chore(ci): Align GH Workflows with Docker SSoT, new paths; minimal SSoT guard; staticAnalysis (#23)

* chore(MP-21): snapshot pre-refactor state (Epic 1) * chore(MP-22): scaffold new repo structure, relocate Docker Compose, move frontend/backend modules, update Makefile; add docs mapping and env template * MP-22 Epic 2: Erfolgreich umgesetzt und verifiziert * MP-23 Epic 3: Gradle/Build Governance zentralisieren * MP-23 Epic 3: Gradle/Build Governance zentralisieren * chore(devops)!: Docker-SSoT (.env) konsolidiert, Compose-Mounts ergänzt, Makefile entfernt - ENV Single Source of Truth - docker/.env.example neu (inkl. REDIS_PASSWORD, Ports, Build-Overrides) - config/.env(.example) als DEPRECATED markiert (Verweis auf docker/.env[.example]) - Docker Compose vereinheitlicht (docker/docker-compose.yaml) - Postgres: zentralen postgresql.conf mounten (../config/postgres/postgresql.conf) und Start mit -c config_file=/etc/postgresql/postgresql.conf - Redis: zentralen redis.conf mounten (../config/redis/redis.conf) und Start via "redis-server … ${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}" - Web-Nginx: ../config/nginx/nginx.prod.conf → /etc/nginx/nginx.conf (ro) - Monitoring: Prometheus/Grafana nutzen ../config/monitoring/* als SSoT - Frontend/DI/Network (MP-23 Grundlage) - :frontend:core:network Modul mit Koin `apiClient` (Ktor + JSON/Retry/Timeout/Logging) - Plattform-Basis-URL-Auflösung (JVM: ENV API_BASE_URL; JS: globalThis.API_BASE_URL / Same-Origin) - Web index.html setzt API_BASE_URL (Query `?apiBaseUrl=…` > Same-Origin > Fallback) - Build/Gradle & Module-Refs - settings.gradle.kts: neue Frontend-/Backend-Pfade bereits inkludiert - Features/Shell: Abhängigkeiten auf :frontend:shared / :frontend:core:* angepasst - Ping-API-Refs auf :backend:services:ping:ping-api vereinheitlicht - Dockerfiles angepasst - backend/infrastructure/gateway/Dockerfile → Tasks/Pfade auf :backend:gateway - backend/services/ping/Dockerfile → Tasks/Pfade auf :backend:services:ping:ping-service - Static Analysis / Guards - config/detekt/detekt.yml hinzugefügt - Leichter Arch-Guard (Frontend) gegen manuelle Authorization-Header vorbereitet - Doku - docs/ARCHITECTURE.md (Struktur, Mapping, Next Steps) ergänzt - docs/adr/README.md angelegt BREAKING CHANGES: - Makefile komplett entfernt (bitte direkt `docker compose` verwenden) - ENV-Quelle ist jetzt docker/.env (statt config/.env oder Root) - Compose-Datei unter docker/docker-compose.yaml (nicht mehr compose.yaml im Repo-Root) Verifikation (lokal): - ENV anlegen: `cp docker/.env.example docker/.env` (Werte anpassen) - Compose prüfen: `docker compose --env-file docker/.env -f docker/docker-compose.yaml config` - Infrastruktur: `docker compose --env-file docker/.env -f docker/docker-compose.yaml -p meldestelle up -d postgres redis keycloak web-app` - Services bauen: `docker compose --env-file docker/.env -f docker/docker-compose.yaml -p meldestelle build api-gateway ping-service --no-cache --progress=plain` Refs: MP-22 (Epic 2), MP-23 (Epic 3) * chore(devops)!: Docker-SSoT (.env) konsolidiert, Compose-Mounts ergänzt, Makefile entfernt - ENV Single Source of Truth - docker/.env.example neu (inkl. REDIS_PASSWORD, Ports, Build-Overrides) - config/.env(.example) als DEPRECATED markiert (Verweis auf docker/.env[.example]) - Docker Compose vereinheitlicht (docker/docker-compose.yaml) - Postgres: zentralen postgresql.conf mounten (../config/postgres/postgresql.conf) und Start mit -c config_file=/etc/postgresql/postgresql.conf - Redis: zentralen redis.conf mounten (../config/redis/redis.conf) und Start via "redis-server … ${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}" - Web-Nginx: ../config/nginx/nginx.prod.conf → /etc/nginx/nginx.conf (ro) - Monitoring: Prometheus/Grafana nutzen ../config/monitoring/* als SSoT - Frontend/DI/Network (MP-23 Grundlage) - :frontend:core:network Modul mit Koin `apiClient` (Ktor + JSON/Retry/Timeout/Logging) - Plattform-Basis-URL-Auflösung (JVM: ENV API_BASE_URL; JS: globalThis.API_BASE_URL / Same-Origin) - Web index.html setzt API_BASE_URL (Query `?apiBaseUrl=…` > Same-Origin > Fallback) - Build/Gradle & Module-Refs - settings.gradle.kts: neue Frontend-/Backend-Pfade bereits inkludiert - Features/Shell: Abhängigkeiten auf :frontend:shared / :frontend:core:* angepasst - Ping-API-Refs auf :backend:services:ping:ping-api vereinheitlicht - Dockerfiles angepasst - backend/infrastructure/gateway/Dockerfile → Tasks/Pfade auf :backend:gateway - backend/services/ping/Dockerfile → Tasks/Pfade auf :backend:services:ping:ping-service - Static Analysis / Guards - config/detekt/detekt.yml hinzugefügt - Leichter Arch-Guard (Frontend) gegen manuelle Authorization-Header vorbereitet - Doku - docs/ARCHITECTURE.md (Struktur, Mapping, Next Steps) ergänzt - docs/adr/README.md angelegt BREAKING CHANGES: - Makefile komplett entfernt (bitte direkt `docker compose` verwenden) - ENV-Quelle ist jetzt docker/.env (statt config/.env oder Root) - Compose-Datei unter docker/docker-compose.yaml (nicht mehr compose.yaml im Repo-Root) Verifikation (lokal): - ENV anlegen: `cp docker/.env.example docker/.env` (Werte anpassen) - Compose prüfen: `docker compose --env-file docker/.env -f docker/docker-compose.yaml config` - Infrastruktur: `docker compose --env-file docker/.env -f docker/docker-compose.yaml -p meldestelle up -d postgres redis keycloak web-app` - Services bauen: `docker compose --env-file docker/.env -f docker/docker-compose.yaml -p meldestelle build api-gateway ping-service --no-cache --progress=plain` Refs: MP-22 (Epic 2), MP-23 (Epic 3) * chore(devops)!: Docker-SSoT (.env) konsolidiert, Compose-Mounts ergänzt, Makefile entfernt - ENV Single Source of Truth - docker/.env.example neu (inkl. REDIS_PASSWORD, Ports, Build-Overrides) - config/.env(.example) als DEPRECATED markiert (Verweis auf docker/.env[.example]) - Docker Compose vereinheitlicht (docker/docker-compose.yaml) - Postgres: zentralen postgresql.conf mounten (../config/postgres/postgresql.conf) und Start mit -c config_file=/etc/postgresql/postgresql.conf - Redis: zentralen redis.conf mounten (../config/redis/redis.conf) und Start via "redis-server … ${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}" - Web-Nginx: ../config/nginx/nginx.prod.conf → /etc/nginx/nginx.conf (ro) - Monitoring: Prometheus/Grafana nutzen ../config/monitoring/* als SSoT - Frontend/DI/Network (MP-23 Grundlage) - :frontend:core:network Modul mit Koin `apiClient` (Ktor + JSON/Retry/Timeout/Logging) - Plattform-Basis-URL-Auflösung (JVM: ENV API_BASE_URL; JS: globalThis.API_BASE_URL / Same-Origin) - Web index.html setzt API_BASE_URL (Query `?apiBaseUrl=…` > Same-Origin > Fallback) - Build/Gradle & Module-Refs - settings.gradle.kts: neue Frontend-/Backend-Pfade bereits inkludiert - Features/Shell: Abhängigkeiten auf :frontend:shared / :frontend:core:* angepasst - Ping-API-Refs auf :backend:services:ping:ping-api vereinheitlicht - Dockerfiles angepasst - backend/infrastructure/gateway/Dockerfile → Tasks/Pfade auf :backend:gateway - backend/services/ping/Dockerfile → Tasks/Pfade auf :backend:services:ping:ping-service - Static Analysis / Guards - config/detekt/detekt.yml hinzugefügt - Leichter Arch-Guard (Frontend) gegen manuelle Authorization-Header vorbereitet - Doku - docs/ARCHITECTURE.md (Struktur, Mapping, Next Steps) ergänzt - docs/adr/README.md angelegt BREAKING CHANGES: - Makefile komplett entfernt (bitte direkt `docker compose` verwenden) - ENV-Quelle ist jetzt docker/.env (statt config/.env oder Root) - Compose-Datei unter docker/docker-compose.yaml (nicht mehr compose.yaml im Repo-Root) Verifikation (lokal): - ENV anlegen: `cp docker/.env.example docker/.env` (Werte anpassen) - Compose prüfen: `docker compose --env-file docker/.env -f docker/docker-compose.yaml config` - Infrastruktur: `docker compose --env-file docker/.env -f docker/docker-compose.yaml -p meldestelle up -d postgres redis keycloak web-app` - Services bauen: `docker compose --env-file docker/.env -f docker/docker-compose.yaml -p meldestelle build api-gateway ping-service --no-cache --progress=plain` Refs: MP-22 (Epic 2), MP-23 (Epic 3) * chore(ci): Workflows an Docker-SSoT & neue Struktur angepasst, minimaler SSoT-Guard - ssot-guard.yml: Option B (minimal) → `docker compose -f docker/docker-compose.yaml config` als Lint - integration-tests.yml: `./gradlew staticAnalysis` vor Integrationstests - docs-kdoc-sync.yml: Dokka-Task Fallback (dokkaGfmAll || dokkaGfm), YouTrack-Sync nur wenn Script vorhanden - deploy-proxmox.yml: Compose-Pfade auf docker/docker-compose.yaml + `--env-file docker/.env`; Build/Test Schritte vereinheitlicht - ci-main.yml: SSoT-Skripte per `if: hashFiles(...)` guarded, Compose-Lint Fallback; OpenAPI‑Pfad → backend/gateway; ADR‑Pfade → docs/adr/**; `staticAnalysis` in Build integriert - youtrack-sync.yml: unverändert (funktional) Refs: MP-22, MP-23 * chore(ci): Workflows an Docker-SSoT & neue Struktur angepasst, minimaler SSoT-Guard - ssot-guard.yml: Option B (minimal) → `docker compose -f docker/docker-compose.yaml config` als Lint - integration-tests.yml: `./gradlew staticAnalysis` vor Integrationstests - docs-kdoc-sync.yml: Dokka-Task Fallback (dokkaGfmAll || dokkaGfm), YouTrack-Sync nur wenn Script vorhanden - deploy-proxmox.yml: Compose-Pfade auf docker/docker-compose.yaml + `--env-file docker/.env`; Build/Test Schritte vereinheitlicht - ci-main.yml: SSoT-Skripte per `if: hashFiles(...)` guarded, Compose-Lint Fallback; OpenAPI‑Pfad → backend/gateway; ADR‑Pfade → docs/adr/**; `staticAnalysis` in Build integriert - youtrack-sync.yml: unverändert (funktional) Refs: MP-22, MP-23 * fix(ci): create .env from example before validating compose config * fix(ci): update ssot-guard filename (.yaml) and sync workflow state * fixing * fix(webpack): correct sql.js fallback configuration for webpack 5
2025-12-03 12:03:40 +01:00
parent 034892e890
commit 95fe3e0573
365 changed files with 2283 additions and 15142 deletions
@@ -0,0 +1,191 @@
+package at.mocode.clients.authfeature
+
+import at.mocode.shared.core.AppConstants
+import io.ktor.client.call.*
+import io.ktor.client.request.forms.*
+import io.ktor.http.*
+import kotlinx.serialization.Serializable
+
+/**
+ * Data classes for authentication API communication
+ */
+@Serializable
+data class LoginRequest(
+  val username: String,
+  val password: String
+)
+
+@Serializable
+data class LoginResponse(
+  val success: Boolean,
+  val token: String? = null,
+  val message: String? = null,
+  val userId: String? = null,
+  val username: String? = null
+)
+
+/**
+ * HTTP client for authentication API calls
+ */
+class AuthApiClient(
+  // Keycloak Basis-URL (z. B. http://localhost:8180)
+  private val keycloakBaseUrl: String = AppConstants.KEYCLOAK_URL,
+  // Realm-Name in Keycloak
+  private val realm: String = AppConstants.KEYCLOAK_REALM,
+  // Client-ID (Public Client empfohlen für Frontend-Flows)
+  private val clientId: String = AppConstants.KEYCLOAK_CLIENT_ID,
+  // Optional: Client-Secret (nur bei vertraulichen Clients erforderlich)
+  private val clientSecret: String? = null
+) {
+  private val client = AuthenticatedHttpClient.createUnauthenticated()
+
+  /**
+   * Authenticate user with username and password
+   */
+  suspend fun login(username: String, password: String): LoginResponse {
+    val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
+    return try {
+      val response = client.submitForm(
+        url = tokenEndpoint,
+        formParameters = Parameters.build {
+          append("grant_type", "password")
+          append("client_id", clientId)
+          if (!clientSecret.isNullOrBlank()) {
+            append("client_secret", clientSecret)
+          }
+          append("username", username)
+          append("password", password)
+        }
+      ) {
+        // Explicit: URL-encoded Form
+        contentType(ContentType.Application.FormUrlEncoded)
+      }
+
+      if (response.status.isSuccess()) {
+        val kc = response.body<KeycloakTokenResponse>()
+        LoginResponse(
+          success = true,
+          token = kc.access_token,
+          message = null,
+          userId = null,
+          username = username
+        )
+      } else {
+        LoginResponse(
+          success = false,
+          message = "Login fehlgeschlagen: HTTP ${response.status.value}"
+        )
+      }
+    } catch (e: Exception) {
+      LoginResponse(
+        success = false,
+        message = "Verbindungsfehler: ${e.message}"
+      )
+    }
+  }
+
+  /**
+   * Exchange an authorization code (PKCE) for tokens
+   */
+  suspend fun exchangeAuthorizationCode(code: String, codeVerifier: String, redirectUri: String): LoginResponse {
+    val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
+    return try {
+      val response = client.submitForm(
+        url = tokenEndpoint,
+        formParameters = Parameters.build {
+          append("grant_type", "authorization_code")
+          append("client_id", clientId)
+          if (!clientSecret.isNullOrBlank()) {
+            append("client_secret", clientSecret)
+          }
+          append("code", code)
+          append("code_verifier", codeVerifier)
+          append("redirect_uri", redirectUri)
+        }
+      ) {
+        contentType(ContentType.Application.FormUrlEncoded)
+      }
+
+      if (response.status.isSuccess()) {
+        val kc = response.body<KeycloakTokenResponse>()
+        LoginResponse(
+          success = true,
+          token = kc.access_token,
+          message = null
+        )
+      } else {
+        LoginResponse(
+          success = false,
+          message = "Code-Exchange fehlgeschlagen: HTTP ${'$'}{response.status.value}"
+        )
+      }
+    } catch (e: Exception) {
+      LoginResponse(
+        success = false,
+        message = "Code-Exchange Fehler: ${'$'}{e.message}"
+      )
+    }
+  }
+
+  /**
+   * Refresh authentication token
+   */
+  suspend fun refreshToken(refreshToken: String): LoginResponse {
+    val tokenEndpoint = "$keycloakBaseUrl/realms/$realm/protocol/openid-connect/token"
+    return try {
+      val response = client.submitForm(
+        url = tokenEndpoint,
+        formParameters = Parameters.build {
+          append("grant_type", "refresh_token")
+          append("client_id", clientId)
+          if (!clientSecret.isNullOrBlank()) {
+            append("client_secret", clientSecret)
+          }
+          append("refresh_token", refreshToken)
+        }
+      ) {
+        contentType(ContentType.Application.FormUrlEncoded)
+      }
+
+      if (response.status.isSuccess()) {
+        val kc = response.body<KeycloakTokenResponse>()
+        LoginResponse(
+          success = true,
+          token = kc.access_token,
+          message = null
+        )
+      } else {
+        LoginResponse(
+          success = false,
+          message = "Token refresh fehlgeschlagen: HTTP ${response.status.value}"
+        )
+      }
+    } catch (e: Exception) {
+      LoginResponse(
+        success = false,
+        message = "Token refresh Fehler: ${e.message}"
+      )
+    }
+  }
+
+  /**
+   * Logout and invalidate token
+   */
+  suspend fun logout(token: String): Boolean {
+    // Empfehlung: Frontend-seitig Token lokal verwerfen.
+    // Optional könnten hier Keycloak-Endpoints für Token-Revocation aufgerufen werden.
+    return true
+  }
+
+  @Serializable
+  private data class KeycloakTokenResponse(
+    val access_token: String,
+    val expires_in: Long? = null,
+    val refresh_expires_in: Long? = null,
+    val refresh_token: String? = null,
+    val token_type: String? = null,
+    val not_before_policy: Long? = null,
+    val session_state: String? = null,
+    val scope: String? = null
+  )
+}
@@ -0,0 +1,338 @@
+package at.mocode.clients.authfeature
+
+import kotlinx.coroutines.flow.MutableStateFlow
+import kotlinx.coroutines.flow.StateFlow
+import kotlinx.coroutines.flow.asStateFlow
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
+import kotlin.io.encoding.Base64
+import kotlin.io.encoding.ExperimentalEncodingApi
+import kotlin.time.ExperimentalTime
+
+/**
+ * Client-side permission enumeration that mirrors server-side BerechtigungE
+ */
+@Serializable
+enum class Permission {
+  // Person management
+  PERSON_READ,
+  PERSON_CREATE,
+  PERSON_UPDATE,
+  PERSON_DELETE,
+
+  // Club management
+  VEREIN_READ,
+  VEREIN_CREATE,
+  VEREIN_UPDATE,
+  VEREIN_DELETE,
+
+  // Event management
+  VERANSTALTUNG_READ,
+  VERANSTALTUNG_CREATE,
+  VERANSTALTUNG_UPDATE,
+  VERANSTALTUNG_DELETE,
+
+  // Horse management
+  PFERD_READ,
+  PFERD_CREATE,
+  PFERD_UPDATE,
+  PFERD_DELETE
+}
+
+/**
+ * JWT token payload for basic validation and permissions extraction
+ */
+@Serializable
+data class JwtPayload(
+  val sub: String? = null,        // User ID
+  val username: String? = null,   // Username
+  val exp: Long? = null,          // Expiration timestamp
+  val iat: Long? = null,          // Issued at timestamp
+  val iss: String? = null,        // Issuer
+  val permissions: List<String>? = null  // Permissions array
+)
+
+/**
+ * Authentication state
+ */
+data class AuthState(
+  val isAuthenticated: Boolean = false,
+  val token: String? = null,
+  val userId: String? = null,
+  val username: String? = null,
+  val permissions: List<Permission> = emptyList()
+)
+
+/**
+ * Secure in-memory JWT token manager
+ *
+ * For web clients, storing tokens in memory is the most secure approach
+ * to prevent XSS attacks. The token is lost when the browser tab is closed
+ * or refreshed, requiring re-authentication.
+ */
+class AuthTokenManager {
+
+  private var currentToken: String? = null
+  private var tokenPayload: JwtPayload? = null
+
+  private val _authState = MutableStateFlow(AuthState())
+  val authState: StateFlow<AuthState> = _authState.asStateFlow()
+
+  /**
+   * Store JWT token in memory
+   */
+  fun setToken(token: String) {
+    currentToken = token
+    tokenPayload = parseJwtPayload(token)
+
+    // Parse permissions from token payload
+    val permissions = tokenPayload?.permissions?.mapNotNull { permissionString ->
+      try {
+        Permission.valueOf(permissionString)
+      } catch (e: IllegalArgumentException) {
+        // Ignore unknown permissions
+        null
+      }
+    } ?: emptyList()
+
+    _authState.value = AuthState(
+      isAuthenticated = true,
+      token = token,
+      userId = tokenPayload?.sub,
+      username = tokenPayload?.username,
+      permissions = permissions
+    )
+  }
+
+  /**
+   * Get current JWT token
+   */
+  fun getToken(): String? = currentToken
+
+  /**
+   * Check if we have a valid (non-expired) token
+   */
+  @OptIn(ExperimentalTime::class)
+  fun hasValidToken(): Boolean {
+    val token = currentToken ?: return false
+    val payload = tokenPayload ?: return false
+
+    // Check expiration
+    val expiration = payload.exp ?: return false
+    val currentTime = kotlin.time.Clock.System.now().epochSeconds
+
+    return currentTime < expiration
+  }
+
+  /**
+   * Clear token from memory (logout)
+   */
+  fun clearToken() {
+    currentToken = null
+    tokenPayload = null
+
+    _authState.value = AuthState()
+  }
+
+  /**
+   * Get user ID from token
+   */
+  fun getUserId(): String? = tokenPayload?.sub
+
+  /**
+   * Get username from token
+   */
+  fun getUsername(): String? = tokenPayload?.username
+
+  /**
+   * Get current user permissions
+   */
+  fun getPermissions(): List<Permission> = _authState.value.permissions
+
+  /**
+   * Check if user has a specific permission
+   */
+  fun hasPermission(permission: Permission): Boolean {
+    return _authState.value.permissions.contains(permission)
+  }
+
+  /**
+   * Check if user has any of the specified permissions
+   */
+  fun hasAnyPermission(vararg permissions: Permission): Boolean {
+    return permissions.any { _authState.value.permissions.contains(it) }
+  }
+
+  /**
+   * Check if user has all of the specified permissions
+   */
+  fun hasAllPermissions(vararg permissions: Permission): Boolean {
+    return permissions.all { _authState.value.permissions.contains(it) }
+  }
+
+  /**
+   * Check if user can perform read operations
+   */
+  fun canRead(): Boolean {
+    return hasAnyPermission(
+      Permission.PERSON_READ,
+      Permission.VEREIN_READ,
+      Permission.VERANSTALTUNG_READ,
+      Permission.PFERD_READ
+    )
+  }
+
+  /**
+   * Check if user can perform create operations
+   */
+  fun canCreate(): Boolean {
+    return hasAnyPermission(
+      Permission.PERSON_CREATE,
+      Permission.VEREIN_CREATE,
+      Permission.VERANSTALTUNG_CREATE,
+      Permission.PFERD_CREATE
+    )
+  }
+
+  /**
+   * Check if user can perform update operations
+   */
+  fun canUpdate(): Boolean {
+    return hasAnyPermission(
+      Permission.PERSON_UPDATE,
+      Permission.VEREIN_UPDATE,
+      Permission.VERANSTALTUNG_UPDATE,
+      Permission.PFERD_UPDATE
+    )
+  }
+
+  /**
+   * Check if user can perform delete operations (admin-level)
+   */
+  fun canDelete(): Boolean {
+    return hasAnyPermission(
+      Permission.PERSON_DELETE,
+      Permission.VEREIN_DELETE,
+      Permission.VERANSTALTUNG_DELETE,
+      Permission.PFERD_DELETE
+    )
+  }
+
+  /**
+   * Check if user is admin (has delete permissions)
+   */
+  fun isAdmin(): Boolean = canDelete()
+
+  /**
+   * Check if token expires within specified minutes
+   */
+  @OptIn(ExperimentalTime::class)
+  fun isTokenExpiringSoon(minutesThreshold: Int = 5): Boolean {
+    val payload = tokenPayload ?: return false
+    val expiration = payload.exp ?: return false
+    val currentTime = kotlin.time.Clock.System.now().epochSeconds
+    val thresholdTime = currentTime + (minutesThreshold * 60)
+
+    return expiration <= thresholdTime
+  }
+
+  /**
+   * Parse JWT payload for basic validation and user info extraction
+   * Note: This is for client-side info extraction only, not security validation
+   */
+  @OptIn(ExperimentalEncodingApi::class)
+  private fun parseJwtPayload(token: String): JwtPayload? {
+    return try {
+      val parts = token.split(".")
+      if (parts.size != 3) return null
+
+      // Decode the payload (second part)
+      val payloadJson = Base64.decode(parts[1]).decodeToString()
+
+      // First try to parse with standard approach
+      val basicPayload = try {
+        Json.decodeFromString<JwtPayload>(payloadJson)
+      } catch (e: Exception) {
+        // If that fails, extract manually
+        null
+      }
+
+      // If basic parsing succeeded and has permissions, return it
+      if (basicPayload != null && basicPayload.permissions != null) {
+        return basicPayload
+      }
+
+      // Otherwise, extract permissions manually from JSON string
+      val permissions = extractPermissionsFromJson(payloadJson)
+
+      // Return payload with manually extracted permissions
+      JwtPayload(
+        sub = basicPayload?.sub,
+        username = basicPayload?.username,
+        exp = basicPayload?.exp,
+        iat = basicPayload?.iat,
+        iss = basicPayload?.iss,
+        permissions = permissions
+      )
+    } catch (e: Exception) {
+      // Failed to parse - token might be invalid format
+      null
+    }
+  }
+
+  /**
+   * Extract permissions array from JSON string using simple string parsing
+   */
+  private fun extractPermissionsFromJson(jsonString: String): List<String>? {
+    return try {
+      // Simple regex to find permissions array
+      val permissionsRegex = """"permissions":\s*\[(.*?)\]""".toRegex()
+      val match = permissionsRegex.find(jsonString)
+
+      match?.let {
+        val permissionsContent = it.groupValues[1]
+        if (permissionsContent.isBlank()) return emptyList()
+
+        // Extract individual permission strings
+        val permissions = permissionsContent
+          .split(",")
+          .mapNotNull { permission ->
+            permission.trim()
+              .removePrefix("\"")
+              .removeSuffix("\"")
+              .takeIf { it.isNotBlank() }
+          }
+        permissions
+      }
+    } catch (e: Exception) {
+      null
+    }
+  }
+
+  /**
+   * Get token with Bearer prefix for HTTP headers
+   */
+  fun getBearerToken(): String? {
+    val token = getToken() ?: return null
+    return "Bearer $token"
+  }
+
+  /**
+   * Refresh token if needed based on expiry
+   */
+  suspend fun refreshTokenIfNeeded(authApiClient: AuthApiClient): Boolean {
+    if (!isTokenExpiringSoon()) return true
+
+    val currentToken = getToken() ?: return false
+
+    val refreshResponse = authApiClient.refreshToken(currentToken)
+    if (refreshResponse.success && refreshResponse.token != null) {
+      setToken(refreshResponse.token)
+      return true
+    }
+
+    // Refresh failed, clear token
+    clearToken()
+    return false
+  }
+}
@@ -0,0 +1,62 @@
+package at.mocode.clients.authfeature
+
+import at.mocode.shared.core.AppConstants
+import io.ktor.client.*
+import io.ktor.client.plugins.contentnegotiation.*
+import io.ktor.client.request.*
+import io.ktor.http.*
+import io.ktor.serialization.kotlinx.json.*
+import kotlinx.serialization.json.Json
+
+/**
+ * Singleton object for managing authenticated HTTP client configuration.
+ * Provides methods to create HTTP clients and add authentication headers manually.
+ */
+object AuthenticatedHttpClient {
+
+  private val authTokenManager = AuthTokenManager()
+
+  /**
+   * Create a basic HTTP client with JSON support
+   */
+  fun create(baseUrl: String = AppConstants.GATEWAY_URL): HttpClient {
+    return HttpClient {
+      install(ContentNegotiation) {
+        json(Json {
+          prettyPrint = true
+          isLenient = true
+          ignoreUnknownKeys = true
+        })
+      }
+    }
+  }
+
+  /**
+   * Add an authentication header to an HTTP request builder if a token is available
+   */
+  fun HttpRequestBuilder.addAuthHeader() {
+    authTokenManager.getBearerToken()?.let { bearerToken ->
+      header(HttpHeaders.Authorization, bearerToken)
+    }
+  }
+
+  /**
+   * Get the shared AuthTokenManager instance
+   */
+  fun getAuthTokenManager(): AuthTokenManager = authTokenManager
+
+  /**
+   * Create an HTTP client without authentication (for login/public endpoints)
+   */
+  fun createUnauthenticated(): HttpClient {
+    return HttpClient {
+      install(ContentNegotiation) {
+        json(Json {
+          prettyPrint = true
+          isLenient = true
+          ignoreUnknownKeys = true
+        })
+      }
+    }
+  }
+}
@@ -0,0 +1,136 @@
+package at.mocode.clients.authfeature
+
+import androidx.compose.foundation.layout.*
+import androidx.compose.foundation.text.KeyboardActions
+import androidx.compose.foundation.text.KeyboardOptions
+import androidx.compose.material3.*
+import androidx.compose.runtime.*
+import androidx.compose.ui.Alignment
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.focus.FocusRequester
+import androidx.compose.ui.focus.focusRequester
+import androidx.compose.ui.text.input.ImeAction
+import androidx.compose.ui.text.input.KeyboardType
+import androidx.compose.ui.text.input.PasswordVisualTransformation
+import androidx.compose.ui.text.style.TextAlign
+import androidx.compose.ui.unit.dp
+import androidx.lifecycle.viewmodel.compose.viewModel
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+fun LoginScreen(
+  authTokenManager: AuthTokenManager,
+  viewModel: LoginViewModel = viewModel { LoginViewModel(authTokenManager) },
+  onLoginSuccess: () -> Unit = {}
+) {
+  val uiState by viewModel.uiState.collectAsState()
+  val passwordFocusRequester = remember { FocusRequester() }
+
+  Column(
+    modifier = Modifier
+      .fillMaxSize()
+      .padding(24.dp),
+    horizontalAlignment = Alignment.CenterHorizontally,
+    verticalArrangement = Arrangement.Center
+  ) {
+    // Title
+    Text(
+      text = "Anmelden",
+      style = MaterialTheme.typography.headlineMedium,
+      color = MaterialTheme.colorScheme.onSurface,
+      modifier = Modifier.padding(bottom = 32.dp)
+    )
+
+    // Username field
+    OutlinedTextField(
+      value = uiState.username,
+      onValueChange = viewModel::updateUsername,
+      label = { Text("Benutzername") },
+      enabled = !uiState.isLoading,
+      isError = uiState.usernameError != null,
+      supportingText = uiState.usernameError?.let { { Text(it) } },
+      keyboardOptions = KeyboardOptions(
+        keyboardType = KeyboardType.Text,
+        imeAction = ImeAction.Next
+      ),
+      keyboardActions = KeyboardActions(
+        onNext = { passwordFocusRequester.requestFocus() }
+      ),
+      modifier = Modifier
+        .fillMaxWidth()
+        .padding(bottom = 16.dp)
+    )
+
+    // Password field
+    OutlinedTextField(
+      value = uiState.password,
+      onValueChange = viewModel::updatePassword,
+      label = { Text("Passwort") },
+      enabled = !uiState.isLoading,
+      isError = uiState.passwordError != null,
+      supportingText = uiState.passwordError?.let { { Text(it) } },
+      visualTransformation = PasswordVisualTransformation(),
+      keyboardOptions = KeyboardOptions(
+        keyboardType = KeyboardType.Password,
+        imeAction = ImeAction.Done
+      ),
+      keyboardActions = KeyboardActions(
+        onDone = {
+          if (uiState.canLogin) {
+            viewModel.login()
+          }
+        }
+      ),
+      modifier = Modifier
+        .fillMaxWidth()
+        .focusRequester(passwordFocusRequester)
+        .padding(bottom = 24.dp)
+    )
+
+    // Error message
+    if (uiState.errorMessage != null) {
+      Card(
+        colors = CardDefaults.cardColors(
+          containerColor = MaterialTheme.colorScheme.errorContainer
+        ),
+        modifier = Modifier
+          .fillMaxWidth()
+          .padding(bottom = 16.dp)
+      ) {
+        Text(
+          text = uiState.errorMessage!!,
+          color = MaterialTheme.colorScheme.onErrorContainer,
+          style = MaterialTheme.typography.bodyMedium,
+          textAlign = TextAlign.Center,
+          modifier = Modifier.padding(16.dp)
+        )
+      }
+    }
+
+    // Login button
+    Button(
+      onClick = { viewModel.login() },
+      enabled = uiState.canLogin && !uiState.isLoading,
+      modifier = Modifier
+        .fillMaxWidth()
+        .height(48.dp)
+    ) {
+      if (uiState.isLoading) {
+        CircularProgressIndicator(
+          modifier = Modifier.size(20.dp),
+          strokeWidth = 2.dp,
+          color = MaterialTheme.colorScheme.onPrimary
+        )
+      } else {
+        Text("Anmelden")
+      }
+    }
+  }
+
+  // Handle login success
+  LaunchedEffect(uiState.isAuthenticated) {
+    if (uiState.isAuthenticated) {
+      onLoginSuccess()
+    }
+  }
+}
@@ -0,0 +1,131 @@
+package at.mocode.clients.authfeature
+
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
+import at.mocode.clients.authfeature.AuthenticatedHttpClient.addAuthHeader
+import at.mocode.shared.core.AppConstants
+import io.ktor.client.request.*
+import kotlinx.coroutines.flow.MutableStateFlow
+import kotlinx.coroutines.flow.StateFlow
+import kotlinx.coroutines.flow.asStateFlow
+import kotlinx.coroutines.launch
+
+/**
+ * UI state for the login screen
+ */
+data class LoginUiState(
+  val username: String = "",
+  val password: String = "",
+  val isLoading: Boolean = false,
+  val isAuthenticated: Boolean = false,
+  val errorMessage: String? = null,
+  val usernameError: String? = null,
+  val passwordError: String? = null
+) {
+  val canLogin: Boolean
+    get() = username.isNotBlank() && password.isNotBlank() && !isLoading
+}
+
+/**
+ * ViewModel for handling login authentication logic
+ */
+class LoginViewModel(
+  private val authTokenManager: AuthTokenManager
+) : ViewModel() {
+
+  private val _uiState = MutableStateFlow(LoginUiState())
+  val uiState: StateFlow<LoginUiState> = _uiState.asStateFlow()
+
+  private val authApiClient = AuthApiClient()
+
+  fun updateUsername(username: String) {
+    _uiState.value = _uiState.value.copy(
+      username = username,
+      usernameError = null,
+      errorMessage = null
+    )
+  }
+
+  fun updatePassword(password: String) {
+    _uiState.value = _uiState.value.copy(
+      password = password,
+      passwordError = null,
+      errorMessage = null
+    )
+  }
+
+  fun login() {
+    val currentState = _uiState.value
+
+    // Validate input
+    if (currentState.username.isBlank()) {
+      _uiState.value = currentState.copy(usernameError = "Benutzername ist erforderlich")
+      return
+    }
+
+    if (currentState.password.isBlank()) {
+      _uiState.value = currentState.copy(passwordError = "Passwort ist erforderlich")
+      return
+    }
+
+    // Start the login process
+    _uiState.value = currentState.copy(
+      isLoading = true,
+      errorMessage = null,
+      usernameError = null,
+      passwordError = null
+    )
+
+    viewModelScope.launch {
+      try {
+        val loginResponse = authApiClient.login(
+          username = currentState.username,
+          password = currentState.password
+        )
+
+        if (loginResponse.success && loginResponse.token != null) {
+          // Store the JWT token
+          authTokenManager.setToken(loginResponse.token)
+
+          _uiState.value = _uiState.value.copy(
+            isLoading = false,
+            isAuthenticated = true,
+            errorMessage = null
+          )
+
+          // Fire-and-forget: Trigger Backend Sync so the user exists in Members
+          viewModelScope.launch {
+            try {
+              val client = AuthenticatedHttpClient.create()
+              client.post("${AppConstants.GATEWAY_URL}/api/members/sync") {
+                addAuthHeader()
+              }
+            } catch (_: Exception) {
+              // Non-fatal: Wir zeigen Sync-Fehler im Login nicht an
+            }
+          }
+        } else {
+          _uiState.value = _uiState.value.copy(
+            isLoading = false,
+            errorMessage = loginResponse.message ?: "Anmeldung fehlgeschlagen"
+          )
+        }
+      } catch (e: Exception) {
+        _uiState.value = _uiState.value.copy(
+          isLoading = false,
+          errorMessage = "Verbindungsfehler: ${e.message}"
+        )
+      }
+    }
+  }
+
+  fun logout() {
+    authTokenManager.clearToken()
+    _uiState.value = LoginUiState()
+  }
+
+  fun checkAuthenticationStatus() {
+    val isAuthenticated = authTokenManager.hasValidToken()
+    _uiState.value = _uiState.value.copy(isAuthenticated = isAuthenticated)
+  }
+}
@@ -0,0 +1,12 @@
+package at.mocode.clients.authfeature.oauth
+
+data class CallbackParams(val code: String, val state: String?)
+
+expect object AuthCallbackParams {
+  /**
+   * Parse OAuth callback parameters from the current environment.
+   * - JS (web): reads window.location.search for `code` and `state` and removes them from the URL.
+   * - JVM (desktop): returns null.
+   */
+  fun parse(): CallbackParams?
+}
@@ -0,0 +1,34 @@
+package at.mocode.clients.authfeature.oauth
+
+import at.mocode.shared.core.AppConstants
+
+data class PkceState(
+  val state: String,
+  val codeVerifier: String,
+  val codeChallenge: String,
+  val method: String = "S256"
+)
+
+object OAuthParams {
+  const val RESPONSE_TYPE = "code"
+  const val SCOPE = "openid"
+}
+
+/**
+ * expect/actual service to support PKCE across JS and JVM.
+ * For the desktop (JVM) target we currently do not start a browser flow,
+ * but we provide hashing to keep API parity.
+ */
+expect object OAuthPkceService {
+  /** Starts a PKCE auth attempt and stores transient state in memory. */
+  suspend fun startAuth(): PkceState
+
+  /** Returns currently active state if any (not persisted). */
+  fun current(): PkceState?
+
+  /** Clears transient state (after success/failure). */
+  fun clear()
+
+  /** Builds the authorize URL for the current state. */
+  fun buildAuthorizeUrl(state: PkceState, redirectUri: String = AppConstants.webRedirectUri()): String
+}
@@ -0,0 +1,19 @@
+package at.mocode.clients.authfeature.oauth
+
+import kotlinx.browser.window
+
+actual object AuthCallbackParams {
+  actual fun parse(): CallbackParams? {
+    val search = window.location.search
+    if (search.isBlank()) return null
+    val params = js("new URLSearchParams(arguments[0])").unsafeCast<(String) -> dynamic>()(search)
+    val code = params.get("code") as String?
+    val state = params.get("state") as String?
+    return if (!code.isNullOrBlank()) {
+      // Clean up query params to avoid re-processing on recomposition
+      val url = window.location.origin + window.location.pathname
+      window.history.replaceState(null, "", url)
+      CallbackParams(code, state)
+    } else null
+  }
+}
@@ -0,0 +1,81 @@
+package at.mocode.clients.authfeature.oauth
+
+import at.mocode.shared.core.AppConstants
+import kotlinx.browser.window
+import kotlinx.coroutines.await
+import org.khronos.webgl.ArrayBuffer
+import org.khronos.webgl.Uint8Array
+import kotlin.js.Promise
+import kotlin.random.Random
+
+private var currentPkce: PkceState? = null
+
+private fun base64UrlFromBytes(bytes: ByteArray): String {
+  // Build binary string from bytes
+  val sb = StringBuilder(bytes.size)
+  for (b in bytes) sb.append(b.toInt().toChar())
+  val b64 = window.btoa(sb.toString())
+  return b64.replace("+", "-").replace("/", "_").trimEnd('=')
+}
+
+private fun base64UrlFromArrayBuffer(buf: ArrayBuffer): String {
+  val arr = Uint8Array(buf)
+  var binary = ""
+  val len = arr.length
+  for (i in 0 until len) {
+    val v = (arr.asDynamic()[i] as Number).toInt()
+    binary += fromCharCode(v)
+  }
+  val b64 = window.btoa(binary)
+  return b64.replace("+", "-").replace("/", "_").trimEnd('=')
+}
+
+private fun randomUrlSafe(length: Int): String {
+  val bytes = Random.Default.nextBytes(length)
+  // Use base64url for entropy; ensure URL-safe by replacing padding removed already
+  return base64UrlFromBytes(bytes)
+}
+
+private fun sha256(input: String): Promise<ArrayBuffer> {
+  val enc: dynamic = js("new TextEncoder()")
+  val data = enc.encode(input)
+  val subtle: dynamic = window.asDynamic().crypto.subtle
+  return subtle.digest("SHA-256", data) as Promise<ArrayBuffer>
+}
+
+actual object OAuthPkceService {
+  actual suspend fun startAuth(): PkceState {
+    val codeVerifier = randomUrlSafe(64)
+    val challengeBuf = sha256(codeVerifier).await()
+    val codeChallenge = base64UrlFromArrayBuffer(challengeBuf)
+    val state = randomUrlSafe(16)
+    val pkce = PkceState(state, codeVerifier, codeChallenge)
+    currentPkce = pkce
+    return pkce
+  }
+
+  actual fun current(): PkceState? = currentPkce
+
+  actual fun clear() {
+    currentPkce = null
+  }
+
+  actual fun buildAuthorizeUrl(state: PkceState, redirectUri: String): String {
+    val params = listOf(
+      "response_type" to OAuthParams.RESPONSE_TYPE,
+      "client_id" to AppConstants.KEYCLOAK_CLIENT_ID,
+      "redirect_uri" to redirectUri,
+      "scope" to OAuthParams.SCOPE,
+      "state" to state.state,
+      "code_challenge" to state.codeChallenge,
+      "code_challenge_method" to state.method
+    ).joinToString("&") { (k, v) -> "$k=" + encodeURIComponent(v) }
+    return AppConstants.authorizeEndpoint() + "?" + params
+  }
+}
+
+@Suppress("UnsafeCastFromDynamic")
+private fun encodeURIComponent(value: String): String = js("encodeURIComponent")(value)
+
+@Suppress("UnsafeCastFromDynamic")
+private fun fromCharCode(code: Int): String = js("String.fromCharCode")(code)
@@ -0,0 +1,5 @@
+package at.mocode.clients.authfeature.oauth
+
+actual object AuthCallbackParams {
+  actual fun parse(): CallbackParams? = null
+}
@@ -0,0 +1,55 @@
+package at.mocode.clients.authfeature.oauth
+
+import at.mocode.shared.core.AppConstants
+import java.security.MessageDigest
+import java.security.SecureRandom
+import java.util.Base64
+
+private var currentPkceJvm: PkceState? = null
+
+private fun base64UrlNoPad(bytes: ByteArray): String =
+  Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
+
+private fun randomUrlSafe(length: Int): String {
+  // Generate bytes and Base64 URL encode (will be > length due to encoding)
+  val rnd = SecureRandom()
+  val bytes = ByteArray(length)
+  rnd.nextBytes(bytes)
+  return base64UrlNoPad(bytes)
+}
+
+private fun sha256Base64Url(input: String): String {
+  val md = MessageDigest.getInstance("SHA-256")
+  val digest = md.digest(input.toByteArray(Charsets.UTF_8))
+  return base64UrlNoPad(digest)
+}
+
+actual object OAuthPkceService {
+  actual suspend fun startAuth(): PkceState {
+    val codeVerifier = randomUrlSafe(64)
+    val codeChallenge = sha256Base64Url(codeVerifier)
+    val state = randomUrlSafe(16)
+    val pkce = PkceState(state, codeVerifier, codeChallenge)
+    currentPkceJvm = pkce
+    return pkce
+  }
+
+  actual fun current(): PkceState? = currentPkceJvm
+
+  actual fun clear() {
+    currentPkceJvm = null
+  }
+
+  actual fun buildAuthorizeUrl(state: PkceState, redirectUri: String): String {
+    val params = listOf(
+      "response_type" to OAuthParams.RESPONSE_TYPE,
+      "client_id" to AppConstants.KEYCLOAK_CLIENT_ID,
+      "redirect_uri" to redirectUri,
+      "scope" to OAuthParams.SCOPE,
+      "state" to state.state,
+      "code_challenge" to state.codeChallenge,
+      "code_challenge_method" to state.method
+    ).joinToString("&") { (k, v) -> "$k=" + java.net.URLEncoder.encode(v, Charsets.UTF_8) }
+    return AppConstants.authorizeEndpoint() + "?" + params
+  }
+}