Hallo {_ename},
willkommen bei Ban Yaro! Bitte bestätige deine E-Mail-Adresse, damit dein Konto aktiv wird.
Der Link ist 7 Tage gültig.
Falls du dich nicht bei Ban Yaro registriert hast, ignoriere diese E-Mail einfach.
""" html = email_html(body_html, cta_url=url, cta_label="E-Mail bestätigen") plain = f"Hallo {name},\n\nbitte bestätige deine E-Mail:\n{url}\n\nLink ist 7 Tage gültig.\n" try: _send_smtp(email, subject, plain, "support", html=html) except Exception: pass # Nicht blockieren wenn SMTP fehlschlägt class LoginRequest(BaseModel): email: EmailStr password: str class RegisterRequest(BaseModel): email: EmailStr password: str name: str ref_code: Optional[str] = None def _gen_referral_code() -> str: alphabet = string.ascii_uppercase + string.digits return ''.join(secrets.choice(alphabet) for _ in range(8)) def _set_cookie(response: Response, token: str): response.set_cookie( key=COOKIE_NAME, value=token, httponly=True, secure=True, samesite="lax", max_age=30 * 24 * 3600 ) @router.post("/register") async def register(data: RegisterRequest, response: Response, request: Request): rl_check(request, max_requests=5, window_seconds=3600, key="register") name = data.name.strip() if len(name) < 2: raise HTTPException(400, "Benutzername muss mindestens 2 Zeichen lang sein.") if len(name) > 40: raise HTTPException(400, "Benutzername darf maximal 40 Zeichen lang sein.") if ' ' in name: raise HTTPException(400, "Benutzername darf keine Leerzeichen enthalten.") if is_username_blocked(name): raise HTTPException(400, "Dieser Benutzername ist nicht erlaubt.") if len(data.password) < 8: raise HTTPException(400, "Passwort muss mindestens 8 Zeichen lang sein.") with db() as conn: if conn.execute("SELECT 1 FROM users WHERE email=?", (data.email,)).fetchone(): raise HTTPException(400, "E-Mail bereits registriert.") if conn.execute( "SELECT 1 FROM users WHERE name=? COLLATE NOCASE", (name,) ).fetchone(): raise HTTPException(400, "Dieser Name ist bereits vergeben. Bitte wähle einen anderen.") code = _gen_referral_code() verify_token = secrets.token_urlsafe(32) try: conn.execute( "INSERT INTO users (email, pw_hash, name, referral_code, verification_token) VALUES (?,?,?,?,?)", (data.email, hash_password(data.password), name, code, verify_token) ) except Exception: raise HTTPException(400, "Dieser Name ist bereits vergeben. Bitte wähle einen anderen.") user = conn.execute( "SELECT id, rolle FROM users WHERE email=?", (data.email,) ).fetchone() new_user_id = user["id"] if data.ref_code: code_upper = data.ref_code.strip().upper() # Zuerst prüfen ob es ein Partner-Code ist partner = conn.execute( "SELECT id, grants_founder, max_uses, uses FROM partner_codes WHERE code=?", (code_upper,) ).fetchone() if partner: # Nur einlösen wenn max_uses nicht erreicht if partner["max_uses"] is None or partner["uses"] < partner["max_uses"]: conn.execute( "UPDATE partner_codes SET uses=uses+1 WHERE id=?", (partner["id"],) ) updates = {"referred_by": -partner["id"]} if partner["grants_founder"]: total_founders = conn.execute( "SELECT COUNT(*) FROM users WHERE is_founder=1" ).fetchone()[0] if total_founders < 100: # Pending — wird nach erstem Hunde-Profil mit Plausibilitätsprüfung aktiviert updates["is_founder_pending"] = 1 set_clause = ", ".join(f"{k}=?" for k in updates) conn.execute( f"UPDATE users SET {set_clause} WHERE id=?", (*updates.values(), new_user_id) ) else: # Fallback: Referral-Code eines anderen Users referrer = conn.execute( "SELECT id FROM users WHERE referral_code=? AND id != ?", (code_upper, new_user_id) ).fetchone() if referrer: conn.execute("UPDATE users SET referred_by=? WHERE id=?", (referrer['id'], new_user_id)) _send_verification_email(data.email, name, verify_token) return {"pending_verification": True} @router.post("/login") async def login(data: LoginRequest, response: Response, request: Request): rl_check(request, max_requests=10, window_seconds=300, key="login") rl_check(request, max_requests=5, window_seconds=300, key=f"login_email:{data.email.lower()}") if is_account_locked(data.email): raise HTTPException(429, "Zu viele Fehlversuche. Bitte warte 15 Minuten und versuche es erneut.") with db() as conn: user = conn.execute( "SELECT id, pw_hash, name, rolle, is_premium, email_verified FROM users WHERE email=?", (data.email,) ).fetchone() if not user or not verify_password(data.password, user["pw_hash"]): record_login_failure(data.email) raise HTTPException(401, "E-Mail oder Passwort falsch.") if not user["email_verified"]: raise HTTPException(403, "EMAIL_NOT_VERIFIED") clear_login_failures(data.email) token = create_token(user["id"], user["rolle"]) _set_cookie(response, token) with db() as conn: conn.execute( "UPDATE users SET last_login=datetime('now') WHERE id=?", (user["id"],) ) return {"token": token, "name": user["name"], "is_premium": bool(user["is_premium"])} @router.post("/logout") async def logout(response: Response): response.delete_cookie(COOKIE_NAME) return {"ok": True} _REFERRAL_TIERS = [ (50, 50), (20, 30), (10, 20), ] def _referral_tier(count: int): for threshold, discount in _REFERRAL_TIERS: if count >= threshold: return discount return 0 def _referral_next(count: int): for threshold, discount in reversed(_REFERRAL_TIERS): if count < threshold: return {"count": threshold, "discount": discount} return None # Maximalstufe erreicht @router.get("/referral") async def get_referral_info(user=Depends(get_current_user)): with db() as conn: row = conn.execute( """SELECT referral_code, COALESCE((SELECT COUNT(*) FROM users WHERE referred_by=?), 0) AS count FROM users WHERE id=?""", (user['id'], user['id']) ).fetchone() code = row["referral_code"] if row else None if not code: code = _gen_referral_code() conn.execute("UPDATE users SET referral_code=? WHERE id=?", (code, user['id'])) count = row["count"] if row else 0 base = os.getenv("APP_URL", "https://banyaro.app") return { "code": code, "count": count, "link": f"{base}/?ref={code}", "discount_pct": _referral_tier(count), "next_tier": _referral_next(count), } @router.get("/me") async def me(user=Depends(get_current_user)): with db() as conn: row = conn.execute( """SELECT id, name, real_name, email, rolle, is_premium, email_verified, bio, wohnort, erfahrung, social_link, profil_sichtbarkeit, avatar_url, created_at, is_founder, is_partner, founder_number, is_founder_pending, notes_ki_enabled, gassi_stunde_push, preferred_theme FROM users WHERE id=?""", (user["id"],) ).fetchone() if not row: raise HTTPException(404, "User nicht gefunden.") data = dict(row) data["is_premium"] = bool(data["is_premium"]) return data @router.get("/verify-email/{token}") async def verify_email(token: str): with db() as conn: row = conn.execute( "SELECT id, email_verified FROM users WHERE verification_token=?", (token,) ).fetchone() if not row: return RedirectResponse(f"{_APP_URL}/#settings?verified=error", status_code=302) conn.execute( "UPDATE users SET email_verified=1, verification_token=NULL WHERE id=?", (row["id"],) ) return RedirectResponse(f"{_APP_URL}/#settings?verified=1", status_code=302) class ResendVerificationRequest(BaseModel): email: EmailStr @router.post("/resend-verification") async def resend_verification(data: ResendVerificationRequest, request: Request): rl_check(request, max_requests=3, window_seconds=3600, key=f"resend_verify_{data.email}") with db() as conn: row = conn.execute( "SELECT id, name, email_verified FROM users WHERE email=?", (data.email,) ).fetchone() if not row or row["email_verified"]: return {"ok": True} token = secrets.token_urlsafe(32) with db() as conn: conn.execute( "UPDATE users SET verification_token=? WHERE id=?", (token, row["id"]) ) _send_verification_email(data.email, row["name"], token) return {"ok": True} class ForgotPasswordRequest(BaseModel): email: EmailStr class ResetPasswordRequest(BaseModel): token: str password: str @router.post("/forgot-password") async def forgot_password(data: ForgotPasswordRequest, request: Request): rl_check(request, max_requests=3, window_seconds=3600, key="forgot_pw") with db() as conn: user = conn.execute( "SELECT id, name FROM users WHERE email=?", (data.email,) ).fetchone() # Immer OK zurückgeben — kein User-Enumeration if user: token = secrets.token_urlsafe(32) expires = (datetime.utcnow() + timedelta(hours=2)).isoformat() with db() as conn: conn.execute( "UPDATE users SET password_reset_token=?, password_reset_expires=? WHERE id=?", (token, expires, user["id"]) ) import html as _html app_url = os.getenv("APP_URL", "https://banyaro.app") url = f"{app_url}/#reset-password?token={token}" subject = "Ban Yaro — Passwort zurücksetzen" from routes.outreach import _send_smtp from mailer import email_html _ename = _html.escape(user['name']) body_html = f"""Hallo {_ename},
du hast eine Passwort-Zurücksetzen-Anfrage gestellt. Klicke auf den Button, um ein neues Passwort zu setzen.
Der Link ist 2 Stunden gültig.
Falls du keine Anfrage gestellt hast, ignoriere diese E-Mail einfach.
""" html = email_html(body_html, cta_url=url, cta_label="Passwort zurücksetzen") plain = f"Hallo {user['name']},\n\nPasswort zurücksetzen:\n{url}\n\nLink ist 2h gültig.\n" try: _send_smtp(data.email, subject, plain, "support", html=html) except Exception: pass return {"ok": True} @router.post("/reset-password") async def reset_password(data: ResetPasswordRequest, request: Request): rl_check(request, max_requests=5, window_seconds=3600, key="reset_pw") if len(data.password) < 8: raise HTTPException(400, "Passwort muss mindestens 8 Zeichen lang sein.") with db() as conn: user = conn.execute( "SELECT id, password_reset_expires FROM users WHERE password_reset_token=?", (data.token,) ).fetchone() if not user: raise HTTPException(400, "Ungültiger oder abgelaufener Link.") if user["password_reset_expires"] < datetime.utcnow().isoformat(): raise HTTPException(400, "Dieser Link ist abgelaufen. Bitte fordere einen neuen an.") conn.execute( "UPDATE users SET pw_hash=?, password_reset_token=NULL, password_reset_expires=NULL WHERE id=?", (hash_password(data.password), user["id"]) ) return {"ok": True}