feat: implement upload pipeline with compression and SSE

Backend: - POST /api/v1/upload: multipart file upload with caption + hashtags - Validates file size against DB config limits (image/video separate) - Checks user ban status and event upload lock - Saves original to disk under {media_path}/originals/{slug}/ - Tracks user total_upload_bytes for quota enforcement - Extracts hashtags from caption text and explicit CSV field - Upserts hashtags and links them to uploads - PATCH /api/v1/upload/{id}: edit caption and hashtags (owner only) - DELETE /api/v1/upload/{id}: soft-delete (owner only) - GET /api/v1/stream: SSE endpoint with 30s keepalive - Broadcasts new-upload events to all connected clients - Uses tokio broadcast channel for fan-out Services: - CompressionWorker: Tokio semaphore-bounded (concurrency=2) background processor - Images: resize to 800px wide JPEG preview via image crate - PNG originals: lossless compression via oxipng - Videos: ffmpeg thumbnail extraction (1 frame at 1s, scaled to 800px) - Updates upload record with preview_path/thumbnail_path on completion Models: - Upload with full CRUD (create, find, update caption, soft delete, set paths) - Hashtag with upsert, link/unlink, extract_hashtags() text parser - UploadDto for API serialization with like/comment counts Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat: implement authentication flow
2026-03-31 21:48:59 +02:00 · 2026-03-31 21:44:03 +02:00
30 changed files with 1750 additions and 11 deletions
--- a/backend/Cargo.lock
+++ b/backend/Cargo.lock
@@ -894,15 +894,19 @@ dependencies = [
 "bcrypt",
 "chrono",
 "dotenvy",
 "futures",
 "image",
 "jsonwebtoken",
 "minijinja",
 "oxipng",
 "rand 0.9.2",
 "serde",
 "serde_json",
 "sha2",
 "sqlx",
 "sysinfo",
 "tokio",
 "tokio-stream",
 "tower",
 "tower-http",
 "tower_governor",
@@ -3251,6 +3255,7 @@ dependencies = [
 "futures-core",
 "pin-project-lite",
 "tokio",
 "tokio-util",
 ]
 [[package]]
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -16,6 +16,10 @@ jsonwebtoken = "9"
 bcrypt = "0.15"
 uuid = { version = "1", features = ["v4", "serde"] }
 chrono = { version = "0.4", features = ["serde"] }
 tokio-stream = { version = "0.1", features = ["sync"] }
 futures = "0.3"
 sha2 = "0.10"
 rand = "0.9"
 anyhow = "1"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
--- a/backend/migrations/006_user_pin_lockout.down.sql
+++ b/backend/migrations/006_user_pin_lockout.down.sql
@@ -0,0 +1,2 @@
 ALTER TABLE "user" DROP COLUMN IF EXISTS pin_locked_until;
 ALTER TABLE "user" DROP COLUMN IF EXISTS failed_pin_attempts;
--- a/backend/migrations/006_user_pin_lockout.up.sql
+++ b/backend/migrations/006_user_pin_lockout.up.sql
@@ -0,0 +1,2 @@
 ALTER TABLE "user" ADD COLUMN failed_pin_attempts SMALLINT NOT NULL DEFAULT 0;
 ALTER TABLE "user" ADD COLUMN pin_locked_until TIMESTAMPTZ;
--- a/backend/src/auth/handlers.rs
+++ b/backend/src/auth/handlers.rs
@@ -0,0 +1,232 @@
 use axum::extract::State;
 use axum::http::StatusCode;
 use axum::Json;
 use chrono::{Duration, Utc};
 use rand::Rng;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 use crate::auth::jwt;
 use crate::auth::middleware::AuthUser;
 use crate::error::AppError;
 use crate::models::event::Event;
 use crate::models::session::Session;
 use crate::models::user::{User, UserRole};
 use crate::state::AppState;
 #[derive(Deserialize)]
 pub struct JoinRequest {
    pub display_name: String,
 }
 #[derive(Serialize)]
 pub struct JoinResponse {
    pub jwt: String,
    pub pin: String,
    pub user_id: Uuid,
    pub is_new: bool,
 }
 pub async fn join(
    State(state): State<AppState>,
    Json(body): Json<JoinRequest>,
 ) -> Result<(StatusCode, Json<JoinResponse>), AppError> {
    let display_name = body.display_name.trim();
    if display_name.is_empty() || display_name.len() > 50 {
        return Err(AppError::BadRequest(
            "Name muss zwischen 1 und 50 Zeichen lang sein.".into(),
        ));
    }
    let event = Event::find_or_create(
        &state.pool,
        &state.config.event_slug,
        &state.config.event_name,
    )
    .await?;
    // Generate a 4-digit PIN
    let pin: String = format!("{:04}", rand::rng().random_range(0..10000u32));
    let pin_hash =
        bcrypt::hash(&pin, 12).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
    let user = User::create(&state.pool, event.id, display_name, &pin_hash).await?;
    let token = jwt::create_token(
        user.id,
        event.id,
        user.role.clone(),
        &state.config.jwt_secret,
        state.config.session_expiry_days,
    )
    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
    let token_hash = jwt::hash_token(&token);
    let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
    Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
    Ok((
        StatusCode::CREATED,
        Json(JoinResponse {
            jwt: token,
            pin,
            user_id: user.id,
            is_new: true,
        }),
    ))
 }
 #[derive(Deserialize)]
 pub struct RecoverRequest {
    pub display_name: String,
    pub pin: String,
 }
 #[derive(Serialize)]
 pub struct RecoverResponse {
    pub jwt: String,
    pub user_id: Uuid,
 }
 pub async fn recover(
    State(state): State<AppState>,
    Json(body): Json<RecoverRequest>,
 ) -> Result<Json<RecoverResponse>, AppError> {
    let display_name = body.display_name.trim();
    let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
        .await?
        .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
    let users =
        User::find_by_event_and_name(&state.pool, event.id, display_name).await?;
    if users.is_empty() {
        return Err(AppError::NotFound(
            "Kein Benutzer mit diesem Namen gefunden.".into(),
        ));
    }
    for user in &users {
        // Check PIN lockout
        if let Some(locked_until) = user.pin_locked_until {
            if Utc::now() < locked_until {
                return Err(AppError::TooManyRequests(
                    "Zu viele Versuche. Bitte warte 15 Minuten.".into(),
                ));
            }
        }
        let pin_matches = bcrypt::verify(&body.pin, &user.recovery_pin_hash)
            .unwrap_or(false);
        if pin_matches {
            // Reset failed attempts on success
            User::reset_pin_attempts(&state.pool, user.id).await?;
            let token = jwt::create_token(
                user.id,
                event.id,
                user.role.clone(),
                &state.config.jwt_secret,
                state.config.session_expiry_days,
            )
            .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
            let token_hash = jwt::hash_token(&token);
            let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
            Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
            return Ok(Json(RecoverResponse {
                jwt: token,
                user_id: user.id,
            }));
        }
        // Wrong PIN — increment failure count
        let attempts = User::increment_failed_pin(&state.pool, user.id).await?;
        if attempts >= 3 {
            let lockout = Utc::now() + Duration::minutes(15);
            User::lock_pin(&state.pool, user.id, lockout).await?;
        }
    }
    Err(AppError::Unauthorized("PIN ist falsch.".into()))
 }
 #[derive(Deserialize)]
 pub struct AdminLoginRequest {
    pub password: String,
 }
 #[derive(Serialize)]
 pub struct AdminLoginResponse {
    pub jwt: String,
 }
 pub async fn admin_login(
    State(state): State<AppState>,
    Json(body): Json<AdminLoginRequest>,
 ) -> Result<Json<AdminLoginResponse>, AppError> {
    if state.config.admin_password_hash.is_empty() {
        return Err(AppError::Forbidden(
            "Admin-Login ist nicht konfiguriert.".into(),
        ));
    }
    let valid = bcrypt::verify(&body.password, &state.config.admin_password_hash)
        .unwrap_or(false);
    if !valid {
        return Err(AppError::Unauthorized("Falsches Passwort.".into()));
    }
    let event = Event::find_or_create(
        &state.pool,
        &state.config.event_slug,
        &state.config.event_name,
    )
    .await?;
    // Find or create the admin user for this event
    let admin_name = "Admin";
    let users = User::find_by_event_and_name(&state.pool, event.id, admin_name).await?;
    let admin_user = if let Some(u) = users.into_iter().find(|u| u.role == UserRole::Admin) {
        u
    } else {
        // Create admin user with a dummy PIN (admin authenticates via password)
        let dummy_hash = bcrypt::hash("0000", 4)
            .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
        let user = User::create(&state.pool, event.id, admin_name, &dummy_hash).await?;
        sqlx::query("UPDATE \"user\" SET role = 'admin' WHERE id = $1")
            .bind(user.id)
            .execute(&state.pool)
            .await?;
        User::find_by_id(&state.pool, user.id)
            .await?
            .ok_or_else(|| AppError::Internal(anyhow::anyhow!("admin user creation failed")))?
    };
    let token = jwt::create_token(
        admin_user.id,
        event.id,
        UserRole::Admin,
        &state.config.jwt_secret,
        1, // Admin sessions expire after 1 day
    )
    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
    let token_hash = jwt::hash_token(&token);
    let expires_at = Utc::now() + Duration::days(1);
    Session::create(&state.pool, admin_user.id, &token_hash, expires_at).await?;
    Ok(Json(AdminLoginResponse { jwt: token }))
 }
 pub async fn logout(
    State(state): State<AppState>,
    auth: AuthUser,
 ) -> Result<StatusCode, AppError> {
    Session::delete_by_token_hash(&state.pool, &auth.token_hash).await?;
    Ok(StatusCode::NO_CONTENT)
 }
--- a/backend/src/auth/jwt.rs
+++ b/backend/src/auth/jwt.rs
@@ -0,0 +1,53 @@
 use chrono::{Duration, Utc};
 use jsonwebtoken::{DecodingKey, EncodingKey, Header, Validation};
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
 use uuid::Uuid;
 use crate::models::user::UserRole;
 #[derive(Debug, Serialize, Deserialize)]
 pub struct Claims {
    pub sub: Uuid,
    pub event_id: Uuid,
    pub role: UserRole,
    pub exp: i64,
    pub iat: i64,
 }
 pub fn create_token(
    user_id: Uuid,
    event_id: Uuid,
    role: UserRole,
    secret: &str,
    expiry_days: i64,
 ) -> Result<String, jsonwebtoken::errors::Error> {
    let now = Utc::now();
    let claims = Claims {
        sub: user_id,
        event_id,
        role,
        iat: now.timestamp(),
        exp: (now + Duration::days(expiry_days)).timestamp(),
    };
    jsonwebtoken::encode(
        &Header::default(),
        &claims,
        &EncodingKey::from_secret(secret.as_bytes()),
    )
 }
 pub fn verify_token(token: &str, secret: &str) -> Result<Claims, jsonwebtoken::errors::Error> {
    let data = jsonwebtoken::decode::<Claims>(
        token,
        &DecodingKey::from_secret(secret.as_bytes()),
        &Validation::default(),
    )?;
    Ok(data.claims)
 }
 pub fn hash_token(token: &str) -> String {
    let mut hasher = Sha256::new();
    hasher.update(token.as_bytes());
    format!("{:x}", hasher.finalize())
 }
--- a/backend/src/auth/middleware.rs
+++ b/backend/src/auth/middleware.rs
@@ -0,0 +1,96 @@
 use axum::extract::{FromRequestParts, State};
 use axum::http::request::Parts;
 use uuid::Uuid;
 use crate::auth::jwt;
 use crate::error::AppError;
 use crate::models::session::Session;
 use crate::models::user::UserRole;
 use crate::state::AppState;
 #[derive(Debug, Clone)]
 pub struct AuthUser {
    pub user_id: Uuid,
    pub event_id: Uuid,
    pub role: UserRole,
    pub token_hash: String,
 }
 impl FromRequestParts<AppState> for AuthUser {
    type Rejection = AppError;
    async fn from_request_parts(
        parts: &mut Parts,
        state: &AppState,
    ) -> Result<Self, Self::Rejection> {
        let header = parts
            .headers
            .get("authorization")
            .and_then(|v| v.to_str().ok())
            .ok_or_else(|| AppError::Unauthorized("Token fehlt.".into()))?;
        let token = header
            .strip_prefix("Bearer ")
            .ok_or_else(|| AppError::Unauthorized("Ungültiges Token-Format.".into()))?;
        let claims = jwt::verify_token(token, &state.config.jwt_secret)
            .map_err(|_| AppError::Unauthorized("Token ungültig oder abgelaufen.".into()))?;
        let token_hash = jwt::hash_token(token);
        let session = Session::find_by_token_hash(&state.pool, &token_hash)
            .await
            .map_err(|e| AppError::Internal(e.into()))?
            .ok_or_else(|| AppError::Unauthorized("Sitzung nicht gefunden oder abgelaufen.".into()))?;
        // Update last_seen_at in the background (fire-and-forget)
        let pool = state.pool.clone();
        let session_id = session.id;
        tokio::spawn(async move {
            let _ = Session::touch(&pool, session_id).await;
        });
        Ok(Self {
            user_id: claims.sub,
            event_id: claims.event_id,
            role: claims.role,
            token_hash,
        })
    }
 }
 /// Extractor that requires at least Host role.
 pub struct RequireHost(pub AuthUser);
 impl FromRequestParts<AppState> for RequireHost {
    type Rejection = AppError;
    async fn from_request_parts(
        parts: &mut Parts,
        state: &AppState,
    ) -> Result<Self, Self::Rejection> {
        let auth = AuthUser::from_request_parts(parts, state).await?;
        match auth.role {
            UserRole::Host | UserRole::Admin => Ok(Self(auth)),
            _ => Err(AppError::Forbidden("Nur für Hosts und Admins.".into())),
        }
    }
 }
 /// Extractor that requires Admin role.
 pub struct RequireAdmin(pub AuthUser);
 impl FromRequestParts<AppState> for RequireAdmin {
    type Rejection = AppError;
    async fn from_request_parts(
        parts: &mut Parts,
        state: &AppState,
    ) -> Result<Self, Self::Rejection> {
        let auth = AuthUser::from_request_parts(parts, state).await?;
        match auth.role {
            UserRole::Admin => Ok(Self(auth)),
            _ => Err(AppError::Forbidden("Nur für Admins.".into())),
        }
    }
 }
--- a/backend/src/auth/mod.rs
+++ b/backend/src/auth/mod.rs
@@ -0,0 +1,3 @@
 pub mod handlers;
 pub mod jwt;
 pub mod middleware;
--- a/backend/src/config.rs
+++ b/backend/src/config.rs
@@ -0,0 +1,43 @@
 use std::path::PathBuf;
 use anyhow::{Context, Result};
 #[derive(Clone, Debug)]
 pub struct AppConfig {
    pub database_url: String,
    pub jwt_secret: String,
    pub session_expiry_days: i64,
    pub admin_password_hash: String,
    pub event_name: String,
    pub event_slug: String,
    pub media_path: PathBuf,
    pub app_port: u16,
 }
 impl AppConfig {
    pub fn from_env() -> Result<Self> {
        Ok(Self {
            database_url: std::env::var("DATABASE_URL")
                .context("DATABASE_URL must be set")?,
            jwt_secret: std::env::var("JWT_SECRET")
                .context("JWT_SECRET must be set")?,
            session_expiry_days: std::env::var("SESSION_EXPIRY_DAYS")
                .unwrap_or_else(|_| "30".to_string())
                .parse()
                .context("SESSION_EXPIRY_DAYS must be a number")?,
            admin_password_hash: std::env::var("ADMIN_PASSWORD_HASH")
                .unwrap_or_default(),
            event_name: std::env::var("EVENT_NAME")
                .unwrap_or_else(|_| "EventSnap".to_string()),
            event_slug: std::env::var("EVENT_SLUG")
                .context("EVENT_SLUG must be set")?,
            media_path: PathBuf::from(
                std::env::var("MEDIA_PATH").unwrap_or_else(|_| "/media".to_string()),
            ),
            app_port: std::env::var("APP_PORT")
                .unwrap_or_else(|_| "3000".to_string())
                .parse()
                .context("APP_PORT must be a number")?,
        })
    }
 }
--- a/backend/src/error.rs
+++ b/backend/src/error.rs
@@ -0,0 +1,65 @@
 use axum::http::StatusCode;
 use axum::response::{IntoResponse, Response};
 use serde_json::json;
 #[derive(Debug)]
 pub enum AppError {
    BadRequest(String),
    Unauthorized(String),
    Forbidden(String),
    NotFound(String),
    TooManyRequests(String),
    Internal(anyhow::Error),
 }
 impl AppError {
    fn status_and_code(&self) -> (StatusCode, &str) {
        match self {
            Self::BadRequest(_) => (StatusCode::BAD_REQUEST, "bad_request"),
            Self::Unauthorized(_) => (StatusCode::UNAUTHORIZED, "unauthorized"),
            Self::Forbidden(_) => (StatusCode::FORBIDDEN, "forbidden"),
            Self::NotFound(_) => (StatusCode::NOT_FOUND, "not_found"),
            Self::TooManyRequests(_) => (StatusCode::TOO_MANY_REQUESTS, "too_many_requests"),
            Self::Internal(_) => (StatusCode::INTERNAL_SERVER_ERROR, "internal_error"),
        }
    }
    fn message(&self) -> String {
        match self {
            Self::BadRequest(msg)
            | Self::Unauthorized(msg)
            | Self::Forbidden(msg)
            | Self::NotFound(msg)
            | Self::TooManyRequests(msg) => msg.clone(),
            Self::Internal(err) => {
                tracing::error!("internal error: {err:#}");
                "Ein interner Fehler ist aufgetreten.".to_string()
            }
        }
    }
 }
 impl IntoResponse for AppError {
    fn into_response(self) -> Response {
        let (status, code) = self.status_and_code();
        let message = self.message();
        let body = json!({
            "error": code,
            "message": message,
            "status": status.as_u16(),
        });
        (status, axum::Json(body)).into_response()
    }
 }
 impl From<anyhow::Error> for AppError {
    fn from(err: anyhow::Error) -> Self {
        Self::Internal(err)
    }
 }
 impl From<sqlx::Error> for AppError {
    fn from(err: sqlx::Error) -> Self {
        Self::Internal(err.into())
    }
 }
--- a/backend/src/handlers/mod.rs
+++ b/backend/src/handlers/mod.rs
@@ -0,0 +1,2 @@
 pub mod sse;
 pub mod upload;
--- a/backend/src/handlers/sse.rs
+++ b/backend/src/handlers/sse.rs
@@ -0,0 +1,33 @@
 use std::convert::Infallible;
 use std::time::Duration;
 use axum::extract::State;
 use axum::response::sse::{Event, KeepAlive, Sse};
 use futures::stream::Stream;
 use tokio_stream::wrappers::BroadcastStream;
 use tokio_stream::StreamExt;
 use crate::auth::middleware::AuthUser;
 use crate::error::AppError;
 use crate::state::AppState;
 pub async fn stream(
    State(state): State<AppState>,
    _auth: AuthUser,
 ) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, AppError> {
    let rx = state.sse_tx.subscribe();
    let stream = BroadcastStream::new(rx).filter_map(|msg| {
        match msg {
            Ok(sse_event) => Some(Ok(Event::default()
                .event(sse_event.event_type)
                .data(sse_event.data))),
            Err(_) => None, // Lagged — skip missed events
        }
    });
    Ok(Sse::new(stream).keep_alive(
        KeepAlive::new()
            .interval(Duration::from_secs(30))
            .text("ping"),
    ))
 }
--- a/backend/src/handlers/upload.rs
+++ b/backend/src/handlers/upload.rs
@@ -0,0 +1,237 @@
 use axum::extract::{Multipart, Path, State};
 use axum::http::StatusCode;
 use axum::Json;
 use serde::Deserialize;
 use uuid::Uuid;
 use crate::auth::middleware::AuthUser;
 use crate::error::AppError;
 use crate::models::hashtag::{self, Hashtag};
 use crate::models::upload::{Upload, UploadDto};
 use crate::models::user::User;
 use crate::state::AppState;
 pub async fn upload(
    State(state): State<AppState>,
    auth: AuthUser,
    mut multipart: Multipart,
 ) -> Result<(StatusCode, Json<UploadDto>), AppError> {
    // Check if user is banned
    let user = User::find_by_id(&state.pool, auth.user_id)
        .await?
        .ok_or_else(|| AppError::NotFound("Benutzer nicht gefunden.".into()))?;
    if user.is_banned {
        return Err(AppError::Forbidden("Du bist gesperrt.".into()));
    }
    // Check if uploads are locked
    let event = crate::models::event::Event::find_by_slug(&state.pool, &state.config.event_slug)
        .await?
        .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
    if event.uploads_locked_at.is_some() {
        return Err(AppError::Forbidden("Uploads sind gesperrt.".into()));
    }
    // Read config limits from DB
    let max_image_mb: i64 = get_config_i64(&state.pool, "max_image_size_mb", 20).await;
    let max_video_mb: i64 = get_config_i64(&state.pool, "max_video_size_mb", 500).await;
    let mut file_data: Option<Vec<u8>> = None;
    let mut file_name: Option<String> = None;
    let mut content_type: Option<String> = None;
    let mut caption: Option<String> = None;
    let mut hashtags_csv: Option<String> = None;
    while let Some(field) = multipart.next_field().await.map_err(|e| AppError::BadRequest(e.to_string()))? {
        let name = field.name().unwrap_or_default().to_string();
        match name.as_str() {
            "file" => {
                file_name = field.file_name().map(|s| s.to_string());
                content_type = field.content_type().map(|s| s.to_string());
                file_data = Some(
                    field.bytes().await
                        .map_err(|e| AppError::BadRequest(format!("Datei konnte nicht gelesen werden: {e}")))?
                        .to_vec(),
                );
            }
            "caption" => {
                caption = Some(
                    field.text().await
                        .map_err(|e| AppError::BadRequest(e.to_string()))?,
                );
            }
            "hashtags" => {
                hashtags_csv = Some(
                    field.text().await
                        .map_err(|e| AppError::BadRequest(e.to_string()))?,
                );
            }
            _ => {}
        }
    }
    let data = file_data.ok_or_else(|| AppError::BadRequest("Keine Datei hochgeladen.".into()))?;
    let mime = content_type.unwrap_or_else(|| "application/octet-stream".to_string());
    let size = data.len() as i64;
    // Validate file size
    let max_bytes = if mime.starts_with("video/") {
        max_video_mb * 1024 * 1024
    } else {
        max_image_mb * 1024 * 1024
    };
    if size > max_bytes {
        return Err(AppError::BadRequest(format!(
            "Datei ist zu groß. Maximum: {} MB.",
            max_bytes / (1024 * 1024)
        )));
    }
    // Determine file extension
    let ext = file_name
        .as_deref()
        .and_then(|n| n.rsplit('.').next())
        .unwrap_or(if mime.starts_with("video/") { "mp4" } else { "jpg" });
    let upload_id = Uuid::new_v4();
    let event_slug = &state.config.event_slug;
    let relative_path = format!("originals/{event_slug}/{upload_id}.{ext}");
    let absolute_path = state.config.media_path.join(&relative_path);
    // Ensure directory exists and write file
    if let Some(parent) = absolute_path.parent() {
        tokio::fs::create_dir_all(parent).await.map_err(|e| AppError::Internal(e.into()))?;
    }
    tokio::fs::write(&absolute_path, &data).await.map_err(|e| AppError::Internal(e.into()))?;
    // Update user's total upload bytes
    sqlx::query("UPDATE \"user\" SET total_upload_bytes = total_upload_bytes + $2 WHERE id = $1")
        .bind(auth.user_id)
        .bind(size)
        .execute(&state.pool)
        .await?;
    // Insert upload record
    let upload = Upload::create(
        &state.pool,
        auth.event_id,
        auth.user_id,
        &relative_path,
        &mime,
        size,
        caption.as_deref(),
    )
    .await?;
    // Process hashtags from caption and explicit CSV
    let mut tags: Vec<String> = Vec::new();
    if let Some(ref cap) = caption {
        tags.extend(hashtag::extract_hashtags(cap));
    }
    if let Some(ref csv) = hashtags_csv {
        for tag in csv.split(',') {
            let t = tag.trim().trim_start_matches('#').to_lowercase();
            if !t.is_empty() {
                tags.push(t);
            }
        }
    }
    tags.sort();
    tags.dedup();
    for tag in &tags {
        let h = Hashtag::upsert(&state.pool, auth.event_id, tag).await?;
        Hashtag::link_to_upload(&state.pool, upload.id, h.id).await?;
    }
    // Spawn compression task
    state
        .compression
        .process(upload.id, relative_path, mime.clone());
    // Broadcast SSE event
    let dto = UploadDto {
        id: upload.id,
        user_id: auth.user_id,
        uploader_name: user.display_name,
        preview_url: None,
        thumbnail_url: None,
        mime_type: mime,
        caption,
        hashtags: tags,
        like_count: 0,
        comment_count: 0,
        liked_by_me: false,
        created_at: upload.created_at,
    };
    let _ = state.sse_tx.send(crate::state::SseEvent {
        event_type: "new-upload".to_string(),
        data: serde_json::to_string(&dto).unwrap_or_default(),
    });
    Ok((StatusCode::CREATED, Json(dto)))
 }
 #[derive(Deserialize)]
 pub struct EditUploadRequest {
    pub caption: Option<String>,
    pub hashtags: Option<Vec<String>>,
 }
 pub async fn edit_upload(
    State(state): State<AppState>,
    auth: AuthUser,
    Path(upload_id): Path<Uuid>,
    Json(body): Json<EditUploadRequest>,
 ) -> Result<StatusCode, AppError> {
    let upload = Upload::find_by_id(&state.pool, upload_id)
        .await?
        .ok_or_else(|| AppError::NotFound("Upload nicht gefunden.".into()))?;
    if upload.user_id != auth.user_id {
        return Err(AppError::Forbidden("Nur eigene Uploads bearbeiten.".into()));
    }
    if let Some(ref caption) = body.caption {
        Upload::update_caption(&state.pool, upload_id, Some(caption)).await?;
    }
    if let Some(ref hashtags) = body.hashtags {
        Hashtag::unlink_all_from_upload(&state.pool, upload_id).await?;
        for tag in hashtags {
            let h = Hashtag::upsert(&state.pool, auth.event_id, tag).await?;
            Hashtag::link_to_upload(&state.pool, upload_id, h.id).await?;
        }
    }
    Ok(StatusCode::OK)
 }
 pub async fn delete_upload(
    State(state): State<AppState>,
    auth: AuthUser,
    Path(upload_id): Path<Uuid>,
 ) -> Result<StatusCode, AppError> {
    let upload = Upload::find_by_id(&state.pool, upload_id)
        .await?
        .ok_or_else(|| AppError::NotFound("Upload nicht gefunden.".into()))?;
    if upload.user_id != auth.user_id {
        return Err(AppError::Forbidden("Nur eigene Uploads löschen.".into()));
    }
    Upload::soft_delete(&state.pool, upload_id).await?;
    Ok(StatusCode::NO_CONTENT)
 }
 async fn get_config_i64(pool: &sqlx::PgPool, key: &str, default: i64) -> i64 {
    let row: Option<(String,)> =
        sqlx::query_as("SELECT value FROM config WHERE key = $1")
            .bind(key)
            .fetch_optional(pool)
            .await
            .unwrap_or(None);
    row.and_then(|r| r.0.parse().ok()).unwrap_or(default)
 }
--- a/backend/src/main.rs
+++ b/backend/src/main.rs
@@ -1,7 +1,19 @@
 use anyhow::Result;
 use axum::routing::{delete, get, patch, post};
 use axum::Router;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 mod auth;
 mod config;
 mod db;
 mod error;
 mod handlers;
 mod models;
 mod services;
 mod state;
 use config::AppConfig;
 use state::AppState;
 #[tokio::main]
 async fn main() -> Result<()> {
@@ -14,18 +26,34 @@ async fn main() -> Result<()> {
        .with(tracing_subscriber::fmt::layer())
        .init();
-    let database_url =
+    let config = AppConfig::from_env()?;
-        std::env::var("DATABASE_URL").expect("DATABASE_URL must be set");
+    let pool = db::create_pool(&config.database_url).await?;
-    let port: u16 = std::env::var("APP_PORT")
+    let state = AppState::new(pool, config.clone());
        .unwrap_or_else(|_| "3000".to_string())
        .parse()?;
-    let _pool = db::create_pool(&database_url).await?;
+    // Ensure media directories exist
    tokio::fs::create_dir_all(&config.media_path).await.ok();
-    let router = axum::Router::new()
+    let api = Router::new()
-        .route("/health", axum::routing::get(|| async { "ok" }));
+        // Auth
        .route("/api/v1/join", post(auth::handlers::join))
        .route("/api/v1/recover", post(auth::handlers::recover))
        .route("/api/v1/admin/login", post(auth::handlers::admin_login))
        .route("/api/v1/session", delete(auth::handlers::logout))
        // Upload
        .route("/api/v1/upload", post(handlers::upload::upload))
        .route(
            "/api/v1/upload/{id}",
            patch(handlers::upload::edit_upload).delete(handlers::upload::delete_upload),
        )
        // SSE
        .route("/api/v1/stream", get(handlers::sse::stream));
-    let listener = tokio::net::TcpListener::bind(("0.0.0.0", port)).await?;
+    let router = Router::new()
        .route("/health", get(|| async { "ok" }))
        .merge(api)
        .with_state(state);
    let listener = tokio::net::TcpListener::bind(("0.0.0.0", config.app_port)).await?;
    tracing::info!("listening on {}", listener.local_addr()?);
    axum::serve(listener, router).await?;
--- a/backend/src/models/event.rs
+++ b/backend/src/models/event.rs
@@ -0,0 +1,47 @@
 use chrono::{DateTime, Utc};
 use sqlx::PgPool;
 use uuid::Uuid;
 #[derive(Debug, sqlx::FromRow)]
 pub struct Event {
    pub id: Uuid,
    pub slug: String,
    pub name: String,
    pub cover_image_path: Option<String>,
    pub is_active: bool,
    pub uploads_locked_at: Option<DateTime<Utc>>,
    pub export_released_at: Option<DateTime<Utc>>,
    pub export_zip_ready: bool,
    pub export_html_ready: bool,
    pub created_at: DateTime<Utc>,
 }
 impl Event {
    pub async fn find_by_slug(pool: &PgPool, slug: &str) -> Result<Option<Self>, sqlx::Error> {
        sqlx::query_as::<_, Self>("SELECT * FROM event WHERE slug = $1")
            .bind(slug)
            .fetch_optional(pool)
            .await
    }
    pub async fn create(pool: &PgPool, slug: &str, name: &str) -> Result<Self, sqlx::Error> {
        sqlx::query_as::<_, Self>(
            "INSERT INTO event (slug, name) VALUES ($1, $2) RETURNING *",
        )
        .bind(slug)
        .bind(name)
        .fetch_one(pool)
        .await
    }
    pub async fn find_or_create(
        pool: &PgPool,
        slug: &str,
        name: &str,
    ) -> Result<Self, sqlx::Error> {
        if let Some(event) = Self::find_by_slug(pool, slug).await? {
            return Ok(event);
        }
        Self::create(pool, slug, name).await
    }
 }
--- a/backend/src/models/hashtag.rs
+++ b/backend/src/models/hashtag.rs
@@ -0,0 +1,77 @@
 use sqlx::PgPool;
 use uuid::Uuid;
 #[derive(Debug, sqlx::FromRow)]
 pub struct Hashtag {
    pub id: Uuid,
    pub event_id: Uuid,
    pub tag: String,
 }
 impl Hashtag {
    /// Upsert a hashtag (insert if not exists, return existing if it does).
    pub async fn upsert(pool: &PgPool, event_id: Uuid, tag: &str) -> Result<Self, sqlx::Error> {
        let normalized = tag.trim().trim_start_matches('#').to_lowercase();
        sqlx::query_as::<_, Self>(
            "INSERT INTO hashtag (event_id, tag) VALUES ($1, $2)
             ON CONFLICT (event_id, tag) DO UPDATE SET tag = EXCLUDED.tag
             RETURNING *",
        )
        .bind(event_id)
        .bind(&normalized)
        .fetch_one(pool)
        .await
    }
    pub async fn link_to_upload(
        pool: &PgPool,
        upload_id: Uuid,
        hashtag_id: Uuid,
    ) -> Result<(), sqlx::Error> {
        sqlx::query(
            "INSERT INTO upload_hashtag (upload_id, hashtag_id) VALUES ($1, $2)
             ON CONFLICT DO NOTHING",
        )
        .bind(upload_id)
        .bind(hashtag_id)
        .execute(pool)
        .await?;
        Ok(())
    }
    pub async fn unlink_all_from_upload(
        pool: &PgPool,
        upload_id: Uuid,
    ) -> Result<(), sqlx::Error> {
        sqlx::query("DELETE FROM upload_hashtag WHERE upload_id = $1")
            .bind(upload_id)
            .execute(pool)
            .await?;
        Ok(())
    }
    pub async fn tags_for_upload(
        pool: &PgPool,
        upload_id: Uuid,
    ) -> Result<Vec<String>, sqlx::Error> {
        let rows: Vec<(String,)> = sqlx::query_as(
            "SELECT h.tag FROM hashtag h
             JOIN upload_hashtag uh ON uh.hashtag_id = h.id
             WHERE uh.upload_id = $1
             ORDER BY h.tag",
        )
        .bind(upload_id)
        .fetch_all(pool)
        .await?;
        Ok(rows.into_iter().map(|r| r.0).collect())
    }
 }
 /// Extract #hashtags from text (caption or body).
 pub fn extract_hashtags(text: &str) -> Vec<String> {
    text.split_whitespace()
        .filter(|w| w.starts_with('#') && w.len() > 1)
        .map(|w| w.trim_start_matches('#').to_lowercase())
        .filter(|t| !t.is_empty())
        .collect()
 }
--- a/backend/src/models/mod.rs
+++ b/backend/src/models/mod.rs
@@ -0,0 +1,5 @@
 pub mod event;
 pub mod hashtag;
 pub mod session;
 pub mod upload;
 pub mod user;
--- a/backend/src/models/session.rs
+++ b/backend/src/models/session.rs
@@ -0,0 +1,64 @@
 use chrono::{DateTime, Utc};
 use sqlx::PgPool;
 use uuid::Uuid;
 #[derive(Debug, sqlx::FromRow)]
 pub struct Session {
    pub id: Uuid,
    pub user_id: Uuid,
    pub token_hash: String,
    pub expires_at: DateTime<Utc>,
    pub last_seen_at: DateTime<Utc>,
    pub created_at: DateTime<Utc>,
 }
 impl Session {
    pub async fn create(
        pool: &PgPool,
        user_id: Uuid,
        token_hash: &str,
        expires_at: DateTime<Utc>,
    ) -> Result<Self, sqlx::Error> {
        sqlx::query_as::<_, Self>(
            "INSERT INTO session (user_id, token_hash, expires_at)
             VALUES ($1, $2, $3)
             RETURNING *",
        )
        .bind(user_id)
        .bind(token_hash)
        .bind(expires_at)
        .fetch_one(pool)
        .await
    }
    pub async fn find_by_token_hash(
        pool: &PgPool,
        token_hash: &str,
    ) -> Result<Option<Self>, sqlx::Error> {
        sqlx::query_as::<_, Self>(
            "SELECT * FROM session WHERE token_hash = $1 AND expires_at > NOW()",
        )
        .bind(token_hash)
        .fetch_optional(pool)
        .await
    }
    pub async fn touch(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> {
        sqlx::query("UPDATE session SET last_seen_at = NOW() WHERE id = $1")
            .bind(id)
            .execute(pool)
            .await?;
        Ok(())
    }
    pub async fn delete_by_token_hash(
        pool: &PgPool,
        token_hash: &str,
    ) -> Result<(), sqlx::Error> {
        sqlx::query("DELETE FROM session WHERE token_hash = $1")
            .bind(token_hash)
            .execute(pool)
            .await?;
        Ok(())
    }
 }
--- a/backend/src/models/upload.rs
+++ b/backend/src/models/upload.rs
@@ -0,0 +1,117 @@
 use chrono::{DateTime, Utc};
 use serde::Serialize;
 use sqlx::PgPool;
 use uuid::Uuid;
 #[derive(Debug, sqlx::FromRow)]
 pub struct Upload {
    pub id: Uuid,
    pub event_id: Uuid,
    pub user_id: Uuid,
    pub original_path: String,
    pub preview_path: Option<String>,
    pub thumbnail_path: Option<String>,
    pub mime_type: String,
    pub original_size_bytes: i64,
    pub caption: Option<String>,
    pub created_at: DateTime<Utc>,
    pub deleted_at: Option<DateTime<Utc>>,
 }
 #[derive(Debug, Serialize)]
 pub struct UploadDto {
    pub id: Uuid,
    pub user_id: Uuid,
    pub uploader_name: String,
    pub preview_url: Option<String>,
    pub thumbnail_url: Option<String>,
    pub mime_type: String,
    pub caption: Option<String>,
    pub hashtags: Vec<String>,
    pub like_count: i64,
    pub comment_count: i64,
    pub liked_by_me: bool,
    pub created_at: DateTime<Utc>,
 }
 impl Upload {
    pub async fn create(
        pool: &PgPool,
        event_id: Uuid,
        user_id: Uuid,
        original_path: &str,
        mime_type: &str,
        original_size_bytes: i64,
        caption: Option<&str>,
    ) -> Result<Self, sqlx::Error> {
        sqlx::query_as::<_, Self>(
            "INSERT INTO upload (event_id, user_id, original_path, mime_type, original_size_bytes, caption)
             VALUES ($1, $2, $3, $4, $5, $6)
             RETURNING *",
        )
        .bind(event_id)
        .bind(user_id)
        .bind(original_path)
        .bind(mime_type)
        .bind(original_size_bytes)
        .bind(caption)
        .fetch_one(pool)
        .await
    }
    pub async fn find_by_id(pool: &PgPool, id: Uuid) -> Result<Option<Self>, sqlx::Error> {
        sqlx::query_as::<_, Self>(
            "SELECT * FROM upload WHERE id = $1 AND deleted_at IS NULL",
        )
        .bind(id)
        .fetch_optional(pool)
        .await
    }
    pub async fn set_preview_path(
        pool: &PgPool,
        id: Uuid,
        preview_path: &str,
    ) -> Result<(), sqlx::Error> {
        sqlx::query("UPDATE upload SET preview_path = $2 WHERE id = $1")
            .bind(id)
            .bind(preview_path)
            .execute(pool)
            .await?;
        Ok(())
    }
    pub async fn set_thumbnail_path(
        pool: &PgPool,
        id: Uuid,
        thumbnail_path: &str,
    ) -> Result<(), sqlx::Error> {
        sqlx::query("UPDATE upload SET thumbnail_path = $2 WHERE id = $1")
            .bind(id)
            .bind(thumbnail_path)
            .execute(pool)
            .await?;
        Ok(())
    }
    pub async fn soft_delete(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> {
        sqlx::query("UPDATE upload SET deleted_at = NOW() WHERE id = $1")
            .bind(id)
            .execute(pool)
            .await?;
        Ok(())
    }
    pub async fn update_caption(
        pool: &PgPool,
        id: Uuid,
        caption: Option<&str>,
    ) -> Result<(), sqlx::Error> {
        sqlx::query("UPDATE upload SET caption = $2 WHERE id = $1")
            .bind(id)
            .bind(caption)
            .execute(pool)
            .await?;
        Ok(())
    }
 }
--- a/backend/src/models/user.rs
+++ b/backend/src/models/user.rs
@@ -0,0 +1,102 @@
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use sqlx::PgPool;
 use uuid::Uuid;
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, sqlx::Type)]
 #[sqlx(type_name = "user_role", rename_all = "lowercase")]
 pub enum UserRole {
    Guest,
    Host,
    Admin,
 }
 #[derive(Debug, sqlx::FromRow)]
 pub struct User {
    pub id: Uuid,
    pub event_id: Uuid,
    pub display_name: String,
    pub role: UserRole,
    pub is_banned: bool,
    pub uploads_hidden: bool,
    pub recovery_pin_hash: String,
    pub total_upload_bytes: i64,
    pub failed_pin_attempts: i16,
    pub pin_locked_until: Option<DateTime<Utc>>,
    pub created_at: DateTime<Utc>,
 }
 impl User {
    pub async fn create(
        pool: &PgPool,
        event_id: Uuid,
        display_name: &str,
        pin_hash: &str,
    ) -> Result<Self, sqlx::Error> {
        sqlx::query_as::<_, Self>(
            "INSERT INTO \"user\" (event_id, display_name, recovery_pin_hash)
             VALUES ($1, $2, $3)
             RETURNING *",
        )
        .bind(event_id)
        .bind(display_name)
        .bind(pin_hash)
        .fetch_one(pool)
        .await
    }
    pub async fn find_by_id(pool: &PgPool, id: Uuid) -> Result<Option<Self>, sqlx::Error> {
        sqlx::query_as::<_, Self>("SELECT * FROM \"user\" WHERE id = $1")
            .bind(id)
            .fetch_optional(pool)
            .await
    }
    pub async fn find_by_event_and_name(
        pool: &PgPool,
        event_id: Uuid,
        display_name: &str,
    ) -> Result<Vec<Self>, sqlx::Error> {
        sqlx::query_as::<_, Self>(
            "SELECT * FROM \"user\" WHERE event_id = $1 AND display_name = $2",
        )
        .bind(event_id)
        .bind(display_name)
        .fetch_all(pool)
        .await
    }
    pub async fn increment_failed_pin(pool: &PgPool, id: Uuid) -> Result<i16, sqlx::Error> {
        let row: (i16,) = sqlx::query_as(
            "UPDATE \"user\"
             SET failed_pin_attempts = failed_pin_attempts + 1
             WHERE id = $1
             RETURNING failed_pin_attempts",
        )
        .bind(id)
        .fetch_one(pool)
        .await?;
        Ok(row.0)
    }
    pub async fn lock_pin(pool: &PgPool, id: Uuid, until: DateTime<Utc>) -> Result<(), sqlx::Error> {
        sqlx::query(
            "UPDATE \"user\" SET pin_locked_until = $2 WHERE id = $1",
        )
        .bind(id)
        .bind(until)
        .execute(pool)
        .await?;
        Ok(())
    }
    pub async fn reset_pin_attempts(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> {
        sqlx::query(
            "UPDATE \"user\" SET failed_pin_attempts = 0, pin_locked_until = NULL WHERE id = $1",
        )
        .bind(id)
        .execute(pool)
        .await?;
        Ok(())
    }
 }
--- a/backend/src/services/compression.rs
+++ b/backend/src/services/compression.rs
@@ -0,0 +1,139 @@
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use anyhow::{Context, Result};
 use sqlx::PgPool;
 use tokio::sync::Semaphore;
 use uuid::Uuid;
 use crate::models::upload::Upload;
 #[derive(Clone)]
 pub struct CompressionWorker {
    semaphore: Arc<Semaphore>,
    pool: PgPool,
    media_path: PathBuf,
 }
 impl CompressionWorker {
    pub fn new(pool: PgPool, media_path: PathBuf, concurrency: usize) -> Self {
        Self {
            semaphore: Arc::new(Semaphore::new(concurrency)),
            pool,
            media_path,
        }
    }
    /// Spawn a background task to process an uploaded file.
    pub fn process(&self, upload_id: Uuid, original_path: String, mime_type: String) {
        let worker = self.clone();
        tokio::spawn(async move {
            let _permit = worker.semaphore.acquire().await;
            if let Err(e) = worker.do_process(upload_id, &original_path, &mime_type).await {
                tracing::error!("compression failed for upload {upload_id}: {e:#}");
            }
        });
    }
    async fn do_process(
        &self,
        upload_id: Uuid,
        original_path: &str,
        mime_type: &str,
    ) -> Result<()> {
        let original = self.media_path.join(original_path);
        if mime_type.starts_with("image/") {
            let preview_rel = self.generate_image_preview(upload_id, &original, mime_type).await?;
            Upload::set_preview_path(&self.pool, upload_id, &preview_rel).await?;
            tracing::info!("preview generated for upload {upload_id}");
        } else if mime_type.starts_with("video/") {
            let thumb_rel = self.generate_video_thumbnail(upload_id, &original).await?;
            Upload::set_thumbnail_path(&self.pool, upload_id, &thumb_rel).await?;
            tracing::info!("thumbnail generated for upload {upload_id}");
        }
        Ok(())
    }
    async fn generate_image_preview(
        &self,
        upload_id: Uuid,
        original: &Path,
        mime_type: &str,
    ) -> Result<String> {
        let previews_dir = self.media_path.join("previews");
        tokio::fs::create_dir_all(&previews_dir).await?;
        let preview_filename = format!("{upload_id}.jpg");
        let preview_path = previews_dir.join(&preview_filename);
        let original = original.to_path_buf();
        let preview_path_clone = preview_path.clone();
        let mime_owned = mime_type.to_string();
        // Run blocking image operations in a spawn_blocking task
        tokio::task::spawn_blocking(move || -> Result<()> {
            let img = image::open(&original)
                .context("failed to open image")?;
            // Resize to max 800px wide, preserving aspect ratio
            let preview = img.resize(800, 800, image::imageops::FilterType::Lanczos3);
            preview.save_with_format(&preview_path_clone, image::ImageFormat::Jpeg)
                .context("failed to save preview")?;
            // If the original is PNG, try lossless compression in-place
            if mime_owned == "image/png" {
                let opts = oxipng::Options::from_preset(2);
                let _ = oxipng::optimize(
                    &oxipng::InFile::Path(original),
                    &oxipng::OutFile::Path {
                        path: None,
                        preserve_attrs: true,
                    },
                    &opts,
                );
            }
            Ok(())
        })
        .await??;
        Ok(format!("previews/{preview_filename}"))
    }
    async fn generate_video_thumbnail(
        &self,
        upload_id: Uuid,
        original: &Path,
    ) -> Result<String> {
        let thumbs_dir = self.media_path.join("thumbnails");
        tokio::fs::create_dir_all(&thumbs_dir).await?;
        let thumb_filename = format!("{upload_id}.jpg");
        let thumb_path = thumbs_dir.join(&thumb_filename);
        let output = tokio::process::Command::new("ffmpeg")
            .args([
                "-i",
                original.to_str().unwrap_or_default(),
                "-vframes",
                "1",
                "-ss",
                "00:00:01",
                "-vf",
                "scale=800:-1",
                "-y",
                thumb_path.to_str().unwrap_or_default(),
            ])
            .output()
            .await
            .context("failed to run ffmpeg")?;
        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            anyhow::bail!("ffmpeg failed: {stderr}");
        }
        Ok(format!("thumbnails/{thumb_filename}"))
    }
 }
--- a/backend/src/services/mod.rs
+++ b/backend/src/services/mod.rs
@@ -0,0 +1 @@
 pub mod compression;
--- a/backend/src/state.rs
+++ b/backend/src/state.rs
@@ -0,0 +1,33 @@
 use sqlx::PgPool;
 use tokio::sync::broadcast;
 use crate::config::AppConfig;
 use crate::services::compression::CompressionWorker;
 #[derive(Clone, Debug)]
 pub struct SseEvent {
    pub event_type: String,
    pub data: String,
 }
 #[derive(Clone)]
 pub struct AppState {
    pub pool: PgPool,
    pub config: AppConfig,
    pub sse_tx: broadcast::Sender<SseEvent>,
    pub compression: CompressionWorker,
 }
 impl AppState {
    pub fn new(pool: PgPool, config: AppConfig) -> Self {
        let (sse_tx, _) = broadcast::channel(256);
        let compression =
            CompressionWorker::new(pool.clone(), config.media_path.clone(), 2);
        Self {
            pool,
            config,
            sse_tx,
            compression,
        }
    }
 }
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -0,0 +1,57 @@
 import { getToken, clearAuth } from './auth';
 const BASE = '/api/v1';
 export class ApiError extends Error {
 	status: number;
 	code: string;
 	constructor(status: number, code: string, message: string) {
 		super(message);
 		this.status = status;
 		this.code = code;
 	}
 }
 async function request<T>(
 	method: string,
 	path: string,
 	body?: unknown
 ): Promise<T> {
 	const headers: Record<string, string> = {};
 	const token = getToken();
 	if (token) {
 		headers['Authorization'] = `Bearer ${token}`;
 	}
 	if (body !== undefined) {
 		headers['Content-Type'] = 'application/json';
 	}
 	const res = await fetch(`${BASE}${path}`, {
 		method,
 		headers,
 		body: body !== undefined ? JSON.stringify(body) : undefined
 	});
 	if (res.status === 204) {
 		return undefined as T;
 	}
 	const data = await res.json();
 	if (!res.ok) {
 		if (res.status === 401) {
 			clearAuth();
 		}
 		throw new ApiError(res.status, data.error ?? 'unknown', data.message ?? 'Fehler');
 	}
 	return data as T;
 }
 export const api = {
 	get: <T>(path: string) => request<T>('GET', path),
 	post: <T>(path: string, body?: unknown) => request<T>('POST', path, body),
 	patch: <T>(path: string, body?: unknown) => request<T>('PATCH', path, body),
 	delete: <T>(path: string) => request<T>('DELETE', path)
 };
--- a/frontend/src/lib/auth.ts
+++ b/frontend/src/lib/auth.ts
@@ -0,0 +1,44 @@
 import { writable } from 'svelte/store';
 import { browser } from '$app/environment';
 const TOKEN_KEY = 'eventsnap_jwt';
 const PIN_KEY = 'eventsnap_pin';
 const USER_ID_KEY = 'eventsnap_user_id';
 export const isAuthenticated = writable(false);
 export function getToken(): string | null {
 	if (!browser) return null;
 	return localStorage.getItem(TOKEN_KEY);
 }
 export function getPin(): string | null {
 	if (!browser) return null;
 	return localStorage.getItem(PIN_KEY);
 }
 export function getUserId(): string | null {
 	if (!browser) return null;
 	return localStorage.getItem(USER_ID_KEY);
 }
 export function setAuth(jwt: string, pin: string | null, userId: string): void {
 	if (!browser) return;
 	localStorage.setItem(TOKEN_KEY, jwt);
 	if (pin) localStorage.setItem(PIN_KEY, pin);
 	localStorage.setItem(USER_ID_KEY, userId);
 	isAuthenticated.set(true);
 }
 export function clearAuth(): void {
 	if (!browser) return;
 	localStorage.removeItem(TOKEN_KEY);
 	localStorage.removeItem(USER_ID_KEY);
 	// PIN is intentionally kept so the user can recover
 	isAuthenticated.set(false);
 }
 export function initAuth(): void {
 	if (!browser) return;
 	isAuthenticated.set(!!getToken());
 }
--- a/frontend/src/routes/+layout.svelte
+++ b/frontend/src/routes/+layout.svelte
@@ -1,8 +1,14 @@
 <script lang="ts">
 	import favicon from '$lib/assets/favicon.svg';
 	import '../app.css';
 	import { initAuth } from '$lib/auth';
 	import { onMount } from 'svelte';
 	let { children } = $props();
 	onMount(() => {
 		initAuth();
 	});
 </script>
 <svelte:head>
--- a/frontend/src/routes/+page.svelte
+++ b/frontend/src/routes/+page.svelte
@@ -1,2 +1,14 @@
-<h1>Welcome to SvelteKit</h1>
+<script lang="ts">
-<p>Visit <a href="https://svelte.dev/docs/kit">svelte.dev/docs/kit</a> to read the documentation</p>
+	import { goto } from '$app/navigation';
 	import { getToken } from '$lib/auth';
 	import { browser } from '$app/environment';
 	import { onMount } from 'svelte';
 	onMount(() => {
 		if (getToken()) {
 			goto('/feed');
 		} else {
 			goto('/join');
 		}
 	});
 </script>
--- a/frontend/src/routes/feed/+page.svelte
+++ b/frontend/src/routes/feed/+page.svelte
@@ -0,0 +1,37 @@
 <script lang="ts">
 	import { goto } from '$app/navigation';
 	import { getToken, clearAuth } from '$lib/auth';
 	import { api } from '$lib/api';
 	import { onMount } from 'svelte';
 	onMount(() => {
 		if (!getToken()) {
 			goto('/join');
 		}
 	});
 	async function handleLogout() {
 		try {
 			await api.delete('/session');
 		} catch {
 			// Ignore errors — clear local state regardless
 		}
 		clearAuth();
 		goto('/join');
 	}
 </script>
 <div class="min-h-screen bg-gray-50 p-4">
 	<div class="mx-auto max-w-2xl">
 		<div class="mb-6 flex items-center justify-between">
 			<h1 class="text-xl font-bold text-gray-900">Galerie</h1>
 			<button
 				onclick={handleLogout}
 				class="rounded-md bg-gray-200 px-3 py-1 text-sm text-gray-700 hover:bg-gray-300"
 			>
 				Abmelden
 			</button>
 		</div>
 		<p class="text-gray-600">Die Galerie wird bald hier angezeigt.</p>
 	</div>
 </div>
--- a/frontend/src/routes/join/+page.svelte
+++ b/frontend/src/routes/join/+page.svelte
@@ -0,0 +1,110 @@
 <script lang="ts">
 	import { goto } from '$app/navigation';
 	import { api, ApiError } from '$lib/api';
 	import { setAuth } from '$lib/auth';
 	let displayName = $state('');
 	let error = $state('');
 	let loading = $state(false);
 	let showPinModal = $state(false);
 	let pin = $state('');
 	let copied = $state(false);
 	async function handleJoin() {
 		if (!displayName.trim()) return;
 		loading = true;
 		error = '';
 		try {
 			const res = await api.post<{
 				jwt: string;
 				pin: string;
 				user_id: string;
 				is_new: boolean;
 			}>('/join', { display_name: displayName.trim() });
 			setAuth(res.jwt, res.pin, res.user_id);
 			pin = res.pin;
 			showPinModal = true;
 		} catch (e) {
 			if (e instanceof ApiError) {
 				error = e.message;
 			} else {
 				error = 'Ein Fehler ist aufgetreten.';
 			}
 		} finally {
 			loading = false;
 		}
 	}
 	function copyPin() {
 		navigator.clipboard.writeText(pin);
 		copied = true;
 		setTimeout(() => (copied = false), 2000);
 	}
 	function goToFeed() {
 		goto('/feed');
 	}
 </script>
 <div class="flex min-h-screen items-center justify-center bg-gray-50 px-4">
 	<div class="w-full max-w-sm">
 		<h1 class="mb-2 text-center text-2xl font-bold text-gray-900">Willkommen!</h1>
 		<p class="mb-6 text-center text-gray-600">Gib deinen Namen ein, um dem Event beizutreten.</p>
 		<form onsubmit={(e) => { e.preventDefault(); handleJoin(); }}>
 			<input
 				type="text"
 				bind:value={displayName}
 				placeholder="Dein Name"
 				maxlength={50}
 				class="mb-3 w-full rounded-lg border border-gray-300 px-4 py-3 text-lg focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-200"
 			/>
 			{#if error}
 				<p class="mb-3 text-sm text-red-600">{error}</p>
 			{/if}
 			<button
 				type="submit"
 				disabled={loading || !displayName.trim()}
 				class="w-full rounded-lg bg-blue-600 px-4 py-3 text-lg font-medium text-white transition hover:bg-blue-700 disabled:opacity-50"
 			>
 				{loading ? 'Wird geladen...' : 'Beitreten'}
 			</button>
 		</form>
 		<p class="mt-4 text-center text-sm text-gray-500">
 			Schon dabei?
 			<a href="/recover" class="text-blue-600 hover:underline">Mit PIN wiederherstellen</a>
 		</p>
 	</div>
 </div>
 {#if showPinModal}
 	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 px-4">
 		<div class="w-full max-w-sm rounded-xl bg-white p-6 shadow-lg">
 			<h2 class="mb-2 text-xl font-bold text-gray-900">Dein Wiederherstellungs-PIN</h2>
 			<p class="mb-4 text-sm text-gray-600">
 				Merke dir diesen PIN! Du brauchst ihn, um dein Konto auf einem anderen Gerät wiederherzustellen.
 			</p>
 			<div class="mb-4 flex items-center justify-center gap-3 rounded-lg bg-gray-100 p-4">
 				<span class="text-4xl font-mono font-bold tracking-widest text-gray-900">{pin}</span>
 				<button
 					onclick={copyPin}
 					class="rounded-md bg-gray-200 px-3 py-1 text-sm font-medium text-gray-700 hover:bg-gray-300"
 				>
 					{copied ? 'Kopiert!' : 'Kopieren'}
 				</button>
 			</div>
 			<button
 				onclick={goToFeed}
 				class="w-full rounded-lg bg-blue-600 px-4 py-3 font-medium text-white transition hover:bg-blue-700"
 			>
 				Weiter zur Galerie
 			</button>
 		</div>
 	</div>
 {/if}
--- a/frontend/src/routes/recover/+page.svelte
+++ b/frontend/src/routes/recover/+page.svelte
@@ -0,0 +1,83 @@
 <script lang="ts">
 	import { goto } from '$app/navigation';
 	import { api, ApiError } from '$lib/api';
 	import { setAuth, getPin } from '$lib/auth';
 	import { browser } from '$app/environment';
 	let displayName = $state('');
 	let pin = $state('');
 	let error = $state('');
 	let loading = $state(false);
 	// Pre-fill PIN from localStorage if available
 	if (browser) {
 		const savedPin = getPin();
 		if (savedPin) pin = savedPin;
 	}
 	async function handleRecover() {
 		if (!displayName.trim() || !pin.trim()) return;
 		loading = true;
 		error = '';
 		try {
 			const res = await api.post<{
 				jwt: string;
 				user_id: string;
 			}>('/recover', { display_name: displayName.trim(), pin: pin.trim() });
 			setAuth(res.jwt, pin.trim(), res.user_id);
 			goto('/feed');
 		} catch (e) {
 			if (e instanceof ApiError) {
 				error = e.message;
 			} else {
 				error = 'Ein Fehler ist aufgetreten.';
 			}
 		} finally {
 			loading = false;
 		}
 	}
 </script>
 <div class="flex min-h-screen items-center justify-center bg-gray-50 px-4">
 	<div class="w-full max-w-sm">
 		<h1 class="mb-2 text-center text-2xl font-bold text-gray-900">Konto wiederherstellen</h1>
 		<p class="mb-6 text-center text-gray-600">Gib deinen Namen und deinen PIN ein.</p>
 		<form onsubmit={(e) => { e.preventDefault(); handleRecover(); }}>
 			<input
 				type="text"
 				bind:value={displayName}
 				placeholder="Dein Name"
 				maxlength={50}
 				class="mb-3 w-full rounded-lg border border-gray-300 px-4 py-3 text-lg focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-200"
 			/>
 			<input
 				type="text"
 				bind:value={pin}
 				placeholder="4-stelliger PIN"
 				maxlength={4}
 				inputmode="numeric"
 				pattern="[0-9]*"
 				class="mb-3 w-full rounded-lg border border-gray-300 px-4 py-3 text-center text-2xl font-mono tracking-widest focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-200"
 			/>
 			{#if error}
 				<p class="mb-3 text-sm text-red-600">{error}</p>
 			{/if}
 			<button
 				type="submit"
 				disabled={loading || !displayName.trim() || pin.length < 4}
 				class="w-full rounded-lg bg-blue-600 px-4 py-3 text-lg font-medium text-white transition hover:bg-blue-700 disabled:opacity-50"
 			>
 				{loading ? 'Wird geladen...' : 'Wiederherstellen'}
 			</button>
 		</form>
 		<p class="mt-4 text-center text-sm text-gray-500">
 			Noch kein Konto?
 			<a href="/join" class="text-blue-600 hover:underline">Neu beitreten</a>
 		</p>
 	</div>
 </div>
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE "user" DROP COLUMN IF EXISTS pin_locked_until;`
							`ALTER TABLE "user" DROP COLUMN IF EXISTS failed_pin_attempts;`
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE "user" ADD COLUMN failed_pin_attempts SMALLINT NOT NULL DEFAULT 0;`
							`ALTER TABLE "user" ADD COLUMN pin_locked_until TIMESTAMPTZ;`