From c0aaa86546a7952ddfcced950b2f45618dcd5a2d Mon Sep 17 00:00:00 2001
From: Nirodan
Date: Thu, 22 Jan 2026 07:56:27 +0100
Subject: [PATCH] Fix config path, env secrets, and align API calls
---
 Dockerfile | 4 +++-
 backend/auth/login.py | 4 ++++
 backend/auth/token.py | 10 +++++++++-
 backend/util/db_config.py | 21 ++++++++++++++++++++-
 docker-compose.dev.yml | 3 +++
 frontend/src/components/LoginForm.jsx | 2 +-
 frontend/src/components/Md5Tool.jsx | 2 +-
 7 files changed, 41 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 62295f0..90816e7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,8 @@ COPY backend/util ./backend/util
 COPY backend/auth ./backend/auth
 COPY backend/tools ./backend/tools
 COPY backend/templates ./backend/templates
-COPY backend/config ./config
+# Store DB config in a docker-friendly location (/config), override via DB_CONFIG_PATH env if needed
+COPY backend/config /config
 COPY backend/requirements.txt ./requirements.txt
 # Frontend aus Build-Stage übernehmen
@@ -27,5 +28,6 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Flask starten
 WORKDIR /app/backend
 ENV PYTHONPATH=/app/backend
+ENV DB_CONFIG_PATH=/config/db_config.json
 EXPOSE 5000
 CMD ["python", "app.py"]
diff --git a/backend/auth/login.py b/backend/auth/login.py
index 4269115..08b937c 100644
--- a/backend/auth/login.py
+++ b/backend/auth/login.py
@@ -13,6 +13,10 @@ def login_route():
 username = data.get('username')
 password = data.get('password')
+ if not SECRET_KEY:
+ logger.error("Login blocked: SECRET_KEY is not configured.")
+ return jsonify({"message": "Server misconfigured"}), 500
+
 try:
 config = load_config()
 conn = connect(**config)
diff --git a/backend/auth/token.py b/backend/auth/token.py
index 6387256..ed26663 100644
--- a/backend/auth/token.py
+++ b/backend/auth/token.py
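Review bot: `COPY backend/config /config` bakes backend/config/db_config.json into an image layer, so whatever that file holds (presumably database credentials, given that login.py passes it to `connect(**config)`) is readable by anyone who can pull the image and survives any later deletion in a following layer. Since DB_CONFIG_PATH is now configurable, the file can be supplied at run time instead — a bind mount or Docker secret at /config — and the COPY dropped, or restricted to a credential-free template. If the COPY stays, a comment such as `# NOTE: db_config.json is baked into the image; keep real credentials out of this file` would at least record the trade-off next to the instruction.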
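Review bot: The new guard in login_route reads `SECRET_KEY`, but none of login.py's four added lines is an import and the hunk does not show where the name comes from; if it is not already imported (e.g. `from auth.token import SECRET_KEY`, given the Dockerfile's PYTHONPATH=/app/backend) or defined in this module, every login fails with a NameError instead of the intended 500. Worth confirming the import exists before merging; the check is otherwise sensible and consistent with the module-level check in token.py. login_route's body starts before and continues after the hunk.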
@@ -1,10 +1,18 @@
+import os
 from flask import request
 from jwt import decode, ExpiredSignatureError, InvalidTokenError
 from util.logger import logger
-SECRET_KEY = "bitte_hier_dein_geheimes_passwort_setzen" # später .env verwenden
+# SECRET_KEY must be provided via environment for production safety
+SECRET_KEY = os.environ.get("SECRET_KEY")
+if not SECRET_KEY:
+    logger.error("SECRET_KEY environment variable is not set – authentication disabled until configured.")
+
 def verify_token():
+    if not SECRET_KEY:
+        return None
+
 auth_header = request.headers.get("Authorization", "")
 if not auth_header.startswith("Bearer "):
 logger.warning("🔐 Invalid Bearer header")
diff --git a/backend/util/db_config.py b/backend/util/db_config.py
index 27c6175..48090a7 100644
--- a/backend/util/db_config.py
+++ b/backend/util/db_config.py
@@ -4,7 +4,26 @@ import os
 import mysql.connector
 from util.logger import logger
-CONFIG_PATH = "./config/db_config.json"
+
+def _resolve_config_path() -> str:
+    """
+    Prefer an explicit env override, otherwise use a docker-friendly default
+    (/config) and fall back to the repo-local config folder for non-docker dev.
+    """
+    if env_path := os.environ.get("DB_CONFIG_PATH"):
+        return os.path.abspath(env_path)
+
+    docker_path = "/config/db_config.json"
+    if os.path.exists("/config"):
+        return docker_path
+
+    # local fallback: backend/config/db_config.json (relative to this file)
+    return os.path.abspath(
+        os.path.join(os.path.dirname(__file__), "..", "config", "db_config.json")
+    )
+
+
+CONFIG_PATH = _resolve_config_path()
 def is_configured():
 return os.path.exists(CONFIG_PATH)
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 5703b1b..8cce371 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -5,6 +5,9 @@ services:
 dockerfile: Dockerfile
 ports:
 - "5000:5000"
+ environment:
+ - SECRET_KEY=dev-change-me
+ - DB_CONFIG_PATH=/config/db_config.json
 volumes:
 - ./backend:/backend
 - ./frontend:/frontend
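Review bot: The new `if not SECRET_KEY: return None` at the top of verify_token is silent, while the neighbouring Bearer-header branch logs a warning, so a request rejected because the key is missing is indistinguishable in the logs from one that simply carried no usable token; a `logger.error("Token rejected: SECRET_KEY is not configured")` before the return would keep that failure visible per request. The module-level check also accepts any non-empty value, so a short placeholder such as the `dev-change-me` set in docker-compose.dev.yml passes it; if HS256 is the algorithm used by the `decode` call further down, rejecting keys shorter than 32 bytes in the same check would match the minimum the JWA spec requires. verify_token's body continues past the hunk.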
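Review bot: `_resolve_config_path` chooses between three locations but records nothing about its choice, so when `is_configured()` later returns False inside a container it is not visible which path was actually probed; a `logger.debug("DB config path resolved to %s", path)` before returning (logger is already imported two lines above) would make that diagnosable. Note also that a relative DB_CONFIG_PATH is resolved by `os.path.abspath` against the process working directory — /app/backend under the Dockerfile's WORKDIR — rather than against this file, unlike the local fallback; the docstring could state that so the two behaviours are not confused.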
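Review bot: `SECRET_KEY=dev-change-me` commits a working signing key to the repository, and the new token.py check accepts it as valid configuration, so any deployment started from this compose file signs JWTs with a publicly known key. Compose can require the value from the shell environment or a .env file instead, e.g. `- SECRET_KEY=${SECRET_KEY:?SECRET_KEY must be set}`, which keeps the file committed without the secret and fails fast when it is missing. If a dev-only default is wanted, `${SECRET_KEY:-dev-change-me}` at least lets it be overridden without editing the file.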
diff --git a/frontend/src/components/LoginForm.jsx b/frontend/src/components/LoginForm.jsx
index 42bc3f2..6d8db02 100644
--- a/frontend/src/components/LoginForm.jsx
+++ b/frontend/src/components/LoginForm.jsx
@@ -9,7 +9,7 @@ function LoginForm() {
 const login = async () => {
 try {
- const res = await axios.post('/api/login', { username, password });
+ const res = await axios.post('/login', { username, password });
 localStorage.setItem('token', res.data.token);
 localStorage.setItem('role', res.data.role);
 navigate('/');
diff --git a/frontend/src/components/Md5Tool.jsx b/frontend/src/components/Md5Tool.jsx
index 1af5d95..eb75814 100644
--- a/frontend/src/components/Md5Tool.jsx
+++ b/frontend/src/components/Md5Tool.jsx
@@ -7,7 +7,7 @@ function Md5Tool() {
 const hashPassword = async () => {
 try {
- const res = await axios.post('/api/hash/md5', { password: input });
+ const res = await axios.post('/hash/md5', { password: input });
 setResult(res.data.md5);
 } catch (err) {
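Review bot: Dropping the `/api` prefix here and in Md5Tool.jsx changes the contract between frontend and backend, but the diff contains no corresponding backend route or dev-proxy change (login.py's route decorator is outside its hunk), so whether `/login` and `/hash/md5` are the paths now served cannot be confirmed from the commit; the description should point at the route or proxy setting that makes these calls resolve. If other components still post to `/api/...`, these two become the only callers on the new prefix, so a repo-wide search for `axios.post('/api` is worth doing before merge. The surrounding `login` function continues past the hunk.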