feat(auth): implement user authentication and profile management

- Added authentication context and provider to manage user state.
- Created login and registration forms with validation and error handling.
- Implemented user profile component for updating user information and changing passwords.
- Introduced user settings in the database for notification preferences.
- Updated translations for authentication-related strings in English and German.
- Enhanced styles for authentication components and user profile.
- Added middleware for optional and required authentication checks.

backend/src/plugins/auth.ts

@@ -0,0 +1,112 @@
+import { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
+import { env } from "./env.js";
+import { db } from "../db/client.js";
+import { users } from "../db/schema.js";
+import { sql, count } from "drizzle-orm";
+
+// =============================================================================
+// Auth State - Computed at runtime
+// =============================================================================
+export interface AuthState {
+  authEnabled: boolean;
+  registrationEnabled: boolean;
+  localAuthEnabled: boolean;
+  hasUsers: boolean;
+  needsSetup: boolean;
+}
+
+export async function getAuthState(): Promise<AuthState> {
+  const [result] = await db.select({ count: count() }).from(users);
+  const hasUsers = result.count > 0;
+  
+  return {
+    authEnabled: env.AUTH_ENABLED,
+    // Registration: enabled via ENV OR no users exist (first-time setup)
+    registrationEnabled: env.REGISTRATION_ENABLED || !hasUsers,
+    localAuthEnabled: !env.DISABLE_LOCAL_AUTH,
+    hasUsers,
+    needsSetup: env.AUTH_ENABLED && !hasUsers,
+  };
+}
+
+// =============================================================================
+// Request User Type (no roles - all users are equal)
+// =============================================================================
+export interface RequestUser {
+  id: number;
+  username: string;
+}
+
+// =============================================================================
+// Auth Middleware Functions
+// =============================================================================
+
+/**
+ * Optional auth - verifies JWT if present, but doesn't require it
+ */
+export async function optionalAuth(request: FastifyRequest, reply: FastifyReply) {
+  if (!env.AUTH_ENABLED) {
+    return;
+  }
+
+  const token = request.cookies.access_token;
+  if (!token) {
+    return;
+  }
+
+  try {
+    const decoded = await request.jwtVerify<{ sub: number; username: string }>();
+    const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
+    if (user && user.isActive) {
+      request.user = {
+        id: user.id,
+        username: user.username,
+      };
+    }
+  } catch {
+    // Invalid token, continue as anonymous
+  }
+}
+
+/**
+ * Required auth - requires valid JWT when auth is enabled
+ */
+export async function requireAuth(request: FastifyRequest, reply: FastifyReply) {
+  if (!env.AUTH_ENABLED) {
+    return;
+  }
+
+  const token = request.cookies.access_token;
+  if (!token) {
+    return reply.status(401).send({ error: "Authentication required", code: "AUTH_REQUIRED" });
+  }
+
+  try {
+    const decoded = await request.jwtVerify<{ sub: number; username: string }>();
+    const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
+    
+    if (!user) {
+      return reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
+    }
+    
+    if (!user.isActive) {
+      return reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
+    }
+
+    request.user = {
+      id: user.id,
+      username: user.username,
+    };
+  } catch {
+    return reply.status(401).send({ error: "Invalid or expired token", code: "INVALID_TOKEN" });
+  }
+}
+
+/**
+ * Auth state endpoint plugin
+ */
+export async function authPlugin(app: FastifyInstance) {
+  app.get("/auth/state", async () => {
+    return getAuthState();
+  });
+}

backend/src/plugins/env.ts

@@ -8,11 +8,36 @@ const EnvSchema = z.object({
   PORT: z.string().transform((v) => parseInt(v, 10)).default("3000"),
   CORS_ORIGINS: z.string().default("http://localhost:5173,http://localhost:4173"),
   LOG_LEVEL: z.string().default("info"),
-  JWT_SECRET: z.string().min(10),
-  REFRESH_SECRET: z.string().min(10),
-  COOKIE_SECRET: z.string().min(10),
+  
+  // ==========================================================================
+  // Auth Configuration
+  // ==========================================================================
+  // Master switch: Enable/disable authentication (default: disabled for easy setup)
+  AUTH_ENABLED: z.string().transform((v) => v === "true").default("false"),
+  // Allow new user registrations (auto-enabled if no users exist)
+  REGISTRATION_ENABLED: z.string().transform((v) => v === "true").default("false"),
+  // Disable local auth when using SSO only (Phase 2)
+  DISABLE_LOCAL_AUTH: z.string().transform((v) => v === "true").default("false"),
+  
+  // JWT Secrets - only required when AUTH_ENABLED=true
+  JWT_SECRET: z.string().min(10).optional(),
+  REFRESH_SECRET: z.string().min(10).optional(),
+  COOKIE_SECRET: z.string().min(10).optional(),
 });
 
 export type Env = z.infer<typeof EnvSchema>;
 
-export const env: Env = EnvSchema.parse(process.env);
+// Parse and validate
+const parsed = EnvSchema.parse(process.env);
+
+// Validate that secrets are provided when auth is enabled
+if (parsed.AUTH_ENABLED) {
+  if (!parsed.JWT_SECRET || !parsed.REFRESH_SECRET || !parsed.COOKIE_SECRET) {
+    throw new Error(
+      "AUTH_ENABLED=true requires JWT_SECRET, REFRESH_SECRET, and COOKIE_SECRET to be set. " +
+      "Generate them with: openssl rand -hex 32"
+    );
+  }
+}
+
+export const env = parsed;