Fix 8 bugs found in code review

- auth/login.py: guard against missing JSON body (get_json silent=True, empty-string check)
- app.py: replace infinite redirect with 404 for unknown /api/* and /setup/* paths
- tools/jwtdecoder.py: add algorithms list to jwt.decode() for PyJWT 2.x compatibility
- util/setup_routes.py: call reset_pool() after save_config() so pool re-initialises with new DB credentials
- util/logger.py: set ERROR level on error.log handler so it no longer receives INFO/WARNING messages
- LoginForm.jsx: remove dead navigate() call that was immediately overridden by window.location.href
- main.jsx: remove base.css, dark.css, light.css that were already imported in App.jsx (duplicate imports)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app.py

@@ -44,7 +44,8 @@ def serve_frontend(path):
         return redirect('/setup')
 
     if path.startswith('setup') or path.startswith('api'):
-        return redirect(f'/{path}')
+        from flask import abort
+        abort(404)
 
     dist_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'frontend', 'dist'))
     file_path = os.path.join(dist_dir, path)

backend/auth/login.py

@@ -11,9 +11,12 @@ from auth.token import SECRET_KEY
 
 @limiter.limit("10 per minute")
 def login_route():
-    data = request.get_json()
-    username = data.get('username')
-    password = data.get('password')
+    data = request.get_json(silent=True) or {}
+    username = data.get('username', '').strip()
+    password = data.get('password', '')
+
+    if not username or not password:
+        return jsonify({"message": "Username und Passwort erforderlich"}), 400
 
     if not SECRET_KEY:
         logger.error("Login blocked: SECRET_KEY is not configured.")

backend/tools/jwtdecoder.py

@@ -16,7 +16,7 @@ def decode_jwt():
         data = request.get_json()
         token = data.get("token", "").strip()
         header = jwt.get_unverified_header(token)
-        payload = jwt.decode(token, options={"verify_signature": False})
+        payload = jwt.decode(token, options={"verify_signature": False}, algorithms=["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"])
 
         expired = False
         if "exp" in payload:

backend/util/logger.py

@@ -1,19 +1,21 @@
 import logging
 import os
 
-# Ensure logs directory exists
 os.makedirs("logs", exist_ok=True)
 
-# Configure logger
+fmt = "%(asctime)s [%(levelname)s] %(message)s"
+
+error_handler = logging.FileHandler("logs/error.log")
+error_handler.setLevel(logging.ERROR)
+
 logging.basicConfig(
     level=logging.INFO,
-    format="%(asctime)s [%(levelname)s] %(message)s",
+    format=fmt,
     handlers=[
         logging.FileHandler("logs/app.log"),
-        logging.FileHandler("logs/error.log"),
+        error_handler,
         logging.StreamHandler()
     ]
 )
 
-# Hauptlogger, wird von anderen Modulen importiert
 logger = logging.getLogger("main")

backend/util/setup_routes.py

@@ -2,6 +2,7 @@ import time
 import os
 from flask import Blueprint, request, render_template, redirect, jsonify, send_from_directory
 from util.db_config import load_config, save_config, test_connection, is_configured
+from util.db_pool import reset_pool
 from auth.setup_admin import initialize_admin_user
 from util.logger import logger
 
@@ -39,6 +40,7 @@ def setup():
             "database": request.form['database']
         }
         save_config(db_config)
+        reset_pool()
         if test_connection(db_config):
             initialize_admin_user(db_config)
             return redirect('/')