From 7a1861c0eeac790ec2139cfd5b7adfbfdaace854 Mon Sep 17 00:00:00 2001
From: Axel Rindle <axel@rindle.dev>
Date: Fri, 6 Feb 2026 10:40:05 +0100
Subject: [PATCH 1/7] fix: quote boolean value

---
 chart/brahmsee-digital/templates/secrets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chart/brahmsee-digital/templates/secrets.yaml b/chart/brahmsee-digital/templates/secrets.yaml
index 829f5c70..b296c04a 100644
--- a/chart/brahmsee-digital/templates/secrets.yaml
+++ b/chart/brahmsee-digital/templates/secrets.yaml
@@ -23,7 +23,7 @@ stringData:
   oidc_issuer: {{ .Values.app.oidc.issuer }}
   oidc_clientId: {{ .Values.app.oidc.clientId }}
   oidc_clientSecret: {{ .Values.app.oidc.clientSecret }}
-  oidc_allowInsecure: {{ .Values.app.oidc.allowInsecure }}
+  oidc_allowInsecure: {{ .Values.app.oidc.allowInsecure | quote }}
 ---
 apiVersion: v1
 kind: Secret

From ce3e604d26d7a6e4ea782dc98713ee538aed982d Mon Sep 17 00:00:00 2001
From: Axel Rindle <axel@rindle.dev>
Date: Fri, 6 Feb 2026 11:05:34 +0100
Subject: [PATCH 2/7] fix: install openssl

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 2251e120..bfe04bad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM node:22.20.0-alpine3.22  AS workspace-base
 
-RUN apk add --no-cache bash curl jq
+RUN apk add --no-cache bash curl jq openssl
 
 RUN export COREPACK_INTEGRITY_KEYS="$(curl https://registry.npmjs.org/-/npm/v1/keys | jq -c '{npm: .keys}')"
 

From 55a8915f3a88dcf11236a03bf0c0d300be24acd8 Mon Sep 17 00:00:00 2001
From: Axel Rindle <axel@rindle.dev>
Date: Fri, 6 Feb 2026 11:19:42 +0100
Subject: [PATCH 3/7] fix: coerce boolean

---
 apps/api/src/config.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/api/src/config.ts b/apps/api/src/config.ts
index d6b7558d..4fdff314 100644
--- a/apps/api/src/config.ts
+++ b/apps/api/src/config.ts
@@ -47,7 +47,7 @@ export const configSchema = z.strictObject({
           }
           return trimmed
         }),
-      allowInsecure: z.boolean(),
+      allowInsecure: z.coerce.boolean(),
     }),
   }),
 

From 3510dae8259e90d956d72a5be5cc25106aac79ae Mon Sep 17 00:00:00 2001
From: Axel Rindle <axel@rindle.dev>
Date: Fri, 6 Feb 2026 11:29:50 +0100
Subject: [PATCH 4/7] fix: tweak ingress routes

---
 chart/brahmsee-digital/templates/ingress.yaml | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

diff --git a/chart/brahmsee-digital/templates/ingress.yaml b/chart/brahmsee-digital/templates/ingress.yaml
index e124f8b6..6969f669 100644
--- a/chart/brahmsee-digital/templates/ingress.yaml
+++ b/chart/brahmsee-digital/templates/ingress.yaml
@@ -23,30 +23,16 @@ spec:
     certResolver: default
   routes:
   {{- range .Values.global.ingress.hosts }}
-    - match:  Host(`{{ . }}`) && PathPrefix(`/`)
-      kind: Rule
-      services:
-        - name: {{ $.Chart.Name }}-app-svc
-          port: 80
-    - match:  Host(`{{ . }}`) && PathPrefix(`/api/connect`)
-      kind: Rule
-      services:
-        - name: {{ $.Chart.Name }}-app-svc
-          port: 80
-      middlewares:
-        - name: stripapiprefix
-    - match:  Host(`{{ . }}`) && PathPrefix(`/api/export`)
+    - match:  Host(`{{ . }}`) && PathPrefix(`/api`)
       kind: Rule
       services:
         - name: {{ $.Chart.Name }}-app-svc
           port: 80
       middlewares:
         - name: stripapiprefix
-    - match:  Host(`{{ . }}`) && PathPrefix(`/api/upload`)
+    - match:  Host(`{{ . }}`) && PathPrefix(`/`)
       kind: Rule
       services:
         - name: {{ $.Chart.Name }}-app-svc
           port: 80
-      middlewares:
-        - name: stripapiprefix
   {{- end }}

From 4458a68f2d354f2a2cf14619b1b382702f4d6fc1 Mon Sep 17 00:00:00 2001
From: Axel Rindle <axel@rindle.dev>
Date: Fri, 6 Feb 2026 11:52:41 +0100
Subject: [PATCH 5/7] fix: restore original /connect path

---
 apps/api/src/routes/oidc/index.ts       | 4 ++--
 apps/api/src/server.ts                  | 2 +-
 apps/frontend/src/views/Login/Login.vue | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/routes/oidc/index.ts b/apps/api/src/routes/oidc/index.ts
index eed98eaa..ceeb1765 100644
--- a/apps/api/src/routes/oidc/index.ts
+++ b/apps/api/src/routes/oidc/index.ts
@@ -31,7 +31,7 @@ oidcRouter.get('/dlrg/callback', async (c) => {
     config.authentication.dlrg.clientSecret === undefined
       ? oauth.None()
       : oauth.ClientSecretPost(config.authentication.dlrg.clientSecret)
-  const redirect_uri = `${config.clientUrl}/api/oidc/dlrg/callback`
+  const redirect_uri = `${config.clientUrl}/api/connect/dlrg/callback`
   const currentUrl: URL = new URL(c.req.url, config.clientUrl)
   const params = oauth.validateAuthResponse(as, client, currentUrl)
 
@@ -144,7 +144,7 @@ oidcRouter.get('/dlrg/login', async (c) => {
   const as = await oauth.processDiscoveryResponse(issuer, discoveryRequestResponse)
   const authorizationUrl = new URL(as.authorization_endpoint!)
 
-  const redirectUri = new URL('/api/oidc/dlrg/callback', config.clientUrl)
+  const redirectUri = new URL('/api/connect/dlrg/callback', config.clientUrl)
   const registerAs = c.req.query('as')?.trim()
   if (registerAs !== undefined && registerAs?.length > 0) {
     redirectUri.searchParams.set('as', registerAs)
diff --git a/apps/api/src/server.ts b/apps/api/src/server.ts
index 3cce184b..88a59442 100644
--- a/apps/api/src/server.ts
+++ b/apps/api/src/server.ts
@@ -55,7 +55,7 @@ const app = makeApp()
   .route('/export', routes.exportRouter)
   .route('/import', routes.importRouter)
   .route('/file', routes.fileRouter)
-  .route('/oidc', routes.oidcRouter)
+  .route('/connect', routes.oidcRouter)
 
 const server = serve({
   fetch: app.fetch,
diff --git a/apps/frontend/src/views/Login/Login.vue b/apps/frontend/src/views/Login/Login.vue
index ba523aeb..f632577e 100644
--- a/apps/frontend/src/views/Login/Login.vue
+++ b/apps/frontend/src/views/Login/Login.vue
@@ -54,7 +54,7 @@ const formatLoginError = computed(() => {
 
 const version = `${import.meta.env.VITE_APP_VERSION || 'unknown'}-${import.meta.env.VITE_APP_COMMIT_HASH || 'unknown'}`
 
-const oauthHref = `/api/oidc/dlrg/login`
+const oauthHref = `/api/connect/dlrg/login`
 </script>
 
 <template>

From d6ea9be790c2a39af45a4db917879acd9252dc8f Mon Sep 17 00:00:00 2001
From: Axel Rindle <axel@rindle.dev>
Date: Fri, 6 Feb 2026 12:12:37 +0100
Subject: [PATCH 6/7] fix: index.html fallback and api routing

---
 apps/api/src/server.ts                        | 19 ++++++++++++++-----
 apps/frontend/vite.config.js                  |  1 -
 chart/brahmsee-digital/templates/ingress.yaml | 19 +------------------
 3 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/apps/api/src/server.ts b/apps/api/src/server.ts
index 88a59442..d7319e59 100644
--- a/apps/api/src/server.ts
+++ b/apps/api/src/server.ts
@@ -13,6 +13,8 @@ import { logger as appLogger } from './logger.js'
 import * as routes from './routes/index.js'
 import { makeApp } from './util/make-app.js'
 
+const staticRoot = resolve('./static')
+
 const app = makeApp()
   .use(async (c, next) => {
     // generic error handler
@@ -46,16 +48,23 @@ const app = makeApp()
       createContext,
     })
   )
+  .route('/api/export', routes.exportRouter)
+  .route('/api/import', routes.importRouter)
+  .route('/api/file', routes.fileRouter)
+  .route('/api/connect', routes.oidcRouter)
   .use(
     serveStatic({
-      root: resolve('./static'),
+      root: staticRoot,
       rewriteRequestPath: (p) => p.replace(/^\/static/, '/'),
     })
   )
-  .route('/export', routes.exportRouter)
-  .route('/import', routes.importRouter)
-  .route('/file', routes.fileRouter)
-  .route('/connect', routes.oidcRouter)
+  // fallback to index.html for client-side routing
+  .use(
+    serveStatic({
+      root: staticRoot,
+      rewriteRequestPath: () => '/index.html',
+    })
+  )
 
 const server = serve({
   fetch: app.fetch,
diff --git a/apps/frontend/vite.config.js b/apps/frontend/vite.config.js
index 46b6240c..ce1d92a5 100644
--- a/apps/frontend/vite.config.js
+++ b/apps/frontend/vite.config.js
@@ -18,7 +18,6 @@ export default defineConfig({
     proxy: {
       '/api': {
         target: 'http://127.0.0.1:3030',
-        rewrite: (path) => path.replace(/^\/api/, ''),
         ws: true,
       },
     },
diff --git a/chart/brahmsee-digital/templates/ingress.yaml b/chart/brahmsee-digital/templates/ingress.yaml
index 6969f669..0ee1b25d 100644
--- a/chart/brahmsee-digital/templates/ingress.yaml
+++ b/chart/brahmsee-digital/templates/ingress.yaml
@@ -1,18 +1,8 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: stripapiprefix
-  labels:
-    {{- include "codeanker.label" . | indent 4 }}
-spec:
-  stripPrefix:
-    prefixes:
-      - /api
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: ingressroutestripprefix
+  name: {{ .Chart.Name }}-ingress
   labels:
     {{- include "codeanker.label" . | indent 4 }}
 spec:
@@ -23,13 +13,6 @@ spec:
     certResolver: default
   routes:
   {{- range .Values.global.ingress.hosts }}
-    - match:  Host(`{{ . }}`) && PathPrefix(`/api`)
-      kind: Rule
-      services:
-        - name: {{ $.Chart.Name }}-app-svc
-          port: 80
-      middlewares:
-        - name: stripapiprefix
     - match:  Host(`{{ . }}`) && PathPrefix(`/`)
       kind: Rule
       services:

From 8531fd06415441208b3d5de9f421acade5bb0c53 Mon Sep 17 00:00:00 2001
From: Axel Rindle <axel@rindle.dev>
Date: Fri, 6 Feb 2026 12:25:44 +0100
Subject: [PATCH 7/7] fix: route protection

---
 apps/api/src/routes/exports/index.ts          |  9 ++-
 .../routes/exports/middleware/authorize.ts    | 74 +++++++++++++++++++
 apps/api/src/routes/exports/photos.archive.ts | 14 ++--
 apps/api/src/routes/exports/sheets.schema.ts  | 53 -------------
 .../exports/teilnehmendenliste.sheet.ts       | 13 +---
 .../src/routes/exports/verpflegung.sheet.ts   | 13 +---
 apps/api/src/routes/imports/index.ts          |  9 +--
 7 files changed, 95 insertions(+), 90 deletions(-)
 create mode 100644 apps/api/src/routes/exports/middleware/authorize.ts

diff --git a/apps/api/src/routes/exports/index.ts b/apps/api/src/routes/exports/index.ts
index 5ae64bed..54b550f9 100644
--- a/apps/api/src/routes/exports/index.ts
+++ b/apps/api/src/routes/exports/index.ts
@@ -1,12 +1,13 @@
 import { makeApp } from '../../util/make-app.js'
+import { authorize } from './middleware/authorize.js'
 import { veranstaltungPhotoArchive } from './photos.archive.js'
 import { veranstaltungTeilnehmendenliste } from './teilnehmendenliste.sheet.js'
 import { veranstaltungVerpflegung } from './verpflegung.sheet.js'
 
 const exportRouter = makeApp()
-
-exportRouter.get('/sheet/teilnehmendenliste', veranstaltungTeilnehmendenliste)
-exportRouter.get('/sheet/verpflegung', veranstaltungVerpflegung)
-exportRouter.get('/archive/photos', veranstaltungPhotoArchive)
+  .use(authorize)
+  .get('/sheet/teilnehmendenliste', veranstaltungTeilnehmendenliste)
+  .get('/sheet/verpflegung', veranstaltungVerpflegung)
+  .get('/archive/photos', veranstaltungPhotoArchive)
 
 export { exportRouter }
diff --git a/apps/api/src/routes/exports/middleware/authorize.ts b/apps/api/src/routes/exports/middleware/authorize.ts
new file mode 100644
index 00000000..d411eb61
--- /dev/null
+++ b/apps/api/src/routes/exports/middleware/authorize.ts
@@ -0,0 +1,74 @@
+import type { Context } from 'hono'
+import { createMiddleware } from 'hono/factory'
+import { zodSafe } from '../../../util/zod.js'
+import { sheetQuerySchema } from '../sheets.schema.js'
+import { getEntityIdFromHeader } from '../../../authentication.js'
+import prisma from '../../../prisma.js'
+import { Role, type Gliederung } from '@prisma/client'
+import { getGliederungRequireAdmin } from '../../../util/getGliederungRequireAdmin.js'
+
+export type AuthorizeResults = Exclude<Awaited<ReturnType<typeof sheetAuthorize>>, false>
+
+export const authorize = createMiddleware<{
+  Variables: AuthorizeResults
+}>(async (ctx, next) => {
+  const authorization = await sheetAuthorize(ctx)
+  if (!authorization) {
+    return ctx.text('Unauthorized', 401)
+  }
+
+  const { query, account, gliederung } = authorization
+
+  ctx.set('query', query)
+  ctx.set('account', account)
+  ctx.set('gliederung', gliederung)
+
+  await next()
+})
+
+async function sheetAuthorize(ctx: Context) {
+  const [success, query] = await zodSafe(sheetQuerySchema, ctx.req.query())
+  if (!success) {
+    ctx.status(400)
+    return false
+  }
+
+  const accountId = getEntityIdFromHeader(`Bearer ${query.jwt}`)
+  if (typeof accountId !== 'string') {
+    ctx.status(401)
+    return false
+  }
+
+  const account = await prisma.account.findUnique({
+    where: {
+      id: accountId,
+    },
+    select: {
+      role: true,
+      person: {
+        select: {
+          firstname: true,
+          lastname: true,
+        },
+      },
+    },
+  })
+
+  if (account == null) {
+    ctx.status(401)
+    return false
+  }
+
+  let gliederung: Gliederung | undefined = undefined
+  if (account.role == Role.GLIEDERUNG_ADMIN) {
+    try {
+      gliederung = await getGliederungRequireAdmin(accountId)
+      // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    } catch (error) {
+      ctx.status(401)
+      return false
+    }
+  }
+
+  return { query, account, gliederung }
+}
diff --git a/apps/api/src/routes/exports/photos.archive.ts b/apps/api/src/routes/exports/photos.archive.ts
index a0a7bc99..e5d22e82 100644
--- a/apps/api/src/routes/exports/photos.archive.ts
+++ b/apps/api/src/routes/exports/photos.archive.ts
@@ -3,15 +3,16 @@ import XLSX from '@e965/xlsx'
 import type { Gliederung } from '@prisma/client'
 import { TRPCError } from '@trpc/server'
 import archiver from 'archiver'
+import type { Context } from 'hono'
 import { stream } from 'hono/streaming'
 import mime from 'mime'
 import { Readable } from 'node:stream'
 import { z } from 'zod'
 import prisma from '../../prisma.js'
 import { openFileStream } from '../../services/file/helpers/getFileUrl.js'
-import type { AppContext } from '../../util/make-app.js'
 import { getSecurityWorksheet } from './helpers/getSecurityWorksheet.js'
-import { sheetAuthorize, type SheetQuery } from './sheets.schema.js'
+import type { AuthorizeResults } from './middleware/authorize.js'
+import { type SheetQuery } from './sheets.schema.js'
 
 const querySchema = z.object({
   mode: z.enum(['group', 'flat']),
@@ -104,13 +105,8 @@ function buildSheet(
 
 const baseDirectory = 'Fotos'
 
-export async function veranstaltungPhotoArchive(ctx: AppContext) {
-  const authorization = await sheetAuthorize(ctx)
-  if (!authorization) {
-    return
-  }
-
-  const { query, gliederung, account } = authorization
+export async function veranstaltungPhotoArchive(ctx: Context<{ Variables: AuthorizeResults }>) {
+  const { query, account, gliederung } = ctx.var
   const { mode } = querySchema.parse(ctx.req.query())
 
   if (mode === 'flat' && account.role !== 'ADMIN') {
diff --git a/apps/api/src/routes/exports/sheets.schema.ts b/apps/api/src/routes/exports/sheets.schema.ts
index c3b4ff3d..6b46ed08 100644
--- a/apps/api/src/routes/exports/sheets.schema.ts
+++ b/apps/api/src/routes/exports/sheets.schema.ts
@@ -1,10 +1,4 @@
-import { Role, type Gliederung } from '@prisma/client'
-import type { Context } from 'hono'
 import { z } from 'zod'
-import { getEntityIdFromHeader } from '../../authentication.js'
-import prisma from '../../prisma.js'
-import { getGliederungRequireAdmin } from '../../util/getGliederungRequireAdmin.js'
-import { zodSafe } from '../../util/zod.js'
 
 export const sheetQuerySchema = z
   .object({
@@ -17,50 +11,3 @@ export const sheetQuerySchema = z
   })
 
 export type SheetQuery = z.infer<typeof sheetQuerySchema>
-
-export async function sheetAuthorize(ctx: Context) {
-  const [success, query] = await zodSafe(sheetQuerySchema, ctx.req.query())
-  if (!success) {
-    ctx.status(400)
-    return false
-  }
-
-  const accountId = getEntityIdFromHeader(`Bearer ${query.jwt}`)
-  if (typeof accountId !== 'string') {
-    ctx.status(401)
-    return false
-  }
-
-  const account = await prisma.account.findUnique({
-    where: {
-      id: accountId,
-    },
-    select: {
-      role: true,
-      person: {
-        select: {
-          firstname: true,
-          lastname: true,
-        },
-      },
-    },
-  })
-
-  if (account == null) {
-    ctx.status(401)
-    return false
-  }
-
-  let gliederung: Gliederung | undefined = undefined
-  if (account.role == Role.GLIEDERUNG_ADMIN) {
-    try {
-      gliederung = await getGliederungRequireAdmin(accountId)
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    } catch (error) {
-      ctx.status(401)
-      return false
-    }
-  }
-
-  return { query, account, gliederung }
-}
diff --git a/apps/api/src/routes/exports/teilnehmendenliste.sheet.ts b/apps/api/src/routes/exports/teilnehmendenliste.sheet.ts
index 517b5e6f..f7465cea 100644
--- a/apps/api/src/routes/exports/teilnehmendenliste.sheet.ts
+++ b/apps/api/src/routes/exports/teilnehmendenliste.sheet.ts
@@ -1,18 +1,13 @@
 import XLSX from '@e965/xlsx'
 import dayjs from 'dayjs'
+import type { Context } from 'hono'
 import { AnmeldungStatusMapping, GenderMapping } from '../../client.js'
 import prisma from '../../prisma.js'
 import { getSecurityWorksheet } from './helpers/getSecurityWorksheet.js'
-import { sheetAuthorize } from './sheets.schema.js'
-import type { Context } from 'hono'
-
-export async function veranstaltungTeilnehmendenliste(ctx: Context) {
-  const authorization = await sheetAuthorize(ctx)
-  if (!authorization) {
-    return
-  }
+import type { AuthorizeResults } from './middleware/authorize.js'
 
-  const { query, account, gliederung } = authorization
+export async function veranstaltungTeilnehmendenliste(ctx: Context<{ Variables: AuthorizeResults }>) {
+  const { query, account, gliederung } = ctx.var
 
   const anmeldungenList = await prisma.anmeldung.findMany({
     where: {
diff --git a/apps/api/src/routes/exports/verpflegung.sheet.ts b/apps/api/src/routes/exports/verpflegung.sheet.ts
index ed8a2589..22eb063b 100644
--- a/apps/api/src/routes/exports/verpflegung.sheet.ts
+++ b/apps/api/src/routes/exports/verpflegung.sheet.ts
@@ -1,19 +1,14 @@
+import XLSX from '@e965/xlsx'
 import { AnmeldungStatus, Essgewohnheit, NahrungsmittelIntoleranz } from '@prisma/client'
 import dayjs from 'dayjs'
 import type { Context } from 'hono'
-import XLSX from '@e965/xlsx'
 import prisma from '../../prisma.js'
 import { getSecurityWorksheet } from './helpers/getSecurityWorksheet.js'
 import { getWorkbookDefaultProps } from './helpers/getWorkbookDefaultProps.js'
-import { sheetAuthorize } from './sheets.schema.js'
-
-export async function veranstaltungVerpflegung(ctx: Context) {
-  const authorization = await sheetAuthorize(ctx)
-  if (!authorization) {
-    return
-  }
+import type { AuthorizeResults } from './middleware/authorize.js'
 
-  const { query, account, gliederung } = authorization
+export async function veranstaltungVerpflegung(ctx: Context<{ Variables: AuthorizeResults }>) {
+  const { query, account, gliederung } = ctx.var
 
   const unterveranstaltungen = await prisma.unterveranstaltung.findMany({
     where: {
diff --git a/apps/api/src/routes/imports/index.ts b/apps/api/src/routes/imports/index.ts
index e1c25234..d0eedfeb 100644
--- a/apps/api/src/routes/imports/index.ts
+++ b/apps/api/src/routes/imports/index.ts
@@ -11,14 +11,12 @@ const importRouter = makeApp()
 importRouter.post('/anmeldungen/:unterveranstaltungId', async (ctx) => {
   const authorization = ctx.req.header('Authorization')
   if (!authorization) {
-    ctx.status(401)
-    return
+    return ctx.status(401)
   }
 
   const accountId = getEntityIdFromHeader(authorization)
   if (!accountId) {
-    ctx.status(401)
-    return
+    return ctx.status(401)
   }
 
   const account = await prisma.account.findUnique({
@@ -36,8 +34,7 @@ importRouter.post('/anmeldungen/:unterveranstaltungId', async (ctx) => {
     },
   })
   if (!account || account.role !== Role.ADMIN) {
-    ctx.status(401)
-    return
+    return ctx.status(401)
   }
 
   const body = await ctx.req.parseBody({