F-10/F-11 + Verwaltungsskript

- F-10 Open Redirect: is_safe_url()-Pruefung des next-Parameters beim Login;
  login_required gibt next weiter, Login-Formular traegt es als Hidden-Feld.
  Externe/protokoll-relative Ziele werden ignoriert -> Dashboard.
- F-11 Info-Leak: eigene Fehlerseiten (400/403/404/405/500) ohne Framework-
  Hinweis oder Stacktrace (templates/error.html).
- manage.sh: 'unlock' (Brute-Force-Sperren aufheben) und 'reset-password'
  (Admin-Passwort setzen/zufaellig erzeugen) via docker-compose run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/templates/error.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>{{ code }} — DynDNS Manager</title>
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
+  <link rel="stylesheet" href="{{ url_for('static', filename='css/login.css') }}">
+</head>
+<body class="justify-content-center">
+<div class="login-card text-center">
+  <div class="card shadow">
+    <div class="card-body p-5">
+      <div class="display-4 fw-bold text-primary mb-2">{{ code }}</div>
+      <p class="text-muted mb-4">{{ message }}</p>
+      <a href="{{ url_for('dashboard') }}" class="btn btn-primary">Zur Startseite</a>
+    </div>
+  </div>
+</div>
+</body>
+</html>

app/templates/login.html

@@ -23,6 +23,7 @@
       {% endwith %}
       <form method="post">
         <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+        <input type="hidden" name="next" value="{{ request.args.get('next', '') }}">
         <div class="mb-3">
           <label class="form-label fw-semibold">Benutzername</label>
           <input name="username" type="text" class="form-control" autofocus required>