Fix 8 bugs found in code review

- auth/login.py: guard against missing JSON body (get_json silent=True, empty-string check)
- app.py: replace infinite redirect with 404 for unknown /api/* and /setup/* paths
- tools/jwtdecoder.py: add algorithms list to jwt.decode() for PyJWT 2.x compatibility
- util/setup_routes.py: call reset_pool() after save_config() so pool re-initialises with new DB credentials
- util/logger.py: set ERROR level on error.log handler so it no longer receives INFO/WARNING messages
- LoginForm.jsx: remove dead navigate() call that was immediately overridden by window.location.href
- main.jsx: remove base.css, dark.css, light.css that were already imported in App.jsx (duplicate imports)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/auth/login.py

@@ -11,9 +11,12 @@ from auth.token import SECRET_KEY
 
 @limiter.limit("10 per minute")
 def login_route():
-    data = request.get_json()
-    username = data.get('username')
-    password = data.get('password')
+    data = request.get_json(silent=True) or {}
+    username = data.get('username', '').strip()
+    password = data.get('password', '')
+
+    if not username or not password:
+        return jsonify({"message": "Username und Passwort erforderlich"}), 400
 
     if not SECRET_KEY:
         logger.error("Login blocked: SECRET_KEY is not configured.")