feat: implement authentication flow

Backend:
- AppConfig, AppError, AppState modules for shared infrastructure
- JWT creation/verification with HS256 (jsonwebtoken crate)
- Session management: SHA-256 token hashing, DB-backed sessions
- Auth middleware: AuthUser, RequireHost, RequireAdmin extractors
- POST /api/v1/join: name-only registration, 4-digit PIN + bcrypt hash
- POST /api/v1/recover: PIN-based recovery with 3-attempt lockout (15 min)
- POST /api/v1/admin/login: bcrypt password verification
- DELETE /api/v1/session: logout (session invalidation)
- Migration 006: user PIN lockout columns (failed_pin_attempts, pin_locked_until)
- Models: Event, User (with role enum), Session with all CRUD methods

Frontend:
- api.ts: typed fetch wrapper with automatic Bearer token injection
- auth.ts: JWT/PIN localStorage management with Svelte store
- /join: name entry form with PIN display modal and copy button
- /recover: name + PIN recovery form with saved PIN pre-fill
- /feed: placeholder gallery page with logout
- Root layout: auth initialization on mount
- Root page: redirect to /join or /feed based on auth state

All responses use German language strings as specified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/auth/handlers.rs

@@ -0,0 +1,232 @@
+use axum::extract::State;
+use axum::http::StatusCode;
+use axum::Json;
+use chrono::{Duration, Utc};
+use rand::Rng;
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+use crate::auth::jwt;
+use crate::auth::middleware::AuthUser;
+use crate::error::AppError;
+use crate::models::event::Event;
+use crate::models::session::Session;
+use crate::models::user::{User, UserRole};
+use crate::state::AppState;
+
+#[derive(Deserialize)]
+pub struct JoinRequest {
+    pub display_name: String,
+}
+
+#[derive(Serialize)]
+pub struct JoinResponse {
+    pub jwt: String,
+    pub pin: String,
+    pub user_id: Uuid,
+    pub is_new: bool,
+}
+
+pub async fn join(
+    State(state): State<AppState>,
+    Json(body): Json<JoinRequest>,
+) -> Result<(StatusCode, Json<JoinResponse>), AppError> {
+    let display_name = body.display_name.trim();
+    if display_name.is_empty() || display_name.len() > 50 {
+        return Err(AppError::BadRequest(
+            "Name muss zwischen 1 und 50 Zeichen lang sein.".into(),
+        ));
+    }
+
+    let event = Event::find_or_create(
+        &state.pool,
+        &state.config.event_slug,
+        &state.config.event_name,
+    )
+    .await?;
+
+    // Generate a 4-digit PIN
+    let pin: String = format!("{:04}", rand::rng().random_range(0..10000u32));
+    let pin_hash =
+        bcrypt::hash(&pin, 12).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+
+    let user = User::create(&state.pool, event.id, display_name, &pin_hash).await?;
+
+    let token = jwt::create_token(
+        user.id,
+        event.id,
+        user.role.clone(),
+        &state.config.jwt_secret,
+        state.config.session_expiry_days,
+    )
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+
+    let token_hash = jwt::hash_token(&token);
+    let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
+    Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
+
+    Ok((
+        StatusCode::CREATED,
+        Json(JoinResponse {
+            jwt: token,
+            pin,
+            user_id: user.id,
+            is_new: true,
+        }),
+    ))
+}
+
+#[derive(Deserialize)]
+pub struct RecoverRequest {
+    pub display_name: String,
+    pub pin: String,
+}
+
+#[derive(Serialize)]
+pub struct RecoverResponse {
+    pub jwt: String,
+    pub user_id: Uuid,
+}
+
+pub async fn recover(
+    State(state): State<AppState>,
+    Json(body): Json<RecoverRequest>,
+) -> Result<Json<RecoverResponse>, AppError> {
+    let display_name = body.display_name.trim();
+
+    let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
+
+    let users =
+        User::find_by_event_and_name(&state.pool, event.id, display_name).await?;
+
+    if users.is_empty() {
+        return Err(AppError::NotFound(
+            "Kein Benutzer mit diesem Namen gefunden.".into(),
+        ));
+    }
+
+    for user in &users {
+        // Check PIN lockout
+        if let Some(locked_until) = user.pin_locked_until {
+            if Utc::now() < locked_until {
+                return Err(AppError::TooManyRequests(
+                    "Zu viele Versuche. Bitte warte 15 Minuten.".into(),
+                ));
+            }
+        }
+
+        let pin_matches = bcrypt::verify(&body.pin, &user.recovery_pin_hash)
+            .unwrap_or(false);
+
+        if pin_matches {
+            // Reset failed attempts on success
+            User::reset_pin_attempts(&state.pool, user.id).await?;
+
+            let token = jwt::create_token(
+                user.id,
+                event.id,
+                user.role.clone(),
+                &state.config.jwt_secret,
+                state.config.session_expiry_days,
+            )
+            .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+
+            let token_hash = jwt::hash_token(&token);
+            let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
+            Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
+
+            return Ok(Json(RecoverResponse {
+                jwt: token,
+                user_id: user.id,
+            }));
+        }
+
+        // Wrong PIN — increment failure count
+        let attempts = User::increment_failed_pin(&state.pool, user.id).await?;
+        if attempts >= 3 {
+            let lockout = Utc::now() + Duration::minutes(15);
+            User::lock_pin(&state.pool, user.id, lockout).await?;
+        }
+    }
+
+    Err(AppError::Unauthorized("PIN ist falsch.".into()))
+}
+
+#[derive(Deserialize)]
+pub struct AdminLoginRequest {
+    pub password: String,
+}
+
+#[derive(Serialize)]
+pub struct AdminLoginResponse {
+    pub jwt: String,
+}
+
+pub async fn admin_login(
+    State(state): State<AppState>,
+    Json(body): Json<AdminLoginRequest>,
+) -> Result<Json<AdminLoginResponse>, AppError> {
+    if state.config.admin_password_hash.is_empty() {
+        return Err(AppError::Forbidden(
+            "Admin-Login ist nicht konfiguriert.".into(),
+        ));
+    }
+
+    let valid = bcrypt::verify(&body.password, &state.config.admin_password_hash)
+        .unwrap_or(false);
+
+    if !valid {
+        return Err(AppError::Unauthorized("Falsches Passwort.".into()));
+    }
+
+    let event = Event::find_or_create(
+        &state.pool,
+        &state.config.event_slug,
+        &state.config.event_name,
+    )
+    .await?;
+
+    // Find or create the admin user for this event
+    let admin_name = "Admin";
+    let users = User::find_by_event_and_name(&state.pool, event.id, admin_name).await?;
+    let admin_user = if let Some(u) = users.into_iter().find(|u| u.role == UserRole::Admin) {
+        u
+    } else {
+        // Create admin user with a dummy PIN (admin authenticates via password)
+        let dummy_hash = bcrypt::hash("0000", 4)
+            .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+        let user = User::create(&state.pool, event.id, admin_name, &dummy_hash).await?;
+        sqlx::query("UPDATE \"user\" SET role = 'admin' WHERE id = $1")
+            .bind(user.id)
+            .execute(&state.pool)
+            .await?;
+        User::find_by_id(&state.pool, user.id)
+            .await?
+            .ok_or_else(|| AppError::Internal(anyhow::anyhow!("admin user creation failed")))?
+    };
+
+    let token = jwt::create_token(
+        admin_user.id,
+        event.id,
+        UserRole::Admin,
+        &state.config.jwt_secret,
+        1, // Admin sessions expire after 1 day
+    )
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+
+    let token_hash = jwt::hash_token(&token);
+    let expires_at = Utc::now() + Duration::days(1);
+    Session::create(&state.pool, admin_user.id, &token_hash, expires_at).await?;
+
+    Ok(Json(AdminLoginResponse { jwt: token }))
+}
+
+pub async fn logout(
+    State(state): State<AppState>,
+    auth: AuthUser,
+) -> Result<StatusCode, AppError> {
+    Session::delete_by_token_hash(&state.pool, &auth.token_hash).await?;
+    Ok(StatusCode::NO_CONTENT)
+}

backend/src/auth/jwt.rs

@@ -0,0 +1,53 @@
+use chrono::{Duration, Utc};
+use jsonwebtoken::{DecodingKey, EncodingKey, Header, Validation};
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use uuid::Uuid;
+
+use crate::models::user::UserRole;
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Claims {
+    pub sub: Uuid,
+    pub event_id: Uuid,
+    pub role: UserRole,
+    pub exp: i64,
+    pub iat: i64,
+}
+
+pub fn create_token(
+    user_id: Uuid,
+    event_id: Uuid,
+    role: UserRole,
+    secret: &str,
+    expiry_days: i64,
+) -> Result<String, jsonwebtoken::errors::Error> {
+    let now = Utc::now();
+    let claims = Claims {
+        sub: user_id,
+        event_id,
+        role,
+        iat: now.timestamp(),
+        exp: (now + Duration::days(expiry_days)).timestamp(),
+    };
+    jsonwebtoken::encode(
+        &Header::default(),
+        &claims,
+        &EncodingKey::from_secret(secret.as_bytes()),
+    )
+}
+
+pub fn verify_token(token: &str, secret: &str) -> Result<Claims, jsonwebtoken::errors::Error> {
+    let data = jsonwebtoken::decode::<Claims>(
+        token,
+        &DecodingKey::from_secret(secret.as_bytes()),
+        &Validation::default(),
+    )?;
+    Ok(data.claims)
+}
+
+pub fn hash_token(token: &str) -> String {
+    let mut hasher = Sha256::new();
+    hasher.update(token.as_bytes());
+    format!("{:x}", hasher.finalize())
+}

backend/src/auth/middleware.rs

@@ -0,0 +1,96 @@
+use axum::extract::{FromRequestParts, State};
+use axum::http::request::Parts;
+use uuid::Uuid;
+
+use crate::auth::jwt;
+use crate::error::AppError;
+use crate::models::session::Session;
+use crate::models::user::UserRole;
+use crate::state::AppState;
+
+#[derive(Debug, Clone)]
+pub struct AuthUser {
+    pub user_id: Uuid,
+    pub event_id: Uuid,
+    pub role: UserRole,
+    pub token_hash: String,
+}
+
+impl FromRequestParts<AppState> for AuthUser {
+    type Rejection = AppError;
+
+    async fn from_request_parts(
+        parts: &mut Parts,
+        state: &AppState,
+    ) -> Result<Self, Self::Rejection> {
+        let header = parts
+            .headers
+            .get("authorization")
+            .and_then(|v| v.to_str().ok())
+            .ok_or_else(|| AppError::Unauthorized("Token fehlt.".into()))?;
+
+        let token = header
+            .strip_prefix("Bearer ")
+            .ok_or_else(|| AppError::Unauthorized("Ungültiges Token-Format.".into()))?;
+
+        let claims = jwt::verify_token(token, &state.config.jwt_secret)
+            .map_err(|_| AppError::Unauthorized("Token ungültig oder abgelaufen.".into()))?;
+
+        let token_hash = jwt::hash_token(token);
+
+        let session = Session::find_by_token_hash(&state.pool, &token_hash)
+            .await
+            .map_err(|e| AppError::Internal(e.into()))?
+            .ok_or_else(|| AppError::Unauthorized("Sitzung nicht gefunden oder abgelaufen.".into()))?;
+
+        // Update last_seen_at in the background (fire-and-forget)
+        let pool = state.pool.clone();
+        let session_id = session.id;
+        tokio::spawn(async move {
+            let _ = Session::touch(&pool, session_id).await;
+        });
+
+        Ok(Self {
+            user_id: claims.sub,
+            event_id: claims.event_id,
+            role: claims.role,
+            token_hash,
+        })
+    }
+}
+
+/// Extractor that requires at least Host role.
+pub struct RequireHost(pub AuthUser);
+
+impl FromRequestParts<AppState> for RequireHost {
+    type Rejection = AppError;
+
+    async fn from_request_parts(
+        parts: &mut Parts,
+        state: &AppState,
+    ) -> Result<Self, Self::Rejection> {
+        let auth = AuthUser::from_request_parts(parts, state).await?;
+        match auth.role {
+            UserRole::Host | UserRole::Admin => Ok(Self(auth)),
+            _ => Err(AppError::Forbidden("Nur für Hosts und Admins.".into())),
+        }
+    }
+}
+
+/// Extractor that requires Admin role.
+pub struct RequireAdmin(pub AuthUser);
+
+impl FromRequestParts<AppState> for RequireAdmin {
+    type Rejection = AppError;
+
+    async fn from_request_parts(
+        parts: &mut Parts,
+        state: &AppState,
+    ) -> Result<Self, Self::Rejection> {
+        let auth = AuthUser::from_request_parts(parts, state).await?;
+        match auth.role {
+            UserRole::Admin => Ok(Self(auth)),
+            _ => Err(AppError::Forbidden("Nur für Admins.".into())),
+        }
+    }
+}

backend/src/auth/mod.rs

@@ -0,0 +1,3 @@
+pub mod handlers;
+pub mod jwt;
+pub mod middleware;