chore(env): JWT_EXPIRES_IN 15m + JWT_REFRESH_EXPIRES_IN dokumentieren

Folge-Aufräumen zur Refresh-Cookie-Migration: - .env.example: JWT_EXPIRES_IN von 7d auf 15m (Access-Token-Lifetime), neue JWT_REFRESH_EXPIRES_IN=7d. Kommentar erklärt das Access-/Refresh- Pattern (Memory vs. httpOnly-Cookie, transparenter Refresh). - docker-compose.yml: durchreichen + Default mit 15m statt 7d, plus JWT_REFRESH_EXPIRES_IN als neue Variable. Bestandsinstallationen mit altem JWT_EXPIRES_IN=7d in der .env funktionieren weiter (die Variable überschreibt den Default), aber bei neuen Setups ist sofort der Branchenstandard aktiv. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(gdpr): processedBy aus useAuth statt totem localStorage('user')
2026-05-16 16:53:40 +02:00 · 2026-05-16 16:51:02 +02:00
3 changed files with 14 additions and 4 deletions
@@ -36,8 +36,16 @@ DATABASE_URL=mysql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}

 # ============== SECURITY ==============
 # JWT-Secret: min. 32 Zeichen. Generieren: openssl rand -hex 64
+# Wird sowohl für Access- als auch Refresh-Token verwendet.
 JWT_SECRET=change-this-to-a-very-long-random-secret-please-rotate-before-production
-JWT_EXPIRES_IN=7d
+
+# Access-/Refresh-Token-Lifetimes
+# - Access-Token: kurzlebig, lebt nur im Browser-Memory (XSS-Schutz)
+# - Refresh-Token: lang, im httpOnly-Cookie (JS-unzugänglich)
+# Wenn der Access abläuft, holt das Frontend transparent einen neuen über
+# /api/auth/refresh – User merkt nichts. Logout invalidiert beide sofort.
+JWT_EXPIRES_IN=15m
+JWT_REFRESH_EXPIRES_IN=7d

 # Encryption-Key für Portal-Credentials: GENAU 64 Hex-Zeichen.
 # Generieren: openssl rand -hex 32
@@ -59,7 +59,8 @@ services:
      DB_USER: ${DB_USER}
      DB_PASSWORD: ${DB_PASSWORD}
      JWT_SECRET: ${JWT_SECRET}
-      JWT_EXPIRES_IN: ${JWT_EXPIRES_IN:-7d}
+      JWT_EXPIRES_IN: ${JWT_EXPIRES_IN:-15m}
+      JWT_REFRESH_EXPIRES_IN: ${JWT_REFRESH_EXPIRES_IN:-7d}
      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
      NODE_ENV: production
      PORT: 3001
@@ -8,6 +8,7 @@ import Button from '../../components/ui/Button';
 import Select from '../../components/ui/Select';
 import { ArrowLeft, FileText, Users, CheckCircle, Clock, XCircle, AlertTriangle, Download, X, ChevronRight } from 'lucide-react';
 import { fileUrl } from '../../utils/fileUrl';
+import { useAuth } from '../../context/AuthContext';

 const STATUS_OPTIONS = [
  { value: '', label: 'Alle Status' },
@@ -155,6 +156,7 @@ function ProcessModal({ request, onClose, onProcess, isPending }: ProcessModalPr
 export default function GDPRDashboard() {
  const navigate = useNavigate();
  const queryClient = useQueryClient();
+  const { user } = useAuth();
  const [statusFilter, setStatusFilter] = useState<DeletionRequestStatus | ''>('');
  const [selectedRequest, setSelectedRequest] = useState<DataDeletionRequest | null>(null);

@@ -191,11 +193,10 @@ export default function GDPRDashboard() {

  const handleProcess = (action: 'complete' | 'partial' | 'reject', reason?: string) => {
    if (!selectedRequest) return;
-    const user = JSON.parse(localStorage.getItem('user') || '{}');
    processMutation.mutate({
      id: selectedRequest.id,
      data: {
-        processedBy: user.email || 'System',
+        processedBy: user?.email || 'System',
        action,
        retentionReason: reason,
      },