PageServerLoad } from '../../(token-based)/view/$types';
+import { error } from '@sveltejs/kit';
+
+export const load: PageServerLoad = async (event) => {
+	if (!event.locals.user) {
+		error(404, 'Not Found')
+	}
 
-export const load: PageServerLoad = async () => {
 	const vorgangList = getVorgaenge();
 
 	return {
diff --git a/src/routes/(angemeldet)/upload/+page.server.ts b/src/routes/(angemeldet)/upload/+page.server.ts
index dfa143c..8155608 100644
--- a/src/routes/(angemeldet)/upload/+page.server.ts
+++ b/src/routes/(angemeldet)/upload/+page.server.ts
@@ -1,6 +1,6 @@
 import { Readable } from 'stream';
 import { BUCKET, client } from '$lib/minio';
-import { fail } from '@sveltejs/kit';
+import { fail, error } from '@sveltejs/kit';
 import { v4 as uuidv4 } from 'uuid';
 
 import { db } from '$lib/server/dbService';
@@ -123,3 +123,10 @@ export const actions = {
 		return { etag, error };
 	}
 };
+
+
+export const load: PageServerLoad = async (event) => {
+	if (!event.locals.user) {
+		error(404, 'Not found')
+	}
+};
\ No newline at end of file
diff --git a/src/routes/(angemeldet)/user-management/+page.server.ts b/src/routes/(angemeldet)/user-management/+page.server.ts
new file mode 100644
index 0000000..0b4a194
--- /dev/null
+++ b/src/routes/(angemeldet)/user-management/+page.server.ts
@@ -0,0 +1,8 @@
+import type { PageServerLoad } from '../../(token-based)/view/$types';
+import { error } from '@sveltejs/kit';
+
+export const load: PageServerLoad = async (event) => {
+	if (!event.locals.user) {
+		error(404, 'Not Found')
+	}
+};
-- 
2.43.0


From 23f2feeefb98636dfc22ea419575dbb34e5f6c12 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 10:36:50 +0100
Subject: [PATCH 06/11] remove ununsed import

---
 src/routes/(angemeldet)/+layout.server.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/(angemeldet)/+layout.server.ts b/src/routes/(angemeldet)/+layout.server.ts
index 2976237..192a087 100644
--- a/src/routes/(angemeldet)/+layout.server.ts
+++ b/src/routes/(angemeldet)/+layout.server.ts
@@ -1,4 +1,4 @@
-import { redirect, type ServerLoadEvent } from '@sveltejs/kit';
+import { type ServerLoadEvent } from '@sveltejs/kit';
 import type { PageServerLoad } from '../anmeldung/$types';
 
 import { ROUTE_NAMES } from '..';
-- 
2.43.0


From 349d2cea6ae89b22803d583bd049b178625cf8ac Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 10:38:11 +0100
Subject: [PATCH 07/11] named actions for logging in and out

---
 src/routes/(angemeldet)/+page.server.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/routes/(angemeldet)/+page.server.ts b/src/routes/(angemeldet)/+page.server.ts
index bcbb46d..058a07d 100644
--- a/src/routes/(angemeldet)/+page.server.ts
+++ b/src/routes/(angemeldet)/+page.server.ts
@@ -1,5 +1,6 @@
-import { loginUser } from '$lib/server/authService';
+import { loginUser, logoutUser } from '$lib/server/authService';
 
 export const actions = {
-	default: ({ request, cookies }) => loginUser({ request, cookies }),
+	login: ({ request, cookies }) => loginUser({ request, cookies }),
+	logout: (event) => logoutUser(event),
 } as const;
-- 
2.43.0


From 793ddb17d6f32157e2b566aece5a527936bc6010 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 10:56:23 +0100
Subject: [PATCH 08/11] magic strings for login and logout

---
 src/lib/components/Header.svelte     | 2 +-
 src/routes/(angemeldet)/+page.svelte | 2 +-
 src/routes/index.ts                  | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/components/Header.svelte b/src/lib/components/Header.svelte
index eb3d1d9..f6e49e0 100644
--- a/src/lib/components/Header.svelte
+++ b/src/lib/components/Header.svelte
@@ -21,7 +21,7 @@
 			<h1 class="text-3xl text-slate-400 font-bold">Tatort</h1>
 			<div class="lg:flex lg:justify-end w-48">
 				{#if data.user}
-					<form method="POST" action="{ROUTE_NAMES.ANMELDUNG_LOGOUT}">
+					<form method="POST" action="{ROUTE_NAMES.LOGOUT}">
 						<input type="hidden" />
 						<button type="submit" class="text-sm font-semibold leading-6 text-gray-900"
 							><span
diff --git a/src/routes/(angemeldet)/+page.svelte b/src/routes/(angemeldet)/+page.svelte
index 34a1d67..d6900ec 100644
--- a/src/routes/(angemeldet)/+page.svelte
+++ b/src/routes/(angemeldet)/+page.svelte
@@ -72,7 +72,7 @@
 		<div class="relative mt-5 bg-gray-50 rounded-xl shadow-xl p-3 pt-1">
 			<div class="mt-10">
 
-<form method="POST">
+<form action="{ROUTE_NAMES.LOGIN}" method="POST">
 						<div>
 							<label for="user" class="text-sm font-medium leading-6 text-gray-900">Name</label>
 							<div class="mt-2">
diff --git a/src/routes/index.ts b/src/routes/index.ts
index a8c3603..f7b5f00 100644
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@@ -16,8 +16,8 @@ export const ROUTE_NAMES = {
 
 	// Anmeldung: actions
 	ANMELDUNG: '/anmeldung',
-	ANMELDUNG_LOGIN: '/anmeldung?/login',
-	ANMELDUNG_LOGOUT: '/anmeldung?/logout',
+	LOGIN: '/?/login',
+	LOGOUT: '/?/logout',
 	ANMELDUNG_GET_VORGANG_BY_TOKEN: '/anmeldung?/getVorgangByToken',
 	ANMELDUNG_VORGANG_PARAM: (vorgangToken: string) => `/anmeldung?vorgang=${vorgangToken}`
 };
-- 
2.43.0


From 36273fd426d3a3c2b543a363973bf0b6e34c40f3 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 11:15:07 +0100
Subject: [PATCH 09/11] fix tests for refactoring of viewer
 Vorgang-PIN-validation

---
 tests/views/Anmeldung.test.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/tests/views/Anmeldung.test.ts b/tests/views/Anmeldung.test.ts
index 4d95808..48fb893 100644
--- a/tests/views/Anmeldung.test.ts
+++ b/tests/views/Anmeldung.test.ts
@@ -27,6 +27,7 @@ describe('Vorgang Anzeige via Token', () => {
 		const mockRequest = {
 			formData: vi.fn().mockResolvedValue(formData)
 		};
+		vi.mocked(vorgangPINValidation).mockReturnValueOnce(true);
 
 		const cookiesSet = vi.fn();
 
@@ -39,7 +40,7 @@ describe('Vorgang Anzeige via Token', () => {
 
 		let thrownRedirect: Redirect | undefined;
 		try {
-			await actions.getVorgangByToken(event);
+			await actions.default(event);
 		} catch (e) {
 			thrownRedirect = e as Redirect;
 		}
@@ -70,9 +71,9 @@ describe('Vorgang Anzeige via Token', () => {
 				set: cookiesSet
 			}
 		};
-		const result = await actions.getVorgangByToken(event);
+		const result = await actions.default(event);
 		expect(result.status).toBe(400);
-		expect(result.data.message).toMatch(/fehlen|ungültig/i);
+		expect(result.data.message).toMatch(/PIN eingeben/i);
 		// Cookie wird nicht gesetzt
 		expect(cookiesSet).not.toHaveBeenCalled();
 	});
-- 
2.43.0


From 4fc6da850bc4d93ccd74261ca107c3f5bbd020d8 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 12:04:58 +0100
Subject: [PATCH 10/11] change invalid user login

---
 src/lib/server/authService.ts        | 3 ++-
 src/routes/(angemeldet)/+page.svelte | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/lib/server/authService.ts b/src/lib/server/authService.ts
index 124fcad..681f874 100644
--- a/src/lib/server/authService.ts
+++ b/src/lib/server/authService.ts
@@ -12,7 +12,8 @@ export const loginUser = async ({ request, cookies }: { request: Request; cookie
 
 	const token = authenticate(user, password);
 
-	if (!token) return fail(400, { user, incorrect: true });
+	if (!token) return fail(400, { user, incorrect: true,
+								message: "Ungültige Zugangsdaten" });
 
 	cookies.set(COOKIE_NAME, token, {
 		path: ROUTE_NAMES.ROOT,
diff --git a/src/routes/(angemeldet)/+page.svelte b/src/routes/(angemeldet)/+page.svelte
index d6900ec..0472302 100644
--- a/src/routes/(angemeldet)/+page.svelte
+++ b/src/routes/(angemeldet)/+page.svelte
@@ -103,7 +103,7 @@
 							</div>
 						</div>
 						{#if form?.incorrect}
-						Wrong credentials
+							<p class="block text-sm leading-6 text-red-900 mt-2">{form.message}</p>
 						{/if}
 						<div class="flex justify-end">
 							<Button type="submit" class="mt-5">Anmelden</Button>
-- 
2.43.0


From 332a3e5c15d2989ab3bb0b7011041111f8b78d09 Mon Sep 17 00:00:00 2001
From: Chi Cong Tran <chi-cong.tran@polizei.niedersachsen.de>
Date: Thu, 30 Oct 2025 12:16:21 +0100
Subject: [PATCH 11/11] change description of test case: load() now returns
 undefined if not logged-in

---
 tests/views/Layout.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/views/Layout.test.ts b/tests/views/Layout.test.ts
index 2dbc1f6..9b79b3a 100644
--- a/tests/views/Layout.test.ts
+++ b/tests/views/Layout.test.ts
@@ -4,7 +4,7 @@ import { ROUTE_NAMES } from '../../src/routes';
 import { baseData, mockEvent } from '../fixtures';
 
 describe('+layout.server load(): Teste korrekte URL', () => {
-	test('Werfe redirect zu /anmeldung wenn User nicht eingeloggt', async () => {
+	test('Werfe keinen Redirect und gebe nichts zurück', async () => {
 		const mockEvent = {
 			locals: {
 				user: null
-- 
2.43.0