Fix config path, env secrets, and align API calls

Dockerfile

@@ -15,7 +15,8 @@ COPY backend/util ./backend/util
 COPY backend/auth ./backend/auth
 COPY backend/tools ./backend/tools
 COPY backend/templates ./backend/templates
-COPY backend/config ./config
+# Store DB config in a docker-friendly location (/config), override via DB_CONFIG_PATH env if needed
+COPY backend/config /config
 COPY backend/requirements.txt ./requirements.txt
 
 # Frontend aus Build-Stage übernehmen
@@ -27,5 +28,6 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Flask starten
 WORKDIR /app/backend
 ENV PYTHONPATH=/app/backend
+ENV DB_CONFIG_PATH=/config/db_config.json
 EXPOSE 5000
 CMD ["python", "app.py"]

backend/auth/login.py

@@ -13,6 +13,10 @@ def login_route():
     username = data.get('username')
     password = data.get('password')
 
+    if not SECRET_KEY:
+        logger.error("Login blocked: SECRET_KEY is not configured.")
+        return jsonify({"message": "Server misconfigured"}), 500
+
     try:
         config = load_config()
         conn = connect(**config)

backend/auth/token.py

@@ -1,10 +1,18 @@
+import os
 from flask import request
 from jwt import decode, ExpiredSignatureError, InvalidTokenError
 from util.logger import logger
 
-SECRET_KEY = "bitte_hier_dein_geheimes_passwort_setzen"  # später .env verwenden
+# SECRET_KEY must be provided via environment for production safety
+SECRET_KEY = os.environ.get("SECRET_KEY")
+if not SECRET_KEY:
+    logger.error("SECRET_KEY environment variable is not set – authentication disabled until configured.")
+
 
 def verify_token():
+    if not SECRET_KEY:
+        return None
+
     auth_header = request.headers.get("Authorization", "")
     if not auth_header.startswith("Bearer "):
         logger.warning("🔐 Invalid Bearer header")

backend/util/db_config.py

@@ -4,7 +4,26 @@ import os
 import mysql.connector
 from util.logger import logger
 
-CONFIG_PATH = "./config/db_config.json"
+
+def _resolve_config_path() -> str:
+    """
+    Prefer an explicit env override, otherwise use a docker-friendly default
+    (/config) and fall back to the repo-local config folder for non-docker dev.
+    """
+    if env_path := os.environ.get("DB_CONFIG_PATH"):
+        return os.path.abspath(env_path)
+
+    docker_path = "/config/db_config.json"
+    if os.path.exists("/config"):
+        return docker_path
+
+    # local fallback: backend/config/db_config.json (relative to this file)
+    return os.path.abspath(
+        os.path.join(os.path.dirname(__file__), "..", "config", "db_config.json")
+    )
+
+
+CONFIG_PATH = _resolve_config_path()
 
 def is_configured():
     return os.path.exists(CONFIG_PATH)

docker-compose.dev.yml

@@ -5,6 +5,9 @@ services:
       dockerfile: Dockerfile
     ports:
       - "5000:5000"
+    environment:
+      - SECRET_KEY=dev-change-me
+      - DB_CONFIG_PATH=/config/db_config.json
     volumes:
       - ./backend:/backend
       - ./frontend:/frontend

frontend/src/components/LoginForm.jsx

@@ -9,7 +9,7 @@ function LoginForm() {
 
   const login = async () => {
     try {
-      const res = await axios.post('/api/login', { username, password });
+      const res = await axios.post('/login', { username, password });
       localStorage.setItem('token', res.data.token);
       localStorage.setItem('role', res.data.role);
       navigate('/');

frontend/src/components/Md5Tool.jsx

@@ -7,7 +7,7 @@ function Md5Tool() {
 
   const hashPassword = async () => {
     try {
-      const res = await axios.post('/api/hash/md5', { password: input });
+      const res = await axios.post('/hash/md5', { password: input });
 
       setResult(res.data.md5);
     } catch (err) {