security: enforce auth on all API write endpoints, remove mario-kart

- Remove all mario-kart routes and model (zero auth, unused)
- Add requireGroup() helper to auth middleware
- Recipe write APIs (add/edit/delete/img/*): require rezepte_users group
- Translate endpoint: require rezepte_users (was fully unauthenticated)
- Nutrition overwrites: require auth (was no-op)
- Nutrition generate-all: require rezepte_users (was no-op)
- Alt-text/color endpoints: require rezepte_users group
- Image delete/mv: add path traversal protection
- Period shared endpoint: normalize username for consistent lookup
2026-04-07 20:10:48 +02:00
parent 0fe6990df9
commit 02bb889629
24 changed files with 119 additions and 1211 deletions
+1 -1
@@ -1,6 +1,6 @@
{
"name": "homepage",
"version": "1.4.4",
"version": "1.5.0",
"private": true,
"type": "module",
"scripts": {
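Review bot: The `"version"` change from 1.4.4 to 1.5.0 is a minor bump, but the commit message describes changes that break existing callers: the mario-kart routes are removed, and the translate and recipe write endpoints now require the rezepte_users group. Please record those behaviour changes in a changelog or release note next to this bump so that anyone upgrading knows which requests will start being rejected. Consider also splitting the route removal from the authorization changes, so that the security fix can be reviewed, backported or reverted on its own.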