moved amount of accesses to more strict handling for api calls

added api /auth/me to whitelist apicalls
added whitelist with loopback addresses for api rateLimit
2025-12-01 06:55:45 +01:00 · 2025-11-07 16:37:43 +01:00 · 2025-11-07 16:35:57 +01:00 · 2025-11-07 16:32:10 +01:00 · 2025-11-06 00:11:24 +01:00 · 2025-11-05 15:22:29 +01:00
12 changed files with 1826 additions and 523 deletions
--- a/backend/package.json
+++ b/backend/package.json
@@ -4,7 +4,9 @@
  "type": "module",
  "scripts": {
    "dev": "npm run build && npx tsx src/server.ts",
-    "dev:single": "cross-env NODE_ENV=development TRUST_PROXY_ENABLED=false npx tsx src/server.ts",
+    "dev:single": "cross-env NODE_ENV=development TRUST_PROXY_ENABLED=false SEED_TEST_DATA=true npx tsx src/server.ts",
+    "seed:test-data": "npx tsx src/scripts/seedTestData.ts",
+    "dev:all": "npm run dev:single",
    "build": "tsc",
    "start": "node dist/server.js",
    "prestart": "npm run build",
@@ -16,7 +18,7 @@
  "dependencies": {
    "@types/bcrypt": "^6.0.0",
    "@types/node": "24.9.2",
-    "vite":"7.1.12",
+    "vite": "7.1.12",
    "bcrypt": "^6.0.0",
    "bcryptjs": "^2.4.3",
    "express": "^4.18.2",
@@ -25,7 +27,9 @@
    "uuid": "^9.0.0",
    "express-rate-limit": "8.1.0",
    "helmet": "8.1.0",
-    "express-validator": "7.3.0"
+    "express-validator": "7.3.0",
+    "exceljs": "4.4.0",
+    "playwright-chromium": "^1.37.0"
  },
  "devDependencies": {
    "@types/bcryptjs": "^2.4.2",
--- a/backend/src/controllers/shiftPlanController.ts
+++ b/backend/src/controllers/shiftPlanController.ts
--- a/backend/src/middleware/rateLimit.ts
+++ b/backend/src/middleware/rateLimit.ts
@@ -5,11 +5,11 @@ import { Request } from 'express';
 const getClientIP = (req: Request): string => {
  // Read from environment which header to trust
  const trustedHeader = process.env.TRUSTED_PROXY_HEADER || 'x-forwarded-for';
-  
+
  const forwarded = req.headers[trustedHeader];
  const realIp = req.headers['x-real-ip'];
  const cfConnectingIp = req.headers['cf-connecting-ip']; // Cloudflare
-  
+
  // If we have a forwarded header and trust proxy is configured
  if (forwarded) {
    if (Array.isArray(forwarded)) {
@@ -22,66 +22,96 @@ const getClientIP = (req: Request): string => {
      return firstIP;
    }
  }
-  
+
  // Cloudflare support
  if (cfConnectingIp) {
    console.log(`🔍 Using Cloudflare IP: ${cfConnectingIp}`);
    return cfConnectingIp.toString();
  }
-  
+
  // Fallback to x-real-ip
  if (realIp) {
    console.log(`🔍 Using x-real-ip: ${realIp}`);
    return realIp.toString();
  }
-  
+
  // Final fallback to connection remote address
  const remoteAddress = req.socket.remoteAddress || req.ip || 'unknown';
  console.log(`🔍 Using remote address: ${remoteAddress}`);
  return remoteAddress;
 };

+// Helper to check if an IP is a loopback address (IPv4 or IPv6)
+const isLoopbackAddress = (ip: string): boolean => {
+  // IPv4 loopback: 127.0.0.0/8
+  if (ip.startsWith('127.') || ip === 'localhost') {
+    return true;
+  }
+
+  // IPv6 loopback: ::1
+  // Also handle IPv4-mapped IPv6 addresses like ::ffff:127.0.0.1
+  if (ip === '::1' || ip === '::ffff:127.0.0.1') {
+    return true;
+  }
+
+  // Handle full IPv6 loopback notation
+  if (ip.toLowerCase().startsWith('0000:0000:0000:0000:0000:0000:0000:0001') ||
+    ip.toLowerCase() === '0:0:0:0:0:0:0:1') {
+    return true;
+  }
+
+  return false;
+};
+
 // Helper to check if request should be limited
 const shouldSkipLimit = (req: Request): boolean => {
  const skipPaths = [
-    '/api/health', 
+    '/api/health',
    '/api/setup/status',
-    '/api/auth/validate'
+    '/api/auth/validate',
+    '/api/auth/me',
  ];
-  
+
  // Skip for successful GET requests (data fetching)
  if (req.method === 'GET' && req.path.startsWith('/api/')) {
    return true;
  }
-  
+
+  const clientIP = getClientIP(req);
+
+  // Skip for loopback addresses (local development)
+  if (isLoopbackAddress(clientIP)) {
+    console.log(`✅ Loopback address skipped: ${clientIP}`);
+    return true;
+  }
+
  // Skip for whitelisted IPs from environment
  const whitelist = process.env.RATE_LIMIT_WHITELIST?.split(',') || [];
-  const clientIP = getClientIP(req);
  if (whitelist.includes(clientIP)) {
    console.log(`✅ IP whitelisted: ${clientIP}`);
    return true;
  }
-  
+
  return skipPaths.includes(req.path);
 };

 // Environment-based configuration
 const getRateLimitConfig = () => {
  const isProduction = process.env.NODE_ENV === 'production';
-  
+
  return {
    windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || '900000'), // 15 minutes default
-    max: isProduction 
-      ? parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '1000')  // Stricter in production
-      : parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '5000'), // More lenient in development
-    
+    max: isProduction
+      ? parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '50')  // Stricter in production
+      : parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '100'), // More lenient in development
+
    // Development-specific relaxations
    skip: (req: Request) => {
      // Skip all GET requests in development for easier testing
      if (!isProduction && req.method === 'GET') {
        return true;
      }
-      
+
      return shouldSkipLimit(req);
    }
  };
@@ -90,8 +120,8 @@ const getRateLimitConfig = () => {
 // Main API limiter - nur für POST/PUT/DELETE
 export const apiLimiter = rateLimit({
  ...getRateLimitConfig(),
-  message: { 
-    error: 'Zu viele Anfragen, bitte verlangsamen Sie Ihre Aktionen' 
+  message: {
+    error: 'Zu viele Anfragen, bitte verlangsamen Sie Ihre Aktionen'
  },
  standardHeaders: true,
  legacyHeaders: false,
@@ -99,8 +129,8 @@ export const apiLimiter = rateLimit({
  handler: (req, res) => {
    const clientIP = getClientIP(req);
    console.warn(`🚨 Rate limit exceeded for IP: ${clientIP}, Path: ${req.path}, Method: ${req.method}`);
-    
-    res.status(429).json({ 
+
+    res.status(429).json({
      error: 'Zu viele Anfragen',
      message: 'Bitte versuchen Sie es später erneut',
      retryAfter: '15 Minuten',
@@ -112,9 +142,9 @@ export const apiLimiter = rateLimit({
 // Strict limiter for auth endpoints
 export const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
-  max: parseInt(process.env.AUTH_RATE_LIMIT_MAX_REQUESTS || '100'),
-  message: { 
-    error: 'Zu viele Login-Versuche, bitte versuchen Sie es später erneut' 
+  max: parseInt(process.env.AUTH_RATE_LIMIT_MAX_REQUESTS || '50'),
+  message: {
+    error: 'Zu viele Login-Versuche, bitte versuchen Sie es später erneut'
  },
  standardHeaders: true,
  legacyHeaders: false,
@@ -123,8 +153,8 @@ export const authLimiter = rateLimit({
  handler: (req, res) => {
    const clientIP = getClientIP(req);
    console.warn(`🚨 Auth rate limit exceeded for IP: ${clientIP}`);
-    
-    res.status(429).json({ 
+
+    res.status(429).json({
      error: 'Zu viele Login-Versuche',
      message: 'Aus Sicherheitsgründen wurde Ihr Konto temporär gesperrt',
      retryAfter: '15 Minuten'
@@ -135,7 +165,7 @@ export const authLimiter = rateLimit({
 // Separate limiter for expensive endpoints
 export const expensiveEndpointLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
-  max: parseInt(process.env.EXPENSIVE_ENDPOINT_LIMIT || '100'),
+  max: parseInt(process.env.EXPENSIVE_ENDPOINT_LIMIT || '20'),
  message: {
    error: 'Zu viele Anfragen für diese Ressource'
  },
--- a/backend/src/scripts/seedTestData.ts
+++ b/backend/src/scripts/seedTestData.ts
@@ -0,0 +1,347 @@
+// backend/src/scripts/seedTestData.ts
+import { db } from '../services/databaseService.js';
+import bcrypt from 'bcryptjs';
+import { v4 as uuidv4 } from 'uuid';
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+interface TestData {
+    plan_name: string;
+    description: string;
+    period: string;
+    status: string;
+    created_by: string;
+    shifts: {
+        [day: string]: {
+            [shiftType: string]: {
+                time: string;
+                assignments: { [employeeName: string]: number };
+            };
+        };
+    };
+    employee_info: {
+        contract_sizes: { [name: string]: string };
+        employee_types: { [name: string]: string };
+        roles: { [name: string]: string };
+        trainees: { [name: string]: boolean };
+        can_work_alone: { [name: string]: boolean };
+    };
+    availability_scale: {
+        [key: string]: string;
+    };
+}
+
+function generateEmail(firstname: string, lastname: string): string {
+    const convertUmlauts = (str: string): string => {
+        return str
+            .toLowerCase()
+            .replace(/ü/g, 'ue')
+            .replace(/ö/g, 'oe')
+            .replace(/ä/g, 'ae')
+            .replace(/ß/g, 'ss');
+    };
+
+    const cleanFirstname = convertUmlauts(firstname).replace(/[^a-z0-9]/g, '');
+    const cleanLastname = convertUmlauts(lastname).replace(/[^a-z0-9]/g, '');
+
+    return `${cleanFirstname}.${cleanLastname}@sp.de`;
+}
+
+function mapContractType(germanType: string): 'small' | 'large' | 'flexible' {
+    switch (germanType) {
+        case 'groß': return 'large';
+        case 'klein': return 'small';
+        case 'flexible': return 'flexible';
+        default: return 'small';
+    }
+}
+
+function mapDayToNumber(day: string): number {
+    const dayMap: { [key: string]: number } = {
+        'monday': 1,
+        'tuesday': 2,
+        'wednesday': 3,
+        'thursday': 4,
+        'friday': 5,
+        'saturday': 6,
+        'sunday': 7
+    };
+    return dayMap[day.toLowerCase()] || 1;
+}
+
+function parseTimeSlot(time: string): { startTime: string; endTime: string } {
+    const [start, end] = time.split(' - ');
+    return {
+        startTime: start.trim(),
+        endTime: end.trim()
+    };
+}
+
+export async function seedTestData(): Promise<void> {
+    try {
+        console.log('🌱 Starting test data seeding...');
+
+        // Read test.json file - adjust path to be relative to project root
+        //const testDataPath = path.resolve(process.cwd(), './test.json');
+        const testDataPath = path.resolve(__dirname, './test.json');
+
+        console.log('🔍 Looking for test.json at:', testDataPath);
+
+        if (!fs.existsSync(testDataPath)) {
+            console.log('❌ test.json file not found at:', testDataPath);
+
+            // Try alternative paths
+            const alternativePaths = [
+                //path.resolve(__dirname, '../../../test.json'),
+                //path.resolve(process.cwd(), '../test.json'),
+                //path.resolve(__dirname, '../../test.json'),
+                path.resolve(__dirname, './test.json')
+            ];
+
+            for (const altPath of alternativePaths) {
+                console.log('🔍 Trying alternative path:', altPath);
+                if (fs.existsSync(altPath)) {
+                    console.log('✅ Found test.json at:', altPath);
+                    // Continue with the found path
+                    break;
+                }
+            }
+
+            return;
+        }
+
+        const testDataRaw = fs.readFileSync(testDataPath, 'utf-8');
+        const testData: TestData = JSON.parse(testDataRaw);
+
+        console.log('📊 Loaded test data:', {
+            planName: testData.plan_name,
+            employeeCount: Object.keys(testData.employee_info.contract_sizes).length,
+            days: Object.keys(testData.shifts).length
+        });
+
+        // Start transaction
+        await db.run('BEGIN TRANSACTION');
+
+        try {
+            // 1. Create employees
+            console.log('👥 Creating employees...');
+            const employeeMap: { [name: string]: string } = {};
+            const employeeNames = Object.keys(testData.employee_info.contract_sizes);
+
+            for (const name of employeeNames) {
+                const employeeId = uuidv4();
+                employeeMap[name] = employeeId;
+
+                const [firstname, lastname = ''] = name.split(' ');
+                const email = generateEmail(firstname, lastname || 'Test');
+                const passwordHash = await bcrypt.hash('ZebraAux123!', 10);
+
+                const contractType = mapContractType(testData.employee_info.contract_sizes[name]);
+                const employeeType = testData.employee_info.employee_types[name];
+                const role = testData.employee_info.roles[name];
+                const isTrainee = testData.employee_info.trainees[name];
+                const canWorkAlone = testData.employee_info.can_work_alone[name];
+
+                // Insert employee
+                await db.run(
+                    `INSERT INTO employees (
+            id, email, password, firstname, lastname, 
+            employee_type, contract_type, can_work_alone, 
+            is_trainee, is_active
+          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+                    [
+                        employeeId,
+                        email,
+                        passwordHash,
+                        firstname,
+                        lastname || 'Test',
+                        employeeType,
+                        contractType,
+                        canWorkAlone ? 1 : 0,
+                        isTrainee ? 1 : 0,
+                        1
+                    ]
+                );
+
+                // Insert role
+                await db.run(
+                    `INSERT INTO employee_roles (employee_id, role) VALUES (?, ?)`,
+                    [employeeId, role]
+                );
+
+                console.log(`✅ Created employee: ${name} (${email})`);
+            }
+
+            // 2. Create shift plan
+            console.log('📅 Creating shift plan...');
+            const planId = uuidv4();
+            const [startDate, endDate] = testData.period.split(' bis ');
+
+            // Use the first admin employee as creator
+            const adminEmployee = Object.entries(testData.employee_info.roles)
+                .find(([_, role]) => role === 'admin');
+            const createdBy = adminEmployee ? employeeMap[adminEmployee[0]] : employeeMap[employeeNames[0]];
+
+            await db.run(
+                `INSERT INTO shift_plans (
+          id, name, description, start_date, end_date, 
+          is_template, status, created_by
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+                [
+                    planId,
+                    testData.plan_name,
+                    testData.description,
+                    startDate.trim(),
+                    endDate.trim(),
+                    0, // is_template = false
+                    'published',
+                    createdBy
+                ]
+            );
+
+            // 3. Create time slots
+            console.log('⏰ Creating time slots...');
+            const timeSlotMap: { [key: string]: string } = {};
+
+            // Extract unique time slots from shifts
+            const uniqueTimeSlots = new Set<string>();
+            Object.values(testData.shifts).forEach(dayShifts => {
+                Object.values(dayShifts).forEach(shift => {
+                    uniqueTimeSlots.add(shift.time);
+                });
+            });
+
+            let timeSlotIndex = 0;
+            for (const time of uniqueTimeSlots) {
+                const timeSlotId = uuidv4();
+                const { startTime, endTime } = parseTimeSlot(time);
+                const name = timeSlotIndex === 0 ? 'Vormittag' : 'Nachmittag';
+
+                await db.run(
+                    `INSERT INTO time_slots (id, plan_id, name, start_time, end_time, description) 
+           VALUES (?, ?, ?, ?, ?, ?)`,
+                    [timeSlotId, planId, name, startTime, endTime, `Time slot: ${time}`]
+                );
+
+                timeSlotMap[time] = timeSlotId;
+                timeSlotIndex++;
+            }
+
+            // 4. Create shifts
+            console.log('🔄 Creating shifts...');
+            const shiftMap: { [dayTime: string]: string } = {};
+
+            for (const [dayName, dayShifts] of Object.entries(testData.shifts)) {
+                const dayOfWeek = mapDayToNumber(dayName);
+
+                for (const [shiftType, shiftData] of Object.entries(dayShifts)) {
+                    const shiftId = uuidv4();
+                    const timeSlotId = timeSlotMap[shiftData.time];
+
+                    await db.run(
+                        `INSERT INTO shifts (id, plan_id, time_slot_id, day_of_week, required_employees, color) 
+             VALUES (?, ?, ?, ?, ?, ?)`,
+                        [shiftId, planId, timeSlotId, dayOfWeek, 2, '#3498db']
+                    );
+
+                    shiftMap[`${dayName}_${shiftType}`] = shiftId;
+                }
+            }
+
+            // 5. Generate scheduled shifts for one week (for template demonstration)
+            console.log('📋 Generating scheduled shifts...');
+            const start = new Date(startDate.trim());
+
+            for (let dayOffset = 0; dayOffset < 7; dayOffset++) {
+                const currentDate = new Date(start);
+                currentDate.setDate(start.getDate() + dayOffset);
+
+                const dayOfWeek = currentDate.getDay() === 0 ? 7 : currentDate.getDay();
+                const dayName = Object.keys(testData.shifts).find(day =>
+                    mapDayToNumber(day) === dayOfWeek
+                );
+
+                if (dayName && testData.shifts[dayName]) {
+                    for (const [shiftType, shiftData] of Object.entries(testData.shifts[dayName])) {
+                        const scheduledShiftId = uuidv4();
+                        const timeSlotId = timeSlotMap[shiftData.time];
+
+                        await db.run(
+                            `INSERT INTO scheduled_shifts (id, plan_id, date, time_slot_id, required_employees, assigned_employees) 
+               VALUES (?, ?, ?, ?, ?, ?)`,
+                            [
+                                scheduledShiftId,
+                                planId,
+                                currentDate.toISOString().split('T')[0],
+                                timeSlotId,
+                                2,
+                                JSON.stringify([])
+                            ]
+                        );
+                    }
+                }
+            }
+
+            // 6. Create employee availabilities
+            console.log('📝 Creating employee availabilities...');
+
+            for (const [dayName, dayShifts] of Object.entries(testData.shifts)) {
+                const dayOfWeek = mapDayToNumber(dayName);
+
+                for (const [shiftType, shiftData] of Object.entries(dayShifts)) {
+                    const shiftId = shiftMap[`${dayName}_${shiftType}`];
+
+                    for (const [employeeName, preferenceLevel] of Object.entries(shiftData.assignments)) {
+                        const employeeId = employeeMap[employeeName];
+
+                        if (employeeId) {
+                            const availabilityId = uuidv4();
+
+                            await db.run(
+                                `INSERT INTO employee_availability (id, employee_id, plan_id, shift_id, preference_level) 
+                 VALUES (?, ?, ?, ?, ?)`,
+                                [availabilityId, employeeId, planId, shiftId, preferenceLevel]
+                            );
+                        }
+                    }
+                }
+            }
+
+            await db.run('COMMIT');
+
+            console.log('🎉 Test data seeded successfully!');
+            console.log('📊 Summary:');
+            console.log(`   - Employees: ${employeeNames.length}`);
+            console.log(`   - Shift Plan: ${testData.plan_name}`);
+            console.log(`   - Time Slots: ${Object.keys(timeSlotMap).length}`);
+            console.log(`   - Shifts: ${Object.keys(shiftMap).length}`);
+            console.log(`   - Period: ${testData.period}`);
+
+        } catch (error) {
+            await db.run('ROLLBACK');
+            console.error('❌ Error during test data seeding:', error);
+            throw error;
+        }
+
+    } catch (error) {
+        console.error('❌ Failed to seed test data:', error);
+        throw error;
+    }
+}
+
+// Run if called directly
+if (import.meta.url === `file://${process.argv[1]}`) {
+    seedTestData()
+        .then(() => {
+            console.log('✅ Seed script completed');
+            process.exit(0);
+        })
+        .catch((error) => {
+            console.error('❌ Seed script failed:', error);
+            process.exit(1);
+        });
+}
--- a/backend/src/scripts/test.json
+++ b/backend/src/scripts/test.json
@@ -0,0 +1,235 @@
+{
+  "plan_name": "test",
+  "description": "Standard Vorlage für ZEBRA: Mo-Do Vormittag+Nachmittag, Fr nur Vormittag",
+  "period": "2025-10-01 bis 2026-02-01",
+  "status": "published",
+  "created_by": "Max Mustermann",
+  "shifts": {
+    "monday": {
+      "early": {
+        "time": "8:00 - 12:00",
+        "assignments": {
+          "Jerome": 2,
+          "Patrick": 2,
+          "Andrey": 1,
+          "Fabian": 2,
+          "Lu": 3,
+          "Basti": 1,
+          "Kilian": 3,
+          "Gerald": 1,
+          "Uliana": 2,
+          "Nico": 1,
+          "Linuuuus": 1
+        }
+      },
+      "late": {
+        "time": "11:30 - 15:30",
+        "assignments": {
+          "Jerome": 1,
+          "Patrick": 3,
+          "Andrey": 1,
+          "Fabian": 3,
+          "Lu": 1,
+          "Basti": 1,
+          "Kilian": 3,
+          "Gerald": 3,
+          "Uliana": 3,
+          "Nico": 1,
+          "Linuuuus": 3
+        }
+      }
+    },
+    "tuesday": {
+      "early": {
+        "time": "8:00 - 12:00",
+        "assignments": {
+          "Jerome": 2,
+          "Patrick": 2,
+          "Andrey": 1,
+          "Fabian": 2,
+          "Lu": 3,
+          "Basti": 1,
+          "Kilian": 3,
+          "Gerald": 2,
+          "Uliana": 1,
+          "Nico": 1,
+          "Linuuuus": 2
+        }
+      },
+      "late": {
+        "time": "11:30 - 15:30",
+        "assignments": {
+          "Jerome": 1,
+          "Patrick": 3,
+          "Andrey": 1,
+          "Fabian": 3,
+          "Lu": 3,
+          "Basti": 1,
+          "Kilian": 3,
+          "Gerald": 2,
+          "Uliana": 2,
+          "Nico": 3,
+          "Linuuuus": 2
+        }
+      }
+    },
+    "wednesday": {
+      "early": {
+        "time": "8:00 - 12:00",
+        "assignments": {
+          "Jerome": 2,
+          "Patrick": 2,
+          "Andrey": 1,
+          "Fabian": 2,
+          "Lu": 3,
+          "Basti": 3,
+          "Kilian": 3,
+          "Gerald": 3,
+          "Uliana": 2,
+          "Nico": 3,
+          "Linuuuus": 2
+        }
+      },
+      "late": {
+        "time": "11:30 - 15:30",
+        "assignments": {
+          "Jerome": 2,
+          "Patrick": 3,
+          "Andrey": 1,
+          "Fabian": 3,
+          "Lu": 3,
+          "Basti": 3,
+          "Kilian": 3,
+          "Gerald": 3,
+          "Uliana": 3,
+          "Nico": 1,
+          "Linuuuus": 3
+        }
+      }
+    },
+    "thursday": {
+      "early": {
+        "time": "8:00 - 12:00",
+        "assignments": {
+          "Jerome": 3,
+          "Patrick": 3,
+          "Andrey": 1,
+          "Fabian": 3,
+          "Lu": 3,
+          "Basti": 3,
+          "Kilian": 3,
+          "Gerald": 3,
+          "Uliana": 3,
+          "Nico": 2,
+          "Linuuuus": 2
+        }
+      },
+      "late": {
+        "time": "11:30 - 15:30",
+        "assignments": {
+          "Jerome": 1,
+          "Patrick": 1,
+          "Andrey": 1,
+          "Fabian": 1,
+          "Lu": 3,
+          "Basti": 3,
+          "Kilian": 1,
+          "Gerald": 2,
+          "Uliana": 3,
+          "Nico": 3,
+          "Linuuuus": 3
+        }
+      }
+    },
+    "friday": {
+      "early": {
+        "time": "8:00 - 12:00",
+        "assignments": {
+          "Jerome": 1,
+          "Patrick": 1,
+          "Andrey": 1,
+          "Fabian": 1,
+          "Lu": 1,
+          "Basti": 3,
+          "Kilian": 1,
+          "Gerald": 1,
+          "Uliana": 1,
+          "Nico": 3,
+          "Linuuuus": 3
+        }
+      }
+    }
+  },
+  "employee_info": {
+    "contract_sizes": {
+      "Jerome": "groß",
+      "Patrick": "groß",
+      "Andrey": "groß",
+      "Fabian": "klein",
+      "Lu": "klein",
+      "Basti": "flexible",
+      "Kilian": "klein",
+      "Gerald": "groß",
+      "Uliana": "groß",
+      "Nico": "klein",
+      "Linuuuus": "klein"
+    },
+    "employee_types": {
+      "Jerome": "personell",
+      "Patrick": "personell",
+      "Andrey": "personell",
+      "Fabian": "personell",
+      "Lu": "personell",
+      "Basti": "manager",
+      "Kilian": "personell",
+      "Gerald": "personell",
+      "Uliana": "personell",
+      "Nico": "personell",
+      "Linuuuus": "personell"
+    },
+    "roles": {
+      "Jerome": "user",
+      "Patrick": "maintenance",
+      "Andrey": "user",
+      "Fabian": "user",
+      "Lu": "user",
+      "Basti": "admin",
+      "Kilian": "user",
+      "Gerald": "user",
+      "Uliana": "user",
+      "Nico": "user",
+      "Linuuuus": "user"
+    },
+    "trainees": {
+      "Jerome": false,
+      "Patrick": false,
+      "Andrey": false,
+      "Fabian": false,
+      "Lu": false,
+      "Basti": false,
+      "Kilian": true,
+      "Gerald": true,
+      "Uliana": true,
+      "Nico": true,
+      "Linuuuus": false
+    },
+    "can_work_alone": {
+      "Jerome": true,
+      "Patrick": true,
+      "Andrey": false,
+      "Fabian": true,
+      "Lu": false,
+      "Basti": false,
+      "Kilian": false,
+      "Gerald": false,
+      "Uliana": false,
+      "Nico": false,
+      "Linuuuus": true
+    }
+  },
+  "availability_scale": {
+    "1": "available",
+    "2": "limited",
+    "3": "unavailable"
+  }
+}
--- a/backend/src/server.ts
+++ b/backend/src/server.ts
@@ -14,9 +14,9 @@ import shiftPlanRoutes from './routes/shiftPlans.js';
 import setupRoutes from './routes/setup.js';
 import scheduledShifts from './routes/scheduledShifts.js';
 import schedulingRoutes from './routes/scheduling.js';
-import { 
-  apiLimiter, 
-  authLimiter, 
+import {
+  apiLimiter,
+  authLimiter,
  expensiveEndpointLimiter
 } from './middleware/rateLimit.js';
 import { ipSecurityCheck as authIpCheck } from './middleware/auth.js';
@@ -27,6 +27,15 @@ const __dirname = path.dirname(__filename);
 const app = express();
 const PORT = 3002;
 const isDevelopment = process.env.NODE_ENV === 'development';
+if (isDevelopment) {
+  console.log('🔧 Running in Development mode');
+} else if (process.env.NODE_ENV === 'production') {
+  console.log('🚀 Running in Production mode');
+} else {
+  console.log('⚠️  NODE_ENV not set, defaulting to Development mode');
+  console.error('❌ Please set NODE_ENV to "production" or "development" for proper behavior.');
+  process.exit(1);
+}

 app.use(authIpCheck);

@@ -96,12 +105,12 @@ const configureTrustProxy = (): string | string[] | boolean | number => {
  // If specific IPs are provided via environment variable
  if (trustedProxyIps) {
    console.log('🔒 Trust proxy: Using configured IPs:', trustedProxyIps);
-    
+
    // Handle comma-separated list of IPs/CIDR ranges
    if (trustedProxyIps.includes(',')) {
      return trustedProxyIps.split(',').map(ip => ip.trim());
    }
-    
+
    // Handle single IP/CIDR
    return trustedProxyIps.trim();
  }
@@ -116,15 +125,15 @@ app.set('trust proxy', configureTrustProxy());
 app.use((req, res, next) => {
  const protocol = req.headers['x-forwarded-proto'] || req.protocol;
  const isHttps = protocol === 'https';
-  
+
  // Add security warning for HTTP requests
  if (!isHttps && process.env.NODE_ENV === 'production') {
    res.setHeader('X-Security-Warning', 'This application is being accessed over HTTP. For secure communication, please use HTTPS.');
-    
+
    // Log HTTP access in production
    console.warn(`⚠️  HTTP access detected: ${req.method} ${req.path} from ${req.ip}`);
  }
-  
+
  next();
 });

@@ -273,7 +282,7 @@ app.get('*', (req, res, next) => {
  // Serve React app for all other routes
  const frontendPath = '/app/frontend-build';
  const indexPath = path.join(frontendPath, 'index.html');
-  
+
  if (fs.existsSync(indexPath)) {
    res.sendFile(indexPath);
  } else {
@@ -311,6 +320,16 @@ const initializeApp = async () => {
    const { applyMigration } = await import('./scripts/applyMigration.js');
    await applyMigration();

+    if (isDevelopment && process.env.SEED_TEST_DATA === 'true') {
+      try {
+        const { seedTestData } = await import('./scripts/seedTestData.js');
+        await seedTestData();
+        console.log('✅ Test data seeded successfully');
+      } catch (error) {
+        console.log('⚠️ Test data seeding skipped or failed:', error);
+      }
+    }
+
    app.listen(PORT, () => {
      console.log('🎉 APPLICATION STARTED SUCCESSFULLY!');
      console.log(`📍 Port: ${PORT}`);
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -30,7 +30,6 @@
    "framer-motion": "12.23.24",
    "file-saver": "2.0.5",
    "@types/file-saver": "2.0.5"
-
  },
  "scripts": {
    "dev": "vite dev",
--- a/frontend/src/design/DesignSystem.txt
+++ b/frontend/src/design/DesignSystem.txt
@@ -19,6 +19,8 @@ export const designTokens = {
      9: '#cda8f0',
      10: '#ebd7fa',
    },
+
+    manager: '#CC0000',
    
    // Semantic Colors
    primary: '#51258f',
--- a/frontend/src/pages/Employees/components/AvailabilityManager.tsx
+++ b/frontend/src/pages/Employees/components/AvailabilityManager.tsx
@@ -317,7 +317,17 @@ const AvailabilityManager: React.FC<AvailabilityManagerProps> = ({

    // Convert to array and sort by start time
    const sortedTimeSlots = Array.from(allTimeSlots.values()).sort((a, b) => {
-      return (a.startTime || '').localeCompare(b.startTime || '');
+      // Convert time strings to minutes for proper numeric comparison
+      const timeToMinutes = (timeStr: string) => {
+        if (!timeStr) return 0;
+        const [hours, minutes] = timeStr.split(':').map(Number);
+        return hours * 60 + minutes;
+      };
+
+      const minutesA = timeToMinutes(a.startTime);
+      const minutesB = timeToMinutes(b.startTime);
+      
+      return minutesA - minutesB; // Ascending order (earliest first)
    });

    return (
--- a/frontend/src/pages/ShiftPlans/ShiftPlanCreate.tsx
+++ b/frontend/src/pages/ShiftPlans/ShiftPlanCreate.tsx
@@ -18,7 +18,7 @@ const ShiftPlanCreate: React.FC = () => {
  const [searchParams] = useSearchParams();
  const { showNotification } = useNotification();
  const { executeWithValidation, isSubmitting } = useBackendValidation();
-  
+
  const [planName, setPlanName] = useState('');
  const [startDate, setStartDate] = useState('');
  const [endDate, setEndDate] = useState('');
@@ -35,9 +35,9 @@ const ShiftPlanCreate: React.FC = () => {
      console.log('🔄 Lade verfügbare Vorlagen-Presets...');
      const data = await shiftPlanService.getTemplatePresets();
      console.log('✅ Presets geladen:', data);
-      
+
      setPresets(data);
-      
+
      // Setze das erste Preset als Standard, falls vorhanden
      if (data.length > 0) {
        setSelectedPreset(data[0].name);
@@ -75,7 +75,7 @@ const ShiftPlanCreate: React.FC = () => {
    if (!endDate) {
      showNotification({
        type: 'error',
-        title: 'Fehlende Angaben', 
+        title: 'Fehlende Angaben',
        message: 'Bitte wählen Sie ein Enddatum'
      });
      return;
@@ -115,14 +115,14 @@ const ShiftPlanCreate: React.FC = () => {
      });

      console.log('✅ Plan erstellt:', createdPlan);
-      
+
      // Erfolgsmeldung und Weiterleitung
      showNotification({
        type: 'success',
        title: 'Erfolg',
        message: 'Schichtplan erfolgreich erstellt!'
      });
-      
+
      setTimeout(() => {
        navigate(`/shift-plans/${createdPlan.id}`);
      }, 1500);
@@ -146,20 +146,20 @@ const ShiftPlanCreate: React.FC = () => {
    <div className={styles.container}>
      <div className={styles.header}>
        <h1>Neuen Schichtplan erstellen</h1>
-        <button 
-          onClick={() => navigate(-1)} 
+        <button
+          onClick={() => navigate(-1)}
          className={styles.backButton}
          disabled={isSubmitting}
        >
          Zurück
        </button>
      </div>
-      
+
      <div className={styles.form}>
        <div className={styles.formGroup}>
          <label>Plan Name:</label>
-          <input 
-            type="text" 
+          <input
+            type="text"
            value={planName}
            onChange={(e) => setPlanName(e.target.value)}
            placeholder="z.B. KW 42 2025"
@@ -171,8 +171,8 @@ const ShiftPlanCreate: React.FC = () => {
        <div className={styles.dateGroup}>
          <div className={styles.formGroup}>
            <label>Von:</label>
-            <input 
-              type="date" 
+            <input
+              type="date"
              value={startDate}
              onChange={(e) => setStartDate(e.target.value)}
              className={styles.input}
@@ -182,8 +182,8 @@ const ShiftPlanCreate: React.FC = () => {

          <div className={styles.formGroup}>
            <label>Bis:</label>
-            <input 
-              type="date" 
+            <input
+              type="date"
              value={endDate}
              onChange={(e) => setEndDate(e.target.value)}
              className={styles.input}
@@ -194,8 +194,8 @@ const ShiftPlanCreate: React.FC = () => {

        <div className={styles.formGroup}>
          <label>Vorlage verwenden:</label>
-          <select 
-            value={selectedPreset} 
+          <select
+            value={selectedPreset}
            onChange={(e) => setSelectedPreset(e.target.value)}
            className={`${styles.select} ${presets.length === 0 ? styles.empty : ''}`}
            disabled={isSubmitting}
@@ -207,7 +207,7 @@ const ShiftPlanCreate: React.FC = () => {
              </option>
            ))}
          </select>
-          
+
          {selectedPreset && (
            <div className={styles.presetDescription}>
              {getSelectedPresetDescription()}
@@ -222,9 +222,9 @@ const ShiftPlanCreate: React.FC = () => {
        </div>

        <div className={styles.actions}>
-          <button 
-            onClick={handleCreate} 
-            className={styles.createButton} 
+          <button
+            onClick={handleCreate}
+            className={styles.createButton}
            disabled={isSubmitting || !selectedPreset || !planName.trim() || !startDate || !endDate}
          >
            {isSubmitting ? 'Wird erstellt...' : 'Schichtplan erstellen'}
--- a/frontend/src/pages/ShiftPlans/ShiftPlanView.tsx
+++ b/frontend/src/pages/ShiftPlans/ShiftPlanView.tsx
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
  "private": true,
  "workspaces": [
    "frontend",
-    "backend", 
+    "backend",
    "premium"
  ],
  "scripts": {
@@ -12,7 +12,7 @@
    "build:all": "npm run build --workspace=backend && npm run build --workspace=frontend",
    "dev": "concurrently \"npm run dev:backend\" \"npm run dev:frontend\"",
    "dev:frontend": "cd frontend && npm run dev",
-    "dev:backend": "cd backend && npm run dev:single"
+    "dev:backend": "cd backend && npm run dev:all"
  },
  "devDependencies": {
    "typescript": "^5.3.3",
Author	SHA1	Message	Date
donpat1to	e5d836d037	moved amount of accesses to more strict handling for api calls	2025-11-07 16:37:43 +01:00
donpat1to	99d5105768	added api /auth/me to whitelist apicalls	2025-11-07 16:35:57 +01:00
donpat1to	a8dc11b024	added whitelist with loopback addresses for api rateLimit	2025-11-07 16:32:10 +01:00
donpat1to	0473a3b5bf	added sorting to time table entries	2025-11-06 00:11:24 +01:00
donpat1to	ec86290d72	fixed package.json executing seeding script	2025-11-05 15:22:29 +01:00
donpat1to	eec9ea92d0	added seedtestData script	2025-11-05 15:09:03 +01:00
donpat1to	80cfe71362	added node_env detection	2025-11-05 15:03:31 +01:00
donpat1to	f6e19bc1ed	added dropdown menu	2025-11-05 14:18:18 +01:00
donpat1to	e66c0f9e28	export drop down menu doesnt disappear when exporttype is selected	2025-11-05 13:22:00 +01:00
donpat1to	822b170920	added dropdown menu for export	2025-11-05 11:32:40 +01:00
donpat1to	c6dfa5b4c6	fixed manager detection	2025-11-05 09:43:28 +01:00
donpat1to	d0be1b4a61	excel timetable with employee with each cell	2025-11-05 09:40:26 +01:00
donpat1to	b337fd0e0a	using playwright for pdf export instead of pdfkit	2025-11-05 09:20:24 +01:00
donpat1to	badccb4f55	more fancy excel export	2025-11-05 08:31:39 +01:00
donpat1to	9eb9afce1e	added timetable export to the export funciton	2025-11-04 23:25:26 +01:00
donpat1to	17d68c2426	Merge branch 'staging' of https://github.com/donpat1to/Schichtenplaner into staging	2025-11-04 22:31:23 +01:00
donpat1to	cff2374f41	fixed klammer usage	2025-11-04 22:28:39 +01:00
donpat1to	3a787875e6	implemented export with pdf and excel library	2025-11-04 15:33:51 +01:00