From 492bc3139340a35ac8de46ff28bf5da76d527d43 Mon Sep 17 00:00:00 2001
From: Nirodan
Date: Mon, 16 Jun 2025 10:24:54 +0200
Subject: [PATCH] Passwort hashen

---
 backend/app.py                 | 13 ++++++++-----
 backend/datenbankverbindung.py | 10 +++++-----
 backend/requirements.txt       |  3 ++-
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/backend/app.py b/backend/app.py
index 57ec79a..97e3cce 100644
--- a/backend/app.py
+++ b/backend/app.py
@@ -75,6 +75,8 @@ def serve_react(path):
 @app.route('/api/login', methods=['POST'])
 def login():
     from mysql.connector import connect, Error
+    from werkzeug.security import check_password_hash
+
     data = request.get_json()
     username = data.get('username')
     password = data.get('password')
@@ -83,24 +85,25 @@ def login():
         config = lade_db_config()
         conn = connect(**config)
         cursor = conn.cursor(dictionary=True)
-        cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
+        cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
         user = cursor.fetchone()
         cursor.close()
         conn.close()
-        if user:
+        if user and check_password_hash(user['password'], password):
             return jsonify({
-                "token": "mock-token",  # später JWT etc.
+                "token": "mock-token",
                 "role": user['role']
             })
-        else:
-            return jsonify({"message": "Login fehlgeschlagen"}), 401
+
+        return jsonify({"message": "Login fehlgeschlagen"}), 401
     except Error as e:
         print("[Fehler bei /api/login]:", e)
         return jsonify({"message": "Serverfehler"}), 500
+
 if __name__ == '__main__':
     os.makedirs("config", exist_ok=True)
     app.run(host='127.0.0.1', port=5000)
diff --git a/backend/datenbankverbindung.py b/backend/datenbankverbindung.py
index c3e8316..96ac41f 100644
--- a/backend/datenbankverbindung.py
+++ b/backend/datenbankverbindung.py
@@ -1,5 +1,7 @@
 import json
 import mysql.connector
+from werkzeug.security import generate_password_hash
+
 def lade_db_config(pfad='config/db_config.json'):
     with open(pfad, 'r') as f:
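Review bot: In the second app.py hunk, `check_password_hash(user['password'], password)` is reached with `password` possibly `None` (it comes from `data.get('password')` in the first hunk), and werkzeug then fails with a TypeError/AttributeError rather than a mysql `Error`, so the `except Error` branch does not catch it and the request ends in an unhandled 500 instead of a 401. Validate the input before the database call: `if not isinstance(username, str) or not isinstance(password, str): return jsonify({"message": "Login fehlgeschlagen"}), 400`. The hash is also only verified when a row was found, so the response time differs between unknown and existing usernames; running `check_password_hash` against a fixed dummy hash when `user` is falsy keeps both paths comparable. The `# später JWT etc.` reminder was removed while `"mock-token"` is still returned; keep that TODO so the static token is not mistaken for a real session credential. `login()` begins in the first hunk and the `try:` line between the two hunks is not shown.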
@@ -19,11 +21,9 @@ def teste_verbindung(db_config):
         return False
 def initialisiere_admin_user(db_config):
-    import mysql.connector
     conn = mysql.connector.connect(**db_config)
     cursor = conn.cursor()
-    # Tabelle erstellen, falls nicht vorhanden
     cursor.execute("""
         CREATE TABLE IF NOT EXISTS users (
             id INT AUTO_INCREMENT PRIMARY KEY,
@@ -33,14 +33,14 @@ def initialisiere_admin_user(db_config):
         )
     """)
-    # Prüfen, ob admin existiert
     cursor.execute("SELECT id FROM users WHERE username = 'admin'")
     if not cursor.fetchone():
+        hashed_pw = generate_password_hash('admin')
         cursor.execute("""
             INSERT INTO users (username, password, role)
             VALUES (%s, %s, 'admin')
-        """, ('admin', 'admin'))
-        print("[INFO] Admin-Account wurde erstellt: admin / admin")
+        """, ('admin', hashed_pw))
+        print("[INFO] Admin-Account wurde erstellt (gehashed): admin / admin")
     conn.commit()
     cursor.close()
diff --git a/backend/requirements.txt b/backend/requirements.txt
index 06523e7..954f173 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -1,3 +1,4 @@
 flask
 flask-cors
-mysql-connector-python
\ No newline at end of file
+mysql-connector-python
+werkzeug>=2.3
\ No newline at end of file
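Review bot: The hashing in the third datenbankverbindung.py hunk only applies to a freshly inserted row — the `if not cursor.fetchone():` guard skips every database where the admin user already exists with the plaintext `'admin'` password from the previous version, and that row can no longer authenticate now that `/api/login` runs `check_password_hash` against its stored value; the commit ships no re-hash or migration step for existing rows. Also confirm that the `password` column (its definition lies between the second and third hunk and is not shown) is wide enough for the output of `generate_password_hash` from werkzeug>=2.3, which is far longer than the previous plaintext values; with MySQL in non-strict mode a too-narrow column can be silently truncated, leaving a hash that never verifies. The default credential `'admin'` remains hard-coded and is still echoed to stdout; read the initial password from the environment or config and shorten the message to `print("[INFO] Admin-Account wurde erstellt")`. `initialisiere_admin_user` continues past the end of the hunk.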